Reliability index based strategy for the probability-damage approach in fail-safe design optimization (β-PDFSO)

This research proposes a new formulation for fail-safe size optimization, considering the probability of occurrence of each failure scenario and the random structural parameters as sources of uncertainty. Essentially, the fail-safe reliability-based design optimization is reformulated, where the term “damaged structure” coalesces information of the whole set of damaged configurations. Thus, a single random reliability index is defined, representing the reliability of a limit-state of the damaged structure, which accounts for the safety level of the entire set of damaged configurations. The method provides the optimum design for which the reliability indices of the damaged structure are achieved at the confidence level the designer demands. The first application example corresponds to an academic analytical problem. The second and third application examples correspond to practical engineering cases: a 2D truss structure with stress constraints as well as the tail section of an aircraft fuselage with stress and buckling constraints. Results show a considerable reduction of the objective function compared to the fail-safe RBDO, which could lead to oversized designs. In this sense, mass savings up to 13.6% are achieved for the industrial-like application example.


Introduction
Structural design in several engineering fields must consider failure scenarios that are unlikely, but could occur over the service life, causing damage to the structure. An example of this can be found in the design of cable-stayed bridges, where regulations contemplate the possibility that the impact of a vehicle may break a cable. Thus, the recommendations for stay cable design, testing, and installation developed by the Post-Tensioning Institute [38] define the load combination that the bridge must withstand in the absence of the damaged cable after the accident. In aerospace, there are a huge variety of accidental situations that could lead to a loss of structural performance as a result of an object striking the aircraft. Some examples are bird strikes, runway debris, or hail, as well as the detachment of a rotating engine part and subsequent impact on the aircraft (engine blade loss, uncontained engine rotor failure, propeller blade failure, etc.). These scenarios are covered by extensive regulations that apply to aircraft design. Thus, requirements specified by the Federal Aviation Administration in FAR 25.571(e) [21] establish that "The airplane must be capable of successfully completing a flight during which likely structural damage occurs as a result of: uncontained fan blade impacts, uncontained engine failures or uncontained high energy rotating machinery failure". More specifically, the Advisory Circulars AC 20-128A [17] and AC 25.905-1 [19] provide design recommendations for these events, establishing the set of load combinations that the damaged structure must withstand, known as Get Home Loads.
Fail-safety is a structural design philosophy that considers that a structure must be able to sustain possible damage. This damage could be of different nature, and can be classified into two categories: deterioration and accidental damages. Deterioration damage refers to the degradation of the material properties during normal operation, e.g., fatigue or corrosion effects. On the other hand, accidental damage is related to occasional events prompted by discrete sources, e.g., uncontained engine rotor failure or bird strikes. Niu [36] established fail-safe design practices for fatigue-related damages, where crack propagation may lead to "a failure of a single member in redundant structure or partial failure of a monolithic structure". Therefore, the situation must be studied "one instance at a time". This makes sense, because fatigue failure does not generally involve several members failing at the same time. In contrast, when a structure is damaged by a discrete source, multiple failures can occur simultaneously at different locations. As aviation regulations contemplate this discrete source of damage, the simultaneous collapse of several members in an aircraft represents a real design practice.
This article is an extended version of a conference paper published at the AIAA SciTech Forum and Exposition 2021 [11]. Copyright by the authors.
Guaranteeing structural safety in damage scenarios will inevitably require an increase in the structural weight. The final design should provide alternative resistant structural schemes to sustain the stresses when partial damage occurs, hence redistributing the internal forces in the remaining structure. From the designer's perspective, it is of interest to ascertain the minimum weight increase that will ensure the required safety. In that sense, several investigations were carried out by combining optimization techniques with the fail-safe strategy. They could be classified into fail-safe topology optimization and fail-safe size optimization.
Topology optimization is particularly attractive when the physical size, shape, and connectivity of the structure are not previously defined. Only some quantities in the problem are known, such as the design domain, applied loads, and boundary conditions. Due to its general approach, this type of structural optimization brings the best chance to find groundbreaking designs, making it appropriate for preliminary stages in a structural design process. Generally, fail-safe topology optimization seeks to minimize the compliance of a conceptual design that can sustain damage.
Some researchers have analyzed the local failure in topology optimization for truss structures, where the local failure can be modeled straightforwardly by removing one bar from the truss, since a clear definition of a structural member exists. Achtziger and Bendsøe [2] studied the optimal topology of a truss, so that stiffness after degradation is maximized. Mohr et al. [33] proposed a redundant robust topology optimization of truss. Stolpe [40] modeled failure as either a complete damage of some predefined number of members or by degradation of the member areas, and concluded that the optimal topology can change drastically even in the situation that only one member is partially degraded. Based on this idea, Pollini [37] performed the fail-safe optimization of viscous dampers.
Another research line is focused on the fail-safe topology optimization of continuum structures. In this case, the first limitation is the absence of discrete structural elements to be eliminated, as members emerge after performing the optimization process. Jansen et al. [24] were the first to address this aspect by defining damage scenarios in the continuum design domain, eliminating areas or patches of a given size. In this approach, the fail-safe optimization problem was formulated as minimizing the compliance of the worst-case damage scenario. As a consequence of eliminating part of the design domain, the original bar could not be generated; hence, robust optimization introduced redundant members into the design to replace the non-existing bar. Results showed that the designs obtained contain a number of redundant bars which leads to an increased robustness with respect to local removal of material. One of the major shortcomings of Jansen et al. [24] was that it involves a very large number of finite-element analyses (FEA) models at the scale equal to the number of elements. To overcome this difficulty, Zhou and Fleury [43] established a computationally viable solution for this problem, significantly reducing the computational burden. Nevertheless, some of these patches could be empty, containing only void regions instead of structural parts. To improve this aspect, Ambrozkiewicz and Kriegesmann [3] proposed strategies to determine the placement of the damaged zones. The first approach stated that a patch can be considered empty if the maximum value of the densities in the patch is below a certain threshold. The second one was based on a load-path identification. As a result, the computational cost was reduced significantly. Wang et al. [42] proposed an efficient optimization strategy to obtain the designs which are insensitive to the occurrence of local failure, introducing the von Mises failure criterion to evaluate the patches to be damaged or undamaged. 
By defining the failure coefficient, the material properties of a given patch were regarded as degenerated if its von Mises stress exceeded an allowable stress. Furthermore, Ambrozkiewicz and Kriegesmann [4] presented a sequential topology and shape optimization for fail-safe design, consisting of three steps: (1) minimizing the compliance subject to volume constraints to get a preliminary design, (2) identifying the load-bearing members of the optimal design and creation of damage scenarios, and (3) performing a density-based shape optimization using the damage scenarios. Smith and Norato [39] introduced a topology optimization technique for the design of fail-safe structures made of geometric components. It was concluded that the methodology was significantly more efficient than density-based techniques, since the number of analyses required is proportional to the number of geometric components and independent from the mesh. Kranz et al. [26] proposed a load-path-based evaluation scheme for fail-safe topology optimization, where redundant structures are obtained at much less computational cost. Hederberg and Thore [23] combined density-based topology optimization with a moving morphable component representation of structural damage, obtaining more robust fail-safe designs.
As already discussed, topology optimization approaches have enormous potential in the early stages of the design process of a structure. However, in advanced stages of the design, there are numerous features of the structure that are already frozen and cannot be modified. Generally, shape and geometry of the structure are not considered variable at this stage and topology optimization methods cannot be used. It is at this point that size optimization methods gain prominence. Often, the industry requires fail-safe designs, which can be obtained by reinforcing the original structure, i.e., without adding additional structural elements. Thus, an industrial example known to the authors is the optimization of the tail-cone structure of an aircraft taking into account possible structural failures. Some of the possible failures that the aircraft company contemplates are the release of an unducted blade from open rotor engines or an uncontained auxiliary power unit (APU) rotor failure, generating debris that strike the aircraft. Alternatively, other types of partial damage are the collapse of one of the bars supporting the APU, a failure of a fitting in the interface between the tail-section and the forward section, or a fire event in the APU compartment, which may cause damage in the skin or firewalls. Optimization of this structure with these failure scenarios cannot be tackled with fail-safe topology optimization, but can be addressed with fail-safe size optimization methods.
One of the first works in fail-safe size optimization of structures was presented by Sun et al. [41]. In their work, stress, displacement, buckling, and natural frequency constraints were applied for each failure case. Arora et al. [5] and Nguyen and Arora [35] proposed an optimization strategy to perform fail-safe structural optimization of large structures. Feng and Moses [22] explored several criteria for optimizing size components in a structure to consider both extreme and accident conditions. Marhadi et al. [29] proposed an optimization strategy that attempts to maximize the energy absorption by considering the possible damage to the members that integrate the structure. Recent research considers finite-element models of the intact structure and a set of possible partial collapses into the optimization process. Fail-safe deterministic size optimization was first applied to shell structures by Baldomir et al. [6]. This multi-model approach aimed to obtain a minimum penalty weight over the intact structure while guaranteeing the fulfillment of several limit-states in both the intact and damaged configurations. As a result, the final optimum design would be safe under all the damaged scenarios considered. Lüdeker and Kriegesmann [27] performed a fail-safe optimization of beam structures, aiming for the mass minimization of lattice structures subjected to stress constraints, proposing strategies to reduce the number of constraints in the optimization problem. Considering local degradation of member properties, recent observations by Dou and Stolpe [12] show that the degradation of one arbitrary member may yield to a worse objective function than the complete removal of the member. In the same trend, Dou and Stolpe [13] characterized local thickness degradation in a part of a member by combining different damaged models into the fail-safe design problem.
One of the main shortcomings of the previous fail-safe techniques was that their formulations did not contemplate the quantification of reliability in the final optimal design when there is uncertainty in any parameter. The only way of increasing the reliability in those approaches is by the use of partial safety factors. Thus, Cid et al. [8,9] made a further step by proposing a fail-safe probabilistic approach, in which these uncertainty data were taken into account in the fail-safe design. In that research, the reliability index associated with each limit-state had to be guaranteed in the intact model and all damaged scenarios simultaneously. By applying this technique, it was possible to guarantee a specific target reliability index on each limit-state.
The fail-safe approaches described in the paragraph above aim to simultaneously meet all limit-states in the whole set of damaged configurations. Admittedly, this strategy may seem too conservative and could lead to oversized designs, since the accidental situation will be a single event and it is unknown which partial collapse will occur. In addition, it should be taken into consideration that some damaged configurations may have different probability of occurrence than others. These values of probability of occurrence of each damaged configuration can be grounded in historical evidence of accidents. For instance, in the aerospace field, the Federal Aviation Administration conducted several studies [18], characterizing uncontained engine rotor failures from historical accidents that occurred from 1962 to 1989. In the civil engineering field, companies have reported accidental situations applied to cable-stayed bridges, in which the accidental situation where three adjacent cables break due to an impact of a vehicle is less probable than the breakage of a single cable. To address this aspect, a new methodology, denoted as probability-damage approach for fail-safe design optimization (PDFSO) was proposed by Cid et al. [10], where the probability of occurrence of each damage scenario was contemplated as a new source of uncertainty into the deterministic fail-safe optimization problem. In that strategy, the main novelty was to define a new probabilistic formulation where the set of responses from the damaged configurations associated with the same limit-state are transformed into a single probabilistic constraint. That probabilistic constraint represents a limit-state in the damaged structure. Thus, the fulfillment of the limit-states associated with the damaged structure is guaranteed for a specific confidence level $R^T$ imposed by the designer. That confidence level takes into account the risk that the designer is willing to admit in case an accidental situation happens.
As a result, the optimum design would be an intermediate solution between the deterministic optimization of the intact model and the fail-safe deterministic optimization. In the same trend, Martínez-Frutos and Ortigosa [30] incorporated the probability of occurrence of each damage situation into a risk-averse approach for fail-safe topology optimization, using level-set-based optimization techniques. More recently, Martínez-Frutos and Ortigosa [31] considered the probability of occurrence at a specified location and failure size as sources of uncertainty in a robust fail-safe topology optimization.
Although the PDFSO approach considerably improved the fail-safe formulation, the main shortcoming was that the aleatory uncertainty in parameters affecting the structure was not integrated in that approach. Thus, a preliminary work addressing this problem was presented by the authors [11]. Therefore, the purpose of this research is to extend that work by fully describing and formulating a new fail-safe optimization strategy, taking into account the two sources of uncertainty. The fundamental idea behind the new multi-model approach is that the reliability index ($\beta$) associated with a limit-state of the damaged structure is not a single value. On the contrary, there will be as many values of $\beta$ as damaged configurations with their associated probability of occurrence. Therefore, it is possible to construct a new discrete random distribution function of $\beta$ to define the reliability index associated with a limit-state of the damaged structure. The new constraint is then formulated as the probability of the reliability index being lower than the target reliability index, with the confidence level demanded by the designer. It is important to emphasize that if the effect of having different probabilities of occurrence for each damaged model was disregarded, a damaged configuration very harmful to the structure but with a low probability of occurrence compared to others could lead to an oversized design, as the target reliability index ($\beta^T$) of each limit-state would have to be guaranteed in all the damaged configurations simultaneously.
Since the fail-safe RBDO provides a conservative design by guaranteeing the reliability indices in all the damaged scenarios, the β-PDFSO approach improves that methodology by including the probability of occurrence of each damaged configuration into the problem statement. As a result, the main advantage of this method is that lighter fail-safe designs can be obtained with the confidence level required by the designer. This formulation applies to any size optimization problem that contemplates multiple failure scenarios and inherent random uncertainty in the parameters.
The remainder of the paper is organized as follows. Section 2 describes the theoretical background, summarizing previous fail-safe techniques relevant for this research. In Sect. 3, the β-PDFSO approach is formulated, providing a detailed description of the method. Then, Sect. 4 presents three application examples of increasing complexity to demonstrate the capabilities of the proposed approach: the first example corresponds to an academic problem, with analytical expressions to simulate the structural responses in the intact and damaged models. The second example represents a steel lattice truss bridge, where the structure must resist accidental scenarios where some bars break due to a vehicle impact. The third example corresponds to an industrial-like application example for airplanes with open rotor engines, where two types of accidental situations can occur: debris released from the engine striking the fuselage or the detachment of fittings that connect the fuselage section with the VTP/HTP or with the rear tail cone section. Section 5 compares the computational cost in terms of iterations and function calls. Section 6 offers concluding remarks and suggests future research lines. Section 7 provides the link of a GitHub repository with the source code of the β-PDFSO method applied to the analytical example presented in Sect. 4.1.

Fail-safe deterministic optimization
Baldomir et al. [6] presented a fail-safe deterministic optimization approach to achieve minimal weight structures that are safe in the event of partial collapse. The methodology defines a model of the complete structure and D incomplete configurations of the structure (Fig. 1). An identification label M i is assigned to each model, where M 0 corresponds to the intact model and The basis of this method requires the definition of a group of damaged versions of the structure where design conditions are imposed. The modifications that the algorithm performs during the optimization process on the intact structure are also applied to the damaged models simultaneously. The compact formulation of the fail-safe deterministic optimization is presented in Eq. (1), where F is the objective function that only affects the intact structure and depends on the set of design variables d, and g is the set of constraints affecting both intact and incomplete structures M i .

Fail-safe RBDO
Subsequently, the previous approach was completed by introducing the hypothesis that some parameters affecting the structural responses of intact and damaged models were random in nature, leading to a probabilistic approach, denoted as fail-safe RBDO. Cid et al. [8,9] formulated this method where it is necessary to solve the reliability analyses on the intact structure and the damaged configurations simultaneously at each iteration of the optimization process. The formulation of the fail-safe RBDO is shown in Eq. (2): where $P[\cdot]$ is the probability operator, $G$ represents the limit-state in the whole set of models $M_i$, which now also depends on the random variables x, $\Phi$ is the CDF of a standard normal distribution, and $\beta^T$ is the target reliability index. Equation (2b) means that the probability of overcoming the limit-state $G_j^{M_i}$ has to be lower than or equal to the target probability of failure, $\Phi(-\beta_j^T)$. If the problem in Eq. (2) is solved through the reliability index approach (RIA) [14], Eq. (2b) can be rewritten as where the reliability index of each limit-state $\beta_j^{M_i}$ must be greater than the target reliability index $\beta_j^T$. Normalizing this equation, the multi-model RBDO problem can be reformulated as in Eq. (3):

Probability-damage approach for fail-safe design optimization (PDFSO)
Finally, Cid et al. [10] formulated the probability-damage approach for fail-safe design optimization (PDFSO). That research incorporates a source of uncertainty that had not been taken into account in fail-safe optimization approaches until then. It involves the consideration that each damaged configuration has its own probability of occurrence. That is, accidental situations that can lead to partial collapse of the structure do not necessarily have the same probability of occurrence. This information can be introduced into the optimization problem in such a way that each damaged configuration affects the final design based on its probability of occurrence.
To illustrate this concept, we consider as an example of structural response g j the limit-state of stress in a generic element j as g j ∶ j − max . Figure 2 shows the limit-state g in the element j in each damaged configuration M i ( g ). As each limit-state g j is influenced by the probability of occurrence of the damaged configurations P M i , a source of uncertainty is included in the problem. Thus, a probabilistic formulation is defined where the values of the structural response g M i j in all damaged models are used to construct a single random response Ĝ j per limit-state. The probability mass function of the new random limit-state Ĝ j Fig. 2 Limit-state in the element j (in black color) in each incomplete Fig. 3. The PDFSO approach is formulated in Eq. (4). A deeper explanation of this methodology can be found in Cid et al. [10]. Equation (4c) means that the probability of overcoming the limit-state in the damaged structure ( Ĝ j ) has to be lower than or equal to a specific target probability of failure p T f j . This means that in case of an accidental situation, the fulfillment of all the limit-states is guaranteed with at least a confidence level of

Introduction
The fail-safe strategy presented in this paper merges the two methodologies described in Eqs. (2) and (4) to obtain a unified approach which simultaneously considers the uncertainty due to the probability of occurrence of each damaged model and the inherent uncertainty in parameters that affect the structural response. The main idea is to formulate a PDFSO problem under aleatory uncertainty, where the reliability index associated with a limit-state of the damaged structure is defined by a probability mass function. The reason is that there is no certainty concerning which damaged configuration of the whole set may occur; hence, it is not possible to give a unique value of $\beta$ for a limit-state referring to the damaged structure. This strategy, denoted as β-PDFSO, is described in detail in the following section.

Description and formulation
The fundamental assumption in the β-PDFSO is that a partial collapse will occur, causing damage to the structure. Therefore, simultaneously guaranteeing a target reliability index over all possible damaged configurations seems a very restrictive approach. In addition, each failure scenario should contribute to the final design according to its probability of occurrence $P_{M_i}$. It is important to note that the probability of a given damaged configuration $P_{M_i}$ is defined here as the following conditional probability: where A is the accidental event that produces a partial collapse of the structure. Thus, an initial premise to satisfy is that $\sum_{i=1}^{D} P_{M_i} = 1$, since we assume in the optimization problem that an accidental situation will occur and that the events $M_i$ are independent of each other.
The AC 25.1309-1B [20] defines these events as "hazardous failure conditions" and must be considered as "extreme remote events", having an average probability per flight hour of the order of $10^{-7}$ (one accident per 10 million hours of flight). Thus, the actual probability of occurrence of a specific damaged configuration will be given by the value $P_{M_i}$ multiplied by the probability of having an accident of this type P[A].
Generally, RBDO problems are formulated with the aim to minimize a function subject to the reliability index associated with each limit-state j being greater than a target reliability index. However, applying this approach over the intact and all the damaged configurations simultaneously might be too conservative, as only one of them will happen. Given that $\beta_j$ (reliability index with respect to the limit-state $G_j$) can be calculated at each damaged configuration ($M_i$), there would be as many reliability indices ($\beta_j$) as damaged configurations with their associated probability of occurrence, resulting in pairs of values [   1, … , D ), and the vertical coordinate indicates the value of the probability of occurrence of the associated damaged configuration, $P_{M_i}$. Thus, this representation can be understood as the probability mass function, $f_{\hat{\beta}_j}$, of the discrete random variable $\hat{\beta}_j$ = As a result, a single design constraint per limit-state can be generated using this new random variable $\hat{\beta}_j$ that represents the reliability of the damaged structure in the limit-state $G_j$. The idea is to define the design constraint to ensure that $\beta_j^T$ will be achieved with the certainty the designer demands. Then, a new RBDO problem can be defined (β-PDFSO) as presented in Eq. (5). Equation (5b) guarantees the specified target reliability index $\beta^T$ over the limit-states associated with the intact model $M_0$. Furthermore, Eq. (5c) denotes that the probability of not guaranteeing the safety level in the damaged structure $\hat{\beta}_j$ must be lower than the target probability of failure $p^T_{f_j}$ accepted by the designer. The complementary value of $p^T_{f_j}$ is denoted as target reliability level, as the confidence level of the structure when an accidental collision occurs.
The β-PDFSO problem when $p^T_{f_j} = 0$ provides an optimum solution that matches the result of solving the fail-safe RBDO [9], where the reliability indices for the whole set of damaged configurations are simultaneously greater than or equal to the target reliability index ( . However, as stated above, guaranteeing $\beta_j^T$ in all damaged configurations seems a rather restrictive approach. When adopting a value of $p^T_{f_j} \neq 0$, $\beta_j^T$ would not be satisfied in some limit-states, but the final design must comply with Eq. (6). To clarify this point, Fig. 6 shows a simplified case with only four damaged configurations indicating how the design constraints are checked at the optimum solution for a generic limit-state j.
As can be seen, the reliability index $\beta_j$ is below the target reliability index $\beta_j^T$ in the damaged configurations $M_2$ and $M_4$. Thus, the probability of not guaranteeing $\beta_j^T$ in the damaged structure for that limit-state will be the probability of $M_2$ or $M_4$ occurring, i.e., the sum of their probabilities of occurrence. Consequently, at the optimum design, $P_{M_2} + P_{M_4}$ must be lower than or equal to $p^T_{f_j}$, as stated in Eq. (5c).
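The four-configuration check described above can be reproduced numerically. The following is an added example, not code from the paper or the authors' repository: it evaluates the intact constraint and the damaged-structure constraint of Eq. (5c) at one fixed design and contrasts them with the fail-safe RBDO requirement. The linear responses, their coefficients, R_MAX and the occurrence probabilities are constructed for illustration; only the random-variable statistics and the target of 3.7190 come from the text.

```python
import math
from statistics import NormalDist

STD_NORMAL = NormalDist()


def beta_from_pf(pf):
    """Reliability index for a probability of failure: beta = -Phi^{-1}(pf)."""
    return -STD_NORMAL.inv_cdf(pf)


def beta_linear(coeffs, r_max, means, stds):
    """Exact reliability index of the limit-state R - r_max <= 0 when
    R = sum(c_k * x_k) and the x_k are independent normal variables."""
    mu_r = sum(c * m for c, m in zip(coeffs, means))
    sigma_r = math.sqrt(sum((c * s) ** 2 for c, s in zip(coeffs, stds)))
    return (r_max - mu_r) / sigma_r


def prob_below_target(betas, probs, beta_t):
    """P[beta_hat < beta_t]: sum of the occurrence probabilities of the
    damaged configurations whose reliability index misses the target."""
    if len(betas) != len(probs):
        raise ValueError("one probability per damaged configuration is required")
    if any(p < 0 for p in probs) or not math.isclose(sum(probs), 1.0):
        raise ValueError("conditional probabilities must be >= 0 and sum to 1")
    return sum(p for b, p in zip(betas, probs) if b < beta_t)


def failsafe_rbdo_feasible(beta_intact, betas, beta_t):
    """Fail-safe RBDO: the target must hold in the intact model and in
    every damaged configuration simultaneously."""
    return beta_intact >= beta_t and all(b >= beta_t for b in betas)


def beta_pdfso_feasible(beta_intact, betas, probs, beta_t, pf_t, tol=1e-12):
    """beta-PDFSO: target in the intact model, and the probability of
    missing it in the damaged structure must not exceed pf_t."""
    missed = prob_below_target(betas, probs, beta_t)
    return beta_intact >= beta_t and missed <= pf_t + tol


# Target reliability index for a target probability of failure of 1e-4.
BETA_T = beta_from_pf(1e-4)

# Random parameters x = [x1, x2] as defined for the analytical problem.
MEANS = (0.25, 1.0)
STDS = (0.025, 0.1)

# Constructed data (assumptions, not from the paper): response coefficients
# at one fixed design, allowable response, and conditional probabilities.
R_MAX = 2.0
INTACT_COEFFS = (1.0, 0.5)
DAMAGED_COEFFS = [(2.0, 0.8), (2.0, 1.3), (1.0, 1.0), (4.0, 0.6)]  # M1..M4
PROBS = [0.40, 0.06, 0.50, 0.04]

BETA_INTACT = beta_linear(INTACT_COEFFS, R_MAX, MEANS, STDS)
BETAS = [beta_linear(c, R_MAX, MEANS, STDS) for c in DAMAGED_COEFFS]

if __name__ == "__main__":
    print(f"beta_T = {BETA_T:.4f}, intact beta = {BETA_INTACT:.3f}")
    for i, (b, p) in enumerate(zip(BETAS, PROBS), start=1):
        status = "ok" if b >= BETA_T else "below target"
        print(f"M{i}: beta = {b:.3f}, P = {p:.2f} ({status})")
    print("P[beta_hat < beta_T] =", round(prob_below_target(BETAS, PROBS, BETA_T), 4))
    print("fail-safe RBDO feasible:", failsafe_rbdo_feasible(BETA_INTACT, BETAS, BETA_T))
    for pf_t in (0.02, 0.05, 0.10):
        ok = beta_pdfso_feasible(BETA_INTACT, BETAS, PROBS, BETA_T, pf_t)
        print(f"beta-PDFSO feasible at pf_T = {pf_t:.2f}:", ok)
```

With this constructed data M2 and M4 miss the target, so the design fails fail-safe RBDO but passes the damaged-structure constraint once the accepted probability reaches 0.10. This is the exact step-function form of the check; the optimization loop in the paper evaluates a PCHIP-interpolated CDF instead so that gradients exist.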
After normalizing the probabilistic constraints (5b) and (5c), the β-PDFSO can be reformulated as in Eq. (7). The probability mass function of $\hat{H}_j$ is defined through the pair of values [$H_j^{M_i}$, $P_{M_i}$] ∀ i, which gives rise to a piecewise discontinuous cumulative distribution function $F_{\hat{H}_j}$. Figure 7 shows the flowchart of the β-PDFSO problem formulated in Eq. (7).

The optimization code was developed in MATLAB [32], using the SQP algorithm implemented in the fmincon function. The algorithm modifies the design variables at each finite difference step, where the input data of the FE models are automatically updated. An HPC cluster is used to simultaneously calculate the reliability indices in all the configurations, which greatly accelerates the iterative procedure. The following steps need to be performed in a loop until convergence:
1. The set of damaged FE meshes representing the damaged configurations must be defined prior to initiating the optimization procedure ($M_i$, i = 0, … , D).
2. The value for the design variables k is established for the initial design, k = 0.
Then, Eq. (7b) can be evaluated.
5.2 To evaluate each constraint associated with the damaged structure (which is unknown), the CDF of the normalized random reliability index in the damaged structure ($F_{\hat{H}_j}$) has to be built for each limit-state j. The single random response ($\hat{H}_j$) represents the reliability of the damaged structure and contains the information of the reliability indices  occurrence $P_{M_i}$. Since $\hat{H}_j$ is a discrete random response, it must be interpolated over the entire domain to apply gradient-based optimization. Furthermore, $F_{\hat{H}_j}$ has to be continuous and differentiable to compute its gradients. For this reason, the Piecewise Cubic Hermite Interpolating Polynomial (PCHIP) from MATLAB was adopted to evaluate Eq. (7c). As a result, by evaluating $F_{\hat{H}_j}(0)$ at different values of design variables, different values of the constraints are obtained, allowing the algorithm to progress.
6. If F converged and the design constraints are satisfied, the final design is achieved. Otherwise, the design variables are updated.
7. The iterative process continues (k = k + 1) going back to step 3 until the convergence criteria are satisfied. The first criterion is the one based on Karush-Kuhn-Tucker (KKT) conditions, that is, the objective function has to be non-decreasing in feasible directions, within the value of the optimality tolerance. This value is established in the fmincon solver through the parameter OptimalityTolerance, set to $10^{-3}$. The second criterion refers to the fulfillment of design constraints, which have to be satisfied within the value of the constraint tolerance. This value is established in the fmincon solver through the parameter ConstraintTolerance, also set to $10^{-3}$.

Case studies
Three examples of structural optimization using the β-PDFSO formulated in Eq. (7) are presented below. In all of them, the same target reliability index $\beta_j^T = \beta^T = 3.7190$ is adopted for all limit-states j, which corresponds to a target probability of failure of $10^{-4}$.

Analytical problem
This section introduces a simple analytical example to illustrate the application of the β-PDFSO and to make the method easier to follow. The idea is to define a fail-safe optimization problem using mathematical expressions to simulate the objective function $F$ and the structural responses $R_j$. These structural responses do not have any physical meaning. They are only analytical expressions that simulate the behavior of a structural system. That is, an increase in the value of the design variables leads to an increase in the value of the objective function and reduces the value of the structural responses. These structural responses depend on the design variables     Table 1.
The objective is to minimize the objective function $F$, defined as the sum of the design variables $d = [d_1, d_2]$. In a deterministic approach without any source of uncertainty, the design constraint would simply be that the response $R_j$ is less than the allowed response $R_{max}$. However, two sources of uncertainty are taken into account in this problem: the aleatory uncertainty in the random parameters $x = [x_1, x_2]$ affecting the structural response and the uncertainty due to the probability of occurrence of each partial collapse.
The formulation of the β-PDFSO problem is presented in Eq. (10), with the probabilistic constraints of the intact (Eq. 10b) and damaged configurations (Eq. 10c). The random variables are defined as normally distributed with mean $\mu = (0.25, 1)$ and standard deviation $\sigma = (0.025, 0.1)$. As there are two structural responses ($R_j$, with $j = 1, 2$), the problem has a total of four design constraints (two for the intact model and two for the damaged structure)      so that the structural response $R^{M_i}_j$ is lower than the maximum value of the response $R_{max}$. The definition of the probabilistic constraints is summarized in Fig. 8.
The optimization problem presented in Eq. (10) was solved for a target reliability index $\beta^T = 3.7190$ and target probabilities of failure $p^T_f$ equal to 0.02, 0.05, and 0.10, which correspond to a confidence level, $R^T$, of 0.98, 0.95, and 0.90, respectively. This means that the optimum design obtained from the β-PDFSO approach guarantees a target reliability index of 3.7190 when a partial collapse occurs with certainties of survival of at least 98, 95, and 90%, respectively.
The results are presented in Table 2, along with the results of the intact and fail-safe RBDO. As can be seen, the β-PDFSO result is bounded between the intact ($F = 1.8376$) and fail-safe ($F = 6.5941$) RBDO designs, leading to a reduction in the objective function of 7.51%, 22.09% and 35.88% for $p^T_f$ = 0.02, 0.05, and 0.10, respectively. Taking the case with $p^T_f = 0.05$ as an example, when a partial collapse occurs, $\beta_j \geq \beta^T$ is satisfied with at least 95% probability. Thus, the objective function can be reduced by 22.09% with respect to the fail-safe RBDO, where $\beta^T$ is guaranteed with a reliability level of 100%.
The active constraints for the intact model and fail-safe RBDO designs are summarized in Table 3. In these formulations, the target reliability index is guaranteed in all configurations, having exactly the value $\beta = 3.7190$ for the active limit-states. The active constraints for the β-PDFSO   Table 4. It can be seen from this table that the sum of $P_{M_i}$ associated with those damaged configurations where the target reliability index is not guaranteed is always below the value of $p^T_f$ imposed by the designer in the optimization problem, as stated in Eq. (6). In addition, Figs. 9, 10 and 11 show the CDFs associated with active constraints in the β-PDFSO for $p^T_f$ = 0.02, 0.05, and 0.10, respectively.

Two-dimensional truss structure
This example corresponds to a practical engineering case of a 125-bar truss structure, with elements supporting axial and bending forces. The structure represents a 160 m long and 10 m high bridge, with a spacing of 5 m between vertical bars. The load case considered corresponds to the application of concentrated forces of 200 kN in the nodes of the bottom chord, as presented in Fig. 12. It is assumed that an accident causing loss of some bars will occur as a result of a vehicle impact. Recent civil engineering codes [7] contemplate that "structural schemes must ensure that the accidental removal of a limited part of the structure does not compromise its integrity". The FE model was defined in Abaqus [1], with bars modeled through the B21 element type and solid circular section. The bar IDs appear in Fig. 12, where only the left part is shown due to the symmetry of the structure. Uncertainty is present in the concentrated forces applied in the nodes of the bottom chord, taking the load value as a normal random variable with mean $\mu_P$ = 200 kN and standard deviation $\sigma_P$ = 20 kN. Figure 13 shows the set of 46 damaged models considered in the problem. It is assumed that only the inner bars can be damaged and that the likelihood of simultaneously breaking two bars is less than that of breaking only one. Scenarios where more than two bars are damaged simultaneously are not taken into account. Three types of partial collapses were considered, whose probabilities of occurrence are summarized in Table 5.
The design variables are the cross-sectional radius of the members. The structure has been divided into 12 zones with one design variable each. Table 6 lists the members that have the same design variable, as well as their initial values.

The complete formulation of the problem is presented in Eq. (11), where the volume $V$ of the intact structure is considered as the objective function. Probabilistic design constraints of normal stress in the members are established. As discussed in Sect. 3, two types of constraints are defined: the first one affects only the limit-states of the intact structure and the second one affects the damaged structure, which is unknown. Therefore, it is necessary to define the confidence level required over these restrictions. In this example, a minimum reliability index of $\beta^T = 3.719$ is imposed and three confidence levels have been considered: $R^T_j$ = 0.98, 0.95 and 0.9, which correspond to a probability of failure of $p^T_f$ = 0.02, 0.05 and 0.1, respectively. Table 7 shows the optimum values of the bar radius in the intact structure that minimize its weight while satisfying the probabilistic constraints. The results show that the final volume of the design is always between the intact ($V = 52.1511$ m$^3$) and fail-safe ($V = 102.1052$ m$^3$) RBDO designs. It can be seen that if the designer increases the confidence level close to the maximum ($R^T_j = 1$), the design leads to the fail-safe RBDO. On the contrary, if the confidence level decreases, the solution leads to the RBDO optimum when only the intact structure is considered. With this approach, the savings obtained for each $R^T_j$ are the following: 0.79%, 3.66%, and 17.93% for $R^T_j$ of 0.98, 0.95, and 0.9, respectively.
Furthermore, it was found that the decrease in the value of $R^T$ is not linear with the decrease achieved in the objective function. Also, it is observed that although the β-PDFSO provides designs with values of the objective function bounded between the intact RBDO and fail-safe RBDO results, the design variables do not necessarily follow this rule. For instance, for $R^T = 0.98$, the values for the bottom chord in zones 1 and 3 are higher than the values in the fail-safe RBDO.
Bars with active stress constraints for the intact and fail-safe RBDO designs are shown in Fig. 14, all of them with a reliability index equal to 3.719. Figure 15 and Table 8 show the active limit-states for the β-PDFSO designs ($p^T_f$ = 0.02, 0.05 and 0.10). In particular, the damaged configurations where the reliability indices are not guaranteed are shown. Thus, although $\beta^T$ is not achieved in some damaged configurations, the sum of their probabilities of occurrence is less than the $p^T_f$ set by the designer. In the case $p^T_f = 0.10$, the stress in bar 43 ($\sigma_{43}$) is an active limit-state in the damaged structure, since $P[\hat{H}_{43} \leq 0] = 0.099963$, as can be seen in Fig. 16, satisfying the probabilistic constraint shown in Eq. (11c). This can also be checked by the sum of the values of $P_{M_i}$ where $\beta^T$ is not achieved, $M_{10}$, $M_{12}$, $M_{25}$, $M_{40}$, and $M_{42}$, being lower than the target value of 0.1. This slight difference is due to the use of the polynomial interpolation to evaluate the piecewise CDF, as can be seen in the zoom presented in Fig. 16. The same behavior can be observed in Table 8 for the remaining limit-states and different values of $p^T_f$.
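The constraint evaluation of step 5.2 and the bar 43 check above, as an added Python example that is not the authors' MATLAB code: it builds the discrete CDF of the normalized reliability index and evaluates it at 0 both as the exact sum of $P_{M_i}$ and through a monotone cubic Hermite (PCHIP-style) interpolant. The normalization $\hat{H} = \beta/\beta^T - 1$, the one-sided end slopes, the clamping outside the data, the sample values and all function names are assumptions made for this illustration.

```python
from bisect import bisect_right
from statistics import NormalDist

def target_beta(p_fail):
    """Reliability index for a target failure probability: beta = -Phi^-1(p)."""
    return -NormalDist().inv_cdf(p_fail)

def damaged_cdf(betas, probs, beta_t):
    """Support points (h_k, F_k) of the discrete CDF of H = beta/beta_T - 1.
    The normalization is an assumption; only the sign of H at beta_T matters."""
    xs, fs, acc = [], [], 0.0
    for h, p in sorted((b / beta_t - 1.0, p) for b, p in zip(betas, probs)):
        acc += p
        if xs and h == xs[-1]:
            fs[-1] = acc                  # tied values share one support point
        else:
            xs.append(h)
            fs.append(acc)
    return xs, fs

def step_cdf(xs, fs, x):
    """Exact discrete CDF: summed probability of configurations with H <= x."""
    k = bisect_right(xs, x)
    return fs[k - 1] if k else 0.0

def pchip_cdf(xs, fs, x):
    """Monotone cubic Hermite interpolant through (h_k, F_k); needs >= 2 points
    and strictly positive occurrence probabilities."""
    if x <= xs[0] or x >= xs[-1]:
        return fs[0] if x <= xs[0] else fs[-1]   # clamp outside data (assumption)
    n = len(xs)
    h = [xs[i + 1] - xs[i] for i in range(n - 1)]
    d = [(fs[i + 1] - fs[i]) / h[i] for i in range(n - 1)]
    m = [d[0]] + [0.0] * (n - 2) + [d[-1]]       # simplified one-sided end slopes
    for k in range(1, n - 1):                    # Fritsch-Carlson interior slopes
        w1, w2 = 2 * h[k] + h[k - 1], h[k] + 2 * h[k - 1]
        m[k] = (w1 + w2) / (w1 / d[k - 1] + w2 / d[k])
    i = bisect_right(xs, x) - 1
    t = (x - xs[i]) / h[i]
    return ((1 + 2 * t) * (1 - t) ** 2 * fs[i] + t * (1 - t) ** 2 * h[i] * m[i]
            + t * t * (3 - 2 * t) * fs[i + 1] + t * t * (t - 1) * h[i] * m[i + 1])

# Constructed sample: six damaged configurations of one limit-state.
BETAS = [3.40, 3.60, 3.80, 4.10, 4.50, 5.20]   # reliability index per configuration
PROBS = [0.03, 0.05, 0.12, 0.30, 0.30, 0.20]   # probability of occurrence P_Mi

def constraint_values(betas, probs, p_target=1e-4):
    """Return (exact sum, interpolated value) of P[H <= 0]."""
    xs, fs = damaged_cdf(betas, probs, target_beta(p_target))
    return step_cdf(xs, fs, 0.0), pchip_cdf(xs, fs, 0.0)

if __name__ == "__main__":
    print(constraint_values(BETAS, PROBS))
    print(constraint_values([b + 0.05 for b in BETAS], PROBS))
```

On the constructed data the exact sum stays at 0.08 when every reliability index grows by 0.05, while the interpolated value decreases; that continuous response is what gives a gradient-based optimizer a usable slope, and it also explains why the interpolated probability sits slightly above the plain sum of $P_{M_i}$.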

Aircraft-tail fuselage
The motivation for this industrial-type example comes from the demands of the aviation sector. One of the designs considered for the new generation of single-aisle aircraft includes two open rotor engines with two blade planes.
This configuration must account for incidents produced by unleashed debris striking the fuselage, such as the release of unducted blades or debris originated by uncontained engine failures. Thus, the proposed failure cases correspond to a representative sample of the damage scenarios contemplated by the industry in modern aircraft (Table 11). The 3D model presented in Fig. 17 represents the rear part of a commercial aircraft. The propulsion system consists of two open rotor engines, which are mounted in section 19 of the aircraft. This section is 6100 mm long, with a frontal interface frame 3300 mm wide and 3500 mm high, and a rear frame 1200 mm wide and 1400 mm high connecting to the tail cone. Section 19 consists of a fuselage skin stiffened by frames, stringers, and a torsion box, whose purpose is to absorb the VTP and HTP loads. These engines contain large unducted blades that could be released in the event of failure, as well as other rotating components inside the nacelle that could lead to an uncontained rotor failure [25,28]. The FE model of section 19 was defined using Nastran [34]. It has a total of 4044 degrees of freedom, comprising 570 shell elements (CQUAD4 and CTRIA3), 543 bar elements (CBAR and CBEAM), and 280 truss elements (CROD), to represent the fuselage skin, frames, stringers, and the torsion box. Rigid connections (RBE3) are used to simulate the load transmission of the vertical and horizontal tail plane (VTP and HTP). Another RBE3 is defined to constrain the nodes of the interface frame, as shown in Fig. 17. Loads from the VTP, HTP, and tail cone are applied in section 19,     as shown in Fig. 17. The load cases used in this example are defined in Table 9. The Young's moduli of the materials used in skin and stiffeners are considered as normal random variables whose mean and standard deviations are shown in Table 10.
Uncertainty in load values is contemplated through the definition of a multiplication factor, defined as a new normal random variable as presented in Table 10.
Essentially, two types of failure scenarios associated with discrete events were considered in this research. The first one represents the accidental situations that generate debris striking the aircraft fuselage, such as the release of broken blades or uncontained engine failures. Examples of real accidents of this type can be found in reports by the Federal Aviation Administration [15,16,18]. The damaged models related to these events correspond to those presented in Fig. 18, going from $M_1$ to $M_{54}$. The second failure scenario is associated with the fitting failure in the VTP/HTP or rear tail cone joints. These situations are commonly studied in the aerospace industry when analyzing airframe assemblies, where a failure of the lugs and bolts can lead to the detachment of two assembled sections. In this case, the damaged models are presented in Fig. 19, with labels from $M_{55}$ through $M_{66}$, where one of the fittings fails.
The aerospace industry agrees upon different probabilities of occurrence for damage scenarios of different nature. In this example, as the real values should be obtained from confidential aircraft reports, approximate values were adopted to simulate a realistic probability assignment of the failure events. Table 11 shows each type of failure considered as well as their probability of occurrence. The aim is to obtain the minimum mass of the skin and frames in the intact structure, considering the probability of occurrence of the set of 66 partial collapses and the uncertainty in the random parameters presented in Table 10. The skin was divided into five zones, and frames were organized into two groups, corresponding to a different channel profile. Thus, the skin thickness of each zone and the dimensions of each frame profile amount to a total number of 13 design variables. All of them are presented in Fig. 20. Table 12 shows the optimum values of skin thicknesses and dimensions of frame profiles. It can be concluded that the final mass of the design is always between the intact ($M = 230.6758$ kg) and fail-safe ($M = 514.8307$ kg) RBDO designs. Mass savings increase up to 5.30% for a confidence level of 0.95 and 13.56% for a confidence level of 0.90. As in the previous example, the design variables are not bounded between the lower and upper bounds provided by the intact and fail-safe RBDO designs. In this case, the flange length in the type 2 frame ($Fb_2$) is not bounded between 32.6178 and 34.3031, having values for $R^T$ = 0.95 and 0.90 of 29.7569 and 27.4679 mm. This means that the optimum design resulted in a different load-path structure compared with the fail-safe RBDO.
By assuming the confidence level of $R^T = 0.90$, the mass of the design is considerably reduced compared to the fail-safe RBDO, while still yielding acceptable safety levels. The reason is that an accidental scenario leading to a partial collapse of the structure is an event categorized in the AC 25.1309-1B [20] as extremely remote, which corresponds to a probability of less than $10^{-7}$. Therefore, considering $p^T_f = 0.10$ implies that in only 10% of the accidents of this type that occur, the reliability index of some limit-states will not reach the desired $\beta^T$ in some of the damaged configurations. Active constraints for the optimum designs shown in Table 12 are summarized in Tables 13 and 14. As in the example presented in Sect. 4.2, there are some damaged configurations where $\beta^T$ is not guaranteed in some limit-states. However, the sum of the probabilities of occurrence associated with these constraints is less than the $p^T_f$ set by the designer. In addition, Figs. 21 and 22 show the CDF of the limit-states associated with active constraints in the β-PDFSO for $p^T_f$ = 0.05 and 0.10, respectively.

Conclusions
The β-PDFSO is a new fail-safe optimization strategy to obtain minimum weight structures that takes into account the probability of occurrence of each accidental scenario, as well as uncertainty in parameters affecting structural responses. The results show that it is possible to avoid oversized designs compared to those obtained using a standard fail-safe RBDO approach, in which the probability of occurrence of each damaged configuration is disregarded.
The advantages provided by the proposed method can be clearly seen in example 1, where a reduction of 8.92% is achieved for a confidence level of $R^T = 0.98$ compared to the result given by the fail-safe RBDO. Furthermore, for $R^T$ equal to 0.95 and 0.90, the methodology achieves reductions of the objective function of up to 20.99% and 32.60%, respectively. In structural application example 2, the savings achieved are 0.79%, 3.66%, and 17.93% for the same $R^T$ values as in example 1. Finally, in example 3, the objective function is reduced by up to 5.30% for $R^T = 0.95$ and 13.56% for $R^T = 0.90$.
It is worth mentioning that an accident leading to a partial collapse of a structure is an event categorized by the regulations as extremely remote. In the case of an aeronautical structure, a probability of less than $10^{-7}$ is established. In this context, it seems appropriate to establish a confidence level on the constraints affecting the damaged structure. The β-PDFSO has proven to be a promising approach for achieving optimum designs under fail-safe conditions for industrial applications in which the specific probability of occurrence of each damaged configuration is available. Nevertheless, the authors are aware that the method is computationally expensive, since the reliability indices of all limit-states must be calculated for all damaged configurations. Further research on strategies to alleviate the computational cost is currently under development, oriented toward reducing the set of reliability indices to be calculated in each iteration of the optimization process. Other future work is aimed at including not only random uncertainty but also epistemic uncertainty.

Replication of results
MATLAB code with the β-PDFSO method applied to the analytical example presented in Sect. 4.1 is available at: https://github.com/claracbengoa/betaPDFSO.