Interoperability between a dynamic reliability modeling and a Systems Engineering process – Principles and Case Study
Gilles Deleuze, Aurélie Leger, Pierre Yves Piriou (Electricité de France R&D)
Sylvain Chabroux, Joe Matta (Knowledge Inside)
ERTS 2014, Toulouse, 6 Feb 2014

SUMMARY
Introduction
Definitions
Framework for RAMS/SE Interoperability
Meta model for interoperability
Case Study
Conclusion
‹N°› - 05/06/2012

INTRODUCTION
RAMS = Reliability, Availability, Maintainability and Safety assessments
• Feasibility demonstrated of interoperability between System Engineering frameworks and RAMS [David, 2010], [Aboutaleb, 2012]
• Limitation: “static” dependability, invariant system structure
• Large and complex industrial systems require “dynamic” dependability approaches
• Idea: develop a “hub automaton” that supports the translation of dynamic models for specific dynamic dependability tools.

TEST CASE
Steam generator in a nuclear power plant
Risk = Unavailability of the Feedwater Control System
Figure: view of the internal parts of the steam generator (SG); schematic diagram of the SG; level variation range to be monitored.
Heat exchange surface: 4746 m2
Steam flow rate: 1820 t/hr
Height: 20.60 m
Diameter: 4.50 m
Empty weight: 300 t

DEFINITIONS
Complexity = “interactive complexity” + “tight coupling” [Perrow, 85]
• Interactive complexity: dynamic phenomena, occurrence of rare event sequences and non-linear effects. Consequence: risk of incomplete knowledge of the system.
• Tight coupling: strong interdependence between phenomena. Consequence: risk of dependent failures, e.g. common-cause and cascade failures.
DEFINITIONS
Dynamic Dependability: “…influence of time, process dynamics, and human actions, on system operations and failures, and accidental scenarios.” [Brissaud, 2011]
• Relies on Dynamic Fault Trees, Boolean Driven Markov Processes…
Hybrid System: combination of continuous physical processes, deterministic event sequences, random events [Aubry et al., 2012]
Hybrid dependability
• Mathematical framework: Kolmogorov-Chapman equations [Labeau, Smidts, 2000]
• Modeling or simulation of Piecewise Deterministic Markov Processes (PDMP) [Dufour, 2002]
Dynamic reliability: continuous phenomena (for example, ageing) influenced by stochastic events or drifts: reliability characteristics influenced by the process.

FRAMEWORK FOR RAMS/SE INTEROPERABILITY

FRAMEWORK: Interoperability vs. Integration [Léger, 2009]
Figure with three views of activities A, B and C:
• Real system: real activities are in interaction and sometimes in integration.
• An integrated model of the system: integrated model of activities, built on shared semantics.
• An interoperable model of the system: interoperable model of activities, exchanging through a neutral exchange formalism.

FRAMEWORK: Implementation of the metamodel
Choice of arKItect Designer: Commercial Off-The-Shelf (COTS) by KNOWLEDGE INSIDE
• Ready-to-use Meta-Model Interpreter
• Generation of customizable building block diagrams
• Easy to use. Completeness.

FRAMEWORK: Dynamic Modelling
Two approaches:
• Stochastic Hybrid Automaton (SHA) [Babykina, 2011] [Castaneda, 2011]
  - Quantitative analysis with Monte Carlo simulations, to make dependability assessments
  - Quantitative analysis with exploration of minimal sequences
  - Open source tool from EDF R&D: Pycatshoo, based on SHA [Chraïbi, 2013]
• State Charts and a dedicated COTS (Matlab/Simulink) [Zhang, 2012]
  - Quantitative analysis with Monte Carlo simulations
Both require:
• Combination of engineering activities
• Computational power
• Large volume of data (e.g. reliability data, state graphs…)
• Models at component level
• Interoperability between various tools (Matlab, Scilab, Pycatshoo…)
Choice for this study: interoperability between the SE process and a dynamic modeling based on SHA.

FRAMEWORK: RAMS/SE interoperability
Stages of the SE process
• System Specifications (SS)
• Analysis of requirements
• Functional Architecture
• System Design (SD)
• System Architecture (SA)
• Refinement
• Feedback

FRAMEWORK: RAMS/SE interoperability
Stages of the RAMS process
• Preliminary Risk Analysis (PRA): system state definition, system risk event identification, Undesired Customer Event (UCE) identification
• System Risk Analysis (SRA): “static” analysis such as Failure Modes and Effects Analysis (FMEA), Fault Tree Analysis (FTA)
• Dynamic modeling

FRAMEWORK: interoperable System Engineering and RAMS processes developed for the test case
Figure: RAMS process, implementation in arKItect.

FRAMEWORK: RAMS/SE interoperability
• Relations between the processes implemented through the SE platform
• Python scripting to interface the SE platform and RAMS tools
• Documentation
• Traceability maintained throughout all levels of the system model, incl. requirements, evolutions…
• Allocation of System Requirements to hardware, software, or manual actions
• Allocation of functional and performance requirements or design constraints

METAMODEL FOR INTEROPERABILITY
Existing meta-model [Pfister, 2012] extended to represent Dynamic Dependability in SE processes [Piriou, 2013] [Piriou, 2014]
• Semantics for phased mission systems with repairable multistate components
• Represented by a UML class diagram

METAMODEL FOR INTEROPERABILITY: specific items for dynamic RAMS modeling
• Phased missions: structure, failure and recovery processes, success criteria are phase-specific
• Component States: each component can be activated and can fail according to several operation
  Figure: Component States, implementation in arKItect.
• Effects of component states on function achievement: important for components having non-discrete capacities (pumps, heaters…)
• Redundancy policies
  Figure: Achievement rates, implementation in arKItect.

METAMODEL FOR INTEROPERABILITY: algorithm for a dynamic model
Based on an instance of the meta-model. Formalism: Stochastic Guarded Transition System (SGTS) [Rauzy, 2008]
Algorithm:
• Defining and initializing variables
• Defining the transitions: 3 mission phase transitions, 7 stochastic transitions, 4 priority transitions (redundancy policy)
• Defining assertions: compute if the function is satisfied and if the redundancy policies must be called
Figures: instance of the meta-model; example of a priority transition; example of a stochastic transition.

CASE STUDY

THE CASE STUDY
Availability of a feed-water control system used in a power plant steam generator
• Classical problem of hybrid dependability with a dynamic reliability issue [Aubry et al., 2012], [Zhang, 2012], [Deleuze et al., 2011], [NUREG 6942]
• In the article, only the sub-system composed of the two feeding turbo pumps is considered.

THE CASE STUDY
SGTS implemented with PyCATSHOO [Chraïbi, 2013]: PythoniC AuTomates Stochastiques Hybrides Orientés Objet
• Expert knowledge integrated in the model to compensate for the lack of knowledge due to the semantics used for interoperability
• Availability is assessed with a Monte Carlo simulation
• Output: unavailability of the two pumps
• Sequence: 12 identical missions. For each mission: 1st phase lasts 1 day, 2nd phase 28 days, 3rd phase 1 day.
• Average unavailability is equal to 0.62%.
Figure: unavailability of the pumps (x-axis: time in hours, y-axis: unavailability).

CONCLUSION
• First step towards interoperability of SE and dynamic RAMS
• A sound SE process, supported by a tool like arKItect Designer, can support the RAMS engineer in managing data and models
• A “hub automaton” based on a Stochastic Guarded Transition System supports the translation of the dynamic dependability model into dynamic RAMS tools
• Given an SE meta-model [Piriou, 2013], a RAMS engineer can model realistic failure/repair scenarios, redundancy policies and dynamic allocation of functions… and manage traceability and data
• Complementary studies: more hybrid aspects, dynamic reliability modeling aspects.
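As an added example (not from the presentation, nor PyCATSHOO code), the Python script below sketches the SGTS algorithm described above for the two-pump sub-system: initialised state variables, deterministic mission-phase transitions, stochastic failure/repair transitions, priority transitions implementing the redundancy policy, and an assertion on function achievement, with unavailability estimated by Monte Carlo over 12 missions of 1 + 28 + 1 days. The pump names, the failure and repair rates, and the criterion "both pumps required at full power" are constructed assumptions, so its result is not the study's 0.62%.

```python
import random

# Constructed phased mission: (phase, duration in hours, pumps required for the function).
# The 1 / 28 / 1 day phases follow the presentation; requiring both pumps at full
# power is an assumption of this example, as are the pump names and rates below.
PHASES = [("startup", 24.0, 1), ("full_power", 28 * 24.0, 2), ("shutdown", 24.0, 1)]
PUMPS = ("TPA1", "TPA2")  # hypothetical names for the two feeding turbo pumps

def apply_priority_transitions(state, required):
    """Redundancy policy as priority (immediate, guarded) transitions: start
    standby pumps while fewer than `required` run, park surplus ones in standby."""
    for pump, status in state.items():
        running = sum(s == "running" for s in state.values())
        if running < required and status == "standby":
            state[pump] = "running"
        elif running > required and status == "running":
            state[pump] = "standby"

def simulate_history(n_missions, lam, mu, rng):
    """One Monte Carlo history of n_missions consecutive phased missions.
    lam: failure rate (1/h) of a running pump, mu: repair rate (1/h).
    Returns the fraction of time the feedwater function was not achieved."""
    state = {PUMPS[0]: "running", PUMPS[1]: "standby"}  # variable initialisation
    t, unavailable = 0.0, 0.0
    for _ in range(n_missions):
        for _phase, duration, required in PHASES:  # phase transitions at fixed dates
            t_end = t + duration
            while t < t_end:
                apply_priority_transitions(state, required)
                # Assertion: is the function achieved in the current phase?
                achieved = sum(s == "running" for s in state.values()) >= required
                # Stochastic transitions enabled in this state (exponential race)
                enabled = [(lam, p, "failed") for p, s in state.items() if s == "running"]
                enabled += [(mu, p, "standby") for p, s in state.items() if s == "failed"]
                total = sum(rate for rate, _, _ in enabled)
                dt = rng.expovariate(total) if total > 0 else float("inf")
                step = min(dt, t_end - t)
                if not achieved:
                    unavailable += step
                t += step
                if step == dt:  # a stochastic transition fires before the phase ends
                    _, pump, new_status = rng.choices(enabled, weights=[r for r, _, _ in enabled])[0]
                    state[pump] = new_status
    return unavailable / t

def estimate_unavailability(n_histories, lam, mu, seed=0, n_missions=12):
    """Average the per-history unavailability over n_histories independent histories."""
    rng = random.Random(seed)
    return sum(simulate_history(n_missions, lam, mu, rng) for _ in range(n_histories)) / n_histories
```

Calling `estimate_unavailability(500, 1e-4, 1 / 24.0)` runs 500 histories with constructed rates (one failure per 10^4 running hours, 24 h mean repair); the 7 stochastic and 4 priority transitions of the study would be added by extending the `enabled` list and the policy function.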