Interoperability between a dynamic reliability modeling and a Systems Engineering process – Principles and Case Study

Gilles Deleuze, Aurélie Leger, Pierre Yves PiriouElectricité de France R&D

Sylvain Chabroux, Joe MattaKnowledge Inside

ERTS 2014, Toulouse, 6 Feb 2014

‹N°› - 05/06/2012

Summary

Introduction

Definitions

Framework for RAMS/SE Interoperability

Meta model for interoperability

Case Study

Conclusion

‹N°› - 05/06/2012

Introduction

‹N°› - 05/06/2012

RAMS

=

Reliability, Availability, Maintainability and Safety assessments

‹N°› - 05/06/2012

INTRODUCTION

Feasibility demonstrated of interoperability between System Engineering frameworks and RAMS [David, 2010], [Aboutaleb, 2012]

Limitation: “static” dependability, invariant system structure

Large and complex industrial systems, requires “dynamic” dependability approaches

Idea:

develop a “hub automaton”, that supports the translation of dynamic models for specific dynamic dependability tools.

TEST CASESteam generator in a nuclear power plant

Vue des parties internes du GV

TEST CASE

Risk = Unavailability of Feed water control system

‹N°› - 05/06/2012

Feedwater Control System

Vue des parties internes du GV Schéma de principe du GV

Surface d’échange: 4746 m2Débit vapeur: 1820 t/hr

Hauteur: 20,60 mDiamètre: 4,50 m

Poids à vide: 300 t

plage de variation à surveiller.

‹N°› - 05/06/2012

Definitions

‹N°› - 05/06/2012

DEFINITIONS

Complexity = “interactive complexity” + “tight coupling” [Perrow, 85]

Interactive complexity : dynamic phenomena, occurrence of rare event sequences and non-linear effects.

Consequence: risk of incomplete knowledge of the system.

Tight coupling : strong interdependence between phenomena.

Consequence: risk of dependent failures, e.g. common-cause and cascade failures.

‹N°› - 05/06/2012

DEFINITIONS

Dynamic Dependability“…influence of time, process dynamics, and human actions, on system operations and failures, and accidental scenarios.“ [Brissaud, 2011]

Rely on Dynamic Fault Trees, Boolean Driven Markov Processes…

Hybrid SystemCombination of continuous physical processes, deterministic event sequences, random events [Aubry et al., 2012]

Hybrid dependabilityMathematical framework Kolmogorov-Chapman equations [Labeau, Smidts, 2000]

Modeling or simulation of Piecewise Deterministic Markov Processes (PDMP) [Dufour, 2002]

Dynamic reliability Continuous phenomena (for example, ageing) influenced by stochastic events or drifts: reliability characteristics influenced by the process.

‹N°› - 05/06/2012

Framework for RAMS/SE Interoperability

‹N°› - 05/06/2012

FRAMEWORK

Interoperability vs. Integration [Léger, 2009]

Activity A Activity B

Activity C

REAL SYSTEM

Activity A

Activity B

Activity C

AN INTEGRATED MODEL OF THE SYSTEM

Shared semantics

Real activities are in interaction and sometimes in integration

Integrated model of activities Interoperable model of activities

Activity A Activity B

Activity C

AN INTEROPERABLE MODEL OF THE SYSTEM

Neutral exchange formalism

‹N°› - 05/06/2012

FRAMEWORK

• Implementation of the metamodel

Choice of arKItect Designer :

Commercial Off-The-Shelf (COTS) by KNOWLEDGE INSIDE

Ready to use

Meta-Model Interpreter

Generation of customizable building block diagrams

Easy to use.

Completeness.

‹N°› - 05/06/2012

FRAMEWORK

• Dynamic Modelling

Two approachesStochastic Hybrid Automaton (SHA) [Babykina, 2011] [Castaneda, 2011].

Quantitative analysis with Monte Carlo Simulations, to make dependability assessments

Quantitative analysis with exploration of minimal sequences

Open source tool EDF R&D : Pycatshoo, based on SHA [Chraïbi, 2013].

State Charts and a dedicated COTS (Matlab/Simulink) [Zhang, 2012] Quantitative analysis with Monte Carlo simulations

Both require:

Combination of engineering activities,

Computational power

Large volume of data (e.g; reliability data, state graphs…)

Models at component level

Interoperability between various tools (Matlab, Scilab, Pycatshoo …).

Choice for this study: Interoperability between SE process and a dynamic modeling based on SHA.

‹N°› - 05/06/2012

FRAMEWORK

RAMS/SE interoperability

Stages of the SE process

System Specifications (SS)

Analysis of requirements

Functional Architecture

System Design (SD).

System Architecture (SA)

Refinement Feedback.

‹N°› - 05/06/2012

FRAMEWORK

RAMS/SE interoperability

Stages of the RAMS process

Preliminary Risk Analysis (PRA)

System state definition

System risk event identification

Undesired Customer Event (UCE) identification

System Risk Analysis (SRA)

Static” analysis such as Failure Modes and Effects Analysis (FMEA)

Fault Tree Analysis (FTA).

Dynamic modeling

‹N°› - 05/06/2012

FRAMEWORK

Interoperable System Engineering and RAMS processes developed for the test case

RAMS process - Implementation in arKItect

‹N°› - 05/06/2012

FRAMEWORK

RAMS/SE interoperability

Relations between the processes implemented through the SE platform

Python scripting to interface SE platform and RAMS tools

Documentation

Traceability maintained throughout all levels of system model, incl. requirements, evolutions..

Allocation of System Requirements to hardware, software, or manual actions.

Allocation of functional and performance requirements or design constraints.

‹N°› - 05/06/2012

Metamodel for Interoperability

‹N°› - 05/06/2012

METAMODEL FOR INTEROPERABILITY

Existing Meta-model [Pfister, 2012] extended to represent Dynamic Dependability into SE processes [Piriou, 2013] [Piriou, 2014]

Semantics for phased mission systems with repairable multistate components.

Represented by an UML class diagram

‹N°› - 05/06/2012

METAMODEL FOR INTEROPERABILITY

Specific items for dynamic RAMS modeling

Phased missions Structure, failure and recovery processes, success criteria are phase-specific

Component States Each component can be activated and can fail according to several operation

Effects of component states on function achievement

Important for components having non discrete capacities (pumps, heaters…)

Redundancy policies

Component States - Implementation in arKItect

Achievement rates - Implementation in arKItect

‹N°› - 05/06/2012

METAMODEL FOR INTEROPERABILITY

Algorithm for a dynamic model

Based on an instance of the meta-model,Formalism: Stochastic Guarded Transition System (SGTS) [Rauzy, 2008]

Algorithm

Defining and initializing variables

Defining the transitions

3 mission phase transition

7 stochastic transitions

4 priority transitions (redundancy policy)

Defining assertions

compute if the function is satisfied and if the redundancy policies must be called.

Instance of the meta-model

Example of priority transition

Example of stochastic transition

‹N°› - 05/06/2012

Case Study

‹N°› - 05/06/2012

THE CASE STUDY

Availability of a feed-water control system used in a power plant steam generator

Classical problem of hybrid dependability with dynamic reliability issue.

[Aubry et al., 2012], [Zhang, 2012], [Deleuze et al., 2011] [NUREG 6942].

In the article, only the sub-system composed of the two feeding turbo pumps is considered.

‹N°› - 05/06/2012

THE CASE STUDY

‹N°› - 05/06/2012

THE CASE STUDY

‹N°› - 05/06/2012

THE CASE STUDYSGTS implemented with PyCATSHOO [Chraïbi, 2013]

PythoniC AuTomates Stochastiques Hybrides Orientés Objet

Expert knowledge integrated to the model to compensate lack of knowledge due to the semantic used for interoperability.

Availability is assessed with a Monte Carlo simulation

Output: unavailaibility of the two pumpsSequence : 12 identical missions

For each mission: 1st phase lasts 1 day, 2nd phase 28 days, 3rd phase 1 day.

Average unavailability is equal to 0.62%.

Unavailability of the pumps(x-axis : time in hours, y-axis : unavailability)

‹N°› - 05/06/2012

Conclusion

‹N°› - 05/06/2012

CONCLUSION

First step towards interoperability of SE and dynamic RAMS

A sound SE process, supported by a tool like arKItect Designer , can support the RAMS engineer to manage data and models

A “hub automaton” based on Stochastic Guarded Transition System support the translation of the dynamic dependability model into dynamic RAMS tools

Given a SE Meta-model [Piriou, 2013], a RAMS engineer can model realistic failure/repair scenarios, redundancy policies and dynamical allocation of functions… and manage traceability and data

Complementary studies : more hybrid aspects, dynamic reliability modeling aspects.