33 research outputs found

    A model-based approach to System of Systems risk management

    The failure of many System of Systems (SoS) enterprises can be attributed to the inappropriate application of traditional Systems Engineering (SE) processes within the SoS domain, because of the mistaken belief that a SoS can be regarded as a single large, or complex, system. SoS Engineering (SoSE) is a sub-discipline of SE; Risk Management and Modelling and Simulation (M&S) are key areas within SoSE, both of which also lie within the traditional SE domain. Risk Management of SoS requires a different approach to that currently taken for individual systems; if risk is managed for each component system, it cannot be assumed that the aggregated effect will be to mitigate risk at the SoS level. A literature review was undertaken examining three themes: (1) SoS Engineering (SoSE), (2) M&S and (3) Risk. Theme 1 of the literature provided insight into the activities comprising SoSE and its difference from traditional SE, with risk management identified as a key activity. The second theme discussed the application of M&S to SoS, providing an output which supported the identification of appropriate techniques and concluding that the inherent complexity of a SoS required the use of M&S in order to support SoSE activities. Current risk management approaches were reviewed in theme 3, as well as the management of SoS risk. Although some specific examples of the management of SoS risk were found, no mature, general approach was identified, indicating a gap in current knowledge. However, it was noted that most of these examples were underpinned by M&S approaches. It was therefore concluded that a general approach to SoS risk management utilising M&S methods would be of benefit.
In order to fill the gap identified in current knowledge, this research proposed a new model-based approach to Risk Management in which risk identification was supported by a framework combining SoS system of interest (SoI) dimensions with holistic risk types, and the resulting risks and contributing factors were captured in a causal network. Analysis of the causal network using a model technique selection tool, developed as part of this research, allowed the causal network to be simplified through the replacement of groups of elements within the network by appropriate supporting models. The Bayesian Belief Network (BBN) was identified as a suitable method to represent SoS risk. Supporting models run in Monte Carlo simulations allowed data to be generated from which the risk BBNs could learn, thereby providing a more quantitative approach to SoS risk management. A method was developed which provided context to the BBN risk output through comparison with worst-case and best-case risk probabilities. The model-based approach to Risk Management was applied to two very different case studies, Close Air Support mission planning and the Wheat Supply Chain (UK National Food Security risks), demonstrating its effectiveness and adaptability. The research established that the SoS SoI is essential for effective SoS risk identification and analysis of risk transfer, that effective SoS modelling requires a range of techniques whose suitability is determined by the problem context, that the responsibility for SoS Risk Management is related to the overall SoS classification, and that the model-based approach to SoS risk management was effective for both application case studies.

    A new approach to the system reliability analysis using reverse Petri nets

    Fault Tree Analysis (FTA) is a reliability analysis technique used to determine the causes and probability of system failure. FTA is based on a fault tree (FT), a graphical model that uses logic gates and fault events to represent the cause-and-effect relationships between the events that precede a system failure. The qualitative part of FTA consists of determining the minimal cut sets. A cut set is a set of basic events that, when they occur simultaneously, lead to system failure. A minimal cut set (minicut) is a cut set reduced to the minimal number of elements that cause system failure. This dissertation proposes a new method for determining the minicuts of a coherent FT (an FT containing only AND and OR logic gates) with repeated events. The method is based on a special type of Petri net, the reverse Petri net. First, a new algorithm for reducing the cut sets of a coherent FT is presented. Determining all minicuts of a coherent FT is an NP-hard problem. The dissertation considers approaches that first determine all cut sets of a given FT and then eliminate the supersets, i.e. the cut sets that are not minimal. In these approaches the FT is transformed into an equivalent Boolean equation in which all redundant cut sets are then eliminated. It has already been proved that cut sets containing no repeated events are minimal. This limits the reduction to the cut sets containing repeated events. This dissertation considers one more kind of cut set: those which, if they contain some repeated event, contain all of its repetitions. Such cut sets are denoted C*. It is shown that a cut set of the form C*, if one exists, is also minimal. This further shortens the reduction of the Boolean equation. Conditions for the existence of cut sets of the form C* are then proved, and the minimal number of cut sets that can be eliminated as supersets of C* is determined.
A new algorithm for reducing the Boolean equation of a given FT is proposed, based on separating the cut sets into three groups: cut sets without repeated events, cut sets of the form C*, and the remaining cut sets. The efficiency of the algorithm is illustrated on a group of test...

    The Fault Tree Analysis (FTA) is a reliability analysis technique used to determine the root causes and probability of occurrence of a specified top event. FTA is based on a Fault Tree (FT), a graphical model using logic gates and fault events to model the cause-effect relationships involved in causing the top event. Determining minimal cut sets is the qualitative part of FTA. A cut set is a set of basic events which, when simultaneous, cause the top event to occur. A minimal cut set (minicut) is a cut set which has been reduced to the minimum number of events that cause the top event to occur. This dissertation proposes a new method for minicut generation of a coherent FT, constructed using AND and OR logic operators only, with repeated events. The approach is based on a special type of Petri net, the reverse Petri net. First, a new algorithm for reducing cut sets in coherent fault trees is presented. Determining all minicuts of a fault tree is an NP-hard problem. Coherent fault trees and the top-down approaches for minicut generation are considered. The FT can be translated into an equivalent Boolean expression. The obtained Boolean expression should then be reduced by eliminating all redundant cut sets. It has already been proved that cut sets not containing any repeated event are minicuts. This limits the reduction to the cut sets containing repeated events. Cut sets containing all repetitions of their events are denoted by {C*}. It is proved that C*, if it exists, is also a minicut. This further limits the reduction of the Boolean expression. In addition, we prove conditions for the existence of C* and calculate the minimal number of cut sets that can be eliminated as supersets of C*.
Finally, a new algorithm for reduction of the Boolean expression is proposed, based on the partition of the cut sets into three families: those not containing any repeated event, those of type C*, and the others. The efficiency of the algorithm is shown by applying it to some benchmark fault trees.

    Compositional dependability analysis of dynamic systems with uncertainty

    Over the past two decades, research has focused on simplifying dependability analysis by looking at how dependability information can be synthesised from system models automatically. This has led to the field of model-based safety assessment (MBSA), which has attracted a significant amount of interest from industry, academia, and government agencies. Different model-based safety analysis methods, such as Hierarchically Performed Hazard Origin & Propagation Studies (HiP-HOPS), are increasingly applied by industry for dependability analysis of safety-critical systems. Such systems may feature multiple modes of operation, where the behaviour of the systems and the interactions between system components can change according to which mode of operation the systems are in. MBSA techniques usually combine different classical safety analysis approaches to allow analysts to perform safety analyses automatically or semi-automatically. For example, HiP-HOPS is a state-of-the-art MBSA approach which enhances an architectural model of a system with logical failure annotations to allow safety studies such as Fault Tree Analysis (FTA) and Failure Modes and Effects Analysis (FMEA). In this way it shows how the failure of a single component, or combinations of failures of different components, can lead to system failure. As systems become more complex and their behaviour becomes more dynamic, capturing this dynamic behaviour and the many possible interactions between the components is necessary to develop an accurate failure model. One way of modelling this dynamic behaviour is with a state-transition diagram. Introducing a dynamic model compatible with the existing architectural information of systems can provide significant benefits in terms of accurate representation and expressiveness when analysing the dynamic behaviour of modern large-scale and complex safety-critical systems.
Thus the first key contribution of this thesis is a methodology to enable MBSA techniques to model the dynamic behaviour of systems. This thesis demonstrates the use of this methodology using the HiP-HOPS tool as an example, and thus extends HiP-HOPS with state-transition annotations. This extension allows HiP-HOPS to model more complex dynamic scenarios and to perform compositional dynamic dependability analysis of complex systems by generating Pandora temporal fault trees (TFTs). As TFTs capture state, the techniques used for solving classical FTs are not suitable for solving them; they require a state space solution for quantification of probability. This thesis therefore proposes two methodologies, based on Petri nets and Bayesian networks, to provide state space solutions to Pandora TFTs. Uncertainty is another important (yet incomplete) area of MBSA: typical MBSA approaches are not capable of performing quantitative analysis under uncertainty. Therefore, in addition to the above contributions, this thesis proposes a fuzzy set theory based methodology to quantify Pandora temporal fault trees with uncertainty in the failure data of components. The proposed methodologies are applied to a case study to demonstrate how they can be used in practice. Finally, the overall contributions of the thesis are evaluated by discussing the results produced, and from these, conclusions about the potential benefits of the new techniques are drawn.

    AI Solutions for MDS: Artificial Intelligence Techniques for Misuse Detection and Localisation in Telecommunication Environments

    This report considers the application of Artificial Intelligence (AI) techniques to the problem of misuse detection and misuse localisation within telecommunications environments. A broad survey of techniques is provided, covering inter alia rule-based systems, model-based systems, case-based reasoning, pattern matching, clustering and feature extraction, artificial neural networks, genetic algorithms, artificial immune systems, agent-based systems, data mining and a variety of hybrid approaches. The report then considers the central issue of event correlation, which is at the heart of many misuse detection and localisation systems. The notion of being able to infer misuse by the correlation of individual, temporally distributed events within a multiple data stream environment is explored, and a range of techniques is surveyed, covering model-based approaches, `programmed' AI and machine learning paradigms. It is found that, in general, correlation is best achieved via rule-based approaches, but that these suffer from a number of drawbacks, such as the difficulty of developing and maintaining an appropriate knowledge base, and the lack of ability to generalise from known misuses to new, unseen misuses. Two distinct approaches are evident. One attempts to encode knowledge of known misuses, typically within rules, and uses this to screen events. This approach cannot generally detect misuses for which it has not been programmed, i.e. it is prone to issuing false negatives. The other attempts to `learn' the features of event patterns that constitute normal behaviour and, by observing patterns that do not match expected behaviour, detects when a misuse has occurred. This approach is prone to issuing false positives, i.e. inferring misuse from innocent patterns of behaviour that the system was not trained to recognise.
Contemporary approaches are seen to favour hybridisation, often combining detection or localisation mechanisms for both abnormal and normal behaviour, the former to capture known cases of misuse, the latter to capture unknown cases. In some systems, these mechanisms even work together to update each other, increasing detection rates and lowering false positive rates. It is concluded that hybridisation offers the most promising future direction, but that a rule-based or state-based component is likely to remain, being the most natural approach to the correlation of complex events. The challenge, then, is to mitigate the weaknesses of canonical programmed systems so that learning, generalisation and adaptation are more readily facilitated.

    Advanced reliability analysis of complex offshore Energy systems subject to condition based maintenance.

    As the demand for energy in our world today continues to increase and conventional reserves become less available, energy companies find themselves moving further offshore and into more remote locations for the promise of higher recoverable reserves. This has been accompanied by increased technical, safety and economic risks, as the unpredictable and dynamic conditions provide a challenge for the reliable and safe operation of both oil and gas (O&G) and offshore wind energy assets. Condition-based maintenance (CBM) is growing in popularity and application in offshore energy production, and its integration into the reliability analysis process allows for a more accurate representation of system performance. Advanced reliability analysis that takes CBM into account can be employed by researchers and practitioners to develop a better understanding of complex system behaviour in order to improve reliability allocation as well as operation and maintenance (O&M). The aim of this study is therefore to develop models for reliability analysis which take into account dynamic offshore conditions as well as CBM for improved reliability and O&M. To achieve this aim, models based on the stochastic Petri net (SPN) and dynamic Bayesian network (DBN) techniques are developed to analyse the reliability and optimise the O&M of complex offshore energy assets. These models are built to take into account the non-binary nature, maintenance regime and repairability of most offshore energy systems. The models are then tested using benchmark case studies such as a subsea blowout preventer, a floating offshore wind turbine (FOWT), an offshore wind turbine (OWT) gearbox and an OWT monopile.
Results from these analyses reveal that the incorporation of degradation and CBM can indeed be done and significantly influences the reliability analysis and O&M planning of offshore energy assets.
Shafiee, Mahmood (Associate)
PhD in Energy and Powe

    Software safety verification in critical software intensive systems


    A multi-models based approach for the modelling and the analysis of usable and resilient partly autonomous interactive systems

    The forecast growth of air traffic is such that current management means must evolve and be improved, and the automation of certain aspects of this management appears to be a way to handle this growth in traffic while keeping a constant level of safety as an invariant. However, this increase in traffic could lead to an increase in the performance variability of the whole set of air traffic management means, particularly in the case of degradation of this automation. Air traffic management systems are considered complex because they involve many interactions between humans and systems, can be deeply influenced by environmental aspects (weather, organisation, stress, ...) and therefore fall into the category of Socio-Technical Systems (STS) (Emery & Trist, 1960). Because of their complexity, the interactions between the different elements (humans, systems and organisations) of these STS can be linear and partly non-linear, which makes the evolution of their performance hard to predict. Within these STS, interactive systems must be usable, i.e. allow their users to accomplish their tasks effectively and efficiently. An STS must also be resilient to perturbations such as software and hardware failures, potential degradations of automation, or interaction problems between systems and their operators. These problems can affect several aspects of socio-technical systems, such as resources, task execution time, the ability to adapt to the environment... In order to analyse the impact of these perturbations and assess the performance variability of an STS, dedicated techniques and methods are required.
They must provide support for the systematic modelling and analysis of the usability and resilience of interactive systems with partly autonomous behaviour. They must also make it possible to describe and structure a large amount of information, and to handle the variability of each element of the STS and the variability arising from their interrelations. Existing techniques and methods currently allow neither modelling an STS as a whole nor analysing its usability and resilience properties (or else they focus on a subset of the STS and thereby lose the systemic view). Finally, they do not provide the means to analyse task migration following the introduction of a new technology, or to analyse performance variability in case of degradation of recently automated functions. These arguments are developed in the thesis and supported by a detailed analysis of existing modelling techniques and their associated methods. The contribution presented is based on the identification of a set of requirements needed to model and analyse each of the elements of an STS. Some of these requirements were met by using existing modelling techniques, the others by extending and refining other techniques. This thesis proposes an approach that integrates 3 techniques in particular: FRAM (centred on organisational functions), HAMSTERS (centred on human goals and activities) and ICO (dedicated to modelling the behaviour of interactive systems). This approach is illustrated by an example implementing the proposed extensions and the integration of the models. A more complex case study on air traffic management (rerouting an aircraft in bad weather conditions) is then presented to show the scalability of the approach.
It highlights the benefits of integrating the models for taking into account the performance variability of the various elements of an STS.

    The current European Air Traffic Management (ATM) System needs to be improved to cope with the growth in air traffic forecast for the coming years. It has been broadly recognised that the future ATM capacity and safety objectives can only be achieved by an intense enhancement of integrated automation support. However, an increase in automation might come along with an increase in the performance variability of the whole ATM System, especially in case of automation degradation. ATM systems are considered complex as they encompass interactions involving humans and machines, deeply influenced by environmental aspects (i.e. weather, organisational structure), making them belong to the class of Socio-Technical Systems (STS) (Emery & Trist, 1960). Due to this complexity, the interactions between the STS elements (human, system and organisational) can be partly linear and partly non-linear, making their performance evolution complex and hardly predictable. Within such STS, interactive systems have to be usable, i.e. enable users to perform their tasks efficiently and effectively while ensuring a certain level of operator satisfaction. Besides, the STS has to be resilient to adverse events, including potential automation degradation issues but also interaction problems between its interactive systems and the operators. These issues may affect several STS aspects such as resources, time in task performance, ability to adjust to the environment, etc. In order to be able to analyse the impact of these perturbations and to assess the potential performance variability of an STS, dedicated techniques and methods are required. These techniques and methods have to provide support for modelling and analysing in a systematic way the usability and resilience of interactive systems featuring partly autonomous behaviours.
They also have to provide support for describing and structuring a large amount of information and be able to address the variability of each of the STS elements as well as the variability related to their interrelations. Current techniques, methods and processes do not enable modelling an STS as a whole and analysing both usability and resilience properties. Also, they do not embed all the elements that are required to describe and analyse each part of the STS (such as the knowledge of different types which is needed by a user for accomplishing tasks or for interacting with dedicated technologies). Lastly, they do not provide means for analysing task migrations when a new technology is introduced, or for analysing performance variability in case of degradation of the newly introduced automation. Such statements are argued in this thesis by a detailed analysis of existing modelling techniques and associated methods, highlighting their advantages and limitations. This thesis proposes a multi-models based approach for the modelling and the analysis of partly autonomous interactive systems, for assessing their resilience and usability. The contribution is based on the identification of a set of requirements needed to be able to model and analyse each of the STS elements. Some of these requirements were met by existing modelling techniques; others were reachable by extending and refining existing ones. This thesis proposes an approach which integrates 3 modelling techniques: FRAM (focused on organisational functions), HAMSTERS (centred on human goals and activities) and ICO (dedicated to the modelling of interactive systems). The principles of the multi-models approach are illustrated on an example, carefully showing the extensions proposed to the selected modelling techniques and how they integrate together. A more complex case study from the ATM world is then presented to demonstrate the scalability of the approach.
This case study, dealing with aircraft route change due to bad weather conditions, highlights the ability of the integration of models to cope with performance variability of the various parts of the ST

    Towards an Expert System for the Analysis of Computer Aided Human Performance
