302 research outputs found

    The Impact of Petri Nets on System-of-Systems Engineering

    The successful engineering of a large-scale system-of-systems project towards deterministic behaviour depends on integrating autonomous components using international communications standards in accordance with dynamic requirements. To date, their engineering has been unsuccessful: no combination of top-down and bottom-up engineering perspectives is adopted, and the information exchange protocols and interfaces between components are not precisely specified. Various approaches such as modelling and architecture frameworks make positive contributions to system-of-systems specification, but their successful implementation is still a problem. One of the most popular modelling notations available for specifying systems, UML, is intuitive and graphical but also ambiguous and imprecise. While it supplies a range of diagrams to represent a system under development, UML lacks simulation and exhaustive verification capability. This shortfall in UML has received little attention in the context of system-of-systems, and there are two major research issues:
    1. Where the dynamic, behavioural diagrams of UML can and cannot be used to model and analyse system-of-systems.
    2. Determining how Petri nets can be used to improve the specification and analysis of the dynamic model of a system-of-systems specified using UML.
    This thesis presents the strengths and weaknesses of Petri nets in relation to the specification of system-of-systems and shows how Petri net models can be used instead of conventional UML Activity Diagrams. The model of the system-of-systems can then be analysed and verified using Petri net theory. The Petri net formalism of behaviour is demonstrated using two case studies from the military domain. The first case study uses Petri nets to specify and analyse a close air support mission. This case study concludes by indicating the strengths, weaknesses, and shortfalls of the proposed formalism in system-of-systems specification. The second case study considers the specification of a military exchange network parameters problem, and the results are compared with the strengths and weaknesses identified in the first case study. Finally, the results of the research are formulated in the form of a Petri net enhancement to UML (mapping existing activity diagram elements to Petri net elements) to meet the needs of system-of-systems specification, verification and validation.

    Safety‐oriented discrete event model for airport A‐SMGCS reliability assessment

    A detailed analysis of state-of-the-art technologies and procedures for Airport Advanced Surface Movement Guidance and Control Systems (A-SMGCS) is provided in this thesis, together with a review of Statistical Monte Carlo Analysis, Reliability Assessment and Petri Net theories. This practical and theoretical background has led the author to the conclusion that there is a lack of linkage between these fields. At the same time, the rapid increase of air traffic all over the world has highlighted the urgent need for practical instruments able to identify and quantify the risks connected with aircraft operations on the ground, since the airport has shown itself to be the actual bottleneck of the entire Air Transport System. Therefore, the only winning approach to such a critical matter has to be multi-disciplinary, sewing together apparently different subjects from the most disparate areas of interest and trying to fill the gap. The result of this thesis work came together towards the end, when a Timed Coloured Petri Net (TCPN) model of a sample Airport A-SMGCS was developed that is capable of taking into account the different kinds of questions raised during recent years and tries to give them some good answers.
    The A-SMGCS Airport model is, in the end, a parametric tool relying on Discrete Event System theory, able to perform a Reliability Analysis of the system itself, that:
    • uses a Monte Carlo Analysis applied to a Timed Coloured Petri Net, whose purpose is to evaluate the Safety Level of Surface Movements along an Airport;
    • lets the user analyse the impact of Procedures and Reliability Indexes of Systems such as Surface Movement Radars, Automatic Dependent Surveillance-Broadcast, Airport Lighting Systems, Microwave Sensors, and so on, on the Safety Level of the Airport Aircraft Transport System;
    • is not only a valid instrument in the Design Phase, but is useful also in the Certifying Activities and in monitoring the Safety Level of the above-mentioned System with respect to changes in Technologies and different Procedures.
    This TCPN model has been verified against qualitative engineering expectations by using simulation experiments and occupancy time schedules generated a priori. Simulation times are good, and since the model has been written in the Simulink/Stateflow programming language, it can be compiled to run in real time as C code (Real-Time Workshop and Stateflow Coder), thus relying on portable code able to run on virtually any platform, giving even better performance in terms of execution time. One of the most interesting applications of this work is the estimate, for an Airport, of the A-SMGCS level of implementation needed (Technical/Economical convenience evaluation). As a matter of fact, starting from the Traffic Volume and choosing the kind of Ground Equipment to be installed, one can make predictions about the Safety Level of the System: if the value is compliant with the TLS required by ICAO, the A-SMGCS level of Implementation is sufficiently adequate. Nevertheless, even if the Level of Safety has been satisfied, some delays due to reduced or simplified performance of some of the equipment (e.g. with reference to False Alarm Rates) can lead to previously unexpected economic consequences, thus requiring more accurate systems to be installed in order to meet the Airport's economic constraints as well. Work in progress includes the analysis of the effect of weather conditions and re-sequencing of a given schedule. The effect of re-sequencing a given schedule is not yet realistic enough, since the model does not apply inter-arrival and departure separations. However, the model might show some effect on different sequences based on runway occupancy times. A further developed model containing wake turbulence separation conditions would be more sensitive for this case. Hence, further work will be directed towards:
    • The development of On-Line Re-Scheduling based on the available actual runway/taxiway configuration and weather conditions.
    • The Engineering Safety Assessment of some small Italian Airport A-SMGCSs (Model validation with real data).
    • The application of Stochastic Differential Equation systems in order to evaluate the collision risk on the ground inside a single Place of the Petri Net, in the event of a Short Term Conflict Alert (STCA), by adopting the Reich Collision Risk Model.
    • Optimal Air Traffic Control Algorithm Synthesis (Adaptive look-ahead Optimization), by Dynamically Timed Coloured Petri Nets, together with the implementation of Error-Recovery Strategies and Diagnosis Functions.

    Modelling methodologies for railway asset management

    Management of railway assets incurs significant expenditure. Railway asset management modelling can predict the cost and efficacy of an asset management plan, and thus support the asset management planning process. Modelling frameworks can be used to facilitate the development of large, multi-asset, whole life cycle models which can be used to represent large sections of rail track and associated assets. This is achieved with libraries of models and tools with a high level of inter-compatibility. This research set out to support the development of modelling frameworks for railway asset management. It sought to determine the state of the art of railway asset management modelling in order to find which assets require further modelling development before they can be suitably represented in a framework’s model library. It also sought to determine the most accurate and suitable modelling methodology to base the framework upon. These aims were met by first carrying out a literature review to determine the state of the art of asset management modelling for major railway asset types. This review found Petri net models solved via Monte Carlo methods to be the most suitable modelling methodology for asset management. The level crossing asset class was chosen for the development of several models to explore the different types of Petri net model, concentrating on the computational resources required. This asset class was chosen because no asset management model was found in the literature and because of the diversity of the asset interactions. The literature review found several asset classes in need of further development, and some where asset management modelling may not be possible without other advances. The level crossing Petri net models developed demonstrated that computational requirements differ between the various types of Petri net. Stochastic Petri nets were found to simulate quickly, but had a high memory requirement. Coloured Petri nets were found to have the opposite requirements. A novel Petri net type, the Simple Coloured Petri net, was developed to create a balance in computational cost. It was further found that complex processes such as scheduling and resource allocation can only be carried out using Coloured Petri nets due to their enhanced feature set. This work has found that further research on modelling specific asset classes is required to enable the development of a complete asset modelling library for use in a framework. If large models are to be developed, it is recommended that the Simple Coloured Petri net be used to balance computational requirements. Any models requiring complex functions should be developed using the Coloured Petri net methodology.

    Proceedings of the First NASA Formal Methods Symposium

    Topics covered include: Model Checking - My 27-Year Quest to Overcome the State Explosion Problem; Applying Formal Methods to NASA Projects: Transition from Research to Practice; TLA+: Whence, Wherefore, and Whither; Formal Methods Applications in Air Transportation; Theorem Proving in Intel Hardware Design; Building a Formal Model of a Human-Interactive System: Insights into the Integration of Formal Methods and Human Factors Engineering; Model Checking for Autonomic Systems Specified with ASSL; A Game-Theoretic Approach to Branching Time Abstract-Check-Refine Process; Software Model Checking Without Source Code; Generalized Abstract Symbolic Summaries; A Comparative Study of Randomized Constraint Solvers for Random-Symbolic Testing; Component-Oriented Behavior Extraction for Autonomic System Design; Automated Verification of Design Patterns with LePUS3; A Module Language for Typing by Contracts; From Goal-Oriented Requirements to Event-B Specifications; Introduction of Virtualization Technology to Multi-Process Model Checking; Comparing Techniques for Certified Static Analysis; Towards a Framework for Generating Tests to Satisfy Complex Code Coverage in Java Pathfinder; jFuzz: A Concolic Whitebox Fuzzer for Java; Machine-Checkable Timed CSP; Stochastic Formal Correctness of Numerical Algorithms; Deductive Verification of Cryptographic Software; Coloured Petri Net Refinement Specification and Correctness Proof with Coq; Modeling Guidelines for Code Generation in the Railway Signaling Context; Tactical Synthesis Of Efficient Global Search Algorithms; Towards Co-Engineering Communicating Autonomous Cyber-Physical Systems; and Formal Methods for Automated Diagnosis of Autosub 6000.

    Doppler-only target tracking for a multistatic radar exploiting FM band illuminators of opportunity

    Includes bibliographical references.
    Commensal Radar (CR), defined as a subclass of Passive Radar (PR), is a receive-only radar that exploits non-cooperative illuminators of opportunity for target detection, location and subsequent tracking. The objective of this thesis is to evaluate the feasibility of using a Frequency Modulation (FM) Broadcast band CR system as a cost-effective solution for Air Traffic Control (ATC). An inherent complication of exploiting FM is the low range resolution due to the low bandwidth of FM radio signals. However, due to the typically long integration times associated with CR, the frequency domain resolution is usually very good. As a result, measurements of the target's Doppler shift are highly accurate and could potentially make FM illuminators a viable source for ATC purposes. Accordingly, this thesis aims to obtain a comprehensive understanding of using high-resolution Doppler measurements to accurately track the position of a target. This objective has been addressed by performing a comprehensive mathematical analysis of a Doppler-only tracking CR system. The analysis is verified with a tracking simulation, in which the Recursive Gauss-Newton Filter (RGNF) is used, and lastly a field experiment was conducted to produce tracking results based on real measurement data. Results demonstrated that Doppler-only target tracking from real measurement data is possible, even when the initial target state vector is initialised from real measurement data. A good degree of correlation is achieved between the theoretical, simulated and measured results, hence verifying the theoretical findings of this thesis. Ensuring that the observation matrix is properly conditioned in Doppler-only tracking applications is important, as failure to do so results in tracking instability. Factors that influence the conditioning of the observation matrix are: the number of receivers used (assuming the basic observation criterion is met) and the placement of the receivers, keeping in mind the possibility of Doppler correlation in the measurements. The possibility of improving an ill-conditioned observation matrix is also demonstrated. In general, tracking filters such as the RGNF employ time history information; therefore a direct comparison to the Cramér-Rao Lower Bound (CRLB) is unrealistic, and accordingly a new theoretical lower bound, called the Cumulative CRLB, was derived that does account for time history measurements. Although the best results for this thesis are achieved by using long integration periods (4 s), the effect of Doppler walk was not compensated for and is an aspect that requires further investigation to potentially improve further on the results obtained in this thesis. As a final conclusion for this thesis, Doppler-only target tracking delivered some encouraging results; however, a qualification test in the form of an extensive trial period is next required to motivate Doppler-only tracking for ATC purposes.

    Improving resilience to cyber-attacks by analysing system output impacts and costs

    Cyber-attacks cost businesses millions of dollars every year, a key component of which is the cost of business disruption from system downtime. As cyber-attacks cannot all be prevented, there is a need to consider the cyber resilience of systems, i.e. the ability to withstand cyber-attacks and recover from them. Previous works discussing system cyber resilience typically either offer generic high-level guidance on best practices, provide limited attack modelling, or apply to systems with special characteristics. There is a lack of an approach to system cyber resilience evaluation that is generally applicable yet provides a detailed consideration of the system-level impacts of cyber-attacks and defences. We propose a methodology for evaluating the effectiveness of actions intended to improve resilience to cyber-attacks, considering their impacts on system output performance and monetary costs. It is intended for analysing attacks that can disrupt the system function, and involves modelling attack progression, system output production, response to attacks, and costs from cyber-attacks and defensive actions. Studies of three use cases demonstrate the implementation and usefulness of our methodology. First, in our redundancy planning study, we considered the effect of redundancy additions on mitigating the impacts of cyber-attacks on system output performance. We found that redundancy with diversity can be effective in increasing resilience, although the reduction in attack-related costs must be balanced against added maintenance costs. Second, our work on attack countermeasure selection shows that by considering system output impacts across the duration of an attack, one can find more cost-effective attack responses than without such considerations. Third, we propose an approach to mission viability analysis for multi-UAV deployments facing cyber-attacks, which can aid resource planning and determining if the mission can conclude successfully despite an attack. We provide different implementations of our model components, based on use case requirements.
    Open Access

    A methodology for automated service level agreement compliance prediction

    PhD Thesis
    Service Level Agreement (SLA) specification languages express monitorable contracts between service providers and consumers. It is of interest to determine if predictive models can be derived for SLAs expressed in such languages, if possible in a fashion that is as automated as possible. Assuming that the service developer or user uses some SLA specification language during the service development or deployment process, the Service Level Agreement Compliance Prediction (SlaCP) methodology is proposed as a general engineering methodology for predicting SLA compliance. This methodology helps contractual parties to assess the probability of SLA compliance, as automatically as is feasible, by mapping an existing SLA onto a stochastic model of the service and using existing numerical solution algorithms or discrete event simulation to solve the model. The SlaCP methodology is generic, but the methodology is mostly described, in this thesis, assuming the use of the Web Service Level Agreement (WSLA) and the Stochastic Discrete Event Systems (SDES) formalism. The approach taken in this methodology is firstly to associate formal semantics with WSLA elements so that they can be understood with mathematical precision. Then, a five-step mapping process between the source and the target formalisms is conducted. These steps include: mapping into model primitives, reward metrics, expressions for functions of these metrics, the time at which the prediction occurs, and the ultimate probability of SLA compliance. The proposed methodology is implemented in a software tool that automates most of its steps using Mobius and SPNP. The methodology is evaluated using a case study which shows the methodology’s feasibility and limitations in both theoretical and practical terms.
    Tishreen University, Ministry of Higher Education in Syria

    Inference of resource-based simulation models from process event-log data

    This research was focused on inferring resource-based simulation models from data, and has proven it is realistic to do so. The research has discovered a new Process Mining algorithm with superior performance and has developed methods to identify, quantify and discover resource attributes and resource-based decisions from data.