
    The Art of Fault Injection

    Classical Greek philosophers considered the foremost virtues to be temperance, justice, courage, and prudence. In this paper we relate these cardinal virtues to the correct methodological approaches that researchers should follow when setting up a fault injection experiment. With this work we try to understand where the "straightforward pathway" lies, in order to highlight those common methodological errors that deeply influence the coherency and the meaningfulness of fault injection experiments. Fault injection is like an art, where the success of the experiments depends on a very delicate balance between modeling, creativity, statistics, and patience.

    Design of an integrated airframe/propulsion control system architecture

    The design of an integrated airframe/propulsion control system architecture is described. The design is based on a prevalidation methodology that uses both reliability and performance. A detailed account is given of the testing associated with a subset of the architecture, concluding with general observations on applying the methodology to the architecture.

    Development and certification of mixed-criticality embedded systems based on probabilistic timing analysis

    An increasing variety of emerging systems relentlessly replaces or augments the functionality of mechanical subsystems with embedded electronics. Given their quantity, complexity, and use, the safety of such subsystems is an increasingly important matter. Accordingly, those systems are subject to safety certification to demonstrate the system's safety by rigorous development processes and hardware/software constraints. The massive increase in embedded processors' complexity renders the arduous certification task significantly harder to achieve. The focus of this thesis is to address the certification challenges in multicore architectures: despite their potential to integrate several applications on a single platform, their inherent complexity imperils their timing predictability and certification. Recently, the Measurement-Based Probabilistic Timing Analysis (MBPTA) technique emerged as an alternative to deal with hardware/software complexity. The innovation that MBPTA brings about is, however, a major step from current certification procedures and standards. The particular contributions of this Thesis include: (i) the definition of certification arguments for mixed-criticality integration upon multicore processors. In particular we propose a set of safety mechanisms and procedures as required to comply with functional safety standards. For timing predictability, (ii) we present a quantitative approach to assess the likelihood of execution-time exceedance events with respect to the risk reduction requirements on safety standards. To this end, we build upon the MBPTA approach and we present the design of a safety-related source of randomization (SoR), that plays a key role in the platform-level randomization needed by MBPTA. And (iii) we evaluate current certification guidance with respect to emerging high performance design trends like caches. Overall, this Thesis pushes the certification limits in the use of multicore and MBPTA technology in Critical Real-Time Embedded Systems (CRTES) and paves the way towards their adoption in industry.
    A growing variety of emerging systems replace or augment the functionality of mechanical subsystems with embedded electronic components. The increase in the number and complexity of these electronic subsystems, as well as their role, makes their safety a matter of growing importance. So much so that the commercialization of these critical systems is subject to rigorous certification processes in which the system's safety is guaranteed through strict constraints on the development and design process of its hardware and software. This thesis seeks to address the new challenges and difficulties posed by the introduction of multicore processors in such critical systems: although their higher performance attracts industry's interest in integrating multiple applications on a single platform, they entail greater complexity. Their architecture defies timing analysis by traditional methods and, likewise, their certification is increasingly complex and costly. In order to deal with these limitations, a novel measurement-based probabilistic timing analysis technique (MBPTA) has recently been developed. The innovation of this technique, however, represents a major cultural change with respect to traditional certification standards and procedures. Along these lines, the contributions of this thesis are grouped into three main axes: (i) definition of safety arguments for the certification of mixed-criticality applications on multicore platforms. In particular, safety mechanisms and fault diagnosis and reaction techniques are defined in accordance with the IEC 61508 standard on a reference multicore architecture. Regarding timing analysis, (ii) we present the quantification of the probability of exceeding a time bound and its relation to the risk reduction requirements derived from functional safety standards. To this end, we build on the MBPTA technique and present the design of a safe random number source, a key component for achieving the random properties required by MBPTA at the platform level. Finally, (iii) we extrapolate the current guidelines for the certification of multicore architectures to a commercial 8-core solution and evaluate them with respect to emerging high-performance design trends (caches). With these contributions, this thesis seeks to address the challenges that the use of multicore processors and MBPTA imply for the certification process of critical real-time systems and thus facilitates their adoption by industry.

    A Predictive Model of Nuclear Power Plant Crew Decision-Making and Performance in a Dynamic Simulation Environment

    The safe operation of complex systems such as nuclear power plants requires close coordination between the human operators and plant systems. In order to maintain an adequate level of safety following an accident or other off-normal event, the operators are often called upon to perform complex tasks during dynamic situations with incomplete information. The safety of such complex systems can be greatly improved if the conditions that could lead operators to make poor decisions and commit erroneous actions during these situations can be predicted and mitigated. The primary goal of this research project was the development and validation of a cognitive model capable of simulating nuclear plant operator decision-making during accident conditions. Dynamic probabilistic risk assessment methods can improve the prediction of human error events by providing rich contextual information and an explicit consideration of feedback arising from man-machine interactions. The Accident Dynamics Simulator paired with the Information, Decision, and Action in a Crew context cognitive model (ADS-IDAC) shows promise for predicting situational contexts that might lead to human error events, particularly knowledge-driven errors of commission. ADS-IDAC generates a discrete dynamic event tree (DDET) by applying simple branching rules that reflect variations in crew responses to plant events and system status changes. Branches can be generated to simulate slow or fast procedure execution speed, skipping of procedure steps, reliance on memorized information, activation of mental beliefs, variations in control inputs, and equipment failures. Complex operator mental models of plant behavior that guide crew actions can be represented within the ADS-IDAC mental belief framework and used to identify situational contexts that may lead to human error events. This research increased the capabilities of ADS-IDAC in several key areas. The ADS-IDAC computer code was improved to support additional branching events and provide a better representation of the IDAC cognitive model. An operator decision-making engine capable of responding to dynamic changes in situational context was implemented. The IDAC human performance model was fully integrated with a detailed nuclear plant model in order to realistically simulate plant accident scenarios. Finally, the improved ADS-IDAC model was calibrated, validated, and updated using actual nuclear plant crew performance data. This research led to the following general conclusions: (1) A relatively small number of branching rules are capable of efficiently capturing a wide spectrum of crew-to-crew variabilities. (2) Compared to traditional static risk assessment methods, ADS-IDAC can provide a more realistic and integrated assessment of human error events by directly determining the effect of operator behaviors on plant thermal-hydraulic parameters. (3) The ADS-IDAC approach provides an efficient framework for capturing actual operator performance data such as timing of operator actions, mental models, and decision-making activities.

    New trends for conducting hazard & operability (HAZOP) studies in continuous chemical processes

    Identifying hazards is fundamental for ensuring the safe design and operation of a system in process plants and other facilities. Several techniques are available to identify hazardous situations, all of which require their rigorous, thorough, and systematic application by a multi-disciplinary team of experts. Success rests upon first identifying and subsequently analyzing possible scenarios that can cause accidents with different degrees of severity. While hazard identification may be the most important stage for risk management, it depends on subjective factors (e.g., human observation, good judgment and intuition, creativity, expertise, knowledge) which introduce bias. Without a structured identification system, hazards can be overlooked, thus entailing incomplete risk evaluations and potential loss. The present Thesis is focused on developing both managerial and technical aspects intended to standardize one of the most used techniques for hazard identification, viz. the HAZard & Operability (HAZOP) study. These criteria have been carefully implemented not only to ensure that most of the hazardous scenarios will be identified, but also that US OSHA PSM Rule, EPA RMP, and Seveso Directive requirements will be met. Chapter I introduces the main research topic, from the process safety concept up to the evidence that more detailed information is required from the related regulations. A review of regulations (i.e., US and European legislation) focused on hazard identification has been conducted, highlighting that there is an absence of specific criteria for performing the techniques intended to identify what can go wrong. Chapter II introduces the risk management system required to analyze the risk from chemical process facilities, and justifies that the hazard identification stage is the foundation of Process Safety. Hereafter, an overview of the key Process Hazard Analyses (PHA) has been conducted, and the specific HAZOP weaknesses and strengths have been highlighted to establish the first steps to focus on. Chapter III establishes the scope, the purpose and the specific objectives that the research covers. It answers the following questions directly: why the present research is performed, which elements are included, and what has been considered for reaching the final conclusions of the manuscript. Chapter IV gathers HAZOP-related literature from books, guidelines, standards, major journals, and conference proceedings with the purpose of classifying the research conducted over the years and finally defining the HAZOP state of the art. Additionally, and according to the information collected, the current HAZOP limitations have been emphasized, and thus the research needs that should be considered for the improvement and advance of HAZOP. Chapter V analyzes the data collected while preparing, organizing, executing and writing HAZOPs in five petroleum-refining processes. A statistical analysis has been performed to extract guidance and conclusions to support the established criteria for conducting HAZOP studies effectively. Chapter VI establishes the whole set of actions that have to be taken into account for ensuring a well-planned and executed HAZOP study. Both technical and management issues are addressed, with criteria supported by the previous chapters of the manuscript. Chapter VI itself is the result of the present research, and could be used as a guideline not only for team leaders, but also for any related party interested in performing HAZOPs in continuous chemical processes. Chapter VII states the final conclusions of the research. The interested parties should be informed about the hazard-identification gaps present in current process safety regulations, the key limitations of the HAZOP study, and finally the criteria that cover the research needs that have been found. Annex I proposes the key tools (tables, figures and "ready-to-use" checklists) for conducting HAZOPs in continuous chemical processes. The information layout is structured according to the proposed HAZOP Management System. This information is intended to provide concise and structured documentation to be used as a reference book when conducting HAZOPs. Annex II is intended to overview the most relevant petroleum refining processes by highlighting key factors to take into account from the point of view of process safety and hazard identification, i.e. HAZOP. In this sense, key health and safety information on specific petroleum refining units is provided as valuable guidance during brainstorming sessions. Annex III illustrates the complete set of data collected during the field work of the present research, which is also analyzed in Chapter V of the manuscript. Additionally, it depicts a statistical summary of the key variables treated during the analysis. Finally, the Nomenclature, References, and Abbreviations & Acronyms used and cited throughout the manuscript have been listed.
    Additionally, a Glossary of key terms related to the Process Safety field has been provided.
    This doctoral thesis aims to standardize the application of one of the techniques most used in the process industry for hazard identification, the so-called HAZard & OPerability (HAZOP) study, specifically in complex processes such as petroleum refinery units. Chapter I defines the concept of Process Safety and progressively analyzes the different regulations related to the subject, detailing specifically the shortcomings and information gaps currently present in the first stage of risk management in process industries: hazard identification. Chapter II defines the technological risk management system that applies to process industries, and justifies that the hazard identification stage is the pillar of the whole system. Finally, some of the most widely used identification techniques, the so-called Process Hazard Analysis (PHA), are mentioned, and their weaknesses and strengths are detailed, characteristics that have ended up defining the specific subject of the thesis. Specifically, emphasis is placed on the technique called HAZard & OPerability (HAZOP) study, the main object of the research. Chapter III defines the scope, purpose and specific objectives of the research. The intention of this chapter is to answer the following questions: the reason for the research, which elements have been included and what has been considered in order to reach the conclusions of the thesis. Chapter IV describes the state of the art of the HAZOP-related literature. This review not only allows the different lines of HAZOP-related research to be classified, but also provides a deep understanding of the different particularities of the technique itself. The chapter ends with a set of both management and technical shortcomings, as well as the research needs that can improve the organization and execution of HAZOPs. Chapter V analyzes the information collected during the experimental phase of the thesis. The data come from participation in five HAZOP studies applied to the petroleum refining industry. In this sense, Chapter V develops a statistical analysis of these data to draw conclusions regarding the preparation, organization and execution of HAZOPs. Chapter VI establishes the set of actions that must be taken into account to ensure that a HAZOP study is well organized and executed (the methodology). A HAZOP Management System is defined and, from its phases, a methodology is developed that aims to support all those weak points identified in the previous chapters. This methodology is intended to provide support and guidance not only to HAZOP leaders, but also to any party interested in this subject. Chapter VII describes the conclusions of the research. First, the shortcomings in the definition of criteria to be followed in the different regulations that apply to Process Safety are listed. Next, the limitations of the HAZOP technique itself are mentioned, and finally, the criteria established to address all these identified weaknesses are described. Annex I is a compilation of the different criteria developed throughout the text in the form of tables and figures. These have been ordered chronologically according to the different phases that define the HAZOP Management System. Annex I can be used as a concise and practical reference, prepared and designed to be used directly in the field, with the intention of supporting the parties interested in leading HAZOP studies. Annex II compiles information related to key safety and environmental aspects of different refinery units. This information is a support to encourage the "brainstorming" of the different members that make up the HAZOP team. Annex III compiles the data of the different variables considered in the experimental phase of the research, together with a set of figures showing their basic statistics.

    Proactive management of uncertainty to improve scheduling robustness in process industries

    Dynamism, responsiveness and flexibility are essential characteristics in the development of today's society. The new trends of globalization and the advances in information and communication technologies mean that everything evolves in a highly dynamic and uncertain environment. The uncertainty present in every process becomes a critical factor when making decisions, as well as a widely recognized challenge in the area of Process Systems Engineering (PSE). In the context of operations scheduling, the decision-support models proposed so far, as well as commercial advanced planning and scheduling software, are generally based on estimated data, implicitly assuming that the schedule will be executed without deviations. Reacting to the effects of uncertainty at execution time is a common practice, but it is not always effective or feasible. The alternative is to consider uncertainty proactively, that is, at the moment of making decisions, exploiting the knowledge available in the modeling system itself. Given this situation, the following questions arise: what is understood by uncertainty? How can uncertainty be considered in the scheduling problem? What is understood by the robustness and flexibility of a schedule? How can this robustness be improved? What benefits does it bring? This thesis answers these questions within the framework of operational analysis in the area of PSE. Uncertainty is considered not in the traditional reactive way, but through the development of proactive decision-support systems with the aim of identifying robust schedules that serve as a reference for the lower level of plant control, as well as for other centers in a supply chain environment. This research work lays the foundations for formalizing the concept of schedule robustness in a systematic way. According to this formalism, operation times and equipment breakdowns are initially considered as the main sources of uncertainty present at the production scheduling level. The problem is modeled using stochastic programming, finally developing a simulation-based optimization environment that captures the multiple sources of uncertainty, as well as reactive scheduling strategies, proactively. The methodology developed in the context of production scheduling is subsequently extended to include transport operations in multi-entity systems and uncertainty in distribution times. With this broader perspective of the operational level, the coordination of production and transport activities, so far centered on the strategic or tactical levels, is studied. The final study considers the effect of demand uncertainty on short-term production scheduling decisions. The problem is analyzed from the point of view of risk management, and different measures for controlling the efficiency of the system in an uncertain environment are evaluated. In general, the thesis highlights the advantages of recognizing and modeling uncertainty, with the identification of robust schedules able to adapt to a wide range of possible situations, instead of optimal schedules for a hypothetical scenario. The methodology proposed at the operational level can be considered an initial step towards extending it to the strategic and tactical decision levels. At the same time, the proactive view of the problem makes it possible to reduce the existing gap between theory and industrial practice, and results in greater knowledge of the process, visibility for planning future activities, and also improves the effectiveness of reactive techniques and of the whole system in general, characteristics that are highly desirable in order to remain active in the face of the globality, competitiveness and dynamics that surround a process.
    Dynamism, responsiveness, and flexibility are essential features in the development of the current society. Globalization trends and fast advances in communication and information technologies make everything evolve in a highly dynamic and uncertain environment. The uncertainty involved in a process system becomes a critical problem in decision making, as well as a recognized challenge in the area of Process Systems Engineering (PSE). In the context of scheduling, decision-support models developed up to this point, as well as commercial advanced planning and scheduling systems, rely generally on estimated input information, implicitly assuming that a schedule will be executed without deviations. Reacting to the effects of uncertainty at execution time is a common practice, but it is not always effective or even possible. The alternative is to address the uncertainty proactively, i.e., at the time of reasoning, exploiting the available knowledge in the modeling procedure itself. In view of this situation, the following questions arise: what do we understand by uncertainty? How can uncertainty be considered within scheduling modeling systems? What is understood by schedule robustness and flexibility? How can schedule robustness be improved? What are the benefits? This thesis answers these questions in the context of operational analysis in PSE. Uncertainty is managed not from the traditional reactive viewpoint, but with the development of proactive decision-support systems aimed at identifying robust schedules that serve as useful guidance for the lower control level, as well as for dependent entities in a supply chain environment. A basis to formalize the concept of schedule robustness is established. Based on this formalism, variable operation times and equipment breakdowns are first considered as the main uncertainties in short-term production scheduling. The problem is initially modeled using stochastic programming, and a simulation-based stochastic optimization framework is finally developed, which captures the multiple sources of uncertainty, as well as rescheduling strategies, proactively. The procedure-oriented system developed in the context of production scheduling is next extended to involve transport scheduling in multi-site systems with uncertain travel times. With this broader operational perspective, the coordination of production and transport activities, considered so far mainly in strategic and tactical analysis, is assessed. The final research point focuses on the effect of demand uncertainty on short-term scheduling decisions. The problem is analyzed from a risk management viewpoint, and alternative measures are assessed and compared to control the performance of the system in the uncertain environment. Overall, this research work reveals the advantages of recognizing and modeling uncertainty, with the identification of more robust schedules able to adapt to a wide range of possible situations, rather than optimal schedules for a hypothetical scenario. The management of uncertainty proposed from an operational perspective can be considered as a first step towards its extension to tactical and strategic levels of decision. The proactive perspective of the problem results in a more realistic view of the process system, and it is a promising way to reduce the gap between theory and industrial practice. Besides, it provides valuable insight into the process and visibility for future activities, and it improves the efficiency of reactive techniques and of the overall system, all highly desirable features to remain alive in the global, competitive, and dynamic process environment.

    Scenario-based verification and validation of dynamic UML specifications

    The Unified Modeling Language (UML) is the result of the unification process of earlier object-oriented models and notations. Verification and validation (V&V) tasks, as applied to UML specifications, enable early detection of analysis and design flaws prior to implementation. In this work, we address four V&V analysis methods for UML dynamic specifications, namely: timing analysis and automatic V&V of timing constraints, automated architectural-level risk assessment, performance modeling, and fault injection analysis. For each, we present approaches, methods, and/or automated techniques. We use two case studies, a cardiac pacemaker and a simplified Automatic Teller Machine (ATM) banking subsystem, to illustrate the developed techniques.

    Aerospace medicine and biology: A continuing bibliography with indexes (supplement 341)

    This bibliography lists 133 reports, articles and other documents introduced into the NASA Scientific and Technical Information System during September 1990. Subject coverage includes: aerospace medicine and psychology, life support systems and controlled environments, safety equipment, exobiology and extraterrestrial life, and flight crew behavior and performance.

    Integration Of Cognitive And Physical Factors To Model Human Performance In Fluid Power Systems

    Fluid power technology is constantly evolving as a result of the interaction between the human and the system. Systems such as the hydraulic excavator utilize this technology in order to deliver safe, efficient, and effective performance. However, traditional research has placed much emphasis on technical performance rather than on human components. Imbalances of this nature demonstrate inadequate understanding, lack of knowledge, and limited research on the factors affecting performance. This research aims to address these shortcomings by using an integrated approach to better model human performance in fluid power systems.