604 research outputs found

    Model-based dependability analysis : state-of-the-art, challenges and future outlook

    Abstract: Over the past two decades, the study of model-based dependability analysis has gathered significant research interest. Different approaches have been developed to automate and address various limitations of classical dependability techniques, in order to contend with the increasing complexity and challenges of modern safety-critical systems. Two leading paradigms have emerged: one constructs predictive system failure models from component failure models compositionally, using the topology of the system; the other uses design models, typically state automata, to explore system behaviour through fault injection. This paper reviews a number of prominent techniques under these two paradigms and provides insight into their working mechanisms, applicability, strengths and challenges, as well as recent developments within these fields. We also discuss the emerging trends towards integrated approaches and advanced analysis capabilities. Lastly, we outline the future outlook for model-based dependability analysis.

    Method for evaluating an extended fault tree to analyse the dependability of complex systems: application to a satellite-based railway system

    Evaluating the dependability of complex systems requires the evolution of the system states over time to be analysed. The problem is to develop modelling approaches that adequately take into account the evolution of the different operating and failed states of the system components. The Fault Tree (FT) is a well-known method that efficiently analyses the failure causes of a system and serves for reliability and availability evaluations. As the FT is not adapted to dynamic systems with repairable multi-state components, extensions of the FT (eFT) have been developed. However, efficient quantitative evaluation processes for eFT are missing. Petri nets have the advantage of allowing such evaluation, but their construction is difficult to manage and their simulation performance is unsatisfactory. Therefore, we propose in this paper a new, powerful process for quantitatively analysing eFT. It is based on the use of the Petri net (PN) method, which relies on the failed states highlighted by the eFT, combined with a new analytical modelling approach for critical events that depend on time duration. The performance of the new process is demonstrated on a theoretical eFT example, and the practical use of the method is shown on a satellite-based railway system.

    Determination of man-made risks in transient states during the operation of water treatment systems in thermal power engineering

    Introduction. Currently, the most important issues in the national economy are those of the continuous, reliable and safe operation of circulating water supply systems, namely the power units of thermal power plants and the thermal power plants of industrial enterprises. Fault-free and reliable operation of water supply systems ensures the normal operation of social and industrial enterprises, as well as the safe operation of fire protection systems, which can be disrupted by stopping the supply of a quality product to the consumer. In Ukraine and abroad, many scientific papers are devoted to the assessment, calculation and management of man-made risks, and to the calculation and management of risks in water treatment systems in heat and power engineering. However, the impact of these risks on environmental safety is not covered, even though the issue is of great economic importance. There is no general methodological approach that considers the diversity of water treatment systems and their design solutions. There is no clear ranking of the objects to be protected by risk analysis, and there is no analysis of the effects acting on them.

    Purpose and methods. The purpose of the work is to determine the risks associated with the patterns of the failure probability of units, the patterns of transition from state to state, and the risks associated with changes in these patterns when units of the water treatment system or its elements are replaced. To study the probability of risks resulting from failures over the entire period of operation of a water treatment system in the heating industry, a structural and functional block diagram of the water treatment system is built. To obtain numerical data on the failure probability at any time, the failure probability curve was approximated by curves of the normal distribution law (Gaussian curves).

    Results and discussion. Studies have shown that the minimum risk is proportional to the minimum probability of failure. It is therefore fair to say that, to minimise the risk, the failure probability function must be reduced on the part of the failure curve that corresponds to the operating state of the unit or element, that is, in the burn-in or normal-operation region. To calculate the minimum probability of risk, the minimum of this function must be determined. Since failure is a function of many variables, P_fail = f(x, y, z) → 0. It is also established that for most water treatment systems, at any time of operation, it is possible to determine the risks associated with the regularities of the failure probabilities of units, with the regularities of the transition of the system from state to state, and the risks associated with changes in the above patterns when units of the water treatment system or its elements are replaced.

    Conclusions. The research shows that, after a sufficiently long period of operation, a water treatment system settles into a probabilistically constant mode of transition from state to state according to the scheme "working condition of all blocks - failure of one or several blocks - repair - working condition of all blocks". The probabilities of the sequence and duration of these events are determinable, which makes it possible, on the one hand, to assess the risks arising during operation and to determine a management strategy to minimise these risks. The probability of the failure flow intensity, and possible changes in this probability during the operation of the water treatment system, depend on the time interval of the failure curve within which the operation of this system is considered. Determining this probability makes it possible to predict risks throughout the periods of operation of such systems and to take measures to minimise them.

    Introduction. At present, the most important issues in the national economy are those of the continuous, reliable and safe operation of circulating water supply systems, namely of the power units of thermal power stations and the combined heat and power plants of industrial enterprises. Fault-free and reliable operation of water supply systems ensures the normal functioning of social and industrial enterprises, as well as the safe operation of fire protection systems, which can be disrupted when the supply of a quality product to the consumer stops. In Ukraine and abroad, many scientific works are devoted to this problem area, addressing the assessment, calculation and management of man-made risks. The questions of calculating and managing risks in water treatment systems in thermal power engineering, and of the impact of these risks on environmental safety, are practically not covered, even though they are of great economic importance. There is no general methodological approach that takes into account the diversity of water treatment systems and their design solutions, no clear ranking of the objects whose protection the risk analysis is aimed at, and no analysis of the influences acting on them.

    Purpose and methods. The purpose of the work is to determine the risks associated with the regularities of the failure probabilities of units, with the regularities of the system's transition from state to state, and the risks associated with changes in these regularities when units of the water treatment system or its elements are replaced. To study the probability of risks arising from failures over the entire period of operation of a water treatment system in thermal power engineering, a structural and functional block diagram of the water treatment system was constructed. To obtain numerical data on the failure probability at any given moment, the failure probability curve was approximated by curves of the normal distribution law (Gaussian curves).

    Results and discussion. The research established that the minimum risk is proportional to the minimum failure probability. It is therefore fair to state that, to minimise the risk, the failure probability function must be minimised on that part of the failure curve that corresponds to the working state of the unit or element, that is, in the burn-in region or in the normal-operation region. To calculate the minimum probability of risk, the minimum of this function must be determined. Since failure is a function of many variables, P_fail = f(x, y, z) → 0. It was also established that for most water treatment systems, at any moment of operation, it is possible to determine the risks associated with the regularities of unit failure probabilities, with the regularities of the system's transition from state to state, and the risks associated with changes in the above regularities when units of the water treatment system or its elements are replaced.

    Conclusions. The research carried out shows that, after a sufficiently long period of operation, a water treatment system settles into a probabilistically steady regime of transition from state to state according to the scheme "working state of all units - failure of one or several units - repair - working state of all units". The probabilities of the sequence and duration of these events can be determined, which makes it possible, on the one hand, to assess the risks arising during operation and to define a management strategy to minimise them. The probability of the failure flow intensity, and possible changes in this probability during operation of the water treatment system, depend on the time interval of the failure curve within which the system's operation is considered. Determining this probability makes it possible to forecast risks over the entire period of the system's operation and to take measures to minimise them.

    Compositional dependability analysis of dynamic systems with uncertainty

    Over the past two decades, research has focused on simplifying dependability analysis by looking at how we can synthesise dependability information from system models automatically. This has led to the field of model-based safety assessment (MBSA), which has attracted a significant amount of interest from industry, academia, and government agencies. Different model-based safety analysis methods, such as Hierarchically Performed Hazard Origin & Propagation Studies (HiP-HOPS), are increasingly applied by industry for dependability analysis of safety-critical systems. Such systems may feature multiple modes of operation where the behaviour of the systems and the interactions between system components can change according to what modes of operation the systems are in.

    MBSA techniques usually combine different classical safety analysis approaches to allow the analysts to perform safety analyses automatically or semi-automatically. For example, HiP-HOPS is a state-of-the-art MBSA approach which enhances an architectural model of a system with logical failure annotations to allow safety studies such as Fault Tree Analysis (FTA) and Failure Modes and Effects Analysis (FMEA). In this way it shows how the failure of a single component or combinations of failures of different components can lead to system failure. As systems are getting more complex and their behaviour becomes more dynamic, capturing this dynamic behaviour and the many possible interactions between the components is necessary to develop an accurate failure model.

    One of the ways of modelling this dynamic behaviour is with a state-transition diagram. Introducing a dynamic model compatible with the existing architectural information of systems can provide significant benefits in terms of accurate representation and expressiveness when analysing the dynamic behaviour of modern large-scale and complex safety-critical systems. Thus the first key contribution of this thesis is a methodology to enable MBSA techniques to model dynamic behaviour of systems. This thesis demonstrates the use of this methodology using the HiP-HOPS tool as an example, and thus extends HiP-HOPS with state-transition annotations. This extension allows HiP-HOPS to model more complex dynamic scenarios and perform compositional dynamic dependability analysis of complex systems by generating Pandora temporal fault trees (TFTs). As TFTs capture state, the techniques used for solving classical FTs are not suitable to solve them. They require a state space solution for quantification of probability. This thesis therefore proposes two methodologies based on Petri Nets and Bayesian Networks to provide state space solutions to Pandora TFTs.

    Uncertainty is another important (yet incomplete) area of MBSA: typical MBSA approaches are not capable of performing quantitative analysis under uncertainty. Therefore, in addition to the above contributions, this thesis proposes a fuzzy set theory based methodology to quantify Pandora temporal fault trees with uncertainty in failure data of components.

    The proposed methodologies are applied to a case study to demonstrate how they can be used in practice. Finally, the overall contributions of the thesis are evaluated by discussing the results produced, and from these, conclusions about the potential benefits of the new techniques are drawn.

    Integrated application of compositional and behavioural safety analysis

    To address challenges arising in the safety assessment of critical engineering systems, research has recently focused on automating the synthesis of predictive models of system failure from design representations. In one approach, known as compositional safety analysis, system failure models such as fault trees and Failure Modes and Effects Analyses (FMEAs) are constructed from component failure models using a process of composition. Another approach has looked into automating system safety analysis via application of formal verification techniques such as model checking on behavioural models of the system represented as state automata. So far, compositional safety analysis and formal verification have been developed separately and seen as two competing paradigms for the problem of model-based safety analysis. This thesis shows that it is possible to move forward the terms of this debate and use the two paradigms synergistically in the context of an advanced safety assessment process. The thesis develops a systematic approach in which compositional safety analysis provides the basis for the systematic construction and refinement of state automata that record the transition of a system from normal to degraded and failed states. These state automata can be further enhanced and then model-checked to verify the satisfaction of safety properties. Note that the development of such models in current practice is ad hoc and relies only on expert knowledge, but it is rationalised and systematised in the proposed approach, which is a key contribution of this thesis. Overall the approach combines the advantages of compositional safety analysis, such as simplicity, efficiency and scalability, with the benefits of formal verification, such as the ability for automated verification of safety requirements on dynamic models of the system, and leads to an improved model-based safety analysis process.

    In the context of this process, a novel generic mechanism is also proposed for modelling the detectability of errors which typically arise as a result of component faults and then propagate through the architecture. This mechanism is used to derive analyses that can aid decisions on appropriate detection and recovery mechanisms in the system model. The thesis starts with an investigation of the potential for useful integration of compositional and formal safety analysis techniques. The approach is then developed in detail and guidelines for analysis and refinement of system models are given. Finally, the process is evaluated in three case studies that were iteratively performed on increasingly refined and improved models of aircraft and automotive braking and cruise control systems. In the light of the results of these studies, the thesis concludes that integration of compositional and formal safety analysis techniques is feasible and potentially useful in the design of safety-critical systems.

    Fujaba days 2009 : proceedings of the 7th international Fujaba days, Eindhoven University of Technology, the Netherlands, November 16-17, 2009

    Fujaba is an Open Source UML CASE tool project started at the software engineering group of Paderborn University in 1997. In 2002 Fujaba was redesigned and became the Fujaba Tool Suite, with a plug-in architecture allowing developers to add functionality easily while retaining full control over their contributions.

    Multiple Application Domains
    Fujaba followed the model-driven development philosophy right from its beginning in 1997. In the early days, Fujaba had a special focus on code generation from UML diagrams, resulting in a visual programming language with a special emphasis on object-structure-manipulating rules. Today, at least six rather independent tool versions are under development in Paderborn, Kassel, and Darmstadt, supporting (1) reengineering, (2) embedded real-time systems, (3) education, (4) specification of distributed control systems, (5) integration with the ECLIPSE platform, and (6) MOF-based integration of system (re-)engineering tools.

    International Community
    To our knowledge, quite a number of research groups have also chosen Fujaba as a platform for UML and MDA related research activities. In addition, quite a number of Fujaba users send requests for more functionality and extensions. Therefore, the 7th International Fujaba Days aimed at bringing together Fujaba developers and Fujaba users from all over the world to present their ideas and projects and to discuss them with each other and with the Fujaba core development team.

    A visual interactive method for prime implicants identification

    We propose a visual interactive method for the identification of the Prime Implicants (PIs) of dynamic non-coherent systems. Visual interactive methods integrate mathematical and symbolic models with runtime interaction and real-time graphic display, which allows the underlying physical relationships among process parameters to be visualised. The proposed method is based on a parallel-coordinates data mining tool that relies on an innovative pruning procedure which, on the basis of a proper selection of characteristic features of the accident sequences, retrieves the PIs from the whole set of implicants in terms of process parameter values and/or component failure states. The method is exemplified on an artificial case study and then applied to the dynamic reliability analysis of the Airlock System (AS) of a CANDU reactor.