76 research outputs found

    Historical review of fire safety at NPP and application of fire PSA to Westinghouse PWR NPP in the frame of risk-informed decision making by

    The importance of fire as a potential initiator of multiple-system failures took on a new perspective after the cable-tray fire at Browns Ferry in 1975. The review has shown that fire safety at first-generation Nuclear Power Plants (NPPs) was not treated as a high-risk area that needed to be effectively assessed and quantified. This resulted in the development of peculiar fire safety regulations and standards and in expensive backfits. In the absence of appropriate regulations and effective methods of fire risk assessment, prescriptive, difficult and expensive retrofit regulations were instituted in the USA. The alternative risk-informed, performance-based regulation was established in the USA to resolve the challenges of the prescriptive rules. The review has revealed that neither the prescriptive nor the risk-informed, performance-based approach will represent an adequate design basis for new Nuclear Power Plants. Japan was pushed onto the path of renewing its fire safety regulations and risk quantification after the Fukushima accident. It has been recognized that effective fire safety assessment and culture, in concert with countermeasures to prevent, detect, suppress, and mitigate the effects of fires if they occur, will minimize NPP fire risk. Among the numerous recommendations: fire safety at an NPP must be planned and engineered before construction begins, using state-of-the-art technology, and the methods of fire risk assessment must integrate state-of-the-art deterministic and probabilistic approaches.

    Two methods are presented which serve to incorporate fire-related risk into current practice in nuclear power plants with respect to the assessment of configurations. The first method is a fire protection systems and key safety functions Unavailability Matrix (UM), developed to identify structures, systems, and components significant for fire-related risk. The second method is a fire zones and key safety functions (KSFs) fire risk matrix, useful for identifying fire zones that are candidates for risk management actions. The UM is an innovative tool for communicating fire risk. The Monte Carlo method has been used to assess the uncertainty of the UM; the analysis shows that the uncertainty is sufficiently bounded. The significant fire-related risk is localized in six KSF representative components and one fire protection system, which should be included in the maintenance rule. The unavailability of fire protection systems does not significantly affect the risk. The fire risk matrix identifies the fire zones that contribute the most to the fire-related risk; these zones belong to the control building and the electric penetrations building. The aggregation of the Internal Events PSA model and the Fire PSA model has shown that the Fire PSA contributes 38.4% to the risk increase. A feasibility study of developing a fire-related Risk Monitor from the Fire PSA for the Spanish NPP was carried out. One of the main challenges is that the RiskSpectrum® fire PSA has 384 fire cases and 384 CDFs, whereas the Risk Monitor requires a single CDF. However, CAFTA is unable to convert the sequential Fault Tree structure of the internal Event Tree in the Fire PSA: the conversion implements neither all of the sequences leading to core damage nor the Fault Tree selection of the fire frequency. The proposal is to suppress exchange events and introduce the alignment of the consequences so that a unique core damage result can be quantified. The detection and fire suppression Event Trees in the reference model were replaced by detection and fire extinction Fault Trees. The frequency of each fire case in the conversion model and in the reference model was quantified and the frequencies compared. The results show that 90% of the cases are valid; the rest have challenges with MCS. A unique CDF of 7.65×10⁻⁷ is quantified, compared with 9.83×10⁻⁶ for the reference. The conversion of the new model in CAFTA was not successful due to software incompatibility.

    Review of Quantitative Software Reliability Methods

    The current U.S. Nuclear Regulatory Commission (NRC) licensing process for digital systems rests on deterministic engineering criteria. In its 1995 probabilistic risk assessment (PRA) policy statement, the Commission encouraged the use of PRA technology in all regulatory matters to the extent supported by the state-of-the-art in PRA methods and data. Although many activities have been completed in the area of risk-informed regulation, the risk-informed analysis process for digital systems has not yet been satisfactorily developed. Since digital instrumentation and control (I&C) systems are expected to play an increasingly important role in nuclear power plant (NPP) safety, the NRC established a digital system research plan that defines a coherent set of research programs to support its regulatory needs. One of the research programs included in the NRC's digital system research plan addresses risk assessment methods and data for digital systems. Digital I&C systems have some unique characteristics, such as using software, and may have different failure causes and/or modes than analog I&C systems; hence, their incorporation into NPP PRAs entails special challenges. The objective of the NRC's digital system risk research is to identify and develop methods, analytical tools, and regulatory guidance for (1) including models of digital systems into NPP PRAs, and (2) using information on the risks of digital systems to support the NRC's risk-informed licensing and oversight activities. For several years, Brookhaven National Laboratory (BNL) has worked on NRC projects to investigate methods and tools for the probabilistic modeling of digital systems, as documented mainly in NUREG/CR-6962 and NUREG/CR-6997. However, the scope of this research principally focused on hardware failures, with limited reviews of software failure experience and software reliability methods. 
NRC also sponsored research at the Ohio State University investigating the modeling of digital systems using dynamic PRA methods. These efforts, documented in NUREG/CR-6901, NUREG/CR-6942, and NUREG/CR-6985, included a functional representation of the system's software but did not explicitly address failure modes caused by software defects or by inadequate design requirements. An important identified research need is to establish a commonly accepted basis for incorporating the behavior of software into digital I&C system reliability models for use in PRAs. To address this need, BNL is exploring the inclusion of software failures into the reliability models of digital I&C systems, such that their contribution to the risk of the associated NPP can be assessed.

    On Age-of-Information Aware Resource Allocation for Industrial Control-Communication-Codesign

    In industrial manufacturing, Industry 4.0 refers to the ongoing convergence of the real and virtual worlds, enabled through intelligently interconnecting industrial machines and processes through information and communications technology. Ultra-reliable low-latency communication (URLLC) is widely regarded as the enabling technology for Industry 4.0 due to its ability to fulfill the highest quality-of-service (QoS), comparable to that of industrial wireline connections. In contrast to this trend, a range of works in the research domain of networked control systems have shown that URLLC's supreme QoS is not necessarily required to achieve high quality-of-control; the co-design of control and communication makes it possible to jointly optimize and balance both quality-of-control parameters and network parameters by blurring the boundary between the application and network layers. However, through this tight interlacing, the approach requires a fundamental (joint) redesign of both control systems and communication networks and may therefore not lead to short-term widespread adoption.

    Therefore, this thesis instead embraces a novel co-design approach which keeps both domains distinct but leverages the combination of control and communications by exploiting the age of information (AoI) as a valuable interface metric. This thesis contributes to quantifying application dependability as a consequence of exceeding a given peak AoI, with a particular focus on packet losses. The beneficial influence of negative temporal packet loss correlation on control performance is demonstrated by means of the automated guided vehicle use case. Assuming small-scale fading as the dominant cause of communication failure, a series of communication failures is mapped to an application failure through discrete-time Markov models for single-hop (e.g., only uplink or downlink) and dual-hop (e.g., subsequent uplink and downlink) architectures. This enables the derivation of application-related dependability metrics such as the mean time to failure in closed form. For single-hop networks, an AoI-aware resource allocation strategy termed state-aware resource allocation (SARA) is proposed that increases the application reliability by orders of magnitude compared to static multi-connectivity while keeping the resource consumption in the range of best-effort single-connectivity. This dependability can also be statistically guaranteed on a system level – where multiple agents compete for a limited number of resources – if the provided amount of resources per agent is increased by approximately 10 %. For the dual-hop scenario, an AoI-aware resource allocation optimization is developed that minimizes a user-defined penalty function that punishes low application reliability, high AoI, and high average resource consumption. This optimization may be carried out offline, and each resulting optimal SARA scheme may be implemented as a look-up table in the lower medium access control layer of future wireless industrial networks.

    Table of contents:
    1. Introduction
        1.1. The Need for an Industrial Solution
        1.2. Contributions
    2. Related Work
        2.1. Communications
        2.2. Control
        2.3. Codesign
            2.3.1. The Need for Abstraction – Age of Information
        2.4. Dependability
        2.5. Conclusions
    3. Deriving Proper Communications Requirements
        3.1. Fundamentals of Control Theory
            3.1.1. Sampling
            3.1.2. Performance Requirements
            3.1.3. Packet Losses and Delay
        3.2. Joint Design of Control Loop with Packet Losses
            3.2.1. Method 1: Reduced Sampling
            3.2.2. Method 2: Markov Jump Linear System
            3.2.3. Conclusion
        3.3. Focus Application: The AGV Use Case
            3.3.1. Control Loop Model
            3.3.2. Control Performance Requirements
            3.3.3. Joint Modeling: Applying Reduced Sampling
            3.3.4. Joint Modeling: Applying MJLS
        3.4. Conclusions
    4. Modeling Control-Communication Failures
        4.1. Communication Assumptions
            4.1.1. Small-Scale Fading as a Cause of Failure
            4.1.2. Connectivity Models
        4.2. Failure Models
            4.2.1. Single-hop network
            4.2.2. Dual-hop network
        4.3. Performance Metrics
            4.3.1. Mean Time to Failure
            4.3.2. Packet Loss Ratio
            4.3.3. Average Number of Assigned Channels
            4.3.4. Age of Information
        4.4. Conclusions
    5. Single Hop – Single Agent
        5.1. State-Aware Resource Allocation
        5.2. Results
        5.3. Erroneous Acknowledgments
        5.4. Conclusions
    6. Single Hop – Multiple Agents
        6.1. Failure Model
            6.1.1. Admission Control
            6.1.2. Transition Probabilities
            6.1.3. Computational Complexity
            6.1.4. Performance Metrics
        6.2. Illustration Scenario
        6.3. Results
            6.3.1. Verification through System-Level Simulation
            6.3.2. Applicability on the System Level
            6.3.3. Comparison of Admission Control Schemes
            6.3.4. Impact of the Packet Loss Tolerance
            6.3.5. Impact of the Number of Agents
            6.3.6. Age of Information
            6.3.7. Channel Saturation Ratio
            6.3.8. Enforcing Full Channel Saturation
        6.4. Conclusions
    7. Dual Hop – Single Agent
        7.1. State-Aware Resource Allocation
        7.2. Optimization Targets
        7.3. Results
            7.3.1. Extensive Simulation
            7.3.2. Non-Integer-Constrained Optimization
        7.4. Conclusions
    8. Conclusions and Outlook
        8.1. Key Results and Conclusions
        8.2. Future Work
    A. DC Motor Model
    Bibliography
    Publications of the Author
    List of Figures
    List of Tables
    List of Operators and Constants
    List of Symbols
    List of Acronyms
    Curriculum Vitae
. . . . . . . . . . 82 6.3.5. Impact of the Number of Agents . . . . . . . . . . . . . . . . . 84 6.3.6. Age of Information . . . . . . . . . . . . . . . . . . . . . . . . 84 6.3.7. Channel Saturation Ratio . . . . . . . . . . . . . . . . . . . . 86 6.3.8. Enforcing Full Channel Saturation . . . . . . . . . . . . . . . 86 6.4. Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88 7. Dual Hop – Single Agent 91 7.1. State-Aware Resource Allocation . . . . . . . . . . . . . . . . . . . . 91 7.2. Optimization Targets . . . . . . . . . . . . . . . . . . . . . . . . . . . 92 7.3. Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95 7.3.1. Extensive Simulation . . . . . . . . . . . . . . . . . . . . . . . 96 7.3.2. Non-Integer-Constrained Optimization . . . . . . . . . . . . . 98 7.4. Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101 8. Conclusions and Outlook 105 8.1. Key Results and Conclusions . . . . . . . . . . . . . . . . . . . . . . . 105 8.2. Future Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107 A. DC Motor Model 111 Bibliography 113 Publications of the Author 127 List of Figures 129 List of Tables 131 List of Operators and Constants 133 List of Symbols 135 List of Acronyms 137 Curriculum Vitae 13

    Evaluating Architectural Safeguards for Uncertain AI Black-Box Components

    Although tremendous progress has been made in Artificial Intelligence (AI), it entails new challenges. The growing complexity of learning tasks requires more complex AI components, which increasingly exhibit unreliable behaviour. In this book, we present a model-driven approach to model architectural safeguards for AI components and analyse their effect on the overall system reliability

    Safety and Reliability - Safe Societies in a Changing World

    The contributions cover a wide range of methodologies and application areas for safety and reliability that contribute to safe societies in a changing world. These methodologies and applications include:
    - foundations of risk and reliability assessment and management
    - mathematical methods in reliability and safety
    - risk assessment
    - risk management
    - system reliability
    - uncertainty analysis
    - digitalization and big data
    - prognostics and system health management
    - occupational safety
    - accident and incident modeling
    - maintenance modeling and applications
    - simulation for safety and reliability analysis
    - dynamic risk and barrier management
    - organizational factors and safety culture
    - human factors and human reliability
    - resilience engineering
    - structural reliability
    - natural hazards
    - security
    - economic analysis in risk management

    Advances in Condition Monitoring, Optimization and Control for Complex Industrial Processes

    The book documents 25 papers collected from the Special Issue “Advances in Condition Monitoring, Optimization and Control for Complex Industrial Processes”, highlighting recent research trends in complex industrial processes. The book aims to stimulate the research field and be of benefit to readers from both academic institutes and industrial sectors

    Enhancing Robustness of Uplift Models used for Churn Prevention against Local Disturbances
