a meta-model for integrating safety concerns into system engineering processes lurpa – ens cachan...

A Meta-model for Integrating Safety Concerns into System Engineering

Processes

LURPA – ENS Cachan (France)• Pierre-Yves Piriou• Jean-Marc Faure

MRI – EDF R&D Clamart (France)• Gilles Deleuze

Wednesday 17th April 2013

Outline

2

A Meta-model for Integrating Safety Concerns into System Engineering Processes

Context and objective of the work• General industrial concern• Application domain: safety of nuclear power plants• Objective

Related workContribution

• General description of the meta-model• Details

Illustration: instantiation of the meta-model• Brief description of the example• Some instance diagrams

Conclusion and outlook

IEEE Systems Conference 2013

Context and objective of the work

3

General concernBridging the gap between System Engineering and

Safety Analysis.


Functional

studies

Models and tools

(UML-SysML, arKItect, Obeo Designer, …)

Standards and documents

(ISO-IEC 15288,

ISO-IEC 26702,

INCOSE SE Handbook…)

Meta-modelDysfunctional

studies

Models and tools

(FTA,SPN, Markov chains,

AltaRica,…)

Standards and documents

(NF X60-500,

NF EN 13306,

[Villemeur, 1988], …)

System Engineering

SafetyAnalysis


4

Safety of Nuclear Power Plant (1)This field considers Phased Mission Systems.

Each mission phase determines:• A specific system structure• A specific success criterion• Specific failure and recovery processes


t

Power

Phase 2:Production

phase

Phase 3: Power

decreasing

Phase 1:Power

increasing


5

Safety of Nuclear Power Plant (2)Many components can be repaired.

The component states are defined by the combination of one failure mode and one operation mode


OFF

RUN

OVERSPEED

RUPTURE

failure

failurerepair

repair

OK

LEAK

Operation Mode:deterministic

evolution

Failure Mode:stochasticevolution

StateOFF-OK

StateRUN-OK

StateRUN-LEAK

StateOVERSPEED-LEAK

StateOVERSPEED-OK

StateRUN-OK

StateOFF-RUPTURE


6

Safety of Nuclear Power Plant (3)Redundancy policies declarations have to be formalized.

• A component can spare another one simply by changing its operation mode


OFF

RUN

OVERSPEED

OFF

RUN

OVERSPEED RUPTURE

failure

failurerepair

repair

OK

LEAK

RUPTURE

failure

failurerepair

repair

OK

LEAKP1

P2

REDUNDANCY


7IEEE Systems Conference 2013

Objective

To refine an existing System Engineering meta-model for easily defining models dealing with safety concerns:

studies

Models

Tools

Standards

documents

studies

Models

Tools

Standards

Documents

• Phased Mission Systems (PMS)• Repairable components• Realistic failure/repair scenarios• Redundancy policies

Resulting Meta-model

Safety Analysis knowledge

• Failure mode• Redundancy• …

System EngineeringMeta-Model

• Requirements• Architecturing• …

Related work

8

Integrating safety concerns into SE processes

For the first steps of the system lifecycle:• [Guillerm 2011]: Safety requirements elicitation.• [Cancila 2009]: Integrating the preliminary risk analysis process.

It is assumed that these issues are solved.

[David 2010]: A method for modeling realistic failure/repair scenarios in a complex system design.

• Phased Mission Systems not considered• Nor Redundancy Policies


Related work

9

The existing System Engineering meta-model

[Pfister 2012]: A meta-model for formalizing systems knowledge, based on functional architecture patterns.

• A meta-model is a model of model.• It should be used in addition to the SE processes.


Outline

10








Contribution

11

The Meta-model

Meta-model specified with an UML class diagram and OCL constraints

Minimal describing classes for modeling:

• Mission phases• Component states:

- Operation modes- Failure modes

• Effect of a componenton a function

• Redundancy policies


Contribution

12

Details: Component State

A component may be in several States.A state is defined by one Failure Mode and one

Operation ModeThe possible evolution

between the states are driven by probability rates


FaultyState

failureRate

repairRate

Non-faultyState

Contribution

13

Details: Redundancy Policy (1)

During the phase P, the function F must be performed by a set of n components C = {ci}iϵ[1,n]. If it doesn’t do, there is a redundant component CR (CR C ).


Contribution

14


For validating the redundancy policy, the current state of the component CR must be in the set of m states S = {Si}iϵ[1,m].


Contribution

15


In order to spare the failed components, the component CR has to be powered on the state SR (SR S ).


When a reconfiguration occurs,the allocation of components to

functions may be changed.

Outline

16








Illustration : Instantiation of the Meta-Model

17

Example description (1)Two feeding turbo pumps


SteamGenerator

Sensors

PIDController

OtherComponents

Referenceinput

Secondary circuit of the power plant

steamwater

Water level control system FTP1

FTP2


18

Example description (1)Two feeding turbo pumpsOne Function: « To supply enough water »Three considered mission phases

• P1: To increase the power (0%Pn < Power < 60%Pn)• P2: To produce energy (60%Pn < Power < 100%Pn)• P3: To decrease the power (0%Pn < Power < 60%Pn)


SteamGenerator

Sensors

PIDController

OtherComponents

Referenceinput

Secondary circuit of the power plant

steamwater

Water level control system FTP1

FTP2

19

Example description (2)P1: Only one pump is active. In case of failure of that pump,

the spare component is activated.P2: The two pumps are active. In case of failure of one of

them, the other is over-speededP3: same as phase P1


P2P1 P3

t

Power/Pn

100 %

60 %

150

: FTP1 RUN; FTP2 OFF

Curve of power

: FTP1 RUN; FTP2 RUN: FTP1 OFF; FTP2: RUN

: FTP1 OFF; FTP2 OVERSPEEDFailure of FTP1 Repair of FTP1

Failure of FTP1


20

Instance diagram for the Components (Modes)


FTP2


FTP1

21

Instance diagram for the Components (Tables of attributes values)

Each combination of Operation Mode and Failure Mode is a state that is featured by failure (λ) / repair (μ) rates.



FailureMode

Operation Mode

OK LEAK RUPTURE

OFFOFF-OK

Not relevantOFF-LEAK

λ = 0 / μ = 0.2OFF-RUPTUREλ = 0 / μ = 0.1

RUNRUN-OK

Not relevantRUN-LEAK

λ = 0.01 / μ = 0.1RUN-RUPTUREλ = 0.001 / μ = 0

OVERSPEEDOVERSPEED-OK

Not relevantOVERSPEED-LEAK

λ = 0.05 / μ = 0OVERSPEED-

RUPTUREλ = 0.002 / μ = 0



R2.1: If the set of components {FTP1} does not perform fittingly the function F during the phase P2, …

R2.1: Redundancy policy

name = R2athreshold = 50.0

C1: Component

name: FTP1

P2: Phase

name: Productiondescription: “Maximum production”

F: Function

name = Fdescription = “To supply enough water”goal = 60.0

definedFor

aimedFunction

spared

Instance diagram for a redundancy policy



…and if the component FTP2 is available (i.e. its current state is in the set of states {(RUN, Ok)}, …




C1: Component

name: FTP1

P2: Phase


F: Function


definedFor

spared

C2: Component

name: FTP2

(RUN,OK)2: State

failureRate: 0.0repairRate: 0.0

redundant

available

aimedFunction





C1: Component

name: FTP1

P2: Phase


F: Function


definedFor

spared


C2: Component

name: FTP2

(RUN,OK)2: State


redundant

available

(OVERSPEEED,OK)2: State


rescue

…then FTP2 has to be powered on the state (OVER-SPEED, OK) for participating in the achievement of F.

aimedFunction

Conclusion and Outlook

25

Conclusion and Outlook

The meta-model offers a framework for integrating safety analysis into SE processes.

The meta-model has been implemented with the modeling tool arKItect® .

For assessing safety attributes, a dynamical model is necessary.

The definition of an algorithm for automating the construction of a formal dynamical model from an instance of this meta-model is an ongoing work.


Question Time

A Meta-model for Integrating Safety Concerns into System Engineering

Processes

LURPA – ENS Cachan (France)• Pierre-Yves Piriou• Jean-Marc Faure

MRI – EDF R&D Clamart (France)• Gilles Deleuze

Wednesday 17th April 2013

Thank you for your attention

27

References (1)


[1] F. Pfister, V. Chapurlat, M. Huchard, C. Nebut, and J.-L. Wippler, “A proposed meta-model for formalizing systems engineering knowledge, based on functional architectural patterns,” Systems Engineering, vol. 15, pp. 321–332, Autumn 2012.

[2] R. Guillerm, N. Sadou, and H. Demmou, “Combining FMECA and Fault Trees for declining safety requirements of complex systems,” in ESREL 2011, C. . G. Soares, Ed., Troyes (France), september 2011, p. 1287-1293.

[3] D. Cancila, F. Terrier, F. Belmonte, H. Dubois, H. Espinoza, S. Gérard, and A. Cuccuru, “Sophia: a modeling language for model-based safety engineering,” in MoDELS ACES-MB, Denver, Colorado, USA, October, 6th 2009, pp. 11–25.

[4] P. David, V. Idasiak, and F. Kratz, “Reliability study of complex physical systems using sysml,” International Journal in Reliability Engineeringand System Safety, vol. 95, no. 4, pp. 431 – 450, 2010.

[5] OMG, Uml 2.0 OCL specification, Object Management Group, 2003.

[6] A. Villemeur, Reliability, Availability, Maintainability and Safety Assessment, Methods and Techniques. Wiley, 1992.


[7] G.-R. Burdick, J.-B. Fussell, D.-M. Rasmuson, and J.-R. Wilson, “Phased mission analysis: A review of new developments and an application,” IEEE Transactions on Reliability, vol. R-26, pp. 43–49, April 1977.

[8] L. Meshkat, L. Xing, S. Donohue, and O. S.K., “An overview of the phase-modular fault tree approach to phased mission system analysis,” in Proceedings of the International Conference on Space Mission Challenges for Information Technology, Pasadena, CA, USA, July 2003, p. 10.

[9] M. Kothare, B. Mettler, M. Morari, P. Bendotti, and C.-M. Falinower, “Level control in the steam generator of a nuclear power plant,” in Decision and Control, 1996, Proceedings of the 35th IEEE (10 pages), vol. 4, Kobe, Hyogo, Japan, December 11th-13th 1996, pp. 4851–4856.

[10] H. Zhang, B. de Saport, F. Dufoura, and G. Deleuze, “Dynamic reliability: Towards efficient simulation of the availability of a feedwater control system,” in NPIC-HMIT 2012, San Diego, USA, July 22-26 2012.

[11] H. Aboutaleb, M. Bouali, M. Adedjouma, and E. Suomalainen, “An integrated approach to implement system engineering and safety engineering processes: Sasha project,” in ERTS2012 (6 pages), Toulouse, France, February 2nd 2012.

References (2)

29

A software for multi-scale and multi-job design.

Developed by the French company: Knowledge Inside

The tool offers a graphical and collaborative environement.

Two layers of design:• The Domain Specific Language design (meta-model)• The System design (instanciation)


30

PyCATSHOO (EDF R&D)

Pythonic Context (Object-Oriented) for modeling and computing the Hybrid Stochastic Automaton

A computation engine for the Monte Carlo simulation

Using Knowledge Bases

[12] H. Chraibi, Dynamic reliability and assessment with PyCATSHOO: Application to a test case. in PSAM (10 pages), Tokyo, Japan, April, 14th-18th 2013.


31

Definition of a Mission Phase (step 1)

The Mission Phase determines for the system:• The system structure• The failure and recovery processes• The success criteria


32

Definition of the effect of a component on a function (step 3)

The components which perform a function have to reach a quantified goal in order to fittingly achieve it.

If a function is allocated to a component, then that component performs this function with an achievement rate to be defined.


a meta-model for integrating safety concerns into system engineering processes lurpa – ens cachan...

Documents

safety concerns

work slide

ieee systems conference

rupture slide

specific system

work t power phase

system lifecycle

metamodel brief description