Stochastic modeling techniques for the safety and dependability analysis of DES
Andrea Bobbio
Dipartimento Informatica, Università del Piemonte Orientale, Alessandria (Italy)
bobbio@mfn.unipmn.it
MED-08, Ajaccio, June 26, 2008
Dependability and DES
Technological objects (as well as natural and biological beings) age in time, reducing their ability to perform their functions until, eventually, a final catastrophic breakdown occurs.
Dependability and DES
• We adopt the term dependability to identify the ability of a system to deliver service that can justifiably be trusted.
• Dependability is an integrating concept that encompasses various attributes:
  • Reliability: continuity of correct service.
  • Availability: readiness for correct service.
  • Maintainability: ability to undergo modifications and repairs.
  • Safety: absence of catastrophic consequences.
What dependability theory and practice wants to avoid
Are these connections reliable?
Dependability and DES
• The obvious statement that any object ages implies that any model of any technological system, to be realistic, should include the dependability aspects.
• However, this inclusion has two undesirable effects:
  • it increases the model complexity;
  • it introduces time scales spread over various orders of magnitude.
Dependability and DES
The separation in time scales can be invoked to theoretically justify the decomposition of the functional model with respect to the dependability model and to consider each one in isolation.
P.J. Courtois. Decomposability: Queueing and Computer System Applications. Academic Press, 1977.
A. Bobbio and K.S. Trivedi. An aggregation technique for the transient analysis of stiff Markov chains. IEEE Transactions on Computers, C-35:803-814, 1986.
Safety and DES
Even if safety is considered to be an attribute of dependability, it often requires autonomous and specific modeling techniques.
Safety problems usually require accounting for some critical continuous variables that exceed acceptable limits.
Safety (and dependability) analysis of DES leads to the need to combine continuous and discrete variables into a single modelling framework.
Dependability and DES
A discrete event system is an event-driven system, that is, its state evolution depends entirely on the occurrence of discrete events over time. The admissible time instances are taken from a continuous or discrete set.
Lothar Thiele, Computer Engineering and Networks Laboratory, Discrete Event Systems - Introduction
Since dependability related phenomena are event driven, models and methods for DES are very similar to models and methods for dependability.
Outline
• Correctness verification vs stochastic analysis
• Heterogeneous dependability modeling of DES: Fault trees and Bayesian networks
• Example of safety analysis: Fluid models
• Draw-net tool
Modelling Methods for DES
To deal with the modeling and analysis of dependable and time critical DES, two main methodologies can be envisaged:
• functional models, whose aim is to ascertain conformity to specification and reachability properties;
• stochastic models, whose aim is to provide performance and dependability measures.
Modeling paradigms
Various classifications are possible.
• For what concerns the timing: stochastic vs non stochastic; discrete vs continuous.
• For what concerns the state space: discrete vs continuous (or hybrid).
Timed Models
• In Timed (or non-stochastic) models the timing of events is represented by constant values or (non-deterministic) intervals.
• Typical fields of application:
  • Scheduling
  • Real time
  • Validation and Verification
The Model Checking Problem
• Model checking: automated verification technique that checks whether a given finite-state model satisfies a given requirement, by systematic exhaustive state-space exploration.
• Simulation: checks whether the specification holds on some executions.
Functional vs stochastic models
Functional models explore the area of what is possible.
Stochastic models explore the area of what is probable.
Outline
• Correctness verification vs stochastic analysis
• Heterogeneous dependability modeling of DES: Fault trees and Bayesian networks
• Example of safety analysis: Fluid models
• Draw-net tool
Stochastic Models
• In Stochastic Models the timing of events is represented by random variables.
• Typical fields of application:
  • Performance evaluation (stochastic attributes are: inter-arrival times of jobs, duration of service, …)
  • Dependability analysis (stochastic attributes are: failure times, recovery and repair times, …)
The obtainable measures are mean values, moments and distributions.
Model properties
Several modeling paradigms are available. The usability of a model can be classified according to two main properties:
• The Modeling Power refers to the ability of the model to allow an accurate and faithful representation of the system.
• The Decision Power refers to the ability of the model to be analytically tractable and to provide results with a low space and time complexity.
Model Types in Dependability
Combinatorial models assume that components are statistically independent: poor modeling power coupled with high analytical tractability. Reliability Block Diagrams, FT, Network Reliability, …
State-space models rely on the specification of the whole set of the possible system states and of the possible transitions among them. CTMC, Petri nets, …
Combinatorial Models: Network Reliability
[Figure: Random Network (Poisson Distribution) vs Scale Free Network (Power-law Distribution)]
State-Space Models
A system state encodes a complete description of the state of each component; the stochastic behaviour of each component may depend on the state of all the other components.
This extreme flexibility is very seldom exploited in practice, since it is very rare to encounter applications in which each component changes its stochastic behavior according to the state of all the other components. The state space description appears overspecified with respect to the real modeling needs.
New Model Types in Dependability
Local dependencies: between combinatorial and state space models, research is currently carried on to include localized dependencies.
• Dynamic FT (DFT)
• Bayesian Networks (BN)
Heterogeneous Models
Modeling power and decision power are in competition. A single modeling paradigm is not sufficient in any practical situation and we need to resort to a combination of Heterogeneous Models.
SHARPE, Möbius, Galileo, Drawnet are examples of tools based on heterogeneous modeling.
Multiformalism Models
From FT to Bayesian Networks (BN) to Dynamic FT (DFT)
[Figure: FT converted into a Bayesian Network (BN); DFT solved by CTMC or PN, or converted into a BN]
Fundamental assumptions for FT
Widespread diffusion; simple to manipulate; powerful software tools (combinatorial solutions, BDD).
• Events are binary events (working/non-working);
• Events are statistically independent;
• Relationships between events and causes are logical AND and OR (Boolean) gates;
• The root of the FT is the catastrophic undesired event, called the Top Event (TE).
Case study: a PLC architecture
PLC architecture: FTA
Bayesian Networks
Bayesian Networks have become a widely used formalism for representing uncertain knowledge in probabilistic systems and have been applied to a variety of real-world problems.
BN are defined by a directed acyclic graph in which discrete random variables are assigned to nodes, together with the conditional dependence on the parent nodes. Root nodes are nodes with no parents, and marginal prior probabilities are assigned to them.
References
This work has been done with my colleagues: L. Portinale, S. Montani, and D. Codetta-Raiteri.
• L. Portinale and A. Bobbio. Bayesian networks for dependability analysis: an application to digital control reliability. In: 15th Conf. Uncertainty in Artificial Intelligence, UAI-99, July 1999, pages 551-558.
• A. Bobbio, L. Portinale, M. Minichino and E. Ciancamerla. Improving the Analysis of Dependable Systems by Mapping Fault Trees into Bayesian Networks. Reliability Engineering and System Safety, 71:249-260, 2001.
• A. Bobbio, D. Codetta-Raiteri, S. Montani, L. Portinale. Reliability analysis of Systems with Dynamic Dependencies. In: Bayesian Networks: A Practical Guide to Applications, O. Pourret, P. Naim and B.G. Marcot Eds., pages 225-238, John Wiley & Sons, March 2008.
• S. Montani, L. Portinale, A. Bobbio, D. Codetta-Raiteri. Radyban: A tool for reliability analysis of dynamic fault trees through conversion into dynamic Bayesian networks. Reliability Engineering and System Safety, 93:922-932, 2008.
BN versus FTA
• BNs may improve both the modeling and the analysis power wrt FT:
• Modeling issues: local conditional dependencies, probabilistic gates, multi-state variables, dependent failures, uncertainty in model parameters.
• Analysis issues:
  • a forward (or predictive) analysis;
  • a backward (diagnostic) analysis, in which the posterior probability of any set of variables is computed.
FTA OR Gate vs BN Node [Figure: OR gate and the CPT of the corresponding BN node]
FTA AND Gate vs BN Node [Figure: AND gate and the CPT of the corresponding BN node]
FTA k:n Gate vs BN Node [Figure: k:n gate and the CPT of the corresponding BN node]
The BN model of the PLC
Advanced BN modeling features
• BN can also improve the modeling power wrt FT:
  • Probabilistic Gates;
  • Multi-state Variables;
  • Sequentially dependent failures;
  • Parameter uncertainty.
Probabilistic Gates: Common Cause Failures
Multi-state Variables [Figure: prior and CPT]
Multi-state nodes and sequentially dependent failures [Figure: CPT]
Parameter uncertainty in BN models
Node PS becomes a non-root node, but a child of a new root node where the multi-variable PS is defined.
Diagnostic inference on BN
Any probabilistic computation that can be performed in FT can also be performed in BN (using only prior information).
Standard BN inference deals with the posterior probability computation of any set of variables Q given the evidence set E, i.e. P(Q|E).
By considering the evidence E as the occurrence of a failure, posterior information can be very relevant for criticality and diagnostic (fault localization) aspects.
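The mapping of OR, AND and k:n gates into BN nodes with deterministic CPTs (slides "FTA ... Gate vs BN Node") and the forward/backward inference of this slide, as an added worked example that is not part of the presentation and not code from the authors' tools (Radyban, Draw-net). The fault tree (basic events A, B, C, D; gates G1, G2, TE) and every probability in it are constructed for the illustration and are not the PLC case study; inference is by exhaustive enumeration of the joint, which is adequate for a handful of nodes but is not how a BN engine computes P(Q|E).

```python
import itertools

# Constructed toy fault tree (not the PLC case study): root nodes are basic events with a
# prior probability of being failed (state 1) at the mission time.
PRIORS = {"A": 0.01, "B": 0.02, "C": 0.03, "D": 0.05}

# Gate nodes as (gate kind, parent list, k for k:n). Each becomes a BN node whose CPT is
# generated from the gate's Boolean function, which is exactly the FT-to-BN mapping.
GATES = {
    "G1": ("OR", ["A", "B"], None),
    "G2": ("KN", ["B", "C", "D"], 2),   # 2-out-of-3 gate; B also feeds G1 (shared event)
    "TE": ("AND", ["G1", "G2"], None),  # Top Event
}


def gate_cpt(kind, parents, k=None):
    """CPT of a deterministic gate node: maps each tuple of parent states (0 = working,
    1 = failed) to P(node = failed). A probabilistic gate would hold values in (0, 1) here."""
    cpt = {}
    for states in itertools.product((0, 1), repeat=len(parents)):
        n_failed = sum(states)
        if kind == "OR":
            failed = n_failed >= 1
        elif kind == "AND":
            failed = n_failed == len(parents)
        elif kind == "KN":
            failed = n_failed >= k
        else:
            raise ValueError(f"unknown gate kind {kind}")
        cpt[states] = 1.0 if failed else 0.0
    return cpt


CPTS = {name: gate_cpt(kind, parents, k) for name, (kind, parents, k) in GATES.items()}
NODES = list(PRIORS) + list(GATES)


def joint_probability(assign):
    """BN chain rule: P(assignment) = product over nodes of P(node | parents)."""
    p = 1.0
    for name, prior in PRIORS.items():
        p *= prior if assign[name] else 1.0 - prior
    for name, (_, parents, _) in GATES.items():
        p_failed = CPTS[name][tuple(assign[x] for x in parents)]
        p *= p_failed if assign[name] else 1.0 - p_failed
    return p


def posterior(query, evidence=None):
    """P(query | evidence) by enumerating all 2^n assignments; query and evidence are
    dicts {node: state}. Without evidence this is the forward (predictive) analysis, e.g.
    the Top Event unreliability; with evidence it is the backward (diagnostic) analysis."""
    evidence = evidence or {}
    num = den = 0.0
    for states in itertools.product((0, 1), repeat=len(NODES)):
        assign = dict(zip(NODES, states))
        if any(assign[v] != s for v, s in evidence.items()):
            continue
        p = joint_probability(assign)
        den += p
        if all(assign[v] == s for v, s in query.items()):
            num += p
    return num / den


def top_event_unreliability_ft():
    """The same quantity computed the combinatorial FT way (independent events, conditioning
    on the shared event B), to show that the BN reproduces the FT result."""
    a, b, c, d = (PRIORS[x] for x in "ABCD")
    given_b = 1.0 - (1.0 - c) * (1.0 - d)   # B failed: G1 = 1, G2 = at least one of C, D
    given_not_b = a * c * d                 # B working: G1 = A, G2 = C and D
    return b * given_b + (1.0 - b) * given_not_b


def criticality_ranking(evidence_node="TE"):
    """Posterior failure probability of each basic event given that the Top Event occurred,
    sorted from the most likely culprit down: the fault-localization use of P(Q|E)."""
    post = {x: posterior({x: 1}, {evidence_node: 1}) for x in PRIORS}
    return sorted(post.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    print("P(TE) via BN:", posterior({"TE": 1}))
    print("P(TE) via FT:", top_event_unreliability_ft())
    for node, p in criticality_ranking():
        print(f"P({node} failed | TE) = {p:.4f}  (prior {PRIORS[node]})")
```

With these constructed numbers the forward analysis gives the Top Event probability the FT would give, while the backward analysis ranks the shared event B far above the others once the Top Event is observed, which is the diagnostic information a plain FT cannot provide.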
Local dependencies: Dynamic Fault Trees
As proposed by Joan Dugan et al., local dependencies can be included into a FT by defining a new class of gates, called Dynamic gates. This extension has been called Dynamic Fault Tree (DFT).
• J. Bechta Dugan, S.J. Bavuso, and M.A. Boyd. Dynamic fault-tree models for fault-tolerant computer systems. IEEE Trans Reliability, 41:363-377, 1992.
• J. Bechta Dugan, K.J. Sullivan, and D. Coppit. Developing a low-cost high quality software tool for dynamic fault-tree analysis. IEEE Trans Reliability, 49:49-59, 2000.
Dynamic Gates (Dugan et al.)
• They allow to model local dependencies among basic components or among their failure events.
[Figure: Priority And, Sequence Enforcing Gate, Functional Dependency Gate, Warm Spare Gate]
HSS Sprinkler System
L. Meshkat and J.B. Dugan. Dependability analysis of systems with on demand and active failure modes using Dynamic Fault Trees. IEEE Transactions on Reliability, 51(2):240-251, 2002.
DFT Representation
DFT Solution via CTMC or GSPN
• Separation into dynamic modules
• Generation of the corresponding CTMC for dynamic modules
• Translation of the DFT in GSPN. It can be done through graph transformation rules.
Transformation technique
• Each Basic Event is isolated and transformed in a GSPN.
• Each gate, with its input events and its output event, is isolated and transformed in a GSPN.
• All the GSPNs are merged together by superposition over the common places.
• The resulting GSPN corresponds to the DFT.
D. Codetta Raiteri. "The Conversion of Dynamic Fault Trees to Stochastic Petri Nets, as a case of Graph Transformation". Electronic Notes in Theoretical Computer Science, vol. 127(2), pages 45-60, Elsevier, March 2005.
WSP gate transformation
• M is the main component.
• S is the spare component.
• S replaces M if M fails.
• S is initially dormant (stand-by).
• S has two failure rates:
  • when dormant (0<<1)
  • when working
FDEP gate transformation
• Input events:
  • one trigger event (T)
  • a set of dependent events (D1, D2, …)
• If T fails, D1, D2, … are forced to fail.
• Output event: Y=T
PAND gate transformation
• Y fails if
  • X1, …, Xn are all failed (AND condition)
  • X1, …, Xn failed in the specified order (priority condition)
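The semantics of the WSP, FDEP and PAND gates of the three slides above, as an added example that is not from the presentation and not from the GSPN transformation rules or tools it cites: each gate is written as a rule on the failure times of its inputs, and the WSP gate is additionally evaluated by Monte Carlo simulation and checked against a closed form. The rate names lam_main and lam_spare, the name alpha for the dormancy factor of the spare (the slide gives it only as a value between 0 and 1) and all numeric values are assumptions made for the illustration.

```python
import math
import random

NEVER = math.inf  # failure time of an event that never occurs


def pand(times):
    """PAND gate: the output fails at the last input failure, but only if the inputs
    X1..Xn failed in the listed order (priority condition); otherwise it never fails."""
    if all(earlier <= later for earlier, later in zip(times, times[1:])):
        return times[-1]
    return NEVER


def fdep(trigger_time, dependent_times):
    """FDEP gate: when the trigger T fails, every dependent D_i is forced to fail at that
    instant; a dependent that already failed on its own keeps its own time. Returns the
    adjusted dependent times; the gate's own output event is Y = T."""
    return [min(t, trigger_time) for t in dependent_times]


def wsp_failure_time(rng, lam_main, lam_spare, alpha):
    """WSP gate with main M and one spare S (assumed names/rates). S is dormant until M
    fails and meanwhile fails with the reduced rate alpha*lam_spare; on activation its rate
    switches to lam_spare. Because the exponential is memoryless, sampling a fresh
    exponential at activation is exactly the rate switch of the CTMC/GSPN model."""
    t_main = rng.expovariate(lam_main)
    t_dormant = rng.expovariate(alpha * lam_spare) if alpha > 0 else NEVER
    if t_dormant < t_main:
        return t_main                               # spare already dead when demanded
    return t_main + rng.expovariate(lam_spare)      # spare takes over, then fails


def wsp_unreliability_mc(t, lam_main, lam_spare, alpha, n=200_000, seed=1):
    """Monte Carlo estimate of P(system failed by time t) for the WSP gate."""
    rng = random.Random(seed)
    failed = sum(wsp_failure_time(rng, lam_main, lam_spare, alpha) <= t for _ in range(n))
    return failed / n


def wsp_unreliability_exact(t, lam_main, lam_spare, alpha):
    """Closed form for the same gate, conditioning on the instant s at which M fails:
    R(t) = exp(-lam_main*t)
         + integral_0^t lam_main*exp(-lam_main*s) * exp(-alpha*lam_spare*s)
                        * exp(-lam_spare*(t-s)) ds
    The first term is M surviving; the second is M failing at s with S still alive
    (dormant phase) and then S surviving the remaining t-s in the active phase."""
    c = lam_main + alpha * lam_spare - lam_spare
    if abs(c) < 1e-12:   # degenerate exponent: the integrand is constant in s
        survived_via_spare = lam_main * math.exp(-lam_spare * t) * t
    else:
        survived_via_spare = (lam_main * math.exp(-lam_spare * t)
                              * (1.0 - math.exp(-c * t)) / c)
    return 1.0 - (math.exp(-lam_main * t) + survived_via_spare)


if __name__ == "__main__":
    print("PAND([1, 2, 3]) ->", pand([1.0, 2.0, 3.0]), "  PAND([2, 1]) ->", pand([2.0, 1.0]))
    print("FDEP(T=1.5, [3.0, 0.5]) ->", fdep(1.5, [3.0, 0.5]))
    for alpha in (0.0, 0.5, 1.0):   # cold, warm and hot spare
        print(f"WSP alpha={alpha}: MC {wsp_unreliability_mc(1.0, 1.0, 1.0, alpha):.4f}"
              f"  exact {wsp_unreliability_exact(1.0, 1.0, 1.0, alpha):.4f}")
```

Two sanity checks fall out of the closed form: with alpha = 1 (hot spare) the gate reduces to two independent components in parallel, and with alpha = 0 (cold spare) the system lifetime is the sum of two exponentials, so the unreliability at t = 1 with both rates equal to 1 is 1 - 2e^-1. The Monte Carlo estimate should agree with the closed form to within its sampling error, which is the usual way to validate a simulation of a dynamic gate before trusting it on a model without a closed form.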