Solution by KB3-BDMP and Figseq (A) or YAMS (M)
EDF-R&D
www.researchgate.net/profile/Marc_Bouissou
Outline
The BDMP formalism
Tools of the KB3 platform
6.6kV Model presentation
Results
Conclusion
Boolean logic Driven Markov Processes
BDMP in a nutshell
Fault trees - Markov chains - Petri nets
BDMP: an attractive trade-off
Interest proven in reliability and safety engineering
Recent adaptation to security modeling
Dynamic
Readable
Tractable
Complete theory
Efficient software available
BDMP can be used to model any kind of system: repairable or not, multiphase, multistate, …
And also for security modeling
BDMP definition
A simplified view of the definitions given in the foundation paper*
* A new formalism that combines advantages of fault-trees and Markov models: Boolean logic Driven Markov Processes. Reliability Engineering and System Safety, 2003
BDMP main ideas
The total independence of the leaves of a fault-tree is replaced by simple dependencies.
Each leaf has two modes: required and not required. Transitions between those two modes define instantaneous states in which on-demand failures can be triggered.
Any Markov process can be associated with each mode of a leaf.
Formalism: "Boolean logic Driven Markov Process" (BDMP)
Graphical representation of a BDMP
[Figure: a fault tree with gates G1 and G2 over leaves P1, P2, P3, P4 and a main top event r. Legend: main top event, secondary top event, trigger, triggered Markov processes Pi + definition of failure states for each Pi]
Examples of leaves behaviors
[Figure: for each leaf type, the Markov process in "Not required" mode, the one in "Required" mode, and the mode transitions between them; states S (standby), W (working), F (failed); rates labeled l and m in the figure]
- failure mode possible only if in required mode: mode transitions S <-> W, F <-> F
- failure mode with reduced rate if in non required mode: mode transitions S <-> W, F <-> F
- on demand failure mode: on the transition to required mode, W -> W with probability (1-g) or W -> F with probability g; F -> F
Graphical representation in the tool KB3-BDMP: [icons of the three leaf types]
Definition of required mode in a BDMP
Very powerful concept, because it is hierarchical
Requirement signal transmitted by the branches of the fault-tree
[Figure: gate S1 with sub-gates S2 and S3]
A gate or leaf is required except if it receives a signal of non-requirement from:
- all its fathers, or
- directly via a trigger
Makes it easy to model cascade standby redundancies
Definition of required mode in a BDMP: example of cascade standby redundancy
[Figure: the BDMP with every gate and leaf annotated "Req" when in required mode; the only possible failures in the initial state of the BDMP are the leaves in required mode]
This BDMP specifies a Markov chain with 64 states and 340 transitions!
Definition of irrelevant events
An event is said to be irrelevant if the propagation of the effects of its realization in the fault-tree only concerns gates which are already in the «true» state.
[Figure: leaves f1, f2, …, fn under one gate, a leaf h, and the top event r; after a failure of f2, all other fi become irrelevant]
Number of sequences leading to top event r:
- = n if irrelevant events are trimmed: (f1,h ; f2,h ; …)
- exponential function K(n) if they are not trimmed: (f1,h ; f1,f2,h ; f1,f3,h ; …)
K(n) = n + n K(n-1).
For example, K(10) = 9,864,100 and K(15) > 3.5 × 10^12
Effect of irrelevant events trimming on Markov chain size
[Figure: the cascade standby BDMP; without trimming: 64 states, 340 transitions; with trimming: 36 states, 140 transitions]
Supposing all leaves represent repairable components
Exploitation of irrelevant events
Trimming of irrelevant events:
- Non repairable system -> dramatic reduction of the Markov chain size, with exact calculation of reliability
- Repairable system -> dramatic reduction of the Markov chain size, with approximate calculation of reliability and availability
Note that in many cases the model with trimming is more realistic than without (e.g. electrical components, mutually exclusive failure modes)
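Added example, not code from the slides nor from KB3 or Figseq: it implements the two rules stated above, the required-mode rule (fathers and triggers) and the trimming of irrelevant events, on a constructed model where leaves f1..fn feed an OR gate that triggers a standby leaf h, with top event r = AND(that gate, h). The function names (build_model, realized, required, irrelevant, sequences, K) are the example's own; the enumeration is generic over AND/OR gates and triggers, so it goes beyond the f1..fn sketch.

```python
# Added example, not code from the slides or from KB3/Figseq: the required-mode
# rule (fathers + triggers) and sequence exploration with trimming of irrelevant
# events, on a constructed BDMP: leaves f1..fn feed the OR gate "any_f", which
# triggers the standby leaf h; the top event is r = AND(any_f, h).

def build_model(n):
    leaves = {f"f{i}" for i in range(1, n + 1)} | {"h"}
    gates = {"any_f": ("OR", [f"f{i}" for i in range(1, n + 1)]),
             "r": ("AND", ["any_f", "h"])}
    return leaves, gates, [("any_f", "h")], "r"  # triggers (origin, target), top

def realized(node, failed, model):
    """A leaf is realized when failed; a gate when its Boolean condition holds."""
    leaves, gates, _, _ = model
    if node in leaves:
        return node in failed
    op, inputs = gates[node]
    return (all if op == "AND" else any)(realized(i, failed, model) for i in inputs)

def required(node, failed, model):
    """Required unless a trigger with unrealized origin or all fathers say not."""
    leaves, gates, triggers, top = model
    if any(t == node and not realized(o, failed, model) for o, t in triggers):
        return False
    if node == top:
        return True
    fathers = [g for g, (_, ins) in gates.items() if node in ins]
    return any(required(f, failed, model) for f in fathers)

def irrelevant(event, failed, model):
    """Realizing the event changes no gate: its effects only reach true gates."""
    return all(realized(g, failed, model) == realized(g, failed | {event}, model)
               for g in model[1])

def sequences(model, trim, failed=frozenset(), prefix=()):
    """Depth-first enumeration of failure sequences that reach the top event."""
    leaves, _, _, top = model
    out = []
    for e in sorted(leaves - failed):
        # a non-required (standby) leaf cannot fail; trimmed events are skipped
        if not required(e, failed, model) or (trim and irrelevant(e, failed, model)):
            continue
        nxt = failed | {e}
        if realized(top, nxt, model):
            out.append(prefix + (e,))
        else:
            out.extend(sequences(model, trim, nxt, prefix + (e,)))
    return out

def K(n):  # untrimmed count from the slides: K(n) = n + n*K(n-1), K(0) = 0
    return 0 if n == 0 else n + n * K(n - 1)
```

With trimming the exploration returns exactly n sequences (f1,h ; f2,h ; …); without it the count grows as K(n), which is why Figseq trims irrelevant events.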
Tools of the KB3 workbench
MBSA, MBDA for static and dynamic systems
KB3 workbench principles
[Figure: a Figaro model (readable text, formally defined semantics) is processed by three tools]
- Sequence generator: FIGSEQ. Most probable sequences; reliability, MTTF; asymptotic availability (limited to Markovian models)
- Monte Carlo simulator: YAMS. Most probable sequences; reliability, availability; mean value of numerical variables…
- Fault tree generator: FIGARBRE, feeding commercial tools
[Figure: the KB3 workbench: Figaro libraries (incl. BDMP), the KB3 graphical editor (example model with tank_1, motor_driven_pump_1, motor_driven_pump_2, motor_driven_pump_3, check_valve_1, check_valve_2, check_valve_3, node_1, node_3 and test_loss_fluid_1) and the Figaro IDE]
Principles of sequences exploration in a locally defined Markov chain
[Figure: model, process and parameters of the exploration]
Model: initial state; system model (BDMP or simulation model): events that may occur and their consequences on the system; system state; event: failure, repair, any change of the system state
Parameters: target: set of system states; truncating criteria: probability, transitions number, ...; mission time
Process: stop on target; stop on truncating criteria; absorbing state
Sequence: succession of events
NRI approximation for reliability of repairable systems
[Figure: timeline of the state of the system: initially in the perfect working state E0; each cycle ends either when the system is totally repaired (end of cycle, back to E0) or when the system breaks down (state E1); first repair duration R]
$R(t) = \Pr(\text{entering } E_1 \text{ after } t) = \sum_{k \ge 1} \Pr(k \text{ times spent in } E_0)\,\Pr\!\Big(\sum_{i=1}^{k} X_i > t\Big)$, where $X_i$ is the duration of the $i$-th cycle starting in $E_0$
Theorem: $R(t) \approx \exp(-\Lambda t)$
Figseq includes a smart algorithm that computes the rate $\Lambda$ from the exploration of sequences without loop
Proving properties with Figseq
- Reachability: e.g. is it possible to reach a system failure in less than 3 failures?
- "Liveness": Figseq detects states with a long sojourn time => for a quickly and completely repairable system, such a state is an indication of a modeling error
Advantages of sequence based methods
- Ability to process huge graphs (even infinite)
- Qualitative validation of the models (if the model is a BDMP, most sequences are minimal)
- Most probable sequences = weak points of the system. The results give hints as to how to improve the reliability or availability of the system
- Intuitive understanding of the results
- An extension of the NRI algorithm allows availability calculations
- The only limit: the failure probability must not be scattered into too many sequences, each of them having a very small contribution
The BDMP model of the 6.6kV benchmark
Modeling principles, simplifying assumptions…
Modeling principles: power propagation
- BDMP built like a fault tree, then addition of triggers
- Bus bar X lost = short circuit on (X or upstream circuit breaker) or X not fed (i.e. upstream components unable to provide power)
- Approximations: no short circuit propagation (via a refusal to open of a CB), perfect sources for the low voltage part
[Figure: excerpt of the main page of the BDMP: gates UE_1, LHA_lost, LHA_not_fed and LHA_and_LHB_lost (OR/AND); leaves and links LHA, loss_of_supply_by_LGD, loss_of_supply_by_DGA_and_TAC (page Diesel_Gen), CB_LHA12_unable (page Circuit_breakers_A), SH_CB_LHA1]
This link goes to the second input of a PAND gate (see next slide)
Modeling principles: interaction LV / HV
A HV CB will refuse to open (or close) if:
- the CB itself fails
- it is unable to move because its low voltage supply was unavailable when the CB state change is required
[Figure: excerpt: OR gate RC_CB_LGD2 with RC_CB_LGD2_ and CB_LGD2_unable; LBA_lost (page Low_voltage_A); loss_of_supply_by_TS and loss_of_supply_by_TA (page Main_page); TS, TA, LGA, LGD and circuit breakers CB_LGA, CB_LGD1, CB_LGD2]
Modeling principles: low voltage part
- The supplies coming from the HV part are supposed perfect (this breaks an interaction loop)
- Aggregation of some failures (pessimistic: the mean repair time taken is the worst of the group)
- The time to battery depletion is modeled with an Erlang distribution (except for the calculation with YAMS)
[Figure: excerpt of page Low_voltage_A: LBAline2_lost with leaves RDA2, LLA, TUA2, SH_CB_RDA2, SH_CB_TUA2, SH_CB_LBA2; AND gate BATTERY_A_lost over BAT_A1_D_D and BAT_A2_D_D. The failures of these battery leaves can be (option) exponentially distributed or deterministic; their mean repair time is 1000h]
Modeling principles: CCFs on diesel generators
- After a CCF, both DGs are repaired after 400h (MTTR)
- CCFs in function and on demand are considered when at least one DG is required
- Grey dotted lines ensure the sequence: demand_CCF_DG, then independent starts of DG, then opening of CB_LHA1 (resp. CB_LHB1)
[Figure: page Diesel_Gen: OR gates DGA_lost and DGB_lost; leaves DGA_long, DGA_short, DGB_long, DGB_short, CCF_DG; on-demand leaves demand_DGA, demand_DGB, demand_CCF_DG; links RO_CB_LHA1 (page Circuit_breakers_A) and RO_CB_LHB1 (page Cirsuit_breakers_B)]
A few figures on the BDMP model
- 83 leaves (<-> Markov chain with roughly 2^83 states)
- 163 nodes (gates and basic events)
- Graphical model on 6 pages
- All behavior is graphically displayed
- Less than 1 day to build it
The complete graphical description of the model is available in the paper of the MARS 2017 workshop defining the benchmark. See http://mars-workshop.org/mars2017/
Figseq results
Reliability and availability, sequences and cutsets
Machine: Intel Core i5 [model unreadable], 4 cores
- 9 seconds to get (unreliability at 10^4 h, asymptotic unavailability): [2.76e-5, 3.97e-4] [1.29e-7, 2.83e-6]; 14 sequences, 9 cutsets (of order >= 4)
- 30 min to get: [3.86e-5, 4.22e-5] [1.60e-7, 1.89e-7]; 3950 sequences
- 6 min to get all sequences with at most 3 failures: 856 sequences, 108 minimal cut sets; shows some (low probability) combinations with LV failures
[Figure: excerpt of the cutsets/sequences containing at most 3 failures, with several examples of cutsets with loss of LV]
YAMS results
Reliability and availability, a few sequences
Influence of exponential approximation for batteries

Model                      Calculation type          CPU              Cutoff (proba at 10^4 h)   Unreliability at 10^4 h   Asymptotic unavailability
BDMP (exp approx)          Figseq « best estimate »  20s / 30min      1E-8 / 1E-11               3.48E-5 / 3.86E-5         1.51E-7 / 1.58E-7
BDMP (exp approx)          YAMS                      60min, 2E7 sim.  -                          3.89E-5 +-3E-6            1.55E-7 +-2E-8
BDMP (batteries = 1 hour)  YAMS                      60min, 2E7 sim.  -                          3.73E-5 +-3E-6            1.66E-7 +-2E-8

Less than 10% difference
Simplified model
[Figure: the simplified BDMP (21 leaves only!). Main page: gates UE_1, LHA_and_LHB_lost, LHA_not_fed, LHB_not_fed, TS_not_fed, loss_of_supply_by_LGD, loss_of_supply_by_LGF, loss_of_supply_by_GEV, loss_of_supply_by_LGR, loss_of_supply_by_UNIT, loss_of_houseload_operation, TS_lost, TA_lost, SH_GEV_or_LGR, OR_14; leaves TS, TA, GEV, LGR, GRID, SUBSTATION, TP, UNIT, CCF_GEV_LGR, in_func_house; on-demand leaf on_dem_house. Page Diesel_Gen: gates loss_of_supply_by_DGA_and_TAC, loss_of_supply_by_DGB, loss_of_supply_by_TAC, loss_of_DGA, loss_of_DGB; leaves DGA_long, DGA_short, DGB_long, DGB_short, CCF_DG, TAC, rep_1; on-demand leaves demand_DGA, demand_DGB, demand_CCF_DG, demand_TAC]
Figseq calculation with cutoff 1E-11 on 2 models:

Model        CPU      Unrel. at 10^4 h « best estimate »   Asymptotic unavailability
Simplified   66s      3.73E-5                              1.58E-7
Full         1800s    3.86E-5                              1.58E-7
Conclusions
BDMP:
- Ready to use thanks to KB3-BDMP
- Very powerful in terms of modeling
- Their mathematical properties dramatically reduce the combinatorial problems and help get interesting qualitative results
- Suitable for dependability and security modeling
- This was the first model of the 6.6kV, so it could not benefit from cross validation with other approaches
FIGSEQ (A): yields sequences and cutsets, hence the most important components. Reachability and liveness properties verification
YAMS (M): yields few interesting sequences. CPU consumption can explode, in spite of the use of parallel machines
A few references
BDMP theory
- M. Bouissou, "Gestion de la complexité dans les études quantitatives de sûreté de fonctionnement de systèmes", Lavoisier, éditions TEC&DOC, Octobre 2008
- M. Bouissou, J.L. Bon, A new formalism that combines advantages of fault-trees and Markov models: Boolean logic Driven Markov Processes, Reliability Engineering and System Safety, Vol. 82, Issue 2, Nov. 2003, pp. 149-163
- Many more (and paper downloads) at: www.researchgate.net/profile/Marc_Bouissou and https://sites.google.com/site/ludovicpietrecambacedes/
BDMP tools
- M. Bouissou, Automated Dependability Analysis of Complex Systems with the KB3 Workbench: the Experience of EDF R&D, Proc. CIEM 2005, Bucharest, Romania, October 2005
- Get the software: http://www.edf.fr/recherche/codes-de-calcul/kb3
Benchmark information (other test cases)
- www.researchgate.net/profile/Marc_Bouissou project "Benchmark on dependability…"
How to experiment with BDMP
- Request your demo version of KB3, with many examples of BDMP
- Build your own BDMP (only limitation: must not exceed 80 objects)
- Debug your model using interactive simulation
- Quantify it by Monte Carlo simulation (using the free tool YAMS)
NB: FIGSEQ is reserved for EDF use only