stochastic modeling techniques for the safety and dependability analysis of des

Andrea Bobbio MED-08, Ajaccio, June 26, 2008 1

Stochastic modeling techniques for the safety and dependability analysis of DES

Andrea Bobbio

Dipartimento Informatica,

Università del Piemonte Orientale,

Alessandria (Italy)[email protected]


Dependability and DES

Technological objects (as well as natural and biological beings) age in time reducing their ability to perform their functions until, eventually, a final catastrophic breakdown occurs.



We adopt the term dependability to identify the ability of a system to deliver service that can justifiably be trusted.

Dependability is an integrating concept that encompasses various attributes:

Reliability: continuity of correct service. Availability: readiness for correct service. Maintainability: ability to undergo modifications

and repairs. Safety: absence of catastrophic consequences.


What dependability theory and practicewants to avoid


Are these connections reliable ?



The obvious statement that any object ages, implies that any model of any technological system, to be realistic, should include the dependability aspects.

However, this inclusion has two undesirable effects:

it increases the model complexity;

it introduces time scales spread over various orders of magnitude.



The separation in time scales can be invoked to theoretically justify the decomposition of the functional model with respect to the dependability model and to consider each one in isolation.

P.J. Courtois - Decomposability: Queueing and Computer System Applications, Academic Press, 1977

A. Bobbio and K.S. Trivedi. An aggregation technique for the transient analysis of stiff Markov chains. IEEE Transactions on Computers, C-35:803-814, 1986.


Safety and DESEven if safety is considered to be an attribute of the dependability, it often requires autonomous andspecific modeling techniques.

Safety problems usually requires to account for some critical continuous variables that exceed acceptable limits.

Safety (and dependability) analysis of DES leadsto the need to combine into a single modellingframework continuous and discrete variables.


A discrete event system is an event-driven system, that is, its state evolution depends entirely on the occurrence of discrete events over time. The admissible time instances are taken from a continuous or discrete set

Lothar Thiele Computer Engineering and Networks LaboratoryDiscrete Event Systems - Introduction


Since dependability related phenomena are event driven, models and method for DES are very similar to models and method for dependability.


OutlineOutline

Correctness verification vs stochastic analysis

Heterogeneous dependability modeling of DES:

Fault tree and Bayesian networks;

Example of safety analysis: Fluid models;

Draw-net tool.


Modelling Methods for DESModelling Methods for DES

To deal with the modeling and analysis of dependable and time critical DES two main methodologies can be envisaged:

functional models - whose aim is to ascertain for conformity to specification and reachability properties.

stochastic models - whose aim is to provide performance and dependability measures;


Modeling paradigmsModeling paradigms

For what concerns the timing:

stochastic vs non stochastic;

discrete vs continuous

For what concerns the state space:

discrete vs continuous (or hybrid).

Various classifications are possible.


Timed ModelsTimed Models

In Timed (or non-stochastic) models the timing of events is represented by constant values or (non-deterministic) intervals.

Typical fields of application:

Scheduling

Real time

Validation and Verification


The Model Checking Problem

Model checking: Automated verification technique that checks whether a given finite-state model satisfies a given requirement, by:

systematic exhaustive state-space exploration

Simulation: Checks whether specification holds on some executions.


Functional vs stochastic models

Stochastic models explore the area of what is probable.

Functional models explore the area of what is possible.


OutlineOutline


Heterogeneous dependability modeling of DES:


Example of safety analysis: Fluid models;

Draw-net tool.


Stochastic ModelsStochastic ModelsIn Stochastic Models the timing of events is represented by random variables.

Typical fields of application:

Performance evaluation (stochastic attributes are: inter-arrival times of jobs, duration of service …)

Dependability analysis (stochastic attributes are: failure times, recovery and repair times….)

The obtainable measures are mean values, moments and distributions.


Models propertiesModels properties

Several modeling paradigms are available. The usability of a model can be classified according to two main properties:

The Modeling Power - Refers to the ability of the model to allow an accurate and faithful representation of the system;

The Decision Power - Refers to the ability of the model to be analytically tractable and to provide results with a low space and time complexity.


Model Types in DependabilityModel Types in Dependability

Combinatorial models assume that components are statistically independent: poor modeling power coupled with high analytical tractability.

Reliability Block Diagrams, FT, Network Reliability ….

State-space models rely on the specification of the whole set of the possible system states and of the possible transitions among them.

CTMC, Petri nets, ….


Combinatorial Models:Combinatorial Models:Network ReliabilityNetwork Reliability

Random Network Scale Free Network

Poisson Distribution Power-law Distribution

Random Network Scale Free Network


State-Space ModelsState-Space ModelsA system state encodes a complete description of the state of each component, the stochastic behaviour of each component may depend on the state of all the other components.

This extreme flexibility is very seldom exploited in practice since it is very rare to encounter applications in which each component changes its stochastic behavior according to the state of all the other components.

The state space description appears overspecified with respect to the real modeling needs.


New Model Types in New Model Types in DependabilityDependability

Local dependencies: Between combinatorial and state space models, research is currently carried on to include localized dependencies.

Dynamic FT (DFT)

Bayesian Networks (BN)


Heterogeneous ModelsHeterogeneous Models

Modeling power and decision power are in competition.

A single modeling paradigm is not sufficient in any practical situation and we need to resort to a combination of Heterogeneous Models.

SHARPE, Möbius, Galileo, Drawnet are examples of tools based on heterogeneous modeling.


From FT

to Bayesian Networks (BN)

to Dynamic FT (DFT) Solved by CTMC or PN

Converted into a Bayesian Network BN

Multiformalism Models


Events are binary events (working/non-working);

Events are statistically independent;

Relationships between events and causes are logical AND and OR (Boolean) gates;

The root of the FT is the catastrophic undesired event called the Top Event (TE).

Fundamental assumptions for FT

Widespread diffusion; simple to manipulate;

powerful software tools (combinatorial solutions, BDD)


Case study: a PLC architecture


PLC architecture: FTA


Bayesian NetworksBayesian Networks Bayesian Networks have become a widely used

formalism for representing uncertain knowledge in probabilistic systems and have been applied to a variety of real-world problems.

BN are defined by a directed acyclic graph in which discrete random variables are assigned to nodes, together with the conditional dependence on the parent nodes.

Root nodes are nodes with no parents, and marginal prior probabilities are assigned to them.


References

L. Portinale and A. Bobbio. Bayesian networks for dependability analysis: an application to digital control reliability. In: 15-th Conf Uncertainty in Artificial Intelligence, UAI-99, July, 551-558, 1999.

A. Bobbio and L. Portinale and M. Minichino and E. Ciancamerla. Improving the Analysis of Dependable Systems by Mapping Fault Trees into Bayesian Networks. Reliability Engineering and System Safety, 71:249-260, 2001.

A. Bobbio, D. Codetta-Raiteri, S. Montani, L. Portinale. Reliability analysis of Systems with Dynamic Dependencies. In: Bayesian Networks: A Practical Guide to Applications, O. Pourret, P. Naim and B.G. Marcot Eds., pages 225-238, John Wiley & Sons, March 2008

S. Montani, L. Portinale, A. Bobbio, D. Codetta-Raiteri. Radyban: A tool for reliability analysis of dynamic fault trees through conversion into dynamic Bayesian networks. Reliability Engineering and System Safety, 93:922-932, 2008

This work has been done with my collegues: L. Portinale, S. Montani, and D. Codetta-Raiteri


BN versus FTABN versus FTABNs may improve both the modeling and the analysis power wrt FT:

Modeling Issues:

Local conditional dependencies, probabilistic gates, multi-state variables, dependent failures, uncertainty in model parameters.

Analysis Issues:

A forward (or predictive) analysis A backward (diagnostic) analysis, the posterior probability of any set of variables is computed.


FTA OR Gate vs BN NodeFTA OR Gate vs BN Node

}cpt


FTA AND Gate vs BN NodeFTA AND Gate vs BN Node

cpt}


FTA k:n Gate vs BN NodeFTA k:n Gate vs BN Node

cpt


The BN model of the PLCThe BN model of the PLC


Advanced BN modeling featuresAdvanced BN modeling features

BN can also improve the modeling power wrt FT:

Probabilistic Gates;

Multi-state Variables;

Sequentially dependent failures;

Parameter uncertainty.


Probabilistic Gates: Probabilistic Gates: Common Cause FailuresCommon Cause Failures


Multi-state VariablesMulti-state Variables

cpt

prior


Multi-state nodes and Multi-state nodes and sequentially dependent failuressequentially dependent failures

cpt


Parameter uncertainty in Parameter uncertainty in BN modelsBN models

Node PS becomes a non-root node but a child of a new root node where the multi-variable PS is defined.


Diagnostic inference on BNDiagnostic inference on BN

Any probabilistic computation that can be performed in FT can also be performed in BN (using only prior information).

Standard BN inference deals with posterior probability computation of any set of variables Q given the evidence set E (i.e. P(Q|E) ).

By considering the evidence E as the occurrence of a failure, posterior information can be very relevant for criticality and diagnostic (fault localization) aspects.


Local dependencies: Dynamic Local dependencies: Dynamic Fault Trees Fault Trees

As proposed by Joan Dugan et al. local dependencies can be included into a FT by defining a new class of gates, called Dynamic gates

This extension has been called

Dynamic Fault Tree (DFT)J. Bechta Dugan, S.J. Bavuso, and M.A. Boyd. Dynamic fault-tree models forfault-tolerant computer systems. IEEE Trans Reliability, 41:363.377, 1992.

J. Bechta Dugan, K.J. Sullivan, and D. Coppit. Developing a low-cost high qualitysoftware tool for dynamic fault-tree analysis. IEEE Trans Reliability, 49:49-59, 2000.

Andrea Bobbio MED-08, Ajaccio, June 26, 2008 43Functional Dependency Gate

Sequence Enforcing Gate

Warm Spare Gate

Dynamic Gates(Dugan et al.)

They allow to model local dependencies among basic components or among their failure events.

Priority And


HSS Sprinkler System

L. Meshkat and J.B. Dugan. Dependability analysis of systems with on demandand active failure modes using Dynamic Fault Trees. IEEE Transactionson Reliability, 51(2):240-251, 2002.


DFT Representation


DFT Solution via CTMC or GSPN

Separation into dynamic modules

Generation of the corresponding CTMC for dynamic modules

Translation of the DFT in GSPN.

It can be done through graph transformation rules.


Transformation technique

Basic Event is isolated and transformed in GSPN.

Each gate with its input events and its output event, is isolated and transformed in a GSPN.

All the GSPNs are merged together by superposition over the common places.

The resulting GSPN corresponds to the DFT.

D. Codetta Raiteri, "The Conversion of Dynamic Fault Trees to Stochastic Petri Nets, as a case of Graph Transformation", In Electronic Notes on Theoretical Computer Science vol. 127(2), pages 45-60, Elsevier, March 2005.


WSP gate transformationM is the main componentS is the spare component.

S replaces M if M fails. S is initially dormant (stand-by)S has two failure rates:• when dormant (0<<1)• when working


FDEP gate transformationInput events: • one trigger event (T)• a set of dependent events (D1, D2, …)If T fails, D1, D2, … are forced to fail.Output event: Y=T


PAND gate transformation

Y fails if• X1, … Xn are all failed (AND condition)• X1, …, Xn failed in the specified order (priority condition)


DFT model


Dynamic Module

State Space Solutionvia conversion into GSPN


Conversion into GSPN

,


Conversion into GSPN

Pr{#PumpFault=1}


DFTFTBDD

Pr{PumpFault, t=1000h} = = 1.14275598e-04

Pr = 1.14275598e-04

Pr{SystemFault, t=1000h}= = Pr{DigCon, t=1000h}Pr{F1, t=1000} + + (1-Pr{DigCon, t=1000h})Pr{F0, t=1000h}==0.0265295


Bayesian Networks to solve DFTThe use of BNs is an alternative way to analyze FTs:

Bayesian Networks

• Remove the assumption on binary events

• Remove the assumption on statistical independence

• Remove the assumption on Boolean gates (AND, OR)• Noisy OR, noisy AND

• Provide a more flexible forward and backward analysis• Forward (predictive) analysis: Pr(TE), Pr(Sub)

• Backward (diagnostic) analysis: Pr(A|TE), Pr(TE|A), …

• Avoid the state space generation

• Avoid the representation of the global state model


Dynamic Bayesian Networks (DBN)

• DBN is a discrete model– The system is represented at several time slices– Conditional dependencies among variables at

different slices, are introduced to capture the temporal evolution.

• 2TBN: – Markovian assumption– 2 time slices: t, t+


DFT conversion into DBN

Modular approach:• First, every single gate is converted into DBN• Then, the resulting DBNs are connected together in

correspondance to the nodes they share. • An adjustment to the CPT of a node is required when

new arcs enter the node, due to the connection of two DBNs.

• The connection of all the DBNs corresponding to the single gates, provides the DBN expressing the DFT model.


Warm Spare gate• A is the main component

• failure rate: • S1, S2 are the warm spare components

• stand by is the dormancy factor (0<<1) • working


Functional Dependency gate

Pr{T(t+Δ)=1|T(t)=1}=1Pr{T(t+Δ)=1|T(t)=0}=1-e-

T t

Pr{A(t+Δ)=1|A(t)=1}=1Pr{A(t+Δ)=1|A(t)=0,T(t+Δ)=0}=1-e-

A t

Pr{A(t+Δ)=1|A(t)=0,T(t+Δ)=1}=pdep(=1)


Priority AND gate

Pr{A(t+Δ)=1|A(t)=1}=1Pr{A(t+Δ)=1|A(t)=0}=1-e-

A t

Pr{B(t+Δ)=1|B(t)=1}=1Pr{B(t+Δ)=1|B(t)=0}=1-e-

B t

Pr{PF(t+Δ)=1|*,PF(t)=1}=0Pr{PF(t+Δ)=1| A(t)=0, B(t)=0,PF(t)=0}=0Pr{PF(t+Δ)=1| A(t)=1, B(t)=0,PF(t)=0}=1Pr{PF(t+Δ)=1| A(t)=0, B(t)=1,PF(t)=0}=0Pr{PF(t+Δ)=1| A(t)=1, B(t)=1,PF(t)=0}=1

t t+1

0

010

0

0

0

110 oper

111 fail101

000


RADYBAN tool DBNet allows the analysis of a DBN (DBN solver) and is a Drawnet module.

The DBN can be manually drawn or obtained from the conversion of a DFT model (DFT2DBN).

The DFT or the DBN can be drawn by means of the DrawNet graphical interface

The DFT or the DBN are saved in XML files.


HSS – DBN representation


OutlineOutline


Hyerachical dependability modeling of DES:


Example of safety analysis: Fluid models

Draw-net tool.


Hybrid models for Safety problems

Safety problems usually requires to account for some critical continuous variables that exceed acceptable limits.

Example of application of a hybrid model to a safety problem.

Modeling a Car Safety Control in a road tunnel using Fluid Stochastic Petri Nets


Hybrid ModelsHybrid Models

Hybrid models contain discrete as well as continuous variables in the same model.

Typical examples are discrete controllers that control continuous variables.

Recent modelling and analysis techniques:

Hybrid Automata

Fluid Petri Nets.


The Fluid Petri Net ModelThe Fluid Petri Net ModelFPN's are an extension of PN able to model

the coexistence of discrete and continuous variables.

The primitives of FPN (places, transitions and arcs) are partitioned in two groups:

discrete primitives that handle discrete tokens (as in standard PN);

continuous (or fluid) primitives that handle continuous (fluid) quantities.

FPN is suitable for modeling and analyzing hybrid systems.


FSPN PrimitivesFSPN Primitives


Fluid Petri NetsFluid Petri Nets


Hybrid models: an example

Bobbio and M. Gribaudo and A. Horvàth. Modeling a car safety controller using fluid stochastic Petri nets. In: Proceedings 6-th International Workshop on Performability Modeling of Computer and Communication Systems (PMCCS6), pp 27-30, September, 2003.

Bobbio and M. Gribaudo and A. Horvàth. Modelling a Car Safety Controller in Road Tunnels using Hybrid Petri Nets. In: 9th International IEEE Conference on Intelligent Transportation Systems, Toronto, September 2006

Modeling a Car Safety Control Using Fluid Stochastic Petri NetsThis work has been done with my collegues: A. Horvath and M. Gribaudo


Road Tunnel safety: Motivation

• Major Road tunnel accidents in the last years• EU project Safetunnel: ”to reduce the number of

accident inside road tunnels through preventive safety measures”

• Safety measures should not compromise the road system, slowing down the traffic and creating long queues.

• It has usually been modeled using hybrid systems.


The model

Controlled variables are position, speed and distance. Fluid places to describe the speed, position and distances.Different configurations of driver behaviors and installed safety equipments. The traffic is modelled by a target car and the one in front of it.


Model of the truck


Model of the car


Model of the distance


Completely random (I)

• Both the truck and car ignore each other and the speed limits!


Completely random (II)

• Simulation trace


Completely random (III)

• Car will crash!


Speed Control

• The reasonable drivers try to keep a fixed maximum speed.


Safety distance

• Car may still crash due to human reaction time, if safety distances are not respected!


Alarm (I)

• Add an alarm that sounds when the distance becomes smaller than a given threshold…


Alarm (II)


Alarm (III)

• The alarm prevents short distances among vehicles that may cause car-crashes.


Sudden Stop (I)

• We may also experience what happens if the car in front has a sudden stop.


Sudden Stop (II)


Sudden Stop (III)

• The alarm should be able to prevent a car accident.


OutlineOutline


Hyerachical dependability modeling of DES:


Example of safety analysis: Fluid models

Draw-net tool.

The DrawNET Modelling System


DMS goals• The Draw-Net Modeling Systems (DMS) is a

framework supporting the design and the solution of models expressed in any graph-based formalism:– Building models by composition of submodels

• Submodels can be conforming to different formalisms (multi-formalism)

– Defining and executing solution procedures based on• A single solver• A set of solvers (multi-solution)

– Models or submodels can be conforming to • existing available formalisms• formalisms defined by the user

– Integration of existing solution tools– Use of the Data Definition Language (DDL), a common

formal language to express formalisms and models


DMS architecture


DNForGe: Editor


Draw-Net tool: model editor(GSPN model)


DrawNET: the main GUI


References about DMS• G. Franceschinis, M. Gribaudo, M. Iacono, V. Vittorini, C. Bertoncello, "DrawNet++: a flexible

framework for building dependability models", Proc. of the Int. Conf. on Dependable Systems and Networks, Washington DC, USA, June 2002.

• M. Gribaudo, D. Codetta-Raiteri, G. Franceschinis, "Draw-Net, a customizable multi-formalism multi-solution tool for the quantitative evaluation of systems”, Proceedings of the 2nd International Conference on Quantitative Evaluation of Systems, pages 257-258, Turin, Italy, September 2005.

• M. Gribaudo, D. Codetta-Raiteri, G. Franceschinis, “The Draw-Net modeling system: a framework for the design and the solution of single-formalism and multi-formalism models”, Tech. Rep. TR-INF-2006-01-01-UNIPMN, Dipartimento di Informatica, Università del Piemonte Orientale, Jan. 2006.

• M. Gribaudo, “FSPNEdit: A fluid stochastic Petri net modeling and analysis tool", Tools of Aachen 2001, Int Multiconfernce on Measurements Modelling and Evaluation of computer Communication Systems, pages 24-28, University of Dortmund, Bericht No. 760/2001, 2001.

• A. Bobbio, D. Codetta-Raiteri, “Parametric Fault-trees with dynamic gates and repair boxes", Proc. Reliability Maintainability Symp, 459-465, Los Angeles, CA USA, January 2004.

• S. Montani, L. Portinale, A. Bobbio, M. Varesio, D. Codetta-Raiteri, “A tool for automatically translating Dynamic Fault Trees into Dynamic Bayesian Networks”, Proceedings of the Annual Reliability and Maintainability Symposium, pages 434-441, Newport Beach, CA USA, January 2006.


ConclusionsConclusions

Stress the need for multi-formalism multi-solution techniques

New data structures

Non exponential models

Safety critical systems

Systems of systems and interdependencies of critical infrastructures.

stochastic modeling techniques for the safety and dependability analysis of des

Documents

dependability theory

term dependability

dependability aspects

stochastic models

stochastic vs

stochastic modeling

time critical des

safety problems