A Meta-model for Integrating Safety Concerns into System Engineering Processes

LURPA – ENS Cachan (France): Pierre-Yves Piriou, Jean-Marc Faure
MRI – EDF R&D Clamart (France): Gilles Deleuze
Wednesday 17th April 2013
Outline

Context and objective of the work
• General industrial concern
• Application domain: safety of nuclear power plants
• Objective
Related work
Contribution
• General description of the meta-model
• Details
Illustration: instantiation of the meta-model
• Brief description of the example
• Some instance diagrams
Conclusion and outlook

IEEE Systems Conference 2013
Context and objective of the work

General concern: bridging the gap between System Engineering and Safety Analysis.

System Engineering (functional studies)
• Models and tools: UML/SysML, arKItect, Obeo Designer, …
• Standards and documents: ISO/IEC 15288, ISO/IEC 26702, INCOSE SE Handbook, …
Safety Analysis (dysfunctional studies)
• Models and tools: FTA, SPN, Markov chains, AltaRica, …
• Standards and documents: NF X60-500, NF EN 13306, [Villemeur, 1988], …
[Figure: the meta-model is placed between the two columns, as the bridge between them.]
Context and objective of the work

Safety of Nuclear Power Plant (1): this field considers Phased Mission Systems.
Each mission phase determines:
• A specific system structure
• A specific success criterion
• Specific failure and recovery processes
[Figure: power versus time t, divided into Phase 1 (power increasing), Phase 2 (production phase) and Phase 3 (power decreasing).]
Context and objective of the work

Safety of Nuclear Power Plant (2): many components can be repaired.
The component states are defined by the combination of one failure mode and one operation mode.
• Operation mode (OFF, RUN, OVERSPEED): deterministic evolution
• Failure mode (OK, LEAK, RUPTURE): stochastic evolution, through failure and repair transitions
[Figure: the operation-mode automaton and the failure-mode automaton, whose combination gives states such as OFF-OK, RUN-OK, RUN-LEAK, OVERSPEED-LEAK, OVERSPEED-OK and OFF-RUPTURE.]
Context and objective of the work

Safety of Nuclear Power Plant (3): redundancy policy declarations have to be formalized.
• A component can spare another one simply by changing its operation mode.
[Figure: two components P1 and P2, each with its operation-mode automaton (OFF, RUN, OVERSPEED) and its failure-mode automaton (OK, LEAK, RUPTURE, with failure and repair transitions), linked by a REDUNDANCY relation.]
Context and objective of the work

Objective: to refine an existing System Engineering meta-model so that models dealing with the following safety concerns can easily be defined:
• Phased Mission Systems (PMS)
• Repairable components
• Realistic failure/repair scenarios
• Redundancy policies
[Figure: the resulting meta-model combines the System Engineering meta-model (requirements, architecting, …) with Safety Analysis knowledge (failure mode, redundancy, …); each side brings its own studies, models, tools, standards and documents.]
Related work

Integrating safety concerns into SE processes

For the first steps of the system lifecycle:
• [Guillerm 2011]: safety requirements elicitation.
• [Cancila 2009]: integrating the preliminary risk analysis process.
These issues are assumed to be solved in this work.

[David 2010]: a method for modeling realistic failure/repair scenarios in a complex system design.
• Phased Mission Systems are not considered
• Nor are redundancy policies
Related work

The existing System Engineering meta-model

[Pfister 2012]: a meta-model for formalizing systems engineering knowledge, based on functional architecture patterns.
• A meta-model is a model of models.
• It should be used in addition to the SE processes, not instead of them.
Contribution

The Meta-model

The meta-model is specified with a UML class diagram and OCL constraints.
It provides the minimal set of classes for modeling:
• Mission phases
• Component states: operation modes and failure modes
• The effect of a component on a function
• Redundancy policies
Contribution

Details: Component State

A component may be in several states. A state is defined by one failure mode and one operation mode. The possible evolutions between the states are driven by probability rates: a failure rate towards a faulty state and a repair rate back to a non-faulty state.
[Figure: class diagram fragment with FaultyState (attributes failureRate, repairRate) and Non-faultyState.]
Contribution

Details: Redundancy Policy (1)
During the phase P, the function F must be performed by a set of n components C = {c_i}, i ∈ [1, n]. If C does not perform F, there is a redundant component C_R (C_R ∉ C).

Details: Redundancy Policy (2)
For the redundancy policy to apply, the current state of the component C_R must be in the set of m states S = {S_i}, i ∈ [1, m].

Details: Redundancy Policy (3)
In order to spare the failed components, the component C_R has to be switched to the rescue state S_R.
When a reconfiguration occurs, the allocation of components to functions may be changed.
Illustration: Instantiation of the Meta-Model

Example description (1)
Two feeding turbo pumps, FTP1 and FTP2, in the water level control system of a steam generator (secondary circuit of the power plant).
[Figure: block diagram of the water level control system: reference input, PID controller, FTP1, FTP2, steam generator, sensors and other components, with the water and steam flows of the secondary circuit.]
One function: « To supply enough water »
Three considered mission phases:
• P1: to increase the power (0% Pn < Power < 60% Pn)
• P2: to produce energy (60% Pn < Power < 100% Pn)
• P3: to decrease the power (0% Pn < Power < 60% Pn)

Example description (2)
• P1: only one pump is active. In case of failure of that pump, the spare component is activated.
• P2: the two pumps are active. In case of failure of one of them, the other is over-speeded.
• P3: same as phase P1.
[Figure: curve of power (Power/Pn, with the 60% and 100% levels marked) versus time t across P1, P2 and P3. Legend of pump configurations: FTP1 RUN / FTP2 OFF; FTP1 RUN / FTP2 RUN; FTP1 OFF / FTP2 RUN; FTP1 OFF / FTP2 OVERSPEED. Events marked on the curve: failure of FTP1, repair of FTP1, failure of FTP1.]
Illustration: Instantiation of the Meta-Model

Instance diagram for the Components (Modes)
[Figure: instance diagram of FTP1 and FTP2 with their operation modes and failure modes.]

Instance diagram for the Components (Tables of attribute values)
Each combination of Operation Mode and Failure Mode is a state that is featured by failure (λ) / repair (μ) rates. Rows are operation modes, columns are failure modes; the OK states carry no rates, a faulty state carries its failure rate λ and its repair rate μ.

Operation Mode | OK                          | LEAK                             | RUPTURE
OFF            | OFF-OK (not relevant)       | OFF-LEAK: λ = 0 / μ = 0.2        | OFF-RUPTURE: λ = 0 / μ = 0.1
RUN            | RUN-OK (not relevant)       | RUN-LEAK: λ = 0.01 / μ = 0.1     | RUN-RUPTURE: λ = 0.001 / μ = 0
OVERSPEED      | OVERSPEED-OK (not relevant) | OVERSPEED-LEAK: λ = 0.05 / μ = 0 | OVERSPEED-RUPTURE: λ = 0.002 / μ = 0
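The following Python is an added example, not code from the deck nor from the authors' tooling (arKItect, PyCATSHOO). It turns the table above into the stochastic part of one pump's state model: with the operation mode held fixed by the controller (the deterministic part of the state), the failure mode evolves as a continuous-time Markov chain whose rates are read from the table, and the transient probability of each failure mode is computed by uniformization without any linear-algebra library. Two assumptions are not stated on the slide: a faulty state's λ is the rate of entering it from OK and its μ the rate of repair back to OK, and there is no direct LEAK to RUPTURE transition; the time unit is the table's unspecified one.

```python
import math

# Rates copied from the deck's table of attribute values, for one feeding turbo pump.
# Key: (operation mode, failure mode) -> (failure rate λ, repair rate μ).
# Assumption (not on the slide): λ is the rate OK -> this faulty state, μ the rate back to OK.
RATES = {
    ("OFF", "LEAK"): (0.0, 0.2),
    ("OFF", "RUPTURE"): (0.0, 0.1),
    ("RUN", "LEAK"): (0.01, 0.1),
    ("RUN", "RUPTURE"): (0.001, 0.0),
    ("OVERSPEED", "LEAK"): (0.05, 0.0),
    ("OVERSPEED", "RUPTURE"): (0.002, 0.0),
}
OPERATION_MODES = ("OFF", "RUN", "OVERSPEED")
FAILURE_MODES = ("OK", "LEAK", "RUPTURE")


def generator(op_mode):
    """Generator matrix Q of the failure-mode CTMC while the operation mode is held fixed.

    The operation mode is set deterministically by the controller, so the only stochastic
    evolution is between failure modes, with the rates of that operation mode.
    """
    if op_mode not in OPERATION_MODES:
        raise ValueError(f"unknown operation mode {op_mode!r}")
    n = len(FAILURE_MODES)
    q = [[0.0] * n for _ in range(n)]
    ok = FAILURE_MODES.index("OK")
    for fm in ("LEAK", "RUPTURE"):
        i = FAILURE_MODES.index(fm)
        lam, mu = RATES[(op_mode, fm)]
        q[ok][i] += lam   # OK -> faulty state (failure)
        q[i][ok] += mu    # faulty state -> OK (repair)
    for i in range(n):
        q[i][i] = -sum(q[i][j] for j in range(n) if j != i)
    return q


def transient(op_mode, t, initial="OK", tol=1e-12):
    """Probability of each failure mode after t time units spent in operation mode op_mode.

    Uniformization: p(t) = sum_k Poisson(k; Λt) * p0 * (I + Q/Λ)^k, Λ = largest exit rate.
    """
    q = generator(op_mode)
    n = len(q)
    lam_max = max(-q[i][i] for i in range(n))
    p0 = [0.0] * n
    p0[FAILURE_MODES.index(initial)] = 1.0
    if lam_max == 0.0 or t == 0.0:
        return dict(zip(FAILURE_MODES, p0))   # no transition has a positive rate, or no time elapsed
    p_mat = [[(1.0 if i == j else 0.0) + q[i][j] / lam_max for j in range(n)] for i in range(n)]
    result = [0.0] * n
    v = p0[:]
    weight = math.exp(-lam_max * t)   # Poisson term for k = 0
    k, mass = 0, 0.0
    while mass < 1.0 - tol and k < 10_000:
        for i in range(n):
            result[i] += weight * v[i]
        mass += weight
        v = [sum(v[i] * p_mat[i][j] for i in range(n)) for j in range(n)]   # v <- v * P
        k += 1
        weight *= lam_max * t / k   # next Poisson term
    return dict(zip(FAILURE_MODES, result))


def ok_probability_without_repair(op_mode, t):
    """Closed form P(OK at t) when nothing is repaired: exp(-(λ_LEAK + λ_RUPTURE) t).

    Exact for OVERSPEED in the table above (both μ are 0); used as a sanity check.
    """
    total = sum(RATES[(op_mode, fm)][0] for fm in ("LEAK", "RUPTURE"))
    return math.exp(-total * t)


def availability_table(t):
    """P(OK at t) for every operation mode, starting from the OK state."""
    return {mode: transient(mode, t)["OK"] for mode in OPERATION_MODES}


if __name__ == "__main__":
    for mode, p in availability_table(100.0).items():
        print(f"{mode:10s} P(OK at t=100) = {p:.4f}")
```

The point for a safety analyst is visible in the output: OVERSPEED buys function continuity at the price of a mode with no repair and a five times higher leak rate, which is exactly the trade-off a redundancy policy that over-speeds the surviving pump has to justify.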
Illustration: Instantiation of the Meta-Model

Instance diagram for a redundancy policy

The policy R2.1 reads, in three steps:
R2.1: If the set of components {FTP1} does not perform fittingly the function F during the phase P2, …
… and if the component FTP2 is available (i.e. its current state is in the set of states {(RUN, OK)}), …
… then FTP2 has to be switched to the state (OVERSPEED, OK) to participate in the achievement of F.

Objects of the instance diagram:
• R2.1: Redundancy policy: name = R2a, threshold = 50.0
• C1: Component: name = FTP1 (link: spared)
• C2: Component: name = FTP2 (link: redundant)
• P2: Phase: name = Production, description = "Maximum production" (link: definedFor)
• F: Function: name = F, description = "To supply enough water", goal = 60.0 (link: aimedFunction)
• (RUN, OK)2: State: failureRate = 0.0, repairRate = 0.0 (link: available)
• (OVERSPEED, OK)2: State: failureRate = 0.0, repairRate = 0.0 (link: rescue)
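The following Python is an added example, not code from the deck nor from arKItect or PyCATSHOO. It instantiates the minimal classes of the Contribution slides (Phase, Function, Component, State, RedundancyPolicy with its spared, redundant, available and rescue links) for the policy R2.1 shown above, checks the constraint C_R ∉ C stated in the Redundancy Policy slides, and runs the three-step rule on the phase P2 scenario of the example (FTP1 fails, FTP2 is over-speeded). The achievement rates (50 for RUN-OK, 75 for OVERSPEED-OK, 0 for OFF or faulty states), the reading of "does not perform fittingly" as "achievement of C below the threshold", the companion policy R1.1 for phase P1, and the requirement that S be non-empty are constructed assumptions: the deck only shows R2.1 and says the achievement rate is to be defined.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class State:
    """One operation mode and one failure mode (slide 'Details: Component State')."""
    operation_mode: str
    failure_mode: str


@dataclass
class Component:
    name: str
    current: State


@dataclass(frozen=True)
class Phase:
    name: str


@dataclass(frozen=True)
class Function:
    name: str
    goal: float   # quantified goal the performing components must reach


@dataclass(frozen=True)
class RedundancyPolicy:
    """During phase P, F must be performed by C; if not, and C_R is in a state of S, switch C_R to S_R."""
    name: str
    phase: Phase
    function: Function
    spared: Tuple[str, ...]        # C = {c_i}
    redundant: str                 # C_R
    available: FrozenSet[State]    # S = {S_i}
    rescue: State                  # S_R
    threshold: float               # below this achievement, C "does not perform fittingly" (assumption)

    def check_constraints(self) -> None:
        """C_R ∉ C is stated on the slides; S non-empty is an added assumption."""
        if self.redundant in self.spared:
            raise ValueError(f"{self.name}: redundant component {self.redundant} must not belong to C")
        if not self.available:
            raise ValueError(f"{self.name}: the set of available states S is empty")


# Achievement rate of a component on F, in percent of the goal. Constructed figures:
# the deck only says the rate is "to be defined".
ACHIEVEMENT = {State("RUN", "OK"): 50.0, State("OVERSPEED", "OK"): 75.0}


def achievement(component: Component) -> float:
    """An OFF or faulty component contributes nothing (constructed rule)."""
    return ACHIEVEMENT.get(component.current, 0.0)


def evaluate(policy: RedundancyPolicy, phase: Phase,
             components: Dict[str, Component]) -> Optional[State]:
    """Return the rescue state to apply to C_R, or None when the policy does not fire."""
    if phase != policy.phase:
        return None                                   # policy is definedFor another phase
    achieved = sum(achievement(components[c]) for c in policy.spared)
    if achieved >= policy.threshold:
        return None                                   # C still performs F fittingly
    if components[policy.redundant].current not in policy.available:
        return None                                   # C_R is not available (e.g. itself faulty)
    return policy.rescue


def reconfigure(policy: RedundancyPolicy, phase: Phase,
                components: Dict[str, Component]) -> Optional[State]:
    """Apply the policy: the operation mode of C_R is the deterministic part of its state."""
    rescue = evaluate(policy, phase, components)
    if rescue is not None:
        components[policy.redundant].current = rescue
    return rescue


# Instances from the deck (R2.1) plus a constructed counterpart R1.1 for phase P1.
F = Function("F", goal=60.0)
P1, P2 = Phase("Power increasing"), Phase("Production")
R2_1 = RedundancyPolicy("R2.1", P2, F, spared=("FTP1",), redundant="FTP2",
                        available=frozenset({State("RUN", "OK")}),
                        rescue=State("OVERSPEED", "OK"), threshold=50.0)
R1_1 = RedundancyPolicy("R1.1", P1, F, spared=("FTP1",), redundant="FTP2",
                        available=frozenset({State("OFF", "OK")}),
                        rescue=State("RUN", "OK"), threshold=50.0)


def scenario_p2(ftp2_state: State = State("RUN", "OK")) -> Tuple[Optional[State], Optional[State], State]:
    """Failure of FTP1 during P2: (outcome before the failure, outcome after it, final FTP2 state)."""
    R2_1.check_constraints()
    pumps = {"FTP1": Component("FTP1", State("RUN", "OK")), "FTP2": Component("FTP2", ftp2_state)}
    before = reconfigure(R2_1, P2, pumps)
    pumps["FTP1"].current = State("RUN", "RUPTURE")   # stochastic failure event
    after = reconfigure(R2_1, P2, pumps)
    return before, after, pumps["FTP2"].current


def scenario_p1() -> Tuple[Optional[State], Optional[State]]:
    """Leak of FTP1 during P1: R1.1 activates the spare, R2.1 is silent because it is definedFor P2."""
    R1_1.check_constraints()
    pumps = {"FTP1": Component("FTP1", State("RUN", "OK")), "FTP2": Component("FTP2", State("OFF", "OK"))}
    pumps["FTP1"].current = State("RUN", "LEAK")
    return reconfigure(R1_1, P1, pumps), reconfigure(R2_1, P1, pumps)
```

Running scenario_p2() with FTP2 already in (RUN, LEAK) shows the availability check doing its job: the policy does not fire, and the function is lost, which is the case a dynamic model built from the instance has to quantify.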
Conclusion and Outlook

The meta-model offers a framework for integrating safety analysis into SE processes.
The meta-model has been implemented with the modeling tool arKItect®.
For assessing safety attributes, a dynamic model is necessary.
The definition of an algorithm for automating the construction of a formal dynamic model from an instance of this meta-model is ongoing work.
Question Time

Thank you for your attention
References

[1] F. Pfister, V. Chapurlat, M. Huchard, C. Nebut, and J.-L. Wippler, “A proposed meta-model for formalizing systems engineering knowledge, based on functional architectural patterns,” Systems Engineering, vol. 15, pp. 321–332, Autumn 2012.
[2] R. Guillerm, N. Sadou, and H. Demmou, “Combining FMECA and Fault Trees for declining safety requirements of complex systems,” in ESREL 2011, C. Guedes Soares, Ed., Troyes (France), September 2011, pp. 1287–1293.
[3] D. Cancila, F. Terrier, F. Belmonte, H. Dubois, H. Espinoza, S. Gérard, and A. Cuccuru, “Sophia: a modeling language for model-based safety engineering,” in MoDELS ACES-MB, Denver, Colorado, USA, October 6th 2009, pp. 11–25.
[4] P. David, V. Idasiak, and F. Kratz, “Reliability study of complex physical systems using SysML,” Reliability Engineering and System Safety, vol. 95, no. 4, pp. 431–450, 2010.
[5] OMG, UML 2.0 OCL Specification, Object Management Group, 2003.
[6] A. Villemeur, Reliability, Availability, Maintainability and Safety Assessment: Methods and Techniques. Wiley, 1992.
[7] G. R. Burdick, J. B. Fussell, D. M. Rasmuson, and J. R. Wilson, “Phased mission analysis: A review of new developments and an application,” IEEE Transactions on Reliability, vol. R-26, pp. 43–49, April 1977.
[8] L. Meshkat, L. Xing, S. Donohue, and O. S.K., “An overview of the phase-modular fault tree approach to phased mission system analysis,” in Proceedings of the International Conference on Space Mission Challenges for Information Technology, Pasadena, CA, USA, July 2003, p. 10.
[9] M. Kothare, B. Mettler, M. Morari, P. Bendotti, and C.-M. Falinower, “Level control in the steam generator of a nuclear power plant,” in Proceedings of the 35th IEEE Conference on Decision and Control, vol. 4, Kobe, Japan, December 11th–13th 1996, pp. 4851–4856.
[10] H. Zhang, B. de Saporta, F. Dufour, and G. Deleuze, “Dynamic reliability: Towards efficient simulation of the availability of a feedwater control system,” in NPIC-HMIT 2012, San Diego, USA, July 22–26 2012.
[11] H. Aboutaleb, M. Bouali, M. Adedjouma, and E. Suomalainen, “An integrated approach to implement system engineering and safety engineering processes: SASHA project,” in ERTS 2012, Toulouse, France, February 2nd 2012.
arKItect® (Knowledge Inside)

A software for multi-scale and multi-job design, developed by the French company Knowledge Inside.
The tool offers a graphical and collaborative environment.
Two layers of design:
• The Domain Specific Language design (meta-model)
• The System design (instantiation)
PyCATSHOO (EDF R&D)

Pythonic Context (Object-Oriented) for modeling and computing the Hybrid Stochastic Automaton.
• A computation engine for Monte Carlo simulation
• Using knowledge bases
[12] H. Chraibi, “Dynamic reliability and assessment with PyCATSHOO: application to a test case,” in PSAM, Tokyo, Japan, April 14th–18th 2013.
Definition of a Mission Phase (step 1)

The Mission Phase determines for the system:
• The system structure
• The failure and recovery processes
• The success criteria

Definition of the effect of a component on a function (step 3)

The components which perform a function have to reach a quantified goal in order to achieve it fittingly.
If a function is allocated to a component, then that component performs this function with an achievement rate, which remains to be defined.