ESA PetriNet: Petri Net Tool for Reliability Analysis

Romaric Guillerm, Nabil Sadou, Hamid Demmou

14 Oct. 2009 LAAS-CNRS

Outline2

General Context and Motivation

System Modelling

Feared Scenario Deriving Algorithm

The Tool: ESA PetriNet

Case Study

Conclusion

General Context3

Complexity of embedded system Integration of mechanic, hydraulic, electric,

electronic and information technologies Existence of reconfigurations to maintain

the system in safe degraded states Hybrid aspect (both discrete and

continuous) Complexity of the modelling Complexity of safety analysis

Motivations4

Why searching for critical scenarios? To evaluate safety as soon as possible during

the design phase To minimize the cost and the time of design

What is a feared scenario? List of events which leads from a normal

operating state to a feared one with a partial order relation between these events

The order of occurrence of the events is important !

System Modelling5

Hybrid aspect: Continuous dynamic: energetic system (differential

equations) Discrete dynamic: operation mode, failure and

reconfiguration mechanisms (Petri net) Use of Petri nets with a temporal abstraction

temporal Petri nets

The discrete part is deal with the Petri net structure and the continuous part is deal with the temporal aspect (through a temporal abstraction)

6

Algorithm: Automatic method for deriving feared scenarios. It is not a classical Petri nets player. It is a player based on linear logic which guides the

construction of partial order. It avoids the state space explosion. Petri nets

player

Algorithm

A

B

C DE

t21t1

1

I1

I2 F2

F1

F G Ft41

t31

I1 F1

t32…t1

1t31I1 t4

1 t21

…

interlacement

partial orders

A

B

CD

E

t1

t2

GF

t4

t3

Feared Scenario Deriving Algorithm

7

It is done on four steps:

1. Determine the normal states: The places that when marked represent a normal operation states. These ‘normal’ places will be used as stop criteria for the backward reasoning.

2. Determine the target state (partial feared state or state to be analysed): It can be either a partial feared state or another partial state with a direct or indirect link to the feared state (Simulation, PHA).

Feared Scenario Deriving Algorithm

3. Backward Reasoning8

Starting from the feared state in the reversed Petri net:

OKS

rS

KOS

dS

OK1

r2

KO1

d1

OK2

r2

KO2

d2

OKe

re

KOe

de

The goal is to determine the normal states from which the system goes to the feared state.

Only the necessary transitions are fired.

The objects are introduced progressively.

Normal ‘conditioning’ states are the stop criterion.

Potentially enabled transition

Marking enrichment

Obj1 – satellite 1 Obj2 – satellite 2 Obj3 – ground station

Obj4 – alimentation

4. Forward Reasoning9

Starting from the conditioning state in the initial Petri net:

Analysis of the bifurcations (transition conflict in the Petri net) between the normal behavior and the feared one.

Determination of the complete context of the feared state.

Scenario deriving

OKS

rS

KOS

dS

OK1

r1

KO1

d1

OK2

r2

KO2

d2

OKe

re

KOe

de

Initial Marking : IM1=OKs OKeOKe

deKOe

ds KOsOKs

I1

I2 F1

F2KOe

Obj1 – satellite 1 Obj2 – satellite 2 Obj3 – ground station

Obj4 – alimentation

The Tool: ESA PetriNet

Web link: http://www.laas.fr/ESA

10

Example – Presentation 11

2 main tanks 1 electrovalve for each tank 1 relief electrovalve shared between the 2

tanks

Volume regulation system of two tanks

Objective:To keep the volume of each tank inside the interval [Vimin, Vimax]

Interest:Overflow of the tank 1

Example – Modelling12

“tank” class:

tank1 tank2

Example – Modelling13

“electrovalve” and “relief electrovalve” classes:

EV1EVS

EV2

Example – Scenarios Research

14

Research of the feared scenarios with the Petri net modelling: Feared state: overflow of the tank 1

Example – Scenarios Research

15

Conclusion 16

The approach that we have presented in this paper is the deriving feared scenario method in hybrid systems.

The T-temporal Petri net modeling approach allows to address the two aspects separately: The discrete aspect by linear logic, through the Petri net

structure The continuous aspect by temporal abstractions, through the

t-temporal aspect.

The extraction of the feared scenarios is automated by a tool: ESA PetriNet - temporal edition

But the great disadvantage of the approach is the temporal abstraction required for the system modelling…

Further Information…17

… We have developed another new approach based on Differential Predicate Transition Petri net (DPT Petri net).

The DPT Petri net modelling approach, in which the continuous and the discrete parts are represented by two different formalisms, allows to address the two aspects separately: The discrete aspect by linear logic The continuous aspect by local simulation of the differential

equations.

The causal relations are determined by combining the initial deriving feared scenarios algorithm (discrete simulator) and a differential equations solver (continuous simulator).

These two simulators evolves alternatively, the discrete simulator determines the state changes according to the timed data transmitted by the continuous simulator.

18

Thank you for your attention-----

Questions?

http://www.laas.fr/ESA

Annexes19

Hybrid Edition of ESA PetriNet

Differential Predicate Transition Petri Nets (DPT Petri Nets)

20

The main features to take into account the continuous part are : A set of variables (xi) is associated with each token. A differential equation system (Fi) is associated with each

place (Pi):

An enabling function (ei) is associated with each transition (ti): . It triggers the firing of the enabled transitions.

A junction function (ji) is associated with each transition (ti): . It defines the value xi associated with the tokens of the output places

li

tXXF

tXXF

F

lll

iii

...1,

),(

),,(

.

,

.

0 ,,),( _ iinputi Xe

))(()( __ iinputiioutput XjX

Continuous Scenario Deriving Algorithm

21

The discrete algorithm is limited to discrete systems or hybrid systems in which the continuous dynamic is approximated by temporal abstraction

To deal with continuous dynamic, it is necessary exploit directly the hybrid model

Combines the Discrete Scenario Driving Algorithm with differential equation solver

P1

P2

P3 P4

max12 :),,(

22VVXXe inputinput

t1

t3t2

max22 :),,(

22VVXXe inputinput

)()( :j

1 VV

Algorithm Solver Configuration change

Definition of the equations to integrate

List of the enabled transitions

List of enabling functions to keep a watch on

),,(

222 ded

dVXXF

pp FF

Execution of the junction functions

Integration of the equations

Dates of firing of the transitions

T3T2

T2<T3

22

List of junction functions to keep a watch on

Continuous Scenario Deriving Algorithm

Example – Presentation 23

2 main tanks 1 electrovalve for each tank 1 relief electrovalve shared between the 2

tanks

Volume regulation system of two tanks

Objective:To keep the volume of each tank inside the interval [Vimin, Vimax]

Interest:Overflow of the tank 1

Example – Modelling24

“tank” class:

tank1

Variables associated to places: XV1_cr = {v1} ; XV1_dec = {v1} ; XV1_dec_s = {v1}Enabling functions: eT11: v1=V1max=110 eT12: v1=V1min=90 eT14: v1=V1L=115 eT15: v1=V1min=90 eT13: v1=V1S=120Junction functions: jT11=jT12=jT13=jT14=jT15=ODifferential equations: FV1_cr: Dv1=0.017 FV1_dec: Dv1=-0.017 FV1_dec_s: Dv1=-0.017

Example – Modelling25

“electrovalve” and “relief electrovalve” classes:

ev1 evs

Example – Scenarios Research

26

Research of the feared scenarios with the Petri net modelling: Feared state: overflow of the tank 1

Example – Scenarios Research

27