
Dov Dori
Massachusetts Institute of Technology (visiting)
Technion, Israel Institute of Technology

CSD&M Complex Systems Design & Management, Nov. 13, 2014

Mirror, Mirror on the Wall – Do You See Me at All?

The Cyber-Physical Gap and its Implications on Risks:
Modeling Nuclear Hazards Mitigation

2

Multiple engineering professionals talk different languages

Mechanical Engineers Civil Engineers

Software EngineersElectronics Engineers

Systems engineers are supposed to design systems and integrate these languages –

What language do they talk?

3

Systems Engineers Do Have Languages

• Systems Modeling Language – SysML
  • OMG Standard since 2007

• Object-Process Methodology – OPM
  • OPM book published in 2002
  • ISO Standard 19450 as of Aug. 2014 (formally: 19450 Publicly Available Specification)

OPM software: OPCAT, freely downloadable from http://esml.iem.technion.ac.il/ along with papers and other resources

4

The Six Leading MBSE Methodologies (INCOSE Task Force; Estefan, 2008, p. 43)

IBM Telelogic Harmony-SE

INCOSE Object-Oriented Systems Engineering Method (OOSEM)

IBM Rational Unified Process for Systems Engineering (RUP SE) for Model-Driven Systems Development (MDSD)

Vitech Model-Based System Engineering (MBSE) Methodology

JPL State Analysis (SA)

Object-Process Methodology (OPM): 2014 –ISO 19450 Standard (PAS)

SysML was not surveyed since it is a language, not a methodology

5

The idea behind conceptual modeling

[Diagram: “conceived reality” on the left, “modeled reality” on the right. Recoverable labels: Car, Bus and Aircraft each “is a” Vehicle; Gas Filling “is” an Energy Replenishing; Vehicle “is modeled by” Object, and Gas Filling “is modeled by” Process.]

Using graphical symbols, the model expresses physical things – objects and processes – and relations among them.

6

The Object-Process Theorem
Stateful objects, processes, and relations among them constitute a necessary and sufficient universal ontology.

Corollary
Using stateful objects, processes, and relations among them, one can model systems in any domain.

7

Object-Process Methodology (OPM) Things: Objects and Processes

Object: A thing that exists or might exist physically or informatically

Process: A thing that transforms one or more objects

9

Processes transform objects by

(1) Consuming them:

10

Processes transform objects by

(2) Creating them:

11

Processes transform objects by

(3) Changing their state:

14

Thing’s Essence

The Essence of an OPM Thing (Object or Process) denotes whether the thing is physical (shaded, 3D) or informatical (flat, 2D)

15

Cyber-Physical Systems: Characteristics

• Software-controlled physical systems

• Include physical and cybernetic components

• An agent – a human decision-maker or an information & decision-making system – is the cybernetic component

• Hardware (motors, actuators, VLSI chips…) is the physical component

• Physical processes signal and induce cybernetic events and vice versa

16

Essence is key to the Cyber-Physical Gap

• A Thing’s Essence is key to understanding and modeling the cyber-physical gap

• Physical objects represent what is really “out there” – the actual states and values of objects

• Informatical objects represent the information about their corresponding physical objects that is available to a (human or artificial) decision-making agent

• A cyber-physical gap exists when the state of the informatical object incorrectly indicates the state of the physical object it is supposed to represent

17

Two main sources of cyber-physical gaps

• Incorrect instrument reading causes agents to create a different world view than what is really out there

• Agent’s misconception or incorrect assumption, possibly triggered or supported by an incorrect measurement reading

19

Video: https://www.youtube.com/watch?v=0J7kHfBBBmk (2:00 – 2:15)
https://www.youtube.com/watch?feature=player_detailpage&v=0J7kHfBBBmk#t=121

20

Three OPM Models

First OPM Model: Normal operation of a Pressurized Water Reactor

Second OPM Model: The reactor with the particular chain of faults and a hypothetical lack of human involvement, which could prevent core meltdown

Third OPM Model: The reactor with the particular chain of faults, including human involvement accounting for the cyber-physical gap that worked against the built-in security measures, causing core meltdown

21

First OPM Model: Normal operation of a Pressurized Water Reactor

22

Electric Energy Generating In-Zoomed: Animated Simulation

23

Turbine Spinning In-Zoomed: Animated Simulation

24

Electric Energy Successfully Generated

25

Auto-generated Object-Process Language (OPL) Example

Feedwater can be cooling tower, condensor, or steam generator.
cooling tower is initial.
Pressurized Water Reactor consists of Reactor Secondary Unit, Reactor Primary Unit, and Cooling Tower.
Reactor Secondary Unit consists of Turbine, Generator, and Main Feedwater Pump.
Turbine consists of Condensate Pump.
Condensate Pump can be operational or tripped.
operational is initial.
Main Feedwater Pump can be operational or tripped.
operational is initial.
Reactor Primary Unit consists of Reactor Core and Steam Generator.
Cooling Tower consists of Circulating Water Pump.
Electric Energy Generating is physical.
Electric Energy Generating consists of Controlled Nuclear Reaction, Steam Generating, Turbine Spinning, and Electricity Generating.
Electric Energy Generating requires Pressurized Water Reactor and Cooling Tower.
Electric Energy Generating yields Electric Energy.
Electric Energy Generating zooms into Controlled Nuclear Reaction, Steam Generating, Turbine Spinning, and Electricity Generating.
Controlled Nuclear Reaction affects Reactor Core.
Controlled Nuclear Reaction yields Heat Energy.
Steam Generating affects Steam Generator.
Steam Generating consumes Heat Energy.
Steam Generating yields Steam.
Turbine Spinning consists of Turbine Water Circulating, Water Cooling, Turbine Heat Removing, and Steam Generator Water Circulating.
Turbine Spinning affects Turbine.
Turbine Spinning consumes Steam.
Turbine Spinning yields Mechanical Energy.
Turbine Spinning zooms into Water Cooling, Turbine Water Circulating, Turbine Heat Removing, and Steam Generator Water Circulating.
Water Cooling consumes Steam.
Water Cooling yields cooling tower Feedwater.
Turbine Water Circulating requires Circulating Water Pump.
Turbine Water Circulating changes Feedwater from cooling tower to condensor.
Turbine Heat Removing requires condensor Feedwater.
Turbine Heat Removing yields Mechanical Energy.
Steam Generator Water Circulating occurs if Main Feedwater Pump is operational and Condensate Pump is operational.
Steam Generator Water Circulating changes Feedwater from condensor to steam generator.
Electricity Generating requires Generator.
Electricity Generating consumes Mechanical Energy.
Electricity Generating yields Electric Energy.
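To show how OPL sentences like the ones above can drive a simulation, here is a toy OPL reader and process simulator. It is an example added here, not code from the presentation and not OPCAT: it understands only the "can be", "is initial", "changes ... from ... to" and "occurs if" sentence forms, and the constructed input is a subset of the slide's OPL. The function names (parse_opl, simulate, normal_operation, feedwater_pump_failure) and the order in which the two water-circulating processes fire are assumptions of this example.

```python
import re
from dataclasses import dataclass, field

# Constructed input: OPL sentences quoted from the slide, limited to the four
# sentence forms this toy parser understands.
OPL_TEXT = """
Feedwater can be cooling tower, condensor, or steam generator.
cooling tower is initial.
Condensate Pump can be operational or tripped.
operational is initial.
Main Feedwater Pump can be operational or tripped.
operational is initial.
Turbine Water Circulating changes Feedwater from cooling tower to condensor.
Steam Generator Water Circulating occurs if Main Feedwater Pump is operational and Condensate Pump is operational.
Steam Generator Water Circulating changes Feedwater from condensor to steam generator.
"""


@dataclass
class Model:
    states: dict = field(default_factory=dict)   # object -> its possible states
    initial: dict = field(default_factory=dict)  # object -> initial state
    changes: dict = field(default_factory=dict)  # process -> [(object, from, to)]
    guards: dict = field(default_factory=dict)   # process -> [(object, required state)]


def _split_states(text):
    """'a, b, or c' / 'a or b' -> ['a', 'b', 'c'] / ['a', 'b']."""
    return [p.strip() for p in re.split(r",\s*(?:or\s+)?|\s+or\s+", text) if p.strip()]


def parse_opl(text):
    """Hypothetical minimal OPL reader (not OPCAT's): one sentence per line."""
    model = Model()
    last_object = None
    for line in text.strip().splitlines():
        sent = line.strip()
        if not sent:
            continue
        m = re.fullmatch(r"(.+?) can be (.+)\.", sent)
        if m:
            model.states[m.group(1)] = _split_states(m.group(2))
            last_object = m.group(1)
            continue
        m = re.fullmatch(r"(.+?) is initial\.", sent)
        if m:
            # OPL emits "<state> is initial." right after the object's "can be" sentence
            model.initial[last_object] = m.group(1)
            continue
        m = re.fullmatch(r"(.+?) changes (.+?) from (.+?) to (.+)\.", sent)
        if m:
            model.changes.setdefault(m.group(1), []).append(m.group(2, 3, 4))
            continue
        m = re.fullmatch(r"(.+?) occurs if (.+)\.", sent)
        if m:
            for cond in m.group(2).split(" and "):
                obj, state = re.fullmatch(r"(.+?) is (.+)", cond).groups()
                model.guards.setdefault(m.group(1), []).append((obj, state))
            continue
        raise ValueError("unsupported OPL sentence: " + sent)
    return model


def simulate(model, processes, overrides=None):
    """Fire the processes in order from the initial states; `overrides` injects a
    fault (e.g. a tripped pump). Returns (final states, processes that occurred)."""
    state = dict(model.initial)
    state.update(overrides or {})
    occurred = []
    for proc in processes:
        # A guarded process occurs only if every "occurs if" condition holds now.
        if not all(state.get(obj) == req for obj, req in model.guards.get(proc, [])):
            continue
        for obj, src, dst in model.changes.get(proc, []):
            if state.get(obj) == src:  # a state change needs the object in its source state
                state[obj] = dst
        occurred.append(proc)
    return state, occurred


MODEL = parse_opl(OPL_TEXT)
FEEDWATER_PATH = ["Turbine Water Circulating", "Steam Generator Water Circulating"]


def normal_operation():
    return simulate(MODEL, FEEDWATER_PATH)


def feedwater_pump_failure():
    # Opening event of the TMI-2 summary on the slides: feedwater stops reaching the steam generators.
    return simulate(MODEL, FEEDWATER_PATH, {"Main Feedwater Pump": "tripped"})


if __name__ == "__main__":
    print("normal:", normal_operation())
    print("pump tripped:", feedwater_pump_failure())
```

Under normal operation Feedwater ends in the steam generator state; with the Main Feedwater Pump overridden to tripped, the guard on Steam Generator Water Circulating fails, the process never occurs, and Feedwater stays in the condensor state, which is the starting point of the fault chain in the second and third models.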

26

When Things Start Going Wrong: Summary of Events

http://www.nrc.gov/reading-rm/doc-collections/fact-sheets/3mile-isle.html#summary

The [TMI2] accident began about 4 a.m. on Wednesday, March 28, 1979, when the plant experienced a failure in the secondary, non-nuclear section of the plant (one of two reactors on the site).… a … failure prevented the main feedwater pumps from sending water to the steam generators that remove heat from the reactor core. This caused the plant's turbine-generator and then the reactor itself to automatically shut down. Immediately, the pressure in the primary system (the nuclear portion of the plant) began to increase. In order to control that pressure, the pilot-operated relief valve [PORV] opened. The valve should have closed when the pressure fell to proper levels, but it became stuck open.

27

Second OPM Model: Failing Pressurized Water Reactor Operation: no cyber-physical gap

28

OPCAT simulation of the failing yet self-corrected nuclear facility

29

Pumps fail and are tripped

30

Tripped Pumps Cause too high Pressure

31

PORV opens to relieve Pressure

32

33

Cooling water is escaping

34

Alert is generated

35

Emergency cooling water being pumped; water level back to normal; meltdown prevented

36

Steam is generated

37

Electric energy is generated

38

When humans are misinformed: The Cyber-Physical Gap

http://www.nrc.gov/reading-rm/doc-collections/fact-sheets/3mile-isle.html#summary

…The valve should have closed when the pressure fell to proper levels, but it became stuck open. Instruments in the control room, however, indicated to the plant staff that the valve was closed. As a result, the plant staff was unaware that cooling water was pouring out of the stuck-open valve. … As a result, plant staff assumed that as long as the pressurizer water level was high, the core was properly covered with water. … To prevent the pressurizer from filling up completely, the staff reduced how much emergency cooling water was being pumped in to the primary system. These actions starved the reactor core of coolant, causing it to overheat.

39

Third OPM Model: The Cyber-Physical Model Version

40

41

42

First cyber-physical gap –Incorrect instrument reading:

PORV is (stuck) open, but due to the false PORV closed indication, the Crew determines PORV is closed!

A critical conflict between reality and its cybernetic mirroring!

43

44

Second cyber-physical gap – Agent misconception: Since PORV is believed to be closed, the Reactor Crew determines that Core Water Level is too high while in reality it is low!

Again, a critical conflict between reality and its cybernetic mirroring!

45

Final blow due to the second cyber-physical gap: The Reactor Crew applies Emergency Water Supply Stopping since it determined Core Water Level to be too high, making it too low, causing core meltdown.

46

“… the Crew stops the water supply, starving the reactor core of coolant, causing it to overheat.”

47

Two rules derived from this analysis:

1. The 80/20 cyber-physical design rule
The entire design effort of a cyber-physical system should be allocated as follows:

• 20% to the “sunny day” scenario – the basic function-fulfilling activities of the system

• 80% to mitigate contingencies due to the cyber-physical gap

2. The cyber-physical triple redundancy rule
When instrument readings are critical, ensure triple redundancy to enable majority voting
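The following Python model is an example added here (it is not the presentation's OPM model) that encodes two things from the slides in executable form: the physical/informatical distinction behind the cyber-physical gap from the "Essence is key to the Cyber-Physical Gap" slides, and the triple redundancy rule above. Physical states live in a Plant record, instruments produce informatical readings, a constructed crew_belief rule reproduces the second (agent misconception) gap, and majority_vote applies the triple redundancy rule. All names, states, the single-indicator and three-indicator scenarios, and the decision rule are assumptions of this example, not facts taken from the accident record.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Plant:
    """Physical objects: the actual states 'out there' (constructed TMI-2 slice)."""
    porv: str               # "open" (stuck) or "closed"
    core_water_level: str   # "low" or "normal"
    pressurizer_level: str  # "high" or "normal": a correct reading used as a misleading proxy


# Constructed physical situation matching the slides: PORV stuck open, core water low.
TMI_PLANT = Plant(porv="open", core_water_level="low", pressurizer_level="high")


# Instruments turn a physical state into an informatical object (a reading).
def honest_porv_sensor(plant):
    return plant.porv


def stuck_closed_indicator(plant):
    # Failure mode from the slides: the control-room indication reads "closed"
    # although the valve is stuck open.
    return "closed"


def majority_vote(readings):
    """Triple-redundancy rule: the majority reading wins, and any disagreement
    between redundant instruments is surfaced so the agent knows one is suspect."""
    value = Counter(readings).most_common(1)[0][0]
    return value, len(set(readings)) > 1


def crew_belief(indicated_porv, pressurizer_level):
    """Constructed agent rule reproducing the slides' second gap: with the PORV
    believed closed, a high pressurizer level is read as 'core water too high';
    with the PORV known open, the crew infers water is escaping (level low)."""
    if indicated_porv == "open":
        return "low"
    if pressurizer_level == "high":
        return "too high"
    return "normal"


def crew_action(believed_core_level):
    return "stop emergency water" if believed_core_level == "too high" else "keep emergency water"


def physical_consequence(plant, action):
    # Emergency cooling is the only thing keeping a leaking primary system covered.
    if plant.porv == "open" and action == "stop emergency water":
        return "core overheats"
    return "core cooled"


def run_scenario(porv_sensors, plant=TMI_PLANT):
    """Compare informatical state against physical state at both gap sources."""
    readings = [sensor(plant) for sensor in porv_sensors]
    indicated_porv, disagreement = majority_vote(readings)
    believed_level = crew_belief(indicated_porv, plant.pressurizer_level)
    action = crew_action(believed_level)
    return {
        "readings": readings,
        "indicated_porv": indicated_porv,
        "instrument_gap": indicated_porv != plant.porv,         # gap 1: reading vs. reality
        "believed_core_level": believed_level,
        "agent_gap": believed_level != plant.core_water_level,  # gap 2: belief vs. reality
        "disagreement": disagreement,
        "action": action,
        "outcome": physical_consequence(plant, action),
    }


if __name__ == "__main__":
    print("single indicator:", run_scenario([stuck_closed_indicator]))
    print("triple redundancy:",
          run_scenario([stuck_closed_indicator, honest_porv_sensor, honest_porv_sensor]))
```

With a single stuck indicator both gaps open (the reading misrepresents the valve and the crew's belief about core water level misrepresents reality) and the constructed crew rule stops emergency water. With two additional independent sensors the majority reading is "open", the disagreement flag marks one instrument as suspect, and both gap flags clear; the value of the rule is not just the corrected reading but the explicit signal that the instruments disagree.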

48

Summary 1/2

• The cyber-physical gap is a critical factor

• It must be accounted for when designing systems, notably safety-critical ones

• OPM is suitable for modeling cyber-physical gaps

• This is due to its notion of essence – physical vs. informatical things

49

Summary 2/2

• The model can be instrumental in helping designers consider how hazardous situations might arise

• This still leaves us with the hard state explosion problem:
  • How to consider the exponential number of system states (combinations of all object states)
  • How to test the sheer number of system states to determine the potential hazard of each – the 80/20 rule is a partial answer

50

Questions and (hopefully) Answers

Contact: Dov Dori – [email protected]