Presents recent developments of probabilistic assessment of systems dependability based on stochastic models, including graph theory, finite state automaton and language theory, for both dynamic and hybrid contexts.
Number of pages: 203
Publication year: 2015
Contents
Preface
Introduction
PART 1: Predicted Reliability of Static Systems: A Graph-Theory Based Approach
1. Static and Time Invariant Systems With Boolean Representation
1.1. Notations
1.2. Order relation on
1.3. Structure of a system
1.4. Cut-set and tie-set of a system
2. Reliability of a Coherent System
2.1. Demonstrating example
2.2. The reliability block diagram (RBD)
2.3. The fault tree (FT)
2.4. The event tree
2.5. The structure function as a minimal union of disjoint monomials
2.6. Obtaining the reliability equation from the Boolean equation
2.7. Obtain directly the reliability from the ordered graph
3. What About Non-Coherent Systems?
3.1. Example of a non-coherent supposed system
3.2. How to characterize the non-coherence of a system?
3.3. Extension of the ordered graph method
3.4. Generalization of the weighted graph algorithm
Conclusion to Part 1
PART 2: Predicted Dependability of Systems in a Dynamic Context
Introduction to Part 2
4. Finite State Automaton
4.1. The context of discrete event system
4.2. The basic model
5. Stochastic FSA
5.1. Basic definition
5.2. Particular case: Markov and semi-Markov processes
5.3. Interest of the FSA model
5.4. Example of stochastic FSA
5.5. Probability of a sequence
5.6. Simulation with Scilab
5.7. State/event duality
5.8. Construction of a stochastic FSA
6. Generalized Stochastic FSA
7. Stochastic Hybrid Automaton
7.1. Motivation
7.2. Formal definition of the model
7.3. Implementation
7.4. Example
7.5. Other examples
7.6. Conclusion
8. Other Models/Tools For Dynamic Dependability Versus SHA
8.1. The dynamic fault trees
8.2. The Boolean logic-driven Markov processes
8.3. The dynamic event trees (DETs)
8.4. The piecewise deterministic Markov processes
8.5. Other approaches
Conclusion and Perspectives
Appendix
A.1. Some basic definitions of dependability indicators
A.2. Elements of Boolean algebra in
A.3. Elements of the language theory
A.4. Operations on automata
A.5. Markov and semi-Markov models
Bibliography
Index
First published 2015 in Great Britain and the United States by ISTE Ltd and John Wiley & Sons, Inc.
Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted under the Copyright, Designs and Patents Act 1988, this publication may only be reproduced, stored or transmitted, in any form or by any means, with the prior permission in writing of the publishers, or in the case of reprographic reproduction in accordance with the terms and licenses issued by the CLA. Enquiries concerning reproduction outside these terms should be sent to the publishers at the undermentioned address:
ISTE Ltd, 27-37 St George’s Road, London SW19 4EU, UK
www.iste.co.uk
John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, USA
www.wiley.com
© ISTE Ltd 2015
The rights of Jean-François Aubry and Nicolae Brînzei to be identified as the authors of this work have been asserted by them in accordance with the Copyright, Designs and Patents Act 1988.
Library of Congress Control Number: 2014956809
British Library Cataloguing-in-Publication Data
A CIP record for this book is available from the British Library
ISSN 2051-2481 (Print)
ISSN 2051-249X (Online)
ISBN 978-1-84821-765-2
Preface
Systems dependability assessment! Many excellent books deal with this subject and describe its evolution from its beginning, at the end of World War II. We can recall the first computers, which were only occasionally in an operating state. From that time on, many robust methods and tools made the analysis and assessment of their failures possible, so that the potential users of these new technologies could rely on them. The word “reliability” was born. The safe development of electronics and then of computing, aerospace and nuclear technologies became possible. So it is logical to ask whether a new book is relevant. In fact, it was found that the simplifying hypotheses commonly used to obtain the predictive measures of reliability are sometimes difficult to justify, and that they can produce pessimistic values compared to field feedback, or optimistic forecasts of rare dangerous events. This induced a lot of research in the specialized community, for example in the Automatic Control Research Center (Centre de Recherche en Automatique de Nancy – CRAN) of the University of Lorraine, France.
These are some of the works that we will modestly report in this book. They constituted significant contributions to recent approaches of predictive dependability, by resorting to concepts developed in automatic control but not yet exploited for dependability. We can cite, for example, graph theory, finite-state automata, Petri nets, the Bayesian approach and fuzzy sets.
These developments spanned approximately the last two decades and gave some original advances in the field, and it is difficult for us not to make a connection with the Nancy School of Art Nouveau one century ago. In fact, perhaps we could have called this book Systems Dependability Assessment; Beyond traditional approaches, the Nancy School!
Let us enter now into more technical and scientific considerations to give the clarifications that the title of this book deserves.
The CEI 50 (191) standard [IEC 90] defines dependability as the ability of an entity to assume one or more requested functions in given conditions. This very general and non-quantitative notion may be further specified by its generally associated attributes which are [LAP 95]: hindering or barriers, achievement means, validation means and measures. Our contribution rightly takes a place within the latter, and especially in quantitative measures. Nevertheless, it is difficult to give a single value for this measure as the dependability is actually a concept including three components [IEC 90]: reliability, maintainability and availability. These three components, as well as their measures which are probabilities, are formally defined in the CEI 50 (191) standard. The lifetime (or time before failure) and the repair time of an entity are considered as random time variables whose distribution functions define, respectively, the reliability and the maintainability of the entity. The availability is the probability for the entity of being in operation at a given time instant, knowing that the entity could have been alternatively in operation or in repair states. Its asymptotic value is generally an interesting measure. In the Appendix, the basic mathematical definitions are recalled.
However, the CEI 50 (191) standard does not consider safety as a component of dependability. Safety is the ability of an entity to avoid the appearance of critical or catastrophic events that may affect equipment or staff. The measure of safety may be defined as a probability; however, it is also important to assess it with regard to the consequences of the occurrence of these critical or catastrophic events. This leads to the concept of risk, a risk being evaluated by associating the occurrence frequency (or probability) of a dangerous event with the damage it induces on goods, people and the environment. It is not the main purpose of this book to deal with risk management; nevertheless, it may be considered that a system may be in a dangerous state as well as in an availability state, the two being sometimes compatible. As we will see later, it is possible to assess the probability for a system of being in any subset of its possible states and, for example, in the subset of safe states. We can find in CEI 61508 [IEC 98] a probabilistic approach to functional safety that we can qualify as the reliability of the systems responsible for safety loops in industrial plants. That is why it is difficult not to consider safety as a fourth element of dependability, especially when it is a matter of probabilistic assessment. Many authors and agencies prefer the RAMS acronym (reliability, availability, maintainability and safety) to dependability. However, RAMS has a wider extension, covering all the attributes of dependability and safety: hindering, achievement means, validation means, and quantitative as well as qualitative measures.
By the term “system”, we mean a set of components interacting together to perform one or more predefined functions. Components and system are included in the definitions of “dependability” under the generic term “entity”; however, their measures are issued from different approaches. For the components, they are based, for example, on known probabilistic laws whose parameters are adjusted from statistical data. For a system, the dependability measure is a prediction obtained by a dedicated model starting from the knowledge of the dependability measures of its components.
This definition of system does not mention the complexity level of the system. The complexity may be expressed in terms of the number of components, but it must be understood more particularly in terms of the interactions between them. As we will see, many types of models may be combined to describe these interactions, and the solution method may rely on analytical calculation or on simulation. For large systems, it is usual to build hierarchical models with several levels of subentities, etc. It is not our purpose to discuss system engineering and we will only consider a single decomposition level, with the objective of finding a model relating one dependability measure of a system to that of its components.
In the dependability or RAMS domain, two types of assessment are predominantly performed: qualitative and quantitative. Qualitative assessment is generally performed as a preliminary study to identify and qualify the components, events, interactions and limits of the system, in order to eventually be able to start the quantitative assessment, which must be understood as the set of means, methods and tools giving a quantitative measure of the system’s dependability. As said previously, this measure is predictive and is based on models. These models are very numerous and most have been known for a long time; it is not our goal to give an exhaustive description of them.
Jean-François AUBRY
December 2014
Introduction
In this book, we are interested in the problem of characterizing the probabilistic indicators of the dependability of a complex system, knowing a priori the dysfunctional characteristics of its components. These components may be material (machines, hardware, devices, structures, subsystems, etc.), immaterial (software, strategies, etc.) or people (designers, operators, repairers, etc.). It is supposed that the definition, the modeling and the assessment of the dysfunction of these components are well known, as a matter of applying probability and statistics theories. The reader may refer to so many books and publications on the subject that it is impossible to mention them all. We will only cite, for example, the following authors: Meeker [MEE 98], Modarres [MOD 93] and Cocozza [COC 97].
It may be thought that all, or almost all, has been written on the dependability of systems and that the electronics, aeronautic, space, chemical, transportation or nuclear industries practice this activity with expertise. Nevertheless, the interest developed in the past 20 years by many research experts in the so-called “dynamic reliability” shows that this is not exactly the case. A community of specialists is engaged in reconsidering the many simplifying hypotheses required to elaborate analytical models, hypotheses that carry the risk of overlooking, for example, insidious conditions, rare event sequences or complex interactions between functional and dysfunctional behaviors.
Considering more extensively all the problems impacting a dependability assessment process becomes possible today by borrowing concepts developed in other scientific domains and thanks to the increased power of engineering tools (computers, networks, languages, software, etc.).
From such a perspective, we propose in Part 1 to revisit the traditional approach of systems reliability modeling by means of the monotone structure function concept and its representation by a graph, a concept that we will progressively transform in Part 2 into that of the stochastic hybrid automaton. So, we will take advantage of concepts developed in the fields of graph theory and finite-state automata theory, into which probabilistic aspects have been introduced.
We will present some simple examples and the associated tools to illustrate the pedagogical approach as well as results obtained with more complex case studies in the context of research programs. We thank Dr G.-A. Perez Castaneda and Dr G. Babykina for their important contribution to the research partially reported in the final part.
A system whose outputs depend, at any time, only on the current states of its variables is generally called a time-invariant system or stationary system. Furthermore, a static system is a system whose outputs do not depend on the past of its inputs; it has no memory. Translated into the context of reliability, these definitions become: at any time, the same combination of component states induces the same state of the system and, at a given time, the knowledge of the reliability of each component is sufficient to obtain the reliability of the system. In addition, we will only consider in this section systems and components with Boolean behaviour (“ON or Operating” and “FAIL” states, which will be represented by the Boolean values “1” and “0”).
Let us suppose that a system S with Boolean states is composed of r components ci. The state of a component ci is defined by the Boolean variable ui. We will use the following notation:
Let us recall that a relation R on a variable set is an order relation if it is reflexive (aRa), antisymmetric (aRb and ) and transitive (aRb and ). A set provided with such a relation is an ordered set. In the Boolean set , two operations establish an order: the identity operation noted and the implication operations sometimes noted and , (analog of the operations defined on the integers with the same symbols).
It is really a matter of order relations on because it is reflexive ( and ), transitive ( and ) and antisymmetric ( and ).
For example we can write: (1, 1, 0, 1, 1) (1, 1, 0, 1, 0) (1, 1, 0, 1, 1)
But (1, 0, 1, 1, 0) is not in relation with (1, 1, 0, 1, 0).
A drawing of this order relation is given by its Hasse diagram [VEL 05], that is to say, a graph in which the nodes are the possible values of and the arcs are the representations of the order relation. It is a subset of the sagittal diagram of the relation where the loops and the arcs representing respectively the reflexivity and the transitivity properties are removed. Such a structure is sometimes called r-cube [ARN 97].
For example, Figure 1.1 gives a representation of the order relation in . This example shows that the values (101) and (010) are not in relation, illustrating that the order relation is not total but only partial (not all pairs of elements are in relation with each other).
Theoretically, the diagram would be oriented according to the chosen relation ( or ). In practice, both relations are represented, as they are symmetrical: the nodes are placed top-down according to the number of zeros they contain, so that the arcs are oriented top-down for the relation and bottom-up for the other one.
Figure 1.1. Hasse diagram of the set
An interpretation of this diagram as a state graph of the system is interesting, considering that an arc is associated with a component failure when oriented top-down and with a component repair when oriented bottom-up. With the physically admissible hypothesis that events are never simultaneous (two failures, two repairs, or a failure and a repair), the paths of this graph represent all possible sequences of these events. This will be widely exploited in the second part.
A. Kaufmann et al. [KAU 75] introduced this concept in the field of reliability, but not in the Boolean context. They considered a set reduced to the two integers 0 and 1 and defined the concept of an analytical structure function on this set using operators on integers. We think, however, that the Boolean context is naturally suitable.
Let us consider Y, the Boolean variable representing the state of the system S.
The structure function (notated as SF from here on) of the system S is the Boolean function associating a value to for each value of . It will be noted .
The structure function may be materialized on the Hasse diagram by assigning different marks to the nodes according to the two values of Y, “1” or “0”. We propose simply to surround the nodes of the first kind (Y = 1) by solid lines, and we call “state diagram” the representation of the SF of the system obtained in this way. Figure 1.2 shows the state diagram of a three-component system.
The formal definition of the state diagram is as follows:
DEFINITION 1.1.– A state diagram is a graph formally defined as a 5-tuple:
[1.1]
where:
Figure 1.2. State diagram of a three-component system
The definition of the monotony property of a function applied to the structure function gives:
DEFINITION 1.2.– A structure function is monotone if it satisfies the following property:
A coherent system is usually defined as follows:
DEFINITION 1.3.– A coherent system is defined by three conditions:
Consequently, for coherent systems, any path starting from the upper node of the state diagram (1r) and ending at the lower node (0r) encounters a single change of the Y value.
A non-coherent system would be a system running with n components in the ON state and failing upon the repair of one of the (r – n) failed components, or failing with m components in the FAIL state and running again after the failure of one of the (r – m) running components. Figure 1.3 shows the state diagram of a non-coherent system.
Figure 1.3. State diagram of a non-coherent system
Starting from the top state (111), where the system is running, we can see that the failure of component c2 causes the failure of the system. From this fail state (101), we can see that the failure of c1 or of c3 brings the system back to an operating state, (001) or (100) respectively. We will dedicate a specific chapter to such systems in the following.
Let us first introduce formally two very general notions: the cut-sets and the tie-sets of a system. Kaufmann et al. [KAU 75] formally demonstrated that these concepts are derived from those of cuts and paths in graph theory:
The cardinality of I is the order of the tie-set, that is to say the number of components of the tie-set.
On the state diagram, any combination of component states for which the system is in the operating state then corresponds to a tie-set: the subset of components whose state variables have the value “1”. In Figure 1.2, the tie-sets correspond to the nodes surrounded by solid lines and are thus: {c1, c2, c3}, {c2, c3}, {c1, c3}, {c1, c2} and {c1}.
Among these subsets (the tie-sets), some are minimal:
DEFINITION 1.5.– A minimal tie-set is a tie-set not including strictly any component subset being itself a tie-set.
For a minimal tie-set (or min tie-set), the operation state of all of its components guarantees the operation state of the system. In our example, {c2, c3} and {c1} are minimal tie-sets.
The cardinality of I is the order of the cut-set, that is to say the number of components of the cut-set.
On the state diagram, any combination of component states for which the system is in the fail state then corresponds to a cut-set: the subset of components whose state variables have the value “0”.
In Figure 1.2, the cut-sets correspond to the nodes surrounded by dotted lines; they are: {c1, c2}, {c1, c3}, {c1, c2, c3}.
The definition of minimal cut-sets is also possible.
DEFINITION 1.7.– A minimal cut-set is a cut-set not including strictly any component sub-set being itself a cut-set.
For a minimal cut-set (or min cut-set), the failure of all of its components guarantees the failure of the system. In our example, {c1, c2} and {c1, c3} are minimal cut-sets.
We can refer to Kaufmann et al. [KAU 75] for the relations between the sets of cut-sets and tie-sets.
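The following worked example, added here and not taken from the book, puts sections 1.2 to 1.4 together in code for r = 3 components. The structure function of Figure 1.2 is recovered from the tie-sets listed above (the system runs if c1 runs, or if c2 and c3 both run); the order relation and the Hasse diagram arcs of Figure 1.1 are built explicitly; monotony (Definition 1.2), coherence, the "single change of Y along every path" property, and the minimal tie-sets and cut-sets (Definitions 1.5 and 1.7) are then checked. The three coherence conditions used are the standard ones (phi(1r) = 1, phi(0r) = 0, monotony, every component relevant) and are assumed to match Definition 1.3, whose text is not reproduced on this page. For the non-coherent system of Figure 1.3, only the four states named in the text are known; the values of the other four states are assumptions made to complete the function.

```python
"""Structure function, state diagram, coherence and cut/tie-sets (added example)."""
from itertools import permutations, product


def phi_fig12(u):
    """Structure function Y = phi(u) recovered from the tie-sets listed for
    Figure 1.2: the system runs if c1 runs, or if c2 and c3 both run."""
    u1, u2, u3 = u
    return 1 if (u1 == 1 or (u2 == 1 and u3 == 1)) else 0


# Figure 1.3 (non-coherent). Only the four states named in the text are
# known; the remaining four values are ASSUMED here to complete the function.
_FIG13 = {
    (1, 1, 1): 1, (1, 0, 1): 0, (0, 0, 1): 1, (1, 0, 0): 1,  # from the text
    (0, 1, 1): 1, (1, 1, 0): 1, (0, 1, 0): 0, (0, 0, 0): 0,  # assumed
}


def phi_fig13(u):
    return _FIG13[tuple(u)]


def all_states(r):
    """The r-cube {0,1}^r, top node (1,...,1) first, bottom node (0,...,0) last."""
    return list(product((1, 0), repeat=r))


def order_leq(a, b):
    """Component-wise order relation: a <= b iff a_i <= b_i for every i.
    Two states with neither a <= b nor b <= a are not in relation (partial order)."""
    return all(x <= y for x, y in zip(a, b))


def hasse_arcs(r):
    """Arcs of the Hasse diagram, oriented top-down: (b, a) where a is b with
    exactly one '1' turned into '0' (one component failure; read bottom-up, one repair)."""
    arcs = []
    for b in all_states(r):
        for i, bit in enumerate(b):
            if bit == 1:
                arcs.append((b, b[:i] + (0,) + b[i + 1:]))
    return arcs


def state_diagram(phi, r):
    """Mark every node of the Hasse diagram with its Y value (the 'state diagram')."""
    return {s: phi(s) for s in all_states(r)}


def is_monotone(phi, r):
    """Definition 1.2: going down one arc (one more failure) never raises Y."""
    return all(phi(a) <= phi(b) for b, a in hasse_arcs(r))


def is_coherent(phi, r):
    """Standard coherence conditions (assumed to match Definition 1.3):
    phi(1r) = 1, phi(0r) = 0, phi monotone, and every component relevant."""
    top, bottom = (1,) * r, (0,) * r
    if phi(top) != 1 or phi(bottom) != 0 or not is_monotone(phi, r):
        return False
    for i in range(r):
        # component i is relevant if flipping it changes Y in at least one state
        if not any(phi(b) != phi(a) for b, a in hasse_arcs(r) if b[i] != a[i]):
            return False
    return True


def changes_of_y_along_paths(phi, r):
    """For every failure order (a path 1r -> 0r of the state diagram), count how
    many times Y changes. A coherent system gives exactly one change per path."""
    counts = []
    for order in permutations(range(r)):
        state = [1] * r
        y_prev, changes = phi(tuple(state)), 0
        for i in order:
            state[i] = 0
            y = phi(tuple(state))
            changes += int(y != y_prev)
            y_prev = y
        counts.append(changes)
    return counts


def tie_sets(phi, r):
    """Components in state '1' of every Y = 1 node (solid-line nodes)."""
    return {frozenset(f"c{i + 1}" for i in range(r) if s[i] == 1)
            for s in all_states(r) if phi(s) == 1}


def cut_sets(phi, r):
    """Components in state '0' of every Y = 0 node (dotted-line nodes)."""
    return {frozenset(f"c{i + 1}" for i in range(r) if s[i] == 0)
            for s in all_states(r) if phi(s) == 0}


def minimal(sets):
    """Definitions 1.5 / 1.7: keep the sets that strictly include no other set of the collection."""
    return {s for s in sets if not any(t < s for t in sets)}


if __name__ == "__main__":
    for state, y in state_diagram(phi_fig12, 3).items():
        print("".join(map(str, state)), "Y =", y)
    print("coherent:", is_coherent(phi_fig12, 3), "| Figure 1.3 monotone:", is_monotone(phi_fig13, 3))
    print("min tie-sets:", [sorted(s) for s in minimal(tie_sets(phi_fig12, 3))])
    print("min cut-sets:", [sorted(s) for s in minimal(cut_sets(phi_fig12, 3))])
```

Running the script lists the eight nodes of the state diagram with their Y value, confirms that the Figure 1.2 system is coherent while the (partly assumed) Figure 1.3 function is not monotone, and recovers exactly the minimal tie-sets {c1}, {c2, c3} and minimal cut-sets {c1, c2}, {c1, c3} stated in the text. The failure order c2, c1, c3 on the Figure 1.3 function gives three changes of Y along a single path (111 running, 101 failed, 001 running, 000 failed), which is precisely the behaviour a coherent system excludes.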
