A Meta-model for Integrating Safety Concerns into System Engineering Processes  LURPA – ENS Cachan (France) Pierre-Yves Piriou Jean-Marc Faure  MRI –
A Meta-model for Integrating Safety Concerns into System Engineering Processes
Pierre-Yves Piriou, Jean-Marc Faure (LURPA – ENS Cachan, France)
Gilles Deleuze (MRI – EDF R&D Clamart, France)
Wednesday 17th April 2013

Outline
- Context and objective of the work
  - General industrial concern
  - Application domain: safety of nuclear power plants
  - Objective
- Related work
- Contribution
  - General description of the meta-model
  - Details
- Illustration: instantiation of the meta-model
  - Brief description of the example
  - Some instance diagrams
- Conclusion and outlook
IEEE Systems Conference 2013

Context and objective of the work: General concern
- Bridging the gap between System Engineering and Safety Analysis.
  System Engineering (functional studies)
  - Models and tools: UML-SysML, arKItect, Obeo Designer, ...
  - Standards and documents: ISO-IEC 15288, ISO-IEC 26702, INCOSE SE Handbook, ...
  Safety Analysis (dysfunctional studies)
  - Models and tools: FTA, SPN, Markov chains, AltaRica, ...
  - Standards and documents: NF X60-500, NF EN 13306, [Villemeur, 1988], ...
  The proposed meta-model is the bridge between the two.

Context and objective of the work: Safety of Nuclear Power Plant (1)
- This field considers Phased Mission Systems. Each mission phase determines:
  - a specific system structure,
  - a specific success criterion,
  - specific failure and recovery processes.
  Figure: power versus time t, with Phase 1 (power increasing), Phase 2 (production phase) and Phase 3 (power decreasing).

Context and objective of the work: Safety of Nuclear Power Plant (2)
- Many components can be repaired.
- The component states are defined by the combination of one failure mode and one operation mode.
  Figure: Operation Mode automaton OFF / RUN / OVERSPEED (deterministic evolution); Failure Mode automaton OK / LEAK / RUPTURE with failure and repair transitions (stochastic evolution); resulting states such as OFF-OK, RUN-OK, RUN-LEAK, OVERSPEED-LEAK, OVERSPEED-OK and OFF-RUPTURE.

Context and objective of the work: Safety of Nuclear Power Plant (3)
- Redundancy policy declarations have to be formalized. A component can spare another one simply by changing its operation mode.
  Figure: two components P1 and P2, each with the Operation Mode automaton (OFF / RUN / OVERSPEED) and the Failure Mode automaton (OK / LEAK / RUPTURE, with failure and repair transitions), linked by a REDUNDANCY relation.

Context and objective of the work: Objective
- To refine an existing System Engineering meta-model for easily defining models dealing with safety concerns:
  - Phased Mission Systems (PMS)
  - Repairable components
  - Realistic failure/repair scenarios
  - Redundancy policies
  Figure: the System Engineering meta-model (requirements, architecturing, ...) and Safety Analysis knowledge (failure mode, redundancy, ...) are combined into the resulting meta-model, which is used together with the studies, models, tools, standards and documents of both disciplines.

Related work: Integrating safety concerns into SE processes
- For the first steps of the system lifecycle:
  - [Guillerm 2011]: safety requirements elicitation.
  - [Cancila 2009]: integrating the preliminary risk analysis process.
  It is assumed that these issues are solved.
- [David 2010]: a method for modeling realistic failure/repair scenarios in a complex system design. Phased Mission Systems are not considered, nor are redundancy policies.

Related work: The existing System Engineering meta-model
- [Pfister 2012]: a meta-model for formalizing systems knowledge, based on functional architecture patterns. A meta-model is a model of models. It should be used in addition to the SE processes.


Contribution: The Meta-model
- The meta-model is specified with a UML class diagram and OCL constraints.
- It provides the minimal classes needed to describe:
  - Mission phases
  - Component states:
    - Operation modes
    - Failure modes
  - Effect of a component on a function
  - Redundancy policies

Contribution, Details: Component State
- A component may be in several states.
- A state is defined by one Failure Mode and one Operation Mode.
- The possible evolutions between the states are driven by probability rates.
  Figure: Non-faulty State to Faulty State with failureRate; Faulty State to Non-faulty State with repairRate.

Contribution, Details: Redundancy Policy (1)

Contribution, Details: Redundancy Policy (2)
- For validating the redundancy policy, the current state of the component $C_R$ must be in the set of $m$ states $S = \{S_i\}_{i \in [1, m]}$.

Contribution, Details: Redundancy Policy (3)
- When a reconfiguration occurs, the allocation of components to functions may be changed.



Illustration, instantiation of the meta-model: Example description (1)
- Two feeding turbo pumps (FTP1, FTP2).
- One function: "To supply enough water".
- Three mission phases are considered:
  - P1: to increase the power (0%Pn < Power < 60%Pn)
  - P2: to produce energy (60%Pn < Power < 100%Pn)
  - P3: to decrease the power (0%Pn < Power < 60%Pn)
  Figure: water level control system of the secondary circuit of the power plant (steam generator, sensors, PID controller, other components, reference input, steam and water flows, FTP1 and FTP2).

Illustration, instantiation of the meta-model: Example description (2)
- P1: only one pump is active. In case of failure of that pump, the spare component is activated.
- P2: the two pumps are active. In case of failure of one of them, the other is over-speeded.
- P3: same as phase P1.
  Figure: curve of Power/Pn (60 %, 100 %) against time t across P1, P2 and P3; configurations shown: FTP1 RUN, FTP2 OFF; FTP1 RUN, FTP2 RUN; FTP1 OFF, FTP2 RUN; FTP1 OFF, FTP2 OVERSPEED; events: failure of FTP1, repair of FTP1, failure of FTP1.

Illustration, instantiation of the meta-model: Instance diagram for the Components (Modes)
  Figure: instance diagrams of FTP1 and FTP2 (modes).

Illustration, instantiation of the meta-model: Instance diagram for the Components (tables of attribute values)
- Each combination of Operation Mode and Failure Mode is a state, featured by failure (λ) / repair (μ) rates.

  Operation Mode \ Failure Mode | OK                          | LEAK                               | RUPTURE
  OFF                           | OFF-OK: not relevant        | OFF-LEAK: λ = 0 / μ = 0.2          | OFF-RUPTURE: λ = 0 / μ = 0.1
  RUN                           | RUN-OK: not relevant        | RUN-LEAK: λ = 0.01 / μ = 0.1       | RUN-RUPTURE: λ = / μ = 0
  OVERSPEED                     | OVERSPEED-OK: not relevant  | OVERSPEED-LEAK: λ = 0.05 / μ = 0   | OVERSPEED-RUPTURE: λ = / μ = 0

Illustration, instantiation of the meta-model: Instance diagram for a redundancy policy
- R2.1: If the set of components {FTP1} does not fittingly perform the function F during the phase P2, and if the component FTP2 is available (i.e. its current state is in the set of states {(RUN, OK)}), then FTP2 has to be powered on in the state (OVERSPEED, OK) to participate in the achievement of F.
  Instance diagram objects and links:
  - R2.1: Redundancy policy (name = R2a, threshold = 50.0)
  - P2: Phase (name: Production, description: "Maximum production"), linked to R2.1 by definedFor
  - F: Function (name = F, description = "To supply enough water", goal = 60.0), linked to R2.1 by aimedFunction
  - C1: Component (name: FTP1), linked to R2.1 by spared
  - C2: Component (name: FTP2), linked to R2.1 by redundant
  - (RUN,OK)2: State (failureRate: 0.0, repairRate: 0.0), a state of C2, linked to R2.1 by available
  - (OVERSPEED,OK)2: State (failureRate: 0.0, repairRate: 0.0), a state of C2, linked to R2.1 by rescue
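As an added example (not code from the authors, nor from arKItect or PyCATSHOO), the redundancy policy instance above encoded in Python together with the example's component states, and evaluated for phase P2. The per-state achievement rates are assumed values, since the slides only say such rates are to be defined, and the well-formedness check stands in for the OCL constraints, whose wording the slides do not give.

```python
"""Added example, not the authors' arKItect implementation: a Python instance
of the presented meta-model for the two feeding turbo pumps, with the
redundancy policy R2a evaluated as a reconfiguration rule in phase P2."""
from dataclasses import dataclass

OPERATION_MODES = ("OFF", "RUN", "OVERSPEED")   # deterministic evolution
FAILURE_MODES = ("OK", "LEAK", "RUPTURE")       # stochastic evolution

# Achievement rate of one pump per state, in the unit of the function goal.
# Assumed values: the slides leave these rates "to be defined".
ACHIEVEMENT = {
    "OK":      {"OFF": 0.0, "RUN": 50.0, "OVERSPEED": 75.0},
    "LEAK":    {"OFF": 0.0, "RUN": 25.0, "OVERSPEED": 40.0},
    "RUPTURE": {"OFF": 0.0, "RUN": 0.0,  "OVERSPEED": 0.0},
}

@dataclass
class Component:
    name: str
    state: tuple          # (operation mode, failure mode)

    def achievement(self) -> float:
        op, fm = self.state
        return ACHIEVEMENT[fm][op]

@dataclass
class RedundancyPolicy:
    name: str
    threshold: float
    defined_for: str      # phase the policy is defined for
    aimed_function: str
    spared: Component     # component whose degradation triggers the policy
    redundant: Component  # component that takes over
    available: frozenset  # states in which the redundant component may rescue
    rescue: tuple         # state the redundant component is switched to

    def __post_init__(self):
        # Well-formedness in the spirit of the meta-model's OCL constraints
        # (assumed wording): a state is one operation mode and one failure mode.
        for op, fm in self.available | {self.rescue}:
            assert op in OPERATION_MODES and fm in FAILURE_MODES, (op, fm)

    def applies(self, phase: str) -> bool:
        return (phase == self.defined_for
                and self.spared.achievement() < self.threshold
                and self.redundant.state in self.available)

    def apply(self, phase: str) -> bool:
        """Reconfigure: a component spares another one only by changing its
        operation mode; the failure mode evolves stochastically, never by policy."""
        if not self.applies(phase):
            return False
        assert self.rescue[1] == self.redundant.state[1]
        self.redundant.state = self.rescue
        return True

def p2_scenario(ftp1_failure_mode, ftp2_state=("RUN", "OK")):
    """Phase P2 (both pumps RUN): FTP1 takes the given failure mode.
    Returns (policy fired, FTP2 state, whether F reaches its goal 60.0)."""
    ftp1 = Component("FTP1", ("RUN", ftp1_failure_mode))
    ftp2 = Component("FTP2", ftp2_state)
    r2a = RedundancyPolicy("R2a", 50.0, "P2", "F", ftp1, ftp2,
                           frozenset({("RUN", "OK")}), ("OVERSPEED", "OK"))
    fired = r2a.apply("P2")
    return fired, ftp2.state, ftp1.achievement() + ftp2.achievement() >= 60.0
```

Calling `p2_scenario("RUPTURE")` fires the policy and over-speeds FTP2, whereas `p2_scenario("RUPTURE", ("RUN", "LEAK"))` does not, because a leaking FTP2 is not in the available set and the goal is then missed.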

Conclusion and Outlook
- The meta-model offers a framework for integrating safety analysis into SE processes.
- The meta-model has been implemented with the modeling tool arKItect®.
- For assessing safety attributes, a dynamic model is necessary.
- The definition of an algorithm for automating the construction of a formal dynamic model from an instance of this meta-model is ongoing work.

Thank you for your attention. Question time.

References
[1] F. Pfister, V. Chapurlat, M. Huchard, C. Nebut, and J.-L. Wippler, "A proposed meta-model for formalizing systems engineering knowledge, based on functional architectural patterns," Systems Engineering, vol. 15, pp. 321–332, Autumn 2012.
[2] R. Guillerm, N. Sadou, and H. Demmou, "Combining FMECA and Fault Trees for declining safety requirements of complex systems," in ESREL 2011, C. G. Soares, Ed., Troyes (France), September 2011.
[3] D. Cancila, F. Terrier, F. Belmonte, H. Dubois, H. Espinoza, S. Gérard, and A. Cuccuru, "Sophia: a modeling language for model-based safety engineering," in MoDELS ACES-MB, Denver, Colorado, USA, October 6th 2009, pp. 11–25.
[4] P. David, V. Idasiak, and F. Kratz, "Reliability study of complex physical systems using SysML," International Journal in Reliability Engineering and System Safety, vol. 95, no. 4, pp. 431–450, 2010.
[5] OMG, UML 2.0 OCL Specification, Object Management Group.
[6] A. Villemeur, Reliability, Availability, Maintainability and Safety Assessment, Methods and Techniques. Wiley, 1992.
[7] G.-R. Burdick, J.-B. Fussell, D.-M. Rasmuson, and J.-R. Wilson, "Phased mission analysis: A review of new developments and an application," IEEE Transactions on Reliability, vol. R-26, pp. 43–49, April.
[8] L. Meshkat, L. Xing, S. Donohue, and O. S.K., "An overview of the phase-modular fault tree approach to phased mission system analysis," in Proceedings of the International Conference on Space Mission Challenges for Information Technology, Pasadena, CA, USA, July 2003, p. 10.
[9] M. Kothare, B. Mettler, M. Morari, P. Bendotti, and C.-M. Falinower, "Level control in the steam generator of a nuclear power plant," in Decision and Control, 1996, Proceedings of the 35th IEEE (10 pages), vol. 4, Kobe, Hyogo, Japan, December 11th–13th 1996, pp. 4851–4856.
[10] H. Zhang, B. de Saporta, F. Dufour, and G. Deleuze, "Dynamic reliability: Towards efficient simulation of the availability of a feedwater control system," in NPIC-HMIT 2012, San Diego, USA, July 2012.
[11] H. Aboutaleb, M. Bouali, M. Adedjouma, and E. Suomalainen, "An integrated approach to implement system engineering and safety engineering processes: Sasha project," in ERTS2012 (6 pages), Toulouse, France, February 2nd 2012.

arKItect
- Software for multi-scale and multi-job design.
- Developed by the French company Knowledge Inside.
- The tool offers a graphical and collaborative environment.
- Two layers of design:
  - the Domain Specific Language design (meta-model),
  - the System design (instantiation).

PyCATSHOO (EDF R&D)
- Pythonic Context (Object-Oriented) for modeling and computing the Hybrid Stochastic Automaton.
- A computation engine for the Monte Carlo simulation.
- Using knowledge bases.
- [12] H. Chraibi, "Dynamic reliability and assessment with PyCATSHOO: Application to a test case," in PSAM (10 pages), Tokyo, Japan, April 14th–18th.

Definition of a Mission Phase (step 1)
- The Mission Phase determines for the system:
  - the system structure,
  - the failure and recovery processes,
  - the success criteria.

Definition of the effect of a component on a function (step 3)
- The components which perform a function have to reach a quantified goal in order to achieve it fittingly.
- If a function is allocated to a component, then that component performs this function with an achievement rate to be defined.