Dynamic Reliability Modeling of Cooperating Digital-Based Systems

Authors

  • Florent Brissaud
  • Carol Smidts
  • Anne Barros
  • Christophe Bérenguer
Abstract

Dynamic reliability explicitly handles the interactions between the stochastic behavior of system components and the deterministic behavior of process variables. However, its industrial level applications are still limited, notably due to the inherent complexity of the theory and the lack of a generic modeling framework. The increased use of digital-based systems has also introduced additional modeling challenges related to the interactions between cooperating digital components. To solve these challenges, the present paper first extends the mathematical framework of dynamic reliability to handle 1) information and data computed and exchanged between digital components; and 2) random parameter deviations. A formalized Petri net approach is then proposed to perform the corresponding reliability analyses, using a finite element method. Finally, the framework's effectiveness is demonstrated on a simplified model of a nuclear reactor case study.

2 DYNAMIC RELIABILITY FRAMEWORK FOR COOPERATING DIGITAL-BASED SYSTEMS

2.1 Problem Formulation

In addition to time t, four types of variables are used to describe the complete system state. The process and components state variables remain the same as those defined by Devooght & Smidts (1992a). Data variables are introduced in order to characterize digital systems, and deviation variables extend the possibilities of failure modeling. All these variables are time-dependent. The process, data, and deviation variables are continuous and depicted by vectors of reals, respectively denoted x(t), y(t), and e(t). Components state variables are discrete and depicted by a vector of integers, denoted i(t) (cf. Table 1).

The process variables x(t) represent the physical variables involved in the system dynamics (e.g. pressure, temperature, volume). They evolve deterministically, given the components state, and with deviations as parameters (e.g. the level in a tank is determined by the configuration of the valves and the amount of leakage). The evolution of process variables may then usually be defined by a set of first order differential equations, indexed by the components state:

$$\frac{d}{dt}\, x(t) = x'_i(x, e, t) \quad (1)$$

The data variables y(t) represent any information or data which are computed, stored, and/or exchanged between system components (e.g. commands, measurement results, diagnostic information). By nature, they do not directly affect process and deviation variables, but are used to change the components state. The data variables may usually be expressed as a function of process and deviation variables, given the components state (e.g. when a transmitter is in a non-fully operating mode, i.e. a component state, its measurement results depend on the quantities to be measured, i.e. process variables, and on drifts, i.e. deviation variables). The data variables may also depend on their previous values (e.g. stored data, locked signals), denoted ȳ(t), with ȳ(t) = y(t − ε) and ε tending to 0:

$$y(t) = y_i(x, \bar{y}, e, t) \quad (2)$$

The deviation variables e(t) represent continuous errors or deviations in system properties, which evolve stochastically (e.g. system degradations, drifts), depending on process variables and the components state (e.g. the leak in a closed valve follows a random distribution influenced by the flow rate). Because the evolution of deviation variables is continuous, it may usually be defined by a set of first order differential equations which include random variables (e.g. the rate of crack growth is a random variable which depends on the current crack level), indexed by the components state:

$$\frac{d}{dt}\, e(t) = E'_i(x, e, t) \quad (3)$$

where E'_i(x, e, t) is a (function of) random variable.

Table 1. Nomenclature
__________________________________________________
Variable                     Description
__________________________________________________
t                            time
x(t)                         vector of process variables at time t
y(t)                         vector of data variables at time t
ȳ(t)                         vector of previous values of y(t) up to time t
e(t)                         vector of deviation variables at time t
i(t)                         vector of components state variables at time t
x'_i(x, e, t)                expression of the derivatives of process variables at time t, given i(t), x(t), and e(t)
y_i(x, ȳ, e, t)              expression of data variables at time t, given i(t), x(t), ȳ(t), and e(t)
E'_i(x, e, t)                vector of random variables which provides the rate of change of deviation variables at time t, given i(t), x(t), and e(t)
i_k                          specific value of vector i(t), indexed by k
p(i_k → i_l | x, y, e, t)    components transition rate from state i_k to state i_l at time t, given x(t), y(t), and e(t)
λ_ik(x, y, e, t)             total components transition rate from state i_k at time t, given x(t), y(t), and e(t)
F_ik(τ | x, y, e, t)         probability of leaving components state i_k in the time interval [t, t + τ[
P_i(x, y, e, t) ∙ I          product of vectors which determines i(t + Δt) randomly according to the transition rates
(i, x, y, e, t)              notation for (i(t), x(t), y(t), e(t)), description of the complete system state at time t
Δt                           time step
__________________________________________________

The components state variables i(t) represent the structure (configuration) of the system and are a function of the states of its components (operating or failed) and of human operations (e.g. opening or closing a valve). The state of any system component (e.g. operational, degraded, or failed) can be described by integers which are arranged in vector i(t). The components state variables may evolve both deterministically and stochastically, depending on process and data variables (e.g. a valve is controlled by a signal; a transmitter failure rate depends on the temperature), and on deviations (e.g. after a certain level of degradation, a component transition occurs from a degraded mode into a fully non-operating mode). The components transition rate from state i_k to state i_l at time t, given process, data, and deviation variables, is denoted p(i_k → i_l | x, y, e, t). The total components transition rate from state i_k is then:

$$\lambda_{i_k}(x, y, e, t) = \sum_{l \neq k} p(i_k \to i_l \mid x, y, e, t) \quad (4)$$

The transitions between components states are assumed instantaneous. When the components state at time t is i(t) = i_k, the probability that the components leave this state before time t + τ is therefore:

$$F_{i_k}(\tau \mid x, y, e, t) = 1 - \exp\left(-\int_0^{\tau} \lambda_{i_k}(x, y, e, t + u)\, du\right) \quad (5)$$

2.2 Mathematical Solution Using a Finite Element Method

For the numerical analysis of the complete system evolution according to time, a finite element method is adopted. A time step Δt is used which should be small enough to assume that the variables x(t), y(t), e(t), and i(t) are constant in any time interval [t, t + Δt[ without loss of accuracy. These variables at time t + Δt can then be determined from their values at time t. In particular, a components state transition which occurs between time t and time t + Δt is considered to occur exactly at time t + Δt. In the same way, the evolutions of the process, data, and deviation variables between time t and time t + Δt are considered to occur as "jumps" exactly at time t + Δt.

It is then possible to approximate the values of the process and deviation variables at time t + Δt, according to the complete system state at time t, using the finite differences of the derivatives given in Section 2.1:

$$x(t + \Delta t) \approx x(t) + \Delta t \cdot x'_i(x, e, t) \quad (6)$$

$$e(t + \Delta t) \approx e(t) + \Delta t \cdot E'_i(x, e, t) \quad (7)$$

In addition, the probability that the components remain in their current state at time t, denoted i(t) = i_k, up to time t + Δt, that is i(t + Δt) = i_k, is:

$$\Pr[i(t + \Delta t) = i_k \mid i(t) = i_k, x, y, e, t] = 1 - F_{i_k}(\Delta t \mid x, y, e, t) \approx 1 - \Delta t \cdot \lambda_{i_k}(x, y, e, t) \quad (8)$$

Similarly, the probability that the components leave their current state at time t, denoted i(t) = i_k, for another specific state at time t + Δt, denoted i(t + Δt) = i_l, with i_l ≠ i_k, can be approximated by:

$$\Pr[i(t + \Delta t) = i_l \neq i_k \mid i(t) = i_k, x, y, e, t] \approx \Delta t \cdot p(i_k \to i_l \mid x, y, e, t) \quad (9)$$

Note that a deterministic (certain) transition can then be modeled using a rate equal to 1/Δt. The couple (I, P_i(x, y, e, t)) is defined, with I a vector composed of all possible combinations of components states, and P_i(x, y, e, t) a vector with all its components equal to 0 except one that is equal to 1, whose components are determined randomly according to Equations (8) and (9), in such a way that:

$$i(t + \Delta t) \approx P_i(x, y, e, t) \cdot I \quad (10)$$

Once the components state, process and deviation variables are defined at time t + Δt, the data variables at time t + Δt can also be determined, using ε = Δt, which implies that ȳ(t + Δt) = y(t):

$$y(t + \Delta t) \approx y_i(x, \bar{y}, e, t + \Delta t) \quad (11)$$

Equations (6)-(11) show that the complete state of the system at time t + Δt, i.e. (i, x, y, e, t + Δt), can be fully determined from its state at time t, i.e. (i, x, y, e, t), through deterministic and stochastic evolutions. The system is therefore a piecewise-deterministic process (PDP) (Davis 1993).
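The time-stepping scheme of Equations (6)-(11) carried through on a small constructed system, as an added example that is not part of the original paper: a tank filled through a valve (process variable x, the level), a level transmitter (data variable y), and a leak that grows randomly (deviation variable e). The threshold HIGH_LEVEL, the inflow, and all rates are constructed values chosen for illustration; the transition with rate 1/DT is the deterministic control action described above.

```python
"""Added example: one finite-difference step of the piecewise-deterministic
process of Section 2.2 (Equations (6)-(11)) on a constructed toy system.
Components state i = (valve, transmitter); x = [level]; y = [transmitted
level]; e = [leak rate]. All numbers are constructed for illustration."""
import math
import random

DT = 0.1  # time step Delta_t [s]; must keep DT * lambda <= 1 for Eq. (8)

VALVE_OPEN, VALVE_CLOSED = 1, 0   # states of the valve component
TX_OK, TX_LOCKED = 1, 0           # states of the transmitter component
HIGH_LEVEL = 8.0                  # constructed threshold closing the valve


def x_prime(i, x, e, t):
    """Eq. (1): derivative of the level, given i(t) and the leak e(t)."""
    inflow = 2.0 if i[0] == VALVE_OPEN else 0.0
    return [inflow - e[0]]


def e_prime(i, x, e, t, rng):
    """Eq. (3): random growth rate of the leak, larger at high level."""
    return [rng.uniform(0.0, 0.05) * max(x[0], 0.0)]


def y_func(i, x, y_prev, e, t):
    """Eq. (2): the transmitter reports the level, or repeats its previous
    value y_bar(t) when locked (a "locked signal" data variable)."""
    return [x[0]] if i[1] == TX_OK else [y_prev[0]]


def transition_rates(i, x, y, e, t):
    """Rates p(i -> i') towards every reachable components state."""
    valve, tx = i
    if valve == VALVE_OPEN and y[0] >= HIGH_LEVEL:
        # Control action driven by the transmitted (data) value: a certain
        # transition, modeled with a rate equal to 1/DT as in Section 2.2.
        return {(VALVE_CLOSED, tx): 1.0 / DT}
    rates = {}
    if tx == TX_OK:  # transmitter failure rate depends on a process variable
        rates[(valve, TX_LOCKED)] = 1e-3 * math.exp(0.2 * x[0])
    return rates


def next_state(i, x, y, e, t, rng):
    """Eqs. (6)-(11): complete state (i, x, y, e) at time t + DT."""
    # Derivatives are evaluated at t before any variable is overwritten.
    dx, de = x_prime(i, x, e, t), e_prime(i, x, e, t, rng)
    x_new = [xi + DT * d for xi, d in zip(x, dx)]            # Eq. (6)
    e_new = [ei + DT * d for ei, d in zip(e, de)]            # Eq. (7)
    # Eqs. (8)-(10): stay with probability 1 - DT*lambda, otherwise move to
    # state i' with probability DT * p(i -> i'); one uniform draw decides.
    i_new, u, acc = i, rng.random(), 0.0
    for target, rate in transition_rates(i, x, y, e, t).items():
        acc += DT * rate
        if u < acc:
            i_new = target
            break
    y_new = y_func(i_new, x_new, y, e_new, t + DT)          # Eq. (11)
    return i_new, x_new, y_new, e_new


def simulate(steps, seed=0):
    """Run the scheme from an empty tank; returns the final state and time."""
    rng = random.Random(seed)
    i, x, y, e, t = (VALVE_OPEN, TX_OK), [0.0], [0.0], [0.0], 0.0
    for _ in range(steps):
        i, x, y, e = next_state(i, x, y, e, t, rng)
        t += DT
    return i, x, y, e, t


if __name__ == "__main__":
    print(simulate(100))
```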
2.3 Petri Net Formalism for Numerical Analyses

Petri nets and their extensions, including stochastic and colored characteristics, provide natural and effective tools for modeling dynamic systems (David & Alla 1994), notably for risk analysis (Vernez et al. 2003). Stochastic Petri nets have also been used efficiently in dynamic reliability (Dutuit et al. 1997). In the present paper, a Petri net formalism using stochastic and colored properties is proposed in order to provide a generic framework to:

  • flexibly model the dynamic reliability of a system with the help of a visual interface that is easy to handle;
  • simulate the evolution of the complete system state, using a finite element method.

In the proposed approach, each place of the Petri net is associated with one set of variables, and vice-versa. The number of places then increases linearly with the number of variables, which avoids any combinatorial explosion. According to the nature of the variables (continuous or discrete, stochastic or deterministic), different representations are used for graphical convenience (cf. Figure 1). The values of the variables are given by the (colored) token, with real or integer numbers (according to the places) inside the corresponding places, and are changed by the transitions. Each place therefore always contains one and only one token, and thus all the transitions are always enabled. Guards are then used for each transition and denoted sj[Δt], which means that the transition is fired at each time instant sj + k ∙ Δt, with k = 0, 1, 2, ...

Each transition of the Petri net is associated with a place, denoted "managed place." This place is linked to the transition by an input arc, which means that the corresponding variables are changed by the transition ("the token is removed from the place"), and linked to the same transition by an output arc, which attributes to the variables their new values ("the token is deposited in the place"). An expression is given on this output arc to specify these new values, which may depend on the previous values of the variables (handled by the input arc) and also on variables from other places. The latter places are then denoted "dependence places" and are linked to the corresponding transition by bi-directed arcs, which means that the values of their variables may be used by the transition, but are not changed. The new values of the variables (specified by the output arcs from the transitions to their "managed places") may also depend on random variables. Contrary to the "classical" stochastic Petri nets, the stochastic aspects therefore do not relate to time instants, but to values of variables (i.e. the token "color"). In this approach, time, as a variable, is modeled by a place. Besides, all the transitions are fired at deterministic time instants (specified by the transition guards). This approach can therefore be classified as an "untimed stochastic (and colored) Petri net."

Figure 1. Petri net tool box.

A generic Petri net for the dynamic reliability modeling of systems is depicted in Figure 2, using the elements described in Figure 1. The five types of variables defined in Section 2.1 are modeled, and depicted using different varieties of places. In Figure 2, the variables are represented by vectors (except for time t). For more detailed models, it is also possible to split these vectors into subsets, with one place for each subset, and to treat them separately. Each transition is fired at every time step Δt, changing the variables modeled by the corresponding "managed place," according to the equations given in Section 2.2 and specified on the output arcs. The transition that changes the time variable t is not linked to any "dependence place" and is simply used to increment time t by Δt at each solicitation. On the other hand, the components state variables i(t) are changed by random variables defined by Equation (10), which depend on all the variables.

In each time interval [t, t + Δt], all the values of the variables at time t + Δt are computed following a specific order defined by the sj (cf. top of Figure 2). (Such specific orders may also be required to deal with dependencies between subsets of variables.) Note that the values of the variables at time t + Δt depend on the values at time t (cf. Equations (6)-(11)). In particular, x(t + Δt) and e(t + Δt) both depend on x(t) and e(t). To avoid "losing" the values of x(t) (resp. e(t)) after computing x(t + Δt) (resp. e(t + Δt)), "Meta-transitions" are introduced. They are used to first compute all the derivatives at time t (i.e. x'_i(x, e, t) and E'_i(x, e, t)), storing them as additional variables (cf. Figure 3), and then to change the variables of the complete system state. A "Meta-transition" therefore has a double guard denoted (sj, sk)[Δt], which means that the derivative is computed at each time instant sj + k ∙ Δt, and the variables of the "managed place" at sk + k ∙ Δt.

Figure 2. Generic Petri net for the dynamic reliability modeling of systems.

Figure 3. Meta-transition for Petri net.

3 CASE STUDY OF A FAST REACTOR

3.1 The Europa Fast Reactor

The case study is the primary circuit of the Europa fast reactor. This system has been proposed as a benchmark problem on accident sequences (Wider et al. 1989). Several dynamic reliability analyses have also been performed on this application (Amendola & Reina 1984, Smidts & Devooght 1992, Swaminathan & Smidts 2000). A comprehensive description of the system is provided by Smidts & Devooght (1992). In the present paper, the physical variables have been simplified to allow us to focus more specifically on other aspects. In particular, new transmitter features (communications and drift corrections) and deviation variables have been introduced.

The simplified model of the primary circuit of the Europa fast reactor is depicted in Figure 4. This system is comprised of two channels (C1 and C2) where sodium is introduced as a coolant by a pump (PM). A lack of coolant, for example in case of a pump failure, increases the temperature in the channels and may yield hazardous events. The sodium temperatures in the channels (T1 and T2) are therefore monitored by transmitters (ST1 and ST2) which send their results (T1 and T2) to a common controller (CT). Similarly, the flow rate (G) is monitored by a third transmitter (SG) which sends its result (G) to another controller (CG). CT and CG send their signals (yCT and yCG) to a central controller (SDL). If a high temperature threshold (Tmax) or a low flow rate threshold (Gmin) is detected, then SDL sends a signal (ySDL) which should activate an emergency shutdown (SCM). This safety device, commonly named SCRAM, consists in inserting (under gravity) control rods into the core, which quickly stop the nuclear reaction by absorbing neutrons. The system variables are described in Sections 3.2 to 3.5.

Figure 4. The Europa Fast Reactor.

3.2 Components State Variables

The state of each of the eight system components is represented using a finite integer and constitutes one of the components of vector i(t), i.e. i(t) = (SPM(t), SSG(t), SCG(t), SST1(t), SST2(t), SCT(t), SSDL(t), SSCM(t)). In the following, and in accordance with the formalism presented in Section 2, each component of vector i(t) is modeled separately. The components state variables are defined in Table 2. The normal (full) operating modes of the components are represented by state variables equal to 1. When a component state variable is equal to 0, the corresponding failure mode is "dangerous," that is, it may directly yield an inability of the system to perform its safety function (i.e. inserting the control rods into the core). On the contrary, when a component state variable is equal to 2, the corresponding failure mode is "safe," that is, it may directly yield a spurious activation of the safety function. Other values of component state variables (3 or 4) correspond, for example, to "degraded" modes of operation. The state variables of the "mechanical" components, that is, the pump and the SCRAM, directly affect process variables as described in Section 3.3. On the other hand, the state variables of the controllers and transmitters directly determine data variables defined in Section 3.4. Finally, the effects of the "degraded" modes of operation are modeled using deviation variables defined in Section 3.5.

The transition rates between the possible states of each component are given in Table 3. Note that transition rates depend on time t, process variables, deviation variables, and the states of other components. A deterministic (certain) transition is also assumed for the SCRAM activation (using a rate equal to 1/Δt).

Table 2. Components state variables
__________________________________________________
System component                 State variable   Possible value with description
__________________________________________________
pump (PM)                        SPM(t)           = 1 normal operation
                                                  = 0 full failure
                                                  = 3 degraded operation
flow rate transmitter (SG)       SSG(t)           = 1 perfect results
                                                  = 0 results locked to current value
                                                  = 2 results locked to low value
flow rate controller (CG)        SCG(t)           = 1 correct signals
                                                  = 0 signals locked to "unsafe" value
                                                  = 2 signals locked to "safe" value
temperature transmitters (STi),  SSTi(t)          = 1 perfect results
with i = 1, 2                                     = 0 results locked to current value
                                                  = 2 results locked to high value
                                                  = 3 results subject to negative drifts
                                                  = 4 results subject to positive drifts
temperature controller (CT)      SCT(t)           = 1 correct signals
                                                  = 0 signals locked to "unsafe" value
                                                  = 2 signals locked to "safe" value
central controller (SDL)         SSDL(t)          = 1 correct signals
                                                  = 0 signals locked to "unsafe" value
                                                  = 2 signals locked to "safe" value
SCRAM (SCM)                      SSCM(t)          = 1 normal operation
                                                  = 0 full failure
                                                  = 5 SCRAM activation
__________________________________________________

Table 3. Transition rates between components states
__________________________________________________
State variable   From state   To state   Transition rate* [s⁻¹]
__________________________________________________
SPM(t)           1 or 3       0          1∙10 ∙ exp(δM(t) ∙ 5∙10)
                 1            3          1∙10
SSG(t)           1            0          2∙10
                 1            2          2∙10
SCG(t)           1            0 or 2     1∙10
SST1(t)          1, 3 or 4    0          4∙10 ∙ (1 + I1(SST2(t) = 0)) ∙ r(T1(t))
                 1, 3 or 4    2          4∙10 ∙ (1 + I1(SST2(t) = 2)) ∙ r(T1(t))
                 1            3 or 4     1.5∙10
SST2(t)          1, 3 or 4    0          4∙10 ∙ (1 + I1(SST1(t) = 0)) ∙ r(T2(t))
                 1, 3 or 4    2          4∙10 ∙ (1 + I1(SST1(t) = 2)) ∙ r(T2(t))
                 1            3 or 4     1.5∙10
SCT(t)           1            0 or 2     1∙10
SSDL(t)          1            0 or 2     1∙10
SSCM(t)          1            0          3.125∙10 ∙ t ∙ r((T1(t) + T2(t))/2)
                 1            5          (1/Δt) ∙ I1(ySDL(t) = 1)
__________________________________________________
* T1(t) and T2(t) are process variables defined in Section 3.3, δM(t) is a deviation variable defined in Section 3.5, and I1(.) and r(.) are functions defined by Equations (12) and (13).

The following function is used to model the effect of the temperature process variables (T1 and T2) on transition rates (cf. Table 3):

r(T) = 6.17∙10 ∙ exp(5.21∙10 ∙ T) (12)

The following function is used to model dependencies with component states (e.g. between the temperature transmitters, cf. Table 3):

I1(A) = 1 if assertion A is true, and 0 otherwise (13)

Figure 5. Flow rate evolution according to time t (G(t)), in scenarios s1, s2 (equivalent to s1), and s3, cf. Section 3.3.

Figure 6. Temperature evolution according to time t (T1(t) and T2(t)), in scenarios s1, s2, and s3, cf. Section 3.3.

3.3 Process Variables

The thirteen process variables are x(t) = (ω(t), G(t), Tc,1(t), Tc,2(t), T1(t), T2(t), P(t), C1(t), C2(t), C3(t), C4(t), C5(t), C6(t)) and are defined hereafter. Expressions of the derivatives are given by the following equations, with the initial conditions at time t0 = 0. The parameters and their values are reported in Table 4.

Angular speed of the pump, denoted ω(t) [rad/s]:

Publication date: 2017