A Model-Based Method for System Reliability Analysis

2nd International Workshop on

Model-driven Approaches for Simulation Engineering

held within the

SCS/IEEE Symposium on Theory of Modeling and Simulation

part of SpringSim 2012, March 26-29, 2012, Orlando, FL (USA)

A Model-Based Method for System Reliability Analysis

Alfredo Garro, Andrea Tundis{garro, atundis}@deis.unical.it

Department of Electronics, Computer and System Sciences (D.E.I.S.)University of Calabria – ITALY

Mod4Sim'12 - Alfredo Garro - DEIS - University of Calabria 2

� Introduction and Proposal

� A Model-Based method for System Reliability Analysis

� Exploiting the proposed approach: Reliability Analysis of a Flight Management System (FMS)

� Conclusions and future works

Outline


Aim of the proposal

� Define a model-based approach for the Reliability Analysis of systems which � combines in a unified framework the benefits of

popular OMG modeling languages (UML, SysML) with wide adopted simulation and analysis environments (Mathworks Matlab, Simulink)

� can be easily integrated into modern System Engineering methodologies

� Why another approach for reliability analysis?

� What is the relationship between the proposed approach and the already available reliability analysis techniques?


System Dependability and RAMS Analysis

� Dependability : “ the collective term used to describe the availability performance and its influencing factors: reliability performance, maintainability performance and maintenance support performance” (IEC - International Electrotechnical Commission)

� RAMS (Reliability, Availability, Maintainability and Safety): the engineering discipline which aims at providing an integrated and methodological approach to deal with system dependability



� The main objective od RAMS analyses is to identify causes and consequences of system failures

� RAMS analyses are typically carried out using a layered approach and through both quantitative and qualitative analysis techniques as:� series-parallel system reliability analysis � Markov Chain models� FMECA (Failure Modes Effects and Critical Analysis)� FTA (Fault Tree Analysis)� ….



Quantitative Analysis

Qualitative Analysis

Suitable for Software Intensive Systems

Series-Parallel (RBD)

x - -

Markov Chains x - -

FMEA/FMECA - x x(S-FMEA/S-FMECA)

FTA - x x(S-FTA)

HAZOP - x xHSIA - x x

SCCFA - x xPSH - x x


Limitations of the traditional approach and new perspectives

� The increase in both system complexity and accuracy required in the reliability analysis often makes inadequate the above mentioned techniques which are mainly based on:� statistical and probabilistic tools;� a hierarchical decomposition of the system in terms of

its components



there is a strong demand for new, more powerful and flexibleanalysis tools and techniques …

centered on model-based approaches so to benefit from the available modeling practices and …

which should incorporate the use of simulation to flexibly evaluate the system reliability indicesand compare different design choices


Reliability and other non-functional requirements… a brief reflection

� great attention has been devoted to functional requirements analysis and traceability BUT

� there is still a lack of methods which specifically address these issues for non-functional requirement s� the analysis concerning if and how non-functional

requirements are met by the system under development is not typically executed contextually to the design o f the system but still postponed to the last stages of th e development process (e.g. system verification)

� a high risk of having to revise even basic design choices and with a consequent increase in both completion time and development cost



� Despite a general consensus on the advantages that could derive from the exploitation of model-based approaches for system reliability analysis

� … the use of these techniques has been traditionally unusual and has not been recommended by international standards until recently (see IEC 61508, 2010)

This delay in the adoption is mainly due to the lack of methods able to integrate available modeling languag es,

tools and techniques in a consistent modeling frame work .


Our Proposal

A Model-Based approach for System Reliability Analy sis:� centered on a popular UML-based language for system

modeling (SysML)� exploiting a de facto standard platform for the simulation of

multi-domain dynamic and embedded systems (MathworksSimulink)

� fully specified as a method (in terms of phases, input and output workproducts, etc.) and thus “pluggable” in a complete System Development Process (e.g. based on a V-Model)


Our ProposalRAMSAS: A Model-Based method for

System Reliability Analysis

The RAMSAS method is centered on a classical iterative process which consists of four main phases: � Reliability Requirements Analysis� System Modeling� System Simulation� Results Assessment


When and where to exploit our method in a typical System Development Process

� According to Method Engineering, the proposed method can be integrated in various phases of a typical System Development Process, e.g. in a V-Cycle process:

� In the verification phase to support the evaluation of system reliability

� In the design phases to support the valuation and evaluation of configuration scenarios and settings of system parameters so to guide and suggest design choices

The proposed method is not intended to be an alternative to other RAMS techniques (FMECA, FTA, RDB, etc.) but rather

a complement able to provide additional analysis capabilities


RAMSAS: The Reliability Requirements Analysis phase

� In the Reliability Requirements Analysis phase, the objectives of the system reliability analysis are specified.

� INPUT work-products: System Design, System Requirements (functional and non-functional)

� OUTPUT work-products: Reliability Analysis Objectives � The functions that the system has to perform, the related

operative conditions , and the reference time horizons must be clearly individuate along with the main systemfailures and their local and global effects

� The reliability functions and indicators , to be derived from the analysis of the simulation results, must be identified along with the main analysis techniques to be applied to the data gathered from simulation


RAMSAS: The System Modeling phase

� In the System Modeling phase the structure and behavior of the System are modeled by using a SysMLbased notation.

� In this phase the System is decomposed in component entities by applying in-out zooming mechanisms.



� Each component entity is modeled as a SysML Block:� Block structure is defined by both a SysML

Block Definition Diagram (BDD) and an Internal Block Diagram (IBD)

� Block behavior is defined by SysML Activity, Sequence, State Machine, and Parametric Diagrams



� Block Structure :� the BDD describes the Block with its port

interfaces , internal attributes , operations , constraints , parts and relationships with other blocks

� the IBD provides a description of the Blockinternal structure , the organization of its component blocks, the type of composition and the topology of internal communication



� Block Behavior :� specified trough a set of Tasks whose

execution is characterized by pre and postconditions and can be periodically scheduledor triggered by events



� Block Behavior :Each Task is modeled using different types of SysMLDiagrams: (i) an Activity Diagram which allows modeling the Task as a flow of actions; (ii) a set of Sequence Diagrams which allows modeling specific scenarios, each of which corresponds to a given sequence of actions in the Activity Diagram of the Task

� special T asks, which model the onset, propagation and management of Block failures, are also introduced



� Block Behavior :For each Block a State Machine Diagram can be derived by combining the Activity and Sequence Diagrams associated with the Tasks in which the Block is involved so to obtain a state-based representation of the Behavior of the Block



SysML Parametric Diagrams are also introduced for supporting specific analysis…

…by defining constraint blocks which express mathematical equations and their parameters that may correspond to block properties


RAMSAS: The System Simulation phase

� In the System Simulation phase, the previously obtained Models of the System are represented in terms of the constructs offered by Mathworks Simulink

� The model transformation is enabled by IBM Rational Rhapsody



� Transformation between models is based on a mapping between the basic SysML and Simulink constructs :

Moreover, the Mealy Machines which model the behavior of a Simulink Block is obtained by the corresponding SysML Behavioral Diagrams

Entity SysML SimulinkSystem/Subsystem/

Equipment/ComponentBlock, Part Block, Subsystem

BlockBehavior/Constraint Activity diagram,

Sequence diagram, Parametric diagram

S-Function, State Flow diagram

Input/Output Interface Flow Port Input/Output Simulink Block

Association/Binding Connection Line



� The resulting Simulink System is a network of blocks which is executed according to a synchronous reactive model of computation : � at each step, Simulink computes, for each

block, the set of outputs as a function of the current inputs and the block state, then it updates the block state


RAMSAS: The Results Assessment phase

� In the Results Assessment phase, the data gathered from the simulations are analyzed with reference to the objectives of the reliability analysis identified i n the initial phase of the process:� directly in Simulink� by using useful add-on like SIMLOG� by external analysis tools

� As for any iterative process, new (partial or complete) iterations can be executed for achieving new or mis sed analysis objectives


Exploiting the RAMSAS methodfor System Reliability Analysis

� Reliability analysis of a Flight Management System (FMS)� Integrated Modular Avionics (IMA):the high level of integration of an IMA makes its reliability analysis a challenging task due to the difficulty in identifying the occurrences and propagation of faults and then the consequent system failures


The Reliability Requirements Analysis phase

� a qualitative analysis of the System reliability requires accurately identifying the weaknesses of the system, its critical components, how they can break down, the way in which faults propagate and the impacts of each failure on the entire system

� moving from qualitative to quantitative reliability evaluations , the Reliability Function of the System should be evaluated along with main reliability indices (e.g. Mission Capable Rate (MCR) = (MTTCF+MTTR)/(MTTCF+2MTTR))

� By combining qualitative and quantitative results, a clear picture of the reliability performances of the system can be obtained and alternative design solutions to effectively address the design and maintenance of the system can be compared


The System Modeling phase

� The system is decomposed according to the following four-stage hierarchy: system, subsystems, equipment, and components

� By applying the well-known zooming-in mechanisms, the internal structure of each subsystem is represented in details by an IBD which shows its constituting equipment;

� in turn, each equipment is further specified in terms of its components by a related IDB diagram







� Beside the System structure, the behavior of the System is also specified following the same layered approach but in a bottom-up fashion : from the component level to the equipment, subsystem, and system level…



� An example of behavioral modeling: the specification of the behavior of the Inertial Reference Unit , a key component of the IRS equipment

Tasks of the of the Inertial Reference Unit compone ntTask Pre conditions Post conditions Execution

Schedule

Alignment Operation Mode and Initial Position values

available

Component state changed

Triggered

Attitude Calculation

flight status and parameters

Attitude parameters calculated

Triggered

… … … …Failure

ManagementComponent failure Safety state reached Triggered

Fault Generation

Component is working

(Possible) fault generation

Periodical

Fault Evaluation

Fault generated (Possible) component failure

Triggered

Failure Propagation

Component failure (Possible) failure propagation

Triggered


The System Simulation phase

� The System Simulation is a semi-automatic process that starts by transforming the SysML diagrams into Simulink models

� After obtaining the Simulation Model, the setting of the simulation parameters are performed according to the analysis objectives, then simulation are executed and data gathered for the analysis phase


The System Simulation phase


The Results Assessment phase

� Several simulations have been executed for analyzing the behavior of the System in different scenarios and evaluating its reliability functions and indicators

� Usually, an analytic definition of these reliability characteristics is very difficult due to the complexity of the System in terms both of its structure and behavior.

� The scalability and flexibility of the proposed modeling and simulation approach allowed the evaluation of the main reliability functions and indices in an inductive fashion as well as the observation of macro-level phenomena which are hardly captured by classical analytical/deductive models



� The analysis of the simulation data provided useful indications which allowed obtaining a more descriptive and predictive reliability system model and suggested some design choices which could improve the system reliability indicators



� As an example, the analysis of the simulation data of different and extreme operative scenarios have shown that the MCR of the considered System significantly varies (from 63,9% to 75,6% in the carried out experiments) on the basis not only of the system organization and behavior but also of its configuration and parameter settings


Conclusions and Future Work

� The proposed a model-based method for the Reliability Analysis of systems combines in a unified framework the strengths of:� powerful visual languages (as OMG SysML), suitable

to flexibly model the architectural and behavioral aspects of complex, dynamics, and heterogeneous systems

� mature and popular tools (as Mathworks Simulink), suitable for the simulation and analysis of multi-domain systems



� The proposed method is not intended to be an alternative to other RAMS techniques (FMECA, FTA, RDB, etc.) but rather a complementable to provide additional analysis capabilities

� The method can be integrated in various phases of a typical System Development Process (e.g. in the Verification and/or Design phases of a V-Cycle)

� This allows supporting the satisfaction and traceability of an important non-functional requirement, such as relia bility, in the early stages of a development process with considerable time and cost reductions respect to more traditional reliability analyses techniques which are often carried on in the last stages of the development with the risk of having to revise even basic design choices.



The concrete exploitation of the proposed has allowed appreciating:� its flexibility and scalability in complex

system modeling � its effectiveness in valuating and evaluating

through simulation the system reliability performances



Ongoing research efforts are devoted to:� enrich and improve RAMSAS � extensively experiment RAMSAS in the analysis

of mission-critical systems in different application domains

� integrate RAMSAS in the IBM Rational Harmony for Systems Engineering process

� support other environments for carrying out the Simulation Phase (e.g. OpenModelica)


Acknowledgments

� IBM Haifa Research Center (Henry Broodney, Michael Masin)

� ESA-ESTEC (Daniele Gianni)

� Z-Lab Engineering (Gabriele Luceri, Nicola Chirillo)


[email protected]

Thank you

Technology

A Model-Based Method for System Reliability Analysis