Reliability of Safety-Critical Systems 5.4 Petrinets

Transcription

1 Reliability of Safety-Critical Systems 5.4 Petrinets Mary Ann Lundteigen and Marvin Rausand RAMS Group Department of Production and Quality Engineering NTNU (Version 1.0) M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.0) 1 / 24

2 Reliability of Safety-Critical Systems Slides related to the book Reliability of Safety-Critical Systems Theory and Applications Wiley, 2014 Theory and Applications Marvin Rausand Homepage of the book: books/sis M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.0) 2 / 24

3 Purpose The purpose of this slide series is to: 1. Explain the main attributes and concepts associated with Petri Nets 2. Explain how Petri Nets may be used for system reliability analysis 3. Discuss some pros and cons for the application of Petri Nets M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.0) 3 / 24

4 About Petri nets Petri Nets is a well known approach in many application areas, but has not until recently got a high status within the field of system reliability. Petri Nets was introduced by Carl Adam Petri in the 1960s It has bee widely used for analysis of telecommunication, software engineering, and transportation Petri Nets are now referenced by IEC as a suitable approach for reliability analysis IEC defines terminology and gives requirements for the use of Petri Nets We will use the abbreviation PN for Petri nets in the following slides. M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.0) 4 / 24

5 Places, transitions, and arcs A PN constiute two basic nodes: places, drawn as circles, and transitions, drawn as bars. Places: Circles used to model local states or conditions (e.g., failed or functioning). Transitions: Bars used to model local events (e.g., failure or restoration). Arcs: Directed arcs that links places and transitions. Input place p 1 p 2 Output place Figure: Input places vs output places M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.0) 5 / 24

6 Tokens and firing Tokens (black circles) are dynamic elements used to illustrate the system state at a certain point in time. p 1 t1 p p 2 1 t 1 p 2 (a) (b) Note that: Figure: Simple PN, without (a) and with (b) tokens A PN with tokens is called a marked PN Firing is the event where one or more tokens are moved from one place to another M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.0) 6 / 24

7 Multiplicity and enabling Multiplicity (or weight): A digit (e.g., 1, 2 etc) assigned to an arc, and which represents the number of tokens the arc delivers at a time. It may be remarked that: When multiplicity is 1, it is not specified in the PN A transition is enabled (ready for firing) if the number of tokens in each of its input places is equal to or greater than the multiplicity of the associated arcs. Not enabled p1 p2 2 (a) 2 t 1 p 3 Enabled, before firing p1 p2 2 (b) 2 t 1 p 3 After firing p1 p2 Figure: PN before and after firing 2 (c) 2 t 1 p 3 M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.0) 7 / 24

8 Inhibitor arc Inhibitor arc: A directed arc with by a small circle, and whose main purpose is to block the output transition if the number of tokens is in the input places are equal to or higher than the multiplicity (weight) of the arc. p 1 p 2 t p 1 3 Figure: PN with inhibitor arc Figure above: Transition t 1 is inhibited as long as there is a token in place p 2. M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.0) 8 / 24

9 Transition types Transitions may be immidiate (when enabling conditions are fulfilled), or timed with a delay > 0. The delays may be deterministic or stochastic, as shown in the table below: Type of transition in PN Deterministic Stochastic Parameter Delay is zero Delay is d Exponentially or geometrically distributed Arbritrary distributed d λ Symbol M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.0) 9 / 24

10 Stochastic PNs Stochastic PN (SPN): A PN with stochastic transitions only. A generalized SPN (GSPN) allows timed as well as immidiate transitions, but only exponentially distributed firing times are accepted for the timed transitions. This means that GSPN is not so general, in the meaning that it allows any type of stochastic distributions for the times transitions. M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.0) 10 / 24

11 State of an item A PN may be used to model the functioning and failure of a single item, as shown below: p 1 Functioning t 2 t 1 Repair ended p 2 Failure Not functioning M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.0) 11 / 24

12 Fault tree A PN may be used to model an OR gate in a fault tree, as shown below: TOP p 3 t 1 t p 1 p 2 M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.0) 12 / 24

13 Fault tree A PN may be used to model an AND gate in a fault tree, as shown below: TOP p 3 t p 1 p 2 M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.0) 13 / 24

14 Having different failure modes A PN may be used to model an item that can experience a dangerous detected (DD) or dangerous undetected (DU), as shown below: p SW p SW puw tdu puf tsdu tsdd puw t DU puf tsdu tsdd p SF p SF pdw λ DU tdd p DF pdw λ DU tdd pdf λ DD λ DD (a) (b) Note: Notations are explained in the next slide slide. M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.0) 14 / 24

15 Notations (previous slide) Parameter p UW p DW p SW Parameter p UF p DF p SF Parameter t DU t DD t SDU t SDD Working states (when token is present) State where no DU failure is present State where no DD failure is present State where system is working (no DU or DD failure present) Failed states (when token is present) State where a DU failure is present State where a DD failure is present State where the system has failed (DU or DD failure is present) Transitions Firing of a DU failure (exponentially distributed) with rate λ DU Firing of a DU failure (exponentially distributed) with rate λ DD (Immidiate) firing of a system failure caused by a DU failure (Immidiate) firing of a system failure caused by a DD failure M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.0) 15 / 24

16 1oo2 voted system (non-repairable) A PN may be used to model a non-repairable 1oo2 voted system, as seen below. p SW p1w t1f p 1F t SF p SF p 2W t 2F p 2F Note: Notations are provided on the next slide. M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.0) 16 / 24

17 Notations (previous slide) Parameter p SW p 1W p 2W Parameter p 1F p 2F p SF Parameter t 1F t 2F t SF Working states (when token is present) State where system is working State where channel 1 is working State where channel 2 is working Failed states (when token is present) State where channel 1 has failed State where channel 2 has failed State where system has failed Transitions Firing of a failure (exponentially distributed) with rate λ 1F Firing of a DU failure (exponentially distributed) with rate λ 2F (Immidiate) firing of system failure if both channels have a failed M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.0) 17 / 24

18 1oo2 voted system (repairable) A PN may be used to model a repairable 1oo2 voted system, as seen below. p SW t 1R p1w t1f p 1F t SF tsr1 tsr2 p SF p 2W t 2F p 2F t 2R Note: Notations are provided on the next slide. M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.0) 18 / 24

19 Notations (previous slide) Parameter Parameter Parameter t 1F t 2F t SF Parameter t 1R t 2R t SR1 t SR1 Working states (when token is present) See notations for non-repairable 1oo2 system Failed states (when token is present) See notations for non-repairable 1oo2 system Transitions (failure) Firing of a failure (exponentially distributed) with rate λ 1F Firing of a failure (exponentially distributed) with rate λ 2F (Immidiate) firing of system failure when both channels have failed Transitions (repair) Firing of a repair (exponentially distributed) with rate µ 1R Firing of a repair (exponentially distributed) with rate µ 2R (Immidiate) firing of a return to functioning state after repair of channel 1 (Immidiate) firing of a return to functioning state after repair of channel 1 M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.0) 19 / 24

20 Modularization of PNs It may be feasible to modularize the PN, by modeling each functional block (in a reliability block diagram). A module can include two parts: Intrinsic part: Modules that describes the behavoir of the items in the module Extrinsic part: Module that links the intrinsic part to system properties (e.g., failure, repair, working) S t 1R C1 p SW p1w t1f p 1F p1w t S p2w p1f tsr1 p SF p2f tsr2 p 2W t 2F p 2F t 2R C2 M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.0) 20 / 24

21 Predicates and Assertions By Predicates (?? ) and Assertions (!! ), the modeling of the 1oo2 system may be simplified as follows: Ci!!nb pw = nbpw + 1 t ir!!nb pf = nbpf 1??nbpF > 0 p SW S piw ti F p i F?? nbp W == 0 t S t SR??nbp W > 0!!nbpF = nbpf + 1!!nbpW = nbpw 1??nbp W > 0 p SF Note: Notations are as defined on previous slides. Explanation of?? and!! are found in the textbook. M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.0) 21 / 24

22 Reliability block diagram driven PNs Reliability block diagram (RBD) driven PNs may be constructed with basis in modules of item/channel states, as seen in the illustration on the next slide. The following features are added to the model: States variables: Local item or channel level, here denoted C i Global/system level, here denoted S Temporary states (local or global), here global and denoted A and B Global assertions, which are statements that are related to global state variables (by pointing at global states)!!a = In.Ci means that the temporary state A is assigned the value of the local state Ci M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.0) 22 / 24

23 Reliability block diagram driven PNs!C1 C1!!nbpW = nbpw + 1 t 1R!!nbpF = nbpf 1??nbp F > 0!!A = In.C1 p1w t1f p1f A In = 1 1!-C1!!nbpF = nbpf + 1!!nbpW = nbpw 1??nbp W > 0 S C2 t 2R!C2!!nb pw = nbpw + 1!!nb pf = nbpf 1??nbp F > 0!!B = In.C2!!S = A + B p2w t 2F p2f B!-C2!!nb pf = nbpf + 1!!nb pw = nbpw 1??nbp W > 0 M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.0) 23 / 24

24 Analysis (of reliability) Software tool is more or less required in order to use PNs for reliability analysis. Some alternatives are: SHARPE developed by Duke University GRIF developed by Total Matlab (?) For repairable systems, availability (or unavailability) may be found by calculating the (average) time spent in places p SW and p SF. M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.0) 24 / 24