An Emergency Depressurization System of A Hydrocracking Unit


Reliability Analysis of Safety Systems

Safety Instrumented Systems (SIS) are crucial safety barriers for preventing hazardous accidents in industrial systems. These systems are composed of sensors (e.g. pressure sensors), logic solvers (e.g. programmable logic controllers), and final elements (e.g. isolation valves). Logic solvers translate signals transmitted from sensors into decisions made on final elements. SIS have received huge attention from various industrial sectors. Associated standards have been proposed in specific industries, such as the process industry [56], the nuclear power industry [52], the machinery industry [46, 61], the automotive industry [59], as well as the railway industry [45, 54, 49]. The main standard is IEC 61508 [50]. Sound performance of SIS is crucial for the protected systems (i.e. Equipment Under Control: EUC). Reliability issues of SIS have been studied extensively (see e.g. [60, 104, 105, 29]). Many aspects related to SIS have been investigated, including proof tests (see e.g. [73, 21, 79]), K-out-of-N voting structures (see e.g. [121, 92, 62]), common cause failures (see e.g. [81, 66, 40]), spurious failures (see e.g. [82, 64]), human and organizational factors (see e.g. [109, 100]), uncertainty (see e.g. [57, 65]), and optimization issues (see e.g. [120, 80]). In particular, Markov Chain models are applied to study proof tests considering demand rate and imperfect behaviors in [73]. In [21], FT and PN are used to investigate proof tests. Another way to study SIS is to use (simplified) equations/formulae. In [79], PN and approximation formulae are employed to analyze the safety performance of insert testing (a proof test after the repair of a dangerous detected failure by the same maintenance team). In [121], MooN structures (i.e. k-out-of-n: G systems with added voters) are analyzed using FT and formulae. In [92], the authors generalize analytical equations for analyzing any KooN structure.
In [62], the authors give a generalized PFD formula for KooN systems used in IEC 61508. In [81], a Common Cause Failure (CCF) defense approach is presented, which comprises checklists and analytical tools, for SIS in the oil and gas industry. SIS normally operate in low demand mode, which means that regular testing and inspection are required to reveal SIS failures. In [66], average PFD formulae for KooN systems are proposed. They take into account both CCF and non-periodic partial testing. In [40], generic estimates of beta-factors for CCF are discussed. In [82], generic formulae are established for spurious trips, and in [64], the authors further develop the available analytical formulae for the spurious trip rate. In [109], a methodology is proposed to evaluate human and organizational factors in the operational phase of SIS. In [100], a framework is given to manage the factors influencing the beta-factor (used for modeling CCF) of SIS in the operational phase. Uncertainty of the PFD estimate is classified as completeness uncertainty, model uncertainty, and parameter uncertainty [65]. In order to avoid evaluation uncertainties, influencing factors (e.g. design, environment, and use) in reliability are discussed [18, 19]. A methodology for failure rate evaluation of SIS considering influencing factors is proposed. In [57], an approach combining Monte Carlo simulation and fuzzy sets is put forward to handle uncertainties in SIS. In [120], the researchers show multi-objective optimization of proof testing policies using genetic algorithms. In [80], the authors give a model to optimize the operation and testing of SIS, applying modeling by fault trees together with optimization by a genetic algorithm. Few works related to patterns of SIS have been carried out. Related works can be found in [60, 114], where Reliability Block Diagram driven Petri nets are proposed for the reliability analysis of SIS. The readability of PN is improved by means of RBD.
FT patterns are proposed to model safety mechanisms of automotive electric and electronic functions [23]. FT patterns include the classic second order Safety Mechanism (SM2) representation, maintenance, periodic tests, and the scenario without SM2. The proposed FT pattern models are tested using XFTA (see e.g. http://www.altarica-association.org), a fault tree calculation engine. SIS have common behaviors such as periodic test policies to discover dangerous undetected failures. In a recent work, we propose a pattern-based methodology for reliability assessment of SIS [87]. Based on a series of SIS provided in ISO/TR 12489, a set of modeling patterns is put forward.

Model-based Safety Assessment

The classical safety assessment techniques suffer from several intrinsic and incidental limitations. One of the main limitations is that FT and ET, the two formalisms mainly used to design models, stand at a relatively low level. Not only is their expressive power limited, but the models are also distant from the systems under study. As a consequence, models are hard to design and even harder to share amongst stakeholders and to maintain throughout the life-cycle of systems. Hence the interest in higher-level modeling formalisms increases steadily. Major advantages of Model-Based Systems Engineering (MBSE) include enhanced communication between stakeholders and team members. MBSE also allows a shared understanding of the domain, improved knowledge capture, design precision and integrity without disconnections among data representations, better information traceability, enhanced reuse of artifacts, and reduced development risk [101]. The model-based approach for safety analysis is gradually winning the trust of safety engineers but is still a wide domain of research [76]. Model-Based Safety Assessment (MBSA) is a reliability engineering branch of MBSE. MBSA techniques have been developed in recent years to address challenges in analyzing and verifying complex safety-critical systems. MBSA focuses on developing effective and robust safety assessment techniques through the automation of the safety analysis process [110]. Among the MBSA techniques, the AltaRica language is introduced in IEC 61508 [50] as a technique for calculating probabilities of hardware failures in SIS. It is also mentioned in ISO/TR 12489 as a formal language to model the functioning and dysfunctioning of industrial systems [60]. AltaRica has become a de facto European industrial standard for MBSA [15].
It is currently employed as an internal representation language by several safety analysis workshops: Cecilia OCAS (Dassault Aviation), Simfia (EADS Apsys), Safety Designer (Dassault Systemes), and AltaRica Studio (LaBRI) [76].
The first version of AltaRica was designed at the end of the 1990s [95, 3]. Since then, a significant amount of scientific research has been done and a solid industrial experience has been acquired, including the certification of aircraft. Commercially distributed environments make it possible to create, edit, assess and simulate models graphically. AltaRica Data-Flow, the 2.0 version of AltaRica, has already been used for evaluating the production availability of an oil production system [11]. The mathematical foundations of AltaRica Data-Flow [11] and AltaRica 3.0 [99] are mode automata and guarded transition systems, respectively. Guarded transition systems enable the new version of the language to handle systems with instant loops and to define acausal components [108]. Several assessment tools are available for analyzing AltaRica 3.0 models. These tools include a Markov chain generator, a fault tree compiler, a stepwise simulator, and a stochastic simulator. The last one is currently the most powerful, especially where the other tools cannot be applied [76]. Indeed, stochastic simulation is an important tool for the safety and reliability analysis of systems, which can produce reasonable results for safety and reliability indicators [10, 128].

Modeling Languages

Modeling languages are indispensable for performance analysis. These languages can be classified into two categories: classical and model-based approaches, as shown in Figure 2.1. Classical approaches are those traditionally leveraged for reliability assessment. They are further classified into Boolean and state/transition formalisms. Boolean formalisms are commonly used in safety and reliability studies of industrial systems. Boolean formalisms can describe static (logical) links between elementary failures and system failure. Reliability block diagrams, fault trees, and event trees belong to Boolean formalisms. State/transition formalisms can describe how a system behaves (jumps between states) according to arising events (e.g. failures and repairs). Markov Chains (MC) and Stochastic Petri Nets (SPN) are examples of such formalisms. Classical approaches are well established and are used extensively for reliability assessment. Nevertheless, models designed with these formalisms are far from the functional architecture of the system. As a consequence, models are hard to design and to maintain throughout the lifecycle of systems. A small change in specifications may require a complete revisit of the safety models, which is both resource consuming and error prone [76]. Therefore, model-based approaches have been proposed to tackle this issue. Model-based approaches describe systems with high-level modeling formalisms. Many approaches have been developed, such as Hip-HOPS, SAML, FIGARO, and AltaRica.

Formal Definition of Guarded Transition Systems

A GTS is a quintuple $\langle V, E, T, A, \iota \rangle$, where $V$ is a finite set of variables, $E$ is a finite set of events, $T$ is a finite set of transitions, $A$ is an assertion, and $\iota$ is the initial assignment of variables.
(i) $V$ is the disjoint union of the set $S$ of state variables and the set $F$ of flow variables: $V = S \uplus F$. Each variable $v \in V$ takes its value from a domain denoted by $domain(v)$. Variables can be Booleans, integers, floating point numbers, members of finite sets of symbolic constants, or anything convenient for the modeling purpose. A variable assignment is a function from $V$ to $\bigcup_{v \in V} domain(v)$. A variable update is a function from $\bigcup_{v \in V} domain(v)$ into itself; it is a function that transforms a variable assignment into another one.
(ii) Each event $e \in E$ is associated with:
– A monotonically increasing and invertible function $delay_e$ from $[0,1]$ into $\mathbb{R}^+$, the set of positive real numbers.
– A weight (a real number) $weight_e$ (by default, $weight_e = 1.0$).
(iii) Each transition $t \in T$ is a triple $\langle e, g, a \rangle$, denoted by $g \xrightarrow{e} a$, where $e$ is an event in $E$, $g$ is a Boolean condition (guard) over the variables in $V$, and $a$ is an instruction over the variables of $V$, that is, a variable update. $a$ is called the action of the transition.
(iv) The assertion $A$ is an instruction over the variables of $V$.
Let $\sigma$ be a variable assignment and $t : g \xrightarrow{e} a$ be a transition which is fireable in $\sigma$, i.e. such that $\sigma(g) = true$. Firing $t$ updates $\sigma$ into the assignment $\rho = A(a(\sigma))$, which means applying to $\sigma$ the update $a$ first, then the update $A$ (the global assertion). We say that a variable $v \in V$ is impacted by the update of $\sigma$ into $\rho$ if $\rho(v) \neq \sigma(v)$. By extension, we say that the transition $g \xrightarrow{e} a$ is affected by this variable update if at least one of the variables occurring in $g$ is impacted by the update. Let $t : g \xrightarrow{e} a$ be a transition in $T$. By extension, we define $weight_t$ as $weight_e$. If two transitions can be fired at the same time, then the weight is used to choose randomly among them.
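The definition above can be made concrete with a small interpreter. The following is an added example, not code from the thesis or from the AltaRica tools: it encodes a GTS in Python (assignments as dicts, transitions as guard/event/action triples, $delay_e$ as an inverse CDF on $[0,1]$, ties broken by $weight_e$), implements the firing rule $\rho = A(a(\sigma))$ together with the notions of impacted variables and affected transitions, and then runs a stochastic simulation of a single safety component whose dangerous undetected failure is revealed only by a periodic test, in the spirit of the PeriodicTest behavioral pattern listed in the catalog. The class names, the flow variable `available`, the state names and the numerical parameters (failure rate, test interval, repair rate) are this example's own assumptions.

```python
import math
import random


class Event:
    """An event e in E: delay_e is an inverse CDF, a function [0,1] -> R+, plus a weight."""

    def __init__(self, name, delay, weight=1.0):
        self.name, self.delay, self.weight = name, delay, weight


class Transition:
    """A transition g -e-> a; `reads` lists the variables occurring in the guard g."""

    def __init__(self, event, guard, action, reads):
        self.event, self.guard, self.action, self.reads = event, guard, action, set(reads)


class Gts:
    """A GTS <V, E, T, A, iota>; a variable assignment is a dict name -> value."""

    def __init__(self, iota, transitions, assertion):
        self.assertion = assertion              # A: applied after every action
        self.transitions = transitions          # T
        self.sigma = assertion(dict(iota))      # initial assignment, flows set by A

    def fireable(self):
        """Transitions whose guard holds in the current assignment sigma."""
        return [t for t in self.transitions if t.guard(self.sigma)]

    def fire(self, t):
        """rho = A(a(sigma)); returns the impacted variables and the affected transitions."""
        rho = self.assertion(t.action(dict(self.sigma)))
        impacted = {v for v in rho if rho[v] != self.sigma[v]}
        affected = [u for u in self.transitions if u.reads & impacted]
        self.sigma = rho
        return impacted, affected

    def simulate(self, horizon, rng):
        """Stochastic simulation: every enabled transition holds a firing date
        now + delay_e(u) with u uniform on [0,1]; the earliest one fires and ties
        are resolved at random by weight. Returns the fraction of the horizon
        during which the flow `available` was False (a PFD estimate)."""
        now, downtime, dates = 0.0, 0.0, {}
        while True:
            enabled = self.fireable()
            dates = {t: d for t, d in dates.items() if t in enabled}   # disabled: drop date
            for t in enabled:                                          # newly enabled: draw
                if t not in dates:
                    dates[t] = now + t.event.delay(rng.random())
            if not dates or min(dates.values()) > horizon:
                break
            t_min = min(dates.values())
            ties = [t for t, d in dates.items() if d == t_min]
            chosen = rng.choices(ties, weights=[t.event.weight for t in ties])[0]
            if not self.sigma["available"]:
                downtime += t_min - now
            now = t_min
            del dates[chosen]                  # fired: gets a fresh date if re-enabled
            self.fire(chosen)
        if not self.sigma["available"]:
            downtime += horizon - now
        return downtime / horizon


def exponential(rate):
    """Inverse CDF of an exponential law: monotonically increasing and invertible."""
    return lambda u: -math.log(1.0 - u) / rate


def dirac(tau):
    """Deterministic delay of tau time units, used as the periodic test clock."""
    return lambda u: tau


def periodic_test_component(lam, tau, mu):
    """Assumed model: a dangerous undetected failure (rate lam) is revealed only
    by a test every tau hours and then repaired at rate mu. The assertion A
    derives the flow variable `available` from the state variable `state`."""
    fail = Event("failure", exponential(lam))
    test = Event("test", dirac(tau))
    repair = Event("repair", exponential(mu))
    transitions = [
        Transition(fail, lambda s: s["state"] == "WORKING",
                   lambda s: {**s, "state": "FAILED_UNDETECTED"}, ["state"]),
        Transition(test, lambda s: True,
                   lambda s: {**s, "state": "FAILED_DETECTED"}
                   if s["state"] == "FAILED_UNDETECTED" else s, []),
        Transition(repair, lambda s: s["state"] == "FAILED_DETECTED",
                   lambda s: {**s, "state": "WORKING"}, ["state"]),
    ]

    def assertion(s):
        return {**s, "available": s["state"] == "WORKING"}

    return Gts({"state": "WORKING"}, transitions, assertion)


def estimate_pfd(lam=1e-3, tau=100.0, mu=0.1, horizon=1e6, seed=1):
    """Monte Carlo PFD estimate for one component; roughly lam*tau/2 plus repair time."""
    return periodic_test_component(lam, tau, mu).simulate(horizon, random.Random(seed))


if __name__ == "__main__":
    print(f"estimated PFD = {estimate_pfd():.4f}, lambda*tau/2 = {1e-3 * 100 / 2:.4f}")
```

Two points of the definition show up directly in the code: the test transition has a guard that is always true and a deterministic delay, so it keeps a standing date and fires every `tau` hours regardless of the component state, while the failure transition is disabled once it has fired and only draws a new date after the repair re-enables it. Because the flow variable is recomputed by the assertion after every action, the simulation never reads a stale `available` value.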


Notion of Modeling Patterns

In some modeling languages, for instance Modelica [33], modeling experience is capitalized by designing libraries of reusable components. The experience with AltaRica shows that, when designing models, the same modeling patterns occur systematically. For instance, modeling two components in cold redundancy involves basically the same AltaRica mechanisms, regardless of whether these components are pumps, valves, or repair crews. Designing libraries of modeling patterns applies model engineering principles and techniques that have proved very efficient in software engineering [35, 119]. Patterns can be utilized to reuse capitalized knowledge, an idea initially proposed in civil engineering [2]. The concept was subsequently adopted in software engineering as design patterns [35]. These patterns are descriptions of communicating objects and classes that are customized to solve a general design problem in a particular context [35]. A design pattern promotes design reuse, conforms to a literary style, and defines a vocabulary for discussing design [34]. Some researchers have tried to provide a general framework for reusing patterns. Pattern-based systems engineering was proposed in [24]; its procedure includes pattern definitions and system development with patterns [39]. The basic idea of pattern-related studies is that the design should be specific to the present problem but also general enough to solve future problems and to meet requirements [35]. Reuse of components and subsystems is a usual practice in modeling safety-critical systems. To reuse system behaviors, we need to standardize the representation of reusable components and figure out the way they exchange information [67]. A library of reusable argumentation patterns is put forward in [70] to capture known solution algorithms and architectural measures/constraints. This library focuses on safety mechanisms in the automotive domain.
In the RAMS (Reliability, Availability, Maintainability, and Safety) community, patterns have been discussed in [96]. Patterns involved in accident analysis are discussed in the traffic domain [38] and in industrial plants [123], albeit these studies mainly employ statistical methods to discover patterns of accident causes. A dependability pattern is the description of a particular recurring dependability problem that arises in specific contexts and presents a well-proven generic scheme for its solution [39]. Resilience design patterns are proposed to meet the demands of extreme-scale high-performance computing systems [43]. In order to conduct safety analysis efficiently and avoid redesign, researchers have proposed a framework termed SafeSysE, which merges safety assessment and systems engineering [88]. FMEA and FTA are generated automatically. Block design patterns are proposed to automatically generate fault trees. Each pattern leads to a sub-fault tree.
An advantage of high-level modeling languages (like AltaRica) is the ability to reuse models of components or even subsystems. There are two ways of attaining such an objective [98]: reuse of components (object-oriented), and reuse of modeling patterns (prototype-oriented). The reuse of components comes directly from programming languages (like C++ [117]) or modeling languages (like Matlab/Simulink [84] and Modelica). The reuse of modeling patterns starts from existing code and adapts it to specific requirements [98].
From modeling experience with several aircraft systems using the AltaRica Data-Flow language, Safety Architecture Patterns (SAP) have been proposed to simplify modeling missions [69]. SAP are component assemblies used to ensure the safety of architectures [69]. Applications of SAP can be found in the avionics domain [69, 89]. Unlike their work, first, we use the AltaRica 3.0 language rather than the AltaRica Data-Flow language. The mathematical backgrounds of the AltaRica Data-Flow language and the AltaRica 3.0 language are mode automata [106] and Guarded Transition Systems (GTS) [108], respectively. GTS extend mode automata with the capabilities of modeling instant loops and acausal components (i.e. inflows and outflows are decided at run time). Second, we propose patterns for modeling production and safety systems mainly in the process industry, whereas their work is primarily located in the aviation industry. Third, they mainly propose a collection of redundancy-based architecture patterns, while we describe behavioral, flow propagation, and composition behaviors of production and safety systems with modeling patterns. A set of SAP is also listed in [97], where the authors focus on patterns for redundancy and software faults.
It is also worth learning from Case-based reasoning (CBR). CBR is the process of solving new problems based on the solutions to similar past problems [1]. It is carried out in four steps: retrieve, reuse, revise, and retain.

Categories of Modeling Patterns

Modeling Patterns (MP) are a general means of modeling frequently occurring functional and physical behaviors. They can be classified according to their purpose, which reflects what a modeling pattern is used for. Modeling patterns can have either a behavioral, a flow propagation, or a composition purpose. Behavioral Patterns (BP) describe basic behaviors of components. For instance, the repairable behavior is regarded as a basic characteristic in production and safety systems. Flow Propagation Patterns (FPP) depict flow propagations inside and between components. Composition Patterns (CP) represent cooperations in a system, such as the cooperation between main and standby units. FPP are further divided into intra-component FPP and inter-component FPP. Specific modeling patterns are discussed in detail in Chapter 5. In the following subsections, we discuss the categories of modeling patterns in the framework of GTS.

Table of contents :

Acknowledgment
1 Introduction 
1.1 Production and Safety Systems
1.2 Performance Analysis
1.3 Problem Formulation
1.4 Modeling Patterns
1.5 Objectives of the Thesis
1.6 Structure of the Thesis
2 Performance Analysis of Production and Safety Systems 
2.1 Glossary for Performance Analysis
2.2 Production-performance Analysis
2.3 Reliability Analysis of Safety Systems
2.4 Model-based Safety Assessment
2.5 Modeling Languages
2.5.1 Classical Approaches
2.5.2 Model-based Approaches
2.6 Summary
3 AltaRica Modeling Language
3.1 Formal Definition of Guarded Transition Systems
3.2 States and Transitions
3.3 Flow Propagation
3.3.1 Looped Assertions
3.3.2 Data-flow Assertions
3.4 Synchronization Mechanisms
3.5 Prototypes and Classes
3.6 Semantics
3.7 Comparison with other State/transition Modeling Languages
3.7.1 Differences
3.7.2 Similarities
3.8 Summary
4 Modeling Patterns 
4.1 Notion of Modeling Patterns
4.2 Categories of Modeling Patterns
4.2.1 Behavioral Patterns
4.2.2 Flow Propagation Patterns
4.2.3 Composition Patterns
4.3 Methodology to Develop Modeling Patterns
4.4 Summary
5 Catalog of Modeling Patterns
5.1 Behavioral Patterns
5.1.1 PERFECT
5.1.2 NonRepairable
5.1.3 CorrectiveMaintenance
5.1.4 PreventiveMaintenance
5.1.5 DEGRADATION
5.1.6 PeriodicTest
5.1.7 RevealUndetectedFailure
5.1.8 StaggeredPeriodicTest
5.2 Flow Propagation Patterns
5.2.1 SISO: Single-Input-Single-Output
5.2.2 SIMO: Single-Input-Multiple-Output
5.2.3 MISO: Multiple-Input-Single-Output
5.2.4 SOURCE
5.2.5 SINK
5.2.6 MIMO: Multiple-Input-Multiple-Output
5.2.7 SERIES
5.2.8 PARALLEL
5.2.9 KooN
5.2.10 SwitchKooN
5.2.11 SequentialWork
5.2.12 BYPASS
5.2.13 LOOP
5.3 Composition Patterns
5.3.1 Main unit/Cold standby unit Coordination (MCC)
5.3.2 Main unit/Hot standby unit Coordination (MHC)
5.3.3 Repairable unit/Repair crew Coordination (RRC)
5.4 Relationships between Modeling Patterns
5.5 Modeling Patterns Reuse
5.6 Summary
6 Experimental Studies 
6.1 Production Systems in Process Industry
6.1.1 A Production Facility
6.1.2 A Floating Production Storage and Offloading System
6.1.3 An Oil Production System
6.1.4 An Offshore Installation
6.2 Safety Systems in Process Industry
6.2.1 An Overpressure Protection System with Single Channel
6.2.2 An Overpressure Protection System with Dual Channel
6.2.3 An Overpressure Protection System with Redundant Architecture
6.2.4 A Multiple Safety System
6.2.5 An Emergency Depressurization System of A Hydrocracking Unit
6.3 Summary
7 Conclusion and Future Works
7.1 Conclusion
7.2 Future Works
A Production Availability Analysis using Stochastic Petri Nets
B Modeling Patterns for Production Performance Analysis
C Modeling Patterns for Reliability Analyses of Safety Systems
D Acronyms and Abbreviations
Bibliography
