David C. Jensen

Flow State Logic (FSL) for Analysis of Failure Propagation in Early Design

For safety critical complex systems, reliability and risk analysis are important design steps. Implementing these analyses early in the design stage can reduce costs associated with redesign and provide important information on design viability. In the past several years, various research methods have been presented in the design community to move reliability analysis into the early conceptual design stages. These methods all use a functional representation as the basis for reliability analysis. This paper asserts that, in non-nominal system states, the functional representation limits the scope of failure analysis. Specifically, when failures are modeled to propagate along energy, material, and signal (EMS) flows, a nominal-state functional model is insufficient for modeling all types of failures. To capture possible failure propagation paths, a function-based reliability method must consider all potential flows, and not be limited to the function structure of the nominal state. In this light, this paper introduces the Flow State Logic (FSL) method as a means for reasoning on the state of EMS flows that allows the assessment of failure propagation over potential flows that were not considered in a functional representation of a “nominally functioning” design. A liquid fueled rocket engine serves as a case study to illustrate the benefits of the methodology.Copyright

Modeling the Propagation of Failures in Software Driven Hardware Systems to Enable Risk-Informed Design

Software-driven hardware configurations account for the majority of modern complex systems. The often costly failures of such systems can be attributed to software specific, hardware specific, or software/hardware interaction failures. The understanding of the propagation of failures in a complex system is critical because, while a software component may not fail in terms of loss of function, a software operational state can cause an associated hardware failure. The least expensive phase of the product life cycle to address failures is during the design stage. This results in a need to evaluate how a combined software/hardware system behaves and how failures propagate from a design stage analysis framework. Historical approaches to modeling the reliability of these systems have analyzed the software and hardware components separately. As a result significant work has been done to model and analyze the reliability of either component individually. Research into interfacing failures between hardware and software has been largely on the software side in modeling the behavior of software operating on failed hardware. This paper proposes the use of high-level system modeling approaches to model failure propagation in combined software/hardware system. Specifically, this paper presents the use of the Function-Failure Identification and Propagation (FFIP) framework for system level analysis. This framework is applied to evaluate nonlinear failure propagation within the Reaction Control System Jet Selection of the NASA space shuttle, specifically, for the redundancy management system. The redundancy management software is a subset of the larger data processing software and is involved in jet selection, warning systems, and pilot control. The software component that monitors for leaks does so by evaluating temperature data from the fuel and oxidizer injectors and flags a jet as having a failure by leak if the temperature data is out of bounds for three or more cycles. The end goal is to identify the most likely and highest cost paths for fault propagation in a complex system as an effective way to enhance the reliability of a system. Through the defining of functional failure propagation modes and path evaluation, a complex system designer can evaluate the effectiveness of system monitors and comparing design configurations.© 2008 ASME

Modeling and Analysis of Safety in Early Design

Abstract In this paper we present a method of explicit inclusion of safety into a model-based design method for cyberphysical systems. This approach enables an analysis where component-level failures can be mapped to potential system-level hazards. Application of this work presents several significant advances to the fields of safety engineering and design. This paper present a method of representing the safety property of a system by the introduction of the concept called the “safety function.” Further, the function of achieving safety is mapped to the performance functions of the system. We present a process of concurrently developing a system concept from the safety and functional perspective. The end result of this process is a system architecture where components of the system are explicitly mapped to both the functions they perform and the role it plays in ensuring safe system operation. The benefit of this approach is having a system representation that allows for analysis of critical events and off- nominal component behavior to identify potential losses in function and safety constraint violations. The approach is demonstrated on a software controlled hardware system. Namely, a generic spacecraft reaction control system.

Simulation of Interactions and Emergent Failure Behavior During Complex System Design

Emergent behavior is a unique aspect of complex systems, where they exhibit behavior that is more complex than the sum of the behavior of their constituent parts. This behavior includes the propagation of faults between parts, and requires information on how the parts are connected. These parts can include software, electronic and mechanical components, hence requiring a capability to track emergent fault propagation paths as they cross the boundaries of technical disciplines. Prior work has introduced the functional failure identification and propagation (FFIP) simulation framework, which reveals the propagation of abnormal flow states and can thus be used to infer emergent system-wide behavior that may compromise the reliability of the system. An advantage of FFIP is that it is used to model early phase designs, before high cost commitments are made and before high fidelity models are available. This has also been a weakness in previous research on FFIP, since results depend on arbitrary choices for the values of model parameters and timing of critical events. Previously, FFIP has used a discrete set of flow state values and a simple behavioral logic; this has had the advantage of limiting the range of possible parameter values, but it has not been possible to model continuous process dynamics. In this paper, the FFIP framework has been extended to support continuous flow levels and linear modeling of component behavior based on first principles. Since this extension further expands the range of model parameter values, methods and tools for studying the impact of parameter value changes are introduced. The result is an evaluation of how the FFIP results are impacted by changes in the model parameters and the timing of critical events. The method is demonstrated on a boiling water reactor model (limited to the coolant recirculation and steam outlets) in order to focus the analysis of emergent fault behavior that could not have been identified with previously published versions of the FFIP framework. [DOI: 10.1115/1.4007309]

An integrated multidomain functional failure and propagation analysis approach for safe system design

Abstract Early system design analysis and fault removal is an important step in the iterative design process to avoid costly repairs in the later stages of system development. System complexity is increasing with increased use of software to control the physical system. There is a dearth of techniques to evaluate inconsistencies, incompatibility, and fault proneness of the system design in an integrated manner. The early design analysis technique presented in this paper aids a designer to understand the interplay between the multifaceted components and evaluate his/her design in an integrated manner. The technique allows simultaneous propagation of different types of faults from various domains and evaluates their functional impact over a period of time. The structure of the technique is explained using domain-specific conceptual metamodels, whereas the execution is based on the event sequence diagram, which is one of the established reliability and safety analysis techniques. One of the notable features of the proposed technique is the object-oriented nature of the system design representation. The technique is demonstrated with the help of a case study, and the execution results of two scenarios are evaluated to demonstrate the analysis capability of the proposed technique.

Capturing interactions and emergent failure behavior in complex engineered systems at multiple scales

Large complex systems exhibit complex nominal and failure behavior and understanding that behavior is critical to the accurate assessment of risk. However, this assessment is difficult to accomplish in the early design stage. Multiple subsystem interactions and emergent behavior further complicate early design risk analysis. The goal of this paper is to demonstrate necessary modifications of an existing function-based failure assessment tool for application to the large complex system design domain. Specifically, this paper demonstrates how specific adaptations to this early, qualitative approach to system behavioral simulation and analysis help overcome some of the challenges to large complex system design. In this paper, a boiling water nuclear reactor design serves as a motivating case study for showing how this approach can capture complex subsystem interactions, identify emergent behavior trends, and assess failures at both the component and system level.Copyright

Systematic benchmarking of diagnostic technologies for an electrical power system

Automated health management is a critical functionality for complex aerospace systems. A wide variety of diagnostic algorithms have been developed to address this technical challenge. Unfortunately, the lack of support to perform large-scale V&V (verification and validation) of diagnostic technologies continues to create barriers to effective development and deployment of such algorithms for aerospace vehicles. In this paper, we describe a formal framework developed for benchmarking of diagnostic technologies. The diagnosed system is the Advanced Diagnostics and Prognostics Testbed (ADAPT), a real-world electrical power system (EPS), developed and maintained at the NASA Ames Research Center. The benchmarking approach provides a systematic, empirical basis to the testing of diagnostic software and is used to provide performance assessment for different diagnostic algorithms.

Reasoning about System-Level Failure Behavior from Large Sets of Function-Based Simulations

Abstract This paper presents the use of data clustering methods applied to the analysis results of a design-stage, functional failure reasoning tool. A system simulation using qualitative descriptions of component behaviors and a functional reasoning tool are used to identify the functional impact of a large set of potential single and multiple fault scenarios. The impact of each scenario is collected as the set of categorical function “health” states for each component-level function in the system. This data represents the space of potential system states. The clustering and statistical tools presented in this paper are used to identify patterns in this system state space. These patterns reflect the underlying emergent failure behavior of the system. Specifically, two data analysis tools are presented and compared. First, a modified k-means clustering algorithm is used with a distance metric of functional effect similarity. Second, a statistical approach known as latent class analysis is used to find an underlying probability model of potential system failure states. These tools are used to reason about how the system responds to complex fault scenarios and assists in identifying potential design changes for fault mitigation. As computational power increases, the ability to reason with large sets of data becomes as critical as the analysis methods used to collect that data. The goal of this work is to provide complex system designers with a means of using early design simulation data to identify and mitigate potential emergent failure behavior.

Using Fault Propagation Analyses for Early Elimination of Unreliable Design Alternatives of Complex Cyber-Physical Systems

The Functional Failure Identification and Propagation (FFIP) framework has been proposed in prior work to study the reliability of early phase designs of complex systems. For the specified functionality, a model of mechanical, electrical and software components has been defined to support simulation and discovery of fault propagation paths. The advantage of this approach has been the possibility to identify unreliable designs before high cost design commitments have been made. However, a weakness is that the results are specific to the component model that is created for the purpose of running the FFIP simulations; it is unclear how the results would change if different modeling choices would have been made. Further, the usefulness of the method in design has been limited to evaluating reliability rather than actively finding more robust design alternatives. In order to address these weaknesses, the FFIP component model needs to incorporate a capability to describe design alternatives. The feature modeling syntax and semantics, which has been successfully used by software engineers to describe customer variations in product lines, is applied here to specify alternative mechanical, electrical and software features of a cyber-physical system. In the concept phase, all plausible design alternatives are described with a feature model. FFIP analyses can be performed for each valid configuration of this model, and all alternatives that are found unreliable are removed. The result is a restricted feature model, comprising significantly fewer design alternatives, that is delivered as source information for the detailed design phase. A toolchain for performing these analyses is presented, integrating open source feature modeling and configuration tools to the FFIP environment. The methodology is illustrated with a case study from boiling water nuclear reactor design.© 2012 ASME

Clustering Function-Based Failure Analysis Results to Evaluate and Reduce System-Level Risks

For complex, safety-critical systems failures due to component faults and system interactions can be catastrophic. One aspect of ensuring a safe system design is the analysis of the impact and risk of potential faults early in the system design process. This early design-stage analysis can be accomplished through function-based reasoning on a qualitative behavior simulation of the system. Reasoning on the functional effect of failures provides designers with the information needed to understand the potential impact of faults. This paper proposes three different methods for evaluating and grouping the results of a function failure analysis and their use in design decision-making. Specifically, a method of clustering failure analysis results based on consequence is presented to identify groups of critical failures. A method of clustering using Latent Class Analysis provides characterization of high-level, emergent system failure behavior. Finally, a method of identifying functional similarity provides lists of similar and identical functional effects to a system state of interest. These three methods are applied to the function-based failure analysis results of 677 single and multiple fault scenarios in an electrical power system. The risk-based clustering found three distinct levels of scenario functional impact. The Latent Class Analysis identified five separate failure modes of the system. Finally, the similarity grouping identified different groups of scenarios with identical and similar functional impact to specific scenarios of interest. The overall goal of this work is to provide a framework for making design decisions that decrease system risks.Copyright