Dov Dori Massachusetts Institute of Technology (visiting) Technion, Israel Institute of Technology Nuclear Engineering Seminar Series Department of Mechanical and Nuclear Penn State Engineering October 23, 2014 Mirror, Mirror on the Wall – Do You See Me at All? The Cyber-Physical Gap and its Implications on Risks: Modeling Nuclear Hazards Mitigation

2 Multiple engineering professionals talk different languages Mechanical Engineers Civil Engineers Software Engineers Electronics Engineers Systems engineers are supposed to integrate these – What language do they talk?

3 Required: A graphical formal language for conceptually conveying system architectures & designs

4 Systems Engineers Do Have Languages –Systems Modeling Language – SysML OMG Standard since 2007 –Object-Process Methodology – OPM OPM book published in 2002 ISO Standard as of Aug (formally: Publically Available Specification) OPM software: OPCAT, freely downloadable from OPM software: OPCAT, freely downloadable from Along with papers and other resources

5 Ontology A set of concepts for describing a domain (industry, banking, military, healthcare, nuclear engineering…) and systems within it Ontology A set of concepts for describing a domain (industry, banking, military, healthcare, nuclear engineering…) and systems within it Universal Ontology A set of concepts for describing the universe and systems within it

6 Towards ontological grounding of model-based systems engineering Towards ontological grounding of model-based systems engineering Let us try to determine the minimal set of concepts required to model the universe and systems in it We begin with a series of Socratian questions

7 First fundamental question: What are the things that exist in the universe? Answer: Objects exist (or might exist)

8 Second fundamental question: What are the things that happen in the universe? Answer: Processes happen (or might happen) But - processes happen to things!

9 A Follow-up question: What are the things to which processes happen ? Answer: Processes happen to objects Processes happen to objects

10 So: What do processes do to objects? Answer: Processes transform objects

11 What does it mean for a process to transform an object? Transforming of an object by a process means 1. creating (generating) an object 2. destroying (consuming) an object 3. affecting an object

12 What does it mean for a process to affect an object? – A process affects an object by changing its state – Hence, objects must be stateful; they must have states they must have states

13 Another key question: What are the two complementary aspects from which any system can be viewed? Answer: 1.Structure – the static aspect: what is the system made of? 2.Behavior – the dynamic aspect: how does the system change over time?

14 What additional aspect pertains to man-made systems? Function – the utilitarian, subjective aspect: why is the system built? for whom? who benefits from operating it?

15 conceived realitymodeled reality Is modeled by Bus Aircraft Vehicle Gas Filling Is modeled by objectsprocesses Using graphical symbols, the model expresses real things – objects and processes – and relations among them. is a affects Object Process Energy Replenishing is Car The idea behind conceptual modeling

16 The Object-Process Theorem Stateful objects, processes, The Object-Process Theorem Stateful objects, processes, and relations among them constitute a necessary and sufficient universal ontology Corollary stateful objectsprocesses Corollary Using stateful objects, processes, and relations among them, one can model systems in any domain

17 Proof: Part 1 - necessity Stateful objects processes Stateful objects and processes are necessary to specify the two system aspects, structure and behavior: statefulobjects –Specifying the structural, static system aspect requires stateful objects and relations among them processes –Specifying the procedural, dynamic system aspect requires processes and relations between them and the objects they transform

18 Proof: Part 2 - sufficiency Stateful objects processes Stateful objects and processes are sufficient to specify any system in any domain: exists statefulobjects –Anything that exists can be specified in terms of stateful objects and relations among them happens processes Q.E.D. –Anything that happens to an object can be specified in terms of processes and relations between them and the object they transform Q.E.D.

19 Keys to good conceptual modeling: processesobjects structurebehavior Keys to good conceptual modeling: 1. Telling processes apart from objects 2. Modeling them concurrently to express the interdependence of the systems’ structure and behavior 3. Managing complexity via abstraction- refinement (enables modeling systems at any level of complexity) 4. Utilizing dual channel processing: graphics and text (enables using “both sides of the brain”)

20 The Six Leading MBSE Methodologies (INCOSE Task Force, Estefan, 2008 p 43) (INCOSE Task Force, Estefan, 2008 p 43)  IBM Telelogic Harmony-SE  INCOSE Object-Oriented Systems Engineering Method (OOSEM)  IBM Rational Unified Process for Systems Engineering (RUP SE) for Model-Driven Systems Development (MDSD)  Vitech Model-Based System Engineering (MBSE) Methodology  JPL State Analysis (SA)  Object-Process Methodology (OPM): 2014 – expected ISO PAS SysML was not surveyed since it is a language, not a methodology

21 Object-Process Methodology (OPM) ObjectsProcesses Things: Objects and Processes A thing that exists or might exist physically or informatically A thing that transforms one or more objects

22 Processesobjects Processes transform objects by (1) Consuming them:

23 Processesobjects Processes transform objects by (2) Creating them:

24 Processesobjects Processes transform objects by (3) Changing their state:

25 So the OPM Things are: 1. Stateful Object 2. Process All the other elements are relations between things, expressed graphically as links

26 OPM unifies the system’s structure and behavior throughout the analysis and design of the system within one frame of reference using a small alphabet: –Two types of things: (1) stateful objects (2) processes –Two families of links: (1) structural links: connect objects with objects (2) procedural links: connect processes with objects Compact Ontology: A Minimum Length OPM alphabet

27 OPM Aspect Unification The three system aspects: –Function (why the system is built), –Structure (static aspect: what is the system made of), and –Behavior (dynamic aspect: how the system changes over time) Are expressed bi-modally, in graphics and equivalent textAre expressed bi-modally, in graphics and equivalent text In a single modelIn a single model

Risk-Aware Modeling – The Epistemic Challenge “As we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns—the ones we don’t know we don’t know.” (Donald Rumsfeld on going to war in Iraq) Knowns (which can be correct,, incorrect, or unknown) Correct knowns: Things we know and are correct. Incorrect knowns: Things we know we know, but are incorrect (called beliefs in epistemic modal logic): Wrong/misread measurements Wrong assumptions Misconceptions Misunderstood situations/communications Unknown knowns: Things we don’t know we know Tacit (correct) knowledge Knowledge owned by some member groups but not by others… Unknowns (so they cannot be correct or incorrect) Known unknowns: Things we know we don’t know Natural variability Knowledge gaps Unknown unknowns: Things that we don’t know we don’t know

29 Cyber-Physical Systems: Characteristics Software-controlled physical systems Include physical and cybernetic components An agent – a human decision-maker or an information & decision-making system – is the cybernetic component Hardware (motors, actuators, VLSI chips…) is the physical component Physical processes signal and induce cybernetic events Cybernetic processes signal and induce physical events

30 Thing’s Essence and Affiliation Attributes In OPM, a Thing (Object or Process) has two key attributes: Essence and Affiliation Essence pertains to the thing’s nature Denotes whether the thing is physical or informatical. Affiliation pertains to the thing’s scope Denotes whether the thing is systemic, i.e. part of the system, or environmental, i.e. part of the system’s environment The Essence- Affiliation attribute value combinations

31 Essence is key to the Cyber-Physical Gap Thing’s Essence is key to understanding and modeling the cyber-physical gap physical objects in the OPM model represent what is really “out there” – actual states and values of objects informatical objects in the OPM model represent information about their corresponding physical objects available to a decision making agent (human or artificial) A cyber-physical gap exists when the state of the informatical object incorrectly indicates the state of the physical object is supposed to represent

32 Two main sources of cyber-physical gaps Incorrect instrument reading causes agents to create a different world view than what is really out there Preview: Agent’s misconception or incorrect assumption possibly triggered or supported by incorrect measurement reading Preview:

33 The Three-Mile Island 2 Accident March 28, Modeling the cyber-physical gap with OPM:

34 2:00 – 2:15 We start with an OPM model of normal operation of Electric Energy Generating system – by a Pressurized Water Reactor

35 Electric Energy Generating – An OPM Model Electric Energy Generating – An OPM Model (OPCAT simulation)

36 Electric Energy Generating In-Zoomed: Animated Simulation

37 Turbine Spinning In-Zoomed: Animated Simulation

38 Electric Energy Successfully Generated

39 Auto-generated Object-Process Language (OPL) Example Feedwater can be cooling tower, condensor, or steam generator. cooling tower is initial. Pressurized Water Reactor consists of Reactor Secondary Unit, Reactor Primary Unit, and Cooling Tower. Reactor Secondary Unit consists of Turbine, Generator, and Main Feedwater Pump. Turbine consists of Condensate Pump. Condensate Pump can be operational or tripped. operational is initial. Main Feedwater Pump can be operational or tripped. operational is initial. Reactor Primary Unit consists of Reactor Core and Steam Generator. Cooling Tower consists of Circulating Water Pump. Electric Energy Generating is physical. Electric Energy Generating consists of Controlled Nuclear Reaction, Steam Generating, Turbine Spinning, and Electricity Generating. Electric Energy Generating requires Pressurized Water Reactor and Cooling Tower. Electric Energy Generating yields Electric Energy. Electric Energy Generating zooms into Controlled Nuclear Reaction, Steam Generating, Turbine Spinning, and Electricity Generating. Controlled Nuclear Reaction affects Reactor Core. Controlled Nuclear Reaction yields Heat Energy. Steam Generating affects Steam Generator. Steam Generating consumes Heat Energy. Steam Generating yields Steam. Turbine Spinning consists of Turbine Water Circulating, Water Cooling, Turbine Heat Removing, and Steam Generator Water Circulating. Turbine Spinning affects Turbine. Turbine Spinning consumes Steam. Turbine Spinning yields Mechanical Energy. Turbine Spinning zooms into Water Cooling, Turbine Water Circulating, Turbine Heat Removing, and Steam Generator Water Circulating. Water Cooling consumes Steam. Water Cooling yields cooling tower Feedwater. Turbine Water Circulating requires Circulating Water Pump. Turbine Water Circulating changes Feedwater from cooling tower to condensor. Turbine Heat Removing requires condensor Feedwater. Turbine Heat Removing yields Mechanical Energy. Steam Generator Water Circulating occurs if Main Feedwater Pump is operational and Condensate Pump is operational. Steam Generator Water Circulating changes Feedwater from condensor to steam generator. Electricity Generating requires Generator. Electricity Generating consumes Mechanical Energy. Electricity Generating yields Electric Energy.

40 When Things Start Going Wrong: Summary of Events The [TMI2] accident began about 4 a.m. on Wednesday, March 28, 1979, when the plant experienced a failure in the secondary, non-nuclear section of the plant (one of two reactors on the site). Either a mechanical or electrical failure prevented the main feedwater pumps from sending water to the steam generators that remove heat from the reactor core. This caused the plant's turbine-generator and then the reactor itself to automatically shut down. Immediately, the pressure in the primary system (the nuclear portion of the plant) began to increase. In order to control that pressure, the pilot-operated relief valve (a valve located at the top of the pressurizer) opened. The valve should have closed when the pressure fell to proper levels, but it became stuck open. Instruments in the control room, however, indicated to the plant staff that the valve was closed. As a result, the plant staff was unaware that cooling water was pouring out of the stuck-open valve.

41 Failing Pressurized Water Reactor Operation: An OPM Model

42 Pump Failing Changes Pump from operational to tripped

43 Tripped Pumps Cause too high Pressure

44 Too High Pressure Causes PORV to open normally

45 PORV Mechanical Failing causes POPV stuck open

46 Due to POPV stuck open Primary Cooling Water Escape!

47 Reactor Core is melted 

48 As if this is not bad enough - The Cyber-Physical Gap The valve should have closed when the pressure fell to proper levels, but it became stuck open. Instruments in the control room, however, indicated to the plant staff that the valve was closed. As a result, the plant staff was unaware that cooling water was pouring out of the stuck-open valve. As coolant flowed from the primary system through the valve, other instruments available to reactor operators provided inadequate information. There was no instrument that showed how much water covered the core. As a result, plant staff assumed that as long as the pressurizer water level was high, the core was properly covered with water. As alarms rang and warning lights flashed, the operators did not realize that the plant was experiencing a loss-of-coolant accident. They took a series of actions that made conditions worse. The water escaping through the stuck valve reduced primary system pressure so much that the reactor coolant pumps had to be turned off to prevent dangerous vibrations. To prevent the pressurizer from filling up completely, the staff reduced how much emergency cooling water was being pumped in to the primary system. These actions starved the reactor core of coolant, causing it to overheat.

49 The Cyber-Physical Model Version

50 Secondary pumps are tripped; Problems start…

51 Pressure builds; PORV opens to relieve the too high pressure

52 PORV Closing fails due to sticky PORV; PORV gets stuck open

53 Crew uses false indication to determine that PORV is closed First cyber-physical gap – Incorrect instrument reading: PORV is (stuck) open, but due to the false PORV closed indication, the Crew determines PORV is closed! Physical object – shaded Informatical object – not shaded

54 Since PORV is closed Crew determines Core Water Level high Second cyber-physical gap – Agent misconception: Since PORV is believed to be closed, the Crew determines That Core Water Level is too high while in reality they are low and Depleting! Physical object – shaded Informatical object – not shaded Physical object – shaded Informatical object – not shaded

55 When Pressure is too high Emergency Water is supplied… Second cyber-physical gap: Since PORV is believed to be closed, the Crew determines That Core Water Level is too high while in reality they are low and Depleting!

56 … but the Crew stops the water supply, starving the reactor core of coolant, causing it to overheat Final blow due to the second cyber-physical gap: Crew applies Emergency Water Supply Stopping since it determined Core Water Level to be too high, making it too low

57 Summary The cyber-physical gap is a critical factorThe cyber-physical gap is a critical factor It must be accounted for when designing systems, notably safety- critical onesIt must be accounted for when designing systems, notably safety- critical ones OPM is most suitable for modeling cyber-physical gapsOPM is most suitable for modeling cyber-physical gaps This is due to its notion of essence – physical vs. informatical thingsThis is due to its notion of essence – physical vs. informatical things

58 Questions and (hopefully) Answers Contact: Dov Dori –