ESA PetriNet: Petri Net Tool for Reliability Analysis Romaric Guillerm, Nabil Sadou, Hamid Demmou 14 Oct. 2009 LAAS-CNRS.



Outline
 General Context and Motivation
 System Modelling
 Feared Scenario Deriving Algorithm
 The Tool: ESA PetriNet
 Case Study
 Conclusion

General Context
 Complexity of embedded systems
   Integration of mechanical, hydraulic, electric, electronic and information technologies
   Existence of reconfigurations to maintain the system in safe degraded states
   Hybrid aspect (both discrete and continuous)
 Complexity of the modelling
 Complexity of the safety analysis

Motivations
 Why search for critical scenarios?
   To evaluate safety as early as possible during the design phase
   To minimize the cost and the time of design
 What is a feared scenario?
   A list of events which leads from a normal operating state to a feared one, with a partial order relation between these events. The order of occurrence of the events is important!

System Modelling
 Hybrid aspect:
   Continuous dynamics: energetic system (differential equations)
   Discrete dynamics: operation modes, failure and reconfiguration mechanisms (Petri net)
 Use of Petri nets with a temporal abstraction: temporal Petri nets
 The discrete part is dealt with by the Petri net structure, and the continuous part by the temporal aspect (through a temporal abstraction)

Feared Scenario Deriving Algorithm
 Algorithm:
   Automatic method for deriving feared scenarios.
   It is not a classical Petri net player.
   It is a player based on linear logic, which guides the construction of the partial orders. It avoids the state space explosion.
[Figure: a classical Petri net player enumerates the interlacements of transition occurrences (t11, t21, t31, t41, ...) on a net with places A to G and transitions t1 to t4, whereas the algorithm builds the partial orders directly]

Feared Scenario Deriving Algorithm
It is done in four steps:
1. Determine the normal states: the places that, when marked, represent normal operation states. These 'normal' places will be used as stop criteria for the backward reasoning.
2. Determine the target state (partial feared state or state to be analysed): it can be either a partial feared state or another partial state with a direct or indirect link to the feared state (simulation, PHA).

3. Backward Reasoning
 Starting from the feared state in the reversed Petri net:
   The goal is to determine the normal states from which the system goes to the feared state.
   Only the necessary transitions are fired.
   The objects are introduced progressively.
   Normal 'conditioning' states are the stop criterion.
[Figure: reversed Petri net of the case study objects (Obj1 – satellite 1, Obj2 – satellite 2, Obj3 – ground station, Obj4 – alimentation), each object having places OK and KO linked by a failure transition d and a repair transition r (OKs/KOs with ds/rs, OK1/KO1 with d1/r1, OK2/KO2 with d2/r2, OKe/KOe with de/re); the annotations mark a potentially enabled transition and a marking enrichment]

4. Forward Reasoning
 Starting from the conditioning state in the initial Petri net:
   Analysis of the bifurcations (transition conflicts in the Petri net) between the normal behaviour and the feared one.
   Determination of the complete context of the feared state.
   Scenario deriving.
[Figure: the initial Petri net of the same four objects with the initial marking IM1 = OKs OKe; the scenario annotation reads OKe, de, KOe, ds, KOs, OKs, with the occurrences I1, I2, F1, F2 and KOe]
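As an added example, not code from the slides or from the ESA PetriNet tool, the four steps above implemented in Python on a small safe Petri net. The model is constructed in the style of the figure: two objects, a satellite (s) and a ground station (e), each with an OK and a KO place, a failure transition d and a repair transition r. The feared state "both objects KO", the place and transition names, the depth bound and the stop rule (tokens on normal places are never explained further) are assumptions of this example. The partial-order grouping at the end shows why the linear-logic player avoids enumerating interlacements: the two interleavings found by the backward reasoning are one partial order, since neither failure depends on the other.

```python
"""Feared scenario derivation on a small safe Petri net (added example).

Constructed model, not the ESA PetriNet tool's code: two objects, a satellite
(s) and a ground station (e), each either OK or KO, with failure (d_*) and
repair (r_*) transitions. The feared state is "both objects KO".
"""
from typing import Dict, FrozenSet, List, Tuple

Marking = FrozenSet[str]
Net = Dict[str, Tuple[FrozenSet[str], FrozenSet[str]]]  # t -> (pre-places, post-places)

NET: Net = {
    "d_s": (frozenset({"OK_s"}), frozenset({"KO_s"})),  # satellite failure
    "r_s": (frozenset({"KO_s"}), frozenset({"OK_s"})),  # satellite repair / reconfiguration
    "d_e": (frozenset({"OK_e"}), frozenset({"KO_e"})),  # ground-station failure
    "r_e": (frozenset({"KO_e"}), frozenset({"OK_e"})),  # ground-station repair
}
NORMAL_PLACES: Marking = frozenset({"OK_s", "OK_e"})   # step 1: normal states
FEARED_MARKING: Marking = frozenset({"KO_s", "KO_e"})  # step 2: target (partial feared) state


def backward_scenarios(net: Net, feared: Marking, normal: Marking,
                       max_depth: int = 8) -> List[Tuple[Marking, List[str]]]:
    """Step 3: backward reasoning in the reversed net.

    Starting from the feared marking, un-fire only transitions that produced a
    token still to be explained; tokens on normal places are the stop criterion
    (assumption: they are never explained further). Returns (conditioning
    marking, forward-ordered transition sequence) pairs.
    """
    found: List[Tuple[Marking, List[str]]] = []

    def walk(marking: Marking, path: List[str], seen: FrozenSet[Marking]) -> None:
        unexplained = marking - normal
        if not unexplained:                 # a normal 'conditioning' state: stop
            found.append((marking, list(reversed(path))))
            return
        if len(path) >= max_depth:
            return
        for t, (pre, post) in net.items():
            if not (post & unexplained):    # only the necessary transitions are un-fired
                continue
            # Reversed firing: remove what t produced, add back what it consumed.
            # Post tokens absent from the marking are implicitly added first
            # (marking enrichment): the object is introduced when it is needed.
            previous = (marking - post) | pre
            if previous in seen:            # cycle guard (e.g. failure then repair)
                continue
            walk(previous, path + [t], seen | {previous})

    walk(feared, [], frozenset({feared}))
    return found


def forward_analysis(net: Net, conditioning: Marking,
                     sequence: List[str]) -> Tuple[Marking, List[Tuple[str, List[str]]]]:
    """Step 4: replay the scenario in the initial net from the conditioning state
    and record, at each step, the bifurcations: the other transitions enabled at
    that moment, which would lead the system away from the feared path."""
    marking = set(conditioning)
    bifurcations: List[Tuple[str, List[str]]] = []
    for t in sequence:
        enabled = {u for u, (pre, _) in net.items() if pre <= marking}
        if t not in enabled:
            raise ValueError(f"{t} is not enabled in {sorted(marking)}")
        bifurcations.append((t, sorted(enabled - {t})))
        pre, post = net[t]
        marking = (marking - pre) | post
    return frozenset(marking), bifurcations


def causal_order(net: Net, sequence: List[str]) -> Tuple[FrozenSet[str], FrozenSet[Tuple[str, str]]]:
    """Partial order of a scenario: t_j depends on an earlier t_i when t_i produced
    a token that t_j consumes. Interleavings of independent events collapse to the
    same (events, dependencies) pair."""
    deps = {(ti, tj) for j, tj in enumerate(sequence)
            for ti in sequence[:j] if net[ti][1] & net[tj][0]}
    return frozenset(sequence), frozenset(deps)


def derive_feared_scenarios(net: Net = NET, feared: Marking = FEARED_MARKING,
                            normal: Marking = NORMAL_PLACES) -> dict:
    """Run steps 3 and 4 and group the scenarios by partial order."""
    scenarios = backward_scenarios(net, feared, normal)
    partial_orders = {causal_order(net, seq) for _, seq in scenarios}
    replays = [forward_analysis(net, cond, seq) for cond, seq in scenarios]
    return {"scenarios": scenarios, "partial_orders": partial_orders, "replays": replays}


if __name__ == "__main__":
    result = derive_feared_scenarios()
    for (cond, seq), (final, bifs) in zip(result["scenarios"], result["replays"]):
        print(f"from {sorted(cond)}: {' -> '.join(seq)} reaches {sorted(final)}; bifurcations {bifs}")
    print(f"{len(result['scenarios'])} interleavings, {len(result['partial_orders'])} partial order(s)")
```

Running the block lists two interleavings (d_e then d_s, and d_s then d_e), both starting from the conditioning state {OK_e, OK_s}, grouped into a single partial order; the replay of each shows the repair transition of the already failed object as the bifurcation toward normal behaviour at the second step.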

The Tool: ESA PetriNet
 Web link:

Example – Presentation
Volume regulation system of two tanks:
 2 main tanks
 1 electrovalve for each tank
 1 relief electrovalve shared between the 2 tanks
Objective: to keep the volume of each tank inside the interval [V_imin, V_imax]
Interest: overflow of tank 1

Example – Modelling
 "tank" class (figure: the Petri net models of tank1 and tank2)

Example – Modelling
 "electrovalve" and "relief electrovalve" classes (figure: the Petri net models of EV1, EVS and EV2)

Example – Scenarios Research
 Search for the feared scenarios with the Petri net model:
   Feared state: overflow of tank 1

Example – Scenarios Research (figure only)

Conclusion
 The approach presented in this paper is the feared scenario deriving method for hybrid systems.
 The T-temporal Petri net modelling approach allows the two aspects to be addressed separately:
   the discrete aspect by linear logic, through the Petri net structure;
   the continuous aspect by temporal abstractions, through the t-temporal aspect.
 The extraction of the feared scenarios is automated by a tool: ESA PetriNet - temporal edition.
 But the great disadvantage of the approach is the temporal abstraction required for the system modelling...

Further Information...
 We have developed another new approach based on Differential Predicate Transition Petri nets (DPT Petri nets).
 The DPT Petri net modelling approach, in which the continuous and the discrete parts are represented by two different formalisms, allows the two aspects to be addressed separately:
   the discrete aspect by linear logic;
   the continuous aspect by local simulation of the differential equations.
 The causal relations are determined by combining the initial feared scenario deriving algorithm (discrete simulator) and a differential equation solver (continuous simulator).
 These two simulators evolve alternately: the discrete simulator determines the state changes according to the timed data transmitted by the continuous simulator.

Thank you for your attention. Questions?

Annexes: Hybrid Edition of ESA PetriNet

Differential Predicate Transition Petri Nets (DPT Petri Nets)
 The main features used to take the continuous part into account are:
   A set of variables (xi) is associated with each token.
   A differential equation system (Fi) is associated with each place (Pi).
   An enabling function (ei) is associated with each transition (ti). It triggers the firing of the enabled transitions.
   A junction function (ji) is associated with each transition (ti). It defines the values xi associated with the tokens of the output places.

Continuous Scenario Deriving Algorithm
 The discrete algorithm is limited to discrete systems, or to hybrid systems in which the continuous dynamics are approximated by a temporal abstraction.
 To deal with continuous dynamics, it is necessary to exploit the hybrid model directly.
 It combines the Discrete Scenario Deriving Algorithm with a differential equation solver.

Continuous Scenario Deriving Algorithm
[Figure: alternation between the Algorithm (discrete simulator) and the Solver (continuous simulator) on a net with places P1 to P4 and transitions t1 to t3. Algorithm side: configuration change, list of the enabled transitions, execution of the junction functions. Solver side: definition of the equations to integrate, list of the enabling functions to keep a watch on, list of the junction functions to keep a watch on, integration of the equations, dates of firing of the transitions (T2 and T3, with T2 < T3)]

Example – Presentation
Volume regulation system of two tanks:
 2 main tanks
 1 electrovalve for each tank
 1 relief electrovalve shared between the 2 tanks
Objective: to keep the volume of each tank inside the interval [V_imin, V_imax]
Interest: overflow of tank 1

Example – Modelling
 "tank" class (figure: the DPT Petri net model of tank1)
 Variables associated with the places: X_V1_cr = {v1}; X_V1_dec = {v1}; X_V1_dec_s = {v1}
 Enabling functions:
   e_T11: v1 = V1max = 110
   e_T12: v1 = V1min = 90
   e_T13: v1 = V1S = 120
   e_T14: v1 = V1L = 115
   e_T15: v1 = V1min = 90
 Junction functions: j_T11 = j_T12 = j_T13 = j_T14 = j_T15 = O
 Differential equations:
   F_V1_cr: Dv1 = 0.017
   F_V1_dec: Dv1 =
   F_V1_dec_s: Dv1 = -0.017
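As an added example, not code from the slides or from the ESA PetriNet tool, a small Python simulator for a DPT Petri net that follows the alternation between the discrete simulator and the continuous simulator described in the annex (DPT features, Continuous Scenario Deriving Algorithm and the tank slide): the discrete part fixes the configuration (which transitions have all their input places marked, and so which enabling functions are watched), the solver integrates the equations of the marked places until the first watched enabling function becomes true (the firing date), then the junction function is executed and the configuration changes. The tank model reuses the thresholds 90, 110, 115, 120 and the 0.017 filling rate from the tank slide; the draining rate, the valve failure places EV1_stuck and EVS_stuck, the place and transition structure, the identity junction functions, the fixed-step Euler integration and the initial volume of 100 are all assumptions of this example. Valve failures are injected through the initial marking so that three cases can be compared: nominal, EV1 stuck closed, and both EV1 and EVS stuck closed.

```python
"""Hybrid simulation of a Differential Predicate Transition (DPT) Petri net.

Added example: a constructed single-tank model, not the ESA PetriNet tool's code.
Tokens carry variables (x_i), places carry a differential equation (F_i),
transitions carry an enabling function (e_i) and a junction function (j_i).
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

Vars = Dict[str, float]


@dataclass
class Place:
    name: str
    # F_i: dx/dt for the variables of a token in this place; None marks a purely
    # discrete place whose tokens carry no variables (assumption of this example).
    ode: Optional[Callable[[Vars], Vars]] = None


@dataclass
class Transition:
    name: str
    pre: FrozenSet[str]
    post: FrozenSet[str]
    enabling: Callable[[Vars], bool]                      # e_i: fires once true
    junction: Callable[[Vars], Vars] = lambda x: dict(x)  # j_i: identity here


RATE = 0.017  # filling rate from the slide; the draining rate below is assumed equal


def _p(*names: str) -> FrozenSet[str]:
    return frozenset(names)


PLACES = {p.name: p for p in [
    Place("V_cr", lambda x: {"v": RATE}),       # tank filling
    Place("V_dec", lambda x: {"v": -RATE}),     # draining through electrovalve EV1
    Place("V_dec_s", lambda x: {"v": -RATE}),   # draining through relief valve EVS
    Place("Overflow", lambda x: {"v": 0.0}),    # feared state; volume kept for the record
    Place("EV1_ok"), Place("EV1_stuck"), Place("EVS_ok"), Place("EVS_stuck"),
]}

TRANSITIONS = [  # thresholds V1max=110, V1min=90, V1L=115, V1S=120 as on the slide
    Transition("T11", _p("V_cr", "EV1_ok"), _p("V_dec", "EV1_ok"), lambda x: x["v"] >= 110),
    Transition("T12", _p("V_dec"), _p("V_cr"), lambda x: x["v"] <= 90),
    Transition("T14", _p("V_cr", "EVS_ok"), _p("V_dec_s", "EVS_ok"), lambda x: x["v"] >= 115),
    Transition("T15", _p("V_dec_s"), _p("V_cr"), lambda x: x["v"] <= 90),
    Transition("T13", _p("V_cr"), _p("Overflow"), lambda x: x["v"] >= 120),
]


def simulate(places: Dict[str, Place], transitions: List[Transition],
             marking: Dict[str, List[Vars]], horizon: float,
             dt: float = 0.5) -> Tuple[List[Tuple[float, str, Vars]], Dict[str, List[Vars]]]:
    """Alternate the discrete and the continuous simulator until the horizon.
    marking maps each place to its tokens (a dict of variables each).
    Returns the firing log [(date, transition, variables)] and the final marking."""
    t, log = 0.0, []
    while t < horizon:
        # Discrete simulator: the configuration fixes which transitions have all
        # their input places marked; only their enabling functions are watched.
        watched = [tr for tr in transitions if all(marking.get(p) for p in tr.pre)]
        fired = None
        # Continuous simulator: integrate the equations of the marked places (fixed-step
        # Euler, exact for the constant rates used here) until the first watched
        # enabling function becomes true; that instant is the firing date.
        while fired is None and t < horizon:
            for tr in watched:
                x: Vars = {}
                for p in tr.pre:
                    x.update(marking[p][0])
                if tr.enabling(x):
                    fired = tr
                    break
            if fired is None:
                for p, tokens in marking.items():
                    if places[p].ode is not None:
                        for tok in tokens:
                            d = places[p].ode(tok)
                            for k in tok:
                                tok[k] += dt * d.get(k, 0.0)
                t += dt
        if fired is None:
            break
        # Firing: consume one token per input place, execute the junction function
        # and hand its result to the output places that carry variables.
        x = {}
        for p in fired.pre:
            x.update(marking[p].pop(0))
        y = fired.junction(x)
        for p in fired.post:
            marking.setdefault(p, []).append(dict(y) if places[p].ode is not None else {})
        log.append((round(t, 3), fired.name, dict(y)))
    return log, marking


def run_scenario(ev1_stuck: bool, evs_stuck: bool, horizon: float = 3000.0) -> dict:
    """Inject the valve failure modes through the initial marking (constructed
    scenario) and report whether the feared state is reached, and at what date."""
    marking: Dict[str, List[Vars]] = {
        "V_cr": [{"v": 100.0}],          # the tank token and its volume variable
        "EV1_stuck" if ev1_stuck else "EV1_ok": [{}],
        "EVS_stuck" if evs_stuck else "EVS_ok": [{}],
    }
    log, final = simulate(PLACES, TRANSITIONS, marking, horizon)
    overflow = [date for date, name, _ in log if name == "T13"]
    return {"firings": [(date, name) for date, name, _ in log],
            "feared_reached": bool(final.get("Overflow")),
            "overflow_date": overflow[0] if overflow else None}


if __name__ == "__main__":
    for case in [(False, False), (True, False), (True, True)]:
        print(case, run_scenario(*case))
```

In the nominal case the tank cycles between T11 at 110 and T12 at 90; with EV1 stuck closed the relief valve takes over (T14 at 115, T15 at 90); with both valves stuck the volume reaches 120 and T13 fires into the Overflow place at date 1176.5, which is (120 - 100) / 0.017 rounded up to the 0.5 integration step. The firing dates are exactly the "dates of firing of the transitions" that the solver hands back to the discrete algorithm in the figure.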

Example – Modelling
 "electrovalve" and "relief electrovalve" classes (figure: the DPT Petri net models of ev1 and evs)

Example – Scenarios Research
 Search for the feared scenarios with the Petri net model:
   Feared state: overflow of tank 1

Example – Scenarios Research (figure only)