Conference Paper

Model-Based Resilience Assessment Framework for Autonomous Systems

Abstract

While automation technologies advance faster than ever, gaps in resilience capabilities between autonomous and human-operated systems have not yet been identified and addressed appropriately. To date, there exists no generic framework for resilience assessment that is applicable to a broad spectrum of domains or able to take into account the impact of system-specific attributes on mission-scenario-level resilience. In the proposed framework, resilience describes the ability of a system, across an open range of adverse scenarios, to maintain normal operating conditions or to recover from degraded or failed states in order to provide the anticipated functions or services and achieve mission success. The term resilience is introduced in relation to the classical terms fault, error, failure, fault tolerance, reliability, and risk. The proposed model-based resilience assessment framework is built on a resilience ontology that lets system models feed reliability and risk models, giving transparent, persistent, and up-to-date modeling and quantification. A SysML profile and an associated OWL ontology are defined so that a range of resilience mechanisms can be used in the design and operation of a system.

... Eventually, only a few papers (i.e., [32], [33], [34], [35], [36], [37], [38], [39], [40], [41], [42], [43]) fulfilled the criteria and were evaluated. Hartsell et al. [34] present ReSonAte, a dynamic risk estimation and assessment framework for autonomous systems. ...
... Diaconeasa et al. [37] propose a model-based resilience assessment framework that exploits a resilience ontology to guarantee transparent and up-to-date modeling and quantification of the system risk and reliability metrics. The main objective of this work is to overcome the usually weak integration of reliability analysis in the model-based software engineering process. ...
Article
This paper proposes an evaluation framework for autonomous systems, called LENS. It is an instrument to make an assessment of a system through the lens of abilities related to adaptation and smartness. The assessment can then help engineers understand in which direction it is worth investing to make their system smarter. It also helps to identify possible improvement directions and to plan for concrete activities. Finally, it helps to make a re-assessment when the improvement has been performed in order to check whether the activity plan has been accomplished. Given the high variability in the various domains in which autonomous systems are and can be used, LENS is defined in abstract terms and instantiated to a specific and important class of medical devices, i.e., Programmable Electronic Medical Systems (PEMS). The instantiation, called LENS PEMS, is validated in terms of applicability, i.e., how it is applicable to real PEMS, generalizability, i.e., to what extent LENS PEMS is generalizable to the PEMS class of systems, and usefulness, i.e., how it is useful in making an assessment and identifying possible directions of improvement towards smartness.
... Method (DEPM) [63], where failures can be defined descriptively or systematically extracted from SysML/UML [64] graphs or by modeling the flow of control and associated data in a logical software block [65]. ...
... Building DEPM models bears significant upfront investment in system decomposition analysis, simulation, and incorporating the applicable failure mechanisms. Analysts can partially offload this burden for some models by including guided automation tools that generate DEPM from SysML/UML [64] or by directly compiling source code to a DEPM target [65]. At the same time, model checking using expressive temporal logic notation, the generalizability of Markov chain analysis, and inherently small model sizes improve readability and model reusability. ...
Thesis
This thesis introduces an integrated framework for enhancing the safety assessment of fission batteries—nuclear reactors designed with battery-like features for autonomous operation—by combining two advanced risk modeling techniques: the dual error propagation graph (DEPM) and event modeling risk assessment using linked diagrams (EMRALD). Fission batteries are an emerging concept in nuclear power, characterized by their modularity, minimal human intervention, and advanced control systems. To ensure their safe operation, especially in unattended settings, it is crucial to employ probabilistic risk assessment (PRA) methods that can dynamically model the complex interactions within these systems. DEPM is a method that uses probabilistic model checking, a technique for verifying that a system meets certain reliability criteria, to analyze how errors can propagate through a system's components. EMRALD is a tool that employs discrete dynamic event trees (DDETs), which are models that simulate how sequences of events unfold over time, allowing for the assessment of time-specific operational risks. By integrating DEPM with EMRALD, the framework can capture detailed, time-specific behaviors of fission battery operations, including the advanced features of self-diagnosis and self-adjustment. The effectiveness of this approach is demonstrated through case studies that simulate the step-by-step shutdown response of a fission battery during a fire event. The analysis tracks the reliability of the reactor control system, focusing on the control logic implemented by redundant programmable logic controllers (PLCs). The study progresses through three stages: starting with a traditional PRA, extending to a dynamic model that includes hardware-induced software failures, and finally, modeling the possibility of multiple recoveries from such failures.
The results show that the integrated DEPM-EMRALD framework provides a more realistic representation of the fission battery's behavior under rapidly changing conditions compared to traditional methods. However, the development of effective DEPM models requires a significant upfront investment in understanding the system's components and potential failure mechanisms. Despite these challenges, the integration of DEPM into DDETs is essential for high-resolution analysis, particularly when detailed modeling is necessary to outweigh the complexities involved. This work lays the groundwork for using DEPM to model the reliability of digital control systems in current and future nuclear reactors, contributing to the advancement of Industry 4.0. Future research directions include verifying the framework against other methods, validating it with operational data, automating the model-building process, and expanding case studies to cover a wider range of scenarios.
... This allows AADL models to be extended with error models and hazard models for safety and hazard analysis [11], [12], [13]. SysML v1 resilience profiles for reliability analysis were introduced in [14] and [15]. In our previous work [16], [17], [18] we used and extended the SysML v2 RiskMetadata package [19]. ...
Conference Paper
In modern and complex production systems, the focus is shifted toward the software part. Software-Defined Manufacturing (SDM) and Cyber-Physical Production Systems (CPPS) characterize this trend. SDM and CPPS enable the concept of adaptive, flexible, and self-configuring production systems. These software-intensive robotic systems are safety-critical because they usually are applied in the same environments as human workers. Therefore, they require a continuous risk assessment. Uploading new software to the system can change its behavior drastically and therefore, the risk assessment needs to be redone. Key enabling technologies are digital twins, advanced and hybrid risk models, and Model-to-Model (M2M) transformation methods. In this paper, we introduce a new approach to the automated and continuous risk assessment based on Robot Operating System (ROS) code of a software-defined robotic system. The approach pipelines four key elements: (i) a logger that logs the data of the digital twin, (ii) an adder algorithm that creates risk-annotated code based on the given ROS code, the output of the logger, and the hardware description including risk data of robot parts, (iii) an M2M transformation algorithm that automatically generates hybrid risk models from risk-annotated code, and (iv) OpenPRA solvers for numerical evaluation of the generated hybrid risk models.
... HCL and its constituent BNs have been used previously for many of the areas of interest for AV analysis, including software safety [54], [55], organizational factors [50], [56], [57], human performance [51], [58], [59], complex interactions [60], and security [61]. HCL provides a logic context for integrating ESDs, FTAs, and BNs, as well as indirectly incorporating other analysis tools such as FMEA or Markov Chains. Research has also been undertaken to integrate HCL into a modern Model-Based Systems Engineering framework [62]. ...
Article
Autonomous Vehicles (AVs), also known as self-driving cars, are a potentially transformative technology, but developing and demonstrating AV safety remains an open question. AVs offer some unique challenges that stretch the limits of traditional safety engineering practices. Most current safety standards and methodologies in the AV industry were not originally intended for application to autonomous vehicles, and they have significant limitations and shortcomings. In this article, we analyze the literature to first build an argument that a new safety framework is needed for AVs. We then use the identified limitations of current methodologies as a basis to formulate a set of fundamental requirements that must be met by any proposed AV safety framework. We propose a new AV safety framework based on the Hybrid Causal Logic (HCL) methodology, which combines Event Sequence Diagrams (ESDs), Fault Tree Analysis (FTA), and Bayesian Networks (BNs). The HCL framework is developed at a conceptual level and then evaluated versus the identified fundamental requirements. To further illustrate how the framework may meet the requirements, a simple example of an AV perception system scenario is developed using the HCL framework and evaluated. The results demonstrate that the HCL framework provides an integrated approach that has the potential to satisfy more completely the fundamental requirements than the current methodologies.
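The HCL combination described in this abstract (ESD pivotal events quantified by fault trees, with fault-tree basic events conditioned on Bayesian-network nodes) can be made concrete with a small worked example. The block below is an added illustration, not code from the article or its authors: the AV perception scenario, its gate structure, the rain prior, and every failure probability are assumptions made for this illustration, and the fault-tree evaluator is only exact because no basic event is shared between branches.

```python
"""Constructed example: HCL-style quantification of an AV perception scenario.

ESD pivotal events are quantified by fault trees; one fault-tree basic event is
conditioned on a Bayesian-network (BN) node. Every structure and number below is
an assumption made for this illustration, not data from the cited article.
"""
from dataclasses import dataclass
from typing import Dict, List, Union


def bn_marginal(parent_prob: float, cpt: Dict[bool, float]) -> float:
    """Marginalise a binary child over one binary parent using its CPT:
    P(child) = P(child | parent) P(parent) + P(child | not parent) P(not parent)."""
    return parent_prob * cpt[True] + (1.0 - parent_prob) * cpt[False]


@dataclass
class Gate:
    kind: str                           # "AND" or "OR"
    inputs: List[Union["Gate", str]]    # sub-gates or basic-event names


def ft_probability(node: Union[Gate, str], basic: Dict[str, float]) -> float:
    """Exact top-event probability for a tree whose basic events are independent
    and appear only once (no shared events, so no minimal-cut-set handling)."""
    if isinstance(node, str):
        return basic[node]
    probs = [ft_probability(child, basic) for child in node.inputs]
    if node.kind == "AND":
        result = 1.0
        for p in probs:
            result *= p
        return result
    if node.kind == "OR":
        none_fail = 1.0
        for p in probs:
            none_fail *= 1.0 - p
        return 1.0 - none_fail
    raise ValueError(f"unknown gate kind {node.kind!r}")


@dataclass
class Pivotal:
    name: str                 # pivotal event on the ESD
    p_fail: float             # probability the event fails (its fault-tree top event)
    end_state_on_fail: str    # end state reached when it fails


def esd_end_states(init_freq: float, pivots: List[Pivotal], success_state: str) -> Dict[str, float]:
    """Walk a linear ESD: at each pivotal event the failure branch terminates in
    end_state_on_fail, the success branch continues to the next event."""
    end: Dict[str, float] = {}
    remaining = init_freq
    for pv in pivots:
        end[pv.end_state_on_fail] = end.get(pv.end_state_on_fail, 0.0) + remaining * pv.p_fail
        remaining *= 1.0 - pv.p_fail
    end[success_state] = end.get(success_state, 0.0) + remaining
    return end


def av_perception_scenario() -> Dict[str, float]:
    """Initiating event: an obstacle enters the AV's path (results are conditioned
    on it, so frequency 1.0). Pivotal events: obstacle detected, then emergency braking."""
    # BN node: camera failure depends on weather (assumed CPT and prior).
    p_rain = 0.3
    p_camera_fail = bn_marginal(p_rain, {True: 0.20, False: 0.02})  # 0.074
    basic = {"camera_fail": p_camera_fail, "lidar_fail": 0.05, "fusion_sw_fail": 0.001}
    # Fault tree for "obstacle not detected": both sensors lost, or the fusion software fails.
    not_detected = Gate("OR", [Gate("AND", ["camera_fail", "lidar_fail"]), "fusion_sw_fail"])
    pivots = [
        Pivotal("obstacle detected", ft_probability(not_detected, basic), "collision"),
        Pivotal("emergency braking", 0.01, "collision"),
    ]
    return esd_end_states(1.0, pivots, "safe_stop")


if __name__ == "__main__":
    for state, prob in av_perception_scenario().items():
        print(f"{state:>10}: {prob:.6f}")
```

The point of the layering is traceability: changing the rain prior or the camera CPT changes only the BN node, the fault tree then re-derives the detection failure probability, and the ESD end-state probabilities follow without any hand-editing of the sequence model.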
Article
The notion of nuclear reactors with battery-like capabilities, called fission batteries, puts forth system requirements and design constraints that have so far been unseen in the nuclear power production industry. Such restrictions require fission batteries to be modular, integrated, autonomous, tamper-proof (i.e., resilient, fault-tolerant, all-weather, and safe), and affordable. With design requirements specifying no human intervention for operation, and minimal connectivity to remote monitoring networks, fission batteries are unique among existing nuclear power plants and emerging advanced reactor designs. Given these attributes, traditional probabilistic risk assessment (PRA) of fission batteries is expected to require dynamic methods to model advanced aspects, such as self-diagnosis, self-adjustment, and duration-prediction capabilities, as they are key ingredients for unattended operations. In addition, availability models need to integrate autonomous control, associated error-detection algorithms, and adversarial human actions. Currently, no existing framework demonstrably assesses these advanced attributes. This paper introduces and demonstrates an integrated framework for the dynamic modeling of fission battery designs. The proposed framework comprises a combined modeling strategy that uses the dual-graph error propagation methodology (DEPM) based on the continuous-time Markov chain (CTMC) models implemented in OpenPRA Error Propagation (OpenErrorPro) and the dynamic PRA tool, Event Modeling Risk Assessment using Linked Diagrams (EMRALD), based on discrete dynamic event trees (DDET). This combination overcomes some of the limitations of the tools when used independently. It enables detailed dynamic analysis to produce time-explicit results to support the development of fission battery traditional PRA models.
To evaluate the utility of this novel approach, a demonstration case is shown that models the hypothesized response of a fission battery design to an external fire event. DEPM CTMCs and alternative failure approaches are coupled with EMRALD to characterize and quantify the likelihood of the event sequences. The results show that the combined framework effectively captures the dynamic aspects of fission battery design in terms of the timing and realism of modeled events. Given the complexity of the failure scenarios, we believe that EMRALD and DEPM are necessary and complementary when the need for high-resolution analysis offsets the challenges of detailed modeling.
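The CTMC models that DEPM attaches to components (here and in the thesis abstract above, which mentions redundant PLCs) are only useful inside a dynamic event tree if their state probabilities can be evaluated at the time a branch point occurs. The block below is an added example of that transient computation, not code from the article, OpenErrorPro or EMRALD: a pure-Python uniformisation solver, checked against the textbook two-state availability formula, applied to a constructed two-PLC redundancy chain whose states, rates and single-repair-crew assumption are all illustrative.

```python
"""Constructed example: transient analysis of a small CTMC such as one DEPM
would attach to a redundant PLC pair. Solved by uniformisation in pure Python;
not the article's, OpenErrorPro's or EMRALD's own code. Rates are assumed.
"""
import math
from typing import List

Matrix = List[List[float]]


def row_times_matrix(v: List[float], m: Matrix) -> List[float]:
    """v . m for a row vector v."""
    n = len(v)
    return [sum(v[i] * m[i][j] for i in range(n)) for j in range(n)]


def ctmc_transient(q: Matrix, pi0: List[float], t: float, eps: float = 1e-12) -> List[float]:
    """State distribution at time t via uniformisation:
    pi(t) = sum_k Poisson(k; L t) * pi0 * P^k,  P = I + Q / L,  L = max_i |q_ii|.
    The series is truncated once the remaining Poisson mass is below eps.
    (For very large L*t the initial weight exp(-L t) underflows; a production
    solver would start the series near the Poisson mode instead.)"""
    n = len(q)
    rate = max(-q[i][i] for i in range(n))
    if rate == 0.0:
        return list(pi0)
    p = [[(1.0 if i == j else 0.0) + q[i][j] / rate for j in range(n)] for i in range(n)]
    x = rate * t
    weight = math.exp(-x)          # Poisson(0; x)
    covered = weight
    vec = list(pi0)                # pi0 * P^k
    out = [weight * s for s in vec]
    k = 0
    while 1.0 - covered > eps:
        k += 1
        vec = row_times_matrix(vec, p)
        weight *= x / k            # Poisson(k; x) from Poisson(k-1; x)
        covered += weight
        out = [o + weight * s for o, s in zip(out, vec)]
    return out


def two_state_generator(lam: float, mu: float) -> Matrix:
    """Single component: state 0 = up, 1 = down; fails at lam, repaired at mu."""
    return [[-lam, lam], [mu, -mu]]


def two_state_availability_closed_form(lam: float, mu: float, t: float) -> float:
    """Textbook result used to check the solver: P(up at t) starting from up."""
    s = lam + mu
    return mu / s + (lam / s) * math.exp(-s * t)


def plc_pair_generator(lam: float, mu: float) -> Matrix:
    """Two identical PLCs, one repair crew, control lost when both are down.
    State 0: both OK  -> 1 at 2*lam
    State 1: one down -> 0 at mu (repair), -> 2 at lam (second failure)
    State 2: both down, absorbing (an unreliability question, so no repair out of it)."""
    return [
        [-2 * lam, 2 * lam, 0.0],
        [mu, -(mu + lam), lam],
        [0.0, 0.0, 0.0],
    ]


def plc_pair_unreliability(lam: float, mu: float, t: float) -> float:
    """Probability that control has been lost by time t, starting with both PLCs OK."""
    return ctmc_transient(plc_pair_generator(lam, mu), [1.0, 0.0, 0.0], t)[2]


if __name__ == "__main__":
    LAM, MU = 1e-3, 0.1           # per hour, assumed for illustration
    for hours in (10.0, 100.0, 1000.0):
        print(f"t={hours:>6.0f} h  P(control lost) = {plc_pair_unreliability(LAM, MU, hours):.3e}")
```

Making the "both down" state absorbing turns the chain into an unreliability model; adding a repair transition out of state 2 would turn the same generator into an availability model, which is the kind of switch a DDET branch (repair crew present or not) would drive.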