Conference PaperPDF Available

Automated Generation of Hybrid Probabilistic Risk Models From SysML V2 Models of Software-Defined Manufacturing Systems

Authors:

Abstract and Figures

The concepts of Software-Defined Manufacturing (SDM) and Digital Twins emphasize the current trend in production system development. These systems are characterized by frequent software updates to address adjustable production processes and higher system flexibility. These software-intensive systems are safety-critical and require a thorough reliability analysis. This implies the necessity to automatically re-evaluate the reliability before each software update. In this paper, we introduce a new Model-to-Model (M2M) transformation method that enables the automatic generation of hybrid reliability models from the Digital Twin formalism based on SysML v2. The models of the Digital Twin are extended with reliability data. The method includes (i) transformation of behavioral models to Markov chains, (ii) transformation of structural models to fault trees, and (iii) the generation of hybrid reliability models based on the software and system structure. Besides, this paper describes an SDM-system, based on a robotic manipulator, that fulfills two different tasks depending on the uploaded software. This case study shows that our M2M transformation method enables continuous reliability assessment of SDM-systems.
Content may be subject to copyright.
Automated Generation of Hybrid Probabilistic Risk
Models From Sysml V2 Models of
Software-Defined Manufacturing Systems
Philipp Grimmeisen
University of Stuttgart
Germany
Yuliang Ma
University of Stuttgart
Germany
Mihai A. Diaconeasa
North Carolina State University
Raleigh, NC
Andrey Morozov
University of Stuttgart
Germany
Abstract—The concepts of Software-Defined Manufacturing
(SDM) and Digital Twins emphasize the current trend in pro-
duction system development. These systems are characterized
by frequent software updates to address adjustable production
processes and higher system flexibility. These software-intensive
systems are safety-critical and require a thorough reliability
analysis. This implies the necessity to automatically re-evaluate
the reliability before each software update.
In this paper, we introduce a new Model-to-Model (M2M)
transformation method that enables the automatic generation of
hybrid reliability models from the Digital Twin formalism based
on SysML v2. The models of the Digital Twin are extended
with reliability data. The method includes (i) transformation
of behavioral models to Markov chains, (ii) transformation of
structural models to fault trees, and (iii) the generation of hybrid
reliability models based on the software and system structure.
Besides, this paper describes an SDM-system, based on a robotic
manipulator, that fulfills two different tasks depending on the
uploaded software. This case study shows that our M2M transfor-
mation method enables continuous reliability assessment of SDM-
systems.The concepts of Software-Defined Manufacturing (SDM)
and Digital Twins emphasize the current trend in production
system development. These systems are characterized by frequent
software updates to address adjustable production processes and
higher system flexibility. These software-intensive systems are
safety-critical and require a thorough reliability analysis. This
implies the necessity to automatically re-evaluate the reliability
before each software update.
In this paper, we introduce a new Model-to-Model (M2M)
transformation method that enables the automatic generation of
hybrid reliability models from the Digital Twin formalism based
on SysML v2. The models of the Digital Twin are extended
with reliability data. The method includes (i) transformation
of behavioral models to Markov chains, (ii) transformation of
structural models to fault trees, and (iii) the generation of
hybrid reliability models based on the software and system
structure. Besides, this paper describes an SDM-system, based on
a robotic manipulator, that fulfills two different tasks depending
on the uploaded software. This case study shows that our M2M
transformation method enables continuous reliability assessment
of SDM-systems.
Keywords: Reliability Analysis, Hybrid Reliability Models, M2M
Transformation, Markov Chains, Fault Trees.
I. INTRODUCTION
In modern production systems, the focus is increasingly
centered on the software part. This trend is characterized
by the Software-Defined Manufacturing (SDM) concept [1].
SDM divides the manufacturing ecosystem into Physical Man-
ufacturing Layers and Software Definition Layers. The whole
production software, such as embedded software, machine
control software, and cloud services is based on the description
of the product. Key technologies for SDM are Digital Twins
(DTs) [2] of the physical system and Model-Based System
Engineering (MBSE). MBSE provides modeling languages,
such as SysML, to describe the backbone of a DT.
SDM production systems are safety-critical and require a
thorough reliability analysis. Traditional production systems
are characterized by rare software updates, standard software
components, and fixed production lines. The parts of such a
production system are dedicated to a specific task and the re-
liability analysis is conducted only once before the execution.
The reliability analysis of such traditional production lines is
based on classical reliability models, such as event trees, fault
trees, or reliability block diagrams. The concept of SDM and
flexible production lines brings new challenges to reliability
analysis. SDM-systems are characterized by frequent software
updates. Each update changes the behavior of the system
significantly, and must be automatically evaluated before each
software update. To accomplish this, advanced, highly flexible,
and hybrid reliability models are required. Moreover, these
models must be automatically generated and synchronized
with the DT of the production system via Model-to-Model
(M2M) transformation methods.
Contribution: This paper presents the method for the
generation of hybrid reliability models from SysML v2 models
of SDM-systems extended with reliability data. The method
consists of (i) the generation of Markov Chains (MC) from
behavioral diagrams, (ii) the generation of Fault Trees from
structural diagrams, and (iii) the generation of hybrid MC and
FT reliability models. The new method enables the automated
and continuous reliability analysis of SDM-systems. Figure
1 demonstrates how our M2M transformation algorithm is
integrated into the continuous analytical workflow. The algo-
rithm automatically generates hybrid reliability models from
the structural and behavioral models of the Digital Twin.
These hybrid reliability models serve as input for the Open-
PRA framework. OpenPRA computes the numerical reliability
values, such as the probability that the system will perform
the required task, and provides this data to the reliability,
availability, maintainability, and safety engineer.
II. STATE OF THE ART
A. Model-Based Systems Engineering (MBSE)
MBSE is the formalized system modeling to support
requirements, analysis, design, validation, and verification
phases of the system development life cycle [3].
In this paper, we choose SysML v2 as the modeling
language and follow a simplified modeling method based
on structural and behavioral diagrams. As a modeling tool,
we use Eclipse extended with the SysML v2 plugin. The
presented M2M transformation method can be transferred to
other modeling languages, such as MonitArc [4], SysML v1.6
[5], or Architecture Analysis & Design Language (AADL) [6].
SysML [7], [5] is a standardized modeling language that
provides system engineers the ability to visualize and design
models for various aspects of hardware and software systems
and their components. SysML v2 enhances the precision,
integration, expressiveness, consistency, and interoperability
of the language as compared to SysML v1.X. SysML v2
is an extension of the kernel metamodel defined by the
Kernel Modeling Language and SysML v1.X is a profile of
UML. SysML v2 includes both complete textual and graphical
notation [7].
B. Reliability analysis
AMarkov chain [8], [9] describes a mathematical ab-
straction of a stochastic process. It consists of a set of states
and transitions between them. The process starts from an
initial state. The transition to jump from the current state to
the next one is described by the transition probability and
depends only upon the current state. The most commonly
used Markov chains are Continuous-Time Markov Chains
(CTMCs) and Discrete-Time Markov Chains (DTMCs). A
DTMC defines a Markov process as a directed graph weighted
with transition probabilities. In reliability analysis, a Markov
chain describes the system operation process considering
stochastically-defined reliability-related events such as activa-
tion of faults, repairs, propagation of errors, or component
replacement.
For reliability analysis, the most common ones are absorb-
ing Markov chains. An absorbing Markov chain has at least
one absorbing (final) state that can be reached from any other
state. It is impossible to leave an absorbing state, the other
states in the Markov chain are transient. The reliability-related
questions are (a) ”What is the probability that the process ends
in an absorbing state?” and (b) ”How many steps will it take
on average?”. The answers are given by the computation of
the probability of absorption and the time to absorption [9]. A
variety of numerical methods for quantifying a Markov chain
exist.
AFault Tree (FT) [10] models how failures can propagate
through the system and cause a system failure. The failure of
the system or subsystem is represented as the top event. The
leaves of an FT are basic events that model the failures of
individual system components. Intermediate events are logical
gates such as OR, AND, and K/N and demonstrate how
failures in individual components can propagate through the
system to a system failure. The fault tree analysis is the most
common quantitative technique for reliability evaluation.
Hybrid reliability models: To assess the reliability of the
system from various points of view it is important to combine
different reliability models into so-called hybrid reliability
models. The hybrid casual logic defines the common way of
combining event trees, fault trees, and Bayesian networks [11].
The classical approach to combine event trees and fault trees
is to connect fault trees to the nodes of an event tree. In our
previous paper [12], we introduced the open-source software
platform OpenPRA. OpenPRA supports the analysis of hybrid
reliability models including combined event and fault trees and
Markov chain with interconnected fault trees. The standard
approach to combine a Markov chain and fault trees is to
link the failure probabilities of fault trees to the Markov chain
transitions.
C. Model-to-Model (M2M) transformation
M2M transformation methods enable the continuous relia-
bility assessment of SDM-systems. The automated generation
of fault trees has been investigated in many research works
[13], [14], [15], [16], [17], [18]. The M2M transformation to
Markov chains has been subject of different research works
[19], [20], [21], [22], [23], [24]. The main difference between
these works is the type of the source model. We generate
the fault trees and Markov chains from SysML v2 whereas
other methods use SysML v1, AADL, MATLAB & Simulink,
Unified Modeling Language etc. [25] and [26] introduce
SysML v1 resilience profiles for dependability analysis.
In [13], fault trees are generated from SysML v1 structural
diagrams. The structure of the system and the interaction
between components are modeled with SysML v1 internal
block diagrams. The M2M transformation method is based on
predefined patterns and a graph traversal algorithm. Another
automatic fault tree generation approach from SysML v1 is
introduced in [14]. An automatic transformation method to
fault trees from AADL model is presented in [15]. The system
structure is modeled in AADL annotated with fault and failure
information. The fault trees are automatically transformed
from the annotated AADL models.
A transformation of SysML v1 activity diagrams to DTMC
models is proposed in [19]. The SysML v1 activity diagrams
are extended with a time constraint annotation. The DTMCs
were analyzed by the means of Probabilistic Model Checking
[27].
None of the discussed M2M transformation methods sup-
port the transformation to hybrid reliability models. Our M2M
transformation algorithm can automatically generate a top-
level Markov chain linked with fault trees from the structural
and behavioral system models.
III. SOURCE MODEL: EXTENDED SYSML V2
SYSTEM MODEL
We assume that the DT of the SDM-system is defined with
SysML v2 formalism extended with risk metadata. SysML
Fig. 1. THE INTEGRATION OF THE PROPOSED M2M TRANSFORMATION ALGORITHM INTO THE AUTOMATED CONTINUOUS RELIABILITY
ANALYSIS WORKFLOW OF SDM-SYSTEMS. THE M2M TRANSFORMATION ALGORITHM IS THE KEY CONTRIBUTION OF THIS PAPER.
v2 covers several concepts and methods to model systems,
their components, structure, behavior, and environment. In our
approach, we focus on structural and behavioral diagrams.
Structural Diagrams (SDs) use packages and parts to model
the structure of a system. A package acts like a container that
orchestrates other elements of the model. A part is a modular
structural unit that models a system or a component. Each
part can include several features such as actions, ports, or
attributes. Parts can either directly or indirectly interact with
other elements of the model [7].
Behavioral Diagrams (BDs) model the behavior of a system
with actions. Each action can be linked, inside the structural
diagram, to several parts of the system. The sequencing of
actions consists of connected actions and control nodes and
shows the software flow of the system. This is illustrated in
Figure 7. ControlNodes such as DecisionNode,MergeNode,
JoinNode, and ForkNode can control the software flow. In this
paper, we limit the behavioral diagrams to have only Deci-
sionNodes. A DecisionNode represents a control flow decision
with one incoming and one or more outgoing successions [7].
The RiskMetadata package, provided by SysML v2, allows
the embedding of reliability data such as failure probabilities
to parts or actions [7]. We have extended the RiskMetadata
package with the ability to highlight redundant components.
In this paper, we focus only on classical redundancy. However,
similarly we can model other reliability-related properties such
as spares, dependencies, or k/n switches for dynamic fault
trees, etc.
A. Structural diagrams
a) Mathematical notation:: The following set-based
mathematical notation of a structural diagram (SD) is used
8part CPU :Controller [2] {
9@RiskLevel {
10 probability = 2.167e-10;
11 redundancy =true;
12 }
13 action move :Move;
14 action piece_recognition :ObjectRecognition;
15 "..."
16 }
Fig. 2. EXCEPT OF THE TEXTUAL REPRESENTATION OF SYSML V2
STRUCTURAL DIAGRAMS.
in this paper:
SD := (P, A, S, R) :
P:={p1, . . . , pn},set of parts;
A:={a1, . . . , an},set of actions;
S(P×P×N)(P×A);
R(P×prob ×redundancy)(A×prob).
Sis a relation that maps connection between parts and their
quantity, or parts and actions. Ris a relation that maps
the probability and redundancy to parts or the probability to
actions, with prob [0; 1] and redundancy {0,1}.
b) Graphical notation:: Figure 5 illustrates a structural
diagram. The parts are, e.g. PandaRobot (A) and emotor
(B). The aggregation shows, that the PandaRobot consists of
seven e motors. The SD contains among others the action
move (D). The actions are associated with several parts. The
RiskMetadata, highlighted in (C), embedded the probability of
failure and redundant information to the part CPU.
c) Textual representation:: Figure 2 demonstrates the
textual representation of the part CPU.
B. Behavioral diagrams
a) Mathematical notation:: Behavioral diagrams (BDs)
are in this paper represented by the following set-based
5action Sorting {
7first start;
9then action piece_recognition;
11 then decide;
12 if "detected == true; @prob = 0.7" then move;
13 if "detected == false; @prob = 0.3" then done;
15 action move;
17 "..."
19 then piece_recognition;
20 }
Fig. 3. EXCEPT OF THE TEXTUAL REPRESENTATION OF SYSML V2.
mathematical notation:
BD := (N, E ) :
N:= (NA, NI, N F, N C);
E(N×N×prob).
NAis a set of actions.NIis a set of InitialNodes, this
set contains only one element. NFis a set of FinalNodes,
this set contains only one element, and NCis a set of
ControlNodes, this set contains only DecisionNodes.Eis a
relation that maps connection between nodes and probabilities,
with prob [0; 1].
b) Graphical notation:: Figure 6 shows the graphical
representation of a behavioral diagram. It consists of sev-
eral actions, e.g. box detection (A), as well as an InitialN-
ode,FinalNode, and two DecisionNodes (B). We attach the
probability of occurrence to the outgoing successions of the
DecisionNodes (C).
c) Textual notation:: A except of the textual representa-
tion of the behavioral diagram (Figure 6) is given in Figure
3.
IV. TARGET MODEL: HYBRID RELIABILITY
MODEL
A. OpenPRA format of hybrid reliability models
The automatically generated hybrid reliability models in
the OpenPRA format contain a top-level Markov chain with
interconnected fault trees. Figure 4 demonstrates the structure
and links of the hybrid reliability model in the OpenPRA
format. First, the Markov chain, absorbing states, and transient
states are defined (lines 3 - 10). Second, the edges between
states extended with transition probabilities are defined. Lines
17 - 20 demonstrate the linking to an interconnected fault tree.
The transition probability to jump from state piece recognition
to failure is given by the top-event piece recognition failure.
3<define-markov-chain name="PickAndPlace">
4<define-state name="failure" type="absorbing"/>
5<define-state name="piece_recognition" type="transient
"/>
6<define-state name="move" type="transient"/>
7<define-state name="done" type="absorbing"/>
8<define-state name="pick" type="transient"/>
9<define-state name="move_with_piece" type="transient"/
>
10 <define-state name="place" type="transient"/>
11 <define-edge from="failure" to="failure">
12 <double value="1"/>
13 </define-edge>
14 <define-edge from="done" to="done">
15 <double value="1"/>
16 </define-edge>
17 <define-edge from="piece_recognition" to="failure">
18 <include top-event="piece_recognition_failure" fault-
tree="piece_recognition_action"/>
19 <double value="1"/>
20 </define-edge>
21 "..."
22 </define-markov-chain>
Fig. 4. EXCEPT OF THE HYBRID RELIABILITY MODEL IN OPENPRA
FORMAT.
B. Mathematical notation of fault trees
The following set-based mathematical notation of fault trees
is used in this paper:
F T := (E, G, C ) :
E:= (EB, eT, EI),set of FT nodes;
EB:={eB
1, . . . , eB
n},set of basic events;
EI:={eI
1, . . . , eI
n},set of intermediate events;
G:={g1, . . . , gn}, gi {AND, O R}∀i , set of gates;
C(G×EB)(G×EI)(G×eT).
eTdefines the top event of the fault tree. Cis a relation that
maps gates and basic events, gates and intermediate events, or
gates and the top event.
C. Mathematical notation of Markov chains
The following set-based mathematical notation of Markov
chains is used in this paper:
MC := (S, E, s0, L) :
S:={s1, . . . , sn},set of states, s0S , initial state;
E(S×S×prob), prob [0; 1];
L(E×eT),links to interconnected fault trees.
Eis a relation that maps edges from state to state extended
with transition probabilities.
V. TRANSFORMATION METHOD
A. Overview
Our transformation algorithm parses the given SysML v2
files and searches for defined keywords. This enables us to
understand the structure of behavioral and structural diagrams
and to read the reliability-related data for further processing.
The actions are transformed into transient DTMC states and
one or several absorbing failure states are created. Also, the
absorbing done state is created. The interconnected fault trees
provide the transition probabilities. The probabilities of control
nodes are added to the associated transitions. Our algorithm
creates a fault tree for each action based on the structural
diagram of the system. In this fault tree, only the used parts
appear as basic events. The reliability data provides the failure
probabilities for each basic event. Additionally, the reliability
data includes redundancy information. Within this information,
we automatically generate the fault trees from the structural
diagram.
B. Transformation algorithm
The transformation algorithm from SysML v2 structural and
behavioral diagrams to hybrid reliability models is described
with pseudo code in Algorithm 1 and Algorithm 2.
Algorithm 1 Markov chain transformation algorithm
//Step (0): Read BD
read(’BD’)
//Step (1): Create empty sets
MC.S :
=
MC.E :
=
for node in Ndo
//Step (2): Transform actions to states, create failure state for each
action
if node NANFthen
MC.S.add(node)
MC.S.add(failure node)
end if
//Step (3): Map the connection between states and transition probs or
links
if node NCthen
MC.E[old state].add(state)
MC.E[old state].add(prob)
end if
MC.E[old state].add(state)
MC.E[old state].add(L)
end for
//Step (4): Write MC
write(MC)
VI. CASE STUDY
A. System overview
The robotic manipulator consists of four redundant CPUs,
a camera, a suction cup, seven non-redundant electric motors,
seven non-redundant torque sensors, and two redundant power
systems, as shown in Figure 5. Depending on the software,
the robotic manipulator can perform two tasks. The software
is modeled as a behavioral diagram.
a) Task 1 ”Sorting”:: The software for sorting pieces
into a box, Figure 6, consists of the following steps: initially,
the manipulator tries to recognize a piece to pick. If the piece
is recognized, the manipulator moves to the position. After
moving to the desired position, the position is checked one
more time. If the position is correct, the manipulator picks
the piece, detects the box, moves to the box, and releases the
piece into the box. If not, the manipulator adjusts itself. After
Algorithm 2 Fault tree transformation algorithm
//Step (0): Read SD
read(’SD’)
//Step (1): Create empty sets
F T.E :
=
F T.G :
=
F T.C :
=
action parts :
=
//Step (2): Transform parts to basic events and add prob and redundancy
for part in Pdo
FT.E.add(part)
if prob == TRUE then
FT.E[part].add(prob)
end if
if redundancy == TRUE then
FT.E[part].add(redundancy)
end if
end for
//Step (3): Map the relation between parts and actions
for action in Sdo
for part in Sdo
if part ×action then
action parts[action].append(part)
end if
end for
end for
//Step (4): For each action create one FT
for action in action parts do
eT=str(action ft
FT.G.add(OR)
FT.C.add(OR, eT)
//Step (5): Add all the associated basic events, for redundant parts add
AND gate
for part in action parts[action] do
if FT.E[part].redundancy == TRUE then
FT.G.add(AND)
FT.C.add(AND, FT.E[part])
end if
if basic events[part].redundancy == FALSE then
FT.C.add(OR, FT.E[part])
end if
end for
//Step (6): write FT
write(FT)
end for
the successful release of the piece, the manipulator tries to
recognize another piece. In the case that there is no recognized
piece, the task is finished.
b) Task 2 ”Puzzle game”:: The puzzle software, seen in
Figure 7, consists of the following steps: (1) the manipulator
makes a picture of the created puzzle figure and the puzzle
algorithm calculates the trajectory. (2) The manipulator tries to
recognize the first piece according to the algorithm. (3) If the
piece is recognized, the manipulator moves to the position. (4)
After moving to the desired position, the position is checked
one more time. (5) If the position is correct, the manipulator
picks the piece, checks the path again, and moves to the
desired position. (6) The rotation of the piece is checked.
(7) If the rotation is correct, the piece is placed. If not,
the manipulator rotates the piece. (8) If the position of the
manipulator is not correct, it adjusts itself. In the case that
there is no recognized piece, the puzzle is finished.
Fig. 5. EXCEPT OF THE SYSTEM STRUCTURE OF THE ROBOTIC
MANIPULATOR MODELED IN SYSML V2.
B. System models
We model the system in a SysML v2 structural diagram. It
consists of a high-level package and parts. Figure 5 shows the
structural diagram of the system. We model the components
of the PandaRobot (A) as parts extended with reliability data.
The reliability data contain the probability of failure and the
possibility to mark redundancy, we extended for example
the part CPU with the probability of failure and mark the
redundancy (C). Each action uses different parts of the system.
Thus, the actions are connected to the associated components.
For example, the action move is connected to the parts CPU,
Fig. 6. THE SOFTWARE FLOW OF THE SORTING TASK.
Fig. 7. THE SOFTWARE FLOW OF THE PUZZLE TASK.
TABLE I
PROBABILITY OF ABSORPTION OF THE MARKOV CHAINS. THE
PROBABILITY OF ABSORPTION IS GIVEN FOR ABSORBING IN
THE FAILURE STATE.
Markov chain Probability of absorption
Puzzle 7.31e-06
Sorting 4.983e-06
TorqueSensor,E Motor, and PowerSystem (D). SysML v2
provides the possibility to add reliability data to actions. We
use this to override the probability of failure of the E Motor
during the move with piece action with a higher probability of
failure (E), due to the additional weight. Behavioral diagrams
model the software flow of the system with actions. The
sorting and puzzle software flows are shown in Figure 6 and
7.
C. Hybrid reliability models
We automatically transform the two software flows (Figure
7 and 6) into two-hybrid reliability models. These consist of
a Markov chain with interconnected fault trees. The Markov
chain of the sorting software flow is shown in Figure 8. It
contains, among others, the transient states piece recognition,
check position,move with piece, and release as well as one
absorbing failure state for each action and the absorbing state
done. It is possible to jump directly from each transient state to
the corresponding failure state. The transition probabilities are
given by the interconnected fault trees. Similarly, we automat-
ically transform the puzzle software flow into a Markov chain
with interconnected fault trees. It contains, among others, the
transient states pic,puzzle algorithm,move,pick, and place
as well as one absorbing failure state for each action and the
absorbing state done. Our M2M transformation method also
creates automatically the interconnected fault trees. Based on
the system structure our method generates a fault tree for
each action, including all required components. The failure
probabilities of the associated components are defined for one
minute of operation. The data is derived from the NPRD-95
[28] and FIDES 2009 [29]. Figure 9 demonstrates the fault tree
of the action piece recognition. The piece recognition failure
is modeled as the top event. The top event occurs either
because of the Loss of CPU,Loss of PowerSystem, or failure
of the camera. The CPU fails if all four CPUs will fail. The
power system fails if both PowerSystems will fail. In the scope
of this paper, the other fault trees are not shown.
VII. RESULTS
The reliability analysis of the presented hybrid reliability
models is conducted with OpenPRA framework. First, we
focus on the puzzle software flow. Second, we consider
the sorting software flow. Table I gives the results of the
hybrid reliability models, which consists of a top-level Markov
chain with interconnected fault trees. Both Markov chains
contain one failure state. The probability of absorption in
the failure state during the puzzle task is 7.31e06 (first
row). The starting state is the pic state. The probability of
Fig. 8. MARKOV CHAIN OF THE SORTING SOFTWARE FLOW. WITH
ONE ABSORBING FAILURE STATE FOR EACH ACTION AND THE
ABSORBING STATE DONE.
Fig. 9. FAULT TREE OF THE PIECE RECOGNITION FAILURE. THE TOP
EVENT OCCURS EITHER BECAUSE OF THE LOSS OF CPU, LOSS OF
POWER SYSTEM, OR FAILURE OF THE CAMERA.
absorption in the failure state of the sorting task, starting
in the piece recognition state, is 4.893e06 (second row).
We also generate top-level Markov chains with a failure state
for each action. Table II presents the results for the Markov
chain with several absorbing failure states during the puzzle
task. The starting state is again the pic state. The probability
of getting absorbed in the move with piece failure or rotate
failure state is highest. In comparison Table III shows the
results of the Markov chain of the sorting task, starting in
the piece recognition state, with several absorbing failure
TABLE II
PROBABILITY OF ABSORPTION OF THE MARKOV CHAIN OF
THE PUZZLE SOFTWARE FLOW.
Failure state Probability of absorption
pic failure 1.029e-09
puzzle algorithm failure 4.454e-15
piece recognition failure 3.43e-09
move failure 1.551e-06
check position failure 2.401e-09
pick failure 1.714e-07
adjust failure 7.753e-07
check path failure 1.039e-14
move with piece failure 2.135e-06
check rotation failure 2.401e-09
rotate failure 1.893e-06
place failure 7.753e-07
TABLE III
PROBABILITY OF ABSORPTION OF THE MARKOV CHAIN OF
THE SORTING SOFTWARE FLOW.
Failure state Probability of absorption
piece recognition failure 3.43e-09
move failure 1.551e-06
check position failure 2.401e-09
pick failure 1.714e-07
adjust failure 7.753e-07
box detection failure 2.401e-09
move with piece failure 2.135e-06
release failure 3.425e-07
states. The move failure or move with piece failure states are
the most likely absorbing states. For completeness, Table IV
presents the top event failure probabilities of all given fault
trees.
The results show that our M2M transformation algorithm
is a suitable candidate to generate hybrid reliability models
from the Digital Twin (based on extended SysML v2). This
enables the automated and continuous reliability analysis of
SDM-systems. Our results also show that we can compute
the reliability of the system depending on the software. The
results of the fault trees are checked and compared against
XFTA [30].
TABLE IV
FAILURE PROBABILITIES OF THE FAULT TREES.
Fault tree Failure probability top event
Pic 1.029e-09
Puzzle algorithm 4.454e-15
Piece recognition 1.029e-09
Move 6.646e-07
Check position 1.029e-09
Pick 7.344e-08
Adjust 6.646e-07
Check path 4.454e-15
Move with piece 9.149e-07
Check rotation 1.029e-09
Rotate 6.646e-07
Place 8.114e-07
Box detection 1.029e-09
Release 1.468e-07
VIII. CONCLUSION
In this paper, we introduce a new M2M transformation
method for hybrid reliability models from Digital Twin (based
on SysML v2) formalism. We integrate our method into the
automated and continuous reliability analysis of SDM-systems
and demonstrate the applicability using a robotic manipulator
case study. Our method consists of (i) the generation of
Markov chains from behavioral diagrams, (ii) the generation
of fault trees from structural diagrams, and (iii) the generation
of hybrid reliability models consisting of top-level Markov
chains with interconnected fault trees for each software. The
automatically generated hybrid reliability models can adapt
to modifications in the system behavior and structure. The
transfer from other modeling languages that include MonitArc,
SysML v1.6, or AADL is possible. Also, the extension to other
hybrid reliability models, such as interconnected CTMCs,
Bayesian networks, or dynamic fault trees is feasible. This
will require further research and development of the M2M
transformation and will be the subject of our future work.
ACKNOWLEDGMENT
This work has been partly funded by the German Federal
Ministry of Economic Affairs and Climate Action (Bun-
desministerium f¨
ur Wirtschaft und Klimaschutz, BMWK)
under the project ”Software-defined Manufacturing f¨
ur die
Fahrzeug- und Zulieferindustrie” (SDM4FZI, funding code
13IK001ZE).
REFERENCES
[1] Lechler, A., Riedel, O., and Coupek, D., 2017. “Virtual representation
of physical objects for software defined manufacturing”. International
Conference on Production Research.
[2] Kritzinger, W., Karner, M., Traar, G., Henjes, J., and Sihn, W., 2018.
“Digital twin in manufacturing: A categorical literature review and
classification”. IFAC-PapersOnLine, 51(11), pp. 1016–1022.
[3] INCOSE, S., 2007. Vision 2020 (incose-tp-2004-004-02).
[4] Haber, A., Ringert, J. O., and Rumpe, B., 2014. “Montiarc-architectural
modeling of interactive distributed and cyber-physical systems”. arXiv
preprint arXiv:1409.6578.
[5] Hause, M., et al., 2006. “The sysml modelling language”. In Fifteenth
European Systems Engineering Conference, Vol. 9, pp. 1–12.
[6] Feiler, P. H., Gluch, D. P., and Hudak, J. J., 2006. The architecture
analysis & design language (aadl): An introduction. Tech. rep., Carnegie-
Mellon Univ Pittsburgh PA Software Engineering Inst.
[7] Object Management Group (OMG), 2021. OMG Systems Modeling
Language (SysML) Version 2.0. See also URL https://github.com/
Systems-Modeling/SysML- v2-Release.
[8] Fuqua, N. B., 2003. “The applicability of markov analysis methods
to reliability, maintainability, and safety”. Selected Topic in Assurance
Related Technologies (START), 2(10), pp. 1–8.
[9] Grinstead, C. M., and Snell, J. L., 1997. Introduction to probability.
American Mathematical Soc.
[10] Ruijters, E., and Stoelinga, M., 2015. “Fault tree analysis: A survey of
the state-of-the-art in modeling, analysis and tools”. Computer science
review, 15, pp. 29–62.
[11] Wang, C., 2007. Hybrid causal logic methodology for risk assessment.
University of Maryland, College Park.
[12] Grimmeisen, P., Karimov, A., Diaconeasa, M. A., and Morozov, A.,
2021. “Demonstration of a limited scope probabilistic risk assessment
for autonomous warehouse robots with openpra”. In ASME Interna-
tional Mechanical Engineering Congress and Exposition, Vol. 85697,
American Society of Mechanical Engineers, p. V013T14A030.
[13] Mhenni, F., Nguyen, N., and Choley, J.-Y., 2014. “Automatic fault
tree generation from sysml system models”. In 2014 IEEE/ASME
International Conference on Advanced Intelligent Mechatronics, IEEE,
pp. 715–720.
[14] Yakymets, N., Jaber, H., and Lanusse, A., 2013. “Model-based system
engineering for fault tree generation and analysis”. In International
Conference on Model-Driven Engineering and Software Development,
Vol. 2, SCITEPRESS, pp. 210–214.
[15] Joshi, A., Vestal, S., and Binns, P., 2007. “Automatic generation of static
fault trees from aadl models”.
[16] Feiler, P., and Delange, J., 2017. “Automated fault tree analysis from
aadl models”. ACM SIGAda Ada Letters, 36(2), pp. 39–46.
[17] Zhao, Z., 2014. “Uml model to fault tree model transformation for
dependability analysis”. PhD thesis, Carleton University.
[18] Papadopoulos, Y., and Maruhn, M., 2001. “Model-based synthesis
of fault trees from matlab-simulink models”. In 2001 International
Conference on Dependable Systems and Networks, IEEE, pp. 77–82.
[19] Jarraya, Y., Soeanu, A., Debbabi, M., and Hassaine, F., 2007. “Auto-
matic verification and performance analysis of time-constrained sysml
activity diagrams”. In 14th Annual IEEE International Conference and
Workshops on the Engineering of Computer-Based Systems (ECBS’07),
IEEE, pp. 515–522.
[20] Debbabi, M., Hassaine, F., Jarraya, Y., Soeanu, A., and Alawneh, L.,
2010. Verification and validation in systems engineering: assessing
UML/SysML design models. Springer Science & Business Media.
[21] Baouya, A., Bennouar, D., Mohamed, O. A., and Ouchani, S., 2015.
“A probabilistic and timed verification approach of sysml state machine
diagram”. In 2015 12th International Symposium on Programming and
Systems (ISPS), IEEE, pp. 1–9.
[22] Ouchani, S., Mohamed, O. A., and Debbabi, M., 2014. “A formal
verification framework for sysml activity diagrams”. Expert Systems
with Applications, 41(6), pp. 2713–2728.
[23] Zhang, T., Jiang, Y., Ye, J., Jing, C., and Qu, H., 2014. An aadl model-
based safety analysis method for flight control software”. In 2014 Inter-
national Conference on Computational Intelligence and Communication
Networks, IEEE, pp. 1148–1152.
[24] Joshi, A., and Heimdahl, M. P., 2005. “Model-based safety analysis of
simulink models using scade design verifier”. In International conference
on computer safety, reliability, and security, Springer, pp. 122–135.
[25] Diaconeasa, M. A., Mosleh, A., Morozov, A., and Tai, A. T., 2019.
“Model-based resilience assessment framework for autonomous sys-
tems”. In ASME International Mechanical Engineering Congress and
Exposition, Vol. 83501, American Society of Mechanical Engineers,
p. V013T13A027.
[26] Steurer, M., Morozov, A., Janschek, K., and Neitzke, K.-P., 2018.
“Sysml-based profile for dependable uav design”. IFAC-PapersOnLine,
51(24), pp. 1067–1074.
[27] Katoen, J.-P., 2016. “The probabilistic model checking landscape”. In
Proceedings of the 31st Annual ACM/IEEE Symposium on Logic in
Computer Science, pp. 31–45.
[28] Denson, W., Chandler, G., Crowell, W., Clark, A., and Jaworski, P., 1994.
Nonelectronic parts reliability data 1995. Tech. rep., RELIABILITY
ANALYSIS CENTER GRIFFISS AFB NY.
[29] Group, F., 2010. FIDES guide 2009, Reliability Methodology for
Electronic Systems.
[30] Rauzy, A., 2020. Probabilistic Safety Analysis with XFTA.
... SysML v1 resilience profiles for reliability analysis were introduced in [14] and [15]. In our previous work [16], [17], [18] we used and extended the SysML v2 RiskMetadata package [19]. The RiskMetadata package allows the integration of reliability-related data, such as the failure probability of parts into SysML v2 models. ...
... To adequately describe and analyze flexible softwaredefined systems, M2M transformation methods that automatically generate risk models are indispensable. In our previous papers [18], [16], [17] we introduced a new method that includes a transformation method from SysML v2 to hybrid risk models. This enables the automated and continuous reliability assessment based on the SysML v2 [19] models of the digital twin. ...
Conference Paper
Full-text available
In modern and complex production systems, the focus is shifted toward the software part. Software-Defined Manufacturing (SDM) and Cyber-Physical Production Systems (CPPS) characterize this trend. SDM and CPPS enable the concept of adaptive, flexible, and self-configuring production systems. These software-intensive robotic systems are safety- critical because they usually are applied in the same environ- ments as human workers. Therefore they require a continuous risk assessment. The uploading of a new software to the system can change its behavior drastically and therefore, the risk assessment needs to be redone. Key enabling technologies are digital twins, advanced and hybrid risk models, and Model-to- Model (M2M) transformation methods. In this paper, we introduce a new approach to the automated and continuous risk assessment based on Robot Operating System (ROS) code of a software-defined robotic system. The approach pipelines four key elements: (i) a logger that logs the data of the digital twin, (ii) an adder algorithm that creates risk annotated code based on the given ROS code, the output of the logger, and the hardware description including risk data of robot parts, (iii) an M2M transformation algorithm that automatically generates hybrid risk models from risk-annotated code, and (iv) OpenPRA solvers for numerical evaluation of the generated hybrid risk models.
Conference Paper
Full-text available
Probabilistic Risk Assessment (PRA) is an indispensable technology to evaluate the risk, dependability, and resilience characteristics of safety-critical systems. Therefore, PRA uses widely adopted methods, such as classical event trees, fault trees, Markov chains, Bayesian networks, and their numerous combinations. To analyze challenging failure scenarios of modern, intelligent, autonomous, and highly dynamic Cyber-Physical Systems (CPS), the integration of multiple PRA methods is needed. This paper presents a PRA approach based on classical Event Tree Analysis (ETA) and Fault Tree Analysis (FTA) and provides the technical description of a new open-source software platform called OpenPRA. Besides, this paper describes a representative case study from the autonomous system domain, focusing on autonomous warehouse robots.
Article
Full-text available
A ship collision accident is one of the most dangerous and common types of maritime accidents. Traditional probabilistic risk assessment (PRA) of ship collision accidents is a methodology that can be adopted to ensure maritime safety. Nevertheless, a need for better approaches to model human behavior, such as risk identification, communication, and decision-making, has been identified. Such advanced PRA methods require a more explicit way of taking human factors into consideration than the traditional risk assessment methods. Hybrid causal logic (HCL) is an advanced PRA method due to its unique three-level framework that includes event sequence diagrams, fault trees, and Bayesian networks, which makes it suitable for modeling human behavior that is important to ship collision accidents. This paper discusses the applicability of the HCL methodology for the ship collision accident. Firstly, the event sequences of typical ship collision accidents are summarized based on the study of 50 accident investigation reports. Then, fault trees for mechanical failure events and the Bayesian networks for human error events are constructed to analyze the events in a structured way at a more detailed level. Finally, the three main end-state types of ship collision avoidance scenario have been quantified. The result of the probability of a ship collision accident is verified by estimating the annual frequency of collision accidents in the Singapore Strait. Comparing with the historical data, the estimation results are quite near to the real case. By taking advantage of the HCL methodology, the modeling of ship collision scenarios can be carried out at a deep logical level. At the same time, it is possible to combine a detailed analysis of various primary events with a comprehensive analysis at the system level.
Conference Paper
Full-text available
Dams are a part of the critical infrastructure on which modern society relies. Probabilistic safety analysis (PSA) is one of the key tools for assessing the risks behind such critical infrastructure and is vital for the decision-making towards mitigation of risk. The current paper presents an overview of the procedure behind PSA of dams along with two case-studies. Seismic hazard for a large double-curvature arch dam is considered for the first case-study and flooding hazard for an embankment dam for the second case study. Overall conclusions are made about the obtained results and the effectiveness of the proposed analysis approaches.
Conference Paper
Full-text available
Randomization is a key element in sequential and distributed computing. Reasoning about randomized algorithms is highly non-trivial. In the 1980s, this initiated first proof methods, logics, and model-checking algorithms. The field of probabilistic verification has developed considerably since then. This paper surveys the al-gorithmic verification of probabilistic models, in particular prob-abilistic model checking. We provide an informal account of the main models, the underlying algorithms, applications from reliability and dependability analysis—and beyond—and describe recent developments towards automated parameter synthesis.
Conference Paper
Full-text available
In this paper, we focus on the integration of formal approaches for automatic FT generation within a MBSE workflow. We describe a safety modelling framework for FT generation that leverages features of SysML modelling language and includes facilities to make semantic connections with formal verification and FTA tools. MBSE methods and tools (metamodels, profiles, model transformation) are fully exploited to propose a seamless workflow customizable for safety engineers. We illustrate the FT generation and analysis flow associated with the proposed framework using the example of the train detection system and the AltaRica formal environment.
Article
The Digital Twin (DT) is commonly known as a key enabler for the digital transformation, however, in literature is no common understanding concerning this term. It is used slightly different over the disparate disciplines. The aim of this paper is to provide a categorical literature review of the DT in manufacturing and to classify existing publication according to their level of integration of the DT. Therefore, it is distinct between Digital Model (DM), Digital Shadow (DS) and Digital Twin. The results are showing, that literature concerning the highest development stage, the DT, is scarce, whilst there is more literature about DM and DS.
Article
Cyber-physical systems, used in domains such as avionics or medical devices, perform critical functions where a fault might have catastrophic consequences (mission failure, severe injuries, etc.). Their development is guided by rigorous practice standards that prescribe safety analysis methods in order to verify that failure have been correctly evaluated and/or mitigated. This laborintensive practice typically focuses system safety analysis on system engineering activities. As reliance on software for system operation grows, embedded software systems have become a major source of hazard contributors. Studies show that late discovery of errors in embedded software system have resulted in costly rework, making up as much as 50% of the total software system cost. Automation of the safety analysis process is key to extending safety analysis to the software system and to accommodate system evolution. In this paper we discuss three elements that are key to safety analysis automation in the context of fault tree analysis (FTA). First, generation of fault trees from annotated architecture models consistently reflects architecture changes in safety analysis results. Second, use of a taxonomy of failure effects ensures coverage of potential hazard contributors is achieved. Third, common cause failures are identified based on architecture information and reflected appropriately in probabilistic fault tree analysis. The approach utilizes the SAE Architecture Analysis & Design Language (AADL) standard and the recently published revised Error Model Annex V2 (EMV2) standard to represent annotated architecture models of systems and embedded software systems. The approach takes into account error sources specified with an EMV2 error propagation type taxonomy and occurrence probabilities as well as direct and indirect propagation paths between system components identified in the architecture model to generate a fault graph and apply transformations into a fault tree representation to support common mode analysis, cut set determination and probabilistic analysis.
Conference Paper
Safety analysis techniques have traditionally been performed manually by the safety engineers. Since these analyses are based on an informal model of the system, it is unlikely that these analyses will be complete, consistent, and error-free. Using precise formal models of the system as the basis of the analysis may help reduce errors and provide a more thorough analysis. Further, these models allow automated analysis which may reduce the manual effort required. The process of creating system models suitable for safety analysis closely parallels the model-based development process that is increasingly used for critical system and software development. By leveraging the existing tools and techniques, we can create formal safety models using tools that are familiar to engineers and we can use the static analysis infrastructure available for these tools. This paper reports our initial experience in using model-based safety analysis on an example system taken from the ARP Safety Assessment guidelines document.