Abstract: The present invention relates to a framework for reliability and performance analysis of safety-critical systems using stochastic modeling. The objective of the present invention is to resolve the anomalies present in the prior art techniques related to the design of a system for reliability and performance analysis of safety-critical systems using stochastic modeling.
FIELD OF INVENTION
The present invention relates to the technical field of a framework for reliability and performance analysis of safety-critical systems using stochastic modeling.
More particularly, the present invention relates to a framework for reliability and performance analysis of safety-critical systems using stochastic modeling.
BACKGROUND & PRIOR ART
The subject matter discussed in the background section should not be assumed to be prior art merely as a result of its mention in the background section. Similarly, a problem mentioned in the background section or associated with the subject matter of the background section should not be assumed to have been previously recognized in the prior art.
The subject matter in the background section merely represents different approaches, which in and of themselves may also be inventions.
Non-functional requirement analysis is the most important factor in safety-critical system construction, as it reduces the risk of catastrophic loss of assets by taking measurable actions in the design phase. Reliability and performance analysis are the two main components of non-functional requirement analysis. In this paper, a reliability analysis framework is devised which maps the Unified Modeling Language (UML) state chart model into a state-space model to analyze the dynamic behavior and state transition probabilities of a safety-critical system. A system that does not meet the performance requirement in the state-space analysis is considered to be a failure. The proposed framework is validated with thirty-two safety-critical system instances of the Nuclear Power Plant on the Reactor Core Isolation Cooling System module.
Modeling a UML diagram of a complex system, which considers concurrency, choice, and iteration as the key characteristics, is a difficult task to perform. Non-functional requirement analysis is itself a challenge in practice. Most of the existing approaches are based on the Markov model. These models either use assumed transition probabilities between the previous and present state, or estimate them from an operational profile that scarcely considers the results needed to find the reliability of the software system during the architectural design phase. Therefore, such assumptions may sometimes induce system collapse.
Etienne Andre et al. [2] introduced a transformation model in which the UML state machine is converted into a colored Petri net for formal verification. However, the proposed model is unable to handle concurrent states of the system. Further, this model also suffers from the state explosion problem for complex systems.
Christine Choppy et al. [3] came up with a framework for formal verification of a unified state chart design state (USCDS). This framework is concerned with model checking of a USCDS, which is converted into a colored Petri net in the process. However, this approach does not assess the efficiency of validation on a real-time case study.
Shuang Liu et al. [4] proposed a framework that addresses the interface between two machines (e.g., a synchronous state machine and an asynchronous one). It also deals with the dynamic nature of SCSs. This approach captures all requirements and specifications of UML machines based on operational semantics. However, the framework does not define constraints formally.
Robert G. Pettit IV and Hassan Gomaa [5] proposed a method for analysis and modeling of object-oriented software design using a design pattern based on a behavioral model. In this framework, the authors transform a UML object into Petri Nets (Colored Petri Nets). The framework, however, fails to analyze the effect of state changes in the system.
Using the state-space model, a framework for safety analysis of SCS has been presented by Kumar et al. [6]. In this work, a framework is devised using a UML-based modeling scheme. However, the proposed framework uses assumed transition probabilities, which may lead to erroneous results.
L. K. Singh et al. [7], [8] proposed two different approaches to perform safety and reliability analysis of SCS, each validated on a real-time case study. The authors' approaches convert a state-space model to a mathematical model, and this model does not use the requirement characteristics of the system to construct the state-space model. Hence there may be a high probability of missing some critical requirements.
F. Ahmad and S. A. Khan [9] proposed a framework for a railway crossing critical system in which safety analysis, minimization of delay, and an increase in track capacity are achieved. This approach designs an Arc-Constant Colored Petri Net, which advocates a bottom-up approach. The model is analyzed using the coverability tree to ensure safety and deadlock freedom. However, this work does not consider the reliability and performance scenarios of SCS.
A. Giua and C. Seatzu [10] proposed an approach based on local computation. The model is applied to a distributed system that provides high-level railway network descriptions using a class of Petri Nets. In this work, the structural analysis and liveness of the system are verified and characterized. However, reliability and performance analysis remain untouched, which is a dire need for such a critical system.
Groupings of alternative elements or embodiments of the invention disclosed herein are not to be construed as limitations. Each group member can be referred to and claimed individually or in any combination with other members of the group or other elements found herein. One or more members of a group can be included in, or deleted from, a group for reasons of convenience and/or patentability. When any such inclusion or deletion occurs, the specification is herein deemed to contain the group as modified, thus fulfilling the written description of all Markush groups used in the appended claims.
As used in the description herein and throughout the claims that follow, the meaning of “a,” “an,” and “the” includes plural reference unless the context clearly dictates otherwise. Also, as used in the description herein, the meaning of “in” includes “in” and “on” unless the context clearly dictates otherwise.
The recitation of ranges of values herein is merely intended to serve as a shorthand method of referring individually to each separate value falling within the range. Unless otherwise indicated herein, each individual value is incorporated into the specification as if it were individually recited herein. All methods described herein can be performed in any suitable order unless otherwise indicated herein or otherwise clearly contradicted by context.
The use of any and all examples, or exemplary language (e.g., “such as”) provided with respect to certain embodiments herein is intended merely to better illuminate the invention and does not pose a limitation on the scope of the invention otherwise claimed. No language in the specification should be construed as indicating any non-claimed element essential to the practice of the invention.
The above information disclosed in this Background section is only for enhancement of understanding of the background of the invention and therefore it may contain information that does not form the prior art that is already known in this country to a person of ordinary skill in the art.
SUMMARY
The present invention mainly cures and solves the technical problems existing in the prior art. In response to these problems, the present invention relates to a framework for reliability and performance analysis of safety-critical systems using stochastic modeling.
OBJECTIVE OF THE INVENTION
The principal objective of the present invention is to provide a framework for reliability and performance analysis of safety-critical systems using stochastic modeling.
BRIEF DESCRIPTION OF DRAWINGS
To further clarify various aspects of some example embodiments of the present invention, a more particular description of the invention will be rendered by reference to specific embodiments thereof which are illustrated in the appended drawings. It is appreciated that these drawings depict only illustrated embodiments of the invention and are therefore not to be considered limiting of its scope. The invention will be described and explained with additional specificity and detail through the use of the accompanying drawings.
In order that the advantages of the present invention will be easily understood, a detailed description of the invention is discussed below in conjunction with the appended drawings, which, however, should not be considered to limit the scope of the invention to the accompanying drawings, in which:
Fig. 1 shows the UML model of RCICS.
Fig. 2 shows the Petri Net model derived from the UML model of RCICS.
Fig. 3 shows the reachability graph obtained from the Petri Net model.
Fig. 4 shows the Markov chain derived from the reachability tree.
Fig. 5 shows the reliability computation model.
DETAILED DESCRIPTION
The present disclosure presents a framework for reliability and performance analysis of safety-critical systems using stochastic modeling.
Although the present disclosure has been described for the purpose of a framework for reliability and performance analysis of safety-critical systems using stochastic modeling, it should be appreciated that this has been done merely to illustrate the invention in an exemplary manner, and that any other purpose or function for which the explained structures or configurations could be used is covered within the scope of the present disclosure.
To demonstrate the proposed framework, the Reactor Core Isolation Cooling System (RCICS) of a Nuclear Power Plant (NPP) is considered as the subject of the case study.
RCICS DESCRIPTION:
The main aim of RCICS is to maintain a sufficient water level in the reactor vessel, so that core cooling is maintained whenever the reactor vessel is isolated. RCICS is a standby system for safely shutting down the Nuclear Power Plant. Complete failure or loss of AC power from the auxiliary plant is the operational condition of the RCICS. Most of the valves are open when the system is in standby condition, and the remaining valves are required to open on loss of DC power. The RCICS uses a steam turbine pump to send water to the vessel. The steam is exhausted through the RCIC turbine to the suppression pool. The components of the system are the Steam Supply Isolation valves, Steam to turbine valves, RCIC Turbine, RCIC Oil System, Safety relief valves, Condensate Storage Tank, RCIC Pump, etc. The Lube Oil Cooler provides coolant to the turbine, and some portion of the pump discharge is routed through it. For the dependability analysis, components such as the valves, pump, and control system are tested monthly with the help of feed water system test software, and the positions of all these components are sensed through sensors. Sensors collect data from different sources, such as analog and digital inputs. RCICS has circuitry for the automatic closure of components, namely the RCIC turbine, steam supply isolation valves, and turbine exhaust valves, in the event of a steam line failure. RCICS might fail for the following reasons:
Whenever DC power goes off.
Increase of temperature in the suppression chamber because it fills with steam rather than water, leading to loss of pump suction.
Inadequate cooling of the system lubricant.
Excessive increase of pressure in the reactor vessel.
The Proposed Framework for Reliability Analysis with a Case Study Illustration
In this section, a framework is proposed to carry out a reliability analysis of a Safety Critical System (SCS). Our proposed reliability analysis framework aims to overcome the limitations of the existing approaches identified in [2]-[9]. The proposed framework is beneficial for measuring all types of possible threats which can be the root cause of a possible system failure. The framework is generic in nature; thus it can be carried out for any SCS of any domain. The proposed framework is comprised of three phases, which are illustrated as follows.
PHASE 1: UML MODEL CREATION FROM THE REQUIREMENTS OF THE SYSTEM AND TRANSFORMATION OF THE UML MODEL INTO A PETRI NET
In this phase, we analyze the functional requirements of the SCS to identify the needs of different stakeholders from the failure perspective. During the process, documents are analyzed and validated. Table I describes the action of the primary segments under specific conditions.
Thereafter, all the possible failures of RCICS are identified, i.e., the cases where it diverges from its primary objective of providing cooling to the reactor in the course of loss of the ultimate heat sink (the river, sea or lake) and failure of the electrical power that operates to retain water flow.
When the RCICS receives the initiation signal, the required actions are executed automatically to retain the water flow rate in the Reactor Pressure Vessel (RPV). During this process, there may be 14 possible failures of RCICS, as shown in Table II, that can be considered as the triggering events.
TABLE I
System Requirements

| Component | Working Behavior | Condition |
|---|---|---|
| RCIC Turbine, RCIC Pump, Recirculation Pump (RP) | Shutdown | Turbine running speed exceeds the specified speed. |
| | | Turbine exhaust pressure is higher than the marked pressure. |
| | | Pump suction pressure is lower than the marked pressure. |
| | | Signal automatically shuts down. |
| Recirculation Valve (RV) & Safety Relief Valve (SRV) | Fail to Open | Mechanical failure. |
| | | DC power supply failure. |
| Lube Oil Cooler | Fail to start | Inadequate coolant. |
TABLE II
Events and Nature of Critical Components of RCICS

| Event | Description |
|---|---|
| e1 | Sensors fail to sense |
| e2 | Control system fails to work |
| e3 | Water below the minimum specified level in RPV |
| e4 | Water above the specified maximum level in RPV |
| e5 | DC power supply fails |
| e6 | Inadequate oil coolant |
| e7 | RCICS turbine fails to start |
| e8 | RP fails to turn on |
| e9 | RCICS pump fails to turn on |
| e10 | RCICS turbine fails to shut down |
| e11 | RV fails to open |
| e12 | SRV fails to open |
| e13 | SRV fails to close |
| e14 | Reset of system |
After that, we construct the UML state chart model of RCICS based on the system requirements. The state chart model is then validated to ensure that the UML model of the system obeys the system requirements and is compliant with the requirements of the stakeholders. If any functional requirements have been sidestepped, they are incorporated into the requirement analysis and the respective model. Fig. 1 depicts the constructed UML model of the RCICS.
The next step in this phase is to convert the UML state chart model into a Petri Net. The mapping of the state chart model to a Petri Net depends upon the type of UML state chart diagram: simple or orthogonal. In [6], mapping algorithms are presented to convert the state chart diagram to the Petri Net model. The Petri Net model of RCICS is devised using Algorithm 1 with the help of Algorithm 2 discussed in [6]. The Petri Net model is presented in Fig. 2. The Petri Net model is evaluated for its behavioral and structural qualities. Analysis of the Petri Net model provides valuable information, such as boundedness, liveness, deadlock, etc. It also supports the validation of critical properties of the system, such as mutual exclusion.
PHASE 2: FORMATION OF THE REACHABILITY TREE AND CONSTRUCTION OF THE CORRESPONDING MARKOV CHAIN FROM THE TREE
In this phase, a reachability tree is derived from the Petri Net; it consists of only the reachable states of the system. To construct the reachability tree, the marking matrix is produced as shown in equation (1):
P
(1)
in which all event places are characterized by Place Event ( ). It possesses a token that always has a self-loop. Petri Net places that are used to support transition firing of RCICS are not displayed, unlike in equation (1). Equation (1) demonstrates the initial marking, where
Figure 3 shows the reachability graph that we created from the Stochastic Petri Net using the transition throughput values shown in Table III. From the steady-state distribution of transitions in the stochastic Petri Net, we can observe the long-term behavior, which is measurable with a tool for modeling and analyzing Petri Nets, such as PIPE v4.3.0. To maintain the communication delay within acceptable limits, we use a 1-ms transition delay for all transitions. Then the Markov chain is developed based on the reachability tree, as displayed in Fig. 4.
TABLE III
TRANSITION THROUGHPUT VALUES

| Transition | Throughput (per msec) | Values |
|---|---|---|
| T0 | λ0 | 0.98726 |
| T1 | λ1 | 0.00588 |
| T2 | λ2 | 0.00196 |
| T3 | λ3 | 0.00056 |
| T4 | λ4 | 0.00028 |
| T5 | λ5 | 0.00028 |
| T6 | λ6 | 0.00056 |
| T7 | λ7 | 0.00056 |
| T8 | λ8 | 0.00056 |
| T9 | λ9 | 0.00056 |
| T10 | λ10 | 0.00028 |
| T11 | λ11 | 0.00028 |
| T12 | λ12 | 0.00028 |
| T13 | λ13 | 0.00028 |
| T14 | λ14 | 0.00056 |
| T15 | λ15 | 0.0035 |
| T16 | λ16 | 0.0035 |
| T17 | λ17 | 0.0035 |
| T18 | λ18 | 0.00588 |
| T19 | λ19 | 0.00028 |
| T20 | λ20 | 0.00028 |
| T21 | λ21 | 0.97942 |
| T22 | λ22 | 0.97942 |
PHASE 3: RELIABILITY QUANTIFICATION THROUGH COMPUTATION OF TRANSITION PROBABILITIES AND THE TRANSITION PROBABILITY MATRIX OF THE MARKOV CHAIN
In this phase, to compute the transition probabilities of the Markov chain, we use a transition-rate matrix in which the elements represent all transition throughputs of the Markov chain. The transition-rate matrix, denoted by Q_R, is given as equation (2).
Q_R=
(2)
Where
,
, ,
.
In the transition-rate matrix , where for is exponential sojourn time in states is where
It is the negative sum of all the remaining elements on the row of the transition-rate matrix. As such, the row-wise sum of all the elements (rates) of the matrix Q is 0.
We computed the transition probability matrix for the Markov chain using the following equation:
(5)
The computed transition probability matrix is shown in equation (6). From the Markov chain analysis, as shown in Fig. 4, we say that the RCICS fails only when it reaches the and states. Assume to be the probability that the RCICS is in state at a given time , where
When RCICS executes for infinite time, these probabilities converge to a steady-state distribution.
(6)
With
The above linear equations (8) and (9) can be solved by standard numerical techniques for systems of equations. Therefore, we can obtain the predicted reliability:
From equation (9), we get equation (11) after simplification.
(11)
Substituting the throughput values from Table III into equation (11) and solving, we get 18 linear equations:
Substituting the throughput values into the linear equations (12) to (29) and solving, we get:
, ,
, ,
, ,
, ,
, ,
, ,
, ,
, ,
, .
In addition to the above 18 linear equations, we have another linear equation from equation (8).
Now, using equation (7), we obtain:
Hence, the predicted reliability of RCICS can be computed using equation (10).
Here, the predicted reliability of RCICS obtained is
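As an added illustration of Phase 3 (this is not code from the patent), the following Python builds a transition-rate matrix from per-millisecond throughputs, checks that every row sums to zero, solves the steady-state equations, and derives the predicted reliability as one minus the steady-state probability of the failure states. The four-state chain, its rates and the choice of failure states are constructed stand-ins for the RCICS chain, whose matrix is not reproduced on this page.

```python
"""Steady-state reliability of a small continuous-time Markov chain (CTMC).

Added example, not the patent's own code. The RCICS chain has many more
states; this constructed four-state chain stands in for it:
  0 = normal operation, 1 = degraded (recoverable), 2 = trip,
  3 = total failure (a slow reset edge back to 0 keeps the chain
      irreducible so that a steady-state distribution exists).
Rates are constructed values in the per-millisecond scale of Table III.
"""
from typing import Dict, Iterable, List, Tuple

Rates = Dict[Tuple[int, int], float]   # (from_state, to_state) -> rate per ms

# Constructed transition rates (not taken from the patent).
RATES: Rates = {
    (0, 1): 0.002,    # normal -> degraded
    (0, 2): 0.001,    # normal -> trip
    (1, 0): 0.05,     # degraded -> normal (recovery)
    (1, 3): 0.0005,   # degraded -> total failure
    (2, 0): 0.05,     # trip -> normal
    (2, 3): 0.0005,   # trip -> total failure
    (3, 0): 0.01,     # total failure -> normal (reset)
}
FAILURE_STATES = {2, 3}   # the chain "fails" in the trip and total-failure states


def generator_matrix(rates: Rates, n: int) -> List[List[float]]:
    """Build Q: off-diagonal q_ij = rate i->j, diagonal = -(sum of the row's other entries)."""
    q = [[0.0] * n for _ in range(n)]
    for (i, j), r in rates.items():
        if i == j or r < 0:
            raise ValueError(f"bad rate for ({i},{j}): {r}")
        q[i][j] = r
    for i in range(n):
        q[i][i] = -sum(q[i][j] for j in range(n) if j != i)   # rows now sum to 0
    return q


def solve_linear(a: List[List[float]], b: List[float]) -> List[float]:
    """Gauss-Jordan elimination with partial pivoting (pure Python, no numpy)."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        if abs(m[piv][col]) < 1e-15:
            raise ValueError("singular system: chain is not irreducible")
        m[col], m[piv] = m[piv], m[col]
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                for c in range(col, n + 1):
                    m[r][c] -= f * m[col][c]
    return [m[i][n] / m[i][i] for i in range(n)]


def steady_state(q: List[List[float]]) -> List[float]:
    """Solve pi * Q = 0 with sum(pi) = 1: one balance equation is replaced by the normalisation."""
    n = len(q)
    a = [[q[i][j] for i in range(n)] for j in range(n)]   # row j: sum_i pi_i * q_ij = 0
    b = [0.0] * n
    a[n - 1] = [1.0] * n   # last equation: pi_0 + ... + pi_{n-1} = 1
    b[n - 1] = 1.0
    return solve_linear(a, b)


def predicted_reliability(rates: Rates, n: int, failure_states: Iterable[int]) -> float:
    """R = 1 - (steady-state probability of being in any failure state)."""
    pi = steady_state(generator_matrix(rates, n))
    return 1.0 - sum(pi[s] for s in failure_states)


if __name__ == "__main__":
    Q = generator_matrix(RATES, 4)
    print("row sums:", [round(sum(row), 12) for row in Q])
    print("steady state:", steady_state(Q))
    print("predicted reliability:", predicted_reliability(RATES, 4, FAILURE_STATES))
```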
PERFORMANCE ANALYSIS
High-speed microprocessors, large memory, and heterogeneous, low-cost designs of distributed systems draw the attention of system designers towards developing SCSs. A safety system is considered to be valid if and only if it meets the performance requirements. To carry out the performance analysis in the validation process of the design of SCSs of an NPP, the Petri Net is considered a good choice due to its ability to predict performance when not all of the system characteristics are known and they are only vaguely understood. This predicted value avoids delays in system development by saving a significant amount of effort.
The average delay of a subsystem when the system is in the steady-state condition can be computed using Little's law [11]:
where is the throughput of the system and is the average time spent in the system; is the average token density in the system:
Now, after solving equation (32) using Table IV, we get .
TABLE IV
TOKEN PROBABILITY DENSITY
Places
PE 0.01274 0.98726
P0 0.99944 0.00056
P1 0.99999 0.00001
P2 0.99902 0.00098
P3 0.99972 0.00098
P4 0.99972 0.00028
P5 0.99972 0.00028
P6 0.99944 0.00056
P7 0.99972 0.00028
P8 0.99972 0.00028
P9 0.99916 0.00084
P10 0.99916 0.00084
P11 0.99972 0.00028
P12 0.9965 0.00028
P13 0.9965 0.0035
P14 0.99804 0.0035
are the token probability density in each place of the RCICS.
Further, with the help of equation (31), we compute the average time spent in the system, i.e., milliseconds. Therefore, the average delay in the entire system is .
EXPERIMENTAL VALIDATION
In this section, we estimate the rate of failure to confirm the proposed method experimentally, using the Brown and Lipow input model [12], [13]. In this process, the complete input domain is divided into sub-domains (comparable classes). To estimate the reliability of our model, the following quantities are defined:
- is the probability specified by the operational profile; an input must be selected from each comparable class.
- is the number of trial cases or runs from each comparable class.
- is the number of trial cases which failed.
To compute the actual reliability, six steps are to be followed, as shown in Fig. 5. Using equation (33) and the data from Table V, the actual reliability is calculated:
Since the predicted reliability is higher than the actual reliability, with a difference:
Hence, the error percentage [14] can be calculated as
Therefore, the accuracy of our proposed reliability estimation framework is
which shows the validation of our proposed framework.
TABLE V
RELIABILITY COMPUTATION USING BROWN AND LIPOW MODEL
Comparable Class
RCICT_Start 1
RCICP_On 2
RP_On 3
RV_Open 1
DC_Power On 5
RCICT_Start, RCICP_ON 1
RV_Open RP_On 3 100
SRV_Open 6 30
RCICT_Start, RCICP_On, SRV_Open 3 30
RV_Open, RP_On, SRV_Open 5 40
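As an added example (not the patent's own code) for the experimental validation described above, the following Python computes the Brown and Lipow estimate of actual reliability from the operational-profile probability, trial runs and failed runs of each comparable class, then the error percentage and accuracy against a predicted value. Since equation (33) is not reproduced on this page, the formula R = 1 - sum over classes of p_i * (f_i / n_i) and the error definition |R_pred - R_actual| / R_actual * 100 are assumptions; the class names follow Table V, while the probabilities, run counts, failure counts and the predicted value are constructed.

```python
"""Brown and Lipow input-domain reliability estimate with error/accuracy check.

Added example, not the patent's own code. Assumed formula (Brown and Lipow):
    R_actual = 1 - sum_i p_i * (f_i / n_i)
where, for comparable class i, p_i is its operational-profile probability,
n_i the number of trial runs and f_i the number of failed runs.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class ComparableClass:
    name: str
    p: float      # operational-profile probability of this input class
    runs: int     # trial cases drawn from the class
    failed: int   # trial cases that failed


def brown_lipow_reliability(classes: List[ComparableClass]) -> float:
    """1 minus the profile-weighted failure fraction over all comparable classes."""
    if not classes:
        raise ValueError("no comparable classes")
    total_p = sum(c.p for c in classes)
    if abs(total_p - 1.0) > 1e-9:
        raise ValueError(f"operational profile must sum to 1, got {total_p}")
    failure_prob = 0.0
    for c in classes:
        if c.runs <= 0:   # a class never exercised contributes no evidence at all
            raise ValueError(f"{c.name}: a class with no trial runs gives no estimate")
        if not 0 <= c.failed <= c.runs:
            raise ValueError(f"{c.name}: failed runs must lie between 0 and runs")
        failure_prob += c.p * c.failed / c.runs
    return 1.0 - failure_prob


def error_percentage(predicted: float, actual: float) -> float:
    """Assumed definition: relative error of the prediction against the measured value, in percent."""
    if actual <= 0:
        raise ValueError("actual reliability must be positive")
    return abs(predicted - actual) / actual * 100.0


def accuracy_percentage(predicted: float, actual: float) -> float:
    return 100.0 - error_percentage(predicted, actual)


# Constructed data: class names follow Table V, the numbers do not.
CLASSES = [
    ComparableClass("RCICT_Start", 0.30, 200, 1),
    ComparableClass("RCICP_On", 0.25, 200, 2),
    ComparableClass("RV_Open", 0.20, 100, 1),
    ComparableClass("SRV_Open", 0.15, 40, 2),
    ComparableClass("DC_Power On", 0.10, 50, 1),
]
PREDICTED = 0.99   # constructed stand-in for the Phase 3 result

if __name__ == "__main__":
    actual = brown_lipow_reliability(CLASSES)
    print("actual reliability:", actual)
    print("error %:", error_percentage(PREDICTED, actual))
    print("accuracy %:", accuracy_percentage(PREDICTED, actual))
```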
Claims:
1. A Safety critical system is designed to function in a safe manner so that its failure should not lead to catastrophic effects, including injury or death to humans and harm to the environment, and it takes itself to a safe state, ensuring goals of performance and safety, using an approach for reliability & performance analysis of safety-critical systems by stochastic modeling through the following steps:
a. Analyzing functional requirements of the safety-critical system, based on failure perspectives, to identify the safety parameters;
b. Modeling the requirements using UML state chart models and validating the model for all the functional requirements to ensure that there are no inconsistencies and faults;
c. Converting the UML state chart model into a Petri Net model, which is a stochastic model;
d. Deriving a reachability tree from the Petri Net to identify the state space of the system;
e. Determining the possibility factor of the failure or generation of any fault in the model of the safety-critical system related to reliability, stability and performance, which are to be considered for the normal operating condition, recessive malfunction state, recessive tripping state and total failure mode;
f. Setting up a Reliability Evaluation Model based on Markov state space modeling using reliability parameters, wherein the Reliability Evaluation Model uses a plurality of running status parameters with computing secure stabilization, recessive malfunction, and running time evaluation; and
g. Computing the Reliability quantification through Computation of Transition Probabilities and the Transition Probability Matrix of the Markov Chain.
2. The Safety critical system as claimed in claim 1, wherein, to compute the transition probabilities of the Markov chain, a transition-rate matrix is used in which the elements represent all transition throughputs of the Markov chain.
3. The Safety critical system as claimed in claim 1, wherein the mapping of the state chart model to the Petri Net is dependent upon the various types of UML state chart diagrams.
4. The Safety critical system as claimed in claim 1, wherein the Reactor Core Isolation Cooling System (RCICS) of a Nuclear Power Plant (NPP) is considered as the Safety critical system.
| # | Name | Date |
|---|---|---|
| 1 | 202031014381-STATEMENT OF UNDERTAKING (FORM 3) [31-03-2020(online)].pdf | 2020-03-31 |
| 2 | 202031014381-REQUEST FOR EARLY PUBLICATION(FORM-9) [31-03-2020(online)].pdf | 2020-03-31 |
| 3 | 202031014381-FORM-9 [31-03-2020(online)].pdf | 2020-03-31 |
| 4 | 202031014381-FORM 1 [31-03-2020(online)].pdf | 2020-03-31 |
| 5 | 202031014381-DRAWINGS [31-03-2020(online)].pdf | 2020-03-31 |
| 6 | 202031014381-DECLARATION OF INVENTORSHIP (FORM 5) [31-03-2020(online)].pdf | 2020-03-31 |
| 7 | 202031014381-COMPLETE SPECIFICATION [31-03-2020(online)].pdf | 2020-03-31 |
| 8 | 202031014381-FORM 18 [13-09-2022(online)].pdf | 2022-09-13 |
| 9 | 202031014381-FER.pdf | 2023-12-28 |
| 10 | 202031014381-FORM 4 [28-06-2024(online)].pdf | 2024-06-28 |
| 11 | 202031014381-RELEVANT DOCUMENTS [25-08-2024(online)].pdf | 2024-08-25 |
| 12 | 202031014381-RELEVANT DOCUMENTS [25-08-2024(online)]-1.pdf | 2024-08-25 |
| 13 | 202031014381-PETITION UNDER RULE 137 [25-08-2024(online)].pdf | 2024-08-25 |
| 14 | 202031014381-PETITION UNDER RULE 137 [25-08-2024(online)]-1.pdf | 2024-08-25 |
| 15 | 202031014381-OTHERS [25-08-2024(online)].pdf | 2024-08-25 |
| 16 | 202031014381-MARKED COPIES OF AMENDEMENTS [25-08-2024(online)].pdf | 2024-08-25 |
| 17 | 202031014381-FORM 13 [25-08-2024(online)].pdf | 2024-08-25 |
| 18 | 202031014381-FER_SER_REPLY [25-08-2024(online)].pdf | 2024-08-25 |
| 19 | 202031014381-DRAWING [25-08-2024(online)].pdf | 2024-08-25 |
| 20 | 202031014381-COMPLETE SPECIFICATION [25-08-2024(online)].pdf | 2024-08-25 |
| 21 | 202031014381-CLAIMS [25-08-2024(online)].pdf | 2024-08-25 |
| 22 | 202031014381-AMMENDED DOCUMENTS [25-08-2024(online)].pdf | 2024-08-25 |
| 23 | 202031014381-ABSTRACT [25-08-2024(online)].pdf | 2024-08-25 |
| 1 | 202031014381E_27-12-2023.pdf | |