Stochastic models and methods for the safety and
Stochastic modeling
techniques for the safety and
dependability analysis of DES
Andrea Bobbio
Dipartimento Informatica,
Università del Piemonte Orientale,
Alessandria (Italy)
[email protected]
Andrea Bobbio
MED-08, Ajaccio, June 26, 2008
1
Dependability and DES
Technological objects (as well as natural and
biological beings) age in time reducing their
ability to perform their functions until,
eventually, a final catastrophic breakdown
occurs.
Dependability and DES
We adopt the term dependability to identify the
ability of a system to deliver service that can
justifiably be trusted.
Dependability is an integrating concept that
encompasses various attributes:
Reliability: continuity of correct service.
Availability: readiness for correct service.
Maintainability: ability to undergo modifications
and repairs.
Safety: absence of catastrophic consequences.
[Figure slide] What dependability theory and practice wants to avoid
[Figure slide] Are these connections reliable?
Dependability and DES
The obvious statement that any object ages implies that any model of a technological system, to be realistic, should include the dependability aspects.
However, this inclusion has two undesirable effects:
• it increases the model complexity;
• it introduces time scales spread over various orders of magnitude.
Dependability and DES
The separation in time scales can be invoked to
theoretically justify the decomposition of the
functional model with respect to the dependability
model and to consider each one in isolation.
P.J. Courtois - Decomposability: Queueing and Computer System
Applications, Academic Press, 1977
A. Bobbio and K.S. Trivedi.
An aggregation technique for the transient analysis of stiff Markov chains.
IEEE Transactions on Computers, C-35:803-814, 1986.
Safety and DES
Even if safety is considered to be an attribute of dependability, it often requires autonomous and specific modeling techniques.
Safety problems usually require accounting for some critical continuous variables that may exceed acceptable limits.
Safety (and dependability) analysis of DES leads to the need to combine continuous and discrete variables into a single modelling framework.
Dependability and DES
A discrete event system is an event-driven system, that is, its state evolution depends entirely on the occurrence of discrete events over time. The admissible time instants are taken from a continuous or a discrete set.
Lothar Thiele, Computer Engineering and Networks Laboratory: Discrete Event Systems - Introduction
Since dependability-related phenomena are event driven, models and methods for DES are very similar to models and methods for dependability.
Outline
• Correctness verification vs stochastic analysis
• Heterogeneous dependability modeling of DES: Fault trees and Bayesian networks;
• Example of safety analysis: Fluid models;
• Draw-net tool.
Modelling Methods for DES
To deal with the modeling and analysis of dependable and time-critical DES, two main methodologies can be envisaged:
• functional models, whose aim is to ascertain conformity to specification and reachability properties;
• stochastic models, whose aim is to provide performance and dependability measures.
Modeling paradigms
Various classifications are possible.
• For what concerns the timing: stochastic vs non-stochastic; discrete vs continuous.
• For what concerns the state space: discrete vs continuous (or hybrid).
Timed Models
In Timed (or non-stochastic) models the timing of events is represented by constant values or (non-deterministic) intervals.
Typical fields of application:
• Scheduling
• Real time
• Validation and Verification
The Model Checking Problem
Model checking: an automated verification technique that checks whether a given finite-state model satisfies a given requirement, by systematic exhaustive state-space exploration.
Simulation: checks whether the specification holds on some executions.
Functional vs stochastic models
Functional models explore the area of
what is possible.
Stochastic models explore the area of
what is probable.
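To make the contrast concrete, here is an added example (constructed for this page, not taken from the talk) that asks both questions of the same small event-driven model: a two-component system with one repairman that halts when both components are down. The exhaustive exploration answers whether the halt state is reachable at all and returns a witness event sequence, as a model checker would; the Monte Carlo simulation, with exponential failure and repair rates that are assumed values, estimates how probable the halt is within a time horizon.

```python
"""Exhaustive state-space exploration versus stochastic simulation of one DES.

Constructed example (not from the talk): two components and one repairman;
if both components are down the system enters an absorbing HALT state.
Failure and repair rates are assumed values."""
from collections import deque
import random

UP, DOWN, HALT = "U", "D", "HALT"
LAMBDA = 0.01   # failure rate per hour (assumed)
MU = 0.5        # repair rate per hour (assumed)

def enabled_events(state):
    """Event-driven model: [(event, rate, next_state)] enabled in `state`."""
    if state == HALT:
        return []                      # HALT is absorbing
    c1, c2 = state
    events = []
    if c1 == UP:
        events.append(("fail_1", LAMBDA, HALT if c2 == DOWN else (DOWN, c2)))
    if c2 == UP:
        events.append(("fail_2", LAMBDA, HALT if c1 == DOWN else (c1, DOWN)))
    if c1 == DOWN:
        events.append(("repair_1", MU, (UP, c2)))
    if c2 == DOWN:
        events.append(("repair_2", MU, (c1, UP)))
    return events

def reachable(start=(UP, UP)):
    """Functional question (what is possible): breadth-first exploration of
    the whole state space. Returns the reachable states and a shortest
    witness event sequence leading to HALT, or None if HALT is unreachable."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        s = queue.popleft()
        for ev, _, nxt in enabled_events(s):
            if nxt not in parent:
                parent[nxt] = (s, ev)
                queue.append(nxt)
    witness = None
    if HALT in parent:
        witness, s = [], HALT
        while parent[s] is not None:
            s, ev = parent[s]
            witness.append(ev)
        witness.reverse()
    return set(parent), witness

def halt_probability(horizon, runs=20000, seed=1):
    """Stochastic question (what is probable): Monte Carlo estimate of
    Pr{HALT is reached within `horizon` hours} with exponential timings."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(runs):
        t, s = 0.0, (UP, UP)
        while s != HALT:
            evs = enabled_events(s)
            total = sum(r for _, r, _ in evs)
            t += rng.expovariate(total)        # time to the next event
            if t > horizon:
                break
            u = rng.random() * total           # which event fires
            for _, r, nxt in evs:
                u -= r
                if u <= 0.0:
                    s = nxt
                    break
        else:
            hits += 1                          # loop ended in HALT
    return hits / runs

if __name__ == "__main__":
    states, witness = reachable()
    print("reachable states:", len(states), "witness to HALT:", witness)
    print("Pr{HALT within 100 h} ~", halt_probability(100.0))
```

The two answers are different in kind: the exploration says HALT is reachable in two events whatever the rates are, while the simulation says that with these rates it is reached within 100 hours in only a few percent of the runs.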
Outline
• Correctness verification vs stochastic analysis
• Heterogeneous dependability modeling of DES: Fault trees and Bayesian networks;
• Example of safety analysis: Fluid models;
• Draw-net tool.
Stochastic Models
In Stochastic Models the timing of events is represented by random variables.
Typical fields of application:
• Performance evaluation (stochastic attributes are: inter-arrival times of jobs, duration of service, …)
• Dependability analysis (stochastic attributes are: failure times, recovery and repair times, …)
The obtainable measures are mean values, moments and distributions.
Model properties
Several modeling paradigms are available. The usability of a model can be classified according to two main properties:
• The Modeling Power refers to the ability of the model to allow an accurate and faithful representation of the system;
• The Decision Power refers to the ability of the model to be analytically tractable and to provide results with a low space and time complexity.
Model Types in Dependability
• Combinatorial models assume that components are statistically independent: poor modeling power coupled with high analytical tractability. Examples: Reliability Block Diagrams, FT, Network Reliability, …
• State-space models rely on the specification of the whole set of the possible system states and of the possible transitions among them. Examples: CTMC, Petri nets, …
Combinatorial Models: Network Reliability
[Figure slide] Random Network (Poisson Distribution); Scale Free Network (Power-law Distribution)
State-Space Models
A system state encodes a complete description of the state
of each component, the stochastic behaviour of each
component may depend on the state of all the other
components.
This extreme flexibility is very seldom exploited in practice
since it is very rare to encounter applications in which each
component changes its stochastic behavior according to
the state of all the other components.
The state space description appears overspecified with
respect to the real modeling needs.
New Model Types in Dependability
Local dependencies: between combinatorial and state-space models, research is currently carried out to include localized dependencies:
• Dynamic FT (DFT)
• Bayesian Networks (BN)
Heterogeneous Models
Modeling power and decision power are in competition.
A single modeling paradigm is not sufficient in any practical situation, and we need to resort to a combination of Heterogeneous Models.
SHARPE, Möbius, Galileo and Drawnet are examples of tools based on heterogeneous modeling.
Multiformalism Models
[Figure slide] From FT:
• to Bayesian Networks (BN);
• to Dynamic FT (DFT), solved by CTMC or PN, or converted into a Bayesian Network (BN).
Fundamental assumptions for FT
Widespread diffusion; simple to manipulate; powerful software tools (combinatorial solutions, BDD).
• Events are binary events (working/non-working);
• Events are statistically independent;
• Relationships between events and causes are logical AND and OR (Boolean) gates;
• The root of the FT is the catastrophic undesired event, called the Top Event (TE).
Case study: a PLC architecture
[Figure slide]
PLC architecture: FTA
[Figure slide]
Bayesian Networks
Bayesian Networks have become a widely used
formalism for representing uncertain knowledge in
probabilistic systems and have been applied to a
variety of real-world problems.
BN are defined by a directed acyclic graph in
which discrete random variables are assigned to
nodes, together with the conditional dependence
on the parent nodes.
Root nodes are nodes with no parents, and
marginal prior probabilities are assigned to them.
References
This work has been done with my colleagues L. Portinale, S. Montani, and D. Codetta-Raiteri.
• L. Portinale and A. Bobbio. Bayesian networks for dependability analysis: an application to digital control reliability. In: 15th Conf. Uncertainty in Artificial Intelligence, UAI-99, July, 551-558, 1999.
• A. Bobbio, L. Portinale, M. Minichino and E. Ciancamerla. Improving the Analysis of Dependable Systems by Mapping Fault Trees into Bayesian Networks. Reliability Engineering and System Safety, 71:249-260, 2001.
• A. Bobbio, D. Codetta-Raiteri, S. Montani, L. Portinale. Reliability analysis of Systems with Dynamic Dependencies. In: Bayesian Networks: A Practical Guide to Applications, O. Pourret, P. Naim and B.G. Marcot Eds., pages 225-238, John Wiley & Sons, March 2008.
• S. Montani, L. Portinale, A. Bobbio, D. Codetta-Raiteri. Radyban: A tool for reliability analysis of dynamic fault trees through conversion into dynamic Bayesian networks. Reliability Engineering and System Safety, 93:922-932, 2008.
BN versus FTA
BNs may improve both the modeling and the analysis power with respect to FT.
Modeling issues:
• Local conditional dependencies, probabilistic gates, multi-state variables, dependent failures, uncertainty in model parameters.
Analysis issues:
• A forward (or predictive) analysis;
• A backward (diagnostic) analysis, in which the posterior probability of any set of variables is computed.
FTA OR Gate vs BN Node
[Figure slide: OR gate and the corresponding BN node with its conditional probability table (CPT)]
FTA AND Gate vs BN Node
[Figure slide: AND gate and the corresponding BN node with its CPT]
FTA k:n Gate vs BN Node
[Figure slide: k:n gate and the corresponding BN node with its CPT]
The BN model of the PLC
[Figure slide]
Advanced BN modeling features
BN can also improve the modeling power with respect to FT:
• Probabilistic Gates;
• Multi-state Variables;
• Sequentially dependent failures;
• Parameter uncertainty.
Probabilistic Gates: Common Cause Failures
[Figure slide]
Multi-state Variables
[Figure slide: prior probabilities and CPT]
Multi-state nodes and sequentially dependent failures
[Figure slide: CPT]
Parameter uncertainty in BN models
Node PS is no longer a root node but becomes the child of a new root node, in which the multi-valued PS variable is defined.
Diagnostic inference on BN
Any probabilistic computation that can be performed on a FT can also be performed on a BN (using only prior information).
Standard BN inference deals with the computation of the posterior probability of any set of variables Q given the evidence set E (i.e. P(Q|E)).
By considering the evidence E as the occurrence of a failure, posterior information can be very relevant for criticality and diagnostic (fault localization) aspects.
Local dependencies: Dynamic Fault Trees
As proposed by Joan Dugan et al., local dependencies can be included in a FT by defining a new class of gates, called Dynamic gates.
This extension has been called Dynamic Fault Tree (DFT).
J. Bechta Dugan, S.J. Bavuso, and M.A. Boyd. Dynamic fault-tree models for fault-tolerant computer systems. IEEE Trans Reliability, 41:363-377, 1992.
J. Bechta Dugan, K.J. Sullivan, and D. Coppit. Developing a low-cost high quality software tool for dynamic fault-tree analysis. IEEE Trans Reliability, 49:49-59, 2000.
Dynamic Gates (Dugan et al.)
They allow modeling local dependencies among basic components or among their failure events.
[Figure slide: Warm Spare Gate, Sequence Enforcing Gate, Functional Dependency Gate, Priority And]
HSS Sprinkler System
[Figure slide]
L. Meshkat and J.B. Dugan. Dependability analysis of systems with on demand and active failure modes using Dynamic Fault Trees. IEEE Transactions on Reliability, 51(2):240-251, 2002.
DFT Representation
[Figure slide]
DFT Solution via CTMC or GSPN
• Separation into dynamic modules;
• Generation of the corresponding CTMC for the dynamic modules;
• Translation of the DFT into a GSPN. It can be done through graph transformation rules.
Transformation technique
• Each Basic Event is isolated and transformed into a GSPN.
• Each gate, with its input events and its output event, is isolated and transformed into a GSPN.
• All the GSPNs are merged together by superposition over the common places.
• The resulting GSPN corresponds to the DFT.
D. Codetta Raiteri, "The Conversion of Dynamic Fault Trees to Stochastic Petri Nets, as a case of Graph Transformation", In Electronic Notes on Theoretical Computer Science vol. 127(2), pages 45-60, Elsevier, March 2005.
WSP gate transformation
M is the main component; S is the spare component.
S replaces M if M fails.
S is initially dormant (stand-by).
S has two failure rates:
• αλ when dormant (0 < α < 1);
• λ when working.
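The CTMC behind a WSP dynamic module can also be solved directly. The Python code below is an added example, not the talk's GSPN translation: it builds the four-state generator of one main component with one warm spare, computes the transient state probabilities by uniformization, and checks the probability that the gate output has failed against a closed form obtained by integrating over the two failure paths (spare fails while dormant, or main fails first and the working spare fails later). The rates are assumed values, and the main and spare components are given separate rates λ_M and λ_S, which generalizes the single λ of the slide.

```python
"""Transient solution of the CTMC of a warm spare (WSP) dynamic module.

Added example, not the talk's GSPN translation. Module states (main M, spare S):
0 = M up, S dormant; 1 = M failed, S working; 2 = M up, S failed while
dormant; 3 = both failed, i.e. the gate output has failed. Rates are assumed;
giving M and S separate rates generalizes the slide's single λ."""
import math

def wsp_generator(lam_m, lam_s, alpha):
    """Infinitesimal generator Q of the 4-state WSP module (rows sum to 0)."""
    q = [[0.0] * 4 for _ in range(4)]
    q[0][1] = lam_m             # M fails, S is switched in
    q[0][2] = alpha * lam_s     # S fails while dormant (reduced rate)
    q[1][3] = lam_s             # working spare fails after M
    q[2][3] = lam_m             # M fails with no spare left
    for i in range(4):
        q[i][i] = -sum(q[i])
    return q

def transient(q, pi0, t, eps=1e-12):
    """State probabilities at time t by uniformization:
    pi(t) = sum_k Poisson(k; Λt) * pi0 * P^k, with P = I + Q/Λ and Λ the
    largest exit rate. The series stops once the Poisson mass accounted for
    exceeds 1 - eps (for very large Λt the k = 0 term underflows and a
    scaled variant would be needed)."""
    n = len(q)
    lam = max(-q[i][i] for i in range(n))
    if lam == 0.0:
        return list(pi0)
    p = [[(1.0 if i == j else 0.0) + q[i][j] / lam for j in range(n)]
         for i in range(n)]
    vec = list(pi0)                  # holds pi0 * P^k
    weight = math.exp(-lam * t)      # Poisson term for k = 0
    acc, k = 0.0, 0
    result = [0.0] * n
    while acc < 1.0 - eps and k < 100000:
        for i in range(n):
            result[i] += weight * vec[i]
        acc += weight
        k += 1
        vec = [sum(vec[i] * p[i][j] for i in range(n)) for j in range(n)]
        weight *= lam * t / k
    return result

def wsp_unreliability(lam_m, lam_s, alpha, t):
    """Pr{WSP gate output failed by t} from the CTMC, starting in state 0."""
    return transient(wsp_generator(lam_m, lam_s, alpha), [1.0, 0.0, 0.0, 0.0], t)[3]

def wsp_unreliability_closed_form(lam_m, lam_s, alpha, t):
    """Same quantity by direct integration: 1 minus the probability of being
    in one of the three non-failed states at time t."""
    a = lam_m + alpha * lam_s                       # exit rate of state 0
    p0 = math.exp(-a * t)
    d = lam_m + (alpha - 1.0) * lam_s               # a - lam_s
    p1 = lam_m * math.exp(-lam_s * t) * ((1.0 - math.exp(-d * t)) / d if d else t)
    p2 = math.exp(-lam_m * t) * (1.0 - math.exp(-alpha * lam_s * t))
    return 1.0 - p0 - p1 - p2

if __name__ == "__main__":
    for t in (100.0, 1000.0, 5000.0):
        print(t, wsp_unreliability(1e-3, 2e-3, 0.2, t),
              wsp_unreliability_closed_form(1e-3, 2e-3, 0.2, t))
```

The closed form exists only because this module has four states and no repair; the uniformization routine is what a solver actually needs once modules are composed, since it works for any generator matrix and its error is controlled by the truncation parameter alone.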
FDEP gate transformation
Input events:
• one trigger event (T)
• a set of dependent events (D1, D2, …)
If T fails, D1, D2, … are forced to fail.
Output event: Y=T
PAND gate transformation
Y fails if
• X1, … Xn are all failed (AND condition)
• X1, …, Xn failed in the specified order
(priority condition)
DFT model
[Figure slide]
Dynamic Module: State Space Solution via conversion into GSPN
[Figure slide]
Conversion into GSPN
[Figure slide]
Conversion into GSPN
[Figure slide] Pr{#PumpFault=1}
DFT → FT → BDD
Pr{PumpFault, t=1000h} = 1.14275598e-04
Pr = 1.14275598e-04
Pr{SystemFault, t=1000h} = Pr{DigCon, t=1000h} · Pr{F1, t=1000h} + (1 − Pr{DigCon, t=1000h}) · Pr{F0, t=1000h} = 0.0265295
Bayesian Networks to solve DFT
The use of BNs is an alternative way to analyze FTs:
Bayesian Networks
• Remove the assumption on binary events
• Remove the assumption on statistical independence
• Remove the assumption on Boolean gates (AND, OR)
• Noisy OR, noisy AND
• Provide a more flexible forward and backward analysis
• Forward (predictive) analysis: Pr(TE), Pr(Sub)
• Backward (diagnostic) analysis: Pr(A|TE), Pr(TE|A), …
• Avoid the state space generation
• Avoid the representation of the global state model
Dynamic Bayesian Networks (DBN)
• DBN is a discrete model
– The system is represented at several time slices
– Conditional dependencies among variables at different slices are introduced to capture the temporal evolution.
• 2TBN:
– Markovian assumption
– 2 time slices: t, t+Δ
DFT conversion into DBN
Modular approach:
• First, every single gate is converted into a DBN.
• Then, the resulting DBNs are connected together in correspondence to the nodes they share.
• An adjustment to the CPT of a node is required when new arcs enter the node, due to the connection of two DBNs.
• The connection of all the DBNs corresponding to the single gates provides the DBN expressing the DFT model.
Warm Spare gate
• A is the main component, failure rate λ
• S1, S2 are the warm spare components:
– stand-by: αλ, where α is the dormancy factor (0 < α < 1)
– working: λ
Functional Dependency gate
Pr{T(t+Δ)=1 | T(t)=1} = 1
Pr{T(t+Δ)=1 | T(t)=0} = 1 − e^{−λ_T Δt}
Pr{A(t+Δ)=1 | A(t)=1} = 1
Pr{A(t+Δ)=1 | A(t)=0, T(t+Δ)=0} = 1 − e^{−λ_A Δt}
Pr{A(t+Δ)=1 | A(t)=0, T(t+Δ)=1} = p_dep (= 1)
Priority AND gate
[Figure slide: 2TBN for the PAND gate with inputs A, B and node PF, and its state table (oper/fail)]
Pr{A(t+Δ)=1 | A(t)=1} = 1
Pr{A(t+Δ)=1 | A(t)=0} = 1 − e^{−λ_A Δt}
Pr{B(t+Δ)=1 | B(t)=1} = 1
Pr{B(t+Δ)=1 | B(t)=0} = 1 − e^{−λ_B Δt}
Pr{PF(t+Δ)=1 | *, PF(t)=1} = 0
Pr{PF(t+Δ)=1 | A(t)=0, B(t)=0, PF(t)=0} = 0
Pr{PF(t+Δ)=1 | A(t)=1, B(t)=0, PF(t)=0} = 1
Pr{PF(t+Δ)=1 | A(t)=0, B(t)=1, PF(t)=0} = 0
Pr{PF(t+Δ)=1 | A(t)=1, B(t)=1, PF(t)=0} = 1
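The Python code below is an added example (not the Radyban tool's conversion) of forward inference on a 2TBN built from transition probabilities of the kind shown above. The FDEP gate uses the five probabilities of the FDEP slide with p_dep = 1, and the result is checked against the continuous-time value 1 − e^{−(λ_T+λ_A)t}, which the discretization reproduces exactly because each step probability is 1 − e^{−λΔt}. For the PAND gate the encoding is an assumption of this example rather than the slide's PF table: an auxiliary node F remembers that A was already failed while B was still working, and a tie rule decides the order when both fail within the same slice; running both tie rules brackets the exact value Pr{T_A < T_B ≤ t}. All rates and Δt are assumed values.

```python
"""Forward inference on a two-time-slice Bayesian network (2TBN) for dynamic
gates. Added example: the FDEP transition probabilities are those of the slide
(with p_dep = 1); the PAND encoding with a sticky flag F ("A failed before B")
and its tie rule is an assumption of this example, not the talk's CPT."""
import math

def step(joint, order, cpts):
    """One slice t -> t+Δ. `joint` maps tuples of slice-t values (in `order`) to
    probabilities; cpts[name](prev, cur) returns Pr{name(t+Δ)=1} given the
    slice-t values `prev` and the slice-(t+Δ) values `cur` assigned so far
    (intra-slice arcs), so `order` must be a within-slice topological order."""
    nxt = {}
    for prev_vals, p in joint.items():
        prev = dict(zip(order, prev_vals))
        partial = [({}, p)]
        for name in order:
            expanded = []
            for cur, q in partial:
                p1 = cpts[name](prev, cur)
                for v, pv in ((1, p1), (0, 1.0 - p1)):
                    if pv > 0.0:
                        expanded.append(({**cur, name: v}, q * pv))
            partial = expanded
        for cur, q in partial:
            key = tuple(cur[n] for n in order)
            nxt[key] = nxt.get(key, 0.0) + q
    return nxt

def run(order, cpts, steps):
    """All components working at t = 0; returns the joint after `steps` slices."""
    joint = {tuple(0 for _ in order): 1.0}
    for _ in range(steps):
        joint = step(joint, order, cpts)
    return joint

def prob(joint, order, cond):
    """Probability mass of the slice states satisfying cond(state dict)."""
    return sum(p for vals, p in joint.items() if cond(dict(zip(order, vals))))

def fail_prob(lam, delta):
    return 1.0 - math.exp(-lam * delta)      # Pr{fails within one slice}

def fdep_gate(lam_t, lam_a, delta, steps, p_dep=1.0):
    """Pr{A(t)=1} for the FDEP gate: trigger T forces dependent event A."""
    order = ["T", "A"]                       # T(t+Δ) is a parent of A(t+Δ)
    cpts = {
        "T": lambda prev, cur: 1.0 if prev["T"] else fail_prob(lam_t, delta),
        "A": lambda prev, cur: 1.0 if prev["A"]
             else (p_dep if cur["T"] else fail_prob(lam_a, delta)),
    }
    return prob(run(order, cpts, steps), order, lambda s: s["A"] == 1)

def fdep_exact(lam_t, lam_a, t):
    """Continuous-time value: A fails at the first of its own or T's failure."""
    return 1.0 - math.exp(-(lam_t + lam_a) * t)

def pand_gate(lam_a, lam_b, delta, steps, tie_is_a_first=True):
    """Pr{PAND output failed at t}: A and B both failed, A first. The flag F
    remembers that A was already failed while B was still working; when both
    fail inside the same slice the order is unknown and `tie_is_a_first` decides."""
    def flag(prev, cur):
        if prev["F"]:
            return 1.0                                   # sticky
        if prev["A"] and not prev["B"]:
            return 1.0                                   # A before B, for certain
        if not prev["A"] and not prev["B"] and cur["A"] and cur["B"]:
            return 1.0 if tie_is_a_first else 0.0        # both failed this slice
        return 0.0
    order = ["A", "B", "F"]
    cpts = {
        "A": lambda prev, cur: 1.0 if prev["A"] else fail_prob(lam_a, delta),
        "B": lambda prev, cur: 1.0 if prev["B"] else fail_prob(lam_b, delta),
        "F": flag,
    }
    joint = run(order, cpts, steps)
    return prob(joint, order, lambda s: s["F"] == 1 and s["B"] == 1)

def pand_exact(lam_a, lam_b, t):
    """Pr{T_A < T_B <= t} for independent exponential failure times."""
    s = lam_a + lam_b
    return (1.0 - math.exp(-lam_b * t)) - lam_b / s * (1.0 - math.exp(-s * t))

if __name__ == "__main__":
    print("FDEP dbn/exact:", fdep_gate(1e-4, 5e-4, 1.0, 1000), fdep_exact(1e-4, 5e-4, 1000.0))
    print("PAND lower/exact/upper:", pand_gate(1e-3, 2e-3, 1.0, 1000, False),
          pand_exact(1e-3, 2e-3, 1000.0), pand_gate(1e-3, 2e-3, 1.0, 1000, True))
```

The joint over one slice is kept explicitly (8 states for the PAND gate), which is all a forward pass over a single gate needs; the slide's remark that CPTs must be adjusted when gates are connected corresponds here to a node acquiring parents from two gates at once. The gap between the two PAND bounds is the probability that A and B fail in the same slice, so it shrinks linearly with Δt.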
RADYBAN tool
DBNet allows the analysis of a DBN (DBN solver) and is a Drawnet module.
The DBN can be manually drawn or obtained from the conversion of a DFT model (DFT2DBN).
The DFT or the DBN can be drawn by means of the DrawNet graphical interface.
The DFT or the DBN are saved in XML files.
HSS – DBN representation
[Figure slide]
Outline
• Correctness verification vs stochastic analysis
• Hierarchical dependability modeling of DES: Fault trees and Bayesian networks;
• Example of safety analysis: Fluid models
• Draw-net tool.
Hybrid models for Safety problems
Safety problems usually require accounting for some critical continuous variables that may exceed acceptable limits.
Example of application of a hybrid model to a safety problem: Modeling a Car Safety Control in a road tunnel using Fluid Stochastic Petri Nets.
Hybrid Models
Hybrid models contain discrete as well as continuous variables in the same model.
Typical examples are discrete controllers that control continuous variables.
Recent modelling and analysis techniques:
• Hybrid Automata
• Fluid Petri Nets.
The Fluid Petri Net Model
FPNs are an extension of PNs able to model the coexistence of discrete and continuous variables.
The primitives of FPNs (places, transitions and arcs) are partitioned into two groups:
• discrete primitives that handle discrete tokens (as in standard PNs);
• continuous (or fluid) primitives that handle continuous (fluid) quantities.
FPNs are suitable for modeling and analyzing hybrid systems.
FSPN Primitives
[Figure slide]
Fluid Petri Nets
[Figure slide]
Hybrid models: an example
Modeling a Car Safety Control Using Fluid Stochastic Petri Nets.
This work has been done with my colleagues A. Horvath and M. Gribaudo.
A. Bobbio, M. Gribaudo and A. Horvàth. Modeling a car safety controller using fluid stochastic Petri nets. In: Proceedings 6th International Workshop on Performability Modeling of Computer and Communication Systems (PMCCS6), pp 27-30, September, 2003.
A. Bobbio, M. Gribaudo and A. Horvàth. Modelling a Car Safety Controller in Road Tunnels using Hybrid Petri Nets. In: 9th International IEEE Conference on Intelligent Transportation Systems, Toronto, September 2006.
Road Tunnel safety: Motivation
• Major road tunnel accidents in the last years.
• EU project Safetunnel: "to reduce the number of accidents inside road tunnels through preventive safety measures".
• Safety measures should not compromise the road system, slowing down the traffic and creating long queues.
• It has usually been modeled using hybrid systems.
The model
• Controlled variables are position, speed and distance.
• Fluid places describe the speed, position and distances.
• Different configurations of driver behaviors and installed safety equipment.
• The traffic is modelled by a target car and the vehicle in front of it.
[Figure slide]
Model of the truck
[Figure slide]
Model of the car
[Figure slide]
Model of the distance
[Figure slide]
Completely random (I)
• Both the truck and the car ignore each other and the speed limits!
[Figure slide]
Completely random (II)
• Simulation trace
[Figure slide]
Completely random (III)
• Car will crash!
Speed Control
• The reasonable drivers try to keep a fixed maximum speed.
[Figure slide]
Safety distance
• Car may still crash due to human reaction time, if safety distances are not respected!
Alarm (I)
• Add an alarm that sounds when the distance becomes smaller than a given threshold…
[Figure slide]
Alarm (II)
[Figure slide]
Alarm (III)
• The alarm prevents short distances among vehicles that may cause car crashes.
Sudden Stop (I)
• We may also examine what happens if the car in front stops suddenly.
[Figure slide]
Sudden Stop (II)
[Figure slide]
Sudden Stop (III)
• The alarm should be able to prevent a car accident.
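An added example, not the authors' FSPN model: a deterministic, time-stepped hybrid simulation in Python of the scenarios above. The fluid variables are the speeds of the truck and of the car behind it and the gap between them; the discrete part is the alarm level condition on the gap, the driver's reaction delay and the sudden stop of the truck. The same controller serves the "no alarm" case (the driver only notices the danger at a short distance) and the "alarm" case (warning at a longer threshold), so the two runs reproduce the crash and the avoided crash of the slides. Every parameter value is assumed, and the run is deterministic: the stochastic element of an FSPN (random reaction times, speeds or firing delays) is not modelled here.

```python
"""Hybrid (fluid + discrete) simulation of the road-tunnel car safety control.

Added example, not the talk's FSPN model: a deterministic time-stepped
approximation of the fluid variables (vehicle speeds and the gap between a
truck and the car behind it) driven by discrete events (alarm level crossing,
driver reaction delay, sudden stop of the truck). All parameters are assumed."""
from collections import deque

def simulate(d_alarm, d0=200.0, v_car0=30.0, v_truck0=20.0, v_target=30.0,
             a_brake=6.0, a_acc=2.0, tau=1.0, t_stop=20.0, a_truck_stop=8.0,
             dt=0.01, t_end=60.0):
    """Run one scenario. d_alarm is the gap (m) below which the driver is
    warned: the alarm threshold when an alarm is installed, or the much
    shorter distance at which an unaided driver notices the danger. tau is
    the driver's reaction time (s). Returns crash flag, crash time (s) and
    the minimum gap reached (m)."""
    v_car, v_truck, gap = v_car0, v_truck0, d0
    # the driver acts on the alarm level as it was tau seconds ago (pure delay)
    delayed = deque([False] * max(1, int(round(tau / dt))))
    min_gap = gap
    for i in range(int(t_end / dt)):
        t = i * dt
        # discrete part: the alarm is a level condition on the fluid variable gap
        delayed.append(gap < d_alarm)
        braking = delayed.popleft()
        # discrete event: the truck stops suddenly from t_stop on
        if t >= t_stop:
            v_truck = max(0.0, v_truck - a_truck_stop * dt)
        # continuous part: the fluid rates are selected by the discrete state
        if braking:
            v_car = max(0.0, v_car - a_brake * dt)
        else:
            v_car = min(v_target, v_car + a_acc * dt)   # speed control
        gap += (v_truck - v_car) * dt
        min_gap = min(min_gap, gap)
        if gap <= 0.0:
            return {"crashed": True, "t_crash": round(t, 2), "min_gap": 0.0}
    return {"crashed": False, "t_crash": None, "min_gap": round(min_gap, 1)}

def stopping_distance(v, a_brake, tau):
    """Reaction distance plus braking distance; an alarm threshold that is
    safe against a stopped obstacle must exceed this value."""
    return v * tau + v * v / (2.0 * a_brake)

if __name__ == "__main__":
    print("no alarm (driver notices at 15 m):", simulate(d_alarm=15.0))
    print("alarm at 120 m:                   ", simulate(d_alarm=120.0))
    print("distance needed from 30 m/s:      ", stopping_distance(30.0, 6.0, 1.0))
```

The helper stopping_distance states the design rule the two runs illustrate: with a 1 s reaction time and 6 m/s² braking from 30 m/s the warning threshold must exceed 105 m, so the 120 m alarm avoids the crash even after the truck's sudden stop, while the unaided driver reacting at 15 m crashes. Reducing tau or raising d_alarm in the first run, or increasing tau in the second, moves the outcome across the boundary.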
Outline
• Correctness verification vs stochastic analysis
• Hierarchical dependability modeling of DES: Fault trees and Bayesian networks;
• Example of safety analysis: Fluid models
• Draw-net tool.
The DrawNET Modelling System
DMS goals
• The Draw-Net Modeling System (DMS) is a framework supporting the design and the solution of models expressed in any graph-based formalism:
– Building models by composition of submodels
  • Submodels can conform to different formalisms (multiformalism)
– Defining and executing solution procedures based on
  • A single solver
  • A set of solvers (multi-solution)
– Models or submodels can conform to
  • existing available formalisms
  • formalisms defined by the user
– Integration of existing solution tools
– Use of the Data Definition Language (DDL), a common formal language to express formalisms and models
DMS architecture
[Figure slide]
DNForGe: Editor
[Figure slide]
Draw-Net tool: model editor (GSPN model)
[Figure slide]
DrawNET: the main GUI
[Figure slide]
References about DMS
• G. Franceschinis, M. Gribaudo, M. Iacono, V. Vittorini, C. Bertoncello, "DrawNet++: a flexible framework for building dependability models", Proc. of the Int. Conf. on Dependable Systems and Networks, Washington DC, USA, June 2002.
• M. Gribaudo, D. Codetta-Raiteri, G. Franceschinis, "Draw-Net, a customizable multiformalism multi-solution tool for the quantitative evaluation of systems", Proceedings of the 2nd International Conference on Quantitative Evaluation of Systems, pages 257-258, Turin, Italy, September 2005.
• M. Gribaudo, D. Codetta-Raiteri, G. Franceschinis, "The Draw-Net modeling system: a framework for the design and the solution of single-formalism and multi-formalism models", Tech. Rep. TR-INF-2006-01-01-UNIPMN, Dipartimento di Informatica, Università del Piemonte Orientale, Jan. 2006.
• M. Gribaudo, "FSPNEdit: A fluid stochastic Petri net modeling and analysis tool", Tools of Aachen 2001, Int. Multiconference on Measurements Modelling and Evaluation of Computer Communication Systems, pages 24-28, University of Dortmund, Bericht No. 760/2001, 2001.
• A. Bobbio, D. Codetta-Raiteri, "Parametric Fault-trees with dynamic gates and repair boxes", Proc. Reliability Maintainability Symp., 459-465, Los Angeles, CA USA, January 2004.
• S. Montani, L. Portinale, A. Bobbio, M. Varesio, D. Codetta-Raiteri, "A tool for automatically translating Dynamic Fault Trees into Dynamic Bayesian Networks", Proceedings of the Annual Reliability and Maintainability Symposium, pages 434-441, Newport Beach, CA USA, January 2006.
Conclusions
• Stress the need for multi-formalism multi-solution techniques
• New data structures
• Non exponential models
• Safety critical systems
• Systems of systems and interdependencies of critical infrastructures.