This section gives an example of customization of the generic CDs for the CESI pilot application within the DepAuDE project: only a subset of the generic CDs has been used in the PSAS specific case. The PSAS [29] is an automation system that provides tele-control and protection of the Primary Sub-stations (PSs) of an electricity distribution network. PSs are nodes of the electric distribution grid connecting the High Voltage transportation network to the Medium Voltage distribution network. The application is distributed both geographically and locally to the PS. Figure 3.19 shows the customization of the CD Structure of Figure 3.2: more than one copy has been generated from some classes of the generic CD, e.g., the two classes PS Automation Site and Operation Centre Automation Site have been copied from the generic class Automation Site, as stated by the value assigned to the corresponding is-a attributes. The aggregation association defined in the generic CD between the classes Plant and Plant Component becomes a set of aggregation associations, each one defined between the PS plant and a class of PS plant component; the multiplicities of these aggregations have been restricted with respect to the multiplicity 1..n of the generic aggregation. The association control defined in the generic CD between the classes Automation Component and Plant Component likewise corresponds to a set of associations with the same name: note that each PS plant component may be controlled by more than one PS automation component, in case of automation hardware redundancy, and that some PS plant components are not controlled by any PS automation component (i.e., MV-busbar, Induttance, MV-lines, MV/LV Transformer, HV/MV Transformer, Condenser, HV Circuit Breaker).
Figure 3.19: The customization of the CD Structure (diagram not reproduced in this text).

Customization of the generic CD Relationships of Figure 3.3 results in the five CDs of Figures 3.20 and 3.21, in which new application-specific classes of automation functions have been added (i.e., the classes of the hierarchy/logical views that do not have the is-a attribute specified). Moreover, values have been set for the input attributes of the PS communication functions (CD4 and CD5 of Figure 3.21). The customization of the CD Constraints of Figure 3.4 results in the two CDs shown in Figure 3.22: in CD1 upper bound values are set for the attribute execution time of the different classes of PSAS functions. Given the real-time constraint required by PSAS functions, an upper bound value for the attribute cycle time of the PS automation system is assigned. The attribute sampling period of the generic class Automation System has not been retained. The type of usage of the attributes is preserved, except for the attributes delivery performance degree characterizing the communication functions in CD2, which become input values. Moreover, values are given for the input parameter bandwidth of the PS inter-network and of the PS intra-network. CD3 is instead the result of the customization of the generic CD Properties of Figure 3.5, in which intervals for the required availability of LCL automation functions and of PU automation functions have been set.
Figure 3.20: The customization of the CD Relationships (diagram not reproduced; the classes shown include LCL Automation Function, LCL Automatic Command, LCL Explicit Command, PU Explicit Command, PU Data Measurement, PU Supervision, Spare Protection, PS Intra-site Communication and PS Centre Inter-site Communication, each with its is-a attribute pointing to the generic automation function class it specializes).

The types of faults affecting the PSAS are basically permanent physical faults, transient physical faults and intrusions: customization of the CDs representing faults, i.e., the CDs of Figures 3.6, 3.7 and 3.8, results in the CD of Figure 3.23. The associations affect have been refined, and only leaf classes of the fault hierarchy have been associated to the PSAS entities: permanent and transient physical faults affect PS automation components, PS net components and PS network links, while gateways may also be affected by intrusions. The customization of the cause-effect Chain 1 (CD1) of Figure 3.10 is shown in Figure 3.24: the focus is on physical faults affecting the PS automation components, which may cause errors in the PS automation functions performed by those components.
An error, if not recovered in due time, causes the failure of the faulty PS automation component: PS automation components are the smallest units of failure. Fault propagation is considered among PS automation components: a failure of a PS automation component may turn into a fault affecting the automation components that interact with the failed one.
The PSAS dependability strategy, represented by the CDs of Figure 3.25, aims at tolerating physical faults affecting PS automation components as well as avoiding fault propagation. It consists of four steps, as specified by the multiplicity µ2 = 4 of the aggregation association defined between the PSAS Dependability Strategy class and the PSAS Dependability Step class (CD1(a)), and it combines error processing with failure treatment. Error processing, represented by CD2 of Figure 3.25, includes a detection step and an error recovery step for transient faults.

Figure 3.21: The customization of the CD Relationships. CD4 is PS Centre Inter-site Communication (is-a: Inter-site Automation Comm. Function) and CD5 is Remote Operator Communication (is-a: Intra-site Automation Comm. Function). The input attribute values set in CD4, as read from the diagram (the pairing of each attribute block with its class follows the class names; "on-var." abbreviates on-variation), are:

  Class                                    inter-site traffic class   content type   transmission mode   packet_length
  Command Data Communication               command                    data           on-command          few bytes
  Centre Requests Communication            monitoring                 data           on-request          few bytes
  Maintenance Data Communication           maint.                     data           on-request          max 1 Mbyte
  Alarm Communication                      alarm                      data           on-variation        few bytes
  Configuration Data Communication         config.                    data file      on-request          max 1 Mbyte
  Control Data Communication               control                    data           on-variation        few bytes
  Periodic Monitoring Data Communication   monit.                     data           periodic            few bytes
Error recovery is aimed at 1) ensuring system evolution, 2) confining any loss of control (e.g., live-lock, dead-lock) within a single application cycle and 3) preventing errors caused by undetectable temporary faults from becoming permanent (e.g., flips of registers or memory cells caused by EMI that has overcome the protecting barriers).
Failure treatment, represented by CD3(h) of Figure 3.25, includes a fault passivation step for permanent faults and a failure handling step. Fault passivation is based on reconfiguration activities (CD3(a) of Figure 3.25) that exclude the faulty components. The failure handling step is executed in case of either permanent faults or unrecovered errors due to transient faults: the activities carried out in this step consist in disconnecting the PS automation component from the plant (auto-exclusion), leaving the plant in an acceptable degraded state, forcing the output to assume a pre-defined secure configuration, and providing appropriate signalling to the operator and to the remote systems.

Figure 3.22: The customization of the CDs Constraints (CD1, CD2) and Properties (CD3). Values readable from the diagram: the constraint cycle_time < min{execution_time} on the PS automation system (is-a: Autom. System), whose derived attribute /cycle_time is bounded at max 100 ms; bandwidth: 20 Kbps for the PS inter-network (is-a: Network System) and bandwidth: 10 Mbps for the PS Automation Comm. Infrastructure (from PSAS Composition, is-a: Automation Comm. Infrastructure); the diagram itself is not reproduced.
Concerning the dependable mechanisms to be used in the PSAS dependability strategy, only error detection mechanisms have been identified. They are PSAS-specific mechanisms, represented in the customized CD of Figure 3.26 by the newly added classes Detection Logic, PS Component Diagnosis and Network Monitoring. Detection of an anomaly in a PS automation component is performed by a detection logic mechanism, by a diagnostic mechanism local to each PS component and by a centralized one that monitors the status of the PS network.
Figure 3.23: The customization of the CDs of the package Fault Model (diagram not reproduced; it shows PSAS Fault (is-a: Fault) specialized into PSAS Physical Faults (is-a: Physical Faults), in turn split into PSAS Transient Physical Faults and PSAS Permanent Physical Faults, and PSAS Interaction Faults (is-a: Interaction Faults), the latter associated with PS Gateway from PSAS Composition).

Figure 3.24: The customization of the CD cause-effect Chain 1 (diagram not reproduced; it relates PSAS physical faults to the PS Automation Component class).
Figure 3.25: The customization of the CDs of the Step Model package (diagram not reproduced; it shows PSAS Dependability Strategy aggregating PSAS Dependability Step (is-a: Dependability Step, multiplicity 1..n), specialized into PSAS Error Processing Step (is-a: Error Processing Step, with PSAS Error Detection and PSAS Error Recovery) and PSAS Failure Treatment Step (is-a: Failure Treatment Step, with PSAS Fault Passivation (is-a: Fault Passivation), PSAS Reconfiguration (is-a: Reconfiguration) and PSAS Failure Handling (is-a: Failure Handling)), together with the PSAS Physical Faults, Error and Failure classes they refer to).

Figure 3.26: The customization of the CD of the Mechanism Model package (diagram not reproduced; it adds the PSAS Error Detection class).
4 Use of Stochastic Petri Nets in the DepAuDE methodology
Stochastic Petri Nets (SPNs) are used in the DepAuDE methodology to support the analyst in the construction and in the analysis of dependability models by exploiting the information contained in the CD schemes. In this chapter we focus on the derivation of SPN models.

The methodology suggests adopting a compositional approach based on a layered view of the system to build an analyzable SPN model, that is, an SPN (either GSPN or SWN) model of the system suitable to be analyzed through either numerical or simulation techniques in order to get performance/dependability results. An analyzable SPN model is then obtained by applying "proper" composition formulae to SPN component models that represent the behavior of system entities lying either in the same system level or in two neighboring levels.

By SPN component we mean a GSPN/SWN system [2] (multi-)labeled over transitions and/or places, parametric with respect to transition rates (weights) and/or initial marking. Moreover, it is characterized by a list RESULTS of indices to be computed and/or verified and by a list CONSTR of constraints to be verified.
The generic CD scheme, described in Section 3.1 of Chapter 3, contains a lot of useful information for the construction of a SPN model and, in particular, the following links have been identified:
link1 the package structure provides indication on the organization of SPN component models;
link2 concrete classes identify the system entities whose behavior can be represented by a SPN component;
link3 the aggregation system view provides information that allows to identify SPN components and the structure of the composition;
link4 hierarchy views can indicate reuse of SPN component through inheritance [86];
link5 binary general associations (associations from now on) among classes may indicate interactions and synchronization and can therefore be used to identify the labels to be assigned to SPN components and to define the composition formulae;
link6 class definition views are rich in attributes that, depending on their "type of usage", are useful to define model parameters, to set their corresponding values when classes are customized to a specific application, or to define the performance/dependability indices to be computed and checked;
link7 the FEF chain represented by the CDs cause-effect Chain 1 and cause-effect Chain 2 of the scheme is fundamental to set the relationship among faults, errors, and failures and the system components in the corresponding SPN component models;
link8 the Strategy Model package, customized for the application, allows to identify the dependability strategy to be verified through modeling that is, in terms of SPN models, it allows to select the SPN component models of the mechanisms used to add fault tolerance capabilities to the system.
Some of the links between the CDs and SPNs mentioned above can be considered domain-independent, such as links 1, 2, 3, 4 and 5, since they are based only on the features of the CD notation, so that they can be a valuable help to the modeler also outside the dependable automation system domain. Besides the domain-independent links, links based on the features of the CD schemes, such as links 6, 7 and 8, provide further information for the modeling of dependable automation systems through SPNs. These links have been exploited to suggest a structure for the system model construction, and to identify a number of models that are expected to be common to all applications that share the same generic CD scheme. In the next section (Section 4.1) we describe the structuring of the SPN model suggested by the methodology, while Section 4.2 illustrates how the library of predefined SPN component models has been set up. Section 4.3 gives guidelines on how to select, customize and refine the SPN component models and their interactions according to the application-specific CD scheme.
4.1 Structure of the Stochastic Petri Net models
An inspiring source for the structuring of SPN models within the methodology has been the work in [74], which contains an example of the organization of a dependability GSPN model into layers that clearly separate the architecture model from the service model. The interface between the architecture layer and the service layer consists of a failure mode model that allows the system to be analyzed easily under different service degradation levels. That organization focuses on the construction of dependability models for multipurpose and multiprocessor systems by following a modular approach and by elaborating generic reusable sub-models: modularity and reusability are two characteristics that have been taken into account in the DepAuDE methodology as well.
However, in [74] the FEF chain is not explicitly modeled and no high level requirement models have been used as a starting point for the construction of analyzable models as in the DepAuDE methodology.
To give structure and organization to the model we have followed the PSR layered approach proposed in [28].
In PSR the model is organized into three levels: resources, services and processes. Resources are placed at the bottom level L0 of the structure, and they provide operations for the services, placed at the middle level L1, where a service is basically a complex pattern of use of the resources. Services are then requested by the model placed at the highest level L2, that of processes. All timed activities are concentrated in the resource level.

Figure 4.1: Basic GSPN models in the PSR layered approach (diagram not reproduced; left, L0: a resource with place idleRes, the lockRes/unlockRes transitions and, for each operation i, the transitions S_op_i, op_i, E_op_i; middle, L1: a service with place IdleServ and transitions S_Serv, E_Serv, S_op_i, E_op_i; right, L2: a process skeleton requesting the service through the label Serv).
PSR provides a schema of how the resource and service nets should look, while the process level can be made up of arbitrary nets. The left part of Figure 4.1 shows a model of a single resource as originally defined in [28]. A resource can be idle, and it can offer one or more operations through the sequence of actions "start operation", "operation", "end operation" (respectively modeled by immediate transitions labeled S_op_i, timed transitions labeled op_i and immediate transitions labeled E_op_i, with i = 1, ..., n), either with or without a lock request.
The middle part of Figure 4.1 shows a single service as defined in [28]. A service can be requested by a process through the pair of "start" and "end" service labels (S_Serv, E_Serv) and, once activated, it can request resource operations via the S_op_i, E_op_i labels. The right part of Figure 4.1 depicts a skeleton of the process model that uses the services of level L1: the request of a service is performed through the label corresponding to the name of the service (Serv) and through a matching function α that maps the label Serv of level L2 into the pair of labels S_Serv, E_Serv of level L1 that offer that service.
Resource and service levels are defined through net composition operators based on transition superposition (the horizontal composition). In particular, the resource level L0 is obtained by composing the single resource models over the set of labels associated to the timed transitions, and then by deleting all the labels used in the composition. Services placed at level L1 are meant as independent services, so that the service level is obtained by parallel composition, i.e., by composing the single service models over the empty set.

Figure 4.2: Organization of the dependability scheme models in the layered approach (diagram not reproduced). Resource level: Automation Component (ACi) and Fault (FTj), with the labels affect(FTj, ACi) and perform(ACi, AFk); service level: Automation Function (AFk), Error (ERh) and Software Mechanism (Ml), with the labels effect(FTj, ERh), affect(ERh, AFk), effect(ERh, ERh'), is-part-of(AFk, AS) and address(Ml, ERh); process level: Automation System (AS), Failure (FAILn) and Software Mechanism (Mo), with the labels effect(ERh, FAILn), affect(FAILn, AS) and address(Mo, FAILn).
The resource level is composed with the service level through a vertical composition that corresponds to the composition of a labeled injective GSPN model with a multi-labeled non-injective GSPN model over the set of common transition labels. Finally, to compose the resulting net with the process level through the vertical composition, the expansion of the process model is carried out first. The expansion consists of replacing each transition that requires a service Serv with the sequence transition t' - place - transition t'', where t' and t'' are immediate transitions labeled with the first and the second component of α(Serv), respectively.
To use the PSR within the methodology it is necessary to identify the main system entities involved and their interaction. This identification is driven by the generic CD scheme, analyzing the various views, determining which classes can be considered “concrete” from a quantitative analysis point of view, and hence suitable to be represented by a SPN component model.
We have focused on the FEF chain diagrams, since the goal of the proposed approach is the dependability analysis of systems, in order to establish which entities are affected by faults, errors or failures. The Fault, Error and Failure classes, together with their sub-classes, have been assumed "concrete", since it is possible to represent the behavior of their instances (i.e., occurrences) with an SPN component model, as will be illustrated in the next section. Within the PSR structure, fault models, error models and failure mode models are considered as a type of resource model, service model and process model, respectively.
Taking into account the relations existing between the faults, errors, failures and the system classes visualized in the CD Structure (Figure 3.2), the following partial mapping between the system classes and the three-layered structure has been defined:
  Class                                     Level
  Plant Component                           resource
  Automation Component                      resource
  Network link                              resource
  Intra-site Net Component                  resource
  Gateway                                   resource
  Automation Functions                      service
  Automation System                         process
  Plant                                     -
  Network System                            -
  Automation Communication Infrastructure   -
  Automation Site                           -
  Automated System                          -
Some classes of the CD Structure have not been associated to a specific layer since they are not directly affected by faults, errors or failures. However, it is worth noticing that, although the classes Plant and Network System have not been mapped explicitly into any layer of the structure, they are aggregations of system entities placed at the resource level: their behavior can be represented by composite resource models obtained by composing the simple resource models that correspond to their parts. The organization of models into layers is sketched in Figure 4.2. At the resource level we have placed the SPN models of those system entities that can be directly