dov dori massachusetts institute of technology (visiting) technion, israel institute of technology...
TRANSCRIPT
Dov DoriMassachusetts Institute of Technology (visiting)
Technion, Israel Institute of Technology
Nuclear Engineering Seminar Series
Department of Mechanical and Nuclear
Penn State Engineering
October 23, 2014
Mirror, Mirror on the Wall – Do You See Me at All?
The Cyber-Physical Gap and its Implications on Risks:
Modeling Nuclear Hazards Mitigation
2
Multiple engineering professionals talk different languages
Mechanical Engineers Civil Engineers
Software EngineersElectronics Engineers
Systems engineers are supposed to integrate these – What language do they talk?
3
Required:
A graphical formal language for conceptually conveying system architectures & designs
4
Systems Engineers Do Have Languages– Systems Modeling Language –
SysML• OMG Standard since 2007
– Object-Process Methodology – OPM • OPM book published in 2002
• ISO Standard 19450 as of Aug. 2014
(formally: 19450 Publically Available Specification)
OPM software: OPCAT, freely downloadable from http://esml.iem.technion.ac.il/
Along with papers and other resources
5
OntologyA set of concepts for describing a domain (industry, banking, military, healthcare, nuclear engineering…) and systems within it
Universal OntologyA set of concepts for describing the universe and systems within it
6
Towards ontological grounding of model-based systems engineeringLet us try to determine the minimal set of concepts required to model the universe and systems in it
We begin with a series of Socratian questions
7
First fundamental question:
What are the things that exist in the universe?
Answer: Objects exist (or might exist)
8
Second fundamental question:
What are the things that happen in the universe?
Answer: Processes happen (or might happen)
But - processes happen to things!
9
A Follow-up question:What are the things to which processes happen?
Answer: Processes happen to objects
10
So:What do processes do to objects?
Answer: Processes transform objects
11
What does it mean for a process to transform an object?
Transforming of an object by a process means
1. creating (generating) an object
2. destroying (consuming) an object
3. affecting an object
12
What does it mean for a process to affect an object?
– A process affects an object by changing its state
– Hence, objects must be stateful; they must have states
13
Another key question:What are the two complementary aspects from which any system can be viewed?
Answer:
1. Structure – the static aspect:
what is the system made of?
2. Behavior – the dynamic aspect:
how does the system change over time?
14
What additional aspect pertains to man-made systems?
Function – the utilitarian, subjective aspect:
why is the system built? for whom?who benefits from operating it?
1515
conceived reality modeled reality
Is modeled by
Bus
Aircraft
Vehicle
Gas Filling
Is modeled by
Is modeled by
Using graphical symbols, the model expresses real things – objects and processes – and
relations among them.
is a
is a
affects
Object
Process
Energy Replenishing
is
Car
The idea behind conceptual modeling
16
The Object-Process Theorem Stateful objects, processes, and relations among them constitute a necessary and sufficient universal ontology
CorollaryUsing stateful objects, processes, and relations among them, one can model systems in any domain
17
Proof: Part 1 - necessityStateful objects and processes are necessary to specify the two system aspects, structure and behavior:
–Specifying the structural, static system aspect requires stateful objects and relations among them
–Specifying the procedural, dynamic system aspect requires processes and relations between them and the objects they transform
18
Proof: Part 2 - sufficiencyStateful objects and processes are sufficient to specify any system in any domain:
–Anything that exists can be specified in terms of stateful objects and relations among them
–Anything that happens to an object can be specified in terms of processes and relations between them and the object they transform
Q.E.D.
19
Keys to good conceptual modeling:
1. Telling processes apart from objects2. Modeling them concurrently to express the interdependence of the systems’ structure and behavior3. Managing complexity via abstraction-refinement (enables modeling systems at any level of complexity)4. Utilizing dual channel processing: graphics and text (enables using “both sides of the brain”)
20
The Six Leading MBSE Methodologies
(INCOSE Task Force, Estefan, 2008 p 43) IBM Telelogic Harmony-SE
INCOSE Object-Oriented Systems Engineering Method (OOSEM)
IBM Rational Unified Process for Systems Engineering (RUP SE)
for Model-Driven Systems Development (MDSD)
Vitech Model-Based System Engineering (MBSE) Methodology
JPL State Analysis (SA)
Object-Process Methodology (OPM): 2014 – expected ISO
19450 PAS
SysML was not surveyed since it is a language, not a methodology
21
Object-Process Methodology (OPM)Things: Objects and Processes
A thing that exists or might exist physically or informatically
A thing that transforms one or more objects
22
Processes transform objects by
(1) Consuming them:
23
Processes transform objects by
(2) Creating them:
24
Processes transform objects by
(3) Changing their state:
25
So the OPM Things are:
1. Stateful Object
2. Process
All the other elements are relations between things, expressed graphically as links
26
OPM unifies the system’s structure and behavior throughout the analysis and design of the system within one frame of reference using a small alphabet:
– Two types of things: (1) stateful objects
(2) processes
– Two families of links:(1) structural links: connect objects with objects
(2) procedural links: connect processes with objects
Compact Ontology: A Minimum Length OPM alphabet
27
OPM Aspect Unification
The three system aspects:
– Function (why the system is built), – Structure (static aspect: what is the
system made of), and – Behavior (dynamic aspect: how the
system changes over time)• Are expressed bi-modally, in graphics and
equivalent text• In a single model
Risk-Aware Modeling – The Epistemic Challenge “As we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns—the ones we don’t know we don’t know.”
(Donald Rumsfeld on going to war in Iraq)
• Knowns (which can be correct,, incorrect, or unknown)• Correct knowns: Things we know
and are correct.• Incorrect knowns: Things we know
we know, but are incorrect (called beliefs in epistemic modal logic):
• Wrong/misread measurements• Wrong assumptions• Misconceptions• Misunderstood
situations/communications
• Unknown knowns: Things we don’t know we know
• Tacit (correct) knowledge• Knowledge owned by some
member groups but not by others…
• Unknowns (so they cannot be correct or incorrect)
• Known unknowns: Things we know we don’t know
• Natural variability• Knowledge gaps
• Unknown unknowns: Things that we don’t know we don’t know
29
Cyber-Physical Systems: Characteristics
• Software-controlled physical systems• Include physical and cybernetic components• An agent – a human decision-maker or an
information & decision-making system – is the cybernetic component
• Hardware (motors, actuators, VLSI chips…) is the physical component
• Physical processes signal and induce cybernetic events
• Cybernetic processes signal and induce physical events
30
Thing’s Essence and Affiliation Attributes
• In OPM, a Thing (Object or Process) has two key attributes: Essence and Affiliation
• Essence pertains to the thing’s nature • Denotes whether the thing is physical or informatical.• Affiliation pertains to the thing’s scope • Denotes whether the thing is systemic, i.e. part of the
system, or environmental, i.e. part of the system’s environment
The Essence-Affiliation attribute value combinations
31
Essence is key to the Cyber-Physical Gap
• Thing’s Essence is key to understanding and modeling the cyber-physical gap
• physical objects in the OPM model represent what is really “out there” – actual states and values of objects
• informatical objects in the OPM model represent information about their corresponding physical objects available to a decision making agent (human or artificial)
• A cyber-physical gap exists when the state of the informatical object incorrectly indicates the state of the physical object is supposed to represent
32
Two main sources of cyber-physical gaps• Incorrect instrument reading
causes agents to create a different world view than what is really out there
Preview:
• Agent’s misconception or incorrect assumption possibly triggered or supported by incorrect measurement reading
Preview:
33
The Three-Mile Island 2 Accident March 28, 1979
http://www.nrc.gov/reading-rm/doc-collections/fact-sheets/3mile-isle.html#tmiview
Modeling the cyber-physical gap with OPM:
34
https://www.youtube.com/watch?v=0J7kHfBBBmk 2:00 – 2:15https://www.youtube.com/watch?feature=player_detailpage&v=0J7kHfBBBmk#t=121
We start with an OPM model of normal operation of Electric Energy Generating system – by a Pressurized Water Reactor
35
TMI2 Reactor Normal Operation.opx
Electric Energy Generating – An OPM Model (OPCAT simulation)
36
Electric Energy Generating In-Zoomed: Animated Simulation
37
Turbine Spinning In-Zoomed: Animated Simulation
38
Electric Energy Successfully Generated
39
Auto-generated Object-Process Language (OPL) ExampleFeedwater can be cooling tower, condensor, or steam generator. cooling tower is initial.Pressurized Water Reactor consists of Reactor Secondary Unit, Reactor Primary Unit, and Cooling Tower. Reactor Secondary Unit consists of Turbine, Generator, and Main Feedwater Pump. Turbine consists of Condensate Pump. Condensate Pump can be operational or tripped. operational is initial. Main Feedwater Pump can be operational or tripped. operational is initial. Reactor Primary Unit consists of Reactor Core and Steam Generator. Cooling Tower consists of Circulating Water Pump. Electric Energy Generating is physical.Electric Energy Generating consists of Controlled Nuclear Reaction, Steam Generating, Turbine Spinning, and Electricity Generating.Electric Energy Generating requires Pressurized Water Reactor and Cooling Tower.Electric Energy Generating yields Electric Energy.Electric Energy Generating zooms into Controlled Nuclear Reaction, Steam Generating, Turbine Spinning, and Electricity Generating. Controlled Nuclear Reaction affects Reactor Core. Controlled Nuclear Reaction yields Heat Energy. Steam Generating affects Steam Generator. Steam Generating consumes Heat Energy. Steam Generating yields Steam. Turbine Spinning consists of Turbine Water Circulating, Water Cooling, Turbine Heat Removing, and Steam Generator Water Circulating. Turbine Spinning affects Turbine. Turbine Spinning consumes Steam. Turbine Spinning yields Mechanical Energy. Turbine Spinning zooms into Water Cooling, Turbine Water Circulating, Turbine Heat Removing, and Steam Generator Water Circulating. Water Cooling consumes Steam. Water Cooling yields cooling tower Feedwater. Turbine Water Circulating requires Circulating Water Pump. Turbine Water Circulating changes Feedwater from cooling tower to condensor. Turbine Heat Removing requires condensor Feedwater. Turbine Heat Removing yields Mechanical Energy. Steam Generator Water Circulating occurs if Main Feedwater Pump is operational and Condensate Pump is operational . Steam Generator Water Circulating changes Feedwater from condensor to steam generator. Electricity Generating requires Generator. Electricity Generating consumes Mechanical Energy. Electricity Generating yields Electric Energy.
40
When Things Start Going Wrong: Summary of Events
http://www.nrc.gov/reading-rm/doc-collections/fact-sheets/3mile-isle.html#summary
The [TMI2] accident began about 4 a.m. on Wednesday, March 28, 1979, when the plant experienced a failure in the secondary, non-nuclear section of the plant (one of two reactors on the site). Either a mechanical or electrical failure prevented the main feedwater pumps from sending water to the steam generators that remove heat from the reactor core. This caused the plant's turbine-generator and then the reactor itself to automatically shut down. Immediately, the pressure in the primary system (the nuclear portion of the plant) began to increase. In order to control that pressure, the pilot-operated relief valve (a valve located at the top of the pressurizer) opened. The valve should have closed when the pressure fell to proper levels, but it became stuck open. Instruments in the control room, however, indicated to the plant staff that the valve was closed. As a result, the plant staff was unaware that cooling water was pouring out of the stuck-open valve.
41
Failing Pressurized Water Reactor Operation: An OPM Model
TMI2 Reactor Failure.opx
42
Pump Failing Changes Pump from operational to tripped
43
Tripped Pumps Cause too high Pressure
44
Too High Pressure Causes PORV to open normally
45
PORV Mechanical Failing causes POPV stuck open
46
Due to POPV stuck open Primary Cooling Water Escape!
47
Reactor Core is melted
48
As if this is not bad enough - The Cyber-Physical Gaphttp://www.nrc.gov/reading-rm/doc-collections/fact-sheets/3mile-isle.html#summary
The valve should have closed when the pressure fell to proper levels, but it became stuck open. Instruments in the control room, however, indicated to the plant staff that the valve was closed. As a result, the plant staff was unaware that cooling water was pouring out of the stuck-open valve. As coolant flowed from the primary system through the valve, other instruments available to reactor operators provided inadequate information. There was no instrument that showed how much water covered the core. As a result, plant staff assumed that as long as the pressurizer water level was high, the core was properly covered with water. As alarms rang and warning lights flashed, the operators did not realize that the plant was experiencing a loss-of-coolant accident. They took a series of actions that made conditions worse. The water escaping through the stuck valve reduced primary system pressure so much that the reactor coolant pumps had to be turned off to prevent dangerous vibrations. To prevent the pressurizer from filling up completely, the staff reduced how much emergency cooling water was being pumped in to the primary system. These actions starved the reactor core of
coolant, causing it to overheat.
49
The Cyber-Physical Model Version
TMI2 Reactor Failure Cyberphysical.opx
50
Secondary pumps are tripped; Problems start…
51
Pressure builds; PORV opens to relieve the too high pressure
52
PORV Closing fails due to sticky PORV; PORV gets stuck open
53
Crew uses false indication to determine that PORV is closed
First cyber-physical gap – Incorrect instrument reading:
PORV is (stuck) open, but due to the false PORV closed indication, the Crew determines
PORV is closed!
Physical object – shaded
Informatical object – not shaded
54
Since PORV is closed Crew determines Core Water Level high
Second cyber-physical gap – Agent misconception:
Since PORV is believed to be closed, the Crew determines
That Core Water Level is too highwhile in reality they are low and
Depleting!
Physical object – shaded
Informatical object – not shaded
Physical object – shaded
Informatical object – not shaded
55
When Pressure is too high Emergency Water is supplied…
Second cyber-physical gap: Since PORV is believed to be closed, the Crew determines
That Core Water Level is too highwhile in reality they are low and
Depleting!
56
… but the Crew stops the water supply, starving the reactor core of coolant, causing it to overheat
Final blow due to the second cyber-physical gap: Crew applies Emergency Water Supply Stopping
since it determined Core Water Level to be too high, making it too low
57
Summary• The cyber-physical gap is a critical
factor • It must be accounted for when
designing systems, notably safety-critical ones
• OPM is most suitable for modeling cyber-physical gaps
• This is due to its notion of essence – physical vs. informatical things
