A method of identifying and analyzing irrational system behavior in a system of systems

ing away from physical components and subsystems to the functional level can help practitioners to consider potential new initiating event sources that otherwise may be missed.

• Step 2, Part 2: Remove from the list of potential irrationality initiators all flows that are already modeled as initiating events through other failure analysis methods, such as FFIP and PRA.

• Step 2, Part 3: Identify any candidate irrationality initiators that cannot be emitted by the generic black box system. Before eliminating a candidate irrationality initiator, the practitioner must attempt to identify ways in which the irrationality initiator could be generated, even if they are highly implausible or unlikely. For instance, almost any material can produce spectral emissions that would normally be unexpected if sufficient energy is applied to the material.

• Step 2, Part 4: Assign probabilities of occurrence to each of the irrationality initiators remaining on the list. We advocate that practitioners follow initiating event probability guidance from PRA, such as Refs. 10 and 49.

Now that potential irrationality initiators within an SoS that may impact the SoI have been identified and probabilities assigned, the flow paths by which the irrationality initiators enter the system must be defined. Irrationality initiators may be introduced to a system along nominal flow paths or along non-nominal flow paths, such as the uncoupled failure flow paths advanced in the UFFSR method.24 Additions to or modifications of the failure model for a system may be necessary to sufficiently capture irrationality initiator entry points.

3.3 Analysis of potential irrationality initiators

The next step in the method is to conduct failure analysis on the SoI using the identified potential irrationality initiators. We advocate for, and use in the case study, the FFIP family of failure analysis tools to conduct failure analysis on the SoI.
In order to produce a more accurate analysis of potential irrationality initiators using FFIP and related tools, we recommend that the analysis be performed using data collected from the proposed physical architecture that solves the functional architecture of the SoI.

FIGURE 2 Steps to developing irrationality initiators
VANBOSSUYT ET AL. 525

The number of potential failure scenarios, often called "cut-sets" in PRA and sometimes in FFIP, resulting from the analysis of irrationality initiators is directly related to the number of irrationality initiators and the functional model of the SoI. Each irrationality initiator may proceed along many different flow paths in an SoI, causing functional failure along the way, which in turn may lead to system failure. The number of potential failure scenarios may be expanded further when multiple candidate component solutions are available for specific functions before down-selection of component solutions has been conducted.

While probabilities for specific irrationality initiators were calculated in a prior step in the method, there are several options for how irrationality initiators are analyzed, depending on what type of results a practitioner is interested in reviewing. These include an uninformative prior and an informative prior. Further, irrationality initiators that are either independent or dependent can be considered to provide additional insight into potential irrational failure scenarios, such as when multiple irrationality initiators often occur together. Informative and uninformative priors, and independent and dependent irrationality initiators, may be combined. Further explanation follows.

3.3.1 Uninformative and informative priors

In order to understand the sensitivity of an SoI to irrationality initiators, the uninformative prior sets all irrationality initiators to the same probability of occurrence.
It should be noted that using the uninformative prior approach does not allow for direct comparison of results with other FFIP results. The results are specifically useful for understanding what high severity failure outcomes are present that otherwise may be truncated during computation. The uninformative prior method can also be used to perform a sensitivity analysis on the irrationality initiators by changing their probabilities and comparing results. This may help to identify irrationality initiators whose failure scenarios are not particularly sensitive to changes in their probabilities of occurrence, and may also identify specific irrationality initiators that warrant extended scrutiny to ensure a higher degree of accuracy and realism in the probability statistics.

In contrast to the uninformative prior, which uses arbitrarily assigned probabilities to surface low probability but very severe outcomes and to examine irrationality initiator probability sensitivity, the informative prior uses the probabilities of occurrence that were developed in a previous step of the methodology and that are grounded in real data. This allows for direct comparison of irrationality initiator-derived failure scenario probabilities with failure scenario probabilities produced from FFIP. In the event that a probability could not be developed previously because of a lack of information, we suggest using a probability value that is 3x the highest known irrationality initiator probability. Using a 3x higher probability may help to ensure that any potential high consequence failure scenarios are identified and will help to motivate the development of a better estimate of the probability. If a failure scenario driven by an irrationality initiator that was assigned the 3x probability is sufficiently probable, this indicates that the irrationality initiator's probability needs to be better understood.
However, if no failure scenario involving that initiator is within a few orders of magnitude of the most likely failure scenario, then further refinement of that irrationality initiator's probability is unlikely to be needed. It is worth noting that we do not advocate for setting the multiplier higher than 3x for irrationality initiators without well-founded probabilities. While such an approach would almost certainly highlight every single potential failure scenario caused by the irrationality initiator in question, setting the irrationality initiator probability needlessly high without a rigorous analysis to back up the choice is likely to overwhelm a user of this method with many failure scenarios that masquerade as being of high likelihood while in reality being of vanishingly small probability. This in turn may lead to much wasted time and effort to disprove all of the failure scenarios. The suggestion of a 3x multiplier is based on our prior professional experience as risk analysts and reliability engineers and on examining the sensitivity of several failure models to which we have access to changes in initiating event probabilities. While we believe the 3x multiplier is a good starting point, we recommend that systems engineering practitioners carefully examine the sensitivity of their own systems to initiating event probabilities and make adjustments as warranted, using their professional engineering judgment.

We recommend that both the informative and uninformative prior methods be used to analyze irrationality initiators in the SoI. The uninformative prior can shed light on potential high consequence failure scenarios that otherwise may be missed and can also be used to perform sensitivity studies on the irrationality initiators. The informative prior quantifies failure scenarios in a way that can be directly compared with standard FFIP results. This may help practitioners to prioritize where money and time are spent to mitigate potential issues.
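The following is an added example, written for this page and not code from the paper or its case study, showing how the two priors of this subsection can be run over a small static failure model. The initiator names, their probabilities, the cut-sets and severities, the 1e-6 truncation limit, the 1e-2 uninformative probability and the two-decade reading of "a few orders of magnitude" are all constructed assumptions; the 3x placeholder rule is the paper's. Cut-sets are evaluated the way a static PRA cut-set is: the scenario occurs when all of its initiating events occur, and the events are taken as independent.

```python
"""Informative vs. uninformative priors over irrationality initiators.

Added example, not code from the paper or its case study. A scenario
(cut-set) occurs when every initiating event in its set occurs; events are
independent, so the scenario probability is the product of event
probabilities. All names, probabilities and thresholds below are constructed
for illustration, except the 3x rule, which is the paper's.
"""
from math import log10, prod

# Constructed initiators. None = no probability could be developed earlier.
INITIATORS = {
    "A_spurious_rf_emission": 1e-4,
    "B_unexpected_thermal_flow": 2e-5,
    "E_late_heartbeat": 5e-3,
    "C_garbled_status_message": None,
    "D_bus_contention": None,
}

# Constructed cut-sets: (scenario, initiating events required, severity 1..5).
CUTSETS = [
    ("heartbeat_timeout", {"E_late_heartbeat"}, 2),
    ("loss_of_comms", {"A_spurious_rf_emission"}, 2),
    ("sensor_overheat", {"B_unexpected_thermal_flow"}, 3),
    ("mode_confusion", {"E_late_heartbeat", "C_garbled_status_message"}, 4),
    ("comms_and_mode", {"A_spurious_rf_emission", "C_garbled_status_message"}, 4),
    ("thermal_and_bus", {"B_unexpected_thermal_flow", "D_bus_contention"}, 5),
]


def informative_prior(initiators, multiplier=3.0):
    """Keep developed probabilities; give each missing one `multiplier` times
    the highest known probability (the paper's 3x rule).
    Returns (probabilities, names that received the placeholder)."""
    known = [p for p in initiators.values() if p is not None]
    if not known:
        raise ValueError("at least one developed probability is required")
    fill = multiplier * max(known)
    probs = {k: (fill if p is None else p) for k, p in initiators.items()}
    return probs, {k for k, p in initiators.items() if p is None}


def uninformative_prior(initiators, p=1e-2):
    """Give every initiator the same (arbitrary, assumed) probability so that
    only the structure of the failure model drives the result."""
    return {k: p for k in initiators}


def scenario_probabilities(cutsets, probs):
    """Cut-set probability under independence: product of its event probabilities."""
    return {name: prod(probs[e] for e in events) for name, events, _ in cutsets}


def retained(cutsets, probs, truncation):
    """Scenarios that survive a PRA-style truncation limit (assumed value)."""
    return {n for n, p in scenario_probabilities(cutsets, probs).items() if p >= truncation}


def truncated_high_severity(cutsets, informative, uninformative, truncation, min_severity=4):
    """Severe scenarios that the informative prior truncates away but the
    uninformative prior keeps: the outcomes the uninformative prior exists to surface."""
    kept = retained(cutsets, uninformative, truncation) - retained(cutsets, informative, truncation)
    return sorted(n for n, _, sev in cutsets if n in kept and sev >= min_severity)


def refinement_candidates(cutsets, probs, placeholders, orders=2):
    """Placeholder (3x) initiators that drive a scenario within `orders`
    decades of the most likely scenario; their probability needs real data.
    Two decades is an assumed reading of 'a few orders of magnitude'."""
    sp = scenario_probabilities(cutsets, probs)
    top = max(sp.values())
    flagged = set()
    for name, events, _ in cutsets:
        hits = events & placeholders
        if hits and log10(top) - log10(sp[name]) <= orders:
            flagged |= hits
    return flagged


if __name__ == "__main__":
    inf, placeholders = informative_prior(INITIATORS)
    print("needs better probability data:", refinement_candidates(CUTSETS, inf, placeholders))
    print("severe but truncated under informative prior:",
          truncated_high_severity(CUTSETS, inf, uninformative_prior(INITIATORS), truncation=1e-6))
```

With these constructed numbers, C is flagged for refinement because the mode_confusion scenario it drives lands within two decades of the most likely scenario, while D is not; and the severity-5 thermal_and_bus scenario falls below the truncation limit under the informative prior but is kept under the uninformative one, which is the kind of outcome the paper recommends running both priors to catch.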
3.3.2 Independent and dependent irrationality initiators

In almost every implementation of FFIP that we have encountered, initiating events are exclusively considered to be independent from each other. The same is true in many PRA analyses. However, we suspect, based on our professional practice and observations, that irrationality initiators may have a higher likelihood of being dependent upon one another to some extent. In other words, if one irrationality initiator occurs, then it is more likely that another will occur at the same time. We propose that irrationality initiators be modeled both as independent and as dependent events. By analyzing multiple irrationality initiators as a single event, a practitioner can gain insight into scenarios where a system in an SoS begins emitting many irrationality initiators. This may help to identify "worst case scenarios" where completely unanticipated emergent system behaviors occur because the SoI receives several irrationality initiators at once. Recent research on external initiating events for autonomous robotic systems has indicated that unique emergent system behaviors not predicted by other research methods can be caused by several external initiating events occurring simultaneously and interacting with one another inside an SoI.59,89 We suggest that all possible initiator-dependent combinations be investigated. For example, in the case of three irrationality initiators [A, B, C], the following initiator-dependent combinations should be investigated: [A & B], [A & C], [B & C], and [A, B, & C]. A generalized formula to determine the number of dependent combinations is shown by Equation (1). Note that the formula intentionally subtracts 1 to acknowledge that the baseline case of no irrationality initiators being present in the SoI is assumed to have been previously assessed.
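The following is an added example, written for this page and not the paper's own code, that enumerates the dependent combinations for an arbitrary number of initiators rather than only the three-initiator case in the text, and names each combination as a single initiating event so it can be entered into a failure model. Equation (1) itself is not reproduced on this page; the closed form used here (2^n subsets minus the empty baseline minus the n single initiators) is derived from the example in the text and from the statement that the baseline case is subtracted, on the assumption that the single-initiator cases are already covered by the independent analysis.

```python
"""Enumerating dependent irrationality initiator combinations.

Added example, not the paper's code. The count formula is derived from the
text's three-initiator example (four dependent combinations for [A, B, C])
and its note that the empty baseline case is subtracted; it assumes single
initiators are covered by the independent analysis, so only subsets of two
or more initiators count as dependent cases.
"""
from itertools import combinations


def dependent_combinations(initiators):
    """Every subset of two or more initiators, smallest subsets first:
    ['A', 'B', 'C'] -> [('A','B'), ('A','C'), ('B','C'), ('A','B','C')]."""
    names = list(initiators)
    return [c for k in range(2, len(names) + 1) for c in combinations(names, k)]


def dependent_combination_count(n):
    """2**n subsets, minus the empty baseline (assessed previously), minus the n
    single-initiator cases handled by the independent analysis."""
    if n < 0:
        raise ValueError("n must be non-negative")
    return 2 ** n - n - 1


def as_single_events(initiators, sep=" & "):
    """Name each dependent combination as one initiating event so the joint
    occurrence can be fed to FFIP/PRA as a single entry: {'A & B': ('A','B'), ...}."""
    return {sep.join(c): c for c in dependent_combinations(initiators)}


if __name__ == "__main__":
    for event, members in as_single_events(["A", "B", "C"]).items():
        print(event, "<-", members)
    print("combinations for 3 initiators:", dependent_combination_count(3))
    print("combinations for 20 initiators:", dependent_combination_count(20))
```

The count grows as 2^n, so "all possible combinations" is affordable for a handful of initiators but reaches about a million cases at twenty; a practitioner should check the count from dependent_combination_count before committing to the full enumeration, and prune the initiator list in Step 2 first if the number is unworkable.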

[1] Didier Sornette, et al. Reassessing the safety of nuclear power, 2016.

[2] Nancy G. Leveson, et al. A new accident model for engineering safer systems, 2004.

[3] Donna H. Rhodes, et al. Enabling better supply chain decisions through a generic model utilizing cause-effect mapping, 2016, 2016 Annual IEEE Systems Conference (SysCon).

[4] Zhao Yang Dong, et al. The 2015 Ukraine Blackout: Implications for False Data Injection Attacks, 2017, IEEE Transactions on Power Systems.

[5] Robert L. Winkler, et al. Uncertainty in probabilistic risk assessment, 1996.

[6] Ming Zhang, et al. Robust System Design with Built-In Soft-Error Resilience, 2005.

[7] Gregory W. Fischer, et al. Utility models for multiple objective decisions: do they accurately represent human preferences?, 1979.

[8] Irem Y. Tumer, et al. Risk attitudes in risk-based design: Considering risk attitude using utility theory in risk-based design, 2012, Artificial Intelligence for Engineering Design, Analysis and Manufacturing.

[9] B. Gert, Coercion and Freedom, 2017.

[10] John H. Fielder, et al. The Ford Pinto Case: A Study in Applied Ethics, Business, and Technology, 1994.

[11] Siddharth Sridhar, et al. Cyber–Physical System Security for the Electric Power Grid, 2012, Proceedings of the IEEE.

[12] K.K. Aggarwal, et al. Redundancy Optimization in General Systems, 1976, IEEE Transactions on Reliability.

[13] Irem Y. Tumer, et al. A functional failure reasoning methodology for evaluation of conceptual system architectures, 2010.

[14] Madhav Erraguntla, et al. Using Simulation for Robust System Design, 1995, Simulation.

[15] Kristin Decker, et al. UML Distilled: A Brief Guide to the Standard Object Modeling Language, 2016.

[16] Douglas L. Van Bossuyt, et al. Conceptual design of sacrificial sub-systems: failure flow decision functions, 2018.

[17] Karl J. Friston, et al. Encoding of Marginal Utility across Time in the Human Brain, 2009, The Journal of Neuroscience.

[18] Philippe Jorion, Risk Management Lessons from the Credit Crisis, 2009.

[19] Leon F. McGinnis, et al. System and simulation modeling using SysML, 2007, 2007 Winter Simulation Conference.

[20] E. Weber, et al. A Domain-Specific Risk-Taking (DOSPERT) Scale for Adult Populations, 2006, Judgment and Decision Making.

[21] A. D. Swain, Accident Sequence Evaluation Program: Human reliability analysis procedure, 1987.

[22] Jeffrey C. Mogul, et al. Emergent (mis)behavior vs. complex software systems, 2006, EuroSys.

[23] David W. Coit, et al. System reliability optimization with k-out-of-n subsystems and changing k, 2011, Proceedings of the 2011 9th International Conference on Reliability, Maintainability and Safety.

[24] Colin Camerer, et al. Neural Systems Responding to Degrees of Uncertainty in Human Decision-Making, 2005, Science.

[25] Clifton A. Ericson, et al. Hazard Analysis Techniques for System Safety, 2005.

[26] Marko Cepin, Analysis of truncation limit in probabilistic safety assessment, 2005, Reliability Engineering & System Safety.

[27] Bruce G. Link, et al. Psychotic Symptoms and the Violent/Illegal Behavior of Mental Patients Compared to Community Controls, 1994.

[28] Douglas C. Schmidt, et al. Guest Editor's Introduction: Model-Driven Engineering, 2006, Computer.

[29] Warren Gilchrist, et al. Modelling Failure Modes and Effects Analysis, 1993.

[31] Yong Bai, et al. Human Reliability Assessment, 2003.

[32] M. Modarres, et al. A Truncation Methodology for Evaluating Large Fault Trees, 1984, IEEE Transactions on Reliability.

[33] Enrico Zio, et al. Uncertainty in Risk Assessment: The Representation and Treatment of Uncertainties by Probabilistic and Non-Probabilistic Methods, 2013.

[34] Simon Szykman, et al. Enhancing Virtual Product Representations for Advanced Design Repository Systems, 2005, Journal of Computing and Information Science in Engineering.

[35] G. L'her, et al. Prognostic systems representation in a function-based Bayesian model during engineering design, 2020.

[36] R. J. Borkowski, et al. In-plant reliability data base for nuclear power plant components: data collection and methodology report, 1982.

[37] Vinh N. Dang, et al. Probabilistic Safety Assessment and Management, 2004.

[38] Eugene P. Paulo, et al. The Naval Postgraduate School's Department of Systems Engineering Approach to Mission Engineering Education through Capstone Projects, 2019, Systems.

[39] Irem Y. Tumer, et al. Flow State Logic (FSL) for Analysis of Failure Propagation in Early Design, 2009.

[40] Jian-Wei Wang, et al. Cascade-based attack vulnerability on the US power grid, 2009.

[41] José Suárez-Lledó, et al. The Black Swan: The Impact of the Highly Improbable, 2011.

[42] J.J. Gertler, et al. Survey of model-based failure detection and isolation in complex plants, 1988, IEEE Control Systems Magazine.

[43] S.D. Wall, Model-based engineering design for space missions, 2004, 2004 IEEE Aerospace Conference Proceedings.

[44] H. Schneider, Failure mode and effect analysis: FMEA from theory to execution, 1996.

[45] Clifton A. Ericson, et al. Fault Tree Analysis, 2005.

[46] Clifton A. Ericson, et al. Event Tree Analysis, 2005.

[47] I. Kamwa, et al. Causes of the 2003 major grid blackouts in North America and Europe, and recommended means to improve system dynamic performance, 2005, IEEE Transactions on Power Systems.

[48] Erik Kaestner, et al. The Mechanical Design Process, 2016.

[49] Diane Vaughan, et al. The Challenger Launch Decision: Risky Technology, Culture, and Deviance at NASA, 1996.

[50] Enrico Zio, et al. Challenges in the vulnerability and risk analysis of critical infrastructures, 2016, Reliability Engineering & System Safety.

[51] Hans Jochen Scholl, et al. Agent-based and system dynamics modeling: a call for cross study and joint research, 2001, Proceedings of the 34th Annual Hawaii International Conference on System Sciences.

[52] Douglas L. Van Bossuyt, et al. Toward a Dedicated Failure Flow Arrestor Function Methodology, 2015, DAC 2015.

[53] Jan Erik Vinnem, et al. Risk modelling of maintenance work on major process equipment on offshore petroleum installations, 2012.

[54] Ronald L. Iman, et al. The Repeatability of Uncertainty and Sensitivity Analyses for Complex Probabilistic Risk Assessments, 1991.

[55] Jean-Marc Jézéquel, et al. Model Driven Engineering, 2017, Encyclopedia of GIS.

[56] Hendrik Van Brussel, et al. On the design of emergent systems: an investigation of integration and interoperability issues, 2003.

[57] G. Becker, et al. Irrational Behavior and Economic Theory, 1962, Journal of Political Economy.

[58] Leonard E. Miller, et al. NASA systems engineering handbook, 1995.

[59] B. Caplan, Terrorism: The relevance of the rational choice model, 2006.

[60] R. Hogarth, et al. Behavioral decision theory: processes of judgment and choice, 1981.

[61] Simon Szykman, et al. A functional basis for engineering design: Reconciling and evolving previous efforts, 2002.

[62] Thomas B. Sheridan, et al. Risk, Human Error, and System Resilience: Fundamental Ideas, 2008, Human Factors.

[63] Ed M. Dougherty, Context and human reliability analysis, 1993.

[64] X. T. Wang, Domain-specific rationality in human choices: violations of utility axioms and social contexts, 1996, Cognition.

[65] Gareth W. Parry, et al. The characterization of uncertainty in probabilistic risk assessments of complex systems, 1996.

[66] A. Breton, Manifestoes of Surrealism, 1969.

[67] David J. Wagg, et al. ASME 2007 International Design Engineering Technical Conferences & Computers and Information in Engineering Conference, 2007.

[68] Pierre Le Bot, Human reliability data, human error and accident models: illustration through the Three Mile Island accident analysis, 2004, Reliability Engineering & System Safety.

[69] Dedy Ng, et al. Harnessing database resources for understanding the profile of chemical process industry incidents, 2010.

[70] Kristin L. Wood, et al. Development of a Functional Basis for Design, 2000.

[71] G. Loewenstein, Out of control: Visceral influences on behavior, 1996.

[72] Kenji Doya, et al. The Cyber Rodent Project: Exploration of Adaptive Mechanisms for Self-Preservation and Self-Reproduction, 2005, Adaptive Behavior.

[73] Nikolaos Papakonstantinou, et al. Common cause failure analysis of cyber–physical systems situated in constructed environments, 2013, Research in Engineering Design.

[74] Farrokh Mistree, et al. Validating design methods & research: the validation square, 2000.

[75] Edward A. Lee, et al. Modeling Cyber–Physical Systems, 2012, Proceedings of the IEEE.

[76] Victor F. Weisskopf, et al. Reactor safety study, 1976.

[77] Irem Y. Tumer, et al. On Measuring Engineering Risk Attitudes, 2013.

[78] Phillip Y. Lipscy, et al. The Fukushima disaster and Japan's nuclear plant vulnerability in comparative perspective, 2013, Environmental Science & Technology.

[79] Janet L. Yellen, et al. Rational Models of Irrational Behavior, 1987.

[80] Ali Mosleh, et al. Cognitive modeling and dynamic probabilistic simulation of operating crew response to complex system accidents: Part 1: Overview of the IDAC Model, 2007, Reliability Engineering & System Safety.

[81] Seung Jun Lee, et al. An overview of risk quantification issues for digitalized nuclear power plants using a static fault tree, 2009.

[82] Hilla Peretz, et al. The, 1966.

[83] Russell J. Branaghan, et al. An empirically derived taxonomy of pilot violation behavior, 2012.

[84] W. Edwards, Behavioral decision theory, 1961, Annual Review of Psychology.

[85] Nikolaos Papakonstantinou, et al. Cable routing modeling in early system design to prevent cable failure propagation events, 2016, 2016 Annual Reliability and Maintainability Symposium (RAMS).

[86] M. Knochenhauer, et al. Guidance for External Events Analysis, 2004.

[87] Charles B. Keating, et al. Emergence in System of Systems, 2008.

[88] Edward F. Crawley, et al. System Architecture: Strategy and Product Development for Complex Systems, 2015.

[89] Michael Rossi, et al. Failure Mode, Effects, and Criticality Analysis (FMECA), 1993.

[90] D. J. Woollons, et al. Failure modes and effects analysis of complex engineering systems using functional models, 1998, Artificial Intelligence in Engineering.

[91] Nicholas Roy, et al. Planning in information space for a quadrotor helicopter in a GPS-denied environment, 2008, 2008 IEEE International Conference on Robotics and Automation.

[92] K. Phillips-Fein, The 9/11 Commission Report, 2007.

[93] Irem Y. Tumer, et al. Design of complex engineered systems, 2014, Artificial Intelligence for Engineering Design, Analysis and Manufacturing.

[94] N. Taleb, Black Swans and the Domains of Statistics, 2007.

[95] John Haigh, et al. Probabilistic Risk Analysis: Foundations and Methods, 2003.

[96] Nikolaos Papakonstantinou, et al. Modeling of function failure propagation across uncoupled systems, 2015, 2015 Annual Reliability and Maintainability Symposium (RAMS).

[97] K. Frenken, et al. The Early Development of the Steam Engine: An Evolutionary Interpretation using Complexity Theory, 2004.

[98] Tommaso Sgobba, et al. Safety Design for Space Systems, 2009.

[99] A. Tversky, Utility theory and additivity analysis of risky choices, 1967, Journal of Experimental Psychology.

[100] C.J.H. Mann, et al. A Practical Guide to SysML: The Systems Modeling Language, 2009.

[101] Irene Eusgeld, et al. Analyzing vulnerabilities between SCADA system and SUC due to interdependencies, 2013, Reliability Engineering & System Safety.