Mirror, Mirror on the Wall Do You See Me at All? The Cyber-Physical Gap and its Implications on Risks: Modeling Nuclear Hazards Mitigation

Transcription

1 Mirror, Mirror on the Wall Do You See Me at All? The Cyber-Physical Gap and its Implications on Risks: Modeling Nuclear Hazards Mitigation Dov Dori Massachusetts Institute of Technology (visiting) Technion, Israel Institute of Technology UTSA Nov. 7, 2014

2 Multiple engineering professionals talk different languages Mechanical Engineers Civil Engineers Electronics Engineers Software Engineers Systems engineers are supposed to design systems and integrate these languages What language do they talk? 2

3 Systems Engineers Do Have Languages Systems Modeling Language SysML OMG Standard since 2007 Object-Process Methodology OPM OPM book published in 2002 ISO Standard as of Aug (formally: Publically Available Specification) OPM software: OPCAT, freely downloadable from Along with papers and other resources 3

4 The Six Leading MBSE Methodologies (INCOSE Task Force, Estefan, 2008 p 43) IBM Telelogic Harmony-SE INCOSE Object-Oriented Systems Engineering Method (OOSEM) IBM Rational Unified Process for Systems Engineering (RUP SE) for Model-Driven Systems Development (MDSD) Vitech Model-Based System Engineering (MBSE) Methodology JPL State Analysis (SA) Object-Process Methodology (OPM): 2014 ISO Standard (PAS) SysML was not surveyed since it is a language, not a methodology 4

5 The idea behind conceptual modeling conceived reality Is modeled by modeled reality Object is a Aircraft is a Vehicle Is modeled by Is modeled by Bus Gas Filling is Energy Replenishing Process Using graphical symbols, the model expresses physical things objects and processes and relations among them. Car 5 5

6 The Object-Process Theorem Stateful objects, processes, and relations among them constitute a necessary and sufficient universal ontology Corollary Using stateful objects, processes, and relations among them, one can model systems in any domain 6

7 Compact Ontology: OPM as a language with minimal alphabet OPM uses the smallest alphabet: Two types of things: (1) stateful objects (2) processes Two families of links: (1) structural link: connects two objects (2) procedural link: connects a processes with an object or object state 7

8 Object-Process Methodology (OPM) Things: Objects and Processes A thing that exists or might exist physically or informatically A thing that transforms one or more objects 8

9 Processes transform objects by (1) Consuming them: 9

10 Processes transform objects by (2) Creating them: 10

11 Processes transform objects by (3) Changing their state: 11

12 Any OPM Thing is one of: 1. Stateful Object 2. Process All the other elements are relations between things, expressed graphically as links 12

13 OPM Unifies the three main system aspects: Function (why the system is built), Structure (static aspect: what is the system made of), and Behavior (dynamic aspect: how the system changes over time) These aspects are expressed bi-modally, in graphics and equivalent text in a single model 13

14 Thing s Essence and Affiliation Attributes In OPM, a Thing (Object or Process) has two key attributes: Essence and Affiliation Essence pertains to the thing s nature Denotes whether the thing is physical or informatical. Affiliation pertains to the thing s scope Denotes whether the thing is systemic, i.e. part of the system, or environmental, i.e. part of the system s environment The Essence- Affiliation attribute value combinations 14

15 Cyber-Physical Systems: Characteristics Software-controlled physical systems Include physical and cybernetic components An agent a human decision-maker or an information & decision-making system is the cybernetic component Hardware (motors, actuators, VLSI chips ) is the physical component Physical processes signal and induce cybernetic events and vice versa 15

16 Essence is key to the Cyber-Physical Gap Thing s Essence is key to understanding and modeling the cyber-physical gap physical objects in the OPM model represent what is really out there actual states and values of objects informatical objects in the OPM model represent information about their corresponding physical objects available to a decision making agent (human or artificial) A cyber-physical gap exists when the state of the informatical object incorrectly indicates the state of the physical object is supposed to represent 16

17 Two main sources of cyber-physical gaps Incorrect instrument reading causes agents to create a different world view than what is really out there Agent s misconception or incorrect assumption possibly triggered or supported by incorrect measurement reading 17

18 Modeling the cyber-physical gap with OPM: The Three-Mile Island 2 Accident March 28,

19 2:00 2:15 We start with an OPM model of normal operation of Electric Energy Generating system by a Pressurized Water Reactor 19

20 Three OPM Models First OPM Model: We start with an OPM model of normal operation of Electric Energy Generating system by a Pressurized Water Reactor Second OPM Model: We continue with an OPM model of the reactor with the particular chain of faults with no human involvement, which culminated in the reactor core meltdown but could be prevented if humans stayed out Third OPM Model: We end with an OPM model of the reactor with the particular chain of faults, accounting for the cyberphysical gap that worked against the built-in security measures, ensuring the reactor core meltdown 20

21 First OPM Model: Electric Energy Generating by a Pressurized Water Reactor 21

22 Electric Energy Generating In-Zoomed: Animated Simulation 22

23 Turbine Spinning In-Zoomed: Animated Simulation 23

24 Electric Energy Successfully Generated 24

25 Auto-generated Object-Process Language (OPL) Example Feedwater can be cooling tower, condensor, or steam generator. cooling tower is initial. Pressurized Water Reactor consists of Reactor Secondary Unit, Reactor Primary Unit, and Cooling Tower. Reactor Secondary Unit consists of Turbine, Generator, and Main Feedwater Pump. Turbine consists of Condensate Pump. Condensate Pump can be operational or tripped. operational is initial. Main Feedwater Pump can be operational or tripped. operational is initial. Reactor Primary Unit consists of Reactor Core and Steam Generator. Cooling Tower consists of Circulating Water Pump. Electric Energy Generating is physical. Electric Energy Generating consists of Controlled Nuclear Reaction, Steam Generating, Turbine Spinning, and Electricity Generating. Electric Energy Generating requires Pressurized Water Reactor and Cooling Tower. Electric Energy Generating yields Electric Energy. Electric Energy Generating zooms into Controlled Nuclear Reaction, Steam Generating, Turbine Spinning, and Electricity Generating. Controlled Nuclear Reaction affects Reactor Core. Controlled Nuclear Reaction yields Heat Energy. Steam Generating affects Steam Generator. Steam Generating consumes Heat Energy. Steam Generating yields Steam. Turbine Spinning consists of Turbine Water Circulating, Water Cooling, Turbine Heat Removing, and Steam Generator Water Circulating. Turbine Spinning affects Turbine. Turbine Spinning consumes Steam. Turbine Spinning yields Mechanical Energy. Turbine Spinning zooms into Water Cooling, Turbine Water Circulating, Turbine Heat Removing, and Steam Generator Water Circulating. Water Cooling consumes Steam. Water Cooling yields cooling tower Feedwater. Turbine Water Circulating requires Circulating Water Pump. Turbine Water Circulating changes Feedwater from cooling tower to condensor. Turbine Heat Removing requires condensor Feedwater. Turbine Heat Removing yields Mechanical Energy. Steam Generator Water Circulating occurs if Main Feedwater Pump is operational and Condensate Pump is operational. Steam Generator Water Circulating changes Feedwater from condensor to steam generator. Electricity Generating requires Generator. Electricity Generating consumes Mechanical Energy. Electricity Generating yields Electric Energy. 25

26 When Things Start Going Wrong: Summary of Events The [TMI2] accident began about 4 a.m. on Wednesday, March 28, 1979, when the plant experienced a failure in the secondary, non-nuclear section of the plant (one of two reactors on the site). Either a mechanical or electrical failure prevented the main feedwater pumps from sending water to the steam generators that remove heat from the reactor core. This caused the plant's turbine-generator and then the reactor itself to automatically shut down. Immediately, the pressure in the primary system (the nuclear portion of the plant) began to increase. In order to control that pressure, the pilot-operated relief valve [PORV] (a valve located at the top of the pressurizer) opened. The valve should have closed when the pressure fell to proper levels, but it became stuck open. 26

27 Second OPM Model: Failing Pressurized Water Reactor Operation: no cyber-physical gap 27

28 Pump Failing Changes Pump from operational to tripped 28

29 Tripped Pumps Cause too high Pressure 29

30 Too High Pressure Causes PORV to open normally 30

31 PORV Mechanical Failing causes POPV stuck open 31

32 Due to POPV stuck open Primary Cooling Water Escape! 32

33 Reactor Core is melted 33

34 As if this is not bad enough - The Cyber-Physical Gap The valve should have closed when the pressure fell to proper levels, but it became stuck open. Instruments in the control room, however, indicated to the plant staff that the valve was closed. As a result, the plant staff was unaware that cooling water was pouring out of the stuck-open valve. As coolant flowed from the primary system through the valve, other instruments available to reactor operators provided inadequate information. There was no instrument that showed how much water covered the core. As a result, plant staff assumed that as long as the pressurizer water level was high, the core was properly covered with water. As alarms rang and warning lights flashed, the operators did not realize that the plant was experiencing a loss-of-coolant accident. They took a series of actions that made conditions worse. The water escaping through the stuck valve reduced primary system pressure so much that the reactor coolant pumps had to be turned off to prevent dangerous vibrations. To prevent the pressurizer from filling up completely, the staff reduced how much emergency cooling water was being pumped in to the primary system. These actions starved the reactor core of coolant, causing it to overheat. 34

35 Third OPM Model: The Cyber-Physical Model Version 35

36 Secondary pumps are tripped; Problems start 36

37 Pressure builds; PORV opens to relieve the too high pressure 37

38 PORV Closing fails due to sticky PORV; PORV gets stuck open 38

39 Crew uses false indication to determine that PORV is closed Physical object shaded First cyber-physical gap Incorrect instrument reading: PORV is (stuck) open, but due to the false PORV closed indication, the Crew determines PORV is closed! Informatical object not shaded 39

40 Since PORV is closed Crew determines Core Water Level high Physical object shaded Second cyber-physical gap Agent misconception: Since PORV is believed to be closed, the Crew determines That Core Water Level is too high while in reality they are low and still Depleting! Informatical object not shaded Informatical object not shaded Physical object shaded 40

41 When Pressure is too high Emergency Water is supplied Second cyber-physical gap: Since PORV is believed to be closed, the Crew determines That Core Water Level is too high while in reality they are low and Depleting! 41

42 but the Crew stops the water supply, starving the reactor core of coolant, causing it to overheat Final blow due to the second cyber-physical gap: Crew applies Emergency Water Supply Stopping since it determined Core Water Level to be too high, making it too low 42

43 Summary 1/2 The cyber-physical gap is a critical factor It must be accounted for when designing systems, notably safetycritical ones OPM is suitable for modeling cyberphysical gaps This is due to its notion of essence physical vs. informatical things 43

44 Summary 2/2 The model can be instrumental in helping designers consider how hazardous situations might arise This still leaves us with the hard state explosion problem: How to consider the exponential number of system states (combinations of all object states) How to test the sheer number of system states to determine the potential hazard of each 44

45 Questions and (hopefully) Answers Contact: Dov Dori 45