WIXLIB

modeledwith Markovmodels.We then discusssome addi-tional issues arising from the use of Markov modeling whichmust be considered.These include options for generating andvalidating Marker models, the difficulties presented by stiffness in Markov models and methods for overcoming them,and the problems caused by excessive model size (i.e. toomany states) and ways to reduce the number of states in amodel. Finally, we provide an overview of some selectedsoftware tools for Markov modeling that have been developedin recent years, some of which are available for general use.SystemDesignand Validationance and dependabilityof their candidate designs and assistthem in selecting which design to actually build.Non-optimal(but common)of DependabilityAnalysisSystemPerformed4inDesignafter designother constraintuseis committedcriteria(cost,based onweight,etc.)Used for post-mortemconfirmationthat the designmeets the minimal reliabilityrequirementsGiven: A target application with specified reliability and performancerequirementsEngineer's Task:Design a system to satisfy the intended application which meetsthe specified reliability, performance, and other (weight, powerconsumption, size, etc.) requirementsOften performedby modeling specialists(reliabilityanalysts) on designs "throwntransom",ratherthemselvesthan by the designas the designover theengineersis evolvingIlow do you estimate the reliability, availahiliO', saJety, t bet, tr builtSlideyet?Models:Use of nOnly/k tractReal-World5SystemMathematicalSlideSlide 4: Role of Dependabilityand Validation(No n- Opti in al Use)Model4ModelingSystemin SystemRFDesignDesigntternreThe process of designing and building a system often begins when a team of design engineers is presented with a target application by an outside agency (for example, NASA, theDoD, or a commercialcustomer) or by their management.This target application may have specified dependabilityandperformance requirements,particularlyif the application is asafety-criticalsystem (dependabilityis an umbrella termwhich encompassesreliability, availability,safety, etc.[l]).The engineers' task then is to design a system (or subsystem)which satisfies the requirementsof the application (includingfunction, performance, and dependability)while simultaneously adhering to other constraintssuch as limits on weight,power consumption,physical size, etc. The required functionmay be able to be satisfied by any one of a number of differentdesigns, each of which may have different characteristics.Typically it is desirable to maximize performanceand dependability while minimizing cost, weight, size, and power.Characteristicslike cost, weight, and power are relatively easyto predict for a given design because they tend to be straightforward functions of the numbers and properties of the individual componentsused to construct the overall system. Performance and dependabilityare more difficult to predict because they depend heavily on the configurationin which thecomponentsare arranged.They may also depend on the workload imposed on the system and the environmentin which thesystem operates.Short of actually building each proposeddesign and observing the performance and dependabilityfromreal-life experience (an option which is impractical),the system designers need tools with which to predict the perform-DebugDesignDependabilityale(for V&V)sMisfit-dSlideSlides 5 & 6." bility, availability,mairR, inability. performance6(Post-Design-PhaseOnly) Use ofModeling for System Design andMathematical modeling (of which Markov modeling is onemethod) provides such tools that can assist in providing theneeded performance and dependability predictions.Often thedesign process is evolutionary, proceeding in a series of iterative refinements which may give rise to a sequence of decisionpoints for quent decision points may depend on earlier ones. ideally, the system designers should be able to use dependabilitymodeling throughout the entire design process to provide thedependability predictions required to make the best configuration selections at all decision points at all levels of systemrefinement.Having dependability modeling tools continuously available for use on a "what-if" basis by the system designers is important because of the exploratorynature thattends to characterize human creative work.However, in practice the use of dependability modeling inthe design of systems often falls short of this ideal. Instead of#98RM-31 3 page 2To Be Presented6at the 1998 Reliabilityand MaintainabilitySymposium,RFJanuary16-19,1998, Anahiem,CA

playing a role as an integral part of the design process, it maybe used, after the design has been selected and committed,simply as a method for providing officially recognized evidence that the design meets contractuallymandated dependability requirements,in this capacity, it is often performed bymodeling specialists (i.e., reliability analysts) rather than bythe design engineers.capabilities for guarding against inadvertentapplication of inappropriate modeling techniques.For this reason it is wisefor a design engineer to have a modeling specialist review anydependabilitymodel upon which important design decisionsdepend. Hopefully this double-checkingwill be less important as dependabilitymodeling computer programs developmore sophisticatedchecking capabilities.But the current stateof the art for these programs makes it still prudent to include amodeling specialist in the loop in this verificationrole.This strategy for using dependabilitymodeling has severaldisadvantages.The system designers are not given the benefitof the insight into the candidate designs that dependabilitymodeling could provide while the design is still in its formative stage. The result may be that an acceptabledesignmight be produced which meets the specified dependabilityrequirements,but it is less likely that the best design will beproduced than if dependabilitymodeling was used throughoutthe design process.The use of dependabilitymodeling duringdesign rather than afterward can improve the quality of the system design that is produced.Optimal Use of DependabilityAnalysis in System DesignDependabilityModeling should be an.Bz/ g/ al part of theSystem Design Process: Used throughout the design process at all levels of system evolutionand refinement Used on a "what-if' basis by the Design Engineers to comparecompeting design optionsAnother disadvantagearises when the dependabilityanalysisis performed by modeling specialists rather than by the designengineers.Modeling a system requires intimate knowledge ofthe system and how it operates.The design engineers havethis more than anyone else. For a modeling specialist tomodel the system, the engineers must essentially teach themodeling specialist the technical subtleties of the system.Often these fall in a technical field that is outside the expertiseof the modeling specialist.The engineers may not know exactly what informationis important to give to the specialist,and the specialist may not know enough to ask for all the appropriate information.The result can be that important detailsmay be omitted from the system model, and the reliabilityprediction obtained from the model may not be completelyaccurate or appropriate.Even if the information transfer fromthe designers to the modeling specialist is eventually adequate, there may be delays from false starts and errors (caughtand corrected) that arise during the communicationand are dueto the unfamiliarityof each professional with the field of theother.Benefits: When modeling is done by the Design Engineers as much as possible:- Reduces delays and errors due to communication problemsbetween the Design Engineers and the Modeling Specialists- Can help the Design Engineers gain new insights into the systemand understand it better Can help produce not just a minimally acceptable design, but the.he.xtdesign possibleSlideIntegrationthe Systemsit should be noted, however, that dependabilitymodeling isstill quite a bit of an art and can involve some subtle aspectsthat can be overlooked or misunderstoodby inexperiencedmodelers.This is particularlytrue when Markov modelingtechniques are used, and is especially true when performingthe validation analysis on the final design.Even the mostrecent reliability modeling programs do not yet have robustRFISyat the 1998 ReliabilityAnalysisintoDesignProcess;;x 1--I:.-.,.-I--I-,-,,.--,' ,COlItBcN IIIDerDependabiliteYlllU411lJO ,SeklCtIychartresItIo iltcrlNilmllnlldnabiltty,s41 ety,ore.analysisFinalIReFDe,,1 DependabilityVerificationthat.isf.,,[ " I a.a,,.i, t;ignJ(forV .V}SlideSlide 9: The Place of MarkovModeling Methodsreli.'lbillty,requirements.f .].Javail:lbilily.8Modelingin the SpectrumofThe range and capabilities of available methods for mathematical modeling have increased greatly over the last severaldecades. A dependability analyst has a full spectrum of methods from which to choose. Generally, the best strategy is tomatch the modeling method to the characteristics and requiredlevel of detail in the behavior of the system that must be modeled. It is important to select the simplest modeling methodthat will suffice. For this reason, it is helpful to have aknowledge of the characteristics,capabilities,and limitationsof all modeling methods in the spectrum.While obtaining athorough knowledge of all of this would be very timeconsuming,it is possible to make a good selection with only#98RM-313To Be Presentedof DependabilityEngineeringledialeStart7 & 8: Optimal Use of DependabilityModeling forSystem Design and Validation:as an IntegralPart of the Systems EngineeringDesign CycleFor these reasons, it is generally preferable for the designengineers themselvesto do as much as possible of the initialmodeling (particularlythe "what-if'modeling) of their systemrather than to pass the full modeling job to a modeling specialist. The engineer may consult the modeling specialist ifquestions arise about the modeling process.The advent ofsophisticatedgeneral-usereliability modeling computer programs, which insulate the user from much of the mathematicaldetails and subtleties involved in modeling, has helped quitea bit to grant design engineers this kind of independenceto dotheir own modeling.78!Slides7and Maintainabilitypage 3Symposium,RFJanuary16-19,1998, Anahiem,CAIJ

a general working familiarity with the various modelingmethods.The spectrum (depicted in the slide) extends fromthe simplest types of models on the left up through the mostcomplex on the right. The more complex techniques on theright generally encompass the simpler techniques on the leftwith respect to the range of system behavior that can be modeled. The further to the right a modeling technique appears inthe diagram, the more sophisticatedit tends to be relative tothose to its left, and the wider the range of system behavior itcan model. This capability is not without cost, however.The more sophisticateda method is, the more sophisticatedthe evaluation technique required to solve the model usuallyis. This occasionallymeans that solving the model will require more execution time than that needed to solve a simplermodel of comparablesize. Also, the more complex the modeling technique the harder it usually is for the user to specifythe model, and the easier it is to make errors during modelconstruction,in addition, it is generally more difficult to usethe more sophisticatedmodeling techniques correctly, requiring greater modeling knowledge and experience on the part ofthe analyst. In summary, the decision of which modelingtechnique to use to model a system involves a tradeoffofsimplicity vs. flexibility.This fact provides the motivation touse the simplest modeling technique that suffices to model thesystem for the required level of detail.SpectrumCombinatonaloI ModelingMethodsModels.e,,ab.,IyS,oc. ia rams,au.Tree.II :ac,va :,. cc., , : ::: ,a:c.:, c.a,:s,DigrephsDyna rnicGeneralizeFault TreesTechniquesontheiron rightleft('./ ahiiilyAblegenerallycomplexityto mod .lBenefits: Increased wrt(butnot strictly)of systempower",a widerSimu tionPetd Nels (GSPNs)m rca i.:.,Iv"modelingto model.Stochastic,Omld Vmoreencompassbehaviorthaivystemsophisticatedrange of systemscanthe techniquesbemodeledhehm,ie)imodelingtmp/ie :techniquethan less sophisticatedtechniquesDrawbacks:*Usually Harder to specifymodel:errors in the modelrequir tiserequired;easierto makeare similar techniques like reliability block diagrams).Thesetechniques model the system by expressingsystem behaviorin terms of the combinationsof individual events (for example, component failures) which cause the system to fail (forfailure space models) or to operate correctly (for success spacemodels).Models of these types are usually the easiest to construct and solve compared to the other more complex techniques. However, they are relatively limited in the types ofsystem behavior they can model compared to the other techniques. More complex are dynamic fault trees[3, 4], whichare a generalizationof traditional fault trees that allow sequence dependent system behavior to be included in themodel (sequence dependent behavior is behavior that dependsin some way on the order in which events occur). Next on thescale are the Markov modeling techniques which are the topicof this tutorial. In addition to being able to model much ofthe combinatorialand sequence dependentbehavior that theprevious model types can, they can model a wide range of behavior that arises from many techniques used in present stateof-the-art fault tolerant systems, including the use of complexrepair strategies, dynamic reconfigurationusing spares, andcomplex fault/error recovery procedures that are not alwaysperfectly effective. Next are hybrid and hierarchical modelingtechniques.These essentially provide methods for combiningmodels of the types already mentioned together into largermodels. At the top of the scale is simulation.Simulationprovides the ability to capture the most detailed system behavior of all the other modeling techniques, but at a cost ofgreater relative difficulty in constructingand validating themodel, and also much greater execution time required to obtain highly accurate evaluations of the model.The reader may note that Markov modeling techniques areapproximatelymidway along the complexityspectrum ofmodeling techniques, and this indicates their place relative tothe other modeling techniques.However, the reader should becautioned that the spectrum in the slide is not to scale withrespect to an absolute measure of modeling complexity andsophistication,and moreover the referenceto Markov modelsitself represents several modeling techniques which cover arange of system behavior.These Markov modeling techniques will be discussed in the remainder of this tutorial.BasicsSlide9The leftmost modeling techniques appearing in the spectrum shown in the slide are the combinatorialmodeling techniques, digraphs and fault trees[2] (included with fault treesThis is not to say that the more complex techniques on theright strictly encompass the simpler techniques on the left; itis only a general tendency.There are cases where a techniquecan model a certain type of system behavior that a techniquefarther to the right cannot, or can model only awkwardly.Forexample, digraphs are the only modeling technique in thespectrum that can model fault propagation elegantly.As afurther example, combinatorialmodels can model system behavior which is combinatorialin nature but for which component lifetimes have a general (i.e. non-exponential)distribution; Markov models cannot model this type of system behavior at all.RF#98RM-313To Be Presentedat the 1998 Reliabilityof MarkovModelsA discussion of Markov modeling begins with the basiccomponentsof Markov models: states and transitions. Alsoto be considered are the topics of how the states and transitions are used to express system behavior, what "solving" aMarkov model involves, and how reliability/availabilityestimates may be obtained from the solution ofa Markov model.In addition, it is important to know the advantagesand disadvantages of Markov modeling compared to other modelingtechniques, and when Markov modeling is and is not preferredover other modeling techniques.SlideI0: MarkovhaviorModels - Basic Model Componentsand Be-There are two basic components common to all of theMarkov models discussed in this tutorial:a set of states, anda set of transitionsbetween the states. The models considered here are limited to those having a countableand Maintahlabilitynumberpage 4Symposium,RFJanua16-19,1998, Anahiem,CA

(possibly infinite) of states. The model operates in the following way: the system is envisioned as being in one of thestates at all times throughout the time period of interest.Thesystem can be in only one state at a time, and from time totime it makes a transition from one state to another state byfollowing one of the set of inter-state transitions.There aretwo types of models that can be considered at this point, depending on how the transitions are permitted to occur in thetime domain.If the transitions are restricted to occur only atfixed, unit time intervals with a transition required at each interval, then the model is called a Discrete Time Markov Chain(DTMC).If, however, this restriction is relaxed and the transitions are permitted to occur at any real-valued time interval,the model is called a ContinuousTime Markov Chain(CTMC).The time between transitions is called the stateholding time. This tutorial will be concerned only with thelatter type, i.e. CTMCs.MarkovModels:Modeland ModelBasicModelA set of states A set of The systemmustThe systemmay From timeanotherto time,DiscreteTime:Cnntinu lus the statesbe in one of the statesbe in onlyone statethe systemat all timesa transitionfromone nd(eont)--Imagine a frog in a lily pond:Lily pads tlttcs yslem'shoppingTimefrogutlrl':.'nl l, itusfromspendsFrom any specificsubset of the otherMaynot be possible(usuallyrepresentonelily pad to anotheron a lily pad beforeI1: Markov : hlic holdinglily pad, may be possibleto hop to onlylily padslalcotl{ oing,/ran iliimsto leavefailurecertainModelslily padstilnca certain"'ahvwhin -l;ne 'states)SlideSlide tiansitionhopping1I- A SimpleAnalogyAn analogy may help with envisioning how the Markovmodel works: imagine a frog in a lily pond where he is free tohop among the lily pads in the pond, and with the furtherprovision that he never falls into the water[5].The lily padsin the pond correspondto states in a Markov model.The frogcorrespondsto the system's current status or state of being.RF#9gRM-31To Be Presentedat the 1998 Reliabilityconfigurationsor operationalCan representinstanceswhere the system- operational, failed- experienced specific sequences ofevenis- undergoing recover/repair- operating in a degraded me.de, etc.Slide11Frogsystemstatusof thes componentsstate holding times may be any

Slides 2 & 3: Outline of Tutorial This tutorial will be organized in the following way: we will begin with a discussion of the role that reliability model-ing in general plays in system design and validation and the place that Markov modeling in particular occupies within the spectrum of the various modeling techniques that are widely used.