This article has been accepted for publication in IEEE Transactions on Reliability.

This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/TR.2023.3244365

Reliability and Performance Measurement of Safety-Critical Systems based on Petri nets: A Case Study of Nuclear Power Plant

Nand Kumar Jyotish (a, *), Student Member, IEEE, Lalit Kumar Singh (b), Senior Member, IEEE, Chiranjeev Kumar (a), Senior Member, IEEE, Pooja Singh (c), Senior Member, IEEE

* Corresponding author.
a. Nand Kumar Jyotish and Chiranjeev Kumar are with the Department of Computer Science & Engineering, Indian Institute of Technology (ISM), Dhanbad, India.
b. Lalit Kumar Singh is with the Department of Computer Science & Engineering, Indian Institute of Technology (BHU), Varanasi, India.
c. Pooja Singh is with the Department of Mathematics, SIES-Graduate School of Technology, Navi Mumbai, India.

© 2023 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See https://www.ieee.org/publications/rights/index.html for more information.

Abstract— Safety-Critical Systems (SCSs) mitigate the risk of catastrophic loss of assets and hence have high dependability targets. Performance and reliability are the critical dependability attributes, particularly in control and safety systems, and are hence essential to measure to ensure dependability. Traditional methods are either not capable of capturing the system dynamics or encounter the state explosion problem. Also, the methods are not able to measure all critical performance attributes. This article proposes a novel approach to measure the performance and reliability of SCSs. Such systems contain multiple interconnecting processing nodes, the functional requirements of which are modelled using a Petri net. A set of ordinary differential equations (ODEs) is derived from the Petri net model that represents the state of the system. The ODE solution can be used to measure the critical performance attributes such as latency time and throughput of the system. The proposed method can avoid the state explosion problem and also introduces new metrics of performance, along with their measurement: deadlock, liveness, stability, boundedness, and steady state. The proposed technique is applied to a case study of a Nuclear Power Plant (NPP). We obtained 99.887% and 99.939% accuracy of performance and reliability measurement respectively, which proves the effectiveness of our approach.

Index Terms— Performance Measurement, Reliability, Throughput, Latency time, Safety-Critical Systems, Markov Chain, Petri nets (PN), Ordinary differential equation.

I. INTRODUCTION

Safety-critical systems could result in a loss of life, significant property damage, environmental damage, or loss of goal-oriented mission, if they fail. These are the computer-based systems (CBS) on which we rely on a daily basis [1]. The most effective strategy to avoid these failures is to remove or minimize dangers early in the design and development phase, instead of later when the system becomes unmanageably complex. Such systems have grown in network connectivity and distribution, and have thus become more complicated. The growing complexity of the system may impact their overall performance. Therefore, it is necessary to model such systems for performance measurement before their actual implementation.

Instrumentation and control (I&C) systems are the nervous systems of an NPP, and they are CBS. These systems perform their functions in normal, abnormal, and emergency conditions [2]. I&C systems identify fundamental physical elements, monitor performance, combine data, and automatically change plant operations to keep process variables within the design limits. I&C systems, in conjunction with the human operator, are responsible for ensuring the plant's safety and its efficient power generation [3]. Therefore, this system should be carefully planned, designed, built, and maintained to allow the human operator to take appropriate action during abnormal operations. Various logic circuits maintain the NPP's protection and safety in an abnormal situation. Some of the significant I&C logic circuits that provide protection and ensure the performance of safety systems of nuclear power plants are the emergency shutdown system, initiation of the auxiliary feedwater system, steam line isolation, and the initiation of the safety injection system [4]. Even though I&C is only a small part of a typical plant's maintenance and capital upgrade budget, it considerably impacts system dependability issues [2], [4]. Reliability and performance analysis are two important attributes of dependability and hence must be measured.

The results of performance measurement using a system model help to identify potential bottlenecks and to take design decisions. A model can be thought of as a conceptual abstraction of a particular system. In the past few decades, researchers have increasingly relied on analytical tools to measure various performance metrics. Many of these analytical methods use the Petri net, which can explain the information flow of a system in a more meaningful way and compute several dependability attributes [5].

Many CBS are used to measure critical process parameters to take important decisions [6-7], and hence measuring their performance and reliability is essential. In this research work, a novel approach is devised to measure the performance and reliability of SCS that is based on the Closed Process net (a variant of PN). We have derived the ODE system from the PN model and evaluated the different performance parameters using MATLAB. The design of a system with merely an informal definition is more difficult. In such scenarios, the proposed method can help. The modeled system can be analyzed by satisfying various PN properties such as liveness, reversibility, boundedness, deadlock absence, etc. that are performance indicators. Reliability and other performance indices, such as response time and throughput, are also measurable. The proposed approach is validated on multiple SCS of NPP, and exhibited on shutdown
system (SDS). The obtained measurement accuracies of performance and reliability are 99.887% and 99.939% respectively, which proves the effectiveness of our approach.

The breakdown of the paper's structure is as follows. Section II summarizes known techniques as well as their shortcomings. The preliminary concepts and definitions are covered in Section III. Section IV gives a brief idea of the proposed methodology for performance & reliability analysis. Section V discusses the case study of the Shutdown System (SDS) & its PN model. Performance & Reliability analysis is described in Section VI. Section VII discusses the validation of our approach. Conclusions are brought out in Section VIII.

II. RELATED WORK

Singh et al. [1], [8] used PN to present a framework for modeling and prediction of the performability of SCS. An SCS of NPP is used to demonstrate the technique. It deals with the dynamic simulation of a test facility for an SCS used in an NPP. However, because the methodology depends solely on the TimeNET tool for calculation, it cannot properly consider the component interfaces. The authors assume that firing delays of the transitions can be approximated by their mean values. Additionally, the provided technique does not support more than one parallel transition and hence fails to model concurrency. Further, the paper does not discuss any method to measure the response time of the systems.

Liu et al. [9] suggested a deterministic and stochastic Petri nets based methodology for evaluating the subsea blowout prevention system's performance. The method breaks the system into two parts to determine the system's performability: 1) mechanical system, and 2) computer-based system. Additionally, the effect of component failures, along with their maintenance period, on total system performance is also examined. However, the authors assume a constant component failure rate, which is not true in practical scenarios in the case of SCS. Existing models cannot efficiently assess SCS software's performance due to a lack of failure data and unreal assumptions.

Singh and Rajput [10] employed PN to analyze the dependability of an SCS's shutdown system SDS-2. The suggested method takes advantage of the Petri net's modeling power by converting it to a Markov chain for quantification. The authors developed a linear programming-based technique for state-space reduction. Reliability is the only focus of this paper, and the accuracy of reliability is not measured.

Jyotish et al. [11] surveyed various approaches for evaluating the performance of Petri net-based models of SCS, their limitations, the tools utilized, and the performance measures employed. This survey paper discusses the suitability analysis of SCS usage in an NPP. Based on our findings, some of the papers used a deterministic approach for performance evaluation and hence are not able to quantify the performance during run time. The approaches that are based on the state space of the system have considered many unrealistic assumptions, such as a constant failure rate of the hardware and software components. Some approaches also lack validation.

Ding et al. [12] presented a Business Process Execution Language-based technique for measuring the performance of service compositions. The method is described using a collection of fuzzy differential equations, each of which specifies a state change in the service composition. Each service state is quantified by a time-dependent fuzzy number indicating the degree to which the state is reachable during execution. However, fuzzy logic-based approaches are based on unrealistic assumptions and hence contain several parametric, epistemic, and aleatoric uncertainties. Therefore, such approaches are not suitable for SCS. Furthermore, a single equation category can contain several equations, and MATLAB may not have the computing power to handle such calculations.

Singh and Singh [13] proposed a method to measure the dependent failures of the components in a system, known as common cause failures. The proposed framework performs qualitative and quantitative screening analysis and detailed analysis, in which a probability model is developed to estimate the common cause basic event probabilities. Although the authors consider these dependencies for risk and reliability measurement, such dependencies need to be considered for performance measurement of the system.

Rodríguez et al. [14] transformed Unified Modeling Language profiles into PN for analyzing software performance based on the maximum productive capacity. The authors employ the PeabraiN tool to determine the maximum throughput bounds using the iterative LPP algorithm. The proposed transformation improves the data analysis capability. However, there is no method mentioned for measuring the performance. As a result, the model only ensures the performance in a subjective manner and does not provide its quantitative assessment.

Kumar et al. [15] measured SCS performance by using timed Petri nets and a Markov chain. System functional requirements are first modelled in PN, which is then transformed into a Markov chain. However, for a large-scale system the number of states can grow exponentially, which leads to the state space explosion problem. The proposed method does not consider many important metrics such as liveness, deadlock, steady state analysis and boundedness, which are important performance indicators.

Xia et al. [16] evaluated the performance of the Canada Deuterium Uranium (CANDU) reactor shutdown system SDS-1 using MATLAB/Simulink, signal processing system, and existing power management. The proposed methodology significantly improves trip response time in comparison to the present system. Additionally, it enhances the safety margin and provides economic benefits to the NPP. However, the validity of considering all the functional requirements is not ensured, which may lead to conservative estimates.

Rhee et al. [17] developed a 3-D Computational Fluid Dynamics (CFD) system for analyzing the performance of the SDS-2 CANDU reactor's liquid poison injection process. The authors conducted a series of studies to construct a restricted validation CFD model. However, the experiment does not provide a detailed dispersion profile of the liquid poison's distribution in the CANDU reactor moderator.

By leveraging observations of safety parameters in an NPP's SDS, Rankin and Jiang [18] suggested a Kalman filter-based technique for developing predictive SDS and predicting the attainment of trip set-points. When compared to traditional SDSs, the given prognostic SDS significantly brings down time-to-trip. As a result, a large power spike is
less likely to harm the reactor core and other crucial components. However, the method is just a preliminary step toward developing a potentially beneficial plan to improve the performance of conventional SDS.

Aslansefat et al. [19] suggested a method for evaluating performance using the semi-Markov process of the threshold alarm system. The authors demonstrated three cases and analyzed their performance based on the Priority-AND gate and a semi-Markov process. It is difficult to identify the complete state space of a large-scale system, and hence the Markov model would not be complete. Therefore, the accuracy of the reliability and performance measures of the system is doubtful. Also, it is not possible to model event-driven systems.

Tripathi et al. [20] emphasize the importance of dependability of safety-critical systems and study the existing methodologies for reliability quantification of such systems. The authors give a comparative study of two methods, dynamic flowgraph and PN, which are used for reliability measurement. An experimental study was carried out on a safety-critical system of NPP. In conclusion, the PN model is able to measure many dependability attributes with higher accuracy.

Cheung et al. [21] enhanced Wang's [22] work by incorporating performance and reliability studies to support a variety of architectural types. However, they make performance predictions based on the information from the operational profile and testing data, and the intuition of the software architecture, and hence the method is not fruitful for taking early design decisions.

Mamdikar et al. [23] employed a transformation process in which the UML model is converted into Petri nets for the non-functional requirement analysis of safety-critical systems. The authors analyzed dynamic behaviors and state-transition probabilities of SCS to evaluate the performance and reliability accuracy. The suggested framework is tested with the 32 SCS instances of NPP on the reactor core isolation cooling system module. However, the methodology uses assumed probabilities, which can lead to an erroneous result.

Chen and Li [24] used a sparse autoencoder and an artificial neural network for multisensory feature fusion to perform the fault diagnosis of the bearing and also to improve the reliability of fault diagnosis. In this method, time and frequency domain characteristics are gathered from diverse sensors and fed to neural networks, and the fused feature vectors are health indicators of the machine. However, performance is also an essential health indicator, which has not been considered in this work.

Singh and Singh [25-27] emphasized the dependability aspects of SCS. Practitioners from the leading research organizations, e.g., aerospace, nuclear energy, petrochemical, defense, etc., were interviewed to discuss the current state-of-the-art and practices adopted by the industries to ensure the dependability of SCS. The different methodologies used for quantitative assessment of the dependability were also discussed, which are based on stochastic modelling techniques that include Petri nets and Markov chains.

For an autonomous vehicle system, Seo et al. [28] presented an SCS feedback control architecture. While building the framework, the authors considered the major challenges of autonomous vehicle systems, such as safety and trajectory tracking performance. The model was built using a differential flatness approach, and then the trajectory tracking performance was achieved using a dynamic inversion method. The safety constraint is fulfilled using the control barrier function. However, model predictive control, the most promising control tool for performance measurement, is not included in the proposed technique. As a result, the accuracy of performance evaluation is questionable.

Ding et al. [29] proposed a flow-based multimodal safety-critical scenario generator for assessing decision-making algorithms. This technique provides efficient and diversified evaluations of decision-making algorithms by evaluating their robustness against worst-case scenarios that span all risk modes more comprehensively. To accelerate the training process, an adaptive sampler-based feedback mechanism is provided, which can adjust the sampling region based on the generator's learning process. However, combining the evaluation and training processes may give the existing algorithm a stronger boost for safety-related attacks and can jeopardise the performance.

Jiang et al. [30] took various levels of criticality into account for designing the SCSs on a common hardware platform. Such mixed-criticality systems (MCSs) have been extensively studied in academia, but they are challenging to implement in industrial circumstances. The authors found practical gaps between theory and reality and proposed a generic industrial architecture known as P-MCS. The P-MCS is then assessed for safety and for performance metrics such as system schedulability, throughput, and overheads. The presented technique incurs additional costs to meet industrial safety requirements and for its hardware-based implementation. Also, the reliability analysis of the technique is not validated.

Weng et al. [31] provided a scenario-based evaluation framework to give the safety performance of a black-box system. Under a test subject, the proposed scenario sampling algorithm is asymptotically optimal to obtain the safe invariant with high accuracy. However, the work does not address the non-scenario-based testing regime and system reliability.

Thota et al. [32] suggested a new safety broadcast system to meet the requirements of vehicle-to-vehicle (V2V) applications for latency and reliability. The authors then tested the system's performance in rural and urban areas with a varying number of vehicles using various wireless technologies, such as cellular and IEEE 802.11p. The application layer RaptorQ codes help to enhance the performance of the V2V system. However, due to the half-duplex nature of cellular V2V, this improvement is reduced in the urban situation. Also, IEEE 802.11p suffers from preamble channel estimation and excessive collision, both of which can affect the system reliability.

Hammadi et al. [33] used human brainwaves and a new framework based on deep learning to find insider threats to safety-critical industrial infrastructure. The authors used electroencephalograms (EEG) to record the brainwaves, which they then fed into a long short-term memory network to build a network for detecting the threats. The EEG-based threat detection is more accurate and reliable than the previous method. But the technique doesn't consider system dynamics while evaluating the performance.

The authors in [34] used the dynamic fault trees (DFTs) framework to conduct a reliability analysis of dynamic
systems. The strategy reduces the state space explosion problem to some extent by using input/output interactive Markov chains. The authors explained that the standard analysis for DFT is state based, and that treating it as a continuous-time Markov chain is not applicable in all scenarios due to the possibility of multiple interpretations in DFT. A semantic interpretation of DFT is introduced that makes it easy to understand the interactions among FT building blocks. This approach helps in addressing the state explosion problem by exploiting the DFT structure to build the smallest Markov chain. K. Aslansefat and G.-R. Latif-Shabgahi [35] also try to address the state explosion problem using the semi-Markov process theorem for DFT solution. The approach considers nonexponential failure distribution through a hierarchical solution. Kabir et al. [36] proposed a framework by incorporating complicated fundamental events in hierarchically performed hazard origin and propagation studies (HiP-HOPS), which may effectively ensure the modeling capabilities for complex failures and the effectiveness of model-based safety analysis (MBSA). The approach combines Petri nets with other methods like algebraic solutions to reduce the state explosion and improve the calculation. Cai et al. [37] proposed a Markov model to perform reliability analysis of subsea blowout preventer control systems subjected to multiple error shocks. The authors addressed the state explosion problem by splitting the system into three independent modules, and the corresponding Markov models are proposed subsequently. However, the system analyst needs to design the interfaces very carefully, and the mechanism to analyze the results of integration should be effective. Also, the validation of the approaches on safety-critical systems is an important concern.

III. PRELIMINARY CONCEPTS AND DEFINITIONS

A Petri net is a directed, weighted, and bipartite graph containing two different types of nodes: places (shown by circles) and transitions (depicted by bars or boxes). Directed arcs labeled with positive weights connect these places and transitions. Places may contain zero or more tokens. The black dots inside a place denote the tokens held by that place. Formally, a PN is described as a 5-tuple $PN = \{P, T, \alpha, \beta, M_0\}$, where $P = \{p_1, p_2, p_3, \ldots, p_m\}$ is a non-empty finite set of places, which describe the state of a system, $T = \{t_1, t_2, \ldots, t_n\}$ is a non-empty finite set of transitions, which help in changing the state of the system, $\alpha : (P \times T) \to N$ is the pre-incidence function that defines directed arcs from place to transition, and $\beta : (T \times P) \to N$ is the post-incidence function that defines directed arcs from transition to place. Here, $N$ refers to the set of natural numbers. $M_0 : P \to \{0, 1, 2, \ldots\}$ is the initial marking, i.e., an m-vector whose elements represent the tokens present in each of the m places of the net. Also, $P \cap T = \emptyset$ and $P \cup T \neq \emptyset$ [5].

The token movement in the PN model delineates the dynamic behavior of the system, represented by a change in token distribution among the places. The necessary condition to change the token distribution is that at least one transition must be in the enabled state. When every input place p of transition t contains at least as many tokens as the weight of the arc (p, t), the transition t is said to be in the enabled state. The enabled transition can fire. When transition t fires, it takes tokens from each of its input places p, based on the weight of the arc (p, t), and adds them to each of its output places.

Fig. 1 depicts the working of a PN-modeled system. Fig. 1a shows that each of the places X and Y holds one token, enabling the transition $T_1$. After the firing of $T_1$, the new configuration of the net is depicted in Fig. 1b. The firing of $T_1$ takes the token from X and Y and puts it into Z. The place Z in Fig. 1b has one token, which enables transition $T_2$. Fig. 1c is the final configuration of the net after the firing of $T_2$.

[Figure: places X, Y, Z and transitions $T_1$, $T_2$ in three panels: a. Initial marking; b. Marking after $T_1$ fires; c. Marking after $T_2$ fires]
Fig. 1. Petri net execution.

The performance of a system depends on its reliability and safety [25-27], [38-39]. Therefore, while assessing performance, we must analyze factors that might endanger the SCS's reliability and safety. Deadlock, boundedness, liveness, stability, reachability, and reversibility are the important metrics of safety and reliability.

The liveness or presence of deadlock in a PN is determined by a set of places known as a siphon. A non-empty set $S \subseteq P$ is called a siphon iff ${}^{\circ}S \subseteq S^{\circ}$, and it is a trap iff $S^{\circ} \subseteq {}^{\circ}S$, where ${}^{\circ}S$ denotes the collection of input transitions of the place set S and $S^{\circ}$ refers to the collection of output transitions of the place set S. Once a siphon becomes token-free under some marking, it stays empty for subsequent markings, whereas if a trap has any token in it, it remains marked for the rest of the time. As long as a marked trap exists in the siphon, there is no danger of potential deadlock in any siphon, and therefore the PN is deadlock-free and live [5].

The bounded property assures the absence of overflow at any place of the PN. The token count at any place of a bounded PN never surpasses a finite integer l for any marking reachable from the initial marking, and the PN is safe in all cases for l = 1. If the boundedness property is satisfied for every possible firing sequence, then the PN becomes stable, and it is called steady if the following condition is met [5], [11], [15].

$$\frac{\Delta M(t)}{\Delta t} = 0, \quad \text{where } \Delta t = t - t_0 \qquad (1)$$

A PN can exist in steady state, and hence steady-state analysis can be performed. The proof is given below.

Lemma: $PN(N, M_0)$ can stay in steady-state condition.

Proof: We know that the change in markings in the PN model with time is given by the following equation:

$$M' = M + [N] \cdot \vec{\sigma}(\Delta t),$$

where $M'$ and $M$ are the markings of a place at time $t$ and $t_0$ respectively, $[N]$ is the incidence matrix of the PN, and $\vec{\sigma}(\Delta t) = \vec{\sigma}(t) - \vec{\sigma}(t_0)$ denotes the firing count vector between $t$ and $t_0$.

We have $M' - M = [N] \cdot \vec{\sigma}(\Delta t)$

$$\Rightarrow \Delta M = [N] \cdot \vec{\sigma}(\Delta t)$$

$$\Rightarrow \frac{\Delta M}{\Delta t} = [N] \cdot \frac{\vec{\sigma}(\Delta t)}{\Delta t} = [N] \cdot \frac{\vec{\sigma}(t) - \vec{\sigma}(t_0)}{t - t_0}$$
Because the PN is consistent, a firing sequence causes the system to go from $M$ to $M$, i.e., $[N] \cdot \vec{\sigma} = 0$

$$\Rightarrow \frac{\vec{\sigma}(t) - \vec{\sigma}(t_0)}{\Delta t} = \Xi \cdot \vec{\sigma} : [N] \cdot \vec{\sigma}(\Delta t) = 0$$

$$\Rightarrow \exists\, \frac{\Delta M}{\Delta t} = 0. \qquad (2)$$

This demonstrates that the PN can exist in a steady state.

Reachability is a key basis for studying the dynamic aspects of the system. A firing sequence in a Petri net leads to a marking sequence. If a sequence of firings transforms marking $M_1$ to another marking $M_n$, then $M_n$ is said to be reachable from $M_1$. In a reversible net, one can always go back to the initial marking $M_1$ or some home state [5].

The above structural properties must exist for the Petri net-based modeled system. The PN model's steady-state probability distribution is computed after creating an equivalent Markov chain from its reachability graph and solving the following linear system.

$$\begin{cases} \Pi \times Q = 0 \\ \sum_{i=0}^{n} \pi_i = 1 \end{cases} \qquad (3)$$

and

$$q_{ij} = -\sum_{j=1,\, j \neq i}^{n} q_{ij} \qquad (4)$$

where $\Pi = (\pi_1, \pi_2, \pi_3, \ldots, \pi_n)$ is the steady-state probability and $\pi_i$ denotes the probability of being in state $S_i$. $Q = [q_{ij}]$ is the transition rate matrix such that $(i \neq j)$, and $q_{ij}$ denotes the transition rate from state $S_i$ to $S_j$ [10]. For no transition, $q_{ij} = 0$.

A process net $PRN = (P \cup \{p_s, p_e\}, T, F, M_0)$ is a strongly connected, conservative, and live Petri net, where $p_s$ is a start place with $|{}^{\circ}p_s| = 0$ and $|p_s^{\circ}| = 1$; $p_e$ is an end place with $|{}^{\circ}p_e| = 1$ and $|p_e^{\circ}| = 0$; and $F \subset (P \times T) \cup (T \times P)$ denotes a collection of arcs connecting places and transitions. Here, ${}^{\circ}p_s$ is the set of input transitions of $p_s$ and $p_s^{\circ}$ is the set of output transitions of $p_s$. Similarly, ${}^{\circ}p_e$ and $p_e^{\circ}$ can be defined. A process net becomes a closed process net if $p_s = p_e$. The term "strongly connectedness" refers to the fact that when $p_s$ is removed, the resulting net becomes acyclic. It means that there is a directed path between any pair of nodes of the net. Consistency is described as the presence of a firing sequence from $M_0$ to $M_0$ such that each transition fires at least once. The closed process net has strong reversibility properties, which means we can always return to $M_0$ from any other marking $M \in R(M_0)$ upon firing of transitions [40-41].

IV. PROPOSED METHODOLOGY FOR PERFORMANCE & RELIABILITY ANALYSIS

The existing literature deals with mean latency time and system throughput for performance analysis. However, it is essential to consider deadlock, liveness, stability, boundedness and steady state metrics as well. Deadlock may lead to delay in process execution or even hold the state of the system for infinite time. Liveness refers to a set of properties that require a system to make progress despite the fact that it is concurrently executing components. Stability is a property to ensure that the output of the system is under control. Boundedness ensures that all the entities in the system are restricted to some finite region of space. Steady state analysis verifies the consistent behavior of the system. Therefore, these are good performance indicators and hence must be analyzed. In order to compute these metrics, the system requirements are modelled using Petri nets (PN). The computation methodology of these metrics is demonstrated on a case study of an NPP system in Section VI. The framework for performance & reliability analysis is based on the concept of the continuous Petri net (CPN) and is generic in nature. So, it can be applied to any type of SCS in any domain.

The continuous Petri net (CPN) is a relaxation strategy of the stochastic Petri net (SPN), which helps to prevent the exponential growth of reachable markings resulting from increased PN size. The CPN markings are assigned time-dependent nonnegative real numbers. Formally, it is defined as a 3-tuple $CPN = \{PN^{M}, M_0, R\}$, where $\{PN^{M}, M_0\}$ is a marked message passing (MP) net [12], [40-41]. An MP net is a subclass of PN in which places are categorized as idle, activity, and buffer, whereas transitions are characterized as activity, input communication, and output communication. A place is idle if it contains no token, it becomes an activity place if it processes the token, and it is called a buffer place if it holds token(s). A CPN consists of a set of closed process nets, along with various synchronous and asynchronous mechanisms; $R : T \to (0, +\infty)$, $R(t_i) = r_i$ $(i = 1, 2, \ldots, m)$ is a function which assigns a firing rate $r_i$ to $t_i$. In the synchronous mechanism, one closed process net sends a request to another and waits for acknowledgement, whereas in the asynchronous mechanism, the other closed process can continue further without sending the acknowledgement. If all the input places of a CPN transition have nonzero markings, then the transition is said to be enabled.

Let $p_{k_1}$ and $p_{k_2}$ be the input places of transition $t_i$ with their respective markings $m_{k_1}$ and $m_{k_2}$. Suppose the transition $t_i$ fires at time $\tau$ during a period $\Delta\tau$, then

$$p_k \in {}^{\circ}t_i : \quad m_k(\tau + \Delta\tau) = m_k(\tau) - v_i(\tau)\,\Delta\tau. \qquad (5)$$

$$p_k \in t_i^{\circ} : \quad m_k(\tau + \Delta\tau) = m_k(\tau) + v_i(\tau)\,\Delta\tau. \qquad (6)$$

where $v_i$ is the instantaneous firing speed of transition $t_i$ and equals the maximum firing speed (defined by David and Alla) given by $v_i = r_i \times \min\{m_{k_1}, m_{k_2}\}$ [41-42].

[Figure: Step 1: Formulation of Ordinary Differential Equation System; Step 2: Solution of ODEs Using Runge-Kutta Method; Step 3: Evaluation of Performance Measures Using ODE Solution (Find Mean Latency Time, Find Throughput); Step 4: Reliability Measure]
Fig. 2. Framework for Performance & Reliability Analysis.

The proposed framework for performance & reliability analysis consists of four steps, as shown in Fig. 2 and explained as follows.

© 2023 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.See https://www.ieee.org/publications/rights/index.html for more information.

Step 1: Formulation of ODE System

A collection of ODEs of a PN model is developed based on the equations (5) & (6), and semantics, discussed in Section III. These ODEs help in computing the marking. Let $m_i$ and $m$ be the markings of places $p_i$ and $p$ respectively, and let $r_i$ denote the firing rate of transition $t_i$. We consider the following cases in the formulation of the ordinary differential equation system: (A) Two places to two places model, (B) One place to two places model, and (C) Two places to one place model.

[Fig. 3. Two places to Two places model. Places $p_1$, $p_2$, $p$, $p_3$ with markings $m_1$, $m_2$, $m$, $m_3$; transitions $t_1$, $t_2$ with rates $r_1$, $r_2$.]

Case A: Two places to two places model: As Fig. 3 shows, place $p$ is getting markings from both the place $p_1$ and place $p_2$, while it sends some marking along with place $p_3$. That is, $p_1$ and $p_2$ are the input places for $t_1$, while $p$ and $p_3$ are the input places for $t_2$. If each transition fires, then the marking $m$ for a time increment $\Delta\tau$ is written as,

$$m(\tau + \Delta\tau) = m(\tau) + r_1 \cdot \min\{m_1(\tau), m_2(\tau)\}\,\Delta\tau - r_2 \cdot \min\{m(\tau), m_3(\tau)\}\,\Delta\tau$$

$$\Rightarrow\ \frac{m(\tau + \Delta\tau) - m(\tau)}{\Delta\tau} = r_1 \cdot \min\{m_1(\tau), m_2(\tau)\} - r_2 \cdot \min\{m(\tau), m_3(\tau)\}$$

Let $\Delta\tau \to 0$, then we get the following ODE

$$m'(\tau) = r_1 \cdot \min\{m_1(\tau), m_2(\tau)\} - r_2 \cdot \min\{m(\tau), m_3(\tau)\} \tag{7}$$

[Fig. 4. One place to two places model. Places $p_1$, $p$, $p_2$ with markings $m_1$, $m$, $m_2$; transitions $t_1$, $t_2$ with rates $r_1$, $r_2$.]

Case B: One place to two places model: As Fig. 4 shows, place $p$ gets marking from $p_1$, and it produces some marking with the help of $p_2$. If every transition fires, then for a time interval $\Delta\tau$, the marking $m$ can be represented as,

$$m(\tau + \Delta\tau) = m(\tau) + r_1 m_1(\tau)\,\Delta\tau - r_2 \cdot \min\{m(\tau), m_2(\tau)\}\,\Delta\tau$$

$$\Rightarrow\ \frac{m(\tau + \Delta\tau) - m(\tau)}{\Delta\tau} = r_1 m_1(\tau) - r_2 \cdot \min\{m(\tau), m_2(\tau)\}$$

Let $\Delta\tau \to 0$, then we obtain the ODE below

$$m'(\tau) = r_1 m_1(\tau) - r_2 \cdot \min\{m(\tau), m_2(\tau)\} \tag{8}$$

[Fig. 5. Two places to one place model. Places $p_1$, $p_2$, $p$ with markings $m_1$, $m_2$, $m$; transitions $t_1$, $t_2$ with rates $r_1$, $r_2$.]

Case C: Two places to one place model: As Fig. 5 shows, place $p$ obtains marking from $p_1$ and $p_2$, and it produces a marking for another place. Then, we can derive the below differential equation:

$$m'(\tau) = r_1 \cdot \min\{m_1(\tau), m_2(\tau)\} - r_2 \cdot m(\tau) \tag{9}$$

Readers can refer to [12], [41] for more details on CPN, closed process nets, and the formulation of ODEs using CPN.

Step 2: Solution of ODEs Using Runge-Kutta Method

The Runge-Kutta method can be used to solve a family of ordinary differential equations. It can be implemented using the MATLAB function "ode45." The ode45 function is the fourth or fifth order of Runge-Kutta method.

Step 3: Evaluation of Performance measures using ODE Solution

The ODEs solution is used to find the various performance measures of a system. These performance metrics can be mean latency time, system throughput etc. The mean latency time can be evaluated based on the queueing theory and Little's law [43], whereas the system throughput can be measured by using the firing frequency of the transition.

Step 4: Reliability Measure

By using the system throughput value, we can measure the reliability of the system using the equation $R(t) = e^{-\lambda t}$, where $\lambda$ is the firing rate of transition and $t$ is the target time.

V. CASE Study: SDS and its PN Model

The shutdown system is a safety system that allows the reactor to shut down in any unfavorable plant conditions to avoid potentially dangerous situations. Safety systems of NPP are deployed to ensure the safety of the plant and public in all the normal operating conditions, anticipated operational occurrences and emergency conditions. The regulatory board of each country sets and imposes the guidelines/standards for robust design of these safety systems. The pressurized heavy water reactor (PHWR) has 2 independent, fast-acting, and diverse SDS to ensure safe shutdown. Each of these shutdown systems, SDS1 and SDS2, operates on a distinct concept and can completely shut down the reactor in case of a design basis accident.

Both the systems are fully automated; however, they can also be activated manually, for increased reliability. SDS1 stops the reactor operation and keeps it safe by dropping mechanical rods into the reactor core. SDS2 is intended to function at greater 'trip' set-point as compared to SDS1 to ensure the reactor shutdown in case of unavailability or failure of SDS1. It rapidly injects the poison into the NPP reactor, which absorbs neutrons and terminates the fission reaction. We have taken SDS2 as a case study to illustrate our approach to measure reliability and performance.

A. SDS-2

To achieve shutdown criteria, certain essential factors, known as trip parameters, must be monitored at all times. There are two types of trip parameters: absolute and conditional. The absolute trip parameters are applicable at any power level of the reactor, while the conditional parameters are applicable only when the power level of the reactor is equal to or higher than 2% of the full power of the reactor [44]. SDS-2 triggers in auto mode when any of the nine parameters, as listed in Table 1 [45], deviates from its normal range. Fig. 6 is the simplified schematic diagram of SDS-2.

Table 1: Trip Parameters and Detectors used

| S.no | Trip Parameter | Detector |
|---|---|---|
| 1 | Neutron Power | Vertical In-core Detector |
| 2 | Rate Log Neutron Power | Ion Chamber |
| 3 | Heat transport system Flow | Differential Pressure Transmitter (DPT) |
| 4 | Heat transport system Pressure | Pressure Transmitters |
| 5 | Reactor building Pressure | DPT |
| 6 | Steam generator Level | DPT on each steam generator |
| 7 | Steam generator Feedline Pressure | Pressure Transmitter Individual Feedline |
| 8 | Moderator Level | DPT |
| 9 | Low pressurizer level | DPT |

[Fig. 6. Simplified diagram of SDS-2 Liquid Poison Injection System.]

There is a poison tank, from which the poison is injected into the calandria, where the nuclear chain reaction is taking place, to terminate the nuclear reaction. The poison tank is cylindrical in shape and is fixed to the exterior fence of reactor vault [10]. The nozzle connects with all the poison tanks so that the poison can be pumped into the moderator. The poison tank contains a plastic ball that floats. The poison is injected when any of the trip parameters deviates from its normal range, for which instrumentation logics are implemented. This poison tank is connected with the Helium supply tank through 6 quick opening valves (QOV). These 6 quick opening valves are arranged in series and parallel combination as shown in Fig. 6. There are three parallel lines, in each of which 2 QOV are arranged. These QOV normally remain in the closed state, i.e., when the reactor is in operating mode. Because they operate on the principle of air closure and spring opening mechanism, the QOV ensure that they open reliably on demand. There are 3 vent valves, one in each line to vent the helium pressure, if any, during the operating mode of the reactor. These vent valves remain in open state normally.

When any trip parameter deviates from the normal range, the vent valves get closed by energizing the relays, followed by opening of the QOV, and helium pressurizes poison into the calandria, and the poison ball is driven into the lower seat of the poison tank. The ball takes position at the poison tank exit in the bottom, preventing helium gas from over-pressurizing the calandria.

After shutting down the reactor, it is taken into maintenance and to restart the reactor, the vent valves are opened followed by closing of QOV.

The functional requirements of SDS2 are implemented in a CBS that consists of various hardware and software components, such as sensors, actuators, digital I/O cards, relay output modules, software for data processing, graphical user interface, etc. The liquid poison is injected into the calandria via a 2-out-of-3 trip circuit employing control valves.

B. PN Model of SDS-2

The failure of SDS-2 will result in exponential increase in the power and the design parameters will exceed their range, which may jeopardize the integrity of mechanical components by which the radioactivity may get exposed to the public. The SDS-2 is composed of many components, including sensors, logic, actuators, and a specific human-machine interface to achieve its intended function. Each QOV line has two vent valves; both are normally open (during normal conditions) to relieve pressure in that line, if any, and prevent an erroneous poison injection. Fig. 7 shows the Petri net model of SDS-2 and is explained as follows.

[Fig. 7. Petri net model of poison injection system of SDS-2. Places $m_1$ to $m_{14}$, transitions $t_1$ to $t_8$.]

A token in place $m_1$ represents the deviation of any of the trip parameters from their design limits. A token in $m_2$ represents the creation of logic condition (LC), a token in $m_3$ represents the hold state of logic condition. A relay is energized to close the vent valves, which is represented by a token in $m_5$. The poison is injected into the moderator when the QOV is opened, which is represented by a token in place $m_{10}$. For improved reliability, a duplicate information about QOV state, from a redundant sensor, is monitored, which is represented by a token in place $m_8$. The place $m_{13}$ is included to prioritize $t_6$ over $t_2$ when they are in a race condition. This will ensure the opening of QOV, in case any security threat leads to false information (closed state) about the QOV state. The description of transitions and places of Fig. 7 are shown in Table 2a and Table 2b respectively.

As shown in Fig. 7, our model consists of the following two closed process nets:

(a) First set of closed process net is $\{m_1, m_2, m_3, m_4\}$, and (b) second set of closed process net is made up of $\{m_5, m_6, m_{13}, m_3, m_{11}, m_7, m_8, m_{12}, m_9, m_{10}, m_{14}, m_1\}$. These two closed process nets communicate with each other via asynchronous message passing mechanism.

Table 2a: SDS-2 Process Transitions

| Transitions | Description |
|---|---|
| $t_1$ | Sends signal to create LC and to energize the relays to close the vent valves |
| $t_2$ | Trigger signal to hold LC at the created state |
| $t_3$ | Trigger signal to restore LC and relay de-energizes |
| $t_4$ | Resend signal to open QOV if it fails to open |
| $t_5$ | Trigger to close the vent valves |
| $t_6$ | Trigger to open all QOV |
| $t_7$ | Trigger to open the vent valves |
| $t_8$ | Trigger to close all QOV |

Table 2b: SDS-2 Process Places

| Places | Description |
|---|---|
| $m_1$ | Deviation of trip parameters |
| $m_2$ | LC gets created |
| $m_3$ | LC is on hold state |
| $m_4$ | LC is restored |
| $m_5$ | Relay energized to close the vent valves |
| $m_6$ | Vent valves get closed |
| $m_7$ | Redundant information of QOV in the closed state |
| $m_8$ | Redundant information of QOV in the opened state |
| $m_9$ | QOV close |
| $m_{10}$ | QOV open |
| $m_{11}$ | Relay de-energized to open the vent valves |
| $m_{12}$ | Open the vent valves |
| $m_{13}$ | Ensures the precedence of $t_6$ over $t_2$ |
| $m_{14}$ | Ensures reversibility properties |

VI. PERFORMANCE & RELIABILITY ANALYSIS

1) Deadlock and Liveness Analysis: The modeling of SDS-2 was carried out using a timed Petri net (TPN), as shown in Fig. 7. The deadlock and liveness analysis using siphons and traps is explained in Section III. We run the TimeNET tool [46] to calculate the number of siphons and traps present in the SDS-2 Petri net model. It has 12 minimal siphons and 12 marked traps. The siphons are:

$S_1 = \{m_6, m_{13}, m_3, m_{11}, m_7\}$, $S_2 = \{m_3, m_{11}, m_{12}, m_{14}, m_1, m_5, m_6, m_{13}\}$, $S_3 = \{m_1, m_5, m_6, m_{13}, m_3, m_4\}$, $S_4 = \{m_1, m_2, m_3, m_4\}$, $S_5 = \{m_1, m_2, m_3, m_{11}, m_{12}, m_{14}\}$, $S_6 = \{m_3, m_{11}, m_{12}, m_9, m_{13}\}$, $S_7 = \{m_3, m_4, m_1, m_5, m_8, m_{12}, m_9, m_{13}\}$, $S_8 = \{m_1, m_2, m_3, m_{11}, m_7, m_6, m_{10}, m_{14}\}$, $S_9 = \{m_7, m_8\}$, $S_{10} = \{m_5, m_8, m_{12}, m_{14}, m_1\}$, $S_{11} = \{m_9, m_{10}\}$, $S_{12} = \{m_5, m_6, m_{10}, m_{14}, m_1\}$.

The traps are:

$T_1 = \{m_1, m_5, m_8, m_{12}, m_{14}\}$, $T_2 = \{m_1, m_5, m_6, m_{13}, m_3, m_{11}, m_{12}, m_{14}\}$, $T_3 = \{m_1, m_2, m_3, m_{11}, m_{12}, m_{14}\}$, $T_4 = \{m_3, m_{11}, m_7, m_6, m_{13}\}$, $T_5 = \{m_3, m_{11}, m_{12}, m_9, m_{13}\}$, $T_6 = \{m_1, m_2, m_3, m_4\}$, $T_7 = \{m_1, m_5, m_8, m_{12}, m_9, m_{13}, m_3, m_4\}$, $T_8 = \{m_7, m_8\}$, $T_9 = \{m_1, m_5, m_6, m_{10}, m_{14}\}$, $T_{10} = \{m_9, m_{10}\}$, $T_{11} = \{m_3, m_4, m_1, m_5, m_6, m_{13}\}$, and $T_{12} = \{m_1, m_2, m_3, m_{11}, m_7, m_6, m_{10}, m_{14}\}$.

We can observe that $S_1$, $S_2$, $S_3$, $S_4$, $S_5$, $S_6$, $S_7$, $S_9$, $S_{10}$, $S_{11}$, and $S_{12}$ are also marked traps but $S_8$ does not contain any trap. It means our PN model is deadlock-free. Also, the Petri net satisfies the liveness criteria as mentioned in Section III because it has no potential deadlock.

2) Stability, Boundedness and Steady State Analysis: From the SDS-2 PN-model, shown in Fig. 7, each place contains either zero or one token for each marking which is reachable from the initial marking $M_0$, i.e., $M_0 \leq 1$. It concludes that the system is stable. Additionally, because the model is one-bounded, it indicates that it is safe. We can also see that $\Delta M / \Delta t = 0$. As a result of equation (1), the system is steady also. Thus, from the analysis of the Petri net model of SDS-2, it satisfies all of the performance metrics.

3) Performance Analysis: To carry out the performance analysis, the Petri net model is transformed into a CPN that can be represented by a collection of ODEs. The CPN is explained in Section IV. The success criteria of SDS-2 is that it should be able to inject poison into the nuclear core within 1 second [10] to ensure the termination of nuclear chain reaction in safe manner. We use the proposed framework shown in Fig. 2 to perform the performance analysis described below.

Step 3.1: Formulation of ODE System

The structures of Fig. 3, 4, and 5 are part of our PN model of Fig. 7. Therefore, we use equations (7), (8), and (9) to derive the ODEs system from the PN model. Assume that it is possible to achieve the firing constants $r_i$ in advance for every activity modeled by a transition. Then, the ODEs system of the Petri net model given in Fig. 7 can be formulated as below:

$$
\begin{aligned}
m_1' &= r_4 \min\{m_4, m_{14}\} - r_1 m_1 \\
m_2' &= r_1 m_1 - r_2 \min\{m_2, m_{13}\} \\
m_3' &= r_2 \min\{m_2, m_{13}\} - r_3 m_3 \\
m_4' &= r_3 m_3 - r_4 \min\{m_4, m_{14}\} \\
m_5' &= r_1 m_1 - r_5 \min\{m_5, m_7\} \\
m_6' &= r_5 \min\{m_5, m_7\} - r_6 \min\{m_6, m_9\} \\
m_7' &= r_7 \min\{m_8, m_{11}\} - r_5 \min\{m_5, m_7\} \\
m_8' &= r_5 \min\{m_5, m_7\} - r_7 \min\{m_8, m_{11}\} \\
m_9' &= r_8 \min\{m_{10}, m_{12}\} - r_6 \min\{m_6, m_9\} \\
m_{10}' &= r_6 \min\{m_6, m_9\} - r_8 \min\{m_{10}, m_{12}\} \\
m_{11}' &= r_3 m_3 - r_7 \min\{m_8, m_{11}\} \\
m_{12}' &= r_7 \min\{m_8, m_{11}\} - r_8 \min\{m_{10}, m_{12}\} \\
m_{13}' &= r_6 \min\{m_6, m_9\} - r_2 \min\{m_2, m_{13}\} \\
m_{14}' &= r_8 \min\{m_{10}, m_{12}\} - r_4 \min\{m_4, m_{14}\}
\end{aligned}
\tag{10}
$$

The initial values for the ODE system are: $m_1(0) = m_7(0) = m_9(0) = 1$, and all others are 0, where $m_i$ is the marking of the respective place and $r_i$ is the firing rate assigned to $t_i$.

Step 3.2: Solution of ODEs Using Runge-Kutta Method

We use step 2 of the proposed framework, as explained in Section IV, to solve the above ODEs system. For the ODEs system (10) of the SDS-2 Petri net model, with the simulation data, we have $r_1 = 0.05$, $r_2 = 0.40$, $r_3 = 0.25$, $r_4 = 0.15$, $r_5 = 0.3$, $r_6 = 0.03$, $r_7 = 0.10$, and $r_8 = 0.20$. Using this method, we get the result as illustrated in Fig. 8. When t > 133.6481 msec, every result approaches a unique fixed value: $m_1(t) \approx 0.2355$, $m_2(t) \approx 0.4621$, $m_3(t) \approx 0.0472$, $m_4(t) \approx 0.2552$, $m_5(t) \approx 0.0393$, $m_6(t) \approx 0.3933$, $m_7(t) \approx 0.4321$, $m_8(t) \approx 0.5899$, $m_9(t) \approx 0.7488$, $m_{10}(t) \approx 0.2535$, $m_{11}(t) \approx 0.1179$, $m_{12}(t) \approx 0.0590$, $m_{13}(t) \approx 0.0295$, and $m_{14}(t) \approx 0.0784$. The ODEs solution is used to find the system's delay.

[Fig. 8. The solutions (state measures) of the Petri net model of SDS-2.]

[Fig. 9. The mean latency time of the poison injection process of SDS-2.]

Step 3.3: Evaluation of Performance measures using ODE Solution

Based on the ODE solution of step 3.2, we can now evaluate the different performance measures of SCS as below.

(A) Mean Latency Time: - It is defined as the delay time to inject the poison into calandria of the SDS-2. i.e., For the closed process net based system, it is the delay time spent in a process, from the start of SDS-2 until the finish when the poison is completely injected into the system. The mean latency of a subsystem is computed while the system is present at the steady-state. Based on the queueing theory and Little's law, the mean latency time can be computed as:

$$W = L / \lambda \tag{11}$$

where $L$ indicates the average token count present in the system, $\lambda$ is the mean token arrival rate in the system, and $W$ represents the mean latency time of subsystem. Because, the ODE solutions indicate the average marking of each place while the system is in steady-state, therefore $L$ can be calculated as:

$$L = \sum_{l \in M} m_l \tag{12}$$

where $M$ represents the set of places that model either other component of SDS-2 waiting for the token so that they can perform their task or their token request in the process. Therefore, in the steady state, the mean delay time is defined as the task's queue length divided by the average number of markings entering the subsystem in unit time.

In our Petri net model as shown in Fig. 7, after the initiation of poison injection process at the place $m_1$, all the remaining places from other closed process nets $\{m_5, m_6, m_{13}, m_3, m_{11}, m_7, m_8, m_{12}, m_9, m_{10}, m_{14}, m_1\}$ are waiting for tokens so that they can perform their intended task. Therefore,

$$L = m_5 + m_6 + m_{13} + m_3 + m_{11} + m_7 + m_8 + m_{12} + m_9 + m_{10} + m_{14} + m_1 = 3.0244 \tag{13}$$

The mean token arrival rate $\lambda$ is computed as,

$$\lambda = r_1 m_1 = (0.05 \times 0.2355) = 0.011772 \tag{14}$$

Thus, mean delay time using ODE solution is

$$W_{ODE} = L / \lambda = \frac{3.0244}{0.011772} = 256.91\ \text{msec} \tag{15}$$

From Fig. 9, we find that when t > 133.6486 msec, the mean latency time approaches a fixed value i.e., 256.91 msec. Hence, the average delay of the SDS-2 system is computed as 0.25691 seconds.

(B) System Throughput: - The firing frequency is a metric for measuring throughput. In Fig. 7, place $m_5$ is the first place of the subsystem among the place set of closed process nets $\{m_5, m_6, m_{13}, m_3, m_{11}, m_7, m_8, m_{12}, m_9, m_{10}, m_{14}, m_1\}$ which can accept the token request from $m_1$. Therefore, the state measure of $m_5$ represents the token request i.e., the token is accepted for the second closed process nets $\{m_3, m_5, m_6, \ldots, m_{13}\}$ from the first closed process nets $\{m_1, m_2, m_3, m_4\}$ via the transition $t_5$. Hence, the throughput $t$ of the system depends on the firing of the transition $t_5$. Thus, throughput of system, $t$ = marking rate of $t_5$ = $r_5 m_5$. i.e., it is given by,

$$t = (0.30 \times 0.0393) = 0.01179\ \text{msec} \tag{16}$$

4) Reliability Analysis: The reliability criteria of SDS-2 is that it must be able to inject the poison within the one-second to ensure the safe shutdown of the reactor. Because of the criticality of mission time, it is necessary to carry out reliability analysis. In Fig. 7, the transition $t_5$ is used as a trigger for proper closing of all the fast-acting valves and it is the first transition by which second closed process net will get token. If the firing of $t_5$ doesn't happen in a proper way, then our system may lead to the unreliable condition. The reliability of the system is given by [47],

$$R(t) = e^{-\lambda t} \tag{17}$$

Here, $\lambda$ is the firing rate of transition $t_5$ whose firing may cause system to be in unreliable condition, $t$ is the system throughput as calculated in equation (16). The PN model of Fig. 7 was run using TimeNET tool to measure the transition firing rates as indicated in Table 3. $\lambda_i$ denotes the firing rate of transition $t_i$ (where i = 1, 2, …, 8). Therefore, the reliability of the system is

$$R_{ODE}(0.01179) = e^{-(0.148 \times 0.01179)} = 0.9982566 \tag{18}$$

Unreliability = 1 - 0.9982566 = 0.0017434

i.e., our model gives a reliability of 99.82%.

Table 3: Transition's firing rate (in per msec)

| $\lambda_1$ | $\lambda_2$ | $\lambda_3$ | $\lambda_4$ | $\lambda_5$ | $\lambda_6$ | $\lambda_7$ | $\lambda_8$ |
|---|---|---|---|---|---|---|---|
| 0.01256 | 0.820 | 0.532 | 0.650 | 0.148 | 0.020 | 0.0185 | 0.150 |

Algorithmic complexity analysis of Performance measurement:

The complexity analysis lies in the solution of ODEs. In the framework of performance analysis, we employed the Runge–Kutta method to solve a family of ODEs. This method is better than Newton's method if the accuracy is less than 0.000001. We know that Newton's method has complexity $O(mn^3)$. Here, $m$ indicates the number of iterations, whereas $n$ is the number of variables. $m$ is generally $O(n)$ and never exceeds $O(n^2)$. As a result, the Runge–Kutta method's complexity is around $O(n^4)$ and never surpasses $O(n^5)$. Thus, computing the state measures of an ODE model requires a maximum of $O(n^5)$, where $n$ denotes the number of equations and $n \leq |P|$. In our model, $n = 14$, i.e., the system has 14 places (as shown in Fig. 7), and 14 ordinary differential equations (as shown in equation (10)). For a more complex system having a larger value of $n$, the proposed approach may give higher latency time.

Reduction of state space explosion problem:

One method to address the state explosion problem is proposed by Cai et al. [37], in which the functions of SDS-2 can be decomposed into smaller functions and each function can be implemented in a module, such as, (i) data acquisition module to acquire the state of process parameters, (ii) processing module to process the logic, (iii) decision module to actuate the actuators according to the outcome of the processing logic. However, careful consideration is required to design the proper interfaces to integrate the results of reliability and performance analysis. Our proposed method is as follows. The polynomial time complexity $O(n^5)$ of the state measure of the ODE model demonstrates that the proposed strategy is capable of avoiding the state explosion problem, which is generally experienced by the traditional Markov chain based approaches. Since CPN is a relaxation strategy of SPN, if both are able to model the same system, then the following lemma holds good for the system [41]:

Lemma: The mean token count at a place in SPN and the state measure for that place in CPN are nearly equal.

Proof: We use the following notations and [48] to prove this lemma. The random variables $m(\tau)$ and $m_i(\tau)$ are used to express the marking of the places $p$ and $p_i$ respectively at time $\tau$, which can take a value of either 0 or 1. The notation $(\ldots, b_i, b, \ldots)$ denotes an SPN's reachable state in which $b_i$ and $b$ can take the value 0 or 1. $B(\ldots, b_i, b, \ldots)(\tau)$ is the probability that the SPN stays in the state $(\ldots, b_i, b, \ldots)$ at time t. $S$ denotes every possible reachable state of the SPN.

It is sufficient to show that the expectation of marking $m$ of SPN also satisfies the state measure $m$ of ODE, i.e., if the ODE for the place $m$ is $m'(\tau) = f(\tau, m(\tau))$, then it can be written as $(E[m(\tau)])' = f(\tau, E[m(\tau)])$. We consider Fig. 5 to prove the above lemma. As this structure is a part of SPN, we can apply the Chapman-Kolmogorov (C-K) equation to find the average token count for the associated SPN model, i.e.,

$$B'(\ldots, b_1, b_2, b, \ldots)(\tau) = r_1 \min(b_1 + 1, b_2 + 1)\, B(\ldots, b_1 + 1, b_2 + 1, b - 1, \ldots)(\tau) - r_2\, b\, B(\ldots, b_1, b_2, b, \ldots)(\tau) \tag{19}$$

where $r_1 \min(b_1 + 1, b_2 + 1)$ and $r_2 b$ are firing rates of transition at time $\tau$. After summing all the possible states, we get

$$\sum_{(\ldots, b_1, b_2, b, \ldots) \in S} B'(\ldots, b_1, b_2, b, \ldots)(\tau) = \sum_{(\ldots, b_1, b_2, b, \ldots) \in S} r_1 \min(b_1 + 1, b_2 + 1) \times B(\ldots, b_1 + 1, b_2 + 1, b - 1, \ldots)(\tau) - \sum_{(\ldots, b_1, b_2, b, \ldots) \in S} r_2\, b\, B(\ldots, b_1, b_2, b, \ldots)(\tau) \tag{20}$$

Since the marking of each place is either 0 or 1, (20) can be written as

$$\sum_{(\ldots, 0, 0, 1, \ldots) \in S} B'(\ldots, 0, 0, 1, \ldots)(\tau) = \sum_{(\ldots, 0, 0, 1, \ldots) \in S} r_1 B(\ldots, 1, 1, 0, \ldots)(\tau) - \sum_{(\ldots, 0, 0, 1, \ldots) \in S} r_2 B(\ldots, 0, 0, 1, \ldots)(\tau) \tag{21}$$

Since $S$ does not have states like $(\ldots,1,1,1,\ldots)$, $(\ldots,1,0,1,\ldots)$, $(\ldots,0,1,1,\ldots)$, $(\ldots,0,1,1,\ldots)$, $(\ldots,1,0,1,\ldots)$ for the left hand side of equation (21), the expectation can be written as

$$(E[m(\tau)])' = \sum_{(\ldots, 0, 0, 1, \ldots) \in S} B'(\ldots, 0, 0, 1, \ldots)(\tau) \tag{22}$$

For the second term on the right-hand side of (21), we have

$$\sum_{(\ldots, 0, 0, 1, \ldots) \in S} r_2 B(\ldots, 0, 0, 1, \ldots)(\tau) = r_2 \cdot E[m(\tau)] \tag{23}$$

For the first term on the right-hand side of (21), we have

$$E[\min(m_1(\tau), m_2(\tau))] = \sum_{(\ldots, b_1, b_2, 0, \ldots) \in S} \min(b_1, b_2)\, B(\ldots, b_1, b_2, 0, \ldots)(\tau) + \sum_{(\ldots, b_1, b_2, 1, \ldots) \in S} \min(b_1, b_2)\, B(\ldots, b_1, b_2, 1, \ldots)(\tau)$$

$$= \sum_{(\ldots, 1, 1, 0, \ldots) \in S} B(\ldots, 1, 1, 0, \ldots)(\tau) + \sum_{(\ldots, 0, 0, 1, \ldots) \in S} B(\ldots, 1, 1, 0, \ldots)(\tau).$$

Therefore, (21) can be written as

$$(E[m(\tau)])' = r_1 E[\min(m_1(\tau), m_2(\tau))] - r_2 \cdot E[m(\tau)] \tag{24}$$

Now, using the following assumption [48] in (24), for two stochastic processes, $m_1(\tau)$ and $m_2(\tau)$, we have

$$E[\min(m_1(\tau), m_2(\tau))] \approx \min(E[m_1(\tau)], E[m_2(\tau)]).$$

Hence, (24) becomes

$$(E[m(\tau)])' = r_1 \min(E[m_1(\tau)], E[m_2(\tau)]) - r_2 \cdot E[m(\tau)] \tag{25}$$

(25) can be written as $m'(\tau) = r_1 \cdot \min\{m_1(\tau), m_2(\tau)\} - r_2 \cdot m(\tau)$, which is the ODE measure of Fig. 5, as expressed in equation (9). We can give a similar explanation for Fig. 3 and Fig. 4, which have been used in our CPN modelling. It proves that the mean token count at a place in the SPN model is equal to the state measure of that place in the CPN model. Also, our system can be modelled using SPN. A typical SPN model requires the Petri net structure (as shown in Fig. 7), the reachability graph of the PN model (as shown in Fig. 10), and the Markov Chain (as shown in Fig. 11). For the SPN model, we used the TimeNET tool for the performance measurement and for reachability graph creation. To check the performance, we have taken 17 different NPP systems. The number of places in our model, [15], and [23] are 14, 12, and 15 respectively, and the number of states present in the respective reachability graphs are 8, 13, and 14. TimeNET takes 25 sec, 42 sec, and 54 sec to build the reachability graph of our model, [15], and [23] respectively. When we used TimeNET to model various NPPs with 19, 24, 36, 58, and 62 places, the corresponding reachability graphs contained 32, 43, 68, 112, and 144 states, and the time needed to construct these reachability graphs was 114 sec, 322 sec, 1019 sec, 2751 sec, and 3769 sec respectively. For the CPN method, we used MATLAB R2022a to solve ODEs. The experiment has been done using a personal computer with the Windows 10 Operating System, Intel Core i7-10750H CPU processor, CPU speed 2.60 GHz, and 16.0 GB RAM. Using the CPN approach, an ODE system with up to 3000 nodes can be computed within 18 sec. It proves that our proposed strategy is capable of avoiding the state explosion problem.
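Steps 3.1 to 3.3 and the reliability formula (17) of this section, as an added example that is not the authors' code: the sketch integrates system (10) from the stated initial marking with a classical fixed-step RK4 scheme (the article uses MATLAB's ode45) and derives latency, throughput and reliability from the result. The transition table is read off the signs in (10); the step size, end time and all function names are assumptions of this example.

```python
import math

# Firing rates r1..r8 given for system (10) in Step 3.2 of the article.
RATES = {1: 0.05, 2: 0.40, 3: 0.25, 4: 0.15, 5: 0.30, 6: 0.03, 7: 0.10, 8: 0.20}

# Transition -> (input places, output places), read off the signs in (10):
# a place loses marking through transitions it feeds and gains marking
# through transitions that feed it. This table is this example's encoding.
ARCS = {
    1: ((1,), (2, 5)),
    2: ((2, 13), (3,)),
    3: ((3,), (4, 11)),
    4: ((4, 14), (1,)),
    5: ((5, 7), (6, 8)),
    6: ((6, 9), (10, 13)),
    7: ((8, 11), (7, 12)),
    8: ((10, 12), (9, 14)),
}
PLACES = tuple(range(1, 15))
# Places summed in equation (13) (the second closed process net).
LATENCY_PLACES = (5, 6, 13, 3, 11, 7, 8, 12, 9, 10, 14, 1)


def derivative(m):
    """Right-hand side of (10): transition i moves marking at r_i * min(inputs)."""
    dm = dict.fromkeys(PLACES, 0.0)
    for t, (inputs, outputs) in ARCS.items():
        speed = RATES[t] * min(m[p] for p in inputs)
        for p in inputs:
            dm[p] -= speed
        for p in outputs:
            dm[p] += speed
    return dm


def rk4_step(m, h):
    """One classical fourth-order Runge-Kutta step of size h (msec)."""
    def advance(k, scale):
        return {p: m[p] + scale * k[p] for p in PLACES}
    k1 = derivative(m)
    k2 = derivative(advance(k1, h / 2))
    k3 = derivative(advance(k2, h / 2))
    k4 = derivative(advance(k3, h))
    return {p: m[p] + h / 6 * (k1[p] + 2 * k2[p] + 2 * k3[p] + k4[p])
            for p in PLACES}


def solve(t_end=1000.0, h=0.2):
    """Integrate (10) from m1(0) = m7(0) = m9(0) = 1; return the final marking."""
    m = dict.fromkeys(PLACES, 0.0)
    m[1] = m[7] = m[9] = 1.0
    for _ in range(int(round(t_end / h))):
        m = rk4_step(m, h)
    return m


def mean_latency(m):
    """Little's law, equations (11)-(15): W = L / lambda with lambda = r1 * m1."""
    queue_length = sum(m[p] for p in LATENCY_PLACES)
    arrival_rate = RATES[1] * m[1]
    return queue_length / arrival_rate


def throughput(m):
    """Equation (16): firing frequency of t5, r5 * m5."""
    return RATES[5] * m[5]


def reliability(firing_rate, t):
    """Equation (17): R(t) = exp(-lambda * t)."""
    return math.exp(-firing_rate * t)


if __name__ == "__main__":
    steady = solve()
    for p in PLACES:
        print(f"m{p:<2d} = {steady[p]:.4f}")
    print(f"W = {mean_latency(steady):.2f} msec")
    print(f"throughput = {throughput(steady):.5f}")
    # lambda_5 = 0.148 is the TimeNET-measured rate listed in Table 3.
    print(f"R = {reliability(0.148, throughput(steady)):.7f}")
```

Run as written, the markings settle at $m_1 \approx 0.2358$ and a $t_5$ firing frequency of about 0.01179, in line with the article's figures. Because system (10) conserves $m_7 + m_8$, $m_9 + m_{10}$ and the sum over the eight-place cycle $m_1, m_5, m_6, m_{13}, m_3, m_{11}, m_{12}, m_{14}$, the twelve-place sum is 3 up to rounding, so this sketch returns $W \approx 254.5$ msec where (15) reports 256.91 msec from $L = 3.0244$.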

VII. PERFORMANCE & RELIABILITY VALIDATION

An effective method for performance assessment was proposed recently by P. Kumar et al. [15]. The authors claim that the proposed method is very effective and gives the performance estimates with an accuracy of more than 99% and demonstrated the approach on a case study of NPP. To prove the effectiveness of our proposed approach, we carried out two steps: (i) we compute the performance of our case study using the recent method proposed in [15] and compare the results with the real data to find the accuracy of this method. (ii) we compute the performance using our proposed ODE method and compare the results with the real data to find the accuracy of our ODE method. Thereafter, both the accuracies are compared to find the method that gives higher accuracy. In this section, we also compare our approach with the existing approaches.

1. Performance Validation with [15], [23]: It involves the following seven steps.

a) Petri net model creation

We create the TPN model of SDS-2 using the TimeNET tool, as shown in Fig. 7.

b) Model Parameter Assignment

In this step, the delay of each transition is input into the model as per specification, expert's elicitation and experiences from similar projects. The model was run using the TimeNET tool to measure the transition firing rates as indicated in Table 3. $\lambda_i$ denotes the firing rate of transition $t_i$ (where i = 1, 2, …, 8).

c) Reachability Graph Creation

The reachability graph determines the system's boundary conditions, which may indicate the number of possible states during the system's operational life. The total number of possible markings shows the entire number of states that a system can go through. From the PN-model depicted in Fig. 7, the corresponding reachability graph is constructed [5, 10] and presented in Fig. 10.

| State | Marking ($m_1 \ldots m_{14}$) | Transition fired to leave the state |
|---|---|---|
| $S_1$ | 10000010100000 | $t_1$ |
| $S_2$ | 01001010100000 | $t_5$ |
| $S_3$ | 01000101100000 | $t_6$ |
| $S_4$ | 01000001010010 | $t_2$ |
| $S_5$ | 00100001010000 | $t_3$ |
| $S_6$ | 00010001011000 | $t_7$ |
| $S_7$ | 00010010010100 | $t_8$ |
| $S_8$ | 00010010100001 | $t_4$ |

Fig. 10. Reachability Graph of the Petri net model of SDS-2.

d) Markov Chain Creation

The reachability graph of the PN model is used to generate the Markov chain [5, 10]. Fig. 11 illustrates the Markov chain for a timed Petri net model of Fig. 7.

$$S_1 \xrightarrow{\lambda_1} S_2 \xrightarrow{\lambda_5} S_3 \xrightarrow{\lambda_6} S_4 \xrightarrow{\lambda_2} S_5 \xrightarrow{\lambda_3} S_6 \xrightarrow{\lambda_7} S_7 \xrightarrow{\lambda_8} S_8 \xrightarrow{\lambda_4} S_1$$

Fig. 11. Markov chain for the Petri net model of SDS-2.

e) Steady-State Marking Probability Calculation

Equations (3) and (4) can be used to calculate the steady-state marking probabilities. The transition rate matrix $Q$ is shown in equation (26). The resulting equation is shown in equation (27). The steady-state marking probabilities are calculated using equation (27) and the transition's firing rate values of Table 3. These values are shown in Table 4.

$$
Q = \begin{array}{c|cccccccc}
 & S_1 & S_2 & S_3 & S_4 & S_5 & S_6 & S_7 & S_8 \\ \hline
S_1 & q_{11} & \lambda_1 & 0 & 0 & 0 & 0 & 0 & 0 \\
S_2 & 0 & q_{22} & \lambda_5 & 0 & 0 & 0 & 0 & 0 \\
S_3 & 0 & 0 & q_{33} & \lambda_6 & 0 & 0 & 0 & 0 \\
S_4 & 0 & 0 & 0 & q_{44} & \lambda_2 & 0 & 0 & 0 \\
S_5 & 0 & 0 & 0 & 0 & q_{55} & \lambda_3 & 0 & 0 \\
S_6 & 0 & 0 & 0 & 0 & 0 & q_{66} & \lambda_7 & 0 \\
S_7 & 0 & 0 & 0 & 0 & 0 & 0 & q_{77} & \lambda_8 \\
S_8 & \lambda_4 & 0 & 0 & 0 & 0 & 0 & 0 & q_{88}
\end{array}
\tag{26}
$$

$$\pi_1 \lambda_1 = \pi_8 \lambda_4;\quad \pi_2 \lambda_5 = \pi_1 \lambda_1;\quad \pi_3 \lambda_6 = \pi_2 \lambda_5;\quad \pi_4 \lambda_2 = \pi_3 \lambda_6;\quad \pi_5 \lambda_3 = \pi_4 \lambda_2;\quad \pi_6 \lambda_7 = \pi_5 \lambda_3;\quad \pi_7 \lambda_8 = \pi_6 \lambda_7;\quad \pi_8 \lambda_4 = \pi_7 \lambda_8 \tag{27}$$

f) Steady-State Token Probability Density Calculation

It calculates the likelihood of a specific amount of tokens being present at a particular place in the steady-state. These values are shown in Table 5 for the presence of a single token at each place.

Table 4: Steady-State Probabilities
𝝅𝟏 𝝅𝟐 𝝅𝟑 𝝅𝟒
1.4988 1.7347 2.2204
0.0191
× 𝑒 −15 × 𝑒 −18 × 𝑒 −16
𝝅𝟓 𝝅𝟔 𝝅𝟖 𝝅𝟕
2.8961
0.0295 0.8470 0.1045
× 𝑒 −15

g) Use Queuing Theory for the Delay Measurement

The mean latency of a subsystem while the system is present at the steady-state is computed using Little's law. It is defined as: D = Mean tokens arrival rate in the system, S = Mean latency of subsystem, and V = The system's average token count.

Then, using Little's law,

$$V = DS \tag{28}$$

The value of V is obtained after summing all the steady-state probability density values obtained from Table 5.

$$\therefore\ V = 3.9705 \tag{29}$$

Initially, there is one token present in the positions $m_1$, $m_7$, and $m_9$. Therefore, the mean token arrival rate can be found by multiplying the values of these places' steady-state

probability density to their respective transition rates, and then they are added, i.e.,

$$D = (P(m_1) \cdot \lambda_1) + (P(m_7) \cdot \lambda_5) + (P(m_9) \cdot \lambda_6)$$

$$\therefore D = 0.015592 \tag{30}$$

$$\therefore S = \frac{V}{D} = \frac{3.9705}{0.015592} = 254.6498 \tag{31}$$

So, the mean delay time obtained with the other approach is

$$W_{[15]} = 254.65\ \text{msec} \tag{32}$$

It means that, on average, a single token is in use for about 254.65 msec of time in the system. Therefore, the modeled SDS-2 Petri net injects the poison to trip the reactor in 0.25465 seconds in an emergency event. It depicts the SDS-2 system's average delay.

Table 5: Steady-state token probability density values

$P(\text{1 token in } m_1) = P(m_1) = \pi_1$
$P(\text{1 token in } m_2) = P(m_2) = \pi_2 + \pi_3 + \pi_4$
$P(\text{1 token in } m_3) = P(m_3) = \pi_5$
$P(\text{1 token in } m_4) = P(m_4) = \pi_6 + \pi_7 + \pi_8$
$P(\text{1 token in } m_5) = P(m_5) = \pi_2$
$P(\text{1 token in } m_6) = P(m_6) = \pi_3$
$P(\text{1 token in } m_7) = P(m_7) = \pi_1 + \pi_2 + \pi_7 + \pi_8$
$P(\text{1 token in } m_8) = P(m_8) = \pi_3 + \pi_4 + \pi_5 + \pi_6$
$P(\text{1 token in } m_9) = P(m_9) = \pi_1 + \pi_2 + \pi_3$
$P(\text{1 token in } m_{10}) = P(m_{10}) = \pi_4 + \pi_5 + \pi_6 + \pi_7$
$P(\text{1 token in } m_{11}) = P(m_{11}) = \pi_6$
$P(\text{1 token in } m_{12}) = P(m_{12}) = \pi_7$
$P(\text{1 token in } m_{13}) = P(m_{13}) = \pi_4$
$P(\text{1 token in } m_{14}) = P(m_{14}) = \pi_8$

2. Performance Validation: An SDS-2 system is expected to inject poison into the calandria of the nuclear reactor if any of the trip parameters listed in Table 1 deviates from its intended value. As soon as the token is deposited in $m_1$, the poison injection procedure begins in accordance with the Petri net model, as shown in Fig. 7. However, prior to the poison injection process, adequate communication occurs between the various components of the SDS2. The communication between transitions requires reading a message, sending a message, and sending/receiving acknowledgment, each of which has an exponentially distributed execution time. If a sent message is lost in transit, or the sender does not receive an acknowledgment within a time limit, then the message must be sent again. The message retransmission is done after a fixed timeout interval, and it does not follow an exponential distribution. It is important to note that the random variable time with an Erlangian probability density function represents the timeout. The cyclic redundancy check computation is also performed during communication. The trip values conveyed to the SDS-2 system are denoted by a token in the place $m_1$ having a poison rate of μ. Thus, the SDS-2 system's actual throughput is μ(1 - ρ). Here, ρ denotes the probability that there is no token in place $m_1$, which implies that the subsystem is too busy to take new messages.

In our scenario, the SDS-2 communication network's baud rate is 9600 with a 5% error rate and a packet size of 128B. Then, we conduct a performance analysis of our system using the transition firing rates given in Table 6. The mean latency time can be calculated when the system is congested, when there is a loss of packet acknowledgment, or when it is on hold. In this situation, we use Little's law N = μT to calculate the latency, where μ is the throughput rate. Using the values mentioned above and the throughput values of Table 6, the mean latency time for the poison injection in the SDS-2 is 0.2572 sec.

So, the mean delay time using Little's law is

$$W_{LL} = 257.2\ \text{msec} \tag{33}$$

Comparing equations (15) and (33), the accuracy of our proposed approach for performance assessment using ODE can be computed by:

$$\text{error}\% = \frac{|W_{LL} - W_{ODE}|}{W_{LL}} \times 100\% = \frac{|257.2 - 256.91|}{257.2} \times 100 = 0.11275\%$$

$$\therefore \text{Accuracy} = (100 - 0.11275)\% = 99.887\% \tag{34}$$

Now, comparing equations (32) and (33), the accuracy of the other approach [15] for performance assessment can be computed as:

$$\text{error}\% = \frac{|W_{LL} - W_{[15]}|}{W_{LL}} \times 100\% = \frac{|257.2 - 254.65|}{257.2} \times 100 = 0.99145\%$$

$$\therefore \text{Accuracy} = (100 - 0.99145)\% = 99.008\% \tag{35}$$

The comparison of equations (34) and (35) proves that the accuracy of the performance assessment method using the ODE solution is remarkable. The deviation in the accuracy of our approach is less compared to some other approach on real-time data of NPP. The results were validated on 17 NPP systems, out of which nine are control systems, six are SCSs, and two are monitoring systems. This validates the effectiveness of our approach.

Table 6: Firing rate in communication network of SDS-2

| Transition | Throughput Rate (firing/sec) |
|---|---|
| Send, Send Ack | 9.375 |
| Msg Drop, Ack Drop | 3.91 |
| CRC Ok, Ack Ok | 74.22 |
| Timeout | 1.000 |

3. Reliability Validation: To validate our technique, we have used the operational profile data of 880 days of SDS2. The hardware components are inspected and maintained on a regular basis and generally fail due to manufacturing defect. These practices ensure the high-reliability requirements of hardware components. Consequently, hardware failures can be neglected compared to software failures. Therefore, in our validation approach, we consider only the software failures. We employed the Ramamoorthy and Bastani [49] model, which has been shown to be the suitable model for software-based safety critical systems. The experimental validation for the reliability analysis includes three major steps: operational profile data collection, data analysis to find the number of failures, and reliability computation.

a) Operational profile data collection: - The operational profile data is collected from 6 different running units of NPP. A test and monitoring system is run once a day to monitor the healthiness of the system. While testing, the poison injection is disabled, and the logic circuitry and overall healthiness of the equipment are examined by simulating the trip parameters. Hardware logic automatically bypasses the test mode on actual trip parameters, and all equipment operates in accordance with the actual scenario. Every change in the process state, such as an LC closed or the opening of a QOV, is timestamped and gets recorded in a database of test


and monitoring system. Table 7 shows the collection of operational profile data for one unit in terms of number of test days (d), number of test runs ($N_r$), and number of failures up to a given time ($N_f$).

Table 7: Operational profile data of 880 days of SDS-2.

| d | $N_r$ | $N_f$ |
|---|---|---|
| 1 | 1 | 0 |
| 60 | 60 | 1 |
| 120 | 120 | 2 |
| 240 | 240 | 3 |
| 390 | 390 | 4 |
| 500 | 500 | 5 |
| 620 | 620 | 6 |
| 760 | 760 | 7 |
| 880 | 880 | 8 |

b) Data analysis to find the number of failures: - The data gathered in the previous stage is thoroughly analysed to determine the number of failures. If the state changes from safe to unsafe, then an alert message is displayed in red colour, and if the state returns to the normal state, then a recovery message is displayed in green colour. Every alert and recovery message has a timestamp in the format "dd/mm/yyyy hr:min:sec:msec", as shown in Table 8. From Table 7, it can be observed that no failure occurs until 59 days. The second failure was after 119 days, and so on.

Table 8: ALERT/RECOVERY MESSAGE

| S. No. | Alert/Recovery Message |
|---|---|
| 1 | 01/03/2015 22:12:30:21 LC creation |
| 2 | 01/03/2015 22:12:30:22 Vent Valve open |
| 3 | 01/03/2015 22:12:30:23 QOV failed to open |

c) Reliability computation: - At this stage, we employed the Ramamoorthy and Bastani model to assess the reliability, according to which

$$R_i(t) = E_{\lambda_i}\left[e^{-\lambda_i \int_0^t f(T_i(s))\,ds}\right] \tag{36}$$

where $\lambda_i$: failure rate after the ith failure, $0 \le \lambda_i \le \infty$; $T_i(s)$: testing process at time s after the ith failure; and $f(T_i(s))$: severity of the testing process relative to the operational distribution, $0 \le f(T_i(s)) \le \infty$.

For operational profile data, let $f(T_i(s)) = 1$. Hence equation (36) reduces to $R_i(t) = E_{\lambda_i}\left[e^{-\lambda_i \int_0^t ds}\right]$.

Therefore, the reliability of the poison injection system of SDS2 from the operational profile data (Table 7) can be calculated as

$$
R_{opn} = \frac{
\begin{aligned}
&59e^{0 \ast 1} + e^{-1 \ast 1} + 59e^{0 \ast 1} + e^{-1 \ast 1} + 119e^{0 \ast 1} + e^{-1 \ast 1} \\
&+ 149e^{0 \ast 1} + e^{-1 \ast 1} + 109e^{0 \ast 1} + e^{-1 \ast 1} \\
&+ 119e^{0 \ast 1} + e^{-1 \ast 1} + 139e^{0 \ast 1} + 120
\end{aligned}
}{860}
$$

$$\text{i.e., } R_{opn} = 0.9988636 \tag{37}$$

∴ Unreliability = 1 - R = 0.0011364.

Comparing equations (37) and (18), the accuracy of our proposed approach for reliability assessment using ODE can be computed by:

$$\text{error}\% = \frac{|R_{opn} - R_{ODE}|}{R_{opn}} \times 100\% = \frac{|0.9988636 - 0.9982566|}{0.9988636} \times 100 = 0.06077\%$$

$$\therefore \text{Accuracy} = (100 - 0.06077)\% = 99.939\%$$

This proves that the accuracy of the reliability assessment method using the ODE solution is higher. The results were validated on 17 NPP systems, the way it is done for performance assessment. This validates the effectiveness of our approach.

4. Comparison of our proposed approach with other existing approaches: As shown in Table 9, to prove the effectiveness of our proposed method, we compare it with various existing PN and ODE approaches that are used to measure performance and reliability. Table 9 summarizes the details of various frameworks for measuring the performance and reliability of SCS along with their measurement accuracies and indicates whether or not these frameworks can address the issue of state space explosion. From the available frameworks, it was found that [15], [41], and [50] are only capable of measuring the performance of SCS, while [1], [10], [20], and [51] can only assess the reliability of SCS. The method described in [23] and our approach can measure both the performance and reliability of SCS. Except for [41] and our solution, none of the strategies overcome the state space explosion problem caused by conventional PN-based methods. Also, the measurement accuracies of performance and reliability measurement using our proposed method are significantly higher as compared with other approaches. Further, no method considers liveness, stability, boundedness and steady state analysis, which are the critical metrics of the performance. Consequently, our method can measure both the performance and reliability of SCS considering important metrics, and addresses the state space explosion problem. It proves that our method outperforms the other methods.

Table 9: Comparative analysis with other existing approaches

| Ref. | Method/Tools Used | Performance Measure (accuracy) | Reliability Measure (accuracy) | State Space Explosion Problem Solved? |
|---|---|---|---|---|
| [1] | SPN | No | Yes (98.956%) | No |
| [10] | PN | No | Yes (98.652%) | No |
| [15] | TPN | Yes (98.654%) | No | No |
| [20] | PN & DFM* | No | Yes (98.859%) | No |
| [23] | PN & UML | Yes (96.985%) | Yes (96.843%) | No |
| [41] | SPN & ODE | Yes (97.458%) | No | Yes |
| [50] | PN | Yes (95.896%) | No | No |
| [51] | PN | No | Yes (99.58%) | No |
| Our Method | PN & ODE | Yes (99.887%) | Yes (99.939%) | Yes |

* indicates Dynamic Flowgraph Methodology.

VIII. CONCLUSIONS

This research paper aims to measure the performance and reliability of the SCS using an ODE and timed Petri net. We introduced some important metrics of performance, which are essential to verify in the case of SCS, such as deadlock, stability, steady state, etc. The proposed approach is illustrated on an SCS of NPP. The suggested technique can address the constraints and limits of existing methods, as stated in section II. The presented methodology involves


modelling of SCS using Petri net and then converting the model into a series of ODEs systems for the performance evaluation. The proposed approach is demonstrated on a case study of SDS-2. The mechanism explained here calculates the time required for the successful poison injection to trip the NPP by the SDS-2. The MATLAB simulation results help in the evaluation of the outcome. The system may give higher latency time for a more complex system having a large number of places. It is to be noted that a major issue in developing a Petri net model is the state explosion problem when the number of states of a system is large, which may occur in large scale systems. The proposed ODE based solution is able to deal with this limitation. Furthermore, the state explosion problem can be dealt with in large scale systems through the decomposition technique given in [1]. The obtained average accuracies of our method for performance and reliability assessment are 99.887% and 99.939% respectively.

The proposed technique can be applied to a class of concurrent systems that consist of multiple processes, which can communicate via message passing. Such systems may also have other mechanisms for synchronization, such as resource sharing. The proposed technique has not been validated for non-exponential failures, which will be considered in our future work. We intend to expand our work in the future to improve the proposed technique for other classes of concurrent systems and to validate the technique for non-exponential failures. We shall also try to integrate several dependability measures that influence the performance and reliability of the SCS.

REFERENCES
[1] L.K. Singh, G. Vinod, and A.K. Tripathi, “Design Verification of Instrumentation and Control Systems of NPP,” in IEEE Transactions on Nuclear Science, vol. 61, pp. 921-930, April 2014.
[2] Modern Instrumentation and Control for Nuclear Power Plants: a Guidebook, International Atomic Energy Agency, 1999.
[3] Nuclear Power Plant Simulators for Use in Operator Training, U.S. Nuclear Regulatory Commission, 1981.
[4] W.C. Lipinski, Nuclear Power Plant Instrumentation and Control- A Guidebook, International Atomic Energy Agency, Vienna, Austria, 1984.
[5] T. Murata, “Petri nets: Properties, analysis and applications,” in Proceedings of the IEEE, vol. 77, no. 4, pp. 541-580, April 1989.
[6] J. Siebert, D. Petri and M. Fedrizzi, "From Measurement to Decision: Sensitivity of Decision Outcome to Input and Model Uncertainties," IEEE Transactions on Instrumentation and Measurement, vol. 68, no. 9, pp. 3100-3108, Sept. 2019.
[7] G. Xu, M. Liu, Z. Jiang, W. Shen and C. Huang, "Online Fault Diagnosis Method Based on Transfer Convolutional Neural Networks," in IEEE Transactions on Instrumentation and Measurement, vol. 69, no. 2, pp. 509-520, Feb. 2020.
[8] L. K. Singh, G. Vinod, and A. K. Tripathi, “Modeling and Prediction of Performability of Safety Critical Computer Based Systems Using Petri Nets,” in 2012 IEEE 23rd International Symposium on Software Reliability Engineering Workshops, Nov. 2012, pp. 85–94.
[9] Z. Liu, Y. Liu, B. Cai, X. Li, and X. Tian, “Application of Petri nets to performance evaluation of subsea blowout preventer system,” ISA Transactions, vol. 54, pp. 240–249, Jan. 2015.
[10] L. K. Singh and H. Rajput, “Dependability Analysis of Safety Critical Real-Time Systems by Using Petri Nets,” IEEE Transactions on Control Systems Technology, vol. 26, no. 2, pp. 415–426, Mar. 2018.
[11] N. K. Jyotish, L. K. Singh, and C. Kumar, “A state-of-the-art review on performance measurement petri net models for safety critical systems of NPP,” Annals of Nuclear Energy, vol. 165, p. 108635, Jan. 2022.
[12] Z. Ding, H. Shen and A. Kandel, “Performance Analysis of Service Composition Based on Fuzzy Differential Equations,” IEEE Transactions on Fuzzy Systems, vol. 19, no. 1, pp. 164-178, Feb. 2011.
[13] P. Singh and L. K. Singh, “Modeling and Measuring Common Cause Failures in Measurement of Reliability of Nuclear Power Plant Systems,” IEEE Transactions on Instrumentation and Measurement, vol. 70, pp. 1–8, 2021.
[14] R. J. Rodríguez, “A Petri net tool for software performance estimation based on upper throughput bounds,” Autom Softw Eng, vol. 24, no. 1, pp. 73–99, Mar. 2017.
[15] P. Kumar, L. K. Singh, and C. Kumar, “Performance evaluation of safety-critical systems of nuclear power plant systems,” Nuclear Engineering and Technology, vol. 52, no. 3, pp. 560–567, Mar. 2020.
[16] L. Xia, H. A. Gabbar, M. U. Isham, and V. Ponomarev, “Performance evaluation of a new signal processing system design to improve CANDU SDS1 trip response during large break LOCA events,” Journal of Nuclear Science and Technology, vol. 53, no. 10, pp. 1513–1520, Oct. 2016.
[17] B. W. Rhee, H. Choi, J. H. Park, K. M. Chae, and H. J. Yun, “A Three-Dimensional CFD Model for a Performance Verification of the Liquid Poison Injection System of a CANDU-6 Reactor,” Nuclear Technology, vol. 159, no. 2, pp. 158–166, Aug. 2007.
[18] D. J. Rankin and J. Jiang, “Predictive Trip Detection for Nuclear Power Plants,” IEEE Transactions on Nuclear Science, vol. 63, no. 4, pp. 2352–2362, Aug. 2016.
[19] K. Aslansefat, M. Bahar Gogani, S. Kabir, M. A. Shoorehdeli, and M. Yari, “Performance evaluation and design for variable threshold alarm systems through semi-Markov process,” ISA Transactions, vol. 97, pp. 282–295, Feb. 2020.
[20] M. Tripathi, L. K. Singh, S. Singh, and P. Singh, “A Comparative Study on Reliability Analysis Methods for Safety Critical Systems Using Petri-Nets and Dynamic Flowgraph Methodology: A Case Study of Nuclear Power Plant,” IEEE Transactions on Reliability, pp. 1–15, 2021.
[21] L. Cheung, R. Roshandel, N. Medvidovic, and L. Golubchik, “Early prediction of software component reliability,” in Proceedings of the 30th international conference on Software engineering, New York, NY, USA, May 2008, pp. 111–120.
[22] W.-L. Wang, D. Pan, and M.-H. Chen, “Architecture-based software reliability modeling,” Journal of Systems and Software, vol. 79, no. 1, pp. 132–146, Jan. 2006.
[23] M. R. Mamdikar, V. Kumar, P. Singh, and L. Singh, “Reliability and performance analysis of safety-critical system using transformation of UML into state space models,” Annals of Nuclear Energy, vol. 146, p. 107628, Oct. 2020.
[24] Z. Chen and W. Li, "Multisensor Feature Fusion for Bearing Fault Diagnosis Using Sparse Autoencoder and Deep Belief Network," IEEE Transactions on Instrumentation and Measurement, vol. 66, no. 7, pp. 1693-1702, July 2017.
[25] P. Singh and L. K. Singh, "Reliability and Safety Engineering for Safety Critical Systems: An Interview Study with Industry Practitioners," IEEE Transactions on Reliability, vol. 70, no. 2, pp. 643-653, June 2021.
[26] P. Singh and L. K. Singh, “Engineering Education for Development of Safety-Critical Systems,” IEEE Transactions on Education, vol. 64, no. 4, pp. 398–405, Nov. 2021.
[27] P. Singh and L. K. Singh, “Reliability and Safety Engineering for Safety-Critical Systems in Computer Science: A Study Into the Mismatch Between Higher Education and Employment in Brazil and India,” IEEE Transactions on Education, vol. 64, no. 4, pp. 353–360, Nov. 2021.
[28] J. Seo, J. Lee, E. Baek, R. Horowitz, and J. Choi, “Safety-Critical Control With Nonaffine Control Inputs Via a Relaxed Control Barrier Function for an Autonomous Vehicle,” IEEE Robotics and Automation Letters, vol. 7, no. 2, pp. 1944–1951, Apr. 2022.
[29] W. Ding, B. Chen, B. Li, K. J. Eun, and D. Zhao, “Multimodal Safety-Critical Scenarios Generation for Decision-Making Algorithms Evaluation,” IEEE Robotics and Automation Letters, vol. 6, no. 2, pp. 1551–1558, Apr. 2021.
[30] Z. Jiang et al., “Bridging the Pragmatic Gaps for Mixed-Criticality Systems in the Automotive Industry,” IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, vol. 41, no. 4, pp. 1116–1129, Apr. 2022.
[31] B. Weng, L. Capito, U. Ozguner, and K. Redmill, “A Formal Characterization of Black-Box System Safety Performance With Scenario Sampling,” IEEE Robotics and Automation Letters, vol. 7, no. 1, pp. 199–206, Jan. 2022.


[32] J. Thota, N. F. Abdullah, A. Doufexi, and S. Armour, “V2V for Vehicular Safety Applications,” IEEE Transactions on Intelligent Transportation Systems, vol. 21, no. 6, pp. 2571–2585, Jun. 2020.
[33] A. Y. Al Hammadi et al., “Novel EEG Sensor-Based Risk Framework for the Detection of Insider Threats in Safety Critical Industrial Infrastructure,” IEEE Access, vol. 8, pp. 206222–206234, 2020.
[34] H. Boudali, P. Crouzen, and M. Stoelinga, “A Rigorous, Compositional, and Extensible Framework for Dynamic Fault Tree Analysis,” IEEE Transactions on Dependable and Secure Computing, vol. 7, no. 2, pp. 128–143, Apr. 2010.
[35] K. Aslansefat and G.-R. Latif-Shabgahi, “A Hierarchical Approach for Dynamic Fault Trees Solution Through Semi-Markov Process,” IEEE Transactions on Reliability, vol. 69, no. 3, pp. 986–1003, Sep. 2020.
[36] S. Kabir, K. Aslansefat, I. Sorokos, Y. Papadopoulos, and Y. Gheraibia, “A conceptual framework to incorporate complex basic events in HiP-HOPS,” International Symposium on Model-Based Safety and Assessment, 2019, pp. 109–124.
[37] Baoping Cai, Yonghong Liu, Zengkai Liu, Xiaojie Tian, Hang Li, Congkun Ren, Reliability analysis of subsea blowout preventer control systems subjected to multiple error shocks, Journal of Loss Prevention in the Process Industries, Volume 25, Issue 6, 2012, Pages 1044-1054.
[38] RA Sahner, K Trivedi, A Puliafito, “Performance and Reliability Analysis of Computer Systems: an Example-Based Approach Using the SHARPE Software Package”, Springer Science & Business Media, 2012.
[39] N. G. Leveson and J. L. Stolzy, “Safety Analysis Using Petri Nets,” IEEE Transactions on Software Engineering, vol. SE-13, no. 3, pp. 386-397, March 1987.
[40] MuDer Jeng, Xiaolan Xie and MaoYu Peng, “Process nets with resources for manufacturing modeling and their analysis,” IEEE Transactions on Robotics and Automation, vol. 18, no. 6, pp. 875-889, Dec. 2002.
[41] Z. Ding, Y. Zhou and M. Zhou, “A Polynomial Algorithm to Performance Analysis of Concurrent Systems Via Petri Nets and Ordinary Differential Equations,” IEEE Transactions on Automation Science and Engineering, vol. 12, no. 1, pp. 295-308, Jan. 2015.
[42] R. David and H. Alla, Discrete, continuous, and hybrid Petri nets, vol. 1. Springer, 2010.
[43] S.-H. Kim and W. Whitt, “Statistical Analysis with Little’s Law,” Operations Research, vol. 61, no. 4, pp. 1030–1045, Aug. 2013.
[44] CANDU 6 Program Team, CANDU 6 Tech. Summary, May 2005.
[45] T. L. Chu et al., “Workshop on philosophical basis for incorporating software failures into a probabilistic risk assessment,” Brookhaven Nat. Lab., Upton, NY, USA, Tech. Rep. BNL-90571-2009-IR, Nov. 2009.
[46] TimeNET 4.0 A Zimmermann, M Knoke - 2007 - depositonce.tu-berlin.de.
[47] C. Lin and Y. Wei, “Stochastic process algebra and stochastic petri nets,” J. Softw., vol. 13, no. 2, pp. 203-213, 2002.
[48] R. A. Hayden and J. T. Bradley, “A fluid analysis framework for a Markovian process algebra,” Theoretical Computer Science, vol. 411, no. 22, pp. 2260–2297, May 2010.
[49] C. V. Ramamoorthy and F. B. Bastani, “Software Reliability—Status and Perspectives,” IEEE Transactions on Software Engineering, vol. SE-8, no. 4, pp. 354–371, Jul. 1982.
[50] P. Singh and L. K. Singh, “Design of safety critical and control systems of Nuclear Power Plants using Petri nets,” Nuclear Engineering and Technology, vol. 51, no. 5, pp. 1289–1296, Aug. 2019.
[51] L. Singh, H. Rajput, G. Vinod, and A. K. Tripathi, “Computing Transition Probability in Markov Chain for Early Prediction of Software Reliability,” Quality and Reliability Engineering International, vol. 32, no. 3, pp. 1253–1263, 2016.
[52] S. Hinz, K. Schmidt, and C. Stahl, “Transforming BPEL to Petri Nets,” in Business Process Management, Berlin, Heidelberg, 2005, pp. 220–235.

Nand Kumar Jyotish (Student Member, IEEE) received the M.Tech degree in the year 2015 in Computer Science & Engineering, and currently pursuing the Ph.D. degree in Computer Science & Engineering both from Indian Institute of Technology (Indian School of Mines), Dhanbad, Jharkhand, India. He is a reviewer of IEEE Transactions on Reliability. His current research interests include software reliability, mathematical modeling, safety critical systems, fog/edge computing, machine learning, and software engineering.

Lalit Kumar Singh (Senior Member, IEEE) received his Ph.D. degree in software reliability from the Indian Institute of Technology (BHU), Varanasi, India, in 2014. He is a scientist, level F, at the Nuclear Power Corporation of India, Mumbai. Dr. Singh is recipient of many prestigious awards and member of Indian Nuclear Society. He is reviewer of several prestigious journals of high impact factor and supervising many Ph.D. students. He has completed several industrial projects. He plays a vital role in various academic committees.

Chiranjeev Kumar (Senior Member, IEEE) received his Ph.D. degree from University of Allahabad, India in 2006. He is currently working as a professor in the Department of Computer Science and Engineering, Indian Institute of Technology (Indian School of Mines) Dhanbad, Jharkhand, India. He is Reviewer of several prestigious journals of high impact factor and supervising many Ph.D. students. His current research interests include software testing, wireless sensor network, IoT, and software reliability. He has completed several projects of government of India, including the organisations CSIR, DRDO, IIT(ISM), UGC, and Coal India Limited.

Pooja Singh (Senior Member, IEEE) received the Ph.D. degree in mathematical sciences from the Indian Institute of Technology (BHU), Varanasi, India, in 2014. She is currently working as an Assistant Professor with Department of Mathematics, SIES-Graduate School of Technology, Navi Mumbai, India. Dr. Singh is recipient of many prestigious awards and member of Indian Nuclear Society. She is a reviewer of several prestigious journals of high impact factor and supervising many Ph.D. students. She has completed several industrial projects.
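
Steps e) to g) of the performance validation (steady-state probabilities from the cyclic rate matrix of equation (26), token probabilities per place, and the Little's-law latency S = V/D of equations (28) to (31)) can be traced in code. The following Python is an added example, not the authors' TimeNET or MATLAB code; it uses the markings printed in Fig. 10 and constructed firing rates (Table 3 is not reproduced here), so its outputs are not the paper's values.

```python
"""Steps e)-g) for the 8-state cyclic chain of Fig. 11, with constructed rates."""

# Markings S1..S8 as printed in Fig. 10: character j is the token count of place m_j.
MARKINGS = [
    "10000010100000",  # S1
    "01001010100000",  # S2
    "01000101100000",  # S3
    "01000001010010",  # S4
    "00100001010000",  # S5
    "00010001011000",  # S6
    "00010010010100",  # S7
    "00010010100001",  # S8
]
# Transition that fires when leaving S1..S8 (cycle order of Fig. 11 / eq. (26)).
CYCLE = ["t1", "t5", "t6", "t2", "t3", "t7", "t8", "t4"]
# Constructed firing rates in firings/sec; these are NOT the Table 3 values.
RATES = {"t1": 2.0, "t2": 4.0, "t3": 8.0, "t4": 1.0,
         "t5": 5.0, "t6": 10.0, "t7": 20.0, "t8": 40.0}
# (place number, transition) pairs used in eq. (30): m1*t1 + m7*t5 + m9*t6.
ARRIVALS = [(1, "t1"), (7, "t5"), (9, "t6")]


def rate_matrix(cycle, rates):
    """Generator matrix Q of eq. (26): q_ii = -rate, q_i,i+1 = rate, wrapping S8 -> S1."""
    n = len(cycle)
    q = [[0.0] * n for _ in range(n)]
    for i, t in enumerate(cycle):
        q[i][i] = -rates[t]
        q[i][(i + 1) % n] = rates[t]
    return q


def steady_state(q):
    """Solve pi Q = 0 with sum(pi) = 1 by Gauss-Jordan elimination (partial pivoting)."""
    n = len(q)
    # Row i of the augmented system is balance equation i (column i of Q).
    a = [[q[j][i] for j in range(n)] + [0.0] for i in range(n)]
    a[-1] = [1.0] * n + [1.0]  # one balance equation is redundant: use normalisation
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(a[r][col]))
        if abs(a[pivot][col]) < 1e-12:
            raise ValueError("chain is not irreducible: no unique steady state")
        a[col], a[pivot] = a[pivot], a[col]
        for r in range(n):
            if r != col:
                f = a[r][col] / a[col][col]
                a[r] = [x - f * y for x, y in zip(a[r], a[col])]
    return [a[i][n] / a[i][i] for i in range(n)]


def token_probabilities(markings, pi):
    """P(m_j) = sum of pi_i over the markings S_i that hold a token in m_j (step f).

    Read from the Fig. 10 markings as printed, P(m9) also includes pi_8 because
    S8 marks m9; Table 5 lists pi_1 + pi_2 + pi_3 for that place.
    """
    places = len(markings[0])
    return [sum(p for m, p in zip(markings, pi) if m[j] == "1") for j in range(places)]


def mean_delay(markings, cycle, rates, arrivals):
    """Return (V, D, S): eq. (29) token count, eq. (30) arrival rate, eq. (31) latency."""
    pi = steady_state(rate_matrix(cycle, rates))
    p = token_probabilities(markings, pi)
    v = sum(p)
    d = sum(p[place - 1] * rates[t] for place, t in arrivals)
    if d == 0:
        raise ValueError("arrival rate is zero; Little's law gives no finite delay")
    return v, d, v / d


if __name__ == "__main__":
    pi = steady_state(rate_matrix(CYCLE, RATES))
    v, d, s = mean_delay(MARKINGS, CYCLE, RATES, ARRIVALS)
    print("pi =", [round(x, 5) for x in pi])
    print(f"V = {v:.4f} tokens, D = {d:.4f} tokens/sec, S = V/D = {s * 1000:.1f} msec")
```

Because the chain is a single cycle, each steady-state probability is inversely proportional to the rate of the transition leaving that state, which is what equation (27) expresses; near-zero entries such as those in Table 4 correspond to transitions that fire almost immediately.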
