Intersystem dependency Modelling

Jul 31, 2013 - Black and White Swans | David Slater
Commercial in Confidence

CAMBRENSIS

INTERSYSTEM DEPENDENCY MODELLING

Black and White Swans | David Slater

SWANS 0.1 DS

© Cambrensis Ltd. 2013


BACKGROUND

These are some initial thoughts on how to handle dependency modelling of the complex systems of systems we will be dealing with in the TSB Water Security [1] and ECOSSIAN [2] projects. We have already shown how to deal with linked-in systems (Dutch El Metodo [3]) and can cope with outputs of one system being inputs to another (and vice versa). But for these more complicated studies we will need a way of handling multiple systems with multiple interactions, some intended, some not. Also, the sheer number and scale of the systems and potential interactions involved means we need to be more formal and disciplined in how consistently and rigorously we build the individual system models. As we are finding with the IMPEL project [4], we may need to standardize and help the users with Templates, both to ease the problem of compatibility, feasibility and usefulness for individual systems and to ensure realistic System Wide (Dynamic) behaviour. There are some interesting ideas we could draw on to build these Templates.

[1] TSB
[2] ECOSSIAN
[3] El Metodo
[4] IMPEL


In our original concept for the approach (TSB1 [5]), we envisaged individual systems floating freely and interacting naturally in a “sea” of external influences (cells in an organism’s bloodstream, animals in a real-life jungle, fish in the sea, or a digital ecosystem?). Something similar, although simpler and qualitative, has been developed in parallel by Hollnagel in his Functional Resonance Analysis Model [6] (FRAM, which means “Forward” in Swedish and Norwegian). Here he defines a Module, which has a standard set of interactions with other similar “standard” modules essential to the task in hand. The module is essentially a “black box”: what happens inside is not modelled; only the inputs, outputs and external influencing factors are defined for the whole set of modules in that particular application. This is now well established in the medical and aviation safety fields as a way of handling critical interactions in risky operations [7]. We propose to express our dependency modelling “Rules for Complex Systems of Systems” in a similar way.

Variability of Inputs and Outputs

• In the real world these required interchanges will almost always not be exactly what is required
• The success of the system is how well it can cope with these necessary adjustments (Resilience?)
• But if the variability is outside the range it can cope with we may have a problem
• The analysis systematically identifies possible deviations and predicted resulting system behaviours, rather like a HAZOP
• It also looks at unexpected outcomes from unintended resonance between these individual deviations.
• This is the Functional Accident Resonance Model - FRAM

31/07/2013 Complexity 101

In the FRAM approach this is all done qualitatively and on a case-by-case basis. It is popular in some medical and aviation sector applications, but in general there is a perception that it is a lot of effort for admittedly valuable but limited insights. The attractions of being able to build on these insights to give a lasting and dynamic framework, hopefully allowing continuous learning and improvement (and management of change), are obvious. This note proposes to develop this SADT/FRAM approach to provide the Templates we will require for the larger systems and organisations, and starts by applying it to the simple El Metodo example.

[5] TSB
[6] FRAM
[7] Comair

FUNCTION NAME:
FUNCTION DESCRIPTION:
INPUT: That which activates the function and/or is used or transformed to produce the output. Constitutes the link to upstream functions.
OUTPUT: That which is the result of the function. Constitutes the links to downstream functions.
PRE-CONDITIONS: System conditions that must be fulfilled before a function can be carried out.
RESOURCES / EXECUTION CONDITIONS: That which is needed or consumed by the function when it is active (matter, energy, competence, software, manpower).
CONTROL: That which supervises or regulates the function. E.g., plans, procedures, guidelines or other functions.
TIME: Temporal aspects that affect how the function is carried out (constraint, resource).

FRAM Template

[Figure (Rome Presentation, 31/07/2013). Labels: Function type; Background function; Foreground function; Human; Tech.; Org.; Potential variability; Actual variability; Timing; Precision; Elaborated.]

This gives a number of interacting Functions / activities, each of which supplies particular dependencies to the other functions. Below is an example of the technique applied to the Financial Sector; it seems to give much more reliable insights into how the system is supposed to work and, more to the point, into which inputs could cause problems if they were not what was expected!

Finance sector risk?

Financial Modelling

• Unfortunately this isn’t a simple magical mathematical formula (like the Gaussian Copula* which got us into so much trouble)
• Nevertheless it arguably can give us much more useful (and necessary!) insights into the systems our civilisation seems to depend on so heavily;
• and over which we seem to have limited understanding and control!

(*An equation intended to price collateralised Debt!)

The attraction from our point of view is that the analysis reflects our early aspirations of interactive systems swimming in an interacting environment, as below.

[Figure: FRAM Modules in their Environment (Link By Inspection?). Modules shown: ISP, A Net, IP Connect, Electric Supply, B net.]

In incident investigations, the pattern of interactions then reveals patterns not envisaged by “linear”-thinking designers and operators.

[Figure: Functional Resonance in Critical Dependencies. Source: The Functional Resonance Accident Model, Erik Hollnagel and Örjan Goteman - Aviation Risk Management. Rome Presentation, 13/07/2013.]

PROPOSED METHODOLOGY

We propose to extend the SADT/FRAM approach in the following way:-

• The FRAM analysis defines the Systems and their interdependencies, and
• Dependency Modelling provides the “Engine” to drive the Hollnagel FRAM Modules

[Figure: FRAM Dependency Module, labelled with the six aspects I, O, P, R, C, T.]

[Figure: The iDEPEND “Engine”. Labels: Primary Model; LINKING; Downstream Models; Registry of paragons; Distributed query engine.]

This would give us a new discipline in building dependency Trees which have consistently defined roots and leaves.

The Methodology then would require the analyst to:

1. First establish (the boundaries of) the “SYSTEM” we wish to model.
2. Define the “FUNCTION” that the System has to deliver successfully.
3. The single OUTPUT is then the successful deliverable.
4. Decide how many “SYSTEM WIDE ANALYSIS NODES” (SWANS) are needed to include all the correct leaves.
5. There may be one or more SWANS in a system and the multiple inputs etc. will come in through the leaves of all these Swans.
6. Develop the DEPENDENCY MODEL for the master (Client) “NODE”, keeping the sub Swans (Cygnets) as separate, but linked (El Metodo) models.
7. A SYSTEM can involve multiple SWANS (El Metodo), but the overall System Module will still have Root and Leaf dependencies corresponding to the FRAM Classification.
8. For each SWAN, identify and order these critical dependencies using the FRAM classification. These can be used to create standard models and templates, e.g. Data centres, Pumping stations, Storage / Reservoirs, Raw material supplies, etc.
9. Each of these SWANs can, in turn, be modelled as separate SYSTEMS, fractally, as necessary (Swans within Swans!).
10. (E.g. 1 Fukushima site, 6 reactors, 100’s Control Systems, Millions of Components, etc.) Each SWAN can have a symbol and a Text Descriptor
11. And then displayed on the GPS locator maps
12. These symbols, labelled with the descriptor, could be coloured
    - White – this system, organisation, normal
    - Red – Competitor, Conflicting, Bad guys
    - Blue – Collaborators, Suppliers, Good guys
    - Brown – Electrics
    - Light Blue – Water Services
    - Silver – Cyber, IT, BT
    - Green – Environmental
    - Yellow – Social
    - Purple – Gov’t, Regulators
    - Black Swans would then naturally be the “unknown unknowns”!

ANALYSIS OF “SYSTEMS OF SYSTEMS” - THE EL METODO EXAMPLE

Consider a Business unit (functionality) that provides IP-connectivity between various locations.” Its manager defines the “objective” or goal of this functionality and models what he is in turn dependent on to meet his obligation. Examples:

• IP-connectivity needs to be provided for at least 99.9% of the time.
• IP-connectivity services need to comply with the Data Protection Act.
• Annual revenue of IP-connectivity Unit should be at least € R and annual costs are at most € C.

A manager can only meet his “goal” if he can rely on his dependencies to be fulfilled, either

• within his own scope of control (internal dependencies)
• or, by some other business unit or functionality (external dependencies)”.

SWAN DEPENDENCIES

• OUTPUT – IP-connectivity needs to be provided for at least 99.9% of the time.
• INPUT – Acceptable connection and performance of the glass fibre networks A and B
• PRECONDITIONS – IP-connectivity services need to comply with the Data Protection Act.
• RESOURCE – We can see that he is dependent on his network infrastructure working
• CONTROLS – Comms and Services OK and manning OK
• TIME – Response time acceptable

METHOD DETAILS

CODING

Need a system identifier SY – try 1 = IP? – and author? A (1 = DS)
Need a node identifier SW – 1 etc.
An Organisation identifier – prefix C, or Company 1 (1,1,1)
Then multiple Leaves – I1, I2 ----, P1, P2 ---- etc.
C, A, SY, SW, (O, I, P, R, C, T, U, V F?)
1,1,1,1, O1 --- P1 etc.
(How do fractal layers F work; do they take care of themselves?)

OBJECTIVE FOR IP CONNECTIVITY SYSTEM?
“Deliver acceptable internet connection (I/O)”

OUTPUT = O1 - ACTIVITY / FUNCTION IT PROVIDES
Working IP Link for networks A and B?
Depends on:-

INPUT = OUTPUT FROM ANOTHER SWAN(S) – OR ASSIGNED IP ADDRESS
Connection from (working?) A net and B net

PRECONDITIONS? (ISDP CONNECTION/DELIVERY FUNCTION?)
Working Connection to ISP / Paid the bills? (P1)

RESOURCES OK – WHAT WE NEED TO MAKE IT WORK
(Hardware ok, electric, etc.) (R1, R2 etc.)
BT / ISP Lines OK (R3, R4)

CONTROLS OK (MANAGEMENT FUNCTION?)
Manning and competency / ability / intent (C1, C2, C3, etc.)

TIME CONSTRAINTS (= CRITICAL FUNCTIONS NEEDED?) FOR RESPONSE, SPEEDS, CAPABILITIES
Provide Resource availability > 99% (T1)
Line Speed / Capacity?

The first level Dependencies then look like this:-

But now we only need to develop the Tree to the point where the Leaf is an output of another Function / activity, or an IP address where we can find a status, or the IP address where the live “external Feed” is located.

So the input is that which is needed for the function, which is the connection to the two glass fibre networks installed, so the two inputs look like:-

Similarly we can go on to develop the functions / activities that need to work to supply the other needs. For example, you may think an ISP and working ADSL or BT or other line connections have to be available. Do you also have to have paid the bill? So we can identify the first three Functions as separate SWANS, each needing the full set of I/O and Receptors for external signals? For example the A net function could look like this:-

And similarly for the Service provider, we can develop a model using the Template.


Similarly for the electricity supplier

As you build the models, the software automatically picks up and starts to display the links it finds.


On completion the best approach is to ensure each “Swan” is working as expected before running the entire system of systems. But they couple up very smoothly and any glitches seem to be the responsibility of the model builder not the software.


Full iDEPEND Model of the Interacting Systems

• We can now do three types of Quantitative Analysis
1. What if? Vary the inputs and look at the way the predicted behaviour changes, or
2. Hook it up to real external feeds and monitor / manage behaviour, or
3. Run Monte Carlo simulations with different input probability distributions and look for the Resonances – The Black Swans!
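Analysis types 1 and 3 above, sketched on the El Metodo SWANs as an added example; it is not iDEPEND code and not part of the original note. Assumptions: the A net, B net and ISP SWANs each also draw on the Electric Supply, a SWAN's output deviation is the plain sum of its leaf deviations, and the two tolerance values are constructed.

```python
import random

# Constructed SWAN models for the El Metodo example (assumed structure, not iDEPEND's).
# Leaf keys use the FRAM classes (I, P, R, C, T). A leaf is either the name of another
# SWAN, whose OUTPUT it consumes, or None, meaning an external feed.
SWANS = {
    "IP Connect": {"I1": "A net", "I2": "B net", "P1": "ISP",
                   "R1": "Electric Supply", "C1": None},
    "A net": {"R1": "Electric Supply", "C1": None},
    "B net": {"R1": "Electric Supply", "C1": None},
    "ISP": {"R1": "Electric Supply", "P1": None},
    "Electric Supply": {"I1": None},
}
FEEDS = [(s, k) for s, leaves in SWANS.items() for k, v in leaves.items() if v is None]
LEAF_TOLERANCE = 0.5   # assumed: deviation regarded as normal for one external feed
OUTPUT_LIMIT = 1.0     # assumed: deviation the root function can absorb and still deliver

def output_deviation(swan, feeds, cache=None):
    """Deviation of a SWAN's single OUTPUT: the sum of its leaf deviations."""
    cache = {} if cache is None else cache
    if swan not in cache:
        cache[swan] = sum(
            feeds.get((swan, leaf), 0.0) if src is None
            else output_deviation(src, feeds, cache)
            for leaf, src in SWANS[swan].items())
    return cache[swan]

def what_if(feeds, root="IP Connect"):
    """Analysis type 1: set chosen feeds by hand; returns (deviation, delivered?)."""
    dev = output_deviation(root, feeds)
    return dev, abs(dev) <= OUTPUT_LIMIT

def monte_carlo(sigma, trials=5000, seed=1, root="IP Connect"):
    """Analysis type 3: returns (failures, resonances). A resonance is a failed
    run in which every external feed stayed inside LEAF_TOLERANCE."""
    rng = random.Random(seed)
    failures = resonances = 0
    for _ in range(trials):
        feeds = {f: rng.gauss(0.0, sigma) for f in FEEDS}
        if not what_if(feeds, root)[1]:
            failures += 1
            resonances += all(abs(d) <= LEAF_TOLERANCE for d in feeds.values())
    return failures, resonances

if __name__ == "__main__":
    print(what_if({("Electric Supply", "I1"): 0.3}))  # shared leaf, counted 4 times
    print(monte_carlo(0.1), monte_carlo(0.3))
```

A 0.3 deviation on the shared Electric Supply feed fails the root while the same deviation on the A net control leaf does not, which is the kind of hidden coupling the linked SWAN models are meant to expose.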
