12th International Conference on Applications of Statistics and Probability in Civil Engineering, ICASP12 Vancouver, Canada, July 12-15, 2015

Simulation-Based Analysis of Reconfigurable System of System Network Topologies for Resilience Using Bayesian Networks

Royce A. Francis
Assistant Professor, Dept. of Engineering Management and Systems Engineering, The George Washington University, Washington, DC, USA

ABSTRACT: An emerging understanding of resilient systems is as a management principle or framework allowing for reconfiguration or adaptation in the face of threats or shocks. This is a new approach to engineered system resilience: the more traditional approach is that systems may focus on resistance to threats, and speedy recovery if vulnerabilities are breached. This notion can potentially integrate interdisciplinary research currently pursued in systems engineering, design theory, infrastructure risk analysis, and statistical learning to create an approach that permits evaluation of both system resilience and the value of system evolvability in the face of operational hazards. In prior work, a vision for reconfigurable systems based on Bayesian Networks was articulated but not tested or demonstrated. In this paper, we demonstrate a Bayesian Network inspired approach to measuring the value of re-configurability in systems of systems that can be represented in directed acyclic graphs using a simulation-based approach. For the purpose of our investigation, re-configurability means that a system can adapt its structure to structural failures in either system components or links between components. The latter is called structural flexibility, whereas the former is called functional flexibility.
Undirected Bayesian Networks are used to structure the relationships between the subsystem components, and the graphical model is then used in conjunction with concepts from functional dependency network theory to evaluate the response of the system under updated configurations.

1. INTRODUCTION

The objective of this paper is to study the use of Bayesian Belief Network structures in a proposed probabilistic approach to evaluating re-configurability in networked systems of systems. This re-configurability can refer to the system of requirements that determines a system’s behavior, or it can refer to the physical configuration of system components. Researchers have modeled configurations, in both these senses of the term, using Functional Dependency Analysis, Bayesian Belief Networks, tree-structured hierarchies, and other graphical forms.

The original motivation of this work derives from insights drawn from the similarities between Bayesian Networks and Functional Dependency Network Analysis (FDNA) for modeling networked, interdependent infrastructure systems. Both of these tools seem like good candidates for studying the role of flexibility in infrastructure system performance and design. Thus, the long-term goal of this research is to create a method for evaluating optimal levels of flexibility in engineered infrastructure systems.

Although some investigations study the role of runtime configuration of system modules in improving system hardness to contingencies (e.g., to make them “fault-tolerant”), this approach may not be suitable for some critical infrastructure systems. On the contrary, the reason flexibility must be considered in the initial design of infrastructure systems is that they require large capital costs and must be very stable.
As the lifelines of socio-technical systems, critical infrastructures must be somewhat resistant to shocks and modification. At the same time, these requirements are opposed to rapid response to environmental changes. Because lifeline infrastructures cannot rapidly respond to these changes, these systems can fail catastrophically under extreme environmental changes. Consequently, flexibility to adapt to modest environmental changes that require modification of the relationships among systems of interlinked systems should be considered a design criterion.

The specific short-term objectives of this paper include:
• Characterization of similarities and important differences in representing re-configurable systems using FDNA and BBN.
• Presentation of a re-configurable system ontology for modeling systems-of-systems with the goal of measuring the resilient operation of the interlinked system.
• Demonstration of preliminary application of the resilient, re-configurable system ontology to a case study.

Here, ontology means roughly standardized data structures that help improve the consistency and availability of critical information frequently operationalized by domain stakeholders. The case study presented in this paper is an industrial symbiosis previously studied by Gonela and Zhang (2014). While, as we discuss below, the proposed ontology uses the BBN theory for structuring relationships between actors, this paper neither discusses nor demonstrates the parameterization of the BBN joint and marginal probability distributions. Moreover, this paper presents a case study using a simplified threat set to illustrate the data form. This paper will be extended to incorporate these features in future work.
The key benefit of the paper is in showing the value of synthesizing both fragility and flexibility when evaluating system of system configurations. The benefit of studying fragility is obvious to many researchers in probabilistic risk analysis. However, systems engineers and civil engineers are beginning to emphasize the critical role of flexibility in improving long-term system performance (de Neufville and Scholtes 2011). This work will provide important insights into the design of tools used to evaluate options system planners might employ in order to enhance their system’s flexibility.

2. BACKGROUND

The two main areas of prior research drawn upon in this paper to propose a reconfigurable resilient systems ontology are Functional Dependency Network Analysis and engineering systems resilience measurement. Much of the discussion of this prior resilience research appears in the author’s prior research (Francis and Bekera 2013; 2014), while the resilience ontology for re-configurable systems was introduced in the proceedings of CESUN 2014 (Francis 2014). The FDNA discussion is adapted from CESUN 2014 as well. For more detailed discussion of these two main areas of motivation, the reader is referred to these prior works.

In short, the author’s prior work establishes the idea that engineers and system analysts can enhance system resilience, without committing to any particular definition of resilience, through the use of modeling approaches that emphasize re-configurability, modularity, and morphology. In other words, resilience modeling techniques must both enable analysts to actively investigate known potential changes in underlying system structure while also encouraging analysts to continue to investigate or identify potential changes that are not reflected in the original system model.
A Functional Dependency Network (FDN), introduced by Garvey and Pinto (2009), is a capability portfolio in which supplier-provider relationships within a system of systems are represented in a directed graph. FDNA networks have parent nodes (feeder nodes), child nodes (receiver nodes), and leaf nodes (terminating nodes). The direction of links between nodes indicates the dependence of the “receiver node” on the state of the “feeder node.” In other words, the operability of the receiver node is conditional on the operability of the feeder node. In FDNA, the performance of the systems at each node is represented by dimensionless functions analogous to utility functions.

In FDNA, the two most important parameters, aside from the baseline operability level of performance, are the strength of dependency and criticality of dependency. The strength of dependency of a receiver node on a feeder node is the proportion of increased functionality over baseline directly attributable to the input from the feeder node. The criticality of dependency captures the idea that a receiver node cannot perform above its baseline level of operability if the feeder node with the highest level of criticality is not operable.

FDNA is very similar to BBN analysis. First, both involve acyclic, directed graphs. Both require specification of conditional dependence relationships. However, BBNs may be more flexible than FDNAs. Both criticality of dependency and strength of dependency can be represented in BBN theory. At the same time, BBNs allow probabilistic reasoning, whereas FDNA does not. Thus FDNA is restricted to deterministic functional dependencies. Both BBNs and FDNAs can be difficult to re-configure if a link is broken during the simulation of an adverse event. As a result, an intermediate model is required.
The re-configurable systems approach proposed below uses a graphical modeling approach, but aims to achieve hybrid FDNA-BBN functionality. In fact, some readers may feel the re-configurable systems approach has less in common with Bayesian Networks than with Markov networks in that the re-configurable system analysis requires knowledge of conditional dependence, but not necessarily an acyclic direction of causality due to bi-directional resource flows in interdependent lifeline infrastructures.

3. METHODOLOGY—RECONFIGURABLE RESILIENT SYSTEMS ONTOLOGY

There are five main components to the resilience ontology:
1. A set of systems from which a larger system may be constructed;
2. Partially directed edges characterizing interrelationships;
3. An edge “transition” matrix indicating the probability of retaining a link between systems given the occurrence of a shock;
4. A “connection possibility frontier” indicating the possible nodes a given node may connect to if the current must be modified; and,
5. A set of fragility curves characterizing the failure probability of the systems under threat.

Suppose we have a set of threats, $T$:

$$T = \left[\tau_i : i \in 1, 2, \ldots, n_T\right]$$

Here, $T$ is composed of individual threats or shocks, $\tau_i$, and the number of threats of concern to stakeholders, $n_T$. Next, suppose we have a set of systems, $S$, from which the overall network model must be constructed:

$$S = \left[s_j : j \in 1, 2, \ldots, n_S\right]$$

As before, we have individual systems, $s_j$, from which the interlinked system will be constructed, and the total number of systems involved is $n_S$, indexed by $j$. The partially directed graph indicating the relationships among the systems in the network is $\Theta$. Nodes may have marginal and conditional probability density functions. The partially directed graph $\Theta$ has edges $\varepsilon$ and $k$ nodes $\theta$. Undirected edges represent flows that can travel both directions along the link, while directed edges indicate flows traveling in only one direction along the link.
The values of the nodes of the partially directed graph are $\zeta_\theta$. Thus, the system of systems is represented by:

$$\Theta = \{E, S, Z\}$$

where the edge set is $E = \left[\varepsilon_{jk} : j, k \in 1, 2, \ldots, n_S;\ j \neq k\right]$, and the states characterizing the system levels of service are $Z = \left[Z_s : s \in 1, 2, \ldots, n_S\right]$. Note that $\zeta_\theta$ could be interpreted as either the range of levels of service for the system indexed by $\theta$ or the probability distribution indexed by $\theta$. The link matrix can be given, for any configuration, by $\Lambda$:

$$\Lambda = \begin{bmatrix} \lambda_{jk} = 1 : \varepsilon_{jk} \in E \\ \lambda_{jk} = 0 : \varepsilon_{jk} \notin E \end{bmatrix}$$

Note that the indices $j$ and $k$ indicate the direction of the link, that is: $\varepsilon_{jk} \sim s_j \to s_k$. If both $\varepsilon_{jk} \sim s_j \to s_k$ and $\varepsilon_{kj} \sim s_k \to s_j$, the link is undirected, indicating two-way flow. The link matrix can be indexed by time as follows:

$$\Lambda_t = \begin{bmatrix} (\lambda_{jk})_t = 1 : (\varepsilon_{jk})_t \in E_t \\ (\lambda_{jk})_t = 0 : (\varepsilon_{jk})_t \notin E_t \end{bmatrix}$$

This notation indicates that at time, $t$, the system is configured according to the links included in $E_t$.

Next, we have a three-dimensional link “transition” matrix indicating the probability of retaining $\lambda_{jk}$ after $\Theta$ has been subjected to a threat, $\tau$. The transition matrix is given by $M = \left[M_\tau : \tau \in T\right]$, and each layer of $M$ can be given by:

$$M_\tau = \begin{bmatrix} p_{ii}^{\tau} & p_{ij}^{\tau} & \cdots & p_{i n_S}^{\tau} \\ p_{ij}^{\tau} & p_{ii}^{\tau} & \cdots & \vdots \\ \vdots & \vdots & \ddots & \vdots \\ p_{n_S j}^{\tau} & \cdots & \cdots & p_{n_S n_S}^{\tau} \end{bmatrix}$$

In other words, the layers of the transition matrix represent the probabilities the links persist under each threat faced. If more than one threat is of concern, there is a layer for each threat evaluated. Note that the fragility curves for individual system components are given by the diagonal of the transition matrix: $f_{i,\tau} = p_{ii}^{\tau}$ and,

$$F = \begin{bmatrix} f_{ii}^{\tau} & f_{ij}^{\tau} & \cdots & f_{i n_S}^{\tau} \\ f_{ij}^{\tau} & f_{ii}^{\tau} & \cdots & \vdots \\ \vdots & \vdots & \ddots & \vdots \\ f_{n_S i}^{n_T} & \cdots & \cdots & f_{n_S n_S}^{n_T} \end{bmatrix}$$

If a threat instantiates, and a link between subsystems fails, the system reconfigures by selecting a configuration from the connection “possibility” frontier, in which a set of potential node connections, $\rho_{ik}$, is posited in conjunction with a connection score, $U(\rho_{ik})$. The possibility frontier is indicated by:

$$\rho_i = \left\{\rho_{ik}, U(\rho_{ik}) : i, k \in n_S \text{ and } i \neq k\right\}$$

while the choice among $\rho_{ik}$ is given by a decision rule. For example, one decision rule might be to maximize the connection score, $\rho_{ik} = \arg\max \left\{U(\rho_{ik}) : i, k \in n_S \text{ and } i \neq k\right\}$.

4. CASE STUDY APPLICATION

As an example, we apply the re-configurable systems analysis methodology to an industrial symbiosis park studied by Gonela and Zhang (2014). Industrial symbiosis is a concept that aims to reduce the cost of industrial production by facilitating co-location or collaboration among industries with symbiotic potential. These industries may then form symbiotic links in which the waste- or by-product of one firm may be used as an input or feedstock to another. If successful, they can have the advantage of improved environmental performance at increased profitability to each firm included in the symbiosis.

One major challenge in designing an industrial symbiosis is selecting the industrial partners to be included. Gonela and Zhang have addressed this problem by formulating a decision problem in which the optimal industrial symbiosis for supporting bio-energy production is constructed. Their approach represents the bio-energy based industrial symbiosis (BBIS) as a mixed-integer linear program in which the optimal configuration among a set of anchor tenants and their supporting industries is approximated as a closed-loop supply chain.
While Gonela and Zhang address the selection of plants into the BBIS using a deterministic approach, they do not address the profit of the BBIS given the possibility of failure or exit by any of the BBIS entities. In our application, we provide a simple extension of their industrial symbiosis work to show the value of studying the response of the BBIS to shocks or threats that may require re-configuration of the BBIS using the re-configurable systems methodology presented above.

The BBIS includes 8 firms that can collaborate or co-locate: a barley farm (BF), biorefinery (BRF), malt plant (Malt), combined heat and power plant (CHP), wastewater treatment plant (WWTP), anaerobic digestion facility (AD), cattle farm (CF), and cement plant (Cem). There are five priority participants (BRF, CHP, AD, Malt, Cem). The CHP unit includes the WWTP facility, while the barley farm exists outside the industrial symbiosis facility but provides input to the BRF and Malt plants on a contract basis if required. Of the five priority participants, the BRF and CHP/WWTP units are denoted “anchor tenants.” The BBIS will fail if any of these three anchor tenants are not operational.

The BBIS example for a 25-year design life cycle is parameterized for the re-configurable system analysis following the proposed ontology as:
• The system set. The firms constitute $S$, the potential participants in the symbiosis: $S = \{\mathrm{BRF}, \mathrm{BF}, \mathrm{CHP}, \mathrm{WWTP}, \mathrm{Malt}, \mathrm{AD}, \mathrm{CF}, \mathrm{Cem}\}$.
• Partially directed edges characterizing interrelationships, and the edge “transition” matrix. Gonela and Zhang indicate four potential configurations among the plants. These are called BBIS2, BBIS3, BBIS4, and BBIS5, where the number following BBIS indicates the number of priority participants included in the symbiosis. The smallest possible configuration is symbiosis between the anchor tenants CHP/WWTP and BRF. The largest configuration includes all five of the priority participants and their supporting partners.
For this case study, the edge transition matrix is the simplest case where all edges are equally likely to be deleted during each year of the project. No specific threats are examined. Notice that from above, the edge transition matrix is equal to $F$, where the diagonal of $F$ is the failure probability for each individual component, while the off-diagonal elements are the failure probabilities of the links. We present our analysis with five possibilities for link failure probabilities $f_{ij} \in \{0.0001, 0.001, 0.01, 0.05, 0.1\}$, $j \neq i$, and five possibilities for system failure probabilities $f_{ij} \in \{0.0001, 0.001, 0.01, 0.05, 0.1\}$, $i = j$. This constitutes 16 design points for the example analysis.
• The “Connection possibility frontier.” The connection possibility frontier, shown in Figure 1, is defined by the inputs and outputs of each firm. However, the analysis is simplified by using the decision rule that the maximum profit for any number of priority participants will be sought. Because Gonela and Zhang have identified the optimal configuration for 2, 3, 4, and 5 priority participants, the connection possibility frontier is equivalent in this case to a “configuration possibility frontier” consisting of BBIS2, BBIS3, BBIS4, and BBIS5. The annual profit under each of the four possible configurations is 822.27, 884.40, 888.79, and 890.94 million USD, respectively. If none of these four BBIS configurations are chosen, the profit of the BBIS is zero. We do not consider the profit of each individual plant after exiting the industrial symbiosis.

Figure 1. Industrial Symbiosis Connection Possibility Frontiers. a.) BBIS2; b.) BBIS3; c.) BBIS4; d.) BBIS5
[Figure not reproduced. Node labels by panel: a.) BRF, CHP, WWTP; b.) BRF, CHP, WWTP, CF, AD; c.) BF, BRF, Malt, CHP, WWTP, CF, AD; d.) BF, BRF, Malt, CHP, WWTP, Cem, CF, AD]

5. RESULTS

We show our results for each design point represented by the $f_{ii}$, $f_{ij}$ failure probability combinations. The results presented include the net present value of the overall BBIS profit, the probability of BBIS failure, and the mean time to BBIS failure.

5.1. Overall BBIS Profit.

Table 1 presents the net present value of the 25-year profits for the BBIS at each design point. The main cells show the median profit over 10,000 simulations, while the cells below show the 0.05 and 0.95 quantiles of profit. The interest rate assumed for these simulations is 0.08. The maximum median profit is achieved for four design points where the failure probabilities for links and sub-systems are 0.0001 and 0.001. At the same time, the lower bounds of profit decrease as the failure probabilities increase. At the other extreme, the median profit declines rapidly as the failure probabilities increase. At even one order of magnitude greater for either system failure or link failure, the lower bound of profit approaches zero. The median profit is actually zero for the design point with the highest failure probabilities simulated.

Table 1. Median Net Present Value of BBIS Profit over 25-Year Life Cycle

| | Pr[Sys]=0.0001 | Pr[Sys]=0.001 | Pr[Sys]=0.01 | Pr[Sys]=0.05 | Pr[Sys]=0.1 |
|---|---|---|---|---|---|
| Pr[Link]=0.0001 | $9,510.59 | $9,510.59 | $7,844.35 | $2,182.65 | $824.94 |
| | (9508.60, 9510.59) | (6360.39, 9510.59) | (824.94, 9493.18) | (0, 7030.75) | (0, 4092.54) |
| Pr[Link]=0.001 | $9,510.59 | $9,510.59 | $7,604.05 | $2,182.65 | $824.94 |
| | (7625.98, 9510.59) | (4638.56, 9510.59) | (824.94, 9491.85) | (0, 7038.20) | (0, 4281.04) |
| Pr[Link]=0.01 | $8,834.45 | $8,563.40 | $5,557.71 | $1,588.78 | $818.89 |
| | (824.94, 9510.59) | (824.94, 9510.59) | (0, 9376.68) | (0, 6373.66) | (0, 3858.78) |
| Pr[Link]=0.05 | $2,950.91 | $2,935.30 | $2,296.04 | $824.94 | $761.36 |
| | (0, 8260.17) | (0, 8191.79) | (0, 7291.71) | (0, 4725.29) | (0, 3283.09) |
| Pr[Link]=0.1 | $1,523.85 | $1,466.33 | $824.94 | $818.89 | $0.00 |
| | (0, 5259.09) | (0, 5300.81) | (0, 4788.87) | (0, 3443.20) | (0, 2723.46) |

5.2. Probability of BBIS Failure.

Table 2 presents the probability of BBIS failure at each design point. The BBIS fails if one of the anchor tenants fails or exits the industrial symbiosis. In the approach presented above, starting in BBIS5, the industrial symbiosis can re-configure to another profitable state following a disruption to the underlying configuration as long as the anchor tenants are operational.
Table 2 shows that there are synergistic interactive effects between the failure probabilities, and that the system has a very high probability of failing before the 25-year life cycle if either failure probability is greater than 0.001. This is important as it suggests that the successful operation of BBIS must either use contracts with a short life cycle, or take precaution to ensure the stability of each of the anchor tenants under a wide range of contingencies.

Table 2. Probability of BBIS failure during 25-Year Life Cycle

| | Pr[Sys]=0.0001 | Pr[Sys]=0.001 | Pr[Sys]=0.01 | Pr[Sys]=0.05 | Pr[Sys]=0.1 |
|---|---|---|---|---|---|
| Pr[Link]=0.0001 | 0.0147 | 0.1042 | 0.64 | 0.9939 | 1 |
| Pr[Link]=0.001 | 0.0794 | 0.1646 | 0.6624 | 0.9934 | 1 |
| Pr[Link]=0.01 | 0.536 | 0.5706 | 0.8376 | 0.9976 | 1 |
| Pr[Link]=0.05 | 0.9766 | 0.9792 | 0.9914 | 1 | 1 |
| Pr[Link]=0.1 | 0.9998 | 0.9997 | 1 | 1 | 1 |

5.3. Expected Time to Failure.

Table 3 shows the conditional expected time to failure of the BBIS. The conditional expected time to failure of the BBIS indicates the profitable lifetime of the symbiosis, conditional on the BBIS failing during the 25-year life cycle. These results show that the BBIS lifetime decreases rapidly as the probability of either system failure or link failure increases.

Table 3. Conditional Expected Time to Failure of the BBIS

| | Pr[Sys]=0.0001 | Pr[Sys]=0.001 | Pr[Sys]=0.01 | Pr[Sys]=0.05 | Pr[Sys]=0.1 |
|---|---|---|---|---|---|
| Pr[Link]=0.0001 | 12.69 | 12.60 | 10.93 | 5.27 | 2.89 |
| Pr[Link]=0.001 | 12.56 | 12.87 | 10.80 | 5.24 | 2.91 |
| Pr[Link]=0.01 | 11.32 | 11.33 | 9.50 | 4.67 | 2.72 |
| Pr[Link]=0.05 | 6.54 | 6.41 | 5.49 | 3.28 | 2.25 |
| Pr[Link]=0.1 | 3.67 | 3.65 | 3.34 | 2.46 | 1.93 |

6. CONCLUSIONS

The results suggest that the study of flexibility in engineered infrastructure systems is critically important. While techniques exist for deterministic selection of supply chain elements, applying the novel re-configurable resilient system ontology developed by Francis (2014) to the BBIS of Gonela and Zhang (2014) demonstrates that important implications of the interdependency can be missed when using existing tools. These ideas are the subject of ongoing research by the author.

First, the stability of entities constituted by interconnected systems depends strongly on the probabilities of failure (or exit) of the systems or their links. While established critical infrastructure firms may be able to weather some of the contingencies that may force firms to consider an exit, industrial symbiosis among emerging industries may lead to short lifetimes of the symbiosis.

Second, these results suggest that the re-configurable resilient system ontology may be able to inform the design of agreements structuring symbiotic links among infrastructure systems. However, future research into the use of this model must incorporate agency of the individual firms to respond to a more realistic model of exogenous pressures, and changes in the operations of BBIS partners.
This type of future research may draw on insights from research into networked decision making under heterogeneous environmental requirements and firm connection costs (Heydari and Dalili 2014). Future research will focus on using BBN-inspired methods to model decision making under uncertainty for each firm given evolution in its input or output relationships.

Third, the high cost of re-configurability for critical infrastructures requires that flexibility be an explicit part of the design of interconnections among these systems. Yet, it is not clear that existing modeling techniques used to study these interconnections study their evolution. The preliminary results presented here concerning the probability of the BBIS lasting for the 25-year life cycle of the symbiosis, in conjunction with the mean failure time, indicate that the need for research into the design of interdependent critical infrastructure subject to evolving firm interrelationships is critically important.

7. REFERENCES

de Neufville, R., and Scholtes, S. (2011). Flexibility in Engineering Design. MIT Press, Cambridge, MA.
Francis, R. A. (2014). “A Vision for Probabilistic Analysis of Re-Configurable Resilient Engineered and Infrastructure Systems.” CESUN2014, Hoboken, NJ.
Francis, R. A., and Bekera, B. (2013). “Resilience Analysis for Engineered and Infrastructure Systems Under Deep Uncertainty or Emergent Conditions.” ESREL 2013, Amsterdam, The Netherlands, 1–7.
Francis, R., and Bekera, B. (2014). “Reliability Engineering and System Safety.” Reliability Engineering and System Safety, Elsevier, 121(C), 90–103.
Garvey, P. R., and Moynihan, R. A. (2010). Introduction to Functional Dependency Network Analysis. MITRE Corporation.
Garvey, P. R., and Pinto, A. C. (2009). “Introduction to Functional Dependency Network Analysis.” Cambridge, MA, 1–17.
Gonela, V., and Zhang, J. (2014). “Design of the optimal industrial symbiosis system to improve bioethanol production.” Journal of Cleaner Production, 64, 513–534.
Heydari, B., and Dalili, K. (2014). “Emergence of Modularity in System of Systems: Complex Networks in Heterogeneous Environments.” IEEE Systems Journal, http://dx.doi.org/10.1109/JSYST.2013.2281694.
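
The simulation that Sections 4 and 5 describe, as an added example in Python (not the author's code). Configuration membership is read from the node labels that survive from Figure 1, and the profits, interest rate and 25-year horizon come from the text; the link lists, the permanence of failures and the ordering of events within a year are assumptions, so the output illustrates the method and is not expected to reproduce Tables 1 to 3.

```python
import random
from statistics import median

RATE, YEARS = 0.08, 25          # interest rate and design life from the page

# ASSUMED link lists: the edges of Figure 1 did not survive extraction, so these
# pairs are constructed for illustration. Node membership follows the figure labels.
CORE = [("BRF", "CHP"), ("CHP", "WWTP"), ("WWTP", "BRF")]   # anchor tenants
AD = [("BRF", "AD"), ("AD", "CF")]
MALT = [("BF", "Malt"), ("Malt", "BRF")]
CEM = [("CHP", "Cem")]

# Configuration possibility frontier, best first: (name, annual profit in
# million USD from the page, links that the configuration needs).
FRONTIER = [
    ("BBIS5", 890.94, CORE + AD + MALT + CEM),
    ("BBIS4", 888.79, CORE + AD + MALT),
    ("BBIS3", 884.40, CORE + AD),
    ("BBIS2", 822.27, CORE),
]
ALL_LINKS = FRONTIER[0][2]
ALL_SYSTEMS = sorted({s for link in ALL_LINKS for s in link})


def best_config(up_systems, up_links):
    """Decision rule from the page: the feasible configuration with maximum profit."""
    for name, profit, links in FRONTIER:
        if all(l in up_links and l[0] in up_systems and l[1] in up_systems
               for l in links):
            return name, profit
    return None, 0.0            # an anchor tenant or core link is gone: BBIS fails


def simulate_once(p_sys, p_link, rng):
    """One 25-year history; returns (NPV of profit, failure year or None)."""
    systems, links = list(ALL_SYSTEMS), list(ALL_LINKS)
    npv = 0.0
    for year in range(1, YEARS + 1):
        # ASSUMPTION: failures are permanent and are drawn before the year's profit.
        systems = [s for s in systems if rng.random() >= p_sys]
        links = [l for l in links if rng.random() >= p_link]
        name, profit = best_config(set(systems), set(links))
        if name is None:
            return npv, year
        npv += profit / (1 + RATE) ** year
    return npv, None


def run_design_point(p_sys, p_link, n=10_000, seed=1):
    """Median NPV with quantiles, failure probability and mean failure year."""
    rng = random.Random(seed)
    runs = [simulate_once(p_sys, p_link, rng) for _ in range(n)]
    npvs = sorted(r[0] for r in runs)
    fail_years = [r[1] for r in runs if r[1] is not None]
    return {
        "median_npv": median(npvs),
        "q05": npvs[int(0.05 * n)],
        "q95": npvs[min(int(0.95 * n), n - 1)],
        "p_fail": len(fail_years) / n,
        "mean_fail_year": sum(fail_years) / len(fail_years) if fail_years else None,
    }


if __name__ == "__main__":
    for p_link in (0.0001, 0.01, 0.1):
        for p_sys in (0.0001, 0.01, 0.1):
            r = run_design_point(p_sys, p_link, n=2000)
            print(f"Pr[Link]={p_link} Pr[Sys]={p_sys} "
                  f"median NPV={r['median_npv']:.2f} P(fail)={r['p_fail']:.3f} "
                  f"E[T|fail]={r['mean_fail_year']}")
```

With both failure probabilities set to zero the model returns the 25-year annuity value of the BBIS5 profit, which matches the $9,510.59 maximum reported in Table 1.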