Hybrid stochastic approach for the modelling and analysis of fire safety systems

Nonlinear Analysis 65 (2006) 1123–1149 www.elsevier.com/locate/na

Hybrid stochastic approach for the modelling and analysis of fire safety systems Emilia Villani a , Percy Igei Kaneshiro b , Paulo Eigi Miyagi b,∗ a Instituto Tecnol´ogico de Aeron´autica – Department of Mechanical Engineering, 12228-900,

S˜ao Jos´e dos Campos - SP, Brazil b Escola Politecnica, University of S˜ao Paulo, Av. Prof. Mello Moraes, 2231 S˜ao Paulo - SP, Brazil

Abstract This paper approaches the problem of analysing control strategies for Fire Safety Systems. The components of Fire Safety Systems present behaviours of different nature and therefore the use of a hybrid modelling formalism is necessary. Petri net is used to model the discrete dynamics. Algebraic and differential equations are used for the continuous one. In order to realistically evaluate the performance of Fire Safety Systems, failures and other uncertainties, such as people’s behaviour, should be included in the model. Due to the model complexity, results are obtained by Monte Carlo simulation. c 2005 Elsevier Ltd. All rights reserved.  Keywords: Fire Safety System; Hybrid system; Petri net; Uncertainty; Monte Carlo simulation

1. Introduction This paper presents and discusses the use of hybrid system modelling and analysis techniques in the design of integrated control strategies for Fire Safety Systems. In a building, the Fire Safety System provides the means for preventing, detecting and combating fire occurrences, minimizing damages and assuring the safe evacuation of occupants [19]. Usually, the Fire Safety System includes smoke and fire detectors, sprinklers, alarms, emergency communication systems and emergency lights, among others. In almost every ∗ Corresponding address: Mechatronics Engineering, University of Sao Paulo, Av. Prof. Mello Moraes, 2231, 05508030 Sao Paulo, Brazil. Tel.: +55 1130915580; fax: +55 11 30915461. E-mail addresses: [email protected] (E. Villani), [email protected] (P.E. Miyagi).

c 2005 Elsevier Ltd. All rights reserved. 0362-546X/$ - see front matter  doi:10.1016/j.na.2005.11.048

1124

E. Villani et al. / Nonlinear Analysis 65 (2006) 1123–1149

country, Fire Safety Systems are mandatory for new non-residential buildings and are essential for occupants’ safety [1]. Fire Safety Systems are usually designed based on a set of rules and standards that specifies the basic components and characteristics of the system. These rules are defined by regulating agencies, such as ABNT (Brazilian Association of Technical Standards) [1] in Brazil and NFPA (National Fire Protection Association) [26] in the USA. However, they consider only the case of conventional buildings, where the Fire Safety System operates independently from other building systems. Recently, in the context of the so-called “intelligent building”, intelligence and automation have been incorporated into the design of building systems [5,35]. These facilities open the possibility of specifying a new range of control strategies that are based on the integration of the Fire Safety System with other building systems. Examples are its integration with the Elevator Management System, HVAC (Heating Ventilation and Air-Conditioning) System and Lighting System, among others. The coordinated cooperation of all building systems aims to reduce the damage caused by a fire. In this way, it may be possible to achieve better performance and increase the safety functions of a Fire Safety System. Because of their innovative aspects, these new strategies are not specifically considered by the traditional standards and rules mentioned before, which does not mean that they are not allowed. On the contrary, integrated control strategies have been encouraged by NFPA [26], which recommends their incorporation as additional features along with the traditional ones and recognizes the importance of research initiatives on this field. Although many approaches and tools have already been proposed for studying and predicting what would happen in a building in the case of fire [15], they can only be used for the analysis of conventional Fire Safety Systems and do not have the necessary flexibility for incorporating new technologies and strategies. The research about new integrated control strategies is strongly limited by this problem and the development of methods and tools for their evaluation is therefore of great importance. In this context, this work proposes an alternative approach for analysing integrated control strategies of Fire Safety Systems. For this purpose, the whole system, composed of the control system, building equipment, people and fire, is considered as a Hybrid System. Generally, systems can be classified according to their behaviour and the nature of their state variables. In this case, they are divided into Continuous Variables Dynamic Systems, Discrete Event Dynamic Systems, and Hybrid Systems [2] and [3]. In Continuous Variable Dynamic Systems, the system state is modelled by a set of continuous variables. The values of these variables form an interval of real numbers and they change continuously with time. They are therefore described as time-driven. On the other hand, Discrete Event Dynamic Systems have discrete state variables that take their values from an enumerable set of values (e.g. integer numbers, Booleans, etc.). They are constant between events and are modified in a discrete way by the occurrence of instantaneous events. They are therefore described as discrete event-driven. The time duration of events is not relevant for the system dynamics, they are modelled as instantaneous events [7]. Hybrid systems mix the characteristics of Discrete Event Dynamic Systems and Continuous Variables Dynamic Systems, including discrete and continuous variables, as well as piecewise continuous variables. In the case of Fire Safety Systems, examples of continuous variables are those related to the fire spread and amount of smoke. According to the system configuration, these variables can also be piecewise continuous, modifying their dynamics when fire equipment, such as a sprinkler, is switched on. In this case, switching devices on and off are examples of

E. Villani et al. / Nonlinear Analysis 65 (2006) 1123–1149

1125

discrete events. The speed of a person can also be modelled as piecewise continuous. When escaping, a person may traverse a number of rooms and halls. Its speed can vary according to the characteristics of the current room, such as whether it is almost empty or completely full, whether there is fire and smoke in the room or only smoke, etc. The proposed approach models Fire Safety Systems using Petri net for the discrete eventdriven dynamics. The continuous dynamics is represented using algebraic equations and differential algebraic equations. In order to ensure modularity and reuse, object-oriented concepts are also considered. Furthermore, the approach takes into account uncertain behaviour by incorporating probabilistic elements into the model. The focus of the approach is on how to estimate the Fire Safety System performance when using integrated control strategies, and compare different proposals. This paper is organized as follows. Section 2 discusses the limitations of the current approaches and tools for the analysis of a Fire Safety System, motivating the use of hybrid system modelling formalisms. Section 3 introduces the proposed approach, which is applied to two examples in Section 4. Finally, Section 5 draws some conclusions. 2. Current approaches and tools for Fire Safety System analysis For the purposes of this work, the design of a Fire Safety System is divided into three main activities: specification, modelling and analysis. The specification of the Fire Safety System encompasses the definition of a Fire Safety System equipment, escaping routes, and control strategies. One or more proposals can be generated. Each proposal is then modelled using the available tools and approaches. Due to the model complexity, analysis results are almost always obtained by simulation. The choice of the modelling approach limits the kind of information that can be incorporated into the model. Consequently, it also limits the size of the models that are feasibly analysable, and the precision of results obtained from the model analysis. Different tools and approaches have already been proposed for this purpose [15]. Some of them are commercially available and have been largely employed by the Fire Safety System industrial community. Most of the tools are specialized in modelling only one aspect of the Fire Safety System, such as the fire spread or people evacuation. Fire spread models are divided into zone models and field models [27]. A zone model is a computer program that predicts the effects of a fire inside a relatively enclosed volume. The zone approach divides the area of interest into a number of uniform zones that, when combined, describe the area of interest as a whole. The advantage of this model is its simplicity. It is possible to include more phenomena in a given zone model without being overwhelmed by complexity. Simulation usually runs far more rapidly and inexpensively. Examples of zone model tools are ARGOS [9], BRI-2 [25] and CALTECH [37], among others. Field models are used to model the fire development inside a large number (on the order of thousands) of control volumes. They solve the conservation equations (i.e. mass, energy and momentum) inside each control volume. They provide a more precise and detailed solution when compared with zone models. Examples of field models are FLOTRAN [21] and FLUENT [11], among others. People evacuation models can also be classified in two main classes: microscopic approaches and macroscopic approaches [22]. In the case of microscopic approaches [20], each person in the building is individually considered. He is modelled as an autonomous entity (an agent) whose behaviour is mostly independent of the presence of other people in the building.

1126

E. Villani et al. / Nonlinear Analysis 65 (2006) 1123–1149

Fig. 1. Dependence among tools.

The complexity of the models varies greatly and affects significantly the results. Examples of tools based on microscopic approaches are B-GRAF [28], EXITT [6], E-SCAPE [31], EVACSIM [30] and EXODUS [14], among others. Each person has his own set of attributes, such as being an adult, a child, an aged or a handicapped person, etc. These attributes restrict and influence the person’s behaviour when escaping. The behaviour of the person is determined by a set of pre-defined rules such as “if he is in a room full of smoke, he must go to the nearest room”. According to the tool, the decisions taken by each person can be either deterministic or stochastic, such as in EVACSIM and EXODUS. It is important to observe that in microscopic approaches, the behaviour of a crowd “emerges” from the combined behaviour of all the people. In the case of macroscopic approaches, all the people in the building are modelled as a single entity (a crowd) whose behaviour is approximated by fluid dynamics equations [10]. People are a homogeneous entity, and the individual behaviour of each person is not recognized. An example is EVACNET [15]. Although these tools can be used successfully in the design of conventional Fire Safety Systems, they present a set of disadvantages that make impossible their application for the analysis of integrated control strategies. Once most of the tools are designed based on the rules and standards defined by the regulating agencies, they contain only the definition of models for the equipment and control strategies used in Fire Safety Systems of conventional buildings. The lack of flexibility makes impossible the study of systems that incorporate new technologies, control strategies, or equipment from other building systems, such as HVAC fans, automatic controlled windows, etc. The second problem is that they model one aspect of the Fire Safety System, such as the fire’s or the people’s behaviour. In order to predict the combined effects of all the aspects, different tools must be integrated. This is possible only for open cycles of dependence among tools (if Tool 1 uses the results of Tool 2, Tool 2 cannot use the result of Tool 1). An example is when the fire behaviour is simulated using CFAST [18], the results are recorded and then used as an input to EXODUS, which models the people’s behaviour (Fig. 1(a)). However, in the case of intelligent buildings, integrated control strategies must react to the people’s behaviour, which varies according to the fire evolution, which depends on the control strategies, closing the cycle (Fig. 1(b)). It is therefore necessary to simultaneously execute all the models and synchronously exchange data among them during the simulation. Finally, most of the tools simulate the behaviour of the system under nominal conditions. Errors, faults or failures are not considered. These uncertainties are particularly important for the analysis of risks and estimation of system reliability. Motivated by these problems this work proposes a new modelling approach for Fire Safety Systems based on Hybrid System formalisms.

E. Villani et al. / Nonlinear Analysis 65 (2006) 1123–1149

1127

3. The proposed modelling and analysis approach The Fire Safety System model can be divided in two blocks: control system and plant. The control system is basically composed of the set of control strategies that activates the equipment related to fire control (sprinklers, emergency doors, etc.) and interfaces with other building systems (HVAC, Access Control, Elevator Management Systems, etc.). The plant model is composed not only of the fire control equipment, but it also includes equipment from other building systems, the fire’s behaviour, smoke diffusion and people’s behaviour. The parameters used for evaluating the performance of a control strategy are building evacuation time, ability to control fire and smoke, number of deaths, number of injured people, among others. Due to the diversified behaviour and complexity of the elements that must be modelled, the choice of the modelling formalism is particularly important. This issue is discussed on the next section. 3.1. The choice of the modelling formalism As the Fire Safety System dynamics has already been classified as hybrid, the focus of this section is on the Hybrid System modelling formalisms. A detailed review of these formalisms is outside the scope of this paper. For this purpose see [8,13] and [4]. Briefly, some approaches are extensions of continuous models (such as differential equation systems) where some variables can be discontinuously modified. Others are Discrete Event Dynamic System modelling techniques where new elements are introduced for representing the continuous dynamics, such as the Hybrid Petri nets [2]. There is also a third group where continuous models, described by differential equation systems, are combined with discrete ones, such as Petri nets or automata. An interface is introduced to connect the two parts of the model. The main proposals for this group are described and compared in [13]. For the purpose of this work, this last group is especially interesting because of their broader modelling power and flexibility, when comparing with the first two groups. Among the approaches of this group, the Petri net derived formalisms are particularly considered because of their well-known advantages for representing features such as parallelism, concurrency, synchronism and conflict. These features are particularly important in the case of Fire Safety Systems due to the diversified behaviour that may emerge from its integration with other building systems. An example of concurrency is the activation of fire equipment in different building zones when fire is detected. An example of parallelism is the people’s escaping movement when the alarm is switched on. An example of synchronism is to turn the Elevator Management System off when all the elevators are on the ground floor and with the doors opened. An example of conflict is when a person is escaping and must choose among different paths. The main proposals that combine two formalisms and are based on Petri nets are the Mixed Petri nets [33] and the Differential Predicate-Transition Petri nets [8]. The last one is based on the Predicate-Transition nets, a high-level Petri net formalism proposed by Genrich [12] for modelling the Discrete Event Dynamic System. The Predicate-Transition net explicitly introduces the concept of “variable” associated with tokens.1 Furthermore, a Differential Predicate-Transition Petri net does not limit to one the capacity of the Petri net places. 1 In this text, variable names and structural elements of Petri nets, such as place, transition and token are printed in Arial type.

1128

E. Villani et al. / Nonlinear Analysis 65 (2006) 1123–1149

Fig. 2. Layout of the hall.

It is considered more suitable for the purposes of this work, as it makes possible a concise representation of the system. On the other hand, a Differential Predicate-Transition Petri net does not provide the means for a structured decomposition/composition of the system, making difficult, if not impracticable, the modelling of large complex systems. Looking for a solution to this problem, the object-oriented (OO) paradigm [32] is introduced to the Differential Predicate-Transition Petri net, as described in the next section. 3.2. The OO-DPT net The OO-DPT net (Object-Oriented Differential Predicate-Transition Petri net) formalism merges Petri nets for representing the discrete dynamics, algebraic and differential equation systems for the continuous one and the object-oriented paradigm for ensuring modularity. It is important to observe that this paper does not describe in detail all the features of the OO-DPT net. It focuses on the features that are necessary to understand the modifications introduced in Section 3.3 and the examples presented in Section 4. A detailed description of the OO-DPT net can be found in [36]. Following the object-oriented paradigm, the model of a system is composed of a finite set of objects organized in classes. A class can be a physical entity, such as a device, a person or a sensor. It can also represent part of the control system, such as a control strategy, or the interface with another building system. In the proposed approach, an OO-DPT net models the behaviour of a system and is composed of a set of OO-DPT sub-nets. Each OO-DPT sub-net is associated with a class and models the behaviour of the objects of that class. The marking of the OO-DPT sub-net indicates the current state of the objects of that class. 3.2.1. Modelling of discrete dynamics In OO-DPT sub-nets, a Petri net represents the discrete dynamics of the class [24]. Each token of the Petri net marking is associated with an object and indicates the current state of the object from the discrete point of view. As a system may be composed of more than one object of the same class, the places of the corresponding OO-DPT sub-net may have more than one token. However, two tokens in the same place cannot belong to the same object. Eventually, one object can be modelled by more than one token, indicating parallel behaviour inside the object. As an example, Fig. 4 presents the Petri net of the class C1 -Person. This class models the behaviour of a person while escaping through a hall that is illustrated in Fig. 2. According to this figure, there are three objects of this class: O1.1 - Paul, O2.1 - David, O3.1 - Fred. Place p1 1 indicates that the person is working somewhere in the building and does not know about the fire. Usually this is the initial state of the objects of the class C1 -Person. When the person becomes aware of a fire in the building (firing of the t1 1 ), he starts running to the hall

E. Villani et al. / Nonlinear Analysis 65 (2006) 1123–1149

1129

Fig. 3. Discrete part of the class C1 -Person.

Fig. 4. Continuous part of the class C1 -Person.

(place p2 1 ). When he reaches the entrance door (firing of the t3 1 ) and analyses the situation in the hall, he must decide what to do (place p3 1 ). He can return to the rooms and offices (firing of t2 1 ) or enter the hall (firing of t5 1 ) and run to the exit (place p5 1 ). If he enters the hall, he may change direction at any moment (firing of t6 1 ) and run back to the rooms and offices (place p4 1 ). While in the hall, the person may die (firing of t7 1 or t8 1 ) or reach the exit (firing of t9 1 ). According to the marking of the Petri net in Fig. 3, Paul is currently at the entrance door of the hall, while David and Fred are running to the exit. 3.2.2. Modelling of continuous dynamics In order to model the continuous dynamics, the following elements are associated with the Petri net of each class Ci (each OO-DPT sub-net) that composes the system model: • A set of variables (Xi ), which models the class attributes. They are divided into internal variables (Xint i ), public variables (Xpb i ), image variables (Xim i ) and constants (Xco i ). • An application that associates a sub-set (Xpx i ) of the internal and public variables (Xint i ∪ Xpb i ) to each place (px i ). • A set of algebraic and/or differential equation systems. Each equation system (Fx i ) is associated with a place (px i ). It determines the dynamics of the variables of Xpk i when the place is marked. • A set of enabling functions. Each enabling function (ex i ) is associated with a transition (tx i ) and triggers the firing of the enabled transitions according to the value of Xi . • A set of junction functions. Each junction function (jx i ) is associated with a transition (tx i ) and defines the value of internal and public variables of Xi after the transition firing. In this paper, the subscript “i” is the class identification. The subscript “x i” indicates a transition or place “x” of a class “i”. The subscript “w.i” indicates an object “w” of a class “i”.

1130

E. Villani et al. / Nonlinear Analysis 65 (2006) 1123–1149

From the continuous point of view, the state of an object Ow.i of a class Ci is modelled by an instantiation Xw.i of the variables Xi . It is important to observe that the Petri net structure and the initial marking of objects must ensure that only one place at a time determines the value of each variable of Xw.i . If eventually the object state is represented by two tokens, one in px i and the other in py i , then Xpx i ∩ Xpy i = ∅. In the OO-DPT net, two objects can exchange data by sharing variables. Basically, the instances of internal variables (Xint w.i ) of an object Ow.i can only be read and written by the object itself. On the other hand, instances of public variables (Xpb w.i ) can be read but not written by other objects. If a second object Ov.z reads the value of a variable M of Xpb w.i , then M will be part of Xim v.z (image variables of Ov.z ). It means that M must be specified in the set Xpb i of class Ci as well as in the set Xim z of class Cz . However, the specification of Xpb i and Xim z is not enough for implementing a variable sharing. It is necessary to specify the identity of the object that has the instantiation of the variable to be read. In other words, the object Ov.z must store the information that M must be read from Ow.i and not from any other object of class Ci . This information is record in a variable of Xz , such as I1 and when the variable M is listed in Xim z , it is named as MI1.Ci . Fig. 4 presents the set of variables, equation systems, the enabling functions and the junction functions for the class C1 -Person. Basically, after becoming aware of a fire (firing of t1 1 ), the person runs to the hall (place p2 1 ). The continuous variable θaux indicates the elapsed time from the firing of t1 1 . It is therefore reset by the junction function j1 1 . The time taken by the person to reach the hall entrance door (firing of t3 1 ) is determined by e3 1 , according to the value of Kθ . The variable dg indicates if the person considers the hall too dangerous (dg = 1) or not (dg = 0). As he has not yet visited the hall, he initially considers it a safe escape route (j1 1 sets dg = 0, making e3 1 true). When he reaches the hall, his position is x = x0 (set by j3 1 ). The junction function j3 1 also updates the value of dg according to the situation in the hall. The algebraic equation of dg is associated with the junction function j3 1 because the person spends no time in place p3 1 , as either t2 1 or t5 1 is always enabled. If the algebraic equation of dg was associated with p3 1 , the decision of firing t2 1 or t5 1 would be taken before dg was actually calculated. According to the junction function j1 3 , the amount of smoke and the presence of fire in the hall are informed by the image variables smI1.C3 and frI1.C3 , from the class C3 -Fire (presented in Section 4.1.3). The person analyses the situation ahead in the hall (at x + Δx). If the amount of smoke is higher than a certain threshold (smI1.C3 (x + Δx) ≥ smmax ) or if the hall is on fire (frI1.C3 (x + Δx)> 0), e2.1 is true and the person returns to the rooms and offices (place p2 1 ). In this case, the value of dg remains as “1” and the enabling function of t3 1 (dg = 0) prevents the person from returning to p3 1 . On the contrary, when the person arrives in the hall for the first time, if the situation is not dangerous (dg = 0), he enters the hall (firing of t5 1 ) and runs to the exit (place p5 1 ). The image variable vpI2.C2 is the person’s speed in the hall. It depends on the amount of people in the hall and therefore is calculated by another class, C2 -Hall (presented in Section 4.1.2). At any moment, if the situation ahead in the hall is too dangerous (enabling function e6 1 is true), the person changes direction (firing of t6 1 ). While in the hall, the person dies if he is caught by the fire (frI1.C3 (x) > 0) or if the amount of inhaled carbon monoxide (coacc ) crosses the threshold of coacc max . The person reaches the exit when x = xL (e9 1 is true) and is finally safe (place p9 1 ).

E. Villani et al. / Nonlinear Analysis 65 (2006) 1123–1149

1131

Fig. 5. Discrete interface of the class C1 -Person.

3.2.3. Communication between objects Two objects of a system can interact and exchange data. This communication between objects is either discrete or continuous. The continuous communication is made by variable sharing and has already been described in the previous section. The discrete communication is performed through method calls and it is modelled by the dynamic fusion of two transitions. Basically, in the OO-DPT net, the transitions of a class Ci can be associated with methods provided by the class. Objects of other classes may call these methods in order to change the state of objects of Ci . In order to call the method associated with a transition tx i of a class Ci , another class C z must associate a method call with one of its transitions ty z . As for the case of variable sharing, if an object Ov.z of the class C z calls the method tx i of the class Ci , it must know which object of Ci it wants to perform the method. A variable of C z stores this information and is associated with the method call. When both tx i and ty z are enabled, they fire as a single one. As an example, the discrete interface of class C1 -Person is presented in Fig. 5. Transitions associated with methods provided by the class are graphically represented as white-filled bars, while transitions associated with methods called by the class are black-filled bars. The transitions t2 1 , t3 1 and t9 1 call methods provided by class C2 -Hall (presented in Section 4.1.2). They are used by the objects of class C1 -Person to indicate whether they are or not in the hall. This information is used by the object of class C2 indicated in the variable I2 . This object calculates the people “density” in the hall (the portion of the hall area occupied by people). Using this information, the object of C2 establishes the people’s speed and shares it with the people in the hall (image variable vpI2.C2 ). It is assumed that all the people in the hall, i.e., all the objects of class C1 , have similar physical conditions and therefore run with the same speed. On the other hand, the transition t1 1 is associated with a method provided by the class. An object of another class can use this method to alert the person of a fire and change his state from p1 1 (working) to p2 1 (running to hall). It is important to observe that the transition fusion is dynamic. Transition t2 2 of class C2 can be merged with t2 1 or t9 1 . However, it is possible to build an unfolded version of the OO-DPT net where the state of each object of each class is represented in a different OO-DPT sub-net. In this case, transitions associated with method calls may be duplicated, resulting in an OO-DPT net with a static structure. The unfolding procedure is described in [36].

1132

E. Villani et al. / Nonlinear Analysis 65 (2006) 1123–1149

3.3. Introduction of uncertainty in the OO-DPT net When connected to other classes of the system, the model of class C1 -Person can be used to determine important parameters of the Fire Safety System such as the evacuation time, the amount of smoke inhaled by people and the number of deaths, among others. However, this model does not consider any uncertainty in the people’s behaviour. It also assumes that the alarm system never fails and always warns people in the building in the appropriate time. Everyone in the building knows the escape route and behaves in the appropriate way. Although a significant percentage of the people do behave as described above, the remaining percentage, and any other uncertain event, can significantly affect the Fire Safety System performance. In order to obtain more reliable results, uncertainty should be introduced in the system model. Probabilistic events and uncertain behaviour are particularly important for the analysis of Fire Safety Systems due to their critical nature. The cost of an eventual equipment failure can result in the lost of a number of human lives, and therefore must be considered in the control strategies analysis. Among the sources of uncertainty in Fire Safety Systems are: • People’s behaviour: a number of reasons can make people behave in a way different than expected. One of the most important is fear. Different people react to panic in different ways. Some of them may face a dangerous path in a desperate attempt to leave the building. Others may simply run away from the fire as far as possible, even if it means not trying to leave at all. There are also people that do not know the escape route and may take a wrong direction, or take another route in order to find a family member. • Fire behaviour: the uncertainty in this case is related to the conditions under which the fire occurs. It comprises the kind of material that is burned, humidity, temperature and other airrelated variables, among many others. • Equipment failures: most of the time failures are due to inadequate maintenance or inappropriate use. A common situation in Fire Safety Systems is when smoke sensors (and also sprinklers) are wrongly regulated and detect smoke when there is no fire. In such a case, the occupants frequently disconnect the sensor instead of adjusting its sensitivity. The incorporation of uncertainty in the modelling approach is a contribution of this paper. The problem of modelling uncertainty in hybrid systems has already been approached in many works in the literature (e.g. [29]). These works can be classified according to how the uncertainty is introduced into the models. Most of them consider one or more of the following cases: • • • •

The continuous dynamics is modelled by using stochastic differential equations. The date of the occurrence of a discrete event is set according to probabilistic distributions. The choice in the case of conflicts is made according to pre-defined probabilities. After an event, the new state of the system is set according to probabilistic laws.

Another important point is the formalism used as a background. Most of the works already published are based on hybrid automata. Examples are [29] and [16]. Among the formalisms that model the discrete dynamics using a Petri net is the Fluid Stochastic Petri net [17] and [34]. It starts from the definition of Generalized Stochastic Petri net and incorporates elements for the modelling of continuous dynamics, such as continuous places. Due to the reasons described in Section 3.1, only proposals that merge Petri nets and differential equation systems have been considered for the analysis of Fire Safety Systems.

E. Villani et al. / Nonlinear Analysis 65 (2006) 1123–1149

1133

Fig. 6. Example of probabilistic junction function.

Fig. 7. Example of probabilistic junction function for solving conflict.

A proposal with these characteristics is briefly discussed in [23]. It is also based on Generalized Stochastic Petri net. It considers that the dates of transition firings can be set according to stochastic distributions and, in the case of conflict among two or more transitions, the decision can be made by associating a fixed probability with each transition. This paper adopts a slightly modified definition. Instead of associating stochastic distributions to the dates of transition firings, we introduce probabilistic junction functions that set the value of the continuous variables after a transition firing according to probabilistic distributions (PD). No restriction is made on the kind of distribution that can be used. It can be a well-known distribution such as normal or exponential distribution or it can be described by any other function. After the firing, these variables can be used in enabling functions or equation systems, influencing both the discrete and continuous dynamics. An example is presented in Fig. 6. The probabilistic distribution PD1 is associated with transition t1 . Each time t1 fires, a new value is attributed to the continuous variable y. This new value can vary from 1 to 3 and is chosen according to the probabilistic distribution PD1 . The new value of y determines the time interval for the firing of transition t2 . The evolution of the variable y is presented on the right side of Fig. 6 and includes 4 firings of t1 . The values of y after each firing are 2.2, 1.7, 2.9 and 2.1. In the case of conflict among transitions probabilistic junction functions can generate random numbers that are used in the enabling function of the conflicting transitions, in order to choose the one that should fires. An example is presented in Fig. 7. The probability of firing t2 is 80% and in the remaining 20% of the cases, t3 fires.

1134

E. Villani et al. / Nonlinear Analysis 65 (2006) 1123–1149

The main advantage of the proposed approach is the flexibility to model different kinds of uncertain behaviour with the same structural element, the probabilistic junction functions. Basically, the use of probabilistic distributions in junction functions can model the following kinds of uncertainties: • Time delays set according to probabilistic distributions. In Fire Safety Systems, examples are the time for a person to become aware of the fire and the time for the fire brigade to reach the building. • Probabilistic choices in the case of conflicts. Examples are the occurrences of faults in the Fire Safety System equipment and the choice made by people while escaping. • Probabilistic initial values for the variables and parameters of algebraic and differential equations. An example is the conditions under which the fire occurs, which affects the fire’s behaviour. Comparing our proposal with those based on Generalized Stochastic Petri nets, it is important to observe that the definition of OO-DPT net does not include timed transitions, though time intervals can still be modelled by a set of junction function, differential equation and enabling function. The definition of timed transitions would bring additional complexity to the model formalism with no extra gain. In the same way, the definition of probabilities associated with groups of conflicting transitions generates extra rules for the transition firings in the OO-DPT net. Comparing our proposal with those based on Stochastic Differential Equations, the choice of not explicitly including uncertainty into the equation systems is based on the characteristics of Fire Safety Systems. Although the fire’s behaviour is uncertain, it basically depends on the conditions under which the fire occurs. These conditions can vary significantly from one fire occurrence to another, but they are approximately constant during the same fire. An example is the effects of the furniture materials and air humidity on the amount of smoke generated by the fire and the fire spread speed. The values of these variables can be generated by a probabilistic junction function and used as parameters in the equation systems. In order to illustrate the application of probabilistic junction function in Fire Safety Systems, a new probabilistic model of class C1 -Person is presented in Fig. 8. In the initial state, when the fire starts, the person can become aware of a fire due to the alarm system (firing of t1 1 ) or in the case of failure of the alarm system (firing of t10 1 ), he becomes aware with a delay of θw that is set according to the probabilistic distribution PD4 (junction function of t10 1 ). After becoming aware of the fire the person takes θe seconds to reach the entrance door. In contrast to the deterministic model of Fig. 4 where the time to reach the hall is fixed and equal to Kθ , in this case θe is set according to the probabilistic distribution PD1 (junction function of t1 1 and t11 1 ). When the person reaches the entrance door (firing of t3 1 ), he must make a decision. He can either go to the left (firing of t12 1 ), to the right (firing of t5 1 ) or return to the offices and rooms (firing of t2 1 ). His decision is based on the analysis of the situation ahead in the hall in both directions. The variables dgright and dgleft indicate the presence of fire (frI1.C3 (x±x) > 0) and/or excess of smoke (smI1.C3 (x±x) > smmax ) in the hall. According to dgright and dgleft , a set of probabilities is attributed to t2 1 , t5 1 and t12 1 and is stored in the variables P2 1 , P5 1 and P12 1 (Table 1). A random number is also generated by the firing of t3 1 (rd = PD3 ) and compared with P2 1 , P5 1 and P12 1 , enabling one of the transitions. If the person decides to return to the rooms and offices, he can eventually return again to the hall in a time θe , set by PD2 .

E. Villani et al. / Nonlinear Analysis 65 (2006) 1123–1149

1135

Fig. 8. Model of class C1 -Person with uncertainties.

Table 1 Probabilities attributed to t2 1 , t5 1 and t12 1 according to the situation in the hall Situation ahead in the hall

P2 1

P5 1

P12 1

Not dangerous in any direction (dgright = 0) AND (dgleft = 0) Dangerous only to the left (dgright = 0) AND (dgleft = 1) Dangerous only to the right (dgright = 1) AND (dgleft = 0) Dangerous in both directions (dgright = 0) AND (dgleft = 1)

PA2 PB2 PC2 PD2

PA5 PB5 PC5 PD5

1 − P2 1 − P2 1 − P2 1 − P2

1 −P5 1 1 −P5 1 1 −P5 1 1 −P5 1

If the person decides to go to the right (or left), after a certain time Kmin and when the situation ahead in the hall is dangerous (enabling function of t6 1 and t14 1 ) he may change his mind and go to the opposite direction. Every time he passes in front of the entrance door, he stops and analyses the situation again (he generates a random number rd by the firing of t4 1 and t13 1 and calculates P2 1 , P5 1 and P12 1 ). In the case he reaches the dead-end of the hall (x = 0), he always changes direction. In the case he reaches the exit door (firing of t9 1 ), he is safe (p6 1 ). While in the hall he may die because of the fire (frI1.C3 (x) > 0) or inhaled smoke (coacc > coacc max ). The next section describes two examples where the proposed approach is applied to the analysis of Fire Safety System control strategies.

1136

E. Villani et al. / Nonlinear Analysis 65 (2006) 1123–1149

Fig. 9. Layout of the main exit.

4. Integration of the Fire Safety System with the HVAC This section applies the proposed approach to the analysis of three control strategies that integrate the Fire Safety System to the HVAC (Heating Ventilation and Air Conditioning) System. The purpose is to analyse which of the three strategies has the best performance in the case of a fire. – Strategy 1: limits the amount of air introduced into the building. In this way, the oxygen available for the fire is reduced, reducing also the speed of fire spread. On the other hand, no oxygen is available also for the people trapped in the building and the smoke is not removed. It is implemented by closing all the HVAC dampers and turning off the fans. – Strategy 2: focuses on removing the smoke and providing fresh air for people’s evacuation. On the other hand, the fresh air also feeds the fire. It is implemented by opening all HVAC dampers and turning on the fans. – Strategy 3: imposes the airflow in the opposite direction of people’s evacuation. This strategy tries to find a compromise between Strategies 1 and 2. It provides fresh air for people’s evacuation and, at the same time, directs the spread of fire. It is implemented by opening the HVAC supply dampers and closing the return dampers near the exit doors, and doing the opposite in the opposite direction. The three strategies are applied to different parts of a commercial building. Due to the limited space, the examples presented in this paper are limited to the evacuation through the main exit of the building (Example 1) and the evacuation of a cinema (Example 2). 4.1. Example 1 The layout of the main exit of Example 1 is presented in Fig. 9. The main exit is located in one of the ends of a hall. There are a restaurant and a kitchen on one of the sides of the hall. Due to the kitchen’s nature, this is an area particularly sensitive to fires. Supposing a fire happens in the kitchen, the fire reaches the hall by one of the three doors (Door 1, 2 and/or 3). The HVAC equipment is composed of a set of air supply and return points distributed along the hall and controlled by dampers. Return and supply fans impose the airflow (Fig. 10). The HVAC equipment is used for the implementation of airflow control strategies when requested by the Fire Safety System. In the case of Strategy 3, the supply dampers on the left side of the entrance door and the return damper on the right side are closed. The remaining dampers are opened. The model of Example 1 is composed of 7 classes: C1 -Person, C2 -Hall, C3 -Fire, C4 -Smoke Detector, C5 -HVAC Management, C6 -Fan, C7 -Damper. There is only one object of classes C2 , C3 , C4 and C5 . There are 2 objects of class C6 and 12 objects of class C7 (6 supply dampers and 6 return dampers). The number of objects of class C1 varies according to the building occupation stipulated for the analysis.

E. Villani et al. / Nonlinear Analysis 65 (2006) 1123–1149

1137

Fig. 10. HVAC equipment—Example 1.

Fig. 11. Model of the class C2 -Hall.

4.1.1. Model of class C1 -Person The model of this class has already been presented in Section 3.3 (Fig. 8). It models the behaviour of an individual during the fire. In this paper, an intermediate solution between the macroscopic and microscopic approaches is adopted. According to the proposed model, each person takes his own decisions and behaves as an independent entity. However, when the person is in the hall, his speed is set according to the amount of people in the hall. The external variable vpI2.C2 of class C2 -Hall models the speed. This model assumes that all the people in the building have similar physical conditions and therefore are able to run at the same speed when subjected to the same environmental conditions. A more detailed model can be build by considering the speed vpI2.C2 as the maximum speed of a person. The current speed would be then determined as a fraction of vpI2.C2 . This fraction can be established using a probabilistic distribution. In this way, it is possible to model percentages of children, aged people and handicapped people among the building occupants. 4.1.2. Model of class C2 -Hall The model of this class is presented in Fig. 11. The only object of this class is O1.2 -Hall and its initial state is illustrated in Fig. 11. The methods provided by t1 2 and t2 2 set the number of people in the hall (Np) according to the method calls of objects of class C1 -Person. The junction functions of t1 2 and t2 2 set the speed (vp) of the people according to the amount of people (Np) in the hall. dp is the portion of the hall area that is occupied by people. The expression of vp is discussed in [10]. K0 , K1 , K2 , K3 , K4 , K5 , K6 and K7 are numerical constants determined empirically according to [10]. Particularly K0 is obtained by dividing the average area of a person by the total area of the hall. This model considers the hall as a single entity. A more detailed model could be implemented by dividing it into zones and calculating different dp and vp for each zone.

1138

E. Villani et al. / Nonlinear Analysis 65 (2006) 1123–1149

Fig. 12. Model of the class C3 -Fire.

4.1.3. Model of class C3 -Fire The model of this class is presented in Fig. 12. From the discrete point of view, there are two possible states for the fire: the fire is still in the kitchen/restaurant and there is only smoke in the hall (place p1 3 ), or the fire has reached the hall (p2 3 ). The variables sm(θ, x) and fr(θ, x) indicate the level of smoke and the presence of fire in the hall. It is important to observe that they are distributed parameters and change not only with the time θ but also with the position x in the hall. fr(θ, x) is a discrete variable. It can be either “0” (no fire) or “1” (fire). The smoke and fire enter the hall through one of the doors (Fig. 9), which is located at xf . The fire reaches the hall (firing of t1 3 ) when the level of smoke reaches a threshold (smxf ≥ K3 ). K1 , K2 and K3 are constant numbers. The variables vsmR.I1.C5, vsmL.I1.C5 , vfrL.I1.C5 , and vfrR.I1.C5 are external variables from class C5 -HVAC Management. They model the growth rate of smoke and fire to the left and to the right, respectively. These rates are set according to the state of HVAC fans and dampers, i.e., according to the strategy implemented by the Fire Safety System. The only object of this class is O1.3 - Fire and its initial state is illustrated in Fig. 12. The fire model presented in Fig. 12 does not consider that the fire can be eliminated from the hall, i.e., the place p1 3 cannot be reached after the firing of t1 3 . The reason is that the equipment that effectively controls the fire, such as the sprinklers, is not included in the model in order to highlight the influence of the HVAC System on the results. 4.1.4. Model of class C4 -Smoke Detector The model of this class is presented in Fig. 13. When the smoke in the hall reaches the threshold of Ksd a fire is detected (firing of t1 4 ). If there is no failure, transition t2 4 fires. An alarm is activated and warns the people in the building (firing of t5 4 ). There is one firing of t5 4 for each person in the building (Nb is the number of people in the building). After warning everyone, the smoke detector communicates the fire occurrence to the object of class C5 -Fire Management, which executes the HVAC strategy (firing of t4 4 ). However, with probability of (1 − Psm OK ) the smoke detector fails and transition t3 4 fires instead of t2 4 . In this case, people are warned with delay (firing of t6 4 ) and the HVAC strategy is not executed (firing of t7 4 ). 4.1.5. Model of class C5 -HVAC Management The model of this class is presented in Fig. 14. In the case of fire, an object of the class C4 -Smoke Detector sends a message to the HVAC Management System informing the detection

E. Villani et al. / Nonlinear Analysis 65 (2006) 1123–1149

1139

Fig. 13. Model of the class C4 -Smoke Detector.

Fig. 14. Model of the class C5 -HVAC Management.

of a fire (firing of t1 5 ). The object of class C5 will then perform the appropriate HVAC strategy (indicated by the variable S. The Fire Safety System supposes that the HVAC System has all the dampers open and fans on. I3 and I4 are auxiliary variables. I3 store the identity of the supply damper that is currently being closed by transition t8 5 , while I4 store the identity of the return damper being closed by transition t10 5 . Ds and Dr are the identity of the last supply and return dampers that must be closed by the HVAC Management System. When S = 1, the fans are switched off (firing of t5 5 and t6 5 ) and the dampers are closed (firings of t8 5 and t10 5 ). In this case, I3 varies from 1 to Ds = 6, and I4 varies from 7 to Dr = 12. When S = 2 no action is taken, since the HVAC System is already in the chosen configuration. When S = 3 only the left supply dampers and right return dampers are closed: I3 varies from 1 to Ds = 3, and I4 varies from 10

1140

E. Villani et al. / Nonlinear Analysis 65 (2006) 1123–1149

Fig. 15. Model of the classes C6 -Fan and C7 -Damper.

to Dr = 12. By firing t11 5 , t3 5 or t12 5 , each strategy sets the variables vsmR , vsmL , vfrR and vfrL with the appropriate values. 4.1.6. Models of classes C6 -Fan and C7 -Damper The models of classes C6 -Fan and C7 -Damper are presented in Fig. 15. Basically, the possible states for the HVAC fans are off (place p1 6 ) and on (place p2 6 ). There are two objects of this class: O1.6 -Supply Fan and O2.6 -Return Fan, both are initially on. Similarly, dampers can be closed (place p1 7 ) and open (place p2 7 ). There are 12 objects of this class: O1.7 -Supply Damper 1, . . . , O6.7 -Supply Damper 6, O7.7 -Return Damper 1, . . . , O12.7 Return Damper 6. All the dampers are initially open. 4.1.7. HVAC strategy analysis Due to the system complexity, analysis results are obtained by Monte Carlo simulation. The R subroutine. The translation follows OO-DPT model of each class is translated into a MatLab the structure of a Petri net token-player. Each object is associated with a set of variables. Each R . class is then implemented as a subroutine and the model is simulated using MatLab For each strategy, the models have been simulated with the building occupancy varying from 1 to 200 people, and considering that the fire enters the hall through each one of the doors. Simulation is interrupted when the hall is completely taken by the fire (fr(0 ≤ x ≤ xL )= 1). An equivalent deterministic model has also being simulated in order to analyse the influence of uncertainty on the results. This deterministic model considers that people always know the escape route, and always go to the right when it is not considered dangerous. Furthermore, the smoke sensor never fails. It uses the OO-DPT model of class C1 -Person presented in Figs. 3–5. The time necessary for computing the models is strongly dependent on the number of people in the building. It also varies according to the simulation parameters, i.e., the Fire Safety System strategy and initial location of the fire. For the same number of people and the same strategy, when the fire begins in the middle of the hall it takes half of the time to fill the hall than when it begins in one of the extremities. For the same initial location and same strategy, the simulation time is approximately proportional to the number of objects in the system, i.e, the number of people in the building. It is important to observe that these results are not valid for other models. The complexity of the class models and, particularly, the complexity of the continuous dynamics, have a major contribution to the simulating time. The fire near Door 3 is the most critical situation and therefore is analysed in detail. The percentage of dead people is presented in Fig. 16. It corresponds to the tokens in place p7 1 (Figs. 3 and 8). The percentage of safely evacuated people is presented in Fig. 17. It corresponds

E. Villani et al. / Nonlinear Analysis 65 (2006) 1123–1149

1141

Fig. 16. Percentage of Dead people—deterministic and probabilistic simulation, Example 1.

Fig. 17. Percentage of Safe people—deterministic and probabilistic simulation, Example 1.

to the tokens in place p6 1 . The remaining people (Fig. 18) are blocked in other rooms and offices of the building (place p2 1 ). By the end of the simulation, the fire has taken the entire hall and they are not able to leave. They must stay there until the fire brigade controls the fire. An important point about the results is that the values of model parameters and probability distributions have been determined based on data provided in [10] and interviews with people from the fire brigade. They have not been checked and therefore are not presented in the paper. One important observation about the number of safe people in deterministic simulation (Fig. 17) is that when a large amount of people try to leave the building at the same time, the agglomeration in the hall reduces the people’s speed to a point that no one is able to leave the hall safely. When comparing with the results of probabilistic simulation, the percentage of safe people is smaller for a small number of people in the building. However, as the number of people increases, probabilistic simulation gives slightly better results than deterministic simulation. This is expected because in probabilistic simulation the time each person takes for reaching the hall is given by a probabilistic distribution (θe and, in the case of sensor failure, θw ). Therefore it attenuates the agglomeration problem.

1142

E. Villani et al. / Nonlinear Analysis 65 (2006) 1123–1149

Fig. 18. Percentage of Blocked people—deterministic and probabilistic simulation, Example 1.

Analysing the number of dead people, Strategy 2 is the one that has a slightly better performance in both deterministic and probabilistic simulations. Basically, both Strategies 1 and 3 augment the amount of smoke on the left side of the corridor, causing some deaths due to inhaled smoke. Regarding the number of deaths, which is the most critical parameter, the results of the probabilistic simulation are significantly worse than those of the deterministic simulation for the three strategies. Basically, a percentage of the people who finish the deterministic simulation as “blocked” becomes “dead” in the probabilistic simulation. In the case of deterministic simulation, these people return to the rooms and offices just in time for not dying. The safety margin for these people is narrow and, in the probabilistic simulation, a wrong decision about the direction in the hall or a second attempt to enter the hall is fatal. These results highlight the importance of adopting policies such as equipment maintenance and people training, which aim at reducing uncertainty and approximating the probabilistic model to the deterministic one. It is interesting to observe that the introduction of uncertainty into the models attenuated the differences among strategies. One of the reasons is that when the smoke detector fails, the HVAC configuration is not modified. This situation is equivalent to choosing Strategy 2. 4.2. Example 2 The second example models the occurrences of fire in a cinema. The cinema layout is illustrated in Fig. 19. It is composed of Nr rows with Ns seats each. It also has two passages (left and right passages) that give access to the two exit doors (left and right door). It is considered that the fire starts somewhere in the rows (at x0 and y0 ). The people on the right of x0 should go to the right and then down through the right passage until they reach the right door. People on the left of x0 should use the left door. HVAC equipment is composed of a set of supply and return fans and dampers. The location of supply and return dampers is presented in Fig. 20. The three HVAC strategies are implemented in a way similar to that of Example 1. For Strategy 1, all dampers are closed and all fans are turned off. For Strategy 2, all dampers are opened and all fans switched on. Strategy 3 opens the supply dampers and closes the return dampers for y ≤ y L /2, and does the opposite for y > y L /2. The model of Example 2 is also composed of 7 classes: C8 -Person, C9 -Row, C10 -Fire, C11 -Smoke Detector, C12 -HVAC Management, C13 -Fan and C14 -Damper.

E. Villani et al. / Nonlinear Analysis 65 (2006) 1123–1149

1143

Fig. 19. Layout of the cinema.

Fig. 20. HVAC configuration in the cinema.

Each person inside the cinema is modelled as an object of class C8 -Person. Each row is modelled as an object of class C9 -Row. The two passages on the left and right side of the rows are also modelled as objects of class C9 -Row. They are the objects Nr +1 and Nr +2, where Nr is the number of rows in the cinema. An object of class C10 -Fire models the current state of the fire in each row and passage. 4.2.1. Model of class C8 -Person The model of this class is presented in Fig. 21. It is structured in a way similar to the class C1 -Person of Example 1. Initially each person in the cinema is seated in a predefined row, at x(θ = 0) and y(θ = 0), watching the film. The number of the row is stored in I1 . When the fire starts, either t1 8 or t17 8 fires. In the case of t1 8 , the smoke detector detects the fire and immediately warns everyone in the cinema. In the case of t17 8 , the smoke detector fails and each person becomes aware of the fire with a delay θw , set according to the probabilistic distribution PD2 . After becoming aware of the fire, the person is in p2 8 and must decide between going to the right (firing of t2 8 ) or to the left (firing of t3 8 ). If he is on the left side of the fire (x ≤ x0 ), he goes to the left with a probability of PA2 and to the right with a probability of (1 − PA2 ). If he is on the right of the fire, PA2 is the probability of going to the right. When going to the right (left), if the situation ahead in the row is dangerous (with fire or the level of smoke too high), he changes direction and starts going to the left (right). When he reaches x = 0 or x = xL , he is on the right or left passage (firing of t6 8 or t7 8 ) and he must decide if he goes up or down the passage (firing of t8 8 or t9 8 ). The decision is made according to the situation ahead in the passage (in both up and down directions). If he goes down, when he reaches y = 0, he exits the cinema (firing of t12 8 ) and is safe. Whenever in the rows or passages the person dies if he is caught by fire or if the amount of inhaled smoke is beyond a certain threshold (firing of t13 8 , t14 8 , t15 8 and t16 8 ).

1144

E. Villani et al. / Nonlinear Analysis 65 (2006) 1123–1149

Fig. 21. Model of class C6 -Person.

The variables I2 and I1 indicate the identities of the objects of class C9 -Row and C10 -Fire that are currently interfacing with the object of class C8 -Person. The speed of the person is set according to the number of people in that row and is indicated by the external variable vpI2.C9 , from the object of class C9 . Similarly, the amount of smoke and the fire are modelled by the external variables frI1.C10 and smI1.C10 , from the object of class C10 . 4.2.2. Models of classes C9 , C10 , C11 , C12 , C13 and C14 With the exception of minor details, classes C9 , C11 , C12 , C13 and C14 are identical to classes C2 , C4 , C5 , C6 and C7 of Example 1. This is an example of model reuse provided by the objectoriented paradigm.

E. Villani et al. / Nonlinear Analysis 65 (2006) 1123–1149

1145

Fig. 22. Percentage of Dead people—deterministic and probabilistic simulation, Example 2.

Class C10 is similar to class C3 . The spread of smoke and fire in a row is modelled in the same way that the spread of smoke and fire in the hall is in Example 1. However, in the case of the cinema, the amount of smoke also varies according to the distance between the current row and the row where the fire began. The spread of fire and smoke from one row to the next up and down rows varies according to the configuration of the HVAC management system. 4.2.3. HVAC strategy analysis The cinema under analysis contains 20 rows with 15 seats per row. The simulations consider that the cinema is always full. Monte Carlo simulation is performed varying the location of the fire starting point and the HVAC strategy. Particularly, the position y0 of the fire starting point varies from the first to the last row. The position x0 of the fire starting point is fixed at xL /2, in the middle of the row. It has not been varied because it is not significant for the analysis of the HVAC strategies. According to the proposed model, the HVAC strategies differ from each other only in what regards the fire and smoke behaviour along the Y axis. The behaviour along the X axis is not affected by the HVAC strategy. Simulation is performed until all the people in the cinema are either dead or safe. In this example there are no blocked people. All the exits in the cinema lead to the outside. When the cinema is completely taken by the fire everyone inside is dead. There are other important differences between this example and Example 1. In the case of Example 1 the fire starting point is not in the hall, but in the neighbouring kitchen and restaurant. All the people must cross the fire initial point (Door 3) before leaving the hall. As a result, no one could leave after the fire has reached the hall. On the contrary, in the case of Example 2, the fire starting point is inside the cinema room, but it is not on the escape route, although it does block the escape route as it grows and reaches the left and right passage. The results obtained using deterministic and probabilistic models are presented in Fig. 22 (percentage of dead people) and Fig. 23 (percentage of safe people). The deterministic model considers that people always follow the escape route and there is no failure in the Fire Safety System equipment. As would be reasonable to expect, the increase in the fire starting point y0 results in a decrease of the number of deaths. Basically, when the fire starts at the back of the cinema, people have

1146

E. Villani et al. / Nonlinear Analysis 65 (2006) 1123–1149

Fig. 23. Percentage of Safe people—deterministic and probabilistic simulation, Example 2.

more time to escape. Furthermore, the number of people that may be blocked (and then dead) when the fire reaches the two passages is smaller than when it starts at the front. It is interesting to observe that the results of this example are the opposite of those obtained for Example 1. Both deterministic and probabilistic simulations shows Strategy 1 as the best strategy and Strategy 2 shows the largest number of deaths in the case of probabilistic simulation. This difference from Example 1 is due to the fact that in Example 2 the amount of inhaled smoke is not significant and most people die because they are caught by the fire. As both Strategies 2 and 3 increases the fire speed in the direction of the exit, they present a large percentage of deaths. An important observation is that the environmental conditions in a cinema are usually different from those in a hall. As a consequence, the two examples do not use the same values for the constant parameters such as fire and smoke spread speeds. Also in contrast to Example 1, in Example 2 the difference between Strategies 2 and 3 is accentuated by uncertainty, although not significantly. There is almost no difference between them in the deterministic simulation. However, in the probabilistic simulation results for Strategy 2 are worse. The reason is that the amount of smoke removed in the case of Strategy 2 is larger than that of Strategy 3. The additional smoke in the case of Strategy 3 prevents people from going in the wrong direction. Another important point is that although probabilistic results are worse, the difference between the deterministic and probabilistic approaches is not as evident as in Example 1. A factor that contributes to this result is the little or no difference in the time that each person takes for starting the escape (θw in the case of smoke detector failure or zero otherwise). In Example 1, this time varies in a significant way. However, in the case of Example 2, people are able to see the fire and start running almost immediately even when the smoke detector fails. 4.3. Toward industrial application The two examples illustrate the flexibility of the proposed approach and how it can be used for the analysis of Fire Safety System strategies. However, an important question that must be answered in order to evaluate the approach is about its applicability in industry. The first point to highlight is that the purpose of the approach is to provide information about systems that cannot be simulated using other tools, such as those presented in Section 2. These

E. Villani et al. / Nonlinear Analysis 65 (2006) 1123–1149

1147

systems are found basically in those buildings described as “intelligent”, or “highly automated”, where the building systems are deeply integrated. As a result, there is a demand not yet supplied for an industrial solution that allows the study of integrated building systems. The main steps for the proposed approach to become an industrial solution are: (1) Development of a computational tool The tool must either simulate the models or automatically convert them to MatLab subroutines. The additional knowledge required from designers should be minimized. (2) Development of a comprehensive library of object models Specific libraries should be proposed for the components of each building system, such as the Fire Safety Systems, HVAC systems, Elevator System, etc. In this way, it is possible to minimize the effort necessary for the development of new systems. One important point about the development of libraries is the assumptions made for each class. These assumptions limit the conditions under which the class models can be used. A closely related question is how to validate object models. As discussed before, the class models presented in this paper have been developed based on previous works and/or the experience of people from fire brigades. No validation has been performed. The development of procedures for the validation of Fire Safety System models is an open area of research. (3) Definition of databases for the class constant parameters Basically, the model of a class should include a database with the values of constant parameters for the most common situations. This problem is closely related to the problem of validation and is also an open area of research. (4) Support for model reuse techniques Other than the direct reuse of classes, the proposed approach also benefits from the objectoriented relationship among classes. Two relationships are particularly important: compositiondecomposition and specialisation-generalisation. The application of these OO relationships to the OO-DPT net is discussed in [36]. Libraries can model the people’s and fire’s behaviour in basic spaces such as halls and rooms. Then, the people’s and fire’s behaviour in a building is easily obtained by the composition and specialisation of the basic classes. 5. Conclusion This paper presents the application of hybrid concepts for the design of Fire Safety Systems. For this purpose uncertainty is incorporated into the OO-DPT net. Its main advantage is the flexibility provided to the designer for testing and analysing innovative control strategies that may emerge as a result of the integration of building systems. This feature is not provided by the Fire Safety System tools commercially available. Another important feature is that the modelling formalism provides the user with the necessary scalability to model complex and large-scale systems by combining simple models of classes. Among the disadvantages of the proposed approach is the analysis exclusively based on Monte Carlo simulation. No other analytical procedure is available at the present date. When the complexity of the models increases, the computational effort required for obtaining reliable results may be prohibitive. However, this restriction also applies to any other available tool for Fire Safety System simulation and analysis. The proposed approach does not impose or limit the level of refinement of the models. It is up to the designer to find a compromise between the level of detail of the models, the necessary accuracy, the available computational resources and the simulation time.

1148

E. Villani et al. / Nonlinear Analysis 65 (2006) 1123–1149

It is important to observe that although this paper focuses on the problem of Fire Safety System, OO-DPT net is a generic modelling proposal and could be applied to systems of other domains. Its adequacy for modelling other hybrid systems with uncertain behaviour depends basically on the system features. The first point to consider is whether or not the discrete and continuous dynamics justify the use of Petri nets and differential equations. Another requirement is that the system must be organized into a collection of objects and classes, where the complexity added by the interaction among objects does not overcome the benefits of the system decomposition. Finally, system uncertainty must be modelled by probabilistic distribution functions, which gives flexibility for modelling different kinds of uncertain behaviour but does exclude those systems where the continuous dynamics is uncertain. Future works must be in the direction of developing a simulation tool for OO-DPT. Acknowledgements This work received financial support of the governmental agencies FAPESP, CNPq and CAPES. Particularly, the authors would like to thank the Kyatera/TIDIA Program, under which the work is developed. References [1] ABNT, NBR 9441 - Sistema de Detecc¸ a˜ o e Alarme de Incˆendio, ABNT, Rio de Janeiro, 1998. [2] H. Alla, R. David, Discrete, Continuous, and Hybrid Petri Nets, Springer Verlag, 2004. [3] P. Antsaklis, X. Koutsoukos, J. Zaytoon, On hybrid control of complex systems: a survey, Journal Europ´een des Syst`emes Automatis´es (JESA) 32 (9–10) (1998) 1023–1045. [4] P. Antsaklis, X. Koutsoukos, Hybrid systems: Review and recent progress, in: T. Samad, G. Balas (Eds.), SoftwareEnabled Control: Information Technologies for Dynamical Systems, IEEE Press, 2003. [5] H. Arkin, M. Paciuk, Service system integration in intelligent buildings, in: Proceedings of IB/IC Intelligent Buildings Congress, Tel-Aviv, Israel, 1995, pp. 19–30. [6] R.W. Bukowski, R.D. Peacock, W.W. Jones, C.L. Forney, Technical Reference Guide for the HAZARD I Fire Hazard Assessment Method, vol. 2, NIST Handbook 146/II, National Institute of Standards and Technology, 1991. [7] C. Cassandras, S. Lafortune, Introduction to Discrete Event Systems, Kluwer Academic Publishers, 1999. [8] R. Champagnat, P. Esteban, H. Pingaud, R. Valette, Petri net based modelling of hybrid systems, Computers in Industry 36 (1–2) (1998) 139–146. [9] T. Deibjerg, B.P. Husted, H. Bygbjerg, D. Westerman, ARGOS user’s guide—A step by step guide to fire simulation, Danish Institute of Fire Technology (DIFT), 2003. [10] R.F. Fahy, High rise evacuation modelling—Data and application, in: Proceedings of 13th Meeting of UJNR Panel on Fire Research and Safety, Gaithersburg, 1997, pp. 35–42. [11] Fluent Inc, Fluent/UNS and Rampant 4.2 User’s Guide, 1997. [12] H. Genrich, Predicate/transition Nets, in: Lecture notes in Computer Science (Petri Nets: Central Models and their Properties, Advances in Petri Nets 1986, Part I), vol. 254, 1987, pp. 207–247. [13] H. Gueguen, M. Lefebvre, A comparison of mixed specification formalisms, Journal Europ´een des Syst`emes Automatis´es (JESA) 35 (4) (2001) 381–394. [14] S. Gwynne, E.R. Galea, P.J. Lawrence, L. Filippidis, Modelling occupant interaction with reconditions using the building EXODUS evacuation model, Fire Safety Journal 36 (2001) 327–357. [15] S. Gwynne, E.R. Galea, M. Owen, P.J. Lawrence, L. Filippidis, A review of the methodologies used in the computer simulation of evacuation from the built environment, Building and Environment 34 (1999) 741–749. [16] J.P. Hespanha, Stochastic hybrid systems: Application to communication networks, in: R. Alur, G.J. Pappas (Eds.), Hybrid Systems: Computation and Control, in: Lecture notes in Computer Science, vol. 2993, 2004, pp. 387–401. [17] G. Horton, V.G. Kulkarni, D.M. Nicol, K.S. Trived, Fluid stochastic Petri nets: Theory, applications and solution, NASA CR-198274 ICASE Report No. 96-5, Inst. for Computer Applications in Science and Eng., NASA Langley Research Center, Hampton, 1996. [18] W.W. Jones, R.D. Peacock, G.P. Forney, P.A. Reneke, CFAST, Consolidated Model of Fire Growth and Smoke Transport (Version 5), Technical Reference Guide, NIST SP 1030, 2004.

E. Villani et al. / Nonlinear Analysis 65 (2006) 1123–1149

1149

[19] V.V. Kafidov, Social and economical importance of fire safety system, Fire Safety Journal 28 (2) (1997) 188–189. [20] H. Kl¨upfel, T. Meyer-K¨onig, M. Schreckenberg, Microscopic modelling of pedestrian motion, in: Proceedings of Int. Conf. on Pedestrian and Evacuation Dynamics, Berlin, 2001, pp. 63–71. [21] P.C. Lichtner, FLOTRAN User Manual. Report LA-UR-01-2349, Los Alamos National Laboratory, Los Alamos, 2000. [22] T.J. Lightfoot, G.J. Milne, Modelling emergent crowd behaviour. in: Proceedings of the 1st Australian Conf. on Artificial Life, Canberra, 2003, pp. 159–169. [23] M. Medjoudj, S. Khalfaoui, H. Demmou, R. Valette, A method for deriving feared scenarios in hybrid systems in: Proc. of Probabilistic Safety Assessment and Management, PSAM’7 - ESREL’04, Berlin, Germany, 2004, p. 6. [24] T. Murata, Petri nets: Properties, analysis and applications, Proceedings of the IEEE 77 (4) (1989) 541–580. [25] K. Nakamura, T. Tanaka, Predicting capability of a multiroom fire model, in: Proc. of the Second International Symposium on Fire Safety Science, Tokyo, 1988. [26] NFPA, Fire Protection Handbook, sixteenth edn, Quincy, MA, 1997. [27] S.M. Olenick, D.J. Carpenter, An updated international survey of computer models for fire and smoke, Journal of Fire Protection Engineering 13 (2003) 87–110. [28] F.A. Ozel, Stochastic computer simulation of the behavior of people in fires: An environmental cognitive approach. in: Proceedings of the International Conference on Building Use and Safety Technology, 1985. [29] G. Pola, M.L. Bujorianu, J. Lygeros, M.D. Di Benedetto, Stochastic hybrid models: An overview in: IFAC Conference on Analysis and Design of Hybrid System, ADHS, St Malo, 2003. [30] L.S. Poon, V.R. Beck, Evacsim: Simulation model of occupants with behavioural attributes in emergency evacuation of high rise building, in: Proceeding of Fourth International Symposium on Fire Safety Science, 1994, pp. 681–692. [31] E. Reisser-Weston, Simulating human behaviour in emergency situations. in: Proc. of the International Conference of Escape, Fire, and Rescue, RINA, 1996. [32] J. Rumbaugh, I. Jacobson, G. Booch, The Unified Modeling Language Reference Manual, second edn, AddisonWesley Longman, Inc., Harlow, 2004. [33] C. Valentin-Roubinet, Hybrid dynamic systems verification with mixed Petri nets, in: Proceedings of the Symposium on Automation of Mixed Processes: Hybrid Dynamic Systems, ADPM, Dortmund, 2000, pp. 231–236. [34] K. Wolter, Modelling hybrid system with fluid stochastic Petri net, in: Proceedings of the 4th Int. Conference on Automation of Mixed Processes: Hybrid Dynamic Systems, ADPM 2000, Shaker Verlag, Aachen, 2000, pp. 287–292. [35] J.K.W. Wong, H. Li, S.W. Wang, Intelligent building research: A review, Automation in Construction 14 (1) (2005) 143–159. [36] E. Villani, J.C. Pascal, P.E. Miyagi, R. Valette, A Petri-net based object-oriented approach for the modelling of hybrid productive systems, Nonlinear Analysis 68 (8) (2005) 1394–1418. [37] E. Zukoski, T. Kubota, Two-layer modelling of smoke movement in building fires, Fire and Materials 4 (1) (1980) 17–27.