Microelectron. Reliab., Vol. 31, No. 6, pp. 1257-1267, 1991. Printed in Great Britain.
0026-2714/91 $3.00 + .00 © 1991 Pergamon Press plc

SAFETY-MODELLING ON NEURAL NETWORKS

MAMOUN SULIMAN
Department of Electrical Engineering, Southern Illinois University, Carbondale, IL 62901, U.S.A.

(Received for publication 10 August 1990)
Abstract
Safety modelling of fault-tolerant hardware is as important as reliability modelling for some applications. Neural networks are employed in this paper to realize the safety model of a Duplex system under design. The failure rate which is adequate for the desired safety of the hardware is acquired from the neural weights at convergence.
1. Introduction
In many applications of fault-tolerant hardware, the reliability is not the only consideration. The reliability of the system simply accounts for the probability that the system will perform its functions appropriately. Nevertheless, in many cases the designer will also be interested in the safety of the system. In other words, if for any reason the hardware fails, then it should fail in a safe manner, that is without messing with the functions it is used to perform, or exposing the operators/users to hazards and life-threatening risks. An aircraft automatic navigational system (autopilot) should indicate and warn for any imminent failure so that the pilot may take control in proper time. Likewise, a robot control system is always designed with safety considerations to avoid any harm to the user in case of a malfunction. A system fails safely when the failure does not produce an incorrect action from the system. The Duplex (standby spare) system is one of the well-established fault-tolerant models. Hence, it is used in this paper to illustrate how neural networks can be applied in safety design of hardware. A feedforward recursive neural network is set to realize the discrete-time Markov model of the Duplex system. An energy function and update equations for the neural weights are established using the least mean square, gradient-descent learning rule. The initial conditions satisfying the assumption that the hardware starts operation when the on-line and spare modules are fault-free, the coverage factor, and the desired safety for the design are injected into the neural network. The design failure rate for the hardware is attained as a function of the neural weights at convergence. The simulation results of the neural realization are verified and presented.
2. Duplex hardware
The Duplex system (Standby Spare system) [2,3] consists of two identical modules as illustrated in Figure 1. The active on-line, or hot, module is used to perform the functioning, and the cold, or spare, module is waiting (standby) to be switched in against the active module failure. Self-diagnostics are used as the only means of fault detection with the coverage factor C.

Figure 1 - A basic configuration of a Duplex system (on-line module, standby spare, switch, input, output)

1) the on-line module has failed and the spare has been successfully switched on-line, or 2) the spare has failed, the failure has been detected, and the spare has been taken out of service. State (FS) occurs when both the on-line module and the spare module have failed and both failures are detected and adequately handled. The system is non-operational, but safe, in state (FS). State (FU), representing the condition that the system has failed in an unsafe manner, can be entered in two ways: through the undetected failure of the active module, or through the undetected failure of the spare module and the subsequent use of the spare when the hot module fails. In both cases, the system is operating with modules that have undetected failures. In state (US), the system continues to perform its duties since the on-line module has not failed although the spare has failed in an undetected manner. The undetected failure of the spare results in a faulty module being substituted for the hot module in case of a detected failure in the latter. The equations for the Markov model of the standby spare system can be written as:
$$P_{(1,1)}(t+\Delta t) = (1 - 2\lambda\Delta t)\,P_{(1,1)}(t)$$
$$P_{(1,0)}(t+\Delta t) = 2\lambda\Delta t\,C\,P_{(1,1)}(t) + (1 - \lambda\Delta t)\,P_{(1,0)}(t)$$
$$P_{FS}(t+\Delta t) = \lambda\Delta t\,C\,P_{(1,0)}(t) + P_{FS}(t)$$
$$P_{FU}(t+\Delta t) = \lambda\Delta t(1-C)\,P_{(1,1)}(t) + \lambda\Delta t(1-C)\,P_{(1,0)}(t) + P_{FU}(t) + \lambda\Delta t\,P_{US}(t)$$
$$P_{US}(t+\Delta t) = \lambda\Delta t(1-C)\,P_{(1,1)}(t) + (1 - \lambda\Delta t)\,P_{US}(t)$$
(1)
The standby sparing system will be completely operational as long as it is in one of three states, state (1,1), state (1,0), or state (US). So the reliability of the standby sparing system can be written as
$$R(t) = P_{(1,1)}(t) + P_{(1,0)}(t) + P_{US}(t)$$
(2)
Safety is defined as the probability of the system either operating correctly, or fail-safe. The Duplex system will be safe as long as it is in one of four states, state (1,1), state (1,0), state (FS), or state (US). The safety can be written as

$$S(t) = P_{(1,1)}(t) + P_{(1,0)}(t) + P_{US}(t) + P_{FS}(t)$$
(3)
3. Neural Realization
A feed-forward recursive neural network [1,4] having two layers comprising 10 neurons, Figure 2, is set to realize the discrete-time Markov model of the Duplex hardware. The input-output relations of the neural network are governed by the transition matrix entries of the Markov model and have at any time t of operation

$$X_1 = P_{(1,1)}(t),\quad X_2 = P_{(1,0)}(t),\quad X_3 = P_{FS}(t),\quad X_4 = P_{US}(t),\quad X_5 = P_{FU}(t)$$
(4)
where $X_i$ represents the neural input. The initial conditions are given by $X_1 = 1$ and $X_2 = X_3 = X_4 = X_5 = 0$.
Figure 2 - Discrete-time Markov model of the Duplex system
Also, at any time $t + \Delta t$,

$$Y_1 = P_{(1,1)}(t+\Delta t),\quad Y_2 = P_{(1,0)}(t+\Delta t),\quad Y_3 = P_{FS}(t+\Delta t),\quad Y_4 = P_{US}(t+\Delta t),\quad Y_5 = P_{FU}(t+\Delta t)$$
(5)

where $Y_i$ is the output of neuron i in the output layer. Now if $W = \lambda\Delta t$ then:
$$W_{11} = 1 - 2W,\quad W_{21} = 2WC,\quad W_{22} = 1 - W,\quad W_{32} = WC,\quad W_{33} = 1,$$
$$W_{41} = W(1-C),\quad W_{44} = 1 - W,\quad W_{51} = W_{52} = W(1-C),\quad W_{54} = W,\quad W_{55} = 1$$
(6)

where $W_{ii}$ gives the self weight of state i, while $W_{ji}$ describes the feed path directed from state i to state j (i, j = 1, 2, ..., 5). The energy function for the neural network is obtained [1] by the quadratic equation
$$E = \sum_{i=1}^{5} (Y_i - D_i)^2$$
(7)
where $Y_i$ is the actual output of neuron i in the output layer, corresponding to the probability of the system being in state i; $D_i$ is the desired output of neuron i, equivalent to the design requirement of the probability of the system being in state i for a specified time of operation, and is determined from the target reliability/safety of the design. The update equation for the weight W is derived using the gradient-descent learning procedure [1] as follows. The change in the weight W, given by $\Delta W$, is related to the energy function by the formula

$$\Delta W = -k\,\frac{\partial E}{\partial W}$$
(8)

where k is a constant of proportionality. Now by the chain rule

$$\frac{\partial E}{\partial W} = \sum_{m=1}^{5} \frac{\partial E}{\partial Y_m}\,\frac{\partial Y_m}{\partial W}$$
(9)

and so, from equations (7) and (8), it is deduced that

$$\Delta W = -2k \sum_{m=1}^{5} (Y_m - D_m)\,\frac{\partial Y_m}{\partial W} = -2k \sum_{m=1}^{5} \mathrm{error}_m\,\frac{\partial Y_m}{\partial W}$$
(10)

where $\mathrm{error}_m = (Y_m - D_m)$, or the difference between the actual and the desired outputs of neuron m in the output layer. Now applying equations (1), , and (4-6), the above equation (9) will yield the following update formula:

$$\Delta W = K\,[\,-2X_1(Y_1 - D_1) + (2CX_1 - X_2)(Y_2 - D_2) + CX_2(Y_3 - D_3) + ((1-C)X_1 - X_4)(Y_4 - D_4) + ((1-C)(X_1 + X_2) + X_4)(Y_5 - D_5)\,]$$
$$\Delta W = K\,\{\,-2X_1\,\mathrm{error}_1 + (2CX_1 - X_2)\,\mathrm{error}_2 + CX_2\,\mathrm{error}_3 + ((1-C)X_1 - X_4)\,\mathrm{error}_4 + ((1-C)(X_1 + X_2) + X_4)\,\mathrm{error}_5\,\}$$
(11)

where K is a constant.
4. Simulation Results
A computer program is written to simulate the neural realization of the Duplex system for a desired safety S(t) = 0.9 where t = 10 hours; Δt = 0.1 seconds. The algorithm is run for different values of the coverage factor, 0 ≤ C ≤ 1, and with the same value of the initial weights. The simulation results are presented in Table 1. The initial failure rate, corresponding to the initial weights, is denoted by λI. The design failure rate, given by λc, which is extracted from the neural weights at convergence, the different values of the probabilities of the different states that match the desired safety of the system, and the number of iterations (N) in the convergence cycle of the neural network are also shown in Table 1. Note that no valid results for C = 1 exist since the safety of the system will be unity (or 100%) and so the neural network will never converge to a desired safety of 0.9 for unity coverage. Therefore C = 1 is skipped in the simulation. It is observed from Table 1 that the higher the coverage factor is, the more tolerant is the hardware for a higher value of the failure rate to achieve the same safety requirements. This important and fundamental concept is further illustrated in Figure 4 which plots the design failure rate versus the different values of coverage. The details of the simulation results are more highlighted in Figures 5-8 which focus on the entry of Table 1 for C = 0.25 (see third row of table). Figure 5 shows the variation of safety and the failure rate through the different iterations of the convergence cycle. It is clear that the network finishes the first iteration with approximately a unity safety corresponding to the initial failure rate λI, and converges in the 6th iteration to the desired safety, within a programmed accuracy of ± 0.001, giving the design failure rate λc.

Table 1 - Simulation results (values at convergence; λI and λc in units of 10^-3)

C      λI      λc      P(1,1)  P(1,0)  P(US)   P(FS)   P(FU)   N
0.00   31.68   10.464  0.8112  0.0000  0.0895  0.0000  0.0993  05
0.10   31.68   11.730  0.7909  0.0197  0.0886  0.0001  0.1007  03
0.25   31.68   13.923  0.7569  0.0565  0.0848  0.0011  0.1007  06
0.50   31.68   20.086  0.6692  0.1489  0.0744  0.0083  0.0992  05
0.75   31.68   38.494  0.4631  0.3261  0.0544  0.0574  0.0990  21
0.90   31.68   99.983  0.1354  0.4186  0.0232  0.3236  0.0992  13

Figure 3 - Neural realization of the Duplex system (outputs Y1 to Y5)

Figure 4 - Simulation results plot (design failure rate versus coverage factor, 0.0 to 1.0)

Figure 5 - Convergence data (I): safety and failure rate versus number of iterations (N)

Figure 6 - Convergence data (II): versus number of iterations (N)

Figure 7 - Convergence data (III): versus number of iterations (N)

Figure 8 - Convergence data (IV): versus number of iterations (N)
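The model and learning rule above can be exercised with the following Python code, an added example that is not the paper's own program: it builds the transition matrix of equation (6), propagates the Duplex model over t = 10 hours while carrying the dY/dW terms with the same coefficients as equation (11), and fits the failure rate to the desired safety of 0.9 from the paper's initial rate λI = 31.68 x 10^-3, so the result can be compared with the λc column of Table 1. Assumptions not taken from the paper: the energy function is written directly on S(t) rather than on per-state desired outputs D_i, the constant-gain update is replaced by a Gauss-Newton step, and Δt = 0.01 h is used instead of 0.1 s.

```python
def transition(w, c):
    """W_ji of equation (6): row j = next state, column i = current state,
    states ordered (1,1), (1,0), FS, US, FU; w = lambda*dt, c = coverage."""
    return [[1 - 2*w, 0,       0, 0,     0],
            [2*w*c,   1 - w,   0, 0,     0],
            [0,       w*c,     1, 0,     0],
            [w*(1-c), 0,       0, 1 - w, 0],
            [w*(1-c), w*(1-c), 0, w,     1]]

def d_transition(c):
    """dW_ji/dw: the rows are exactly the coefficients of update formula (11)."""
    return [[-2,    0,     0,  0, 0],
            [2*c,  -1,     0,  0, 0],
            [0,     c,     0,  0, 0],
            [1 - c, 0,     0, -1, 0],
            [1 - c, 1 - c, 0,  1, 0]]

def matvec(m, v):
    return [sum(a*b for a, b in zip(row, v)) for row in m]

def propagate(lam, c, t=10.0, dt=0.01):
    """Run the chain from the fault-free start X1 = 1 for t hours in steps of dt.
    Assumption: dt = 0.01 h (the paper uses 0.1 s) to keep the loop short.
    Returns the state probabilities x and their derivatives s = dx/dlambda."""
    m, dm = transition(lam*dt, c), d_transition(c)
    x, s = [1.0, 0.0, 0.0, 0.0, 0.0], [0.0]*5
    for _ in range(round(t/dt)):
        # chain rule per step: d(Mx)/dlambda = M*dx/dlambda + (dM/dw)*(dw/dlambda)*x, dw/dlambda = dt
        s = [a + dt*b for a, b in zip(matvec(m, s), matvec(dm, x))]
        x = matvec(m, x)
    return x, s

def safety(x):      return x[0] + x[1] + x[2] + x[3]   # equation (3)
def reliability(x): return x[0] + x[1] + x[3]          # equation (2)

def fit_failure_rate(c, target=0.9, lam0=31.68e-3, tol=1e-4, max_iter=50):
    """Minimise E = (S(t) - target)^2 over the single weight lambda, starting
    from the paper's initial rate lambda_I. Assumption: Gauss-Newton step
    (gradient normalised by (dS/dlambda)^2) instead of the constant gain K."""
    lam = lam0
    for n in range(1, max_iter + 1):
        x, s = propagate(lam, c)
        err = safety(x) - target
        if abs(err) < tol:
            return lam, x, n                    # design failure rate, states, N
        ds = s[0] + s[1] + s[2] + s[3]          # dS/dlambda
        if abs(ds) < 1e-6:                      # C = 1 gives S = 1 for every lambda
            raise RuntimeError("safety is independent of lambda; no convergence")
        lam -= err / ds
    raise RuntimeError("no convergence within max_iter")
```

For C = 1 the safety is unity for every λ, so the fit raises instead of converging, which is the case the text above skips.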
The changes in the probabilities of states (1,1), (1,0), (FS), and (US) in the convergence cycle are illustrated in Figures 6-7. Note the decrease of the magnitude of P(1,1) at convergence compared with that of the first iteration, opposite to the increase in the values of the probabilities of the other states. The reliability of the neural network in the different stages of the convergence period is plotted with the unsafety values in Figure 8. The first iteration gives approximately a unity reliability corresponding to a near zero unsafety, while the convergence iteration presents a 0.8982 reliability to match the desired unsafety of 0.1 (0.9 safety) within the accuracy margin mentioned before.

5. Conclusion
The safety model of the Duplex system is realized successfully with a feedforward recursive neural network. The simulation results emphasize and support the validity and stability of the new neural network approach [1] to reliability/safety and fault-tolerance design techniques.
References

[1] Mamoun Suliman and Mahmoud Manzoul, "Neural Network Realization of Markov Reliability and Fault-Tolerance Models," Microelectronics and Reliability, (accepted for publication), 1990.

[2] Johnson, Barry, Design and Analysis of Fault Tolerant Digital Systems, Addison-Wesley P. Co., 1989.

[3] S. Osaki and T. Nishio, Reliability Evaluation of Some Fault-Tolerant Computer Architectures, Lecture Notes in Computer Science, 97, Springer-Verlag, Berlin, 1980.

[4] J. McClelland and D. Rumelhart, Explorations in Parallel Distributed Processing, MIT Press/Bradford Books, Cambridge, Massachusetts, 1988.