Functional survivability analysis of structurally complex technical systems

Aim. The paper analyzes the functional survivability of structurally complex technical systems. This approach is an evolution of the structural survivability paradigm, in which the system/element failure criterion is binary. The paper shows that, given a wide variety of probabilistic scenarios of adverse effects (AE) on a system, an invariant model kernel can be identified that is responsible for the interpretation of functional redundancy. The aim is to identify, within acceptable computational time, the proportion of retained operable states when a fixed number u of elements is disabled as a result of AE. In this case the analysis of the survival law is conducted at the confluence of functional redundancy analysis and probabilistic AE models of arbitrarily wide variety. Methods. A technical system is considered a controllable cybernetic system equipped with specialized survival facilities (SF). System survivability analysis uses logical and probabilistic methods, as well as results of the combinatorial theory of random allocation. It is assumed that: a) AEs are localized and single (one effect affects exactly one element); b) each of the system's elements has binary logic (operability or failure) and zero resilience, i.e. destruction after one effect is guaranteed. Subsequently this assumption is generalized to the case of r-fold AEs and L-resilient elements. Results. The paper reconstructs a number of variants of the destruction law and survivability functions of technical systems. It is shown that those distributions are based on ordinary and generalized Morgan numbers, as well as Stirling numbers of the second kind, which can be computed using the simplest recurrence formulas.
When the assumptions of the mathematical model are generalized to the case of r-fold AEs and L-resilient elements, the generalized Morgan numbers involved in the estimation of the destruction law are identified using random allocation theory by means of n-fold differentiation of the generating polynomial. In this case it does not appear possible to establish a recurrence relation between the generalized Morgan numbers. It is shown that under homogeneous assumptions regarding the survivability model (equally resilient system elements, equally probable AEs), the kernel of the system survivability function, regardless of the destruction law, is the functional redundancy vector F(u, ε), where u is the number of affected elements, ε is the system's limiting efficiency criterion, below which its functional failure is diagnosed, and F(u, ε) is the number of system states that are operable in terms of ε under u failures (destructions) of its elements. Conclusions. Point models of survivability are an excellent tool for express analysis of structurally complex systems and tentative estimation of survivability functions. The simplest assumptions of structural survivability can be generalized to cases in which the system's operability logic is not binary but is associated with the level of system operation efficiency. In this case we must speak of functional survivability. The NP-hard computational complexity of the survivability evaluation problem does not allow solving it by simple enumeration of system states and AE variants. Ways must be found of avoiding simple enumeration, e.g. by conversion of the system operability function and its decomposition by means of generalized logical and probabilistic methods.


Introduction.
In [1][2][3], technical survivability is defined as the property of a structurally complex technical system to maintain its operability under a wide spectrum of adverse effects (AE).
If we speak of survivability as a function of structural redundancy, this is structural survivability. If the system's functional efficiency and its capability to maintain at least part of its functionality are evaluated, we speak of functional survivability. Our understanding is that structural survivability is a special property of functional survivability, one that is primarily ensured by the presence of structural redundancy in the system together with specialized survivability facilities (SF).
At this point we must specify some terms. First, let us compare the categories of "dependability" and "survivability". From our perspective, the conceptual separation of the above properties runs along the line of the causes of operability deterioration and the associated reduction or complete loss of functional efficiency of a technical system. In dependability those are strictly internal causes that produce failures and faults; in survivability those are strictly external causes of operability deterioration (destruction) of individual elements. "Destruction" can be understood either as failures and faults or as direct destruction of elements caused by AE. Energy engineers working with large systems do not agree with this terminological separation (in their practice survivability per [4] is a separate special property of dependability). Computer system developers also think that survivability is a special case of dependability (e.g. see [5, p. 179]); there it is synonymous with fault tolerance. In this paper we ignore the above differences and understand survivability as stated above.
We must also separate the definitions of structural and functional survivability. A similar separation is made in [6,7] in the context of information system dependability. I.B. Shubinsky holds that structural dependability is the dependability of products (objects, elements, systems), while functional dependability is the dependability of service provision (performance of the processes of collection, processing and transmission of information and management of subordinate objects). We do not completely agree with this dichotomy, at least as regards technical systems. What is stated above is, in our opinion, functional dependability in the narrow sense. But if we associate the property of the system's functional dependability with the property of its efficiency, the structure evidently contributes to functional dependability. If dependability is not ensured at the level of system components, and if the available structural redundancy is not properly managed, functional dependability is not ensured either. It turns out that functional dependability understood in the wide sense contains the specific properties of structural dependability and of functional dependability in the narrow sense. Equally, structural survivability is a separate specific property of functional survivability in the wide sense, as we noted at the very beginning of the paper.
The interpretation that we indirectly propose is substantiated as part of functional survivability standardization. Such standardization proceeds along two lines: the line of standard accepted efficiency and the line of maximum allowed probability of system survival. The stricter the standard requirement on the lowest allowed level of retained system efficiency after AE, the less structural redundancy can be expected to be available in the course of survival, the lower the survival probability will be, and the stricter the requirements on the SF must be (SFs are formally only assigned to the technical system and are not its components). Naturally, the opposite is also true: the softer the requirements on efficiency, the higher the contribution of structural redundancy to the system's survival.
Here a line must be drawn between structural redundancy and functional redundancy in the narrow sense. In [6, p. 18], redundancy is the property of most existing technical objects (systems) to be able to perform more functions than required and to have more resources than required for the performance of only the required functions. In our opinion that is the definition of functional redundancy in the wide sense, which encompasses structural redundancy and functional redundancy in the narrow sense (the capability to perform the same work by different means [6, p. 48]). The level of functional redundancy in the wide sense is defined in close connection with the standard level of efficiency. For example, if during a special period it is required to maintain 10% of the output capacity of a power system after AE (the level of the emergency reserve), that corresponds to the maximum level of functional redundancy accumulated by the system under normal operating conditions.
Let us touch upon the integration of various types of redundancy for the purpose of survivability (in [6] such integration is called multilevel redundancy). Structural redundancy and functional redundancy in the narrow sense always act together. A separate role is played by the information and algorithmic redundancy concentrated in the control supersystem of the object's systems. As for the redundancy of the SF, it is localized outside the technical system. For instance, in the context of special military facilities, the appropriate SFs are assigned to all technical systems within the facility together rather than being part of any one of them. Accordingly, we cannot assert that redundancy within a system and redundancy of the SFs are integrated for the purpose of ensuring system survivability. They operate in different ways, which is clearly seen in simulation (we will emphasize this further).
Given the above, the indicator of functional survivability should be the probability R(n, ε) of the system retaining functional efficiency at level ε (in fractions of its standard level) under n AEs [2,3]. The derived indicator of structural survivability as a separate special property is this probability evaluated at ε = 1 [2,3].
The central methodological problem of survivability science is that AEs are not stochastic: they manifest themselves as single events that cannot be interpreted in terms of classical probability theory. Switching from statistical to axiological probabilities in the course of AE scenario definition is a makeshift solution used temporarily for the purpose of identifying the property of survivability. On the whole, the probabilistic concept of survivability is in decline. In the new scientific paradigm there are two main approaches to survivability analysis:
• transition from the probabilistic description of AEs and of the system's reaction to them to fuzzy set models; this subject requires separate consideration and is not examined in this paper;
• design of a feasible AE test of the system (not claiming high accuracy in simulating real AEs) and association of the designed AE test with the system's reaction to it. The purpose of such a simulation experiment is to make the system manifest its survivability property and to quantify the degree of that manifestation. In this case the system will primarily demonstrate its structural and functional redundancy: it will degrade under AE not immediately but gradually, retaining some resilience to the effects. Among other things, such gradual degradation is ensured by efficient algorithms of system reconfiguration and exclusion of destroyed fragments (a manifestation of functional redundancy in the narrow sense).
As of today, the most evident scientific results have been achieved with the so-called point model of AE, in which an AE is aimed at destroying an individual system element with binary operation (operability or failure). This model is easily generalized to the case of r-fold AEs and a system with L-resilient elements [8]. In this paper we demonstrate the application of this approach.
Thus, the aim of this paper is to establish the connection between functional survivability and redundancy in structurally complex systems by identifying it by means of AE tests of two types:
• independent strategy: an AE against a given system element can repeat;
• dependent strategy: a system element previously affected by an AE cannot be targeted by an AE again.
This paper examines equally probable AEs (in the axiological sense), i.e. there is no AE preference pattern. This can be compared to a system with homogeneous dependability, in which all elements have the same probability of no failure. The result can be generalized to the case of different AE probabilities in a complete group of events, but that would in no way contribute to the aim of this paper. Additionally, we are ready to prove that the redundancy we have identified manifests itself under a wide spectrum of AEs, and the monotonicity of survivability in redundancy (the more redundant the system, the more survivable it is) will be scientifically substantiated.

A brief description of the approach to survivability analysis used in this paper
There is a well-known Shannon formula for the reliability of structurally complex homogeneous non-renewable technical systems [9, p. 161] (formula (1)), where t is the reliability evaluation period, p(t) is the probability of no failure of an individual system element, and F_N(u), u = 0…N, is the number of operable system states under the condition that u of its elements have failed within the reliability evaluation period t. Equivalently, in dependability theory F_N(u) is the number of u-element sets of failed elements that do not form a cut set. We can also write F_N(u) = F_N(u, ε = 1), making provision for the possible extension of the structural model to the level of functional redundancy in the general sense.
Formula (1) can be rewritten as formula (2), where (3) is the unconditional probability law of occurrence of exactly u failures in a system of N elements within time t (naturally, here it is the binomial law of the standard Bernoulli scheme), and (4) is the conditional probability that the system remains operable if u random elements are removed from it.
Formula (3) can be named the law of degradation (in the case of dependability) or the law of destruction (in the case of survivability). It is the model of how natural failures or AEs are distributed over the system and cause degradation of its structure and functionality.
Let us return to the problem of functional survivability analysis. If the AE strategy is dependent (elements of the system are chosen consecutively, one after another, without repetition), the survivability function is the probability that the system retains operability under n single AEs [1-8] (formula (5)). The * sign indicates that survivability was evaluated on the assumption of the dependent strategy. Naturally, in the case of the dependent strategy n ≤ N. We can rewrite (5) as (6), where the conditional probability is defined from (4), extended to the case ε < 1, while Pr_N(n, u), the destruction law for the case when under n AEs exactly u out of N system elements are affected, is given by formula (7). If the AE strategy is independent, the number n can be arbitrary, and in this case the destruction law takes the form (8) [1-8], where M(n, u) are Morgan's combinatorial numbers. The Morgan numbers satisfy the partition identity (9) [6]. Destruction law (8) can be extended to the case of r-fold AEs, when the scope of a single AE simultaneously covers r elements. In this case [4] the destruction law Pr_N(n, u, r) is expressed through the generalized Morgan numbers M(n, u, r) for r-fold AEs (formula (10)). As with (9), a partition identity (11) can be written. A distribution of type (10) could be named the Markov-Nedosekin distribution, as A.A. Markov first suggested a particular special case of this distribution (quoted per [18]), while A.O. Nedosekin first formulated this generalization [14]. Under r = 1, (10) reduces to (8).
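The following is an added worked derivation, not the paper's own typeset equations (which are not reproduced on this page): it writes out what the destruction laws of the form (7), (8) and (10), the partition identities (9) and (11), and the survival law (6) become when the AE strategies are read as uniform random allocation of AEs over elements. The closed inclusion-exclusion form of M(n, u, r) is an assumption made here; the paper obtains the generalized Morgan numbers by differentiating a generating polynomial.

Dependent strategy: the n AEs hit n distinct elements, so $\Pr_N(n,u) = 1$ for $u = n$ and $0$ otherwise, and (6) collapses to

$$R^{*}(n) = \frac{F_N(n,\varepsilon)}{\binom{N}{n}}, \qquad n \le N.$$

Independent strategy, $r = 1$: each AE picks one of the $N$ elements uniformly, so the $N^n$ AE sequences are equiprobable; the number of sequences that hit exactly a fixed set of $u$ elements is the surjection count

$$M(n,u) = \sum_{j=0}^{u} (-1)^{j} \binom{u}{j} (u-j)^{n} = u!\,S(n,u), \qquad M(n,u) = u\,[M(n-1,u) + M(n-1,u-1)],\quad M(0,0) = 1,$$

with $S(n,u)$ the Stirling numbers of the second kind, hence

$$\Pr_N(n,u) = \binom{N}{u}\frac{M(n,u)}{N^{n}}, \qquad \sum_{u=0}^{N} \binom{N}{u} M(n,u) = N^{n},$$

the second equality holding because every sequence hits exactly one value of $u$ (a partition identity of the form (9)).

$r$-fold AEs: each AE picks an $r$-subset uniformly among the $\binom{N}{r}$ possible ones, so

$$M(n,u,r) = \sum_{j=0}^{u} (-1)^{j} \binom{u}{j} \binom{u-j}{r}^{n}, \qquad \Pr_N(n,u,r) = \binom{N}{u}\frac{M(n,u,r)}{\binom{N}{r}^{n}}, \qquad \sum_{u=0}^{N} \binom{N}{u} M(n,u,r) = \binom{N}{r}^{n}.$$

In every case the survival law is

$$R(n) = \sum_{u=0}^{N} \Pr_N(n,u,r)\,\frac{F_N(u,\varepsilon)}{\binom{N}{u}}.$$

Check on the bridge of Example 1 ($N = 5$, $r = 2$, $n = 2$): $M(2,2,2) = 1$, $M(2,3,2) = 3^{2} - 3 = 6$, $M(2,4,2) = 6^{2} - 4\cdot 3^{2} + 6 = 6$, so $\Pr_5(2,u,2) = (10\cdot 1,\ 10\cdot 6,\ 5\cdot 6)/100 = (0.1,\ 0.6,\ 0.3)$ for $u = 2, 3, 4$, which sums to 1 as the partition identity requires.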
If we make another round of generalization and assume that elements have a determinate resilience L to adverse effects, i.e. are destroyed exactly after (L+1) strikes, then (8) and (10) are rewritten as (12) and (13), where K and the generalized Morgan numbers for the case of r-fold AEs and L-resilient elements are expressed through

$$Q(n, K, \omega, L) = \left.\frac{d^{n}}{dt^{n}}\left\{\left(e^{t} - g(t, L)\right)^{\omega}\left(g(t, L)\right)^{K-\omega}\right\}\right|_{t=0},$$

obtained by n-fold differentiation of the generating polynomial. If r = 1, formula (12) after a series of combinatorial transformations becomes (14). Finally, by substituting L = 0 into (14), in the course of a series of transformations we obtain the standard Morgan operands of the form (8); in this particular case (15) holds.
If we compare formulas (2) and (6), we see a certain conceptual invariant. Functional redundancy in the system is expressed by the vector F_N(u, ε) or, equivalently, by the conditional probability of the form (4). Applying to such redundancy the corresponding law of degradation or destruction of the form (3), (7), (8), (10) or (12) generates the corresponding probabilistic response of the system. AE laws change, the system's responses to AEs change, but the kernel of the model, the redundancy vector, remains unchanged. Therefore, our primary aim is to establish the form of the redundancy vector for a multi-element structurally complex system. Once the redundancy vector has been established, evaluating the probability of system survival for various AE scenarios becomes a technical problem.
It must also be noted that the property of element resilience characterized by parameter L is in fact not a property of the element itself but rather an attribute of the survivability facilities intended to provide the system with resilience. For example, in terms of system survivability under seismic impacts, the vibroplatform on which elements of the technical system are installed (one, several or all of them) has the resilience property.
Such a platform must be able to withstand an impact characterized by an acceleration that is a multiple of g (the acceleration of gravity). On the (L+1)-th impact the vibroplatform partially loses stability and is destroyed, while the elements installed on it are either destroyed or lose connection to the system, which is equivalent in terms of consequences. The multidirectional manifestation of structural dependability and resilience can be indirectly observed in formulas (6) and (12), where structural redundancy is associated with one of the probabilities while resilience is associated with the other.
Here we emphasize that identifying the redundancy vector is not an easy task at all. It is NP-hard [3], as it is associated with complete enumeration of the 2^N system states and their division into two classes, functionally operable and functionally failed. The general logical and probabilistic method (GLPM) [11,12] comes to help, though. It overcomes the "curse of dimensionality" by decomposing the initial logical operability function (LOF), which is first identified by formalizing the system operation rules and listing all operability paths and minimal cut sets. Under today's conditions of industrial automation this work is performed by the ARBITR software system (developed by SPIKSZMA, Saint Petersburg, Russia); its scientific basis was developed by the school of Prof. A.S. Mozhaev.
Thus, let us proceed to the multivariant analysis of survivability using two trial computational schemes and formulas (4)-(15). In order to simplify the demonstration, let us assume ε = 1, i.e. we are solving structural survivability problems, evaluating in particular the effect of structural redundancy on survivability. Examples for the case ε < 1 can also be provided easily; the results will be published in subsequent papers.

Analysis of structural survivability for three calculation examples
Example 1. Bridge-type structure system (N = 5 elements)
Let the system have a two-pole operability model (bridge type, Figure 1), for which the operability function is given by formula (16) [3,9,12].
Figure 1. Bridge-type structure system
In this Example 1, since the total number of system states is 2^5 = 32, all states can easily be enumerated manually in order to select the operable ones (16 in total). The redundancy vector and the conditional probability of the form (4) are given in Table 1.
The survival law R*(n) for the dependent AE strategy is the last column of Table 1 under the assumption n = u. In order to perform the analysis for the independent AE strategy, let us first compute the table of Morgan numbers per (8) for N = 5; the data is given in Table 2. The data in Table 2 is used together with Table 1 in calculations according to formulas (6) and (8). The values of R(n) for n ≤ 7 are given in Table 3. As an integral factor that serves as a natural convolution of the redundancy vector, the mean number of AEs causing loss of operability under the dependent AE strategy (formula (17)) can be used. In the case of the bridge-type structure it equals 3. That means that the system can be intentionally disabled, on average, with three strikes. In order to remove the dependence on N when choosing the optimal survivability design solution, the system survivability index (SI), formula (18), can be used; in our case SI = 0.600. To understand whether that is much or little, many networked systems would have to be evaluated; such evaluations are outside the scope of this paper. However, (18) is another example of a distinct connection between structural redundancy and survivability.
Let us now complicate the problem definition and assume that in one AE r = 2 elements are affected simultaneously. In this case formula (10) yields the destruction law shown in Table 4. The combined application of (6) and (10) results in the values of R(n) shown in Table 5. Naturally, in the case of double (r = 2) independent AEs the system degrades faster than in the case described in Table 3.
Table 5 (r = 2), R(n) for n = 1…7: 0.8000, 0.2000, 0.0560, 0.0164, 0.0049, 0.0015, 0.0004
Example 2. Three-generator electric energy system (N = 10 elements)
[13] and [11] describe a three-generator electric energy system (EES, Figure 2). Its operability diagram is shown in Figure 3.
The operability function established from the diagram in Figure 3 is given as formula (21) [11, p. 30]. The total number of operable states is 554 of 2^10 = 1024. By complete enumeration of the system states against the LOF of type (21) we arrive at Table 6, which contains the redundancy vector. In this problem definition all effects are single, while the system's elements have zero resilience.
The destruction law for Example 2 is shown in Table 7; the survival law for the independent AE strategy is shown in Table 8. For Example 2 the mean number of AEs to loss of operability equals 5.737 and SI = 0.574. As we can see, the "specific survivability" of the EES of Example 2 turns out to be even slightly lower than that of the bridge-type structure. We can speak of redundancy concentration, when a growing number of elements does not produce a qualitative improvement of the system's survivability performance. Nevertheless, owing to the larger hardware component, the AE-related degradation of the system is smoother than that of the bridge-type operability logic.
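As an added example that is not part of the original paper, the following Python script carries Example 1 through end to end: it enumerates the 2^5 states of the bridge against the standard path-based operability function of a two-pole bridge (assumed here, since formula (16) is not reproduced on the page), obtains the redundancy vector F_5(u), the conditional probabilities of the form (4), the dependent-strategy survival law R*(n), the mean number of strikes to loss of operability and SI, and then evaluates the independent-strategy survival law R(n) for r = 1 and r = 2 via Morgan numbers. Reading the Morgan numbers as counts of ordered AE sequences that cover exactly u elements (inclusion-exclusion, and for r = 1 the recurrence M(n,u) = u[M(n-1,u) + M(n-1,u-1)]) is an assumption of this example; with it, the r = 2 values reproduce the Table 5 row above, and the mean of 3 strikes and SI = 0.600 match the paper. Example 2 would be treated identically by substituting the LOF (21) of Figure 3, which is not reproduced here.

```python
from itertools import combinations
from math import comb

# Bridge-type structure of Example 1 (Figure 1). Elements are numbered 1..5:
# 1 and 2 leave the source pole, 3 and 4 reach the sink pole, 5 is the
# cross-member. The LOF (16) is not on the page; the four minimal paths
# below are the standard bridge operability function (assumption).
N_BRIDGE = 5
BRIDGE_PATHS = ({1, 3}, {2, 4}, {1, 5, 4}, {2, 5, 3})


def bridge_operable(working):
    """LOF of the bridge: operable if at least one minimal path is intact."""
    return any(path <= working for path in BRIDGE_PATHS)


def redundancy_vector(n_elements, operable):
    """F_N(u), u = 0..N: operable states with exactly u failed elements.
    Plain enumeration of all 2^N states, the step that is NP-hard in general."""
    elements = set(range(1, n_elements + 1))
    f = [0] * (n_elements + 1)
    for u in range(n_elements + 1):
        for failed in combinations(elements, u):
            if operable(elements - set(failed)):
                f[u] += 1
    return f


def conditional_survival(f):
    """P_N(u) = F_N(u) / C(N, u), the conditional probability of the form (4).
    Under the dependent strategy this is also the survival law R*(u)."""
    n = len(f) - 1
    return [f[u] / comb(n, u) for u in range(n + 1)]


def mean_strikes_to_failure(r_star):
    """Mean number of dependent-strategy AEs until operability is lost:
    E[T] = sum_{n>=0} Pr(T > n) = sum_n R*(n)."""
    return sum(r_star)


def survivability_index(f):
    """(mean strikes, SI): SI normalises the mean by N to remove N-dependence."""
    mean = mean_strikes_to_failure(conditional_survival(f))
    return mean, mean / (len(f) - 1)


def morgan(n, u, r=1):
    """Generalised Morgan number (assumed form): number of ordered sequences of
    n r-subsets whose union is exactly a fixed u-set, by inclusion-exclusion.
    For r = 1 this is the surjection count u! S(n, u)."""
    return sum((-1) ** j * comb(u, j) * comb(u - j, r) ** n for j in range(u + 1))


def morgan_recurrence(n, u):
    """M(n, u) for r = 1 via M(n,u) = u [M(n-1,u) + M(n-1,u-1)], M(0,0) = 1."""
    table = [[0] * (u + 1) for _ in range(n + 1)]
    table[0][0] = 1
    for i in range(1, n + 1):
        for k in range(1, u + 1):
            table[i][k] = k * (table[i - 1][k] + table[i - 1][k - 1])
    return table[n][u]


def destruction_law(n_elements, n_strikes, r=1):
    """Pr_N(n, u, r), u = 0..N: probability that n independent r-fold AEs hit
    exactly u distinct elements; each AE picks an r-subset uniformly (r <= N)."""
    total = comb(n_elements, r) ** n_strikes
    return [comb(n_elements, u) * morgan(n_strikes, u, r) / total
            for u in range(n_elements + 1)]


def partition_identity_holds(n_elements, n_strikes, r=1):
    """Partition identity of the form (9)/(11): sum_u C(N,u) M(n,u,r) = C(N,r)^n."""
    lhs = sum(comb(n_elements, u) * morgan(n_strikes, u, r)
              for u in range(n_elements + 1))
    return lhs == comb(n_elements, r) ** n_strikes


def survival_independent(f, n_strikes, r=1):
    """R(n) = sum_u Pr_N(n, u, r) * F_N(u) / C(N, u), i.e. (6) with (8) or (10)."""
    p = conditional_survival(f)
    pr = destruction_law(len(f) - 1, n_strikes, r)
    return sum(pr[u] * p[u] for u in range(len(f)))


if __name__ == "__main__":
    f = redundancy_vector(N_BRIDGE, bridge_operable)
    print("F_5(u) =", f, "operable states:", sum(f))
    print("R*(n)  =", conditional_survival(f))
    mean, si = survivability_index(f)
    print("mean strikes to failure =", mean, "SI =", si)
    for r in (1, 2):
        print(f"r = {r}: R(n), n = 1..7 =",
              [round(survival_independent(f, n, r), 4) for n in range(1, 8)])
```

Swapping `bridge_operable` for any other LOF (for instance one that scores retained efficiency against a threshold ε rather than binary connectivity) changes only the redundancy vector; the destruction laws and the survival-law convolution stay as they are, which is the model-kernel invariance the paper argues for.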

Conclusion
The structural survivability know-how developed by Soviet/Russian scientists over the last 30 years significantly helps in reaching a new level of modeling and analysis of survivability and resilience of complex systems (not necessarily technical ones). The primary goal is the transition from structural to functional survivability. The first steps in this direction have already been made [14-16]; however, the work must continue with the aim of automatic construction of LOFs for multiple systems with arbitrary performance criteria. By varying the level of retained efficiency ε, it can already be observed at the stage of manual search that as ε grows the level of available structural and functional redundancy slowly goes down. Manual search should be abandoned in favor of automated construction and examination of a set of LOFs responsible for various levels of required efficiency ε.
Figure 2. Three-generator EES diagram. Source: [11]
Figure 3. EES operability diagram. Source: [11]
Secondly, the AE scenario assumptions should be formulated more strictly. That involves progressive replacement of probabilistic combinatorial models, with their simplistic hypotheses about the effects, by models in which the effect is formulated in terms of the adverse factors themselves. Here fuzzy logic modeling of AEs suggests itself, as well as of the elements' resilience to effects, including the efficiency of survivability facilities. That is the subject of our future work.