Introduction 1


The “supervision, safety and security of large systems” theme is currently present at all levels, particularly at the European and national levels. It is relevant to every large facility, infrastructure or organization, whether public or private. It appears, however, that public and private research facilities currently tackle this theme from different angles and in a “scattered” way. This scattering can be explained by the strongly multidisciplinary nature of this area, which does not fall under the umbrella of a single academic subject. Gathering together these structures and the industrialists concerned is the best response that can be taken for France to play a leading role in the worldwide development of this major and rapidly emerging field. It is within this framework that, at the end of April 2007, MESR (Ministère de l'Enseignement supérieur et de la Recherche - French Ministry of Higher Education and Research) founded the scientific interest group “surveillance, sûreté et sécurité des grands systèmes” (supervision, safety and security of large systems) - GIS 3SGS.

This foundation was prompted by several university laboratories that had noticed that research on models of safety and security assessment is usually contextual, i.e. associated with a particular industrial object. Scientific initiatives are therefore not really structured around these themes: there is a true scientific challenge in creating coherence between global models representing a whole system and models developed at the scale of a component or subsystem, the latter being necessary because industrial specifications and maintenance policies are expressed at that scale. These two scales are both necessary, but strongly dependent on each other.

The scientific problems in the area of surveillance, safety and security of large systems, which pose a high risk in the long term, are in constant evolution because of:

– the evolution and replacement of the systems currently in operation;

– the constant complexity of systems;

– the increasing demands in terms of industrial safety;

– the availability constraints; and

– the evolution of information and communication technologies.

All this requires the development of new methodologies, the design of new models, the implementation of new simulation methods, the diffusion of new knowledge, etc.

The supervision approach

Supervision plays a leading role in the operation of large systems. Based on the real-time analysis of data collected online, it requires quick decision-making and thereby implies taking the time variable into account. Faced with the complexity of large systems, surveillance has to be robust with respect to the uncertainties and errors that are associated with both the models and the data. The surveillance methods need to be integrated into the control and command systems (remote machine monitoring) and need to be improved by using information on the reliability of components as well as on maintenance operations.

The increasing use of systems including software and digital data requires total control of all aspects of safety and security, which is often already required by current regulations. These aspects play a leading role in the adoption of digital systems in the economic, legal and societal context, and are an essential factor for innovation, and hence for economic development.

The merging of the currently independent approaches towards surveillance issues (automatics, signal and computer science) requires the cooperation of actors from these different communities.

The safety approach

The control of risks requires a systemic approach when large complex systems are involved. Methods relating to operating safety are developed with this goal in mind and allow for this control from the point of view of the reliability, maintainability and security of large systems.

The development of models and methods of assessment and the optimization of the safety of large systems is therefore organized around several structuring themes:

– “Human factor” (HF) models that are adapted to large systems and/or supporting studies upstream from their design: the operator is a potential source of an undesirable event, but he or she is also a fundamental element in the control or recovery chain following such an event. It is therefore necessary to improve the existing HF models, in particular to help designers at the time of the upstream studies.

– The analysis of positive feedback (APF), or precursors, needs to be developed to make the system effective and efficient. In systems where several interacting components are located at different geographical sites (several separate rooms, physical separation, etc.), the coexistence of varied human activities requires the use of models enabling us to ensure a common representation of the state of the facility or system. Such tools have yet to be created from an operational point of view. Similarly, the development of models and industrial tools enabling the a priori simulation of risky operations should be encouraged (for instance, studies such as decentralized multifactor operations).

– Modeling of the damage and ageing of systems and optimization of maintenance: the surveillance/maintenance interaction (conditional or predictive maintenance, health monitoring) where maintenance decisions are based on a diagnostic or prognosis of the state of the system, established from surveillance data.

– Safety of instrumented/programmed systems of security and command and control: safety, assessment and certification of software and systems, particularly in the case of embedded systems, in order to obtain fault-tolerant systems, amongst other things.

– Study of fault-tolerant systems with the intention of suggesting new methodologies for the reconfiguration of the control laws of systems subjected to failures. This covers: the modeling and development of methods for reliable systems by using (semi)formal methods and proof tools, in order to define a proven development cycle, from specification onwards, for a system in which software predominates; the design of systems integrating software elements whose safety or security properties are guaranteed by design; and forward-looking maintenance and collaborative maintenance (multiagent systems) for e-maintenance strategies.

The security approach

The issue of the security of large systems integrating software plays a leading role in the adoption of digital systems. The systems that are of interest to us can be “software”, “hardware” or “hybrid” based, as in the case of process control systems. The security of systems is of increasing importance in the prevention of and protection against hacking by the incorporation of confidentiality, access control or anonymity, and by controlling the information flow and its coherence with respect to individual freedom and national constraints.

To address issues regarding security, it is essential to define security policies and their mechanisms of implementation. The definition of a security policy is important since it determines an acceptable level of security. The actions will concern the proven security of services, secured protocols, cryptography, computer virology, the validation of services, the management of certifications and revocations. Particular attention should be paid to the control strategies of resources dependent on economic models, without forgetting the methods of identification and authentication and the control of information management.

The concepts of surveillance, safety and security are complementary and strongly interact. There are tight links between aspects of security (resistance to acts of sabotage) and safety, whose operation is validated against unintentional faults. These links must be developed. The problems of the two areas are often interwoven. As an example, coding errors are taken advantage of to create security breaches: it is therefore also necessary to formally prove the correctness and robustness of security mechanisms. On the other hand, business continuity plans are essential, and their design emphasizes a necessary link between safety and security.

The contributions of this area to global security are characterized by two aspects. The first concerns the adaptation of risk analysis methods for the identification and assessment of risks associated with threats of human origin (sabotage). The second aspect is the use of probabilistic and scenario approaches, in order to evaluate the “security” performances of systems (integrated security system).

The scope and organization of GIS 3SGS

The following university laboratories are working with GIS 3SGS in order to cover all of the scientific and technical areas to be implemented within the GIS 3SGS framework:

– CRAN, Nancy research center for automatics (Nancy University, CNRS);

– CReSTIC, Research center for information and communication sciences and technologies (URCA, Reims Champagne-Ardenne University);

– Heudiasyc Laboratory for the heuristics and diagnostics of complex systems (UTC, University of Technology of Compiègne, CNRS);

– ICD, Charles Delaunay Institute (University of technology of Troyes, CNRS);

– LAGIS, laboratory of automatics, computer science engineering and signaling (University of sciences and technologies of Lille, Ecole Centrale de Lille, CNRS);

– LAMIH, Laboratory for automatics, mechanics, and industrial and human computer science (University of Valenciennes and Hainaut-Cambrésis, CNRS);

– LORIA, Laboratory of Lorraine for research in computer science and its applications (Henri Poincaré University, Institut National Polytechnique de Lorraine, INRIA, Research institute in computer science and automatics, CNRS).

The industrial problems have mainly been suggested by EDF (Electricity of France), the CEA (French Atomic Energy Commission) and ANDRA (the National Radioactive Waste Management Agency), which are founding members of the GIS.

Let us mention that, besides MESR and CNRS, INRIA and the General Council of Aube have also contributed to the running of GIS 3SGS. DGA (the General Army Agency) and SGDSN (the Agency for Defense and National Safety) have also provided constant support.

From a practical point of view, GIS 3SGS has worked under the supervision of a gathering council, led by Christian Lerminiaux, director of the University of Technology of Troyes, and with the help of a very active scientific council, initially led by Sylviane Gentil (INPG), then by Jean Arlat, director of the Laboratory of Systems Analysis and Architecture at Toulouse University (CNRS).

GIS 3SGS aims to make the approaches relating to research on the safety, surveillance and security of large systems transversal and complementary. Within this framework, it has been a breeding ground for collaborative projects between industry and research laboratories in the following application areas: energy, transport, information and digital systems, networks and critical infrastructures. The actions and projects led by GIS 3SGS include:

– calling on different methods and complementary disciplines;

– the use of a generic methodology applicable to different areas;

– the favoring of flexibility: small projects have led to more ambitious projects dealing with complex problems; and

– the implementation of collaborations between laboratories and the favoring of laboratory/industry networks.

This book presents the research projects carried out within the framework of this scientific interest group, particularly those on surveillance and operating safety. All of the projects supported by GIS 3SGS started from a problem suggested by an industrialist, and at least two different university teams had to be assembled for each. They concerned several novel aspects of supervision, the predictive assessment of maintenance operations, diagnostic and prognosis methods, operation in faulty mode, reliability, performance, command and control, reconfiguration, and uncertainties. This was achieved by using dynamic or probabilistic modeling and by taking into account human factors, environmental factors and feedback.

Organization of the book

Part 1: the presentation of three industrial problems relating to nuclear energy:

– the first being related to aspects of the maintenance of a nuclear power plant in operation;

– the second to the surveillance of the operation of the steam generators of fourth-generation nuclear reactors that are currently being studied (sodium-cooled fast reactors);

– the third to the optimization of the distribution of the instrumentation of an underground nuclear waste storage in space and time.

Part 2: a presentation of research projects carried out within the framework of six projects on the supervision and modeling of complex systems in the areas of transport and energy. The results obtained (fault indicators, tolerance to faults, reliability model for complex, hybrid and dynamic systems) are applicable in many other industrial areas.

Part 3: the presentation of prospective studies of surveillance and analysis relating to the means of operation of a steam generator within the framework of studies of a fourth-generation nuclear reactor. The research re-analyzes the acoustic signals recorded in 1994 in the steam generators of the PFR Scottish reactor during the deliberate injections of gas into the liquid sodium.

Part 4: the presentation of tools and methods enabling us to simultaneously analyze organizational, human, technical and environmental factors and their interdependence, and to identify the factors whose conjunction can weaken the defense system (accidents/incidents on large systems). The research carried out applies to two industrial problems, with a methodology enabling us to understand the systems according to their organizational levels: “action” (the human operator) and technical.


1 Introduction written by Yves VANDENBOOMGAERDE, Christian LERMINIAUX and Nada MATTA.
