Pill Production Case Study
The pill production case study is based on the application scenario presented by Chaplin et al. It models a self-organizing system designed to produce personalized medicine. By adapting the dosage and composition of a medicine to individual factors, negative side effects can be avoided and the effectiveness of treatment can be improved. Self-organizing systems typically have a particularly high resilience to component failures, and this resilience presents a challenge to safety analysis frameworks like S#: the interesting failures are the ones the system can no longer compensate for, and reaching them requires many components to fail.
The S# version of the case study can be found here.
The system produces personalized pills. To this end, three kinds of production stations process pill containers: stations that load empty pill containers onto the conveyor belts connecting the stations, stations that dispense different ingredients (red, blue and yellow particulate), and stations that remove processed pill containers from the system and palletize them. Recipes specify the personalized composition of the pills. For each recipe, an Observer/Controller mechanism finds a sequence of connected stations that is capable of processing pill containers according to the recipe and instructs these stations to do so.
As the class diagram shows, the model is based on the Organic Design Pattern, a design pattern for self-organizing resource-flow systems. The production stations are agents that process resources (the pill containers) as specified by the Roles allocated to them. The Produce capability consists of loading pill containers onto a conveyor belt, Process describes the addition of a certain amount of the specified ingredient to a pill container, and Consume represents the palletization of the processed containers.
Since the objective of the case study was to analyze the limits of the self-organization mechanism, only those faults were modeled that the self-organization mechanism can compensate for (tolerable faults). For example, a station might break down completely due to power loss; in this case, the Observer/Controller can use a different station instead. Furthermore, there are faults that prevent a station from dispensing a certain ingredient, a fault that prevents it from dispensing any ingredient, a fault that prevents a station from loading pill containers onto a conveyor belt, and a fault that prevents the palletization of pill containers.
The hazard we are interested in is that the system's reconfiguration mechanism does not find a valid reconfiguration. This hazard occurs when too many components have failed and the system's redundancy is exhausted. An analysis of this hazard thus quantifies the self-organization mechanism's limits.
The primary challenge in analyzing this case study is the high number of component faults and the vast state space. In order to conduct this analysis in an acceptable time frame, several optimization approaches were necessary.
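To make the reconfiguration search and the hazard concrete, here is a small Python model written for this page. It is an added example, not S# code and not the model from the case study: the plant layout, the string encoding of the faults, the breadth-first Observer/Controller search and the assumption that a broken-down station still forwards containers along its belt are all constructed here for illustration. The analysis enumerates fault combinations by increasing size and reports the minimal ones under which no valid configuration exists, which is the hazard described above. This brute-force enumeration is only meant to show the shape of the problem, not how S# analyzes it, and it shows where the cost comes from: the number of fault combinations, not the size of the plant.

```python
"""Toy model of the pill production reconfiguration problem (added example,
not S# code or the case study's model). All names and the plant are constructed."""
from collections import deque
from itertools import combinations

# Constructed plant layout (an assumption, not the layout of the original study).
# Capabilities: 'produce' (load containers), 'process:<ingredient>', 'consume' (palletize).
STATIONS = {
    "P1": {"produce"}, "P2": {"produce"},
    "D1": {"process:red", "process:blue"}, "D2": {"process:blue", "process:yellow"},
    "D3": {"process:red", "process:yellow"}, "C1": {"consume"},
}
# Directed conveyor belts. Modelling assumption: a failed station still passes
# containers along its belt, it just applies no capability to them.
BELTS = {"P1": ("D1",), "P2": ("D3",), "D1": ("D2",),
         "D2": ("D3", "C1"), "D3": ("D1", "C1"), "C1": ()}
RECIPE = ("produce", "process:red", "process:blue", "consume")


def tolerable_faults():
    """The fault kinds named in the case study, instantiated for every station."""
    faults = []
    for station, caps in STATIONS.items():
        faults.append(f"down:{station}")  # complete breakdown, e.g. power loss
        if "produce" in caps:
            faults.append(f"no_load:{station}")
        if "consume" in caps:
            faults.append(f"no_palletize:{station}")
        ingredients = sorted(c.split(":")[1] for c in caps if c.startswith("process:"))
        if ingredients:
            faults.append(f"no_dispense:{station}")  # cannot dispense anything at all
            faults += [f"no_dispense:{station}:{i}" for i in ingredients]
    return faults


def remaining_capabilities(faults):
    """Capabilities each station still has after the given faults have occurred."""
    caps = {s: set(c) for s, c in STATIONS.items()}
    for fault in faults:
        kind, station, *ingredient = fault.split(":")
        if kind == "down":
            caps[station].clear()
        elif kind == "no_load":
            caps[station].discard("produce")
        elif kind == "no_palletize":
            caps[station].discard("consume")
        elif kind == "no_dispense":  # one named ingredient, or every ingredient
            prefix = "process:" + (ingredient[0] if ingredient else "")
            caps[station] = {c for c in caps[station] if not c.startswith(prefix)}
    return caps


def find_configuration(recipe, caps):
    """Observer/Controller search: BFS over (station, steps done). The next step is
    applied where the station still has the capability; containers may also travel
    on along any belt. Returns [(station, capabilities applied there)] or None."""
    parent = {(s, 0): None for s in caps}  # state -> (previous state, action)
    queue = deque(parent)
    while queue:
        state = queue.popleft()
        station, done = state
        if done == len(recipe):
            return _route(state, parent)
        moves = [((station, done + 1), recipe[done])] if recipe[done] in caps[station] else []
        moves += [((nxt, done), None) for nxt in BELTS[station]]
        for succ, action in moves:
            if succ not in parent:
                parent[succ] = (state, action)
                queue.append(succ)
    return None  # redundancy exhausted: the hazard


def _route(state, parent):
    chain = []  # (state reached, action that reached it), goal first
    while parent[state] is not None:
        prev, action = parent[state]
        chain.append((state, action))
        state = prev
    route = [(state[0], [])]  # `state` is now the start state
    for (station, _), action in reversed(chain):
        if action is None:
            route.append((station, []))  # container passed along a belt
        else:
            route[-1][1].append(action)
    return [(s, tuple(c)) for s, c in route]


def minimal_critical_sets(recipe, faults, max_size=3):
    """Fault combinations leaving no valid configuration, none of whose proper subsets
    do. Supersets of known critical sets are skipped; sound since faults only remove."""
    minimal = []
    for size in range(1, max_size + 1):
        for combo in combinations(sorted(faults), size):
            fault_set = frozenset(combo)
            if any(m <= fault_set for m in minimal):
                continue
            if find_configuration(recipe, remaining_capabilities(fault_set)) is None:
                minimal.append(fault_set)
    return minimal


if __name__ == "__main__":
    print("nominal configuration:", find_configuration(RECIPE, remaining_capabilities(())))
    for critical in minimal_critical_sets(RECIPE, tolerable_faults()):
        print("minimal critical fault set:", sorted(critical))
```

With this constructed plant the single-fault results are the two failures of the only palletizing station; every other single fault is tolerated because the Observer/Controller routes around it, and the remaining minimal critical sets are the pairs that remove the last loader, the last red dispenser or the last blue dispenser. Even for 18 faults the size-3 pass already has to consider hundreds of combinations, which is the blow-up the optimization work in the case study addresses.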