## 1. Introduction

Modern automation systems are equipped with a multitude of intelligent electronic devices (IEDs), i.e., sensors and actuators that can be remotely accessed, monitored or controlled. These components form an interrelated network of elements. From a layered-architecture standpoint, every device, application, module or sub-system (hereafter referred to as a *component*) provides services to a certain group of components while receiving services from others. All of these components are prone to incidents (hereafter referred to as *failures*), either internally, due to natural faults and malfunctions, or externally, due to natural causes or cyber intrusions. Clearly, in a web of interconnected components, the failure or degradation of any one of them can affect the performance of those receiving its services, and ultimately impact the availability and integrity of the underlying automation system.

Therefore, for efficient operation of such a system, the operator has to determine, as quickly as possible, the impact of a component's degradation or failure on the rest of the system, so that he/she knows which parts of the system can continue operating as is, which are conditionally operational, and which cannot continue operating reliably and should be shut down or disconnected from the rest of the system. This calls for a measure of *trustworthiness* for the overall system and its components. In small systems with few interdependent components, this task is rather trivial. However, an increase in the number of system components, or in the dimensionality of the interdependencies among them, can complicate matters exponentially. Although experienced operators and/or automated mechanisms exist in automation systems that can handle individual applications, a uniform solution that can analyze the aftermath and range of impact of a failure does not exist.

The objective of this article is to devise a solution for system-wide situational awareness. Our goal is to identify how the impact of a failure is spread across the automation system, and what components have been affected by it and to what extent. This capability should be a crucial aspect of modern automation systems, since system complexity often prevents the operators from visual and/or heuristic inspection.

We propose a scheme based on graph-theoretic fuzzy cognitive maps (FCM) that, in the event of internal or external failures in one or more components of the system, is able to identify the range of fault activation and to indicate which other components have been (or will be) affected by it most. This provides additional situational awareness for the system operator and allows him/her to isolate untrustworthy functions and applications as soon as possible. To make the solution less dependent on human knowledge, which is usually subjective, the map of interdependencies is developed in two phases:

1. Building one-step-ahead local relationships based on expert knowledge and qualitative data,
2. Graph-theoretic importance analysis for global impact assessment.

The rest of this article is organized as follows: Section 2 provides a review of the literature on situational awareness in automation systems. The basic concepts behind FCM and design challenges are discussed in section 3. The proposed methodology and proof-of-concept simulation results are presented in sections 4 and 5 respectively. Section 6 discusses some practical considerations of the proposed methodology, while its adaptability aspect is briefly discussed in section 7. Finally, conclusions appear in section 8.

## 2. Situational awareness — State of the art

Situational awareness in a system may relate to various aspects such as spatial, mission, resource or crew awareness [1]. Whenever the system needs to process and interpret a large number of data points, situational awareness becomes more vital. In large-scale automation systems, the size and complexity of the network pose their own unique challenges. While during normal conditions operators may show relatively high situational awareness, their awareness level drops following the onset of a disturbance [2], which is exactly when responsiveness and effective decision making are needed most. This has been attributed to factors such as attention narrowing, memory traps, workload fatigue, data overload and complexity creep [3].

Traditionally, the notion of situational awareness in automation systems has been tied closely to the concept of state estimation (SE). Using the measurements available from across the system, the SE algorithm tries to find the set of system states (for example, voltages at various nodes in a power system) that statistically best fits this set of measurements [4]. In order to complete the picture of the system operating condition, extensive research was conducted on estimating the network topology through identification of topology errors [5, 6], which led to the introduction of generalized state estimation [7], a unified solution for SE using both network measurements and system topology data. To deal efficiently with the large size of the problem, research has also been conducted on distributed state estimation solutions for large multi-area systems [8-10].

In conjunction with SE techniques, situational awareness solutions have also been developed that make use of alarms and signals. However, even the simplest failures in an automation system can lead to tens or hundreds of alarms being brought to the attention of the system operator [11], which underscores the need to convert this raw data into easily interpretable information for the human operator. The early approaches for this purpose took the form of organizing and prioritizing alarm messages [12]. Some authors suggested priority and grouping schemes [13], which were later improved using Boolean algorithmic and rule-based expert system techniques [14, 15]. However, these modified approaches were still difficult to implement for large systems, and lacked adaptability and flexibility. The trend therefore turned towards more powerful intelligent techniques such as artificial neural networks [14, 16], fuzzy systems [17-20], neuro-fuzzy systems [21], genetic algorithms [22] and Tabu search [23], among others.

In parallel to these efforts, many researchers have focused on developing awareness solutions by improving system observability. For instance, in power system automation schemes this has been achieved by adopting additional system-wide dynamic measurements through Phasor Measurement Units (PMU) [24, 25], which can then be used for disturbance event detection and analysis [26, 27]. Also, data visualization tools have been proposed to assist system operators with emergency situations [28-30].

With the advent and large-scale deployment of advanced sensors, the focal point of some researchers shifted towards developing methodologies for sensor data fusion, sensor data interpretation and knowledge extraction, and linking them to operator situational awareness [31, 32].

Although many of the solutions proposed in the literature succeed in providing situational awareness and vigilance for the system operator, some aspects are missing and require more research:

- Many of these techniques assist the operator in narrowing down and interpreting events, but are unable to provide information on the breadth (range of impact) and depth (how severely other system components are affected) of the event,
- Event detection and identification is the first step towards awareness, but post-event mitigation requires a measure of "trustworthiness" of the rest of the system,
- Many of the methodologies proposed in the literature are application-specific, and cannot be readily applied to all systems,
- Some of the situational awareness solutions proposed in the literature use the concepts of supervised and unsupervised learning to build a logical model for the system under study, where historical data on past incidents are used to construct and train the model. However, in most practical systems, training data related to past events are not available. Even if they are, they are likely to be recorded in a qualitative and application-specific format,
- Finally, most approaches for sensor data integration and fusion treat all data points at the same level of importance, whereas in large-scale systems different data from different components may have dissimilar importance for the overall performance of the system or the underlying application.

## 3. Graph-theoretic based approach

### 3.1. Basic idea

Cognitive maps were introduced in the 1970s to represent social scientific knowledge [33]. These were signed directional graphs (digraphs) where a positive link from vertex *j* to vertex *i* would indicate that *j* causally increases *i*, whereas a negative link would mean the reverse is true (Fig. 1). In this context, the *indirect effect* of vertex *j* on vertex *i* over a path *P*_{q} is negative if the number of negative signs (of the edges of *P*_{q}) is odd, and is positive otherwise. The *total effect* of *j* on *i* would then be negative if all the indirect effects (over all possible paths) are negative, positive if all indirect effects are positive, and indeterminate otherwise. It is safe to assume that in most real-world applications beyond a trivial level of complexity, the indeterminate case happens more frequently.

To further improve the computational capabilities of cognitive maps, Kosko [34] introduced fuzzy cognitive maps which assigned fuzzy weights to the edges connecting vertices. This allowed for determining the impact of vertices on one another based on the concepts of general fuzzy *t*-norm and *t*-conorm operators (minimum and maximum). Within this context, the indirect effect of vertex *j* on vertex *i* over a path *P*_{q} is defined as the minimum edge weight along that path, and the total effect of *j* on *i* would be the maximum of all indirect effects. In other words, the indirect effect represents the weakest causal link in a path connecting two vertices and the total-effect would be the strongest of the weakest links.

Later versions of FCM used algebraic equations to determine the value of each vertex based on the influence of the interconnected vertices (Fig. 2) [35].

This way, the state (value) *x*_{i} of vertex *i* at any point in time is defined as:

where *u*_{i} represents the excitation level of vertex *i*, *w*_{ij} is the weight of the edge connecting *j* to *i*, and *f*( ) is the threshold function, common choices being the sigmoid and the hyperbolic tangent. In matrix form, the state vector **X** of the FCM can be expressed as:

where **W** is the weight matrix.

### 3.2. Challenges with FCM

In a prior work, the author developed FCMs to model and analyze the interdependencies of typical power substations and to assess the impact of non-idealities in data quality on the overall performance of the system [36]. However, the maps were built manually based on expert knowledge, and it was shown that even for a simple system, the resultant FCM could become rather complex, which makes its manual derivation less feasible. One of the main challenges in this regard is how to assign weights to different edges of the graph. Traditionally, this has been done using expert knowledge. Some researchers have proposed modified techniques to measure the agreement between weights proposed by different experts [35], or assigning weights based on majority vote among experts [37]. To help automate the process further, some have used the notions of in-degree and out-degree of a vertex [38], the centrality (total degree) of the vertices [34], or concepts such as the key vertex [39] and the closeness (similarity) of relations between the states of two vertices *i* and *j* [40]. Alternatively, others have focused on methodologies for training the FCM and updating its weights [41].

While many of these techniques have proven effective in certain applications, they may fall short when applied to automation system situational awareness. First and foremost, it is often easy for human experts to identify and analyze *local* relations and interdependencies, but for large systems, an objective *global* system-wide analysis is difficult to obtain, and is likely to become subjective. Moreover, in practice, an expert might be very knowledgeable in certain parts of the system, but not necessarily in all parts. Adopting training techniques to adjust the weights can solve the problem; however, its success largely depends on the availability of comprehensive sample data on system integrity related to past incidents, which is often not the case. Even if this data is available, it is not necessarily quantified and is likely to be qualitative, again subject to human interpretations.

## 4. Proposed methodology

### 4.1. Overview

Accordingly, the approach put forth in this article seeks a solution that takes advantage of the expert knowledge on local interrelations, but then modifies it towards a global perspective using the features of the abstract graph. The FCM is first formed based on the flow of data and communication services that exist between different components. The weights are then developed in a semi-automated fashion through three steps:

1. An expert system determines the initial weights of the edges based on the short-range (one-step-ahead) dependencies of components,
2. The initial weights are then adjusted using the abstract centrality of the vertices (with no knowledge of the criticality or type of their services),
3. The weights are further tuned based on the relative number of paths from each vertex to the (user-defined) critical ones.

It should be noted that our proposed approach does not require conducting experiments on the system. Instead, it relies on the existing structure of the interdependencies and relations between different components as well as the expert knowledge (likely to be limited and local) on the criticality of these relations. As such, this methodology takes advantage of the graph-theoretic concepts that govern the automation system.

### 4.2. Assumptions

In developing the proposed solution, several assumptions have been made. Both external and internal faults have been considered; however, the faults are assumed to be of the operational type (and not development faults [42]). Moreover, only failures in service content are considered, not failures in its timing. Furthermore, the dependability of components on one another has been analyzed in terms of availability and integrity.

Without loss of generality, the notion of *quality* has been attributed to the services provided by different components in accordance with the quality attribute defined in IEC 61850, the standard developed for utility automation systems [43]. Here, *validity* is the main identifier of the quality attribute; it indicates the existence or absence of an abnormal condition of an acquisition function or source of information. Validity may be marked as good, invalid or questionable. An enumerated list, *detail quality*, further elaborates the reason for an invalid or questionable value. This list of identifiers includes items such as overflow, out of range, bad reference, old data, inconsistent, inaccurate, etc. [43].

While the *quality* attribute provides valuable information for the operator, in many cases converting this information into usable data is not straightforward. For instance, the standard makes the client responsible for deciding whether or not values marked questionable should be used. Moreover, the impact of each data value on the partial or overall performance of the substation depends in part on the interconnection of the protection, control and measurement functions within the system, which requires a methodology for measuring the propagation of bad data through these functions.

### 4.3. Algorithm

#### 4.3.1. Step 0 — Initializing the FCM

To initialize the structure of the FCM, various components in the system are first modeled as the vertices of the graph. Any physical or logical component can be replaced by a vertex. The flow of data and services between these components determines the directional edges that interconnect the vertices. Data may refer to metering data, alarm signals, setting data, and suchlike. Services may refer to actuation signals, control commands, set-point adjustments, and data retrieval commands, etc. The directions of the edges are determined based on the notion of *client and server*. In other words, FCM edges connect servers (providers of data and services) to clients (users of data and services).

#### 4.3.2. Step 1 — Local weight initialization

In the first step, an expert system is used to determine the initial weights. The weights derived this way are short-sighted, i.e., the impact of each component on the very next one can be quantified relatively accurately, but the precision is expected to decline as the depth of impact of the component increases. The rationale adopted here is based on how a vertex B uses the services of vertex A (see Table 1).

Without loss of generality, weights 1.0, 0.7, 0.4 and 0.1 have been chosen to indicate very critical, critical, semi-critical and non-critical edges respectively. The reader should note how the definition proposed here is purely local, with no system-wide impact in mind.

#### 4.3.3. Step 2 —Weight update based on graph structure

Centrality of a vertex indicates how connected it is to the rest of the graph, and can be used as a measure of importance, since it shows the number of vertices in the graph that are related to this vertex. Centrality *C* of a vertex is defined based on the notions of its in-degree and out-degree. For a vertex *i* [38]:

However, in this article in order to decouple the expert system based weight derivation in step 1 (which can be subjective) from weight update in the current step, the notion of *abstract centrality* is used instead as shown in [44]. Here, the importance (centrality) of vertices will be derived based on abstract in-degree and out-degree as proposed in (5):

The previously derived weights will therefore be adjusted based on the abstract centrality C^{*}(*i*) of each vertex *i*, in such a way that outgoing edges from vertices with high centralities will be further strengthened:

where β is a learning rate parameter (heuristically chosen here to be 0.20) and Ĉ represents the normalized abstract centrality based on the range of [*C*^{*}_{min}, *C*^{*}_{max}] values of all abstract centralities.

#### 4.3.4. Step 3 — Weight update based on relation to critical vertices

Here, the severity of the relationship between the vertices and the ones identified as critical (by the operator) is quantified. The definition of critical vertices is application specific. In automation systems, for instance, critical vertices could be defined as those taking an "action", e.g., protection relays, switch controllers, etc. In a graph with *k* critical vertices, the severity of the relationship between vertex *i* and the set of critical nodes is defined as:

where *L*^{p}_{(i,k)} is the length of the *p*^{th} path that connects vertex *i* to vertex *k*. To maintain decoupling from step 1, calculation of the length of the paths should ignore the weights of the edges in between. In this article, the length is defined as the number of intermediate vertices along the path. Severity is then used to update the weights:

where *η* is the learning rate parameter.
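As an added worked example (not code from the article), the three weight-derivation steps above are carried through in Python on a small constructed map, not the Fig. 4 model. Since equations (5)-(9) are not reproduced on this page, the following forms are assumptions of this example: the abstract centrality is the unweighted in-degree plus out-degree; the severity of vertex *i* sums 1/(1 + *L*) over every simple path from *i* to each critical vertex, with *L* the number of intermediate vertices; and both updates (7) and (9) scale each outgoing edge of vertex *j* by (1 + rate × normalized score of *j*), capped at 1.0. The edge criticality classes and the critical set {T2, RES} are likewise constructed for illustration.

```python
from collections import defaultdict

# Local weights for the Table 1 criticality classes (values from Section 4.3.2).
LOCAL_WEIGHT = {"very critical": 1.0, "critical": 0.7,
                "semi-critical": 0.4, "non-critical": 0.1}

# Constructed toy map, NOT the paper's Fig. 4: (server, client) -> criticality
# class assigned by the step-1 expert system.  Edges run server -> client.
EDGE_CLASS = {
    ("V1", "OLTC"): "critical",      ("V1", "CVR"): "very critical",
    ("OLTC", "CVR"): "critical",     ("CVR", "VVC"): "semi-critical",
    ("VVC", "CVR"): "semi-critical", ("VVC", "T2"): "very critical",
    ("R1", "RES"): "very critical",  ("RES", "DG1"): "critical",
    ("CVR", "HMI"): "non-critical",
}
CRITICAL = {"T2", "RES"}   # constructed operator choice of action-taking vertices


def step1_local_weights(edge_class):
    """Step 1: purely local, one-step-ahead weights from the expert classes."""
    return {edge: LOCAL_WEIGHT[cls] for edge, cls in edge_class.items()}


def abstract_centrality(edges):
    """Step 2 input (assumed form): C*(v) = in-degree + out-degree, weights ignored."""
    deg = defaultdict(int)
    for src, dst in edges:
        deg[src] += 1       # out-degree of the server
        deg[dst] += 1       # in-degree of the client
    return dict(deg)


def normalize(values):
    """Min-max scale a {vertex: score} dict to [0, 1] (constant maps -> all 0)."""
    lo, hi = min(values.values()), max(values.values())
    if hi == lo:
        return {v: 0.0 for v in values}
    return {v: (s - lo) / (hi - lo) for v, s in values.items()}


def strengthen_outgoing(weights, score_hat, rate):
    """Assumed update form for (7) and (9): every outgoing edge of vertex j is
    scaled by (1 + rate * score_hat[j]) and capped at 1.0."""
    return {(src, dst): min(1.0, w * (1.0 + rate * score_hat[src]))
            for (src, dst), w in weights.items()}


def intermediate_counts(succ, start, goal):
    """Yield, for every simple path start -> goal, the number of intermediate
    vertices on it (the path-length definition used in step 3)."""
    stack = [(start, [start])]
    while stack:
        v, path = stack.pop()
        for nxt in succ[v]:
            if nxt == goal:
                yield len(path) - 1
            elif nxt not in path:           # keep paths simple (no cycles)
                stack.append((nxt, path + [nxt]))


def severity(edges, critical):
    """Step 3 input (assumed form): S_i = sum over critical k and paths p of
    1 / (1 + L^p_(i,k)); shorter and more numerous paths raise S_i."""
    succ, vertices = defaultdict(list), set()
    for src, dst in edges:
        succ[src].append(dst)
        vertices.update((src, dst))
    return {v: sum(1.0 / (1 + L) for k in critical if k != v
                   for L in intermediate_counts(succ, v, k))
            for v in vertices}


def derive_weights(edge_class, critical, beta=0.20, eta=0.20):
    """Run steps 1-3 and return the final (server, client) -> weight map."""
    w1 = step1_local_weights(edge_class)
    w2 = strengthen_outgoing(w1, normalize(abstract_centrality(w1)), beta)
    return strengthen_outgoing(w2, normalize(severity(w2, critical)), eta)


if __name__ == "__main__":
    for (src, dst), w in sorted(derive_weights(EDGE_CLASS, CRITICAL).items()):
        print(f"{src:>4} -> {dst:<4} {w:.3f}")
```

Running the block prints the final weights. Note how the same local class ends up with different global weights: OLTC → CVR and RES → DG1 both start as "critical" (0.7), but only the former lies on a path to a critical vertex and is raised to 0.784, while the latter stays at 0.735. Choosing β or η too large pushes many edges onto the 1.0 cap, which is the overestimation risk discussed in Section 6.2.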

### 4.4. Discussion

It can be seen that relative independence is ensured between the three steps of the algorithm. This is necessary, because part of the information that is obtained from the expert system is subjective, and should not interfere with the other two steps that are graph-dependent.

Validation of the FCM output can be done using the historical data on past failures in the system. Of course, if desired, part of the historical data can be used for updating the weights, as shown in [44]. Here, the available data can be divided into independent training and testing batches to evaluate the efficiency of the training algorithm. However, training using historical data is not adopted here due to the fact that its availability in sufficiently large scale is often unlikely.

## 5. Case study

The system studied in this article is a modified version of the IEEE 34-bus test distribution system [45]. For the purpose of this study, the system has been expanded by adding fixed and switched capacitors, reclosing switches, distributed generation (DG) units, on-load tap changer (OLTC) with line drop compensation (LDC), and various metering IEDs across the feeder and the laterals (Fig. 3).

It is assumed that the system is equipped with an advanced distribution automation (DA) system consisting of functions for conservation voltage reduction (CVR), voltage and var control (VVC), electric service restoration (RES), and DG dispatch. These interrelated functions share services from different devices:

- CVR: receives voltages from the end-of-lateral meters (*V*_{6} and *V*_{7} in this example) and, based on the current through the OLTC, *I*_{1}, and the substation voltage *V*_{1}, regulates the LDC settings so that no voltage across the system drops below the ANSI low limit. It also receives relevant data from VVC.
- VVC: controls the settings of the tap changers *T*_{2}, *T*_{3} and the switched capacitors *C*_{S1}, *C*_{S2} in order to minimize losses. The capacitor switches are equipped with a point-on-wave switching scheme. The function consults the network configuration, which is itself updated based on the statuses of the reclosing switches, among other things.
- RES: manages the reclosing switches *R*_{1}, *R*_{2} and *R*_{3} across the system in the event of a disturbance. For proper performance, the function is updated based on the output of the DG units DG_{1} and DG_{2}, and on the power flow meters at certain locations of the feeder, i.e., *I*_{1}, *I*_{2}, *I*_{3} and *I*_{4}.
- DG Dispatch: regulates and manages the power generated by the DG units DG_{1} and DG_{2} based on economic and environmental considerations, as well as on requirements from the RES function.

It can be seen that even this simple example portrays various levels of interdependencies between different DA applications, to an extent that they make visual assessment of system integrity very difficult, if not impractical. The initial structure of the FCM for the system in Fig. 3 has been developed based on the presumed interrelations (flow of data and communication services) between different components (Fig. 4).

The arrows shown in the diagram denote the direction of impact/dependence, i.e., A

A few examples are provided to indicate the effectiveness of the proposed methodology. For all use cases, the matrix **W** is built from the weights of the FCM (Fig. 4). Simulations have been performed in the MATLAB^{®} environment. The system starts from the healthy state (all zeroes) except for the vertices that are considered to experience a failure. The state update equation (2) is repeated in a loop until the impact of the unhealthy vertices has propagated across the whole system, i.e., the loop is iterated as many times as the length of the longest path originating from the unhealthy vertex.
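The following Python block is an added example (not the article's MATLAB simulation) of the loop just described and of the state equation of Section 3.1, run on a constructed six-vertex map rather than the Fig. 4 model. Since equation (2) is not reproduced on this page, the update is assumed to be *x*_{i} ← *f*(Σ_{j} *w*_{ij} *x*_{j}) with *f*(*z*) = tanh(λ*z*) and λ = 1, which keeps a healthy vertex at 0; vertices declared failed are pinned at 1.0, and the loop runs as many times as the number of edges on the longest simple path from the failed vertex.

```python
import math
from collections import defaultdict

# Constructed toy map, NOT the paper's Fig. 4: (server, client) -> weight.
# DG1 feeds VVC but receives nothing, so a failure elsewhere cannot reach it.
EDGES = {
    ("V1", "OLTC"): 0.7, ("V1", "CVR"): 1.0, ("OLTC", "CVR"): 0.7,
    ("CVR", "VVC"): 0.4, ("VVC", "CVR"): 0.4, ("VVC", "HMI"): 0.7,
    ("CVR", "HMI"): 0.7, ("DG1", "VVC"): 0.4,
}
VERTICES = ["V1", "OLTC", "CVR", "VVC", "HMI", "DG1"]


def weight_matrix(vertices, edges):
    """W[i][j] = w_ij, the weight of the edge from server j to client i (Section 3.1)."""
    idx = {v: k for k, v in enumerate(vertices)}
    W = [[0.0] * len(vertices) for _ in vertices]
    for (src, dst), w in edges.items():
        W[idx[dst]][idx[src]] = w
    return W


def longest_path_from(edges, start):
    """Number of edges on the longest simple path leaving `start`; this is the
    iteration count the case study uses for the update loop."""
    succ = defaultdict(list)
    for src, dst in edges:
        succ[src].append(dst)
    best = 0
    stack = [(start, {start}, 0)]
    while stack:
        v, seen, depth = stack.pop()
        best = max(best, depth)
        for nxt in succ[v]:
            if nxt not in seen:             # simple paths only, cycles are skipped
                stack.append((nxt, seen | {nxt}, depth + 1))
    return best


def propagate(vertices, edges, failed, lam=1.0):
    """Repeat the assumed state update x_i <- tanh(lam * sum_j w_ij x_j) until the
    failure has had time to traverse the longest path from its source.  Failed
    vertices are pinned at 1.0 (full failure); all others start at 0 (healthy)."""
    idx = {v: k for k, v in enumerate(vertices)}
    W = weight_matrix(vertices, edges)
    n = len(vertices)
    x = [0.0] * n
    for v in failed:
        x[idx[v]] = 1.0
    steps = max(longest_path_from(edges, v) for v in failed)
    for _ in range(steps):
        x_prev = x
        x = []
        for i in range(n):
            if vertices[i] in failed:
                x.append(1.0)
            else:
                z = sum(W[i][j] * x_prev[j] for j in range(n))
                x.append(math.tanh(lam * z))
    return dict(zip(vertices, x))


if __name__ == "__main__":
    # Case: the substation voltage meter V1 is declared failed (state 1.0).
    for v, s in propagate(VERTICES, EDGES, {"V1"}).items():
        print(f"{v:<5} {s:.3f}")
```

The vertex DG1 has no incoming edge reachable from the failed meter and therefore stays at 0, which is the "range of impact" boundary illustrated in Section 5.2; OLTC, fed only by V1 over a 0.7 edge, settles at tanh(0.7) ≈ 0.60, while CVR, which also receives OLTC's degraded data, ends higher. A steeper λ drives these values closer to the 0/1 extremes, so the threshold function is part of the calibration discussed in Section 6.2.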

### 5.1. Case study 1: Impact of failures on major functions

The following case studies have been analyzed:

- *Non-Verified Voltage Measurement* V1: voltage meter V1 at the distribution substation indicates a value that has not been updated (not verified).
- *Questionable Recloser Status* R1: the status of recloser R1 is indicated to have questionable data quality, as it has been oscillatory with relatively fast changes.
- *Outdated Tap Position* T2: the tap position of T2 indicates that the upper threshold has been reached, which does not match the expected operation based on engineering judgment (low confidence).
- *Failed Switch* SW1: the switch responsible for controlling switched capacitor CS1 has failed with stuck blades.

Table 2 shows the impact of each case study on some of the main applications within the distribution automation system. The state of each application indicates where it lies in the range of healthy (0) to failure (1). It should be noted that the interpretation of values between 0 and 1 would be subjective; nonetheless, it would provide a qualitative measure of integrity for the application of interest. It can be seen that while some of the conclusions provided in Table 2 are easy to draw based on expert knowledge (e.g., RES would fail if R1 is questionable), others are not easy to infer from the local interrelations (e.g., the impact on DG dispatch and VVC). This is the advantage of the proposed methodology that converts local interrelations to global system-wide impacts.

### 5.2. Case study 2: Range of impact of a failure

It is assumed in this case study that switch SW1 has failed. The goal is to provide an overall view of the system dependability. Colored vertices in Fig. 5 show the range of impact of the failure. It can be seen that the proposed FCM-based solution assists the human operator in detecting what functions/components have been affected by the failure and to what extent. For example, this case study indicates that as a result of failure in SW1, operation of VVC cannot be trusted, which in turn causes the information provided at the HMI to have low confidence or to be questionable. Such a visual overview of system trustworthiness can be extremely beneficial to the operator for making fast decisions during contingencies in order to save the rest of the system. For instance, in this failure scenario, the operator may decide to temporarily deactivate the CVR function so as to avoid instances of non-optimal voltage profile across the distribution system.

## 6. Practical considerations

### 6.1. Scalability

One of the main features in the proposed methodology lies in its ability to model various systems regardless of their size and number of components. In fact, any large system can be modeled as a hierarchical FCM. The key is to decompose the overall system into sub-systems and model each one as an FCM. This would represent the first layer of hierarchy. Each lower layer FCM will then be modeled as an “equivalent vertex” for the FCM at the upper layer (Fig. 6). This allows for masking the dynamics and interrelations of lower layer sub-systems from the upper layers. This way, the operator can first pinpoint which sub-system has been affected by a failure and how this would impact the rest of the sub-systems. If desired, the operator can then study the individual components within that particular sub-system. In theory, there are no limits to the number of the layers defined.

Zhang *et al.* [46] proposed one such solution based on the notion of equivalence relation. In their approach, the set of vertices were first partitioned into blocks, where each block contained a portion of the original FCM. The authors referred to the upper layer as the quotient FCM which was responsible for providing global information about the original system. The sectional FCMs would then provide local information on the interactions and interrelations between vertices.

### 6.2. Reliability and accuracy of the results

The reliability and accuracy of the proposed FCM-based solution depend in part on the accuracy of the initial graph (initial structure and initial weights). This, in turn, depends on the validity of the expert knowledge on the local interrelations between components. Once the correct initial graph is in place, the graph-theoretic rules modify the "local" solution into a "global" one. However, in achieving that goal, the learning rate parameters in equations (7) and (9) play an important role, and if chosen incorrectly they may lead to solutions that overestimate or underestimate the impact of failures. These parameters should therefore be assigned carefully, typically starting from low values and gradually increasing them until reasonable outcomes are achieved. In the absence of historical data on past failures in the system, heuristic selection of these parameters is the only option. However, if such data exist (even if incomplete and partial), they can be used as training data to validate the output of the FCM and to adjust the learning rate parameters as necessary.

## 7. FCM adaptation

### 7.1. Structural changes to the FCM

Many automation systems may undergo structural changes and modifications as time passes. New components may be installed and/or current components may be upgraded with extended sensing and actuation capabilities. In the context of the logical interconnections mapped by the FCM, this indicates one or more additional vertices.

The following steps need to be undertaken to incorporate a new vertex into the FCM model:

1. Create the new edges connecting the new vertex to the existing vertices. The direction of these edges is determined by the flow of data and services,
2. Initialize the weights for all edges according to the definition in Table 1. All edges connecting the existing vertices to the new vertex receive a new initial weight,
3. Recalculate the abstract centrality for all vertices according to (6),
4. Normalize the new abstract centrality values based on the new minimum and maximum values,
5. Update the initial weights for all edges according to (7),
6. Recalculate the severity index *S*_{i} for all vertices according to (8),
7. Finally, update all the weights according to (9).

When components (or their sensing/actuation functionalities) are removed from the system, one can either remove the corresponding vertices from the graph and follow the steps above, or simply remove the corresponding entries of the state vector **X** and the rows/columns of the matrix **W** associated with that vertex.

### 7.2. Training the FCM

In this article, it was assumed that historical data on the past incidents in the system are not available and therefore the weights were only created and adjusted based on heuristic and graph-theoretic rules. However, it is possible that partial data be available on some past instances of failure in the system. This data may be obtained from post mortem analysis following a disturbance, and may be in the form of “when component *x* failed, components *y* and *z*, and applications *a* and *b* failed (completely or partially) as a result.” In all likelihood, this data will be qualitative. If sufficient expert knowledge is readily available to quantify the level and severity of these past failures then the data can be used for updating all or some of the weights of the edges. Two common scenarios are possible: supervised learning and unsupervised learning. For an overview of these two approaches, the reader is referred to [41].

#### 7.2.1. Supervised learning

In this case, for the given input data, the actual values of the system states X_{actual} will be compared with the desired values X_{desired}. The difference between the two vectors will determine the direction of update in the weights. One algorithm may be expressed as:

where α is a learning rate parameter, which can be customized for each individual edge. For other variations of supervised learning, see [48-52].

#### 7.2.2. Unsupervised learning

Unsupervised learning methods adjust the weights of the FCM without any knowledge of the desired target values of the vertices. As such, this approach is more appropriate for cases where the desired system states are not known exactly (or at least not known in a quantified fashion). Many unsupervised learning schemes are based on Hebb's learning rule, where the change in the synaptic weight *w*_{ij} linking vertices *j* and *i* is expressed as a function of the signal flows before and after the link:

In order to solve the instability issues, Oja modified the rule as [53]:

In essence, this method tries to strengthen the link between two vertices whose state values move in the same direction, and weaken the link should they move in opposite directions (e.g. one increases while the other decreases). For other variants of unsupervised learning, see [54-57].
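As an added illustration (not code from the article), the following Python block contrasts the two unsupervised rules on a single client vertex *i* fed by two server vertices, using constructed constant pre-link signals. Since the two equations are not reproduced on this page, the textbook forms are assumed: Hebb, Δ*w*_{ij} = η *y* *x*_{j}, and Oja, Δ*w*_{ij} = η *y* (*x*_{j} − *y* *w*_{ij}), with *y* = Σ_{j} *w*_{ij} *x*_{j} the post-link signal.

```python
import math

# Constructed pre-link signals x_j of two server vertices feeding one client
# vertex i, chosen with unit norm so that Oja's fixed point is x itself.
X = [0.6, 0.8]
W0 = [0.1, 0.1]      # initial link weights w_ij


def post_link(w, x):
    """Post-link signal of the client vertex: y = sum_j w_ij x_j."""
    return sum(wj * xj for wj, xj in zip(w, x))


def hebb_step(w, x, eta):
    """Plain Hebbian rule (assumed textbook form): dw_ij = eta * y * x_j."""
    y = post_link(w, x)
    return [wj + eta * y * xj for wj, xj in zip(w, x)]


def oja_step(w, x, eta):
    """Oja's rule (assumed textbook form): dw_ij = eta * y * (x_j - y * w_ij).
    The -y*w_ij term pulls ||w|| back towards 1 and removes Hebb's runaway growth."""
    y = post_link(w, x)
    return [wj + eta * y * (xj - y * wj) for wj, xj in zip(w, x)]


def train(rule, w0, x, eta=0.05, steps=2000):
    """Apply `rule` repeatedly to the same pre-link signal; return the final weights."""
    w = list(w0)
    for _ in range(steps):
        w = rule(w, x, eta)
    return w


def norm(w):
    return math.sqrt(sum(v * v for v in w))


if __name__ == "__main__":
    print("Hebb ||w|| =", norm(train(hebb_step, W0, X)))
    print("Oja  w     =", [round(v, 4) for v in train(oja_step, W0, X)])
```

Under the Hebbian rule the weight vector grows without bound (after 2000 steps its norm is of order 10^41), which is the instability Oja's correction removes: the same run with Oja's rule converges to unit norm, aligned with the input direction (0.6, 0.8). For an FCM this bound matters because the weights are meant to stay within the range the threshold function *f* expects, so an unbounded rule would eventually saturate every state it feeds.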

## 8. Concluding remarks

Latest advances in sensor and actuator technology have made them attractive and, at the same time, affordable for large scale deployment across automation systems. The benefits of improved observability and controllability come at the price of having a more complex system of interrelated components, where failure of one may cause many others to fail or become degraded. System integrity assessment in this case requires a thorough analysis of the scope of impact of component failures. However, the potentially large number of components may prevent human operators from efficiently interpreting and identifying failure impact.

A solution was proposed in this article for providing situational awareness and dependability assessment of components within an automation system that is exposed to partial failure. A combination of expert rule-base and graph-theoretic approaches were used to develop a cognitive map of global interdependencies in the system. Expert knowledge was first used to create an initial directional and weighted graph model of the automation system based on the interrelations between components and their local (one-step ahead) impacts on one another. In this model, a component is modeled as a vertex of the graph, and an edge between two vertices would indicate the existence and direction of flow of data/services between them. This model was then modified based on the assessment of centrality and criticality of different vertices in the graph. This way, the local solution that was developed by a human expert would be converted into a global solution that considers the overall system performance.

By reproducing the fault activation pattern, the proposed solution can provide additional situational awareness for the system operator during or in the aftermath of a fault, and can be used for static as well as dynamic verification of system dependability. It was shown through simulation results that the proposed solution allows the system operator to identify the range of impact of a failure on the overall system and determine what parts of the system remain trustworthy and dependable.