PSA research in SAFIR2014. NPSAG meeting, Vattenfall, Berlin, February 2-3, 2011. Jan-Erik Holmberg, VTT Technical Research Centre of Finland
2 SAFIR2014 The Finnish Research Programme on Nuclear Power Plant Safety 2011-2014 http://virtual.vtt.fi/virtual/safir2014/
3 SAFIR2014 scope: largely the same as the previous SAFIR programme (2007-2010), http://virtual.vtt.fi/virtual/safir2010/
Research areas:
1. Man, organisation and society
2. Automation and control room
3. Fuel and reactor physics
4. Thermal hydraulics
5. Severe accidents
6. Structural safety of reactor circuit
7. Construction safety
8. Probabilistic safety analysis (PSA)
4 The objectives of SAFIR2010 and the preceding national research programmes on nuclear power plant safety
To ensure basic preparedness in the nuclear safety area in Finland, by ensuring that we have the proper expertise and the proper methods
To enhance basic preparedness via education and training in the research projects, for both new and experienced experts: about 150 persons work in the programme annually, but practically all of them also do contract work or other projects, since the programme volume is 45-50 person-years per year
To act as an important network: domestic, via the steering and reference groups with some 90 persons from the end users (STUK, TVO, Fortum, VTT, others); international, via information on and decisions about international projects (OECD/NEA and others)
5 Organisation and quality management of SAFIR2014
Steering Group: steering and strategic planning
Reference Groups and ad hoc groups: strategic planning in the area and scientific guidance
SAFIR2014 management handbook
Projects: project realisation according to the management system of the research organisation
6 VTT in SAFIR2010
VTT is the coordination unit
VTT is the main/responsible partner in 26 out of the 30 research projects in 2008 (25 out of 30 in 2007)
VTT has a key role in the funding of VTT's SAFIR projects, contributing EUR 2.48 million in 2008 (EUR 2.37 million in 2007)
7 SAFIR funding
The funding structure was reshaped by a change of legislation, prepared by the Ministry of Employment and the Economy (TEM); the change took effect on 1 January 2004
Funding by TEM, STUK and the utilities was replaced by funding from a separate fund administered within VYR (Valtion Ydinjätehuoltorahasto, State Nuclear Waste Management Fund)
Funding is collected into the VYR fund from the Finnish utilities Fortum and TVO per MWth (currently EUR 240/MWth) according to their operation/construction permits
The new permits for TVO and Fennovoima mean a significant increase in VYR funding for 2011
8 Projects
The Steering Group presents an annual proposal to the ministry for the VYR-financed set of research projects: 8 areas and more than one project per area
One- or several-year projects, each a real project (beginning, end, deliverables)
Annual decisions on funding, with a promise system for the coming years
Project plans are updated yearly for the call for proposals
Funding structure: VYR / other funding. Research institutions and organisations conducting technological research can get at most 60 % of the total cost of a project from VYR funding; universities can get at most 100 % of the marginal cost of a project
9 SAFIR2014 application process
Applications for 2011 were submitted at the end of October and evaluated by the reference groups
The steering group made its decisions in December, which in practice is decisive for the VYR funding allocation
The final decision by the Ministry is made in March
It is always possible to complement the projects with external funding
10 Important contract aspects
The rules of the SAFIR framework programme must be followed: financing rules, publication of results, IPR issues
Otherwise similar flexibility as e.g. in NKS projects
Each project year runs from 1 January to 31 January of the following year
Financing must be applied for every year (like NKS)
Reports must be finalised by the end of January
11 SAFIR2010 Final Seminar, March 10-11, Espoo, Hanasaari (the ASAMPSA2 meeting will be held March 7-9 at Fortum)
The call will be sent out very soon
Open to all organisations; language of presentations is English; no fee
12 PSA-related projects in 2011(-2014)
PRADA (PRA development and application)
SARANA (Safety evaluation and reliability analysis of nuclear automation)
LARGO (Risk assessment of large fire loads); Simo Hostikka participates in the NBSG meeting
EXWE (Extreme weather and nuclear power plants)
SESA (Seismic safety of nuclear power plants)
RAIPSYS (RI-ISI analyses and inspection reliability of piping systems)
...
13 PRADA: PRA development and application, 2011 subprojects
1. Phenomena probability modelling: human reliability method development; passive system reliability
2. Level 2 and 3 PRA: dynamic Level 2 PRA; ASAMPSA2 (final year of the Euratom FP7 project)
3. PRA crosscutting subjects: imprecise probabilities in PRA; risk communication
14 Human reliability method development
Nordic-German collaboration: EXAM-HRA method comparison and development of guidelines and requirements; NKS and NPSAG funding applied for
VTT's own method development on the definition and assessment of performance shaping factors
Other international co-operation: WGRISK task(s) on HRA; follow-up of the international HRA benchmarking study (Halden)
15 Passive system reliability
2011: pre-study on the state of the art and applicable methods; the issue was researched at the beginning of the decade
Link to the dynamic PSA subproject and to the SAFIR project on thermal hydraulics of severe accidents (behaviour of the passive condenser)
16 Dynamic (Level 2) PRA
Collaboration with KTH; NKS funding applied for (but not received)
Develop methods for modelling and analysing complex event sequences, e.g. Level 2 severe accident phenomena: combined deterministic/probabilistic modelling of phenomena, with tools such as MELCOR, MAAP and STUK PSA
Objectives for 2011: review the state of the art in combined deterministic/dynamic-probabilistic (DPSA) analyses; identify priorities for further development of DPSA tools from the perspective of Nordic industry and regulatory needs; develop a plan for collaborative activities between KTH and VTT in 2012-2014
17 Imprecise probabilities in PRA
To be performed mainly by Aalto University (formerly Helsinki University of Technology)
Probabilities are expressed as confidence intervals in fault tree analysis, and the risk associated with the failure of a component is evaluated with traditional risk measures; the result of this approach is a dominance ranking rather than a point-valued ranking
Aalto University has applied this method to portfolio optimisation problems, e.g. allocation of road maintenance resources
A computational environment for the method is implemented and the method is applied to realistic test data from a fault tree of a nuclear facility
18 Risk communication
2011: pre-study, a literature review of practices and guidance on risk communication in the areas of reactor safety, spent nuclear fuel management and radiation safety
A plan for future work on this topic will be made for 2012-2014
As international co-operation is important in this field, participation in e.g. Nordic seminars will also be aimed at in future work
Note: KTH is interested in making a proposal on this topic
19 SARANA: Safety evaluation and reliability analysis of nuclear automation
In order to enhance the collaboration between PSA and automation experts, PSA-related research on automation and the formal model checking research have been put in the same project (feedback from the SAFIR2010 evaluation)
The general objective is to develop methods and tools for the safety and reliability analysis of digital systems and to use them in practical case studies
Plant-level, system-architecture-level and component-level issues will all be addressed
20 Model checking
Model checking is a set of methods for analysing whether a model of a system fulfils its specification by examining all of its possible behaviours
The state space is a graph whose nodes represent the reachable states of the system and whose edges represent state transitions
In symbolic model checking this graph is represented very compactly, as formulas over the state variables, rather than explicitly node by node; explicit-state checkers enumerate the reachable states directly
21 SARANA subprojects 2011 (proposal)
1. Plant level modelling: 1.1 Safety assessment of plant design concepts; 1.2 Architecture-level modelling; 1.3 Applicability of different techniques and abstraction levels in modelling
2. Digital systems reliability: 2.1 Guidelines for reliability analysis of digital systems in the PRA context; 2.2 Use of IEC 61508 in nuclear applications regarding software reliability; 2.3 Probabilistic model checking; 2.4 Development of the reliability analysis tool YADRAT
3. Model checking of complex safety automation: 3.1 Formal analysis of large systems; 3.2 System level interfaces and timing issues
22 Safety assessment of plant design concepts
The task aims at bringing together deterministic and probabilistic analyses for the safety assessment of plant designs
The project aims at compiling a description of the state of the art regarding the integrated use of PSA and DSA, e.g. based on related work within NPSAG, IAEA etc.
More specifically, developing joint concepts and example models is seen as an approach that can also support the training of new nuclear safety experts
In 2011 the task starts with a pre-study, including a compilation of the state of the art on the integrated use of DSA and PSA, to be discussed in a Nordic workshop
The work is planned to start as Finnish-Swedish co-operation with Scandpower as a partner
23 Architecture-level modelling
Single-fault tolerance has been analysed using model checking; the possible faults in these models were measurement faults, represented as fault bits or as changes in the signal's values
Physical faults such as faults in telecommunication links, microprocessor faults, and electrical faults influencing all equipment in a cabinet were out of scope in the previous fault-tolerance models
The aim of the sub-task is to determine how model checking could be used in the analysis of high-level architecture descriptions
Another objective is to find out whether high-abstraction-level architecture models can be combined with detailed models of the function blocks of the automation systems
24 Applicability of different techniques and abstraction levels in modelling
There are several techniques (e.g. simulation, testing, PRA and model checking) for analysing the safety of I&C systems in nuclear power plants
These techniques are used in different phases of the plant lifecycle and consider various aspects of I&C safety at different abstraction levels
The problem is that basically each approach requires its own model, modelling techniques and software tools, which are typically not compatible
Additionally, the interfaces between the techniques are unclear, and it is difficult to use the results of one technique as input for another
The aim of this task is a pre-study on how the different modelling approaches and tools are used, and how well they suit the safety and reliability analysis of I&C in the different phases of the lifecycle
25 Guidelines for reliability analysis of digital systems in the PRA context
The objective of the task is to provide guidelines for analysing and modelling digital systems in the PRA context using traditional reliability analysis methods (FMEA, fault tree analysis)
1) Nordic activity aiming at developing guidelines for reliability analysis of digital systems in the PSA context
2) WGRISK task on best practice guidelines on failure modes taxonomy for reliability assessment of digital I&C systems for PSA
VTT together with the Swedish PSA consultant Risk Pilot leads both activities
Work in 2011 is carried out through a series of international working meetings where experts in the field jointly prepare the guidelines
To support the preparation of the guidelines, a fictive example of a digital I&C system of a nuclear power plant will be developed
26 Use of IEC 61508 in nuclear applications regarding software reliability
The task aims at exploring which methods presented in IEC 61508 could be applicable in the PSA domain
Is the use of SIL a way to determine the failure probability of software used in NPP applications? What is the appropriate way of defining a function with a SIL requirement?
Which parts of the risk-based approach of IEC 61508 could be applicable in the nuclear probabilistic domain, also taking IEC 61513, 60880, 62138 and 61226 into consideration?
Nordic co-operation: Scandpower applies for funding from the Swedish partners of the Nordic PSA Group
2011: a pre-study, interviewing Nordic experts about the use of IEC 61508, 61513, 60880, 62138 and 61226; establishing a European network and contacts with related projects and activities; organising a Nordic workshop
27 Probabilistic model checking
To be carried out by Aalto University
Model checking methods have been efficiently employed for checking the functional behaviour of various subsystems: basic functionality as well as analysis of timing behaviour
The goal is to investigate how model checking models can be enriched with probabilistic information in order to also do Markov chain based analysis, using probabilistic model checkers that contain such functionality
The goal is not only to find faulty behaviours but also to estimate their probabilities
The basic idea is to investigate how close to probability-based reliability estimates the methods can get when starting from an analysis made by model checking; the ways of combining these two complementary methods will also be examined
2011: a state-of-the-art pre-study report on probabilistic model checking tools, continuing in 2012 with a larger volume of work on a case study
The most promising probabilistic symbolic model checking tool is PRISM, developed at Oxford University
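An added example (Python, not PRISM and not project code) of the Markov chain analysis a probabilistic model checker performs once a model carries transition probabilities: bounded and unbounded reachability of an unsafe state, i.e. the probabilities behind properties of the form "P[F target]" and "P[F<=k target]". The five-state discrete-time Markov chain of one digital I&C channel and its transition probabilities are constructed for the illustration; exact rationals are used so the results can be checked by hand.

```python
"""Probabilistic reachability in a discrete-time Markov chain (DTMC).

Added example, not PRISM or SARANA code. The channel model below is constructed.
"""
from fractions import Fraction as F

# Constructed DTMC of one digital I&C channel: a fault is either caught by the
# self-test (fail-safe shutdown) or propagates to an unsafe output. Rows sum to 1.
DTMC = {
    "ok":        {"ok": F(99, 100), "fault": F(1, 100)},
    "fault":     {"detected": F(8, 10), "dangerous": F(1, 10), "ok": F(1, 10)},
    "detected":  {"safe": F(1)},
    "dangerous": {"dangerous": F(1)},   # absorbing: unsafe state
    "safe":      {"safe": F(1)},        # absorbing: fail-safe shutdown
}


def bounded_reach(chain, target, k):
    """P(reach target within k steps) from every state, by backward iteration
    x_{i+1}(s) = sum_t P(s,t) * x_i(t), with x(target) fixed to 1."""
    x = {s: F(int(s == target)) for s in chain}
    for _ in range(k):
        x = {s: F(1) if s == target else sum(p * x[t] for t, p in row.items())
             for s, row in chain.items()}
    return x


def solve(a, b):
    """Gauss-Jordan elimination over Fractions for a square system a x = b."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = next(r for r in range(col, n) if m[r][col] != 0)
        m[col], m[piv] = m[piv], m[col]
        pv = m[col][col]
        m[col] = [v / pv for v in m[col]]
        for r in range(n):
            if r != col and m[r][col] != 0:
                f = m[r][col]
                m[r] = [rv - f * cv for rv, cv in zip(m[r], m[col])]
    return [m[i][n] for i in range(n)]


def unbounded_reach(chain, target):
    """P(eventually reach target). States that cannot reach the target get 0, the
    target gets 1, and the remaining states satisfy x = Q x + b, a linear system."""
    can = {target}                       # backward closure: states that can reach target
    changed = True
    while changed:
        changed = False
        for s, row in chain.items():
            if s not in can and any(t in can for t in row):
                can.add(s)
                changed = True
    unknown = [s for s in chain if s in can and s != target]
    a = [[F(int(i == j)) - chain[s].get(t, F(0)) for j, t in enumerate(unknown)]
         for i, s in enumerate(unknown)]
    b = [chain[s].get(target, F(0)) for s in unknown]
    x = dict(zip(unknown, solve(a, b)))
    return {s: F(1) if s == target else x.get(s, F(0)) for s in chain}


if __name__ == "__main__":
    print("P[F dangerous] from ok:", unbounded_reach(DTMC, "dangerous")["ok"])
    print("P[F<=2 dangerous] from ok:", bounded_reach(DTMC, "dangerous", 2)["ok"])
```

With the constructed numbers the unbounded probability of ever reaching the unsafe state from "ok" is exactly 1/9 (the chain keeps returning to "ok" after a cleared fault, which is why a plain sum over paths would not terminate and a linear solve is needed), while the two-step bounded probability is 1/1000. This is the kind of quantitative answer a functional model checking result (a state is reachable) cannot give on its own.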
28 Development of the reliability analysis tool YADRAT
The Dynamic Flowgraph Methodology (DFM) is a promising approach for the reliability analysis of digital instrumentation and control systems
The YADRAT tool developed at VTT is based on interpreting the DFM model as a Binary Decision Diagram (BDD)
The algorithms for BDD computation are well studied, but scalability is a problem: the size of a BDD depends strongly on the variable ordering and can grow exponentially in the worst case
The aim of this task is to study aspects of reliability theory in the domain of DFM and BDD modelling
Additionally, the aim is to compare the computational efficiency and scalability of two BDD-based computation algorithms and to study new approaches, e.g. propositional satisfiability (SAT), to support the BDD-based algorithms and increase the scalability of YADRAT
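An added worked example (Python; not YADRAT code and not the Aalto method) of the BDD-based evaluation that this slide refers to, and of the interval-valued probabilities of slide 17: a small reduced ordered BDD is built from an AND/OR fault tree, the exact top-event probability is computed by Shannon expansion over the diagram, and interval bounds are obtained by evaluating a coherent tree at the lower and at the upper basic-event probabilities. The two-train fault tree with a shared support_power event and all probabilities are constructed for the example; the naive gate-by-gate calculation is included only to show why a shared event needs an exact method.

```python
"""Fault tree evaluation with a reduced ordered BDD.

Added example, not YADRAT code and not the Aalto method. Event names, gate
structure and probabilities are constructed for illustration.
"""
from itertools import count


class BDD:
    """Minimal ROBDD: terminals are 0 and 1, internal nodes are (var, low, high)."""

    def __init__(self, order):
        self.rank = {v: i for i, v in enumerate(order)}   # fixed variable ordering
        self.nodes, self.unique, self.memo = {}, {}, {}
        self.ids = count(2)

    def mk(self, var, low, high):
        if low == high:                 # eliminate redundant tests
            return low
        key = (var, low, high)
        if key not in self.unique:      # unique table: equal sub-diagrams are shared
            self.unique[key] = next(self.ids)
            self.nodes[self.unique[key]] = key
        return self.unique[key]

    def apply(self, op, u, v):
        """Combine two diagrams by Shannon expansion on the topmost variable."""
        key = (op, u, v)
        if key in self.memo:
            return self.memo[key]
        if u < 2 and v < 2:
            r = u & v if op == "AND" else u | v
        else:
            top = min((self.nodes[x][0] for x in (u, v) if x >= 2), key=self.rank.get)

            def cof(x, i):              # cofactor: i=1 low branch, i=2 high branch
                return self.nodes[x][i] if x >= 2 and self.nodes[x][0] == top else x
            r = self.mk(top, self.apply(op, cof(u, 1), cof(v, 1)),
                        self.apply(op, cof(u, 2), cof(v, 2)))
        self.memo[key] = r
        return r

    def build(self, tree):
        """tree is a basic-event name or ("AND"|"OR", child, child, ...)."""
        if isinstance(tree, str):
            return self.mk(tree, 0, 1)
        gate, *kids = tree
        acc = self.build(kids[0])
        for k in kids[1:]:
            acc = self.apply(gate, acc, self.build(k))
        return acc

    def prob(self, u, p, cache=None):
        """Exact probability that the function is 1:
        P(node) = (1 - p[var]) * P(low) + p[var] * P(high); shared nodes are counted once."""
        cache = {} if cache is None else cache
        if u < 2:
            return float(u)
        if u not in cache:
            var, low, high = self.nodes[u]
            cache[u] = (1 - p[var]) * self.prob(low, p, cache) + p[var] * self.prob(high, p, cache)
        return cache[u]


def basic_events(tree):
    return [tree] if isinstance(tree, str) else [e for k in tree[1:] for e in basic_events(k)]


def exact_probability(tree, p):
    bdd = BDD(list(dict.fromkeys(basic_events(tree))))   # order events by first occurrence
    return bdd.prob(bdd.build(tree), p)


def naive_gate_probability(tree, p):
    """Gate-by-gate propagation that treats gate inputs as independent; wrong whenever
    a basic event (e.g. a shared support system) appears under more than one gate."""
    if isinstance(tree, str):
        return p[tree]
    gate, *kids = tree
    out = 1.0
    for q in (naive_gate_probability(k, p) for k in kids):
        out *= q if gate == "AND" else 1 - q
    return out if gate == "AND" else 1 - out


def probability_interval(tree, p_lo, p_hi):
    """Interval-valued top-event probability. A coherent tree (AND/OR only) has a
    monotone structure function, so evaluating at all lower and all upper bounds
    gives the exact interval endpoints."""
    return exact_probability(tree, p_lo), exact_probability(tree, p_hi)


# Constructed example: two redundant trains that share one support-system event.
TOP = ("AND", ("OR", "pump_A", "support_power"), ("OR", "pump_B", "support_power"))
P = {"pump_A": 0.01, "pump_B": 0.01, "support_power": 0.001}
P_LO = {"pump_A": 0.005, "pump_B": 0.005, "support_power": 0.0005}
P_HI = {"pump_A": 0.02, "pump_B": 0.02, "support_power": 0.002}

if __name__ == "__main__":
    print("exact   ", exact_probability(TOP, P))
    print("naive   ", naive_gate_probability(TOP, P))
    print("interval", probability_interval(TOP, P_LO, P_HI))
```

For the constructed numbers the BDD gives P(top) = P(support_power) + (1 - P(support_power)) P(pump_A) P(pump_B) = 0.0010999, while the gate-by-gate product underestimates it by roughly a factor of nine because it double-counts independence of the shared event; the interval evaluation returns [0.0005249875, 0.0023992]. The monotonicity shortcut used for the interval is only valid for coherent trees; with NOT gates or non-coherent logic the extreme points can lie in the interior of the box and a proper interval analysis is needed.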
29 Formal analysis of large systems
Applying model checking methods in a straightforward manner is not always possible for large and complex systems, because the behaviour of the models becomes too rich (the state explosion problem)
State space explosion can be controlled by more efficient modelling techniques, e.g. a technique based on the modular structure of the model, in which the model is over-approximated by leaving the behaviour of some of the modules out of consideration (their outputs are then unconstrained)
The over-approximated model can be used to deduce the truth value of the property in the original, precise model: because the over-approximation contains every behaviour of the original, a property that must hold on all behaviours (e.g. a safety or invariant property) and is TRUE in the over-approximated model is also TRUE in the original model
If the over-approximated model does not fulfil the property, the counterexample given by the model checker may be spurious and must be verified in the original model
The objective of the task is to create an automatic modular algorithm that iteratively searches for a composition of modules that is at the same time computationally manageable and covers enough modules to prove the fulfilment of temporal properties in the original model
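The modular over-approximation loop described on this slide, on top of the explicit-state view of model checking from slide 20, as an added example in Python (not SARANA or VTT code). It assumes a toy synchronous protection-logic model with constructed module names (sensors, voter, alarm, latch, actuator) and Boolean variables. Leaving a module out makes its outputs unconstrained; a TRUE invariant in the abstraction is accepted as a proof for the full model, and an abstract counterexample is replayed on the full model before it is believed, with the modules producing the free inputs of the current composition added when it turns out to be spurious.

```python
"""Explicit-state invariant checking with modular over-approximation.

Added example, not SARANA/VTT code. Module names, variables and the toy
protection-logic model are constructed for illustration.
"""
from collections import deque
from itertools import product

# A module is (outputs, reads, step). step(state) returns the next values of its
# outputs; step=None marks an environment module whose outputs are free inputs.
VARS = ("s1", "s2", "trip", "alarm", "latch", "act")
MODULES = {
    "sensors":  (("s1", "s2"), (), None),                        # free environment inputs
    "voter":    (("trip",), ("s1", "s2"),                        # 1-out-of-2 voting
                 lambda st: {"trip": st["s1"] or st["s2"]}),
    "alarm":    (("alarm",), ("alarm", "s1", "s2"),              # latched alarm
                 lambda st: {"alarm": st["alarm"] or st["s1"] or st["s2"]}),
    "latch":    (("latch",), ("latch", "trip"),                  # trip latch
                 lambda st: {"latch": st["latch"] or st["trip"]}),
    "actuator": (("act",), ("latch",),                           # actuation follows the latch
                 lambda st: {"act": st["latch"]}),
}
INIT = {v: False for v in VARS}
ENV = ("s1", "s2")


def owned(modules):
    """Variables computed by a step function in this composition."""
    return {v for outs, _, step in modules.values() if step is not None for v in outs}


def successors(modules, state):
    """Synchronous step: included modules compute their outputs; every other
    variable is free and ranges over both truth values (the over-approximation)."""
    nxt = dict(state)
    for _, _, step in modules.values():
        if step is not None:
            nxt.update(step(state))
    free = sorted(set(VARS) - owned(modules))
    for vals in product((False, True), repeat=len(free)):
        nxt.update(zip(free, vals))
        yield frozenset(nxt.items())


def check_invariant(modules, prop):
    """BFS over reachable states. Returns (True, None) or (False, trace to a violation)."""
    start = frozenset(INIT.items())
    parent = {start: None}
    queue = deque([start])
    while queue:
        s = queue.popleft()
        if not prop(dict(s)):
            trace = []
            while s is not None:
                trace.append(dict(s))
                s = parent[s]
            return False, trace[::-1]
        for t in successors(modules, dict(s)):
            if t not in parent:
                parent[t] = s
                queue.append(t)
    return True, None


def replay(trace, prop):
    """Verify an abstract counterexample on the full model: re-run all modules with
    the trace's environment inputs; the counterexample is real iff prop is violated."""
    state = dict(INIT)
    for abstract in trace[1:]:
        nxt = dict(state)
        for _, _, step in MODULES.values():
            if step is not None:
                nxt.update(step(state))
        for v in ENV:
            nxt[v] = abstract[v]
        state = nxt
        if not prop(state):
            return True
    return False


def modular_check(prop, prop_vars):
    """Start from the modules owning the property's variables. TRUE in the
    over-approximation proves the full model; a spurious counterexample adds the
    modules that produce the free variables read by the current composition."""
    included = {m for m, (outs, _, _) in MODULES.items() if set(outs) & set(prop_vars)}
    while True:
        sub = {m: MODULES[m] for m in included}
        holds, trace = check_invariant(sub, prop)
        if holds:
            return True, frozenset(included), None
        if replay(trace, prop):
            return False, frozenset(included), trace
        needed = {v for m in included for v in MODULES[m][1]} - owned(sub)
        grow = {m for m, (outs, _, step) in MODULES.items() if step and set(outs) & needed}
        if not grow:
            raise RuntimeError("spurious counterexample with nothing left to refine")
        included |= grow


if __name__ == "__main__":
    print(modular_check(lambda st: not st["act"] or st["latch"], ("act", "latch")))
    print(modular_check(lambda st: not st["act"] or st["alarm"], ("act", "alarm")))
    print(modular_check(lambda st: not st["latch"] or st["trip"], ("latch", "trip")))
```

The three calls exercise the three outcomes: "act implies latch" is proved with only two of the five modules; "act implies alarm" produces two spurious counterexamples (the free latch, then the free trip input can be set arbitrarily) before the voter is pulled in and the property is proved without ever modelling the sensors; "latch implies trip" yields a counterexample that the replay confirms on the full model, because a latched trip outlives the sensor signal that caused it. The abstraction is sound only for properties quantified over all behaviours, as the slide's argument requires; an existential property could be TRUE in the over-approximation and false in the original.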
30 System level interfaces and timing issues in model checking
To be carried out mainly by Aalto University
In distributed systems where the subsystems use different clock signals, signals do not always carry over from one part of the system to another within a single clock cycle, as has usually been assumed
The goal is to develop methods that allow subsystems, each operating on its own clock, to be modelled accurately, and also to model explicitly the delays induced by the data transmission interfaces between subsystems
Asynchronous features are to be handled by creating more detailed models, closer to the real implementation, that can detect e.g. potential faulty behaviours caused by signal delays that were not detectable with models ignoring such details of asynchrony and inter-subsystem delays
This poses new scaling challenges to the model checking methods employed