
    Methodologies synthesis

    This deliverable deals with the modelling and analysis of interdependencies between critical infrastructures, focussing attention on two interdependent infrastructures studied in the context of CRUTIAL: the electric power infrastructure and the information infrastructures supporting management, control and maintenance functionality. The main objectives are: 1) investigate the main challenges to be addressed for the analysis and modelling of interdependencies, 2) review the modelling methodologies and tools that can be used to address these challenges and support the evaluation of the impact of interdependencies on the dependability and resilience of the service delivered to the users, and 3) present the preliminary directions investigated so far by the CRUTIAL consortium for describing and modelling interdependencies

    DETAM for accident sequence analysis

    Includes bibliographical references (pages 133-138). Final report. Supported by the United States Nuclear Regulatory Commission, NRC-04-88-14.

    Specification and use of component failure patterns

    Safety-critical systems are typically assessed for their adherence to specified safety properties. They are studied down to the component level to identify the root causes of any hazardous failures. Most recent work on model-based safety analysis has focused on improving system modelling techniques and the algorithms used for automatic analysis of failure models. However, few developments have been made to improve the scope of reusable analysis elements within these techniques. The failure behaviour of components in these techniques is typically specified in a way that limits the applicability of such specifications across applications. The thesis argues that, by allowing more general expressions of failure behaviour, identifiable patterns of failure behaviour for use within safety analyses could be specified and reused across systems and applications where the conditions that allow such reuse are present. This thesis presents a novel Generalised Failure Language (GFL) for the specification and use of component failure patterns. Current model-based safety analysis methods are investigated to examine the scope and the limits of achievable reuse within their analyses. One method, HiP-HOPS, is extended to demonstrate the application of GFL and the use of component failure patterns in the context of automated safety analysis. A managed approach to performing reuse is developed alongside the GFL to create a method for more concise and efficient safety analysis. The method is then applied to a simplified fuel supply system and a vehicle braking system, as well as to a set of legacy models that have previously been analysed using classical HiP-HOPS. The proposed GFL method is finally compared against classical HiP-HOPS, and in the light of this study the benefits and limitations of the approach are discussed in the conclusions.

    Analysis of MBLOCA and LBLOCA success criteria in VVER-1000/V320 reactors. New proposals for PSA Level 1

    The specific configuration of the safety systems in VVER-1000/V320 reactors allows a comprehensive study of the Loss of Coolant Accident (LOCA). In the present paper, a verification of the success criteria of the event tree headers for the medium and large break LOCA sequences is conducted. A detailed TRACEV5P5 thermal-hydraulic model of the reactor has been developed, including all safety systems. When analyzing the results of all sequences, some conservatism is observed in certain specific configurations, as the success criterion of some headers is not consistent with the classic PSA Level 1. Therefore, new proposals for the LOCA event trees are made, based on a reconfiguration of the LOCA break ranges and the use of the expanded event trees approach.

    Study of fault-tolerant software technology

    Presented is an overview of the current state of the art of fault-tolerant software and an analysis of quantitative techniques and models developed to assess its impact. It examines research efforts as well as experience gained from commercial application of these techniques. The paper also addresses the computer architecture and design implications on hardware, operating systems and programming languages (including Ada) of using fault-tolerant software in real-time aerospace applications. It concludes that fault-tolerant software has progressed beyond the pure research state. The paper also finds that, although not perfectly matched, newer architectural and language capabilities provide many of the notations and functions needed to effectively and efficiently implement software fault-tolerance

    Historical review of fire safety at NPP and application of fire PSA to Westinghouse PWR NPP in the frame of risk-informed decision making by

    The importance of fire as a potential initiator of multiple-system failures took on a new perspective after the cable-tray fire at Browns Ferry in 1975. The review has shown that, for the first generation of Nuclear Power Plants (NPPs), fire safety was not treated as a high-risk area that needed to be effectively assessed and quantified. This resulted in the development of peculiar fire safety regulations, standards and expensive backfits. In the absence of appropriate regulations and effective methods of fire risk assessment, prescriptive, difficult and expensive retrofit regulations were instituted in the USA. The alternative risk-informed, performance-based regulation was established in the USA to resolve the challenges of the prescriptive rules. The review has revealed that neither the prescriptive nor the risk-informed, performance-based approach represents an adequate design basis for new Nuclear Power Plants. Japan was drawn onto the path of renewing its fire safety regulations and risk quantification after the Fukushima accident. It has been recognized that effective fire safety assessment and culture, in concert with countermeasures to prevent, detect, suppress and mitigate the effect of fires if they occur, will minimize NPP fire risk. Among the numerous recommendations, fire safety at an NPP must be planned and engineered before construction begins, using state-of-the-art technology. Also, the methods of fire risk assessment must integrate state-of-the-art deterministic and probabilistic approaches. Two methods are presented which serve to incorporate fire-related risk into the current practices in nuclear power plants with respect to the assessment of configurations. The first method is a fire protection systems and key safety functions Unavailability Matrix (UM), which is developed to identify structures, systems and components significant for fire-related risk. 
The second method is a fire zones and key safety functions (KSFs) fire risk matrix, which is useful for identifying fire zones that are candidates for risk management actions. The UM is an innovative tool to communicate fire risk. The Monte Carlo method has been used to assess the uncertainty of the UM. The analysis shows that the uncertainty is sufficiently bounded. The significant fire-related risk is localized in six KSF representative components and one fire protection system, which should be included in the maintenance rule. The unavailability of fire protection systems does not significantly affect the risk. The fire risk matrix identifies the fire zones that contribute the most to the fire-related risk. These zones belong to the control building and the electric penetrations building. The aggregation of the Internal Events PSA model and the Fire PSA model has shown that the Fire PSA contributes 38.4% to the risk increase. A feasibility study of developing a fire-related Risk Monitor from the Fire PSA for the Spanish NPP was carried out. One of the main challenges is that the RiskSpectrum® fire PSA has 384 fire cases and 384 CDFs, whereas the Risk Monitor requires a single CDF. However, CAFTA is unable to convert the sequential fault tree structure of the internal event tree in the Fire PSA. The conversion fails to implement either all of the sequences leading to core damage or the fault tree selection of the fire frequency. The proposal is to suppress exchange events and introduce the alignment of the consequences, so that a unique core damage result can be quantified. The detection and fire suppression event trees in the reference model were replaced by detection and fire extinction fault trees. The frequency of each fire case of the conversion model and of the reference model is quantified and the frequencies are compared. The results show that 90% of the cases are valid; the rest, however, have challenges with MCS. 
A unique CDF of 7.65×10⁻⁷ is quantified, compared with 9.83×10⁻⁶ for the reference. The conversion of the new model in CAFTA was not successful due to software incompatibility.

    Comparative Analysis of Nuclear Event Investigation Methods, Tools and Techniques

    Feedback from operating experience is one of the key means of enhancing nuclear safety and operational risk management. The effectiveness of learning from experience at NPPs could be maximised if the best event investigation practices available from a series of methodologies, methods and tools were promoted in the form of a ‘toolbox’ approach. Based on available sources of technical, scientific, normative and regulatory information, an inventory, review and brief comparative analysis of information concerning event investigation methods, tools and techniques, either indicated or already used in the nuclear industry (with some examples from other high-risk industry areas), was performed in this study. Its results, including the advantages and drawbacks identified for the different instruments, preliminary recommendations and conclusions, are covered in this report. The results of the comparative analysis of nuclear event investigation methods, tools and techniques presented in this interim report are of a preliminary character. It is assumed that, for the generation of more concrete recommendations concerning the selection of the most effective and appropriate methods and tools for event investigation, new data from experienced practitioners in the nuclear industry and/or regulatory institutions are needed. It is planned to collect such data using the questionnaire prepared and the survey currently underway. This is the second step in carrying out an inventory of, reviewing, comparing and evaluating the most recent data on developments and systematic approaches in event investigation used by organisations (mainly utilities) in the EU Member States. Once the data from this survey are collected and analysed, the final recommendations and conclusions will be developed and presented in the final report on this topic. 
This should help current and prospective investigators to choose the most suitable and efficient event investigation methods and tools for their particular needs.
    JRC.DDG.F.5 - Safety of present nuclear reactors

    Security Evaluation of Substation Network Architectures

    In recent years, the security of industrial control systems has been a main research focus due to the potential cyber-attacks that can impact physical operations. As a result of these risks, there has been an urgent need to establish stronger security protection against these threats. Conventional firewalls with stateful rules can be deployed in the critical cyberinfrastructure environment, but they may require constant updates. Despite the ongoing effort to maintain the rules, this protection mechanism does not restrict all malicious data flows, and it poses a greater risk of potential intrusion. The contributions of this thesis are motivated by the aforementioned issues and include a systematic investigation of attack-related scenarios within a substation network from a reliability perspective. The proposed work is two-fold: (i) system architecture evaluation and (ii) construction of an attack tree for a substation network. Cyber-system reliability remains one of the important factors in determining the system bottleneck for investment planning and maintenance. It determines the longevity of the system's operational period with or without any disruption. First, existing implementations are exhaustively enumerated, covering existing (bidirectional) communication architectures and new, strictly unidirectional ones. A detailed model of the extended set of 10 system architectures has been evaluated. Next, attack tree modeling for potential substation threats is formulated. This quantifies the potential risks for possible attack scenarios within a network or from external networks. The analytical models proposed in this thesis can serve as a fundamental development that can be researched further.

    Guideline for Trustworthy Artificial Intelligence -- AI Assessment Catalog

    Artificial Intelligence (AI) has made impressive progress in recent years and represents a key technology that has a crucial impact on the economy and society. However, it is clear that AI and business models based on it can only reach their full potential if AI applications are developed according to high quality standards and are effectively protected against new AI risks. For instance, AI bears the risk of unfair treatment of individuals when processing personal data, e.g. to support credit lending or staff recruitment decisions. The emergence of these new risks is closely linked to the fact that the behavior of AI applications, particularly those based on Machine Learning (ML), is essentially learned from large volumes of data and is not predetermined by fixed programmed rules. Thus, the issue of the trustworthiness of AI applications is crucial and is the subject of numerous major publications by stakeholders in politics, business and society. In addition, there is broad agreement that the requirements for trustworthy AI, which are often described in an abstract way, must now be made clear and tangible. One challenge to overcome here is that the specific quality criteria for an AI application depend heavily on the application context, and the possible measures to fulfill them in turn depend heavily on the AI technology used. Lastly, practical assessment procedures are needed to evaluate whether specific AI applications have been developed according to adequate quality standards. This AI assessment catalog addresses exactly this point and is intended for two target groups: firstly, it provides developers with a guideline for systematically making their AI applications trustworthy; secondly, it guides assessors and auditors on how to examine AI applications for trustworthiness in a structured way.

    Real-time Prediction of Cascading Failures in Power Systems

    Blackouts in power systems cause major financial and societal losses, which necessitates devising better prediction techniques specifically tailored to detecting and preventing them. Since blackouts begin as a cascading failure (CF), early detection of these CFs gives operators ample time to stop the cascade from propagating into a large-scale blackout. In this thesis, a real-time load-based prediction model for CFs using phasor measurement units (PMUs) is proposed. The proposed model provides load-based predictions; therefore, it has the advantages of being applicable as a controller input and of providing operators with better information about the affected regions. In addition, it can aid in visualizing the effects of the CF on the grid. To extend the functionality and robustness of the proposed model, prediction intervals are incorporated based on the convergence width criterion (CWC) to allow the model to account for the uncertainties of the network, which was not available in previous works. Although this model addresses many issues in previous works, it has limitations in both scalability and the capturing of transient behaviours. Hence, a second model based on a recurrent neural network (RNN) long short-term memory (LSTM) ensemble is proposed. The RNN-LSTM is added to better capture the dynamics of the power system while also giving faster responses. To accommodate the scalability of the model, a novel selection criterion for inputs is introduced to minimize the inputs while maintaining high information entropy. The criteria include the distance between buses as per graph theory, the centrality of the buses with respect to the fault location, and the information entropy of the bus. These criteria are merged using higher statistical moments to reflect the importance of each bus and to generate indices that describe the grid with a smaller set of inputs. 
The results indicate that this model has the potential to provide more meaningful and accurate results than what is available in the previous literature and can be used as part of the integrated remedial action scheme (RAS) system either as a warning tool or a controller input as the accuracy of detecting affected regions reached 99.9% with a maximum delay of 400 ms. Finally, a validation loop extension is introduced to allow the model to self-update in real-time using importance sampling and case-based reasoning to extend the practicality of the model by allowing it to learn from historical data as time progresses