Presentazione standard di PowerPoint · (Very) Short BIO Education • B.Mus Conservatory degree (2006) • B.Sc in Energy Engineering, Politecnico di Milano (2004) • M.Sc in Nuclear

Risk Assessment

Francesco Di Maio, PhD

Dipartimento di Energia

Politecnico di Milano

(Very) Short BIO

Education

• B.Mus Conservatory degree (2006)

• B.Sc in Energy Engineering, Politecnico di Milano (2004)

• M.Sc in Nuclear Engineering, Politecnico di Milano (2006)

• Double-PhD in Energy and Nuclear Science and Technology

Politecnico di Milano and Tsinghua University (China) (2010)

Laboratory of Analysis of Signal and Analysis of Risk (LASAR)

Research context

Maintenance &

PHM

Logistics &

Operations

Reliability &

Availability

Vulnerability &

Risk

Laboratory of Analysis of Signal and Analysis of Risk


Research context

Maintenance &

PHM

Logistics &

Operations

Reliability &

Availability

Vulnerability &

Risk

• Energy distribution systems

• Nuclear Power Plants (NPPs)

• Renewable Energy

• Oil&Gas (O&G)

• Transportation

• …


Research context

Large amount of deployed algorithms

(more than 25yrs R&D)

Maintenance &

PHM

Logistics &

Operations

Reliability &

Availability

• Logic and Physical modeling: FT, ET, …

• MC Simulation: SS, LS, PF, …

• Classification, regression and prediction:

NN, DL, RC, SVM, …

• Uncertainty and sensitivity analysis:

VD, KL, HD, …

• Optimization: GA, DE

• Decision making: PDA, RL, …

FT=Fault Tree; ET=Event Tree; MC=Monte Carlo;

SS=Subset Sampling; LS= Line Sampling; PF=Particle

Filtering; NN= Neural Network; DL=Deep Learning;

RC= Reservoir Computing; SVM=Support Vector Machine;

VD=Variance Decomposition; KL=Kullback-Leibler;

HD=Hellinger Distance; PDA=Portfolio Decision Analysis;

RL=Reinforcement Learning; GA=Genetic Algorithms;

DE=Differential Evolution

Vulnerability &

Risk

• Energy distribution systems

• Nuclear Power Plants (NPPs)

• Renewable Energy

• Oil&Gas (O&G)

• Transportation

• …



Risk Assessment: Foundations

c

Risk is conditioned on Knowledge

Probabilistic Risk Assessment (PRA): Foundations

Systematic framework of analysis aimed at identifying accidental scenarios

(Si) and quantifying their consequences (Ci) and probabilities (Pi)

Initiating

Event (IE)

P(A)

P(B)

P(A)

P(B)

= )(P eventPi

IE A B

S1 OK

S2 OK

S3 Failure

P1

P2

P3=P(A) P(B)

System:

Condition monitoring → Condition Based PRA (CB-PRA)

Time (t)

(PRA)

Fa

ilure

pro

ba

bili

ty

Time (t)

Initiating

Event (IE)

IE A B

t=τt=0

t=τ

System:

Plant configuration change


Time (t)


(PRA)

Fa

ilure

pro

ba

bili

ty

Time (t)

Φ(t)

Time (t)

Initiating

Event (IE)

IE A B

t=τt=0

t=τ

System:


**

P(A’|Φ(t))

P(B|Φ(t))

Time (t)

(PRA)

Fa

ilure

pro

ba

bili

ty

P(A’|Φ(t))

P(B|Φ(t))

Time (t)

Φ(t)

Time (t)

***

Time (t)

S1 OK

S2 OK

S3 Failure

Initiating

Event (IE)

P1

P2

IE A

t=τt=0

B

P3

t=τt=0

t=τ

* *

System:



**

P(A’|Φ(t))

P(B|Φ(t))

Time (t)

(PRA)

Fa

ilure

pro

ba

bili

ty

P(A’|Φ(t))

P(B|Φ(t))

(CB-PRA)

Time (t)

Φ(t)

Time (t)

***

decision making

(life extension, maintenance,

operation, …)

Time (t)

S1 OK

S2 OK

S3 Failure

Initiating

Event (IE)

P1

P2

IE A

t=τt=0

B

P3

t=τt=0

P(Failure|Φ(t))

t=τ

* *

System:


Condition Based PRA (CB-PRA): remarks

ADVANTAGES:

• Aging and degradation are considered

• Variable operational conditions are considered

• Effects of plant configurations changes are

considered

• Requires optimal placing of sensors

• Computationally burdensome

o Data management

o Data mining

LIMITATIONS:

Case study: CB-PRA for Spontaneous Steam Generator Tube

Rupture (SGTR) accident scenario

!!!!!!

!!!



Spontaneous

rupture of a SG

tube due to the

Stress

Corrosion

Cracking (SCC)

phenomenon,

during normal

operating

condition



Time (t)

Spontaneous

rupture of a SG

tube due to the

Stress

Corrosion

Cracking (SCC)

phenomenon,

during normal

operating

condition

Tube rupture critical length

Time (t)

P(Core Damage | Ø(t))

= Core Damage Frequency(Ø(t))

Objective:

Φ(t

) =

Cra

ck len

gtt

h



ONSET

Crack onset

probability is

modelled by a

Weibull

distributionCycle

2 4 6 8 10 12 14 16 18 20

Onset

Pro

bab

ility

0

0.05

0.1

0.15

0.2

0.25

0.3

0.35

On

se

t p

rob

abili

tyTime [inspection cycle]

Φ(t

) =

Cra

ck len

gth

Time (t)

The SCC failure mechanism: crack onset model

ONSET

Crack onset

probability is

modelled by a

Weibull

distributionCycle

2 4 6 8 10 12 14 16 18 20

Onset

Pro

bab

ility

0

0.05

0.1

0.15

0.2

0.25

0.3

0.35

On

se

t p

rob

abili


Φ(t

) =

Cra

ck len

gth

Time (t)

FORMATION

Crack onset

length is

modelled by a

normal

distribution

The SCC failure mechanism: crack onset&formation model

Φ(t

) =

Cra

ck len

gth

Time (t)

ONSET

Crack onset

probability is

modelled by a

Weibull

distribution

On

se

t p

rob

abili


FORMATION

Crack onset

length is

modelled by a

normal

distribution

Cycle

2 4 6 8 10 12 14 16 18 20

Onset

Pro

bab

ility

0

0.05

0.1

0.15

0.2

0.25

0.3

0.35

Propagation length (0.1 mm)

PROPAGATION

Propagation is modelled with the

Scott model (that depends on

the operating conditions, such

as pressure)

The SCC failure mechanism: crack propagation model

The overall SCC ModelΦ

(t)

= C

rack len

gth

Time (t)

ONSET

Crack onset

probability is

modelled by a

Weibull

distribution

On

se

t p

rob

abili


FORMATION

Crack onset

length is

modelled by a

normal

distribution

Cycle

2 4 6 8 10 12 14 16 18 20

Onset

Pro

bab

ility

0

0.05

0.1

0.15

0.2

0.25

0.3

0.35

Propagation length (0.1 mm)

Tube rupture critical lengthPressure [MPa]

0 10 20 30 40 50 60 70 80

Critic

al L

eng

th [

mm

]

0

10

20

30

40

50

60

70

pre

ssu

re PROPAGATION

Propagation is modelled with the

Scott model (that depends on

the operating conditions, such

as pressure)

The SGTR frequency estimation by CB-PRA approach

Cycle (t)


Φ(t

) =

Cra

ck len

gth

Pre

ssu

re

Pressure [MPa]

0 10 20 30 40 50 60 70 80

Crit

ical

Len

gth

[mm

]

0

10

20

30

40

50

60

70

Critical crack length

Set the nominal

operating

conditions and

evaluate the

critical crack

length

NRC plugging threshold

Cycle (t)

Φ(t

) =

Cra

ck len

gth

Pre

ssu

re

Set the nominal

operating

conditions and

evaluate the

critical crack

length

Pressure [MPa]

0 10 20 30 40 50 60 70 80

Crit

ical

Len

gth

[mm

]

0

10

20

30

40

50

60

70


Simulate the

onset,

formation and

propagation of

cracks in the

tubes bundle




Cycle (t)

Φ(t

) =

Cra

ck len

gth

Pre

ssu

re

Set the nominal

operating

conditions and

evaluate the

critical crack

length

Pressure [MPa]

0 10 20 30 40 50 60 70 80

Crit

ical

Len

gth

[mm

]

0

10

20

30

40

50

60

70


Simulate the

onset,

formation and

propagation of

cracks in the

tubes bundle



Plug tubes

exceeding the NRC

plugging threshold,

and update the

operating

conditions


Cycle (t)

Operational

variation (e.g.

power demand)

Total pressure

Φ(t

) =

Cra

ck len

gth

Pre

ssu

re

Set the nominal

operating

conditions and

evaluate the

critical crack

length

Pressure [MPa]

0 10 20 30 40 50 60 70 80

Crit

ical

Len

gth

[mm

]

0

10

20

30

40

50

60

70




Plug tubes

exceeding the NRC

plugging threshold,

and update the

operating

conditions

Simulate the

onset,

formation and

propagation of

cracks in the

tubes bundle


MODEL

Cycle (t)

Total pressure

Simulate the stochastic crack evolutions

throughout the following operation time

(predictive modeling)

Cra

ck le

ngth

Φ(t

) =

Cra

ck len

gth

Pre

ssu

re

Set the nominal

operating

conditions and

evaluate the

critical crack

length

Fin

al c

rack le

ngth

0.0

10

.02

0.0

30

.04

0.0

50

.06

0.0

7

Probability [%]

5

10

15

20

25

30

35

40

PDF

(crack length)

Time


Operational

variation (e.g.

power demand)


Plug tubes

exceeding the NRC

plugging threshold,

and update the

operating

conditions

Simulate the

onset,

formation and

propagation of

cracks in the

tubes bundle


MODEL

Cycle (t)

Total pressureSimulate the stochastic crack evolutions

throughout the following operation time

(predictive modeling)

Calculate the probability of exceeding the tube

critical length

Cra

ck le

ngth

Φ(t

) =

Cra

ck len

gth

Pre

ssu

re

Set the nominal

operating

conditions and

evaluate the

critical crack

length

Fin

al c

rack le

ngth

0.0

10

.02

0.0

30

.04

0.0

50

.06

0.0

7

Probability [%]

5

10

15

20

25

30

35

40

PDF

(crack length)

Time


Operational

variation (e.g.

power demand)


Plug tubes

exceeding the NRC

plugging threshold,

and update the

operating

conditions

Simulate the

onset,

formation and

propagation of

cracks in the

tubes bundle


Pressure [MPa]

0 10 20 30 40 50 60 70 80

Crit

ical

Len

gth

[mm

]

0

10

20

30

40

50

60

70

…

…

Fa

ilure

fre

qu

en

cy

Update the SGTR

frequency (upon

plant configuration

changes (i.e. number

of plugged tubes))

Cycle (t)

Operational

variation (e.g.

power demand)

Total pressure

Φ(t

) =

Cra

ck len

gth

Pre

ssu

re

Set the nominal

operating

conditions and

evaluate the

critical crack

length




Plug tubes

exceeding the NRC

plugging threshold,

and update the

operating

conditions

Simulate the

onset,

formation and

propagation of

cracks in the

tubes bundle


MODEL

Cycle (t)

Cra

ck le

ngth

Φ(t

) =

Cra

ck len

gth

Pre

ssu

re

Set the nominal

operating

conditions and

evaluate the

critical crack

length

Fin

al c

rack le

ngth

0.0

10

.02

0.0

30

.04

0.0

50

.06

0.0

7

Probability [%]

5

10

15

20

25

30

35

40

PDF

(crack length)

Time


Operational

variation (e.g.

power demand)


Plug tubes

exceeding the NRC

plugging threshold,

and update the

operating

conditions

Simulate the

onset,

formation and

propagation of

cracks in the

tubes bundle

LOW?

Total pressure

Decide whether to plug or not the tube


Cycle (t)

Operational

variation (e.g.

power demand)

Total pressure

Φ(t

) =

Cra

ck len

gth

Pre

ssu

re

Set the nominal

operating

conditions and

evaluate the

critical crack

length

Pressure [MPa]

0 10 20 30 40 50 60 70 80

Crit

ical

Len

gth

[mm

]

0

10

20

30

40

50

60

70




Plug tubes

exceeding the NRC

plugging threshold,

and update the

operating

conditions

Simulate the

onset,

formation and

propagation of

cracks in the

tubes bundle


MODEL

Cycle (t)

Cra

ck le

ngth

Φ(t

) =

Cra

ck len

gth

Pre

ssu

re

Set the nominal

operating

conditions and

evaluate the

critical crack

length

Final crack length

0.01

0.02

0.03

0.04

0.05

0.06

0.07

Probability [%]5

10

15

20

25

30

35

40

PDF

(crack length)

Time


Operational

variation (e.g.

power demand)


Plug tubes

exceeding the NRC

plugging threshold,

and update the

operating

conditions

Simulate the

onset,

formation and

propagation of

cracks in the

tubes bundle

HIGH?

Total pressure


Decide whether to plug or not the tube

Cycle (t)

Operational

variation (e.g.

power demand)

Total pressure

Φ(t

) =

Cra

ck len

gth

Pre

ssu

re

Set the nominal

operating

conditions and

evaluate the

critical crack

length

Pressure [MPa]

0 10 20 30 40 50 60 70 80

Crit

ical

Len

gth

[mm

]

0

10

20

30

40

50

60

70




Plug tubes

exceeding the NRC

plugging threshold,

and update the

operating

conditions

Simulate the

onset,

formation and

propagation of

cracks in the

tubes bundle


Pressure [MPa]

0 10 20 30 40 50 60 70 80

Crit

ical

Len

gth

[mm

]

0

10

20

30

40

50

60

70

…

…

Fa

ilure

fre

qu

en

cy

Periodically update

the SGTR frequency

(upon plant

configuration

changes (i.e. number

of plugged tubes))

Cycle (t)

Operational

variation (e.g.

power demand)

Total pressure

Φ(t

) =

Cra

ck len

gth

Pre

ssu

re

Set the nominal

operating

conditions and

evaluate the

critical crack

length



Plug tubes

exceeding the NRC

plugging threshold,

and update the

operating

conditions

Simulate the

onset,

formation and

propagation of

cracks in the

tubes bundle

Failure


CB-PRA

0

Fa

ilure

fre

qu

en

cy

7E-3

Cycle (t)

PRA

Underestimation

Overconservativism

F. Di Maio, F. Antonello, E. Zio, “Condition-Based Probabilistic Safety Assessment of a Spontaneous Steam Generator Tube Rupture Accident

Scenario”, Nuclear Engineering and Design, 326, pp. 41–54, 2018.

• Physical modeling: Stress Corrosion Cracking degradation (Scott model)

• Simulation: MC Simulation embedding Predictive Modeling

• Logic modeling: Event Tree (ET), with condition based update of events probabilities


Cyber → Risk assessment for safety and security

SAFETY SECURITY

Considers components/systems

failures and human errors

Considers (cyber) attacks by

humans

RISK ASSESSMENT

SAFETY SECURITY

Considers components and systems (stochastic) failures

Considers (intentional) cyber-attacks

Probabilities and consequences

on functionality

Uncertainty and consequences on

functionality

RISK ASSESSMENT

SAFETY SECURITY




humans


INTEGRATED RISK ASSESSMENT

for safety and security

RISK ASSESSMENT

SAFETY SECURITY

Considers components and systems (stochastic) failures

Considers (intentional) cyber-attacks

Probabilities and consequences

on functionality

Uncertainty and consequences on

functionality

SAFETY SECURITY




humans


Risk assessment for safety and security: the GTST-MLD

P(Goal fulfillment)

0

1

The Goal Tree (GT) Success Tree (ST) Master Logic Diagram (MLD) hierarchically

decomposes the system safety goal function into sub-functions, accomplished by

the system components, and impaired by dysfunctional aspects.

Time (t)

Results:

P(Goal fulfillment) P(failure)

0

1

The Goal Tree (GT) Success Tree (ST) Master Logic Diagram (MLD) hierarchically

decomposes the system safety goal function into sub-functions, accomplished by

the system components, and impaired by dysfunctional aspects

Objective:

Time (t)


Results:

Goal function

Sub-function

1Function 1

Sub-function

2

Sub-function

nf…

The Goal Tree (GT) hierarchically

decomposes the system safety goal

function into 𝑛𝑓 sub-functions.


The ST describes the interactions

between the physical elements of the

system.

System

Component

1

Component

2

Component

nc

Support

component 1

…

…

Support

component np

MAIN COMPONENTS

SUPPORT

COMPONENTS


The Influencing Factors (IFs) are

the dysfunctional aspects (i.e.,

components failures & cyber

attacks) that can prevent the

system to achieve the goal function.


The relationships between GT,

ST and IFs are represented by the

Master Logic Diagram (MLD).


The GTST-MLD Risk assessment for safety and security: remarks

ADVANTAGES:

• Intuitive construction of relationships between events

• no need to enumerate all failure scenarios

• Capability of dealing with scarcity of data in defining

events probability

• Expert-based weights assignment


o Data management

LIMITATIONS:

Case study: The Advanced Lead-cooled Fast Reactor European

Demonstrator (ALFRED)

Condenser

Turbine

TL,cold

TL,hot

Gwater

kvhCR pSG

PTh

Tsteam

Water Pump

Attemperator

GattCore

Steam

Generator

Header

Control SystemTsteam

pSG

TL,cold

PTh

kv

Gatt

Gwater

hCR

PI1

PI2

PI3

PI4

Tfeed

Feedforward

Turbine Admission ValveControl

Rods

PMech

Physical System

Note: - sensor

Sensors

Actuators

Controller450oC

180e5Pa

300e6W

400oC

Fuel

assemblies

Main

coolant

pump

Steam

generator

Safety vesselReactor vessel

Wang W., Cammi A., Di Maio F., Lorenzi S., Zio E., “A Monte Carlo-based exploration framework for identifying components vulnerable to cyber

threats in nuclear power plants”, Reliability Engineering and System Safety, 175, pp. 24-37, 2018.

Condenser

Turbine

TL,cold

TL,hot

Gwater

kvhCR pSG

PTh

Tsteam

Water Pump

Attemperator

GattCore

Steam

Generator

Header

Control SystemTsteam

pSG

TL,cold

PTh

kv

Gatt

Gwater

hCR

PI1

PI2

PI3

PI4

Tfeed

Feedforward

Turbine Admission ValveControl

Rods

PMech

Physical System

Note: - sensor

Sensors

Actuators

Controller450oC

180e5Pa

300e6W

400oC

Fuel

assemblies

Main

coolant

pump

Steam

generator

Safety vesselReactor vessel



Case study: The Advanced Lead-cooled Fast Reactor European

Demonstrator (ALFRED)

The GTST-MLD for the ALFRED control system


COMPONENTS

FAILURES

Sensors: bias, drift, wider

noise, freezing

PIs: proportional gain

change, integral gain

change, set point change

Actuators: stuck

CYBER-ATTACKS

Doorknob rattling

STUXNET virus

Key logger

Man in the middle

Denial of Service (DoS)

Message spoofing

Replay

Buffer overflow



The integrated safety and security risk assessment: results

Bounded failure probability

Average failure probability

Average failure probability,

considering only safety-related accidents

• Physical modeling: Modelica (Dymola)

• Logic modeling: GTST-MLD (Goal-Tree Success Tree Master Logic Diagram)

• MC Simulation for uncertainty propagation trough the GTST-MLD

Fa

ilure

pro

ba

bili

tyo

f th

e A

LF

RE

D c

on

tro

l syste

m



Overconservative risk

assessment

Bounded failure probability

Average failure probability

Average failure probability,

considering only safety-related accidents

decision making

(barriers optimization)

PHYSICAL

CYBER

Fa

ilure

pro

ba

bili

tyo

f th

e A

LF

RE

D c

on

tro

l syste

m

• Physical modeling: Modelica (Dymola)

• Logic modeling: GTST-MLD (Goal-Tree Success Tree Master Logic Diagram)

• MC Simulation for uncertainty propagation trough the GTST-MLD

W. Wang, F. Di Maio, E. Zio. “Adversarial Risk Analysis to Allocate Optimal Defense Resources for Protecting Nuclear Power Plants from Cyber

Attack”, Risk Analysis,2019.

The integrated safety and security risk assessment: results

energy grid smart meters electric

car

smart city

smart

factory

Conclusions & Perspectives


car

smart city

smart

factory



o Data management

o Data mining

LIMITATIONS:

→ CB-PRA



car

smart city

smart

factory



o Data management

o Data mining

LIMITATIONS:

→ CB-PRA

• Value of Information (VOI) for

optimal placing of sensors

• Artificial Intelligence (AI)

for predictive modeling



car

smart city

smart

factory

• Expert-based weights assignment


o Data management

→ GTST-MLD

LIMITATIONS:

• Simulation-based weights

assignment

• Artificial Intelligence (AI)

for surrogate modeling

Computationally burdensome



car

smart city

smart

factory


Documents

Presentazione standard di PowerPoint · (Very) Short BIO Education • B.Mus Conservatory degree (2006) • B.Sc in Energy Engineering, Politecnico di Milano (2004) • M.Sc in Nuclear