Upload
others
View
1
Download
0
Embed Size (px)
Citation preview
Risk Assessment
Francesco Di Maio, PhD
Dipartimento di Energia
Politecnico di Milano
(Very) Short BIO
Education
• B.Mus Conservatory degree (2006)
• B.Sc in Energy Engineering, Politecnico di Milano (2004)
• M.Sc in Nuclear Engineering, Politecnico di Milano (2006)
• Double-PhD in Energy and Nuclear Science and Technology
Politecnico di Milano and Tsinghua University (China) (2010)
Laboratory of Analysis of Signal and Analysis of Risk (LASAR)
Research context
Maintenance &
PHM
Logistics &
Operations
Reliability &
Availability
Vulnerability &
Risk
Laboratory of Analysis of Signal and Analysis of Risk
Laboratory of Analysis of Signal and Analysis of Risk (LASAR)
Research context
Maintenance &
PHM
Logistics &
Operations
Reliability &
Availability
Vulnerability &
Risk
• Energy distribution systems
• Nuclear Power Plants (NPPs)
• Renewable Energy
• Oil&Gas (O&G)
• Transportation
• …
Laboratory of Analysis of Signal and Analysis of Risk
Research context
Large amount of deployed algorithms
(more than 25yrs R&D)
Maintenance &
PHM
Logistics &
Operations
Reliability &
Availability
• Logic and Physical modeling: FT, ET, …
• MC Simulation: SS, LS, PF, …
• Classification, regression and prediction:
NN, DL, RC, SVM, …
• Uncertainty and sensitivity analysis:
VD, KL, HD, …
• Optimization: GA, DE
• Decision making: PDA, RL, …
FT=Fault Tree; ET=Event Tree; MC=Monte Carlo;
SS=Subset Sampling; LS= Line Sampling; PF=Particle
Filtering; NN= Neural Network; DL=Deep Learning;
RC= Reservoir Computing; SVM=Support Vector Machine;
VD=Variance Decomposition; KL=Kullback-Leibler;
HD=Hellinger Distance; PDA=Portfolio Decision Analysis;
RL=Reinforcement Learning; GA=Genetic Algorithms;
DE=Differential Evolution
Vulnerability &
Risk
• Energy distribution systems
• Nuclear Power Plants (NPPs)
• Renewable Energy
• Oil&Gas (O&G)
• Transportation
• …
Laboratory of Analysis of Signal and Analysis of Risk
Laboratory of Analysis of Signal and Analysis of Risk (LASAR)
Risk Assessment: Foundations
c
Risk is conditioned on Knowledge
Probabilistic Risk Assessment (PRA): Foundations
Systematic framework of analysis aimed at identifying accidental scenarios
(Si) and quantifying their consequences (Ci) and probabilities (Pi)
Initiating
Event (IE)
P(A)
P(B)
P(A)
P(B)
= )(P eventPi
IE A B
S1 OK
S2 OK
S3 Failure
P1
P2
P3=P(A) P(B)
System:
Condition monitoring → Condition Based PRA (CB-PRA)
Time (t)
(PRA)
Fa
ilure
pro
ba
bili
ty
Time (t)
Initiating
Event (IE)
IE A B
t=τt=0
t=τ
System:
Plant configuration change
Condition monitoring → Condition Based PRA (CB-PRA)
Time (t)
Plant configuration change
(PRA)
Fa
ilure
pro
ba
bili
ty
Time (t)
Φ(t)
Time (t)
Initiating
Event (IE)
IE A B
t=τt=0
t=τ
System:
Condition monitoring → Condition Based PRA (CB-PRA)
**
P(A’|Φ(t))
P(B|Φ(t))
Time (t)
(PRA)
Fa
ilure
pro
ba
bili
ty
P(A’|Φ(t))
P(B|Φ(t))
Time (t)
Φ(t)
Time (t)
***
Time (t)
S1 OK
S2 OK
S3 Failure
Initiating
Event (IE)
P1
P2
IE A
t=τt=0
B
P3
t=τt=0
t=τ
* *
System:
Plant configuration change
Condition monitoring → Condition Based PRA (CB-PRA)
**
P(A’|Φ(t))
P(B|Φ(t))
Time (t)
(PRA)
Fa
ilure
pro
ba
bili
ty
P(A’|Φ(t))
P(B|Φ(t))
(CB-PRA)
Time (t)
Φ(t)
Time (t)
***
decision making
(life extension, maintenance,
operation, …)
Time (t)
S1 OK
S2 OK
S3 Failure
Initiating
Event (IE)
P1
P2
IE A
t=τt=0
B
P3
t=τt=0
P(Failure|Φ(t))
t=τ
* *
System:
Plant configuration change
Condition Based PRA (CB-PRA): remarks
ADVANTAGES:
• Aging and degradation are considered
• Variable operational conditions are considered
• Effects of plant configurations changes are
considered
• Requires optimal placing of sensors
• Computationally burdensome
o Data management
o Data mining
LIMITATIONS:
Case study: CB-PRA for Spontaneous Steam Generator Tube
Rupture (SGTR) accident scenario
!!!!!!
!!!
Case study: CB-PRA for Spontaneous Steam Generator Tube
Rupture (SGTR) accident scenario
Spontaneous
rupture of a SG
tube due to the
Stress
Corrosion
Cracking (SCC)
phenomenon,
during normal
operating
condition
Case study: CB-PRA for Spontaneous Steam Generator Tube
Rupture (SGTR) accident scenario
Time (t)
Spontaneous
rupture of a SG
tube due to the
Stress
Corrosion
Cracking (SCC)
phenomenon,
during normal
operating
condition
Tube rupture critical length
Time (t)
P(Core Damage | Ø(t))
= Core Damage Frequency(Ø(t))
Objective:
Φ(t
) =
Cra
ck len
gtt
h
Case study: CB-PRA for Spontaneous Steam Generator Tube
Rupture (SGTR) accident scenario
ONSET
Crack onset
probability is
modelled by a
Weibull
distributionCycle
2 4 6 8 10 12 14 16 18 20
Onset
Pro
bab
ility
0
0.05
0.1
0.15
0.2
0.25
0.3
0.35
On
se
t p
rob
abili
tyTime [inspection cycle]
Φ(t
) =
Cra
ck len
gth
Time (t)
The SCC failure mechanism: crack onset model
ONSET
Crack onset
probability is
modelled by a
Weibull
distributionCycle
2 4 6 8 10 12 14 16 18 20
Onset
Pro
bab
ility
0
0.05
0.1
0.15
0.2
0.25
0.3
0.35
On
se
t p
rob
abili
tyTime [inspection cycle]
Φ(t
) =
Cra
ck len
gth
Time (t)
FORMATION
Crack onset
length is
modelled by a
normal
distribution
The SCC failure mechanism: crack onset&formation model
Φ(t
) =
Cra
ck len
gth
Time (t)
ONSET
Crack onset
probability is
modelled by a
Weibull
distribution
On
se
t p
rob
abili
tyTime [inspection cycle]
FORMATION
Crack onset
length is
modelled by a
normal
distribution
Cycle
2 4 6 8 10 12 14 16 18 20
Onset
Pro
bab
ility
0
0.05
0.1
0.15
0.2
0.25
0.3
0.35
Propagation length (0.1 mm)
PROPAGATION
Propagation is modelled with the
Scott model (that depends on
the operating conditions, such
as pressure)
The SCC failure mechanism: crack propagation model
The overall SCC ModelΦ
(t)
= C
rack len
gth
Time (t)
ONSET
Crack onset
probability is
modelled by a
Weibull
distribution
On
se
t p
rob
abili
tyTime [inspection cycle]
FORMATION
Crack onset
length is
modelled by a
normal
distribution
Cycle
2 4 6 8 10 12 14 16 18 20
Onset
Pro
bab
ility
0
0.05
0.1
0.15
0.2
0.25
0.3
0.35
Propagation length (0.1 mm)
Tube rupture critical lengthPressure [MPa]
0 10 20 30 40 50 60 70 80
Critic
al L
eng
th [
mm
]
0
10
20
30
40
50
60
70
pre
ssu
re PROPAGATION
Propagation is modelled with the
Scott model (that depends on
the operating conditions, such
as pressure)
The SGTR frequency estimation by CB-PRA approach
Cycle (t)
Tube rupture critical length
Φ(t
) =
Cra
ck len
gth
Pre
ssu
re
Pressure [MPa]
0 10 20 30 40 50 60 70 80
Crit
ical
Len
gth
[mm
]
0
10
20
30
40
50
60
70
Critical crack length
Set the nominal
operating
conditions and
evaluate the
critical crack
length
NRC plugging threshold
Cycle (t)
Φ(t
) =
Cra
ck len
gth
Pre
ssu
re
Set the nominal
operating
conditions and
evaluate the
critical crack
length
Pressure [MPa]
0 10 20 30 40 50 60 70 80
Crit
ical
Len
gth
[mm
]
0
10
20
30
40
50
60
70
Critical crack length
Simulate the
onset,
formation and
propagation of
cracks in the
tubes bundle
Tube rupture critical length
NRC plugging threshold
The SGTR frequency estimation by CB-PRA approach
Cycle (t)
Φ(t
) =
Cra
ck len
gth
Pre
ssu
re
Set the nominal
operating
conditions and
evaluate the
critical crack
length
Pressure [MPa]
0 10 20 30 40 50 60 70 80
Crit
ical
Len
gth
[mm
]
0
10
20
30
40
50
60
70
Critical crack length
Simulate the
onset,
formation and
propagation of
cracks in the
tubes bundle
Tube rupture critical length
NRC plugging threshold
Plug tubes
exceeding the NRC
plugging threshold,
and update the
operating
conditions
The SGTR frequency estimation by CB-PRA approach
Cycle (t)
Operational
variation (e.g.
power demand)
Total pressure
Φ(t
) =
Cra
ck len
gth
Pre
ssu
re
Set the nominal
operating
conditions and
evaluate the
critical crack
length
Pressure [MPa]
0 10 20 30 40 50 60 70 80
Crit
ical
Len
gth
[mm
]
0
10
20
30
40
50
60
70
Critical crack length
Tube rupture critical length
NRC plugging threshold
Plug tubes
exceeding the NRC
plugging threshold,
and update the
operating
conditions
Simulate the
onset,
formation and
propagation of
cracks in the
tubes bundle
The SGTR frequency estimation by CB-PRA approach
MODEL
Cycle (t)
Total pressure
Simulate the stochastic crack evolutions
throughout the following operation time
(predictive modeling)
Cra
ck le
ngth
Φ(t
) =
Cra
ck len
gth
Pre
ssu
re
Set the nominal
operating
conditions and
evaluate the
critical crack
length
Fin
al c
rack le
ngth
0.0
10
.02
0.0
30
.04
0.0
50
.06
0.0
7
Probability [%]
5
10
15
20
25
30
35
40
(crack length)
Time
Tube rupture critical length
Operational
variation (e.g.
power demand)
NRC plugging threshold
Plug tubes
exceeding the NRC
plugging threshold,
and update the
operating
conditions
Simulate the
onset,
formation and
propagation of
cracks in the
tubes bundle
The SGTR frequency estimation by CB-PRA approach
MODEL
Cycle (t)
Total pressureSimulate the stochastic crack evolutions
throughout the following operation time
(predictive modeling)
Calculate the probability of exceeding the tube
critical length
Cra
ck le
ngth
Φ(t
) =
Cra
ck len
gth
Pre
ssu
re
Set the nominal
operating
conditions and
evaluate the
critical crack
length
Fin
al c
rack le
ngth
0.0
10
.02
0.0
30
.04
0.0
50
.06
0.0
7
Probability [%]
5
10
15
20
25
30
35
40
(crack length)
Time
Tube rupture critical length
Operational
variation (e.g.
power demand)
NRC plugging threshold
Plug tubes
exceeding the NRC
plugging threshold,
and update the
operating
conditions
Simulate the
onset,
formation and
propagation of
cracks in the
tubes bundle
The SGTR frequency estimation by CB-PRA approach
Pressure [MPa]
0 10 20 30 40 50 60 70 80
Crit
ical
Len
gth
[mm
]
0
10
20
30
40
50
60
70
…
…
Fa
ilure
fre
qu
en
cy
Update the SGTR
frequency (upon
plant configuration
changes (i.e. number
of plugged tubes))
Cycle (t)
Operational
variation (e.g.
power demand)
Total pressure
Φ(t
) =
Cra
ck len
gth
Pre
ssu
re
Set the nominal
operating
conditions and
evaluate the
critical crack
length
Critical crack length
Tube rupture critical length
NRC plugging threshold
Plug tubes
exceeding the NRC
plugging threshold,
and update the
operating
conditions
Simulate the
onset,
formation and
propagation of
cracks in the
tubes bundle
The SGTR frequency estimation by CB-PRA approach
MODEL
Cycle (t)
Cra
ck le
ngth
Φ(t
) =
Cra
ck len
gth
Pre
ssu
re
Set the nominal
operating
conditions and
evaluate the
critical crack
length
Fin
al c
rack le
ngth
0.0
10
.02
0.0
30
.04
0.0
50
.06
0.0
7
Probability [%]
5
10
15
20
25
30
35
40
(crack length)
Time
Tube rupture critical length
Operational
variation (e.g.
power demand)
NRC plugging threshold
Plug tubes
exceeding the NRC
plugging threshold,
and update the
operating
conditions
Simulate the
onset,
formation and
propagation of
cracks in the
tubes bundle
LOW?
Total pressure
Decide whether to plug or not the tube
The SGTR frequency estimation by CB-PRA approach
Cycle (t)
Operational
variation (e.g.
power demand)
Total pressure
Φ(t
) =
Cra
ck len
gth
Pre
ssu
re
Set the nominal
operating
conditions and
evaluate the
critical crack
length
Pressure [MPa]
0 10 20 30 40 50 60 70 80
Crit
ical
Len
gth
[mm
]
0
10
20
30
40
50
60
70
Critical crack length
Tube rupture critical length
NRC plugging threshold
Plug tubes
exceeding the NRC
plugging threshold,
and update the
operating
conditions
Simulate the
onset,
formation and
propagation of
cracks in the
tubes bundle
The SGTR frequency estimation by CB-PRA approach
MODEL
Cycle (t)
Cra
ck le
ngth
Φ(t
) =
Cra
ck len
gth
Pre
ssu
re
Set the nominal
operating
conditions and
evaluate the
critical crack
length
Final crack length
0.01
0.02
0.03
0.04
0.05
0.06
0.07
Probability [%]5
10
15
20
25
30
35
40
(crack length)
Time
Tube rupture critical length
Operational
variation (e.g.
power demand)
NRC plugging threshold
Plug tubes
exceeding the NRC
plugging threshold,
and update the
operating
conditions
Simulate the
onset,
formation and
propagation of
cracks in the
tubes bundle
HIGH?
Total pressure
The SGTR frequency estimation by CB-PRA approach
Decide whether to plug or not the tube
Cycle (t)
Operational
variation (e.g.
power demand)
Total pressure
Φ(t
) =
Cra
ck len
gth
Pre
ssu
re
Set the nominal
operating
conditions and
evaluate the
critical crack
length
Pressure [MPa]
0 10 20 30 40 50 60 70 80
Crit
ical
Len
gth
[mm
]
0
10
20
30
40
50
60
70
Critical crack length
Tube rupture critical length
NRC plugging threshold
Plug tubes
exceeding the NRC
plugging threshold,
and update the
operating
conditions
Simulate the
onset,
formation and
propagation of
cracks in the
tubes bundle
The SGTR frequency estimation by CB-PRA approach
Pressure [MPa]
0 10 20 30 40 50 60 70 80
Crit
ical
Len
gth
[mm
]
0
10
20
30
40
50
60
70
…
…
Fa
ilure
fre
qu
en
cy
Periodically update
the SGTR frequency
(upon plant
configuration
changes (i.e. number
of plugged tubes))
Cycle (t)
Operational
variation (e.g.
power demand)
Total pressure
Φ(t
) =
Cra
ck len
gth
Pre
ssu
re
Set the nominal
operating
conditions and
evaluate the
critical crack
length
Critical crack length
Tube rupture critical length
Plug tubes
exceeding the NRC
plugging threshold,
and update the
operating
conditions
Simulate the
onset,
formation and
propagation of
cracks in the
tubes bundle
Failure
The SGTR frequency estimation by CB-PRA approach
CB-PRA
0
Fa
ilure
fre
qu
en
cy
7E-3
Cycle (t)
PRA
Underestimation
Overconservativism
F. Di Maio, F. Antonello, E. Zio, “Condition-Based Probabilistic Safety Assessment of a Spontaneous Steam Generator Tube Rupture Accident
Scenario”, Nuclear Engineering and Design, 326, pp. 41–54, 2018.
• Physical modeling: Stress Corrosion Cracking degradation (Scott model)
• Simulation: MC Simulation embedding Predictive Modeling
• Logic modeling: Event Tree (ET), with condition based update of events probabilities
The SGTR frequency estimation by CB-PRA approach
Cyber → Risk assessment for safety and security
SAFETY SECURITY
Considers components/systems
failures and human errors
Considers (cyber) attacks by
humans
RISK ASSESSMENT
SAFETY SECURITY
Considers components and systems (stochastic) failures
Considers (intentional) cyber-attacks
Probabilities and consequences
on functionality
Uncertainty and consequences on
functionality
RISK ASSESSMENT
SAFETY SECURITY
Considers components/systems
failures and human errors
Considers (cyber) attacks by
humans
Cyber → Risk assessment for safety and security
INTEGRATED RISK ASSESSMENT
for safety and security
RISK ASSESSMENT
SAFETY SECURITY
Considers components and systems (stochastic) failures
Considers (intentional) cyber-attacks
Probabilities and consequences
on functionality
Uncertainty and consequences on
functionality
SAFETY SECURITY
Considers components/systems
failures and human errors
Considers (cyber) attacks by
humans
Cyber → Risk assessment for safety and security
Risk assessment for safety and security: the GTST-MLD
P(Goal fulfillment)
0
1
The Goal Tree (GT) Success Tree (ST) Master Logic Diagram (MLD) hierarchically
decomposes the system safety goal function into sub-functions, accomplished by
the system components, and impaired by dysfunctional aspects.
Time (t)
Results:
P(Goal fulfillment) P(failure)
0
1
The Goal Tree (GT) Success Tree (ST) Master Logic Diagram (MLD) hierarchically
decomposes the system safety goal function into sub-functions, accomplished by
the system components, and impaired by dysfunctional aspects
Objective:
Time (t)
Risk assessment for safety and security: the GTST-MLD
Results:
Goal function
Sub-function
1Function 1
Sub-function
2
Sub-function
nf…
The Goal Tree (GT) hierarchically
decomposes the system safety goal
function into 𝑛𝑓 sub-functions.
Risk assessment for safety and security: the GTST-MLD
The ST describes the interactions
between the physical elements of the
system.
System
Component
1
Component
2
Component
nc
Support
component 1
…
…
Support
component np
MAIN COMPONENTS
SUPPORT
COMPONENTS
Risk assessment for safety and security: the GTST-MLD
The Influencing Factors (IFs) are
the dysfunctional aspects (i.e.,
components failures & cyber
attacks) that can prevent the
system to achieve the goal function.
Risk assessment for safety and security: the GTST-MLD
The relationships between GT,
ST and IFs are represented by the
Master Logic Diagram (MLD).
Risk assessment for safety and security: the GTST-MLD
The GTST-MLD Risk assessment for safety and security: remarks
ADVANTAGES:
• Intuitive construction of relationships between events
• no need to enumerate all failure scenarios
• Capability of dealing with scarcity of data in defining
events probability
• Expert-based weights assignment
• Computationally burdensome
o Data management
LIMITATIONS:
Case study: The Advanced Lead-cooled Fast Reactor European
Demonstrator (ALFRED)
Condenser
Turbine
TL,cold
TL,hot
Gwater
kvhCR pSG
PTh
Tsteam
Water Pump
Attemperator
GattCore
Steam
Generator
Header
Control SystemTsteam
pSG
TL,cold
PTh
kv
Gatt
Gwater
hCR
PI1
PI2
PI3
PI4
Tfeed
Feedforward
Turbine Admission ValveControl
Rods
PMech
Physical System
Note: - sensor
Sensors
Actuators
Controller450oC
180e5Pa
300e6W
400oC
Fuel
assemblies
Main
coolant
pump
Steam
generator
Safety vesselReactor vessel
Wang W., Cammi A., Di Maio F., Lorenzi S., Zio E., “A Monte Carlo-based exploration framework for identifying components vulnerable to cyber
threats in nuclear power plants”, Reliability Engineering and System Safety, 175, pp. 24-37, 2018.
Condenser
Turbine
TL,cold
TL,hot
Gwater
kvhCR pSG
PTh
Tsteam
Water Pump
Attemperator
GattCore
Steam
Generator
Header
Control SystemTsteam
pSG
TL,cold
PTh
kv
Gatt
Gwater
hCR
PI1
PI2
PI3
PI4
Tfeed
Feedforward
Turbine Admission ValveControl
Rods
PMech
Physical System
Note: - sensor
Sensors
Actuators
Controller450oC
180e5Pa
300e6W
400oC
Fuel
assemblies
Main
coolant
pump
Steam
generator
Safety vesselReactor vessel
Wang W., Cammi A., Di Maio F., Lorenzi S., Zio E., “A Monte Carlo-based exploration framework for identifying components vulnerable to cyber
threats in nuclear power plants”, Reliability Engineering and System Safety, 175, pp. 24-37, 2018.
Case study: The Advanced Lead-cooled Fast Reactor European
Demonstrator (ALFRED)
The GTST-MLD for the ALFRED control system
The GTST-MLD for the ALFRED control system
COMPONENTS
FAILURES
Sensors: bias, drift, wider
noise, freezing
PIs: proportional gain
change, integral gain
change, set point change
Actuators: stuck
CYBER-ATTACKS
Doorknob rattling
STUXNET virus
Key logger
Man in the middle
Denial of Service (DoS)
Message spoofing
Replay
Buffer overflow
The GTST-MLD for the ALFRED control system
The GTST-MLD for the ALFRED control system
The integrated safety and security risk assessment: results
Bounded failure probability
Average failure probability
Average failure probability,
considering only safety-related accidents
• Physical modeling: Modelica (Dymola)
• Logic modeling: GTST-MLD (Goal-Tree Success Tree Master Logic Diagram)
• MC Simulation for uncertainty propagation trough the GTST-MLD
Fa
ilure
pro
ba
bili
tyo
f th
e A
LF
RE
D c
on
tro
l syste
m
Wang W., Cammi A., Di Maio F., Lorenzi S., Zio E., “A Monte Carlo-based exploration framework for identifying components vulnerable to cyber
threats in nuclear power plants”, Reliability Engineering and System Safety, 175, pp. 24-37, 2018.
Overconservative risk
assessment
Bounded failure probability
Average failure probability
Average failure probability,
considering only safety-related accidents
decision making
(barriers optimization)
PHYSICAL
CYBER
Fa
ilure
pro
ba
bili
tyo
f th
e A
LF
RE
D c
on
tro
l syste
m
• Physical modeling: Modelica (Dymola)
• Logic modeling: GTST-MLD (Goal-Tree Success Tree Master Logic Diagram)
• MC Simulation for uncertainty propagation trough the GTST-MLD
W. Wang, F. Di Maio, E. Zio. “Adversarial Risk Analysis to Allocate Optimal Defense Resources for Protecting Nuclear Power Plants from Cyber
Attack”, Risk Analysis,2019.
The integrated safety and security risk assessment: results
energy grid smart meters electric
car
smart city
smart
factory
Conclusions & Perspectives
energy grid smart meters electric
car
smart city
smart
factory
• Requires optimal placing of sensors
• Computationally burdensome
o Data management
o Data mining
LIMITATIONS:
→ CB-PRA
Conclusions & Perspectives
energy grid smart meters electric
car
smart city
smart
factory
• Requires optimal placing of sensors
• Computationally burdensome
o Data management
o Data mining
LIMITATIONS:
→ CB-PRA
• Value of Information (VOI) for
optimal placing of sensors
• Artificial Intelligence (AI)
for predictive modeling
Conclusions & Perspectives
energy grid smart meters electric
car
smart city
smart
factory
• Expert-based weights assignment
• Computationally burdensome
o Data management
→ GTST-MLD
LIMITATIONS:
• Simulation-based weights
assignment
• Artificial Intelligence (AI)
for surrogate modeling
Computationally burdensome
Conclusions & Perspectives
energy grid smart meters electric
car
smart city
smart
factory
Conclusions & Perspectives