Jason Kirschenbaum

Construction of event-tree/fault-tree models from a Markov approach to dynamic system reliability

While the event-tree (ET)/fault-tree (FT) methodology is the most popular approach to probability risk assessment (PRA), concerns have been raised in the literature regarding its potential limitations in the reliability modeling of dynamic systems. Markov reliability models have the ability to capture the statistical dependencies between failure events that can arise in complex dynamic systems. A methodology is presented that combines Markov modeling with the cell-to-cell mapping technique (CCMT) to construct dynamic ETs/FTs and addresses the concerns with the traditional ET/FT methodology. The approach is demonstrated using a simple water level control system. It is also shown how the generated ETs/FTs can be incorporated into an existing PRA so that only the (sub)systems requiring dynamic methods need to be analyzed using this approach while still leveraging the static model of the rest of the system.

Building a push-button RESOLVE verifier: Progress and challenges

A central objective of the verifying compiler grand challenge is to develop a push-button verifier that generates proofs of correctness in a syntax-driven fashion similar to the way an ordinary compiler generates machine code. The software developer’s role is then to provide suitable specifications and annotated code, but otherwise to have no direct involvement in the verification step. However, the general mathematical developments and results upon which software correctness is based may be established through a separate formal proof process in which proofs might be mechanically checked, but not necessarily automatically generated. While many ideas that could conceivably form the basis for software verification have been known “in principle” for decades, and several tools to support an aspect of verification have been devised, practical fully automated verification of full software behavior remains a grand challenge. This paper explains how RESOLVE takes a step towards addressing this challenge by integrating foundational and practical elements of software engineering, programming languages, and mathematical logic into a coherent framework. Current versions of the RESOLVE verifier generate verification conditions (VCs) for the correctness of component-based software in a modular fashion—one component at a time. The VCs are currently verified using automated capabilities of the Isabelle proof assistant, the SMT solver Z3, a minimalist rewrite prover, and some specialized decision procedures. Initial experiments with the tools and further analytic considerations show both the progress that has been made and the challenges that remain.

Probabilistic risk assessment modeling of digital instrumentation and control systems using two dynamic methodologies

The Markov/cell-to-cell mapping technique (CCMT) and the dynamic flowgraph methodology (DFM) are two system logic modeling methodologies that have been proposed to address the dynamic characteristics of digital instrumentation and control (I&C) systems and provide risk-analytical capabilities that supplement those provided by traditional probabilistic risk assessment (PRA) techniques for nuclear power plants. Both methodologies utilize a discrete state, multi-valued logic representation of the digital I&C system. For probabilistic quantification purposes, both techniques require the estimation of the probabilities of basic system failure modes, including digital I&C software failure modes, that appear in the prime implicants identified as contributors to a given system event of interest. As in any other system modeling process, the accuracy and predictive value of the models produced by the two techniques, depend not only on the intrinsic features of the modeling paradigm, but also and to a considerable extent on information and knowledge available to the analyst, concerning the system behavior and operation rules under normal and off-nominal conditions, and the associated controlled/monitored process dynamics. The application of the two methodologies is illustrated using a digital feedwater control system (DFWCS) similar to that of an operating pressurized water reactor. This application was carried out to demonstrate how the use of either technique, or both, can facilitate the updating of an existing nuclear power plant PRA model following an upgrade of the instrumentation and control system from analog to digital. Because of scope limitations, the focus of the demonstration of the methodologies was intentionally limited to aspects of digital I&C system behavior for which probabilistic data was on hand or could be generated within the existing project bounds of time and resources. The data used in the probabilistic quantification portion of the process were gathered partially from fault injection experiments with the DFWCS, separately conducted under conservative assumptions, partially from operating experience, and partially from generic data bases. The purpose of the quantification portion of the process was, purely to demonstrate the PRA-updating use and application of the methodologies, without making any particular claim regarding the specific validity and predictive value of the data utilized to illustrate the quantitative risk calculations produced from the qualitative information analytically generated by the models. A comparison of the results obtained from the Markov/CCMT and DFM regarding the event sequences leading to DFWCS failure modes show qualitative and quantitative consistency for the risk scenarios and sequences under consideration. The study also shows that: (a) the risk significance of the timing of system component failures may depend on factors that include the actual variability of initiating conditions of a dynamic transient, even within the nominal control range and (b) the range of dynamic outcomes may also be dependent on the choice of the assumed basic system-component failure modes included in the models, regardless of whether some of these would or would not be considered to have direct safety implications according to the traditional safety/non-safety equipment classifications.

A Benchmark System for Comparing Reliability Modeling Approaches for Digital Instrumentation and Control Systems

Abstract There is an accelerating trend to upgrade and replace nuclear power plant analog instrumentation and control systems with digital systems. While various methodologies are available for the reliability modeling of these systems for plant probabilistic risk assessments, there is no benchmark system that can be used as the basis for methodology comparison. A system representative of the steam generator feedwater control systems in pressurized water reactors is proposed for such a comparison. Dynamic reliability modeling of the benchmark system for an example initiating event is illustrated using the Markov/cell-to-cell mapping technique and dynamic flowgraph methodologies.

Methodologies for the probabilistic risk assessment of digital reactor protection and control systems

Nuclear power plants are in the process of replacing the existing analog instrumentation and control (I&C) systems with digital technology. Digital systems distinguish themselves from other control and instrumentation systems mainly due to the presence of active software/firmware as well as hardware. The U.S. Nuclear Regulatory Commission policy statement on the use of probabilistic risk assessment (PRA) methods in nuclear regulatory activities encourages licensees to use PRA and associated analyses to support the licensing applications to the extent supported by the state-of-the-art and data. Before digital system reviews can be performed in a risk-informed manner, PRAs will need the capability to model digital I&C systems. The available methodologies for the reliability and risk modeling of digital I&C systems are reviewed with respect to their capability to account for the features of the digital I&C systems relevant to digital reactor protection and control systems, as well as the integrability of the resulting model into an existing PRA. It is concluded that the methodologies that rank as the top two with most positive features and least negative or uncertain features (using subjective criteria based on reported experience) are the dynamic flowgraph methodology and the Markov methodology combined with the cell-to-cell mapping technique, each with different advantages and limitations.

Traditional assignment considered harmful

Data movement in nearly all modern imperative languages is based on a single primitive: traditional assignment. (With traditional assignment, data are moved between variables by copying.) Unfortunately, traditional assignment poses many known software engineering drawbacks with respect to efficiency for value types, and with respect to modular reasoning for reference types. Moreover, its entrenched legacy has stifled serious regard of potentially superior data-movement primitives. Exploration of the complete design space for data-movement primitives supports the following conclusions: (1) traditional assignment is fundamentally flawed, and (2) any other data-movement primitive would be better.