Three-loop Monte Carlo simulation approach to Multi-State Physics Modeling for system reliability assessment

HAL Id: hal-01652211

https://hal.archives-ouvertes.fr/hal-01652211

Submitted on 30 Nov 2017

HAL is a multi-disciplinary open access archive for the deposit and dissemination of sci- entific research documents, whether they are pub- lished or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers.

L’archive ouverte pluridisciplinaire HAL, est destinée au dépôt et à la diffusion de documents scientifiques de niveau recherche, publiés ou non, émanant des établissements d’enseignement et de recherche français ou étrangers, des laboratoires publics ou privés.

Three-loop Monte Carlo simulation approach to Multi-State Physics Modeling for system reliability

assessment

Wei Wang, Francesco Maio, Enrico Zio

To cite this version:

Wei Wang, Francesco Maio, Enrico Zio. Three-loop Monte Carlo simulation approach to Multi- State Physics Modeling for system reliability assessment. Reliability Engineering and System Safety, Elsevier, 2017, 167, pp.276-289. �10.1016/j.ress.2017.06.003�. �hal-01652211�

Reliability Engineering and System Safety 167 (2017) 276–289

ContentslistsavailableatScienceDirect

Reliability Engineering and System Safety

journalhomepage:www.elsevier.com/locate/ress

Three-loop Monte Carlo simulation approach to Multi-State Physics Modeling for system reliability assessment

WeiWang^a,FrancescoDiMaio^a,∗,EnricoZio^a,b

aEnergy Department, Politecnico di Milano, Via La Masa 34, Milano 20156, Italy

bChair on System Science and the Energy Challenge, Fondation Electricite ’ de France (EDF), CentraleSupélec, Université Paris-Saclay, Grande Voie des Vignes, Chatenay-Malabry 92290, France

a r t i c le i n f o

Keywords:

Multi-State Physics Modeling Reliability assessment

Three-loop Monte Carlo simulation Reactor protection system Resistance temperature detector

a b s t r a ct

Multi-StatePhysicsModeling(MSPM)providesaphysics-basedsemi-Markovmodelingframeworkforamore detailedreliabilityassessment.Inthiswork,athree-loopMonteCarlo(MC)simulationschemeisproposedto operationalizetheMSPMapproach,quantifyingandcontrollingtheuncertaintyaffectingthesystemreliability model.TheproposedMCsimulationschemeinvolvesthreesteps:(i)theidentificationofthesystemcomponents thatdeserveMSPM,(ii)thequantificationoftheuncertaintiesintheMSPMcomponentmodelsandtheirpropa- gationontothesystem-levelmodel,and(iii)theselectionofthemostsuitablemodelingalternativethatbalances thecomputationaldemandforthesystemmodelsolutionandtherobustnessofthesystemreliabilityestimates.

AReactorProtectionSystem(RPS)ofaNuclearPowerPlant(NPP)isconsideredascasestudyfornumerical evaluation.

© 2017ElsevierLtd.Allrightsreserved.

1. Introduction

Systemreliabilityassessmentreliesonamodelofthesystemfailure process:themoreaccuratelythemodelreproducesthesystembehavior, themoreconfidentthesystemreliabilityassessment.Physicalknowl- edge,expertinformationanddataonthesystembehaviorareusedto buildthemodelandestimateits parameters[2,3].Theuncertainties inthemodelandparameterscanbepropagatedbyMonteCarlo(MC) simulation[12,47,50,51],Bayesianposterior analysis[46]andFuzzy methodology[5,18,21,22].Mostcommonly,MCsimulationisused,con- sistinginrepeatedlysamplingrandomvaluesoftheinputsfromproba- bilitydistributions[52].

MSPMisasemi-Markovmodelingframeworkthatallowsinserting physical knowledgeon thesystemfailureprocess,forimprovingthe systemreliabilityassessmentbyaccountingfortheeffectsofboththe stochasticdegradationprocessandtheuncertainenvironmentalandop- erationalparameters[17,30,38,40].

Inthis work,a three-loopMC simulationschemeis proposed for MSPMsystemreliabilitymodeling.TheproposedMCsimulationismade ofthreesteps:(i)theidentificationofthecomponentsofthesystemfor whichacomponent-levelMSPMisbeneficial,becauseoftheimportance ofthecomponentforthesystemunreliability,(ii)thequantificationand propagationoftheuncertainty,and(iii)theselectionofthepropermod-

∗Corresponding author.

E-mail address: francesco.dimaio@polimi.it (F.D. Maio).

elingdetails,consideringcomputationaldemandandrobustnessofthe result.

Thefirst stepis achievedbySensitivity Analysis(SA),which can beinformedinthreedifferentways:local,regionalandglobal[16,34]. Global SA, in particular, measures the output uncertainty over the wholedistributionsoftheinputparametersandcanbeperformedby parametric techniques, such as the variance decomposition method [10,35,36,43,44] and moment-independentmethod [7,8,13,42]. The variance-basedmethodmeasuresthepartoftheoutputvariancethat isattributedtothedifferentinputsorsetofinputs,withoutresortingto anyassumptionontheformofthemodel[11,31,33–35].Themoment- independentmethodallowsquantifyingtheaverageeffectoftheinput parametersonthereliabilityofthesystemandprovidestheirimpor- tanceranking[48].Inthiswork,weresorttomoment-independentsen- sitivitymeasures,suchasHellingerdistanceandKullback-Leiblerdiver- gence[14,20],forrankingtheinputvariablesmostaffectingthesystem reliabilityuncertainty[16,24].

Thesecondstepconsistsinquantifyingtheuncertaintyintheoutput ofthereliabilitymodel.Themethodadoptedforthisdependsonthe componentsmodelingapproach: forbinary-stateMarkovChainMod- els(MCMs),thevarianceofthetransitionfailurerateisestimatedby FisherInformationMatrix[1,15,26,28];forMSPMcomponentmodels, thetransitionratesuncertaintyispropagatedand,therefore,estimated byMC.

http://dx.doi.org/10.1016/j.ress.2017.06.003

Received 2 June 2016; Received in revised form 29 May 2017; Accepted 6 June 2017 Available online 9 June 2017

0951-8320/© 2017 Elsevier Ltd. All rights reserved.

BPL-A BPL-B

LCL-A LCL-B

S-A S-B

Power supply

system CRDM

RTB

BPL Module

LCL Module

RTB Module

Fig. 1. RPS scheme [41] .

Forthelaststep,MCsimulationisutilizedtopropagateuncertainties inthesystemmodelandestimatetheconfidenceintervalsofthesystem unreliability.

AReactorProtectionSystem(RPS)ofaNuclearPowerPlant(NPP) isconsideredascasestudy.MCMandMSPMarebuiltforthereliability assessment.TheResistanceTemperatureDetector(RTD)isidentifiedas themostimportantcomponent.Confidenceintervalsofthesystemreli- abilityestimatesbyRPS-MCMarecomputedandcomparedwiththose ofRPS-MSPMthatareobtainedbythethree-loopMCsimulation.

Thereminderofthepaperisorganizedasfollows.Section2describes theRPScasestudyanditsMCMreliabilitymodeltakenasreference.In Section3,aSAoftheMCMisperformedandtheembeddedRTDisiden- tifiedasthecomponentmostaffectingtheRPSreliability.RPS-MSPM is,then,builtforit.Section4comparestheconfidenceintervalsofthe systemreliabilityestimatesobtainedbyMCMandMSPM.InSection5, conclusionsaredrawn.

2. TheReactorProtectionSystem

TheRPSfunctionistotriggertheNPPemergencyshutdown,when ananomalyisdetectedinthemeasurementsofarelevantsignal(here assumedtobeatemperaturesignal).Asshownin Fig.1, theRPSis composedoftworedundantchannels(AandB).Eachchannelconsists ofonesignalsensor(S-AandS-B),oneBistableProcessorLogic(BPL) subsystem(BPL-AandBPL-B),andoneLocalCoincidenceLogic(LCL) subsystem(LCL-AandLCL-B).Usually,redundancyisappliedtosen- sorsandsignalprocessingunitsofRPS.However,withrespecttothe developmentofthemethodsproposedinthepaper,wedonotconsider thisforkeepingthemodelingcomplexityataminimumwithoutloss ofgenerality.Furthermore,thesensorsS-AandS-Bareconsideredto beRTDs,becauseoftheimportanceofthesecomponentsinNPPsdigi- talInstrumentationandControl(I&C)systems[6,45].RTDsaresafety-

Fig. 2. The RPS-MCM where states are grouped according to their intra-module and inter- modules characteristics.

criticalcomponentsandtheireffectivenessofdetectionofanomalous temperaturesisveryimportantforplantoperatorsformonitoringthe NPPoperationalconditions[23].ThereliabilityandaccuracyofRTDs isimportantforcontrollingtheNPPpowerratewithconfidence,guar- anteeinglargepowerrateswithsufficientsafetymargins[40,45].

Ifanyoneofthetworedundantmeasuredsignalsexceedsatrigger- ingthresholdvalue,aPartialTrippingSignal(PTS)issenttothecor- respondingBPL.Thesignalprocessingactivatesonlyifbothchannels producethePTS:eachPTSfromaBPLissenttobothLCL-AandLCL-B, whichprocessinformationbyan“AND” gate.Inotherwords,anEmer- gencyShutdownSignal(ESS)isproducedonlywhenreceivingtwoPTSs fromdifferentBPLs;ESSs,then,activatetheReactorTripBreaker(RTB), whenatleastoneESSistriggered,i.e.,theinformationisprocessedby an“OR” gate.OncetheRTBisactivated,thepowersupplysystemand ControlRodDriveMechanism(CRDM)whichareconnectedwiththe RTBactivatetocontrolthepowerofthereactor.

AccordingtotheRPSschemeofFig.1,threemodulesareidentified:

• TheBPLModuleconsistsoftwogroupsofcomponents:sensorand BPL(i.e.,“S-AandBPL-A” and“S-BandBPL-B”);thesecomponents areconnectedinseriesandtheirfailureeffectsonthesystemcanbe combined.

• TheLCLModuleconsistsofthetwoLCLs(i.e.,LCL-AandLCL-B);

sincetheESSistriggeredonlywhenbothLCLssimultaneouslyre- ceivetwoPTSsfromthetwoBPLs,thismoduleishighlydependent oftheBPLmodule.

• TheRTBModule.

2.1. TheRPS-MCM

InthisSection,abinary-stateMCMisbuiltasreferenceforthereli- abilityassessmentoftheRPS.Todothis,intra-andinter-modulestates leadingtothesystemfailureareidentified.Intra-modulestatesreferto eventsleadingtothesystemfailurethatconcernscomponentsbelonging tothesamemodule;inter-modulestatesrelatetosystemfailuresfrom combinedcomponenteventsindifferentmodules.

Fig. 2shows the RPS-MCM,whose states (listedin Table 1) are groupedintofourcategoriesthatrelatetotheintra-andinter-module distinction.Thefollowingassumptionshavebeenmadeforthesubse- quentquantitativeanalysis:

• Transitionscanoccurfromthesystemfunctioningstate(state0)to anyoftheabsorbingfailurestatesoftheintra-modulecategoryand

W. Wang et al. Reliability Engineering and System Safety 167 (2017) 276–289

Fig. 3. Unreliability curves of RPS and its modules.

Table 1 Component states.

State Description 0 RPS functioning state.

1 Either one of the RTD sensors fails.

2 Either one of the BPLs fails to send out PTSs.

3 Either one of the LCLs fails to produce the ESS.

4 RTB fails.

5 One LCL has failed and, then, one sensor fails.

6 One LCL has failed and, then, one BPL fails.

7 Both LCLs fail to produce the ESS.

8 One LCL has failed and, then, the RTB fails.

9 Common cause failure of BPL-A and BPL-B.

10 Common cause failure of LCL-A and LCL-B.

Table 2

Transition rates [25,39] .

Symbol Description Value (/year)

𝜆_S RTD failure rate 8.760e-1 [39]

𝜆_B BPL failure rate 8.760e − 3 [39]

𝜆L LCL failure rate 4.380e − 2 [39]

𝜆R RTB failure rate 3.767e − 4 [25]

𝛽 Common cause factor 0.1

𝜆BS BPL self-fault failure rate (1 − 𝛽) ^∗𝜆B= 7.884e − 3 𝜆_LS LCL self-fault failure rate (1 − 𝛽) ^∗𝜆_L= 3.942e − 2 𝜆_BC BPLs common cause failure rate 𝛽^∗𝜆_B= 8.760e − 4 𝜆_LC LCLs common cause failure rate 𝛽^∗𝜆_L= 4.380e − 3

fromtheintermediatestate(state3)toanyoftheabsorbingstatesof theinter-modulecategory.Thetransitionratesaretakenfrompublic databases[25,39]andreportedinTable2.

• Norepairsareconsidered.

TheRPSunreliabilityP(t),andtheindividualmodulesunreliabili- tiesP_BPL(t),P_LCL(t),P_RTB(t)andPInter-modules(t)arepresentedinFig.3.A visualanalysisoftheunreliabilitycurvesshowsthatmostofthesystem unreliabilityP(t)iscontributedbytheBPL,thatistosay,theabsorbing statesoftheBPLmodulemostcontributetothesystemunreliability.

2.2. Uncertaintyanalysis

ThestandarddeviationvaluesofthetransitionratesofTable2are eitherprovidedbypublicdatabasesorcanbe estimatedbyresorting toFisherInformation[15,26].Theprocedureforthisisheredescribed

withreferencetotheRTD,whosefailureratestandarddeviationisnot providedin[39]:

• Simulationoflifetests.

With the mission time T=6 years[40] as the end of the right- censoredlifetests,werandomlysampleN_R=1000trialsofRTDfailure timesfromanexponentialdistributionwithconstanttransitionrate𝜆S

(Table2).IfthesampledtimeexceedsthemissiontimeT=6years,the testisconsideredright-censored[49].

• Estimationofthestandarddeviation̂𝜎𝑆of𝜆S.

Thevarianceof𝜆ScanbeestimatedbasedontheobservedFisher information[26]. TheFisherInformationMatrix isdefined from the Maximum Likelihoodfunction orits LogLikelihood[26],andcan be estimatedby[49]:

log𝐿( 𝑡,̂𝜆_𝑆)

=log (∏

𝑖 𝑓_𝑇( 𝑡_𝑖;̂𝜆_𝑆)

⋅∏

𝑗 𝑅( 𝑡_𝑗;̂𝜆_𝑆))

(1)

whereiandjaretheRTDfailuretimesbeforeTandthetimesright- censoredby T,respectively, and𝑓_𝑇(𝑡_𝑖;̂𝜆_𝑆)and𝑅(𝑡_𝑗;̂𝜆_𝑆)aretheRTD failuretimeprobabilitydensityfunction(pdf)andtheRTDreliability:

𝑓𝑇( 𝑡𝑖;̂𝜆_𝑆)

= ̂𝜆_𝑆⋅𝑒^{−̂𝜆𝑆𝑡𝑖} (2)

𝑅( 𝑡𝑗;̂𝜆_𝑆)

=𝑒^{−̂𝜆𝑆𝑡𝑖} (3)

Withrespecttotheobservablerandomfailuretimet,theFisherIn- formationMatrix𝐽(̂𝜆_𝑆)canbeexpressedas:

𝐽(̂𝜆_𝑆)

=𝐸⎡

⎢⎢

⎣

(𝜕log𝐿( 𝑡;̂𝜆_𝑆)

𝜕̂𝜆_𝑆 )2⎤

⎥⎥

⎦

(4)

Asaresult,thevariancesoftheparameterŝ𝜆_𝑆canbeprovidedfrom themaindiagonalofitsinversematrix𝐽⁻¹(̂𝜆_𝑆),namely,theestimated standarddeviationŝ𝜎_𝑆oftheparameters:

̂𝜎_𝑆=𝐽⁻¹(̂𝜆_𝑆)

(5) Undertheconditionofmildregularity,𝐽⁻¹(̂𝜆_𝑆)canbecalculatedby Eq.(6):

𝐽⁻¹(̂𝜆_𝑆)

= [

−𝐸

(𝜕²log𝐿( 𝑡;̂𝜆_𝑆)

𝜕̂𝜆²_𝑆

)]−1

(6) andthestandarddeviationcanbeestimatedas:

Table 3

Estimated transition rates.

Symbol Mean value (/year) Standard deviation (/year) 𝜆S 8.760e − 1 7.720e − 1

𝜆B 8.760e − 3 7.867e − 8 𝜆_L 4.380e − 2 1.981e − 6 𝜆_R 3.767e − 4 1.332e − 10

Fig. 4. The flowchart of the two-loop MC simulation for the RPS-MCM system reliability assessment.

̂𝜎_𝑆=𝐽⁻¹(̂𝜆_𝑆)

= [

−𝐸

(𝜕²log𝐿( 𝑡,̂𝜆_𝑆)

𝜕̂𝜆²_𝑆

)]−1

(7)

Thestandarddeviationsof thetransitionratesof theBPLs,LCLs, andRTB arealso estimated by theFisher Information Methodology (Table3).

2.3. Uncertaintypropagation

UncertaintyinbinarytransitionratesispropagatedthroughtheRPS- MCMasfollows(Fig.4):

(1) Setinitialtimet₀=0andmissiontimeT=6years,andpartition thetimeaxisintosmallintervalsoflengthdt=0.01years;

(2) SamplethecomponentfailureratesfromtheGaussiandistribu- tions𝑁(𝜆_𝑘,̂𝜎_𝑘)thatareshowninTable3,where,k=S,B,L,R; (3) ForeachtimeinstanttbeforeT,computethesystemunreliability

fromtheMCM[19,32]; 𝑃(

𝑡|𝜆_𝑆,𝜆_𝐵,𝜆_𝐿,𝜆_𝑅)

=1−

⎛⎜

⎜⎜

⎝ 1+

2(1−𝛽)𝜆_𝐿(

𝑒(𝛽𝜆𝐵+𝜆𝐿)𝑡−1) (𝛽𝜆_𝐵+𝜆_𝐿)

⎞⎟

⎟⎟

⎠

𝑒⁻(²𝜆_𝑆+(2−𝛽)𝜆_𝐵+(2−𝛽)𝜆_𝐿+𝜆_𝑅)𝑡

(8) (4) Repeatthesteps(2)and(3)forNa=1000times;

(5) Computethe5thand95thpercentilesforeachtimeinstantt. Fig.5showstheplotofthepointwisedouble-sided90%confidence intervalofthesystemunreliability.Theconfidenceintervalislargeall overthesystemlifeT,becauseofthelargeuncertaintythataffectsthe MCMtransitionratesduetotheweakknowledgeutilizedtobuildthe, therefore,quiteinaccurateRPS-MCM.

3. RPS-MSPM 3.1. TheSAapproach

Thepurposeofthisstepoftheanalysisistheidentificationofthe componentsmostimportantforthesystemunreliability.Thiscanbea non-trivialproblem, forcomplexsystemswhosecomponentsreliabil- itycharacteristics(i.e.,failurerates)areveryuncertain(i.e.,withlarge standarddeviations).Forclarity,wedescribetheapproachwithrefer- encetothecasestudy.

FortheRPScomponents,aMSPMisbuiltforreliabilityassessment.

TheSAisperformedasfollows:

(1) Calculatethemoment-independentsensitivitymeasuresbetween the unreliability P(t) of Fig. 3 and the unreliability P_k(t) of its k-th module contributor (i.e., P_BPL(t), P_LCL(t), P_RTB(t) and PInter-modules(t)),toidentifythemostimportantmoduleinthesys- tem;

(2) Calculate themoment-independentmeasure forthesensitivity betweenthemoduleunreliabilityP_k(t)andtheunreliabilityofits l-thembeddedcomponentP_l(t),toidentifythecomponentmost affectingthemoduleunreliability.

Themoment-independentsensitivitymeasureshereadoptedarethe HellingerdistanceandKullback-Leiblerdivergence[14,16,20],which restonthecommonrationalethatthesensitivitymeasurescanbecom- putedasexpectedgeneralizeddistancesbetweentheoutputdistribution andtheconditionaloutputdistributiongiventhemodelinput(s)ofin- terest[9].Indetail,theHellingerdistanceH_k[p(t),p_k(t)]measuresthe differencebetweenthepdfp(t)ofthesystemunreliabilityandthepdf p_k(t)ofthek-thcontributortothesystemfailure,i.e.,BPL,LCL,RTB, Inter-modules[14,20]:

𝐻𝑘[

𝑝(𝑡),𝑝𝑘(𝑡)]

= [1

2∫

(√𝑝(𝑡)−√ 𝑝𝑘(𝑡)

)2

𝑑𝑡 ]¹₂

= [

1−

∫

(√𝑝(𝑡)⋅𝑝_𝑘(𝑡))2

𝑑𝑡 ]¹₂

(9)

Thek-thcontributorisimportantifH_kissmall.

TheKullback-LeiblerdivergenceKL_k[p(t),p_k(t)]measuresthediffer- entinformationcarriedbythepdfp(t)ofthesystemfailureandthepdf p_k(t)ofthek-thcontributoraccordingtoEq.(10)[14,20]:

𝐾𝐿𝑘(𝑝(𝑡),𝑝𝑘(𝑡))=

∫

+∞

−∞ 𝑝(𝑡)log (𝑝(𝑡)

𝑝_𝑘(𝑡) )

𝑑𝑡 (10)

withthevalues in[0,+∞].Inpracticalcases,thesymmetric formof Kullback-Leiblerdivergencecanbeutilizedasfollows[27]: