Tool-Based Assessment of Reactor Trip Systems Availability and Safety Using Markov Modeling

Oleg Odarushchenko, Valentyna Butenko, Elena Odarushchenko, Evgene Ruchkov
DOI: 10.4018/978-1-7998-3277-5.ch007

Abstract

The accurate availability and safety assessment of a reactor trip system for nuclear power plant instrumentation and control systems (NPP I&C) applications is an important task in the development and certification process. It can be conducted through probabilistic model-based evaluation with a variety of tools and techniques (T&T). As each T&T is bounded by its application area, careful selection of the appropriate one is highly important. This chapter presents a gap analysis of a well-known modeling approach, Markov modeling (MM), mainly for T&T selection and application procedures, and shows how one of the leading safety standards, IEC 61508, tracks those gaps. The authors discuss how the main assessment risks can be eliminated or minimized using a metric-based approach and present the safety assessment of a typical NPP I&C system. The analysis of the results determines the feasibility of introducing new regulatory requirements for the selection and application of T&T used for MM-based assessment of availability and safety.

Background

System modelers are often interested in transient measures, which provide more useful information than steady-state measures. Modeling component interaction and interdependencies expands the model significantly, making the precise computation of system transient measures almost infeasible. Using Markov models (MM) to model the transient behavior of a complex system can lead to a number of description and computational difficulties.

One of the main computational difficulties is model largeness (i.e. structural complexity) (Buchholz, P. 1996), which leads to problems in the model's construction, storage and solution. Adding software component behavior to the MM increases its size rapidly. Because of the model's size, closed-form solutions for transient measures become infeasible; in this case, the modeler can rely on numerical methods or imitation modeling. Modeling component interaction enlarges the state space significantly and results in sparse matrices of differential equation (DE) coefficients.

Sparsity (Hurley, N. et al. 2009) corresponds to systems that are loosely coupled. In the subfield of numerical analysis, a sparse matrix is a matrix populated primarily with zeros (Press, W.H. et al. 2007). If the MM is large, it becomes wasteful to reserve storage for zero elements, so solution methods that do not preserve sparsity are unacceptable for most large problems (Press, W.H. et al. 2007).

The next complexity in solving large models that affects the numerical solution results is model stiffness (Bobbio, A. et al. 1986). It is an undesirable property of many practical MMs, as it poses difficulties in finding transient solutions. In practice, stiffness in models of complex computer systems is caused by the following (Bobbio, A. et al. 1986):

  • In repairable systems, the rates of failure and repair differ by several orders of magnitude;

  • Fault-tolerant computer systems (CS) use redundancy. The rates of simultaneous failure of redundant components are typically significantly lower than the rates of the individual components;

  • In reliability models of modular software, the modules’ failure rates are significantly lower than the rates of passing control from module to module.

Several approaches were developed to deal efficiently with MM largeness and stiffness (Malhotra, M. et al. 1994; Bobbio, A. et al. 1986; Arushanyan, O. et al. 1990). In both cases, they can be split into two main groups: “avoidance” and “tolerance” approaches.

The avoidance approach overcomes largeness by exploiting certain properties of the model to reduce the size of the underlying MM (Malhotra, M. et al. 1994). In the largeness tolerance approach, new algorithms are designed to manipulate large MMs, and special data structures are used to reduce the storage of the state transition matrix, the iteration vector, etc. (Sanders, W. H. et al. 1998).
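The stiffness and sparsity described above can be seen on a very small model. The following is an added example, not code from the chapter: it assumes a constructed two-channel redundant model with one absorbing failure state and constructed rates, stores only the non-zero transitions, and compares an explicit and an implicit time-stepping scheme against the closed-form reliability.

```python
import math

# Constructed rates (per hour) for a two-channel redundant pair; not from the chapter.
LAM, MU = 1e-4, 1.0   # failure and repair rates, four orders of magnitude apart

# Sparse generator: only non-zero transitions are stored.
# States: 0 = both channels up, 1 = one up, 2 = both failed (absorbing).
RATES = {(0, 1): 2 * LAM, (1, 0): MU, (1, 2): LAM}

def explicit_euler(rates, p, h, steps):
    """Forward Euler on dp/dt = pQ, touching only the stored transitions."""
    p = list(p)
    for _ in range(steps):
        flow = [0.0] * len(p)
        for (i, j), r in rates.items():
            flow[i] -= r * p[i]
            flow[j] += r * p[i]
        p = [x + h * f for x, f in zip(p, flow)]
    return p

def implicit_euler(lam, mu, h, steps):
    """Backward Euler on the two transient states; the 2x2 solve is closed form."""
    a, b, c = 2 * lam, mu, lam
    det = 1 + h * (a + b + c) + h * h * a * c
    p0, p1 = 1.0, 0.0
    for _ in range(steps):
        p0, p1 = (((1 + h * (b + c)) * p0 + h * b * p1) / det,
                  (h * a * p0 + (1 + h * a) * p1) / det)
    return [p0, p1, 1.0 - p0 - p1]

def eigen_rates(lam, mu):
    """Fast and slow decay rates (negative eigenvalues) of the transient part."""
    tr, d = 3 * lam + mu, 2 * lam * lam
    fast = -(tr + math.sqrt(tr * tr - 4 * d)) / 2
    return fast, d / fast        # product of roots avoids cancellation

def exact_reliability(lam, mu, t):
    """Closed-form R(t) = P(system not in state 2 at time t)."""
    fast, slow = eigen_rates(lam, mu)
    return (fast * math.exp(slow * t) - slow * math.exp(fast * t)) / (fast - slow)

def stiffness_ratio(lam, mu):
    """Ratio of the fastest to the slowest decay rate."""
    fast, slow = eigen_rates(lam, mu)
    return fast / slow
```

With these rates the explicit scheme is only stable for steps below roughly 2/MU hours, so a 10,000-hour mission needs thousands of steps, while the implicit scheme reaches the same reliability in 100 steps of 100 hours.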

Key Terms in this Chapter

Largeness: Structural complexity of the model.

Channel: Element or group of elements that independently implement an element safety function.

Multi-Fragment Markov Model: Set of repetitive macromodels (fragments) whose internal structure and external relations depend on the sets of selected basic parameters of the model.

Sparsity: A sparse matrix is a matrix populated primarily with zeros.

Safety Integrity Level (SIL): Discrete level (one out of a possible four), corresponding to a range of safety integrity values, where safety integrity level 4 has the highest level of safety integrity and safety integrity level 1 has the lowest.

Stiffness: Property that, in models of complex computer systems, is caused by failure and recovery rates varying by several orders of magnitude.

Architecture: Specific configuration of hardware and software elements in a system.
