advanced monte carlo simulation methods and neural

POLITECNICO DI MILANO Dipartimento di Energia – Sezione Nucleare

Dottorato di ricerca in Scienza e Tecnologia delle Radiazioni

ADVANCED MONTE CARLO SIMULATION METHODS AND NEURAL NETWORK REGRESSION FOR THE RELIABILITY ANALYSIS OF NUCLEAR PASSIVE SYSTEMS

Tesi di Dottorato di: Nicola PEDRONI Tutor: Dott. Francesco CADINI Relatore: Prof. Enrico ZIO Coordinatore del Corso di Dottorato: Prof. Carlo Enrico BOTTANI

XXII CICLO

Ringraziamenti Ringrazio il Prof. Zio, relatore della tesi, per vari motivi: per gli spunti che mi ha fornito durante il mio lavoro; per le opportunità che mi ha dato (vedi viaggio negli USA) e che tuttora mi sta dando (vedi opportunità di rimanere a fare ricerca al Politecnico); infine, per i suoi numerosi viaggi all’ estero che ogni tanto mi permettono di dormire qualche ora in più alla mattina…

Ringrazio anche il Prof. Apostolakis per avermi “ospitato” pazientemente al MIT…

Ringrazio poi i miei genitori per il loro supporto costante (ed indipendente dal mio umore pessimo) ed in particolare mia mamma per una infinità di motivi che lei sa e che non sto qui ad elencare… Grazie anche ai miei parenti (mia zia Oriana, mia cugina Alessandra, mia nonna Natalina, …) per farmi comunque sentire sempre la loro presenza…

Grazie a tutti i ragazzi del gruppo LASAR (dottorandi nuovi e vecchi, tesisti nuovi e vecchi, assegnisti, ricercatori, figli di ricercatori, ladri che rubano i computer ai ricercatori, professori, tecnici di laboratorio, la donna cinese delle pulizie che non pulisce mai una fava, ma mi rama costantemente le forchette ed i bicchieri, ecc. ecc.): una citazione particolare però per chi è con me da più tempo, e cioè Giovanni e Dima…

Grazie ai ragazzi della mia compagnia (Andrea, Dario, ecc.) per farmi passare dei fine settimana senza troppi pensieri…

Infine, grazie anche a chi si è eclissato… va beh, eclissiamoli anche dai ringraziamenti…

Table of contents Part I ACRONYMS AND NOTATION ......................................................................................................................... 3 1

2

INTRODUCTION ....................................................................................................................................... 10 1.1

NUCLEAR PASSIVE SYSTEMS................................................................................................................... 12

1.2

RELIABILITY ANALYSIS OF NUCLEAR PASSIVE SYSTEMS ......................................................................... 14

1.3

ADVANCED MONTE CARLO SIMULATION METHODS .............................................................................. 15

1.4

EMPIRICAL REGRESSION MODELING ....................................................................................................... 18

1.5

STRUCTURE OF THE THESIS..................................................................................................................... 20

RELIABILITY ANALYSIS OF NUCLEAR PASSIVE SYSTEMS ....................................................... 23 2.1

SOURCES

SYSTEMS

2.2

............................................................................................................................................................ 23

METHODS FOR THE RELIABILITY ANALYSIS OF NUCLEAR PASSIVE SYSTEMS .......................................... 27

2.2.1

The independent failure modes approach ...................................................................................... 27

2.2.2

The hardware failure modes approach .......................................................................................... 29

2.2.3

The functional failure approach .................................................................................................... 29

2.3 3

DISCUSSION OF THE METHODS ................................................................................................................ 34

ADVANCED MONTE CARLO SIMULATION METHODS................................................................. 38 3.1

SUBSET SIMULATION .............................................................................................................................. 38

3.1.1

Basics of the method ...................................................................................................................... 39

3.1.2

The Subset Simulation algorithm ................................................................................................... 39

3.2

LINE SAMPLING ...................................................................................................................................... 42

3.2.1

Basics of the method ...................................................................................................................... 43

3.2.2

The Line Sampling algorithm ........................................................................................................ 45

3.3

OPTIMIZATION OF THE LINE SAMPLING METHOD ................................................................................... 50

3.3.1

Identification of the Line Sampling important direction ................................................................ 51

3.3.1.1

Literature methods......................................................................................................................................52

3.3.1.1.1

Center of mass of the failure domain ............................................................................................................................ 52

3.3.1.1.2

Design point .................................................................................................................................................................. 52

3.3.1.1.3

Gradient of the performance function ........................................................................................................................... 52

3.3.1.2

Minimization of the variance of the Line Sampling failure probability estimator ......................................55

3.3.1.2.1

3.3.2 3.4 4

AND TYPES OF UNCERTAINTIES IN THE PERFORMANCE AND MODELING OF NUCLEAR PASSIVE

Optimization algorithms employed............................................................................................................................... 57

Optimized Line Sampling method with very small sample sizes .................................................... 61 METHODOLOGICAL AND APPLICATIVE CONTRIBUTIONS OF THE THESIS WORK ....................................... 62

BOOTSTRAPPED EMPIRICAL REGRESSION MODELING FOR POINT AND CONFIDENCE

INTERVAL EVALUATION .............................................................................................................................. 66 4.1

EMPIRICAL REGRESSION MODELING ....................................................................................................... 66

1

5

4.1.1

Artificial Neural Networks............................................................................................................. 67

4.1.2

Quadratic Response Surfaces ........................................................................................................ 70

4.2

THE BOOTSTRAP METHOD....................................................................................................................... 70

4.3

METHODOLOGICAL AND APPLICATIVE CONTRIBUTIONS OF THE THESIS WORK ....................................... 73

CONCLUSIONS .......................................................................................................................................... 75

REFERENCES .................................................................................................................................................... 80

Part II Paper I E. Zio, N. Pedroni, “Estimation of the Functional Failure Probability of a Thermal-Hydraulic Passive System by Subset Simulation”, Nuclear Engineering and Design, Volume 239, Issue 3, Mar. 2009, pp. 580-599. Paper II E. Zio, N. Pedroni, “Functional Failure Analysis of a Thermal-Hydraulic Passive System by Means of Line Sampling”, Reliability Engineering and System Safety, Volume 9, Issue 11, Nov. 2009, pp. 1764-1781. Paper III E. Zio, N. Pedroni, “Reliability Estimation by Advanced Monte Carlo Simulation”, accepted for publication in: Faulin, Juan, Martorell, Ramirez-Marquez (Eds.), Simulation Methods for Reliability and Availability of Complex Systems (series: Reliability Engineering), Springer. Paper IV E. Zio, N. Pedroni, “An optimized Line Sampling Method for the Estimation of the Failure Probability of Nuclear Passive Systems”, submitted to Reliability Engineering and System Safety. Paper V N. Pedroni, E. Zio, G. E. Apostolakis, “Comparison of Bootstrapped Artificial Neural Networks and Quadratic Response Surfaces for the Estimation of the Functional Failure Probability of a Thermal-Hydraulic Passive System”, Reliability Engineering and System Safety, 2009, doi: 10.1016/j.ress.2009.11.009.

2

Acronyms and Notation ANN

Artificial Neural Network

APSRA

Assessment of Passive System ReliAbility

BBC

Bootstrap Bias Corrected

BWR

Boiling Water Reactor

CDF

Cumulative Distribution Function

CI

Confidence Interval

DR

Dimensionality Reduction

EC

European Commission

ESBWR

Economic Simplified Boiling Water Reactor

FBR

Fast Breeder Reactor

FCRR

Flexible Conversion Ratio Reactor

FMEA

Failure Mode and Effect Analysis

GA

Genetic Algorithm

GBR

Gradient Boosting Regression

GFR

Gas-cooled Fast Reactor

HAZOP

HAZard and OPerability analysis

HWR

Heavy Water Reactor

IAEA

International Atomic Energy Agency

IS

Importance Sampling

ISD

Importance Sampling Distribution

LASAR

Laboratory of Signal Analysis and Risk Analysis

LHS

Latin Hypercube Sampling

LOCA

Loss Of Coolant Accident

LS

Line Sampling

LSF

Limit State Function

LWR

Light Water Reactor

MARS

Multivariate Adaptive Regression Spline

MC

Monte Carlo

MCMC

Markov Chain Monte Carlo

MCS

Monte Carlo Simulation

MHT

Main Heat Transport

OA

Orthogonal Axis 3

PDF

Probability Density Function

PF

Performance Function

PRA

Probabilistic Risk Assessment

RBF

Radial Basis Function

REPAS

Reliability Evaluation of PAssive Safety functions

RF

Random Forest

RHRS

Residual Heat Removal System

RMPS

Reliability Methods for Passive Safety functions

RMSE

Root Mean Square Error

RS

Response Surface

R-S

Resistance-Stress

SQP

Sequential Quadratic Programming

SS

Subset Simulation

SVM

Support Vector Machine

T-H

Thermal-Hydraulic

USNCR

United States Nuclear Regulatory Commission

ε

multiplicative error factor for model uncertainties

c(·)

deterministic correlation implemented in a T-H code (e.g. to calculate heat transfer coefficients, friction factors, Nusselt numbers or thermal conductivity coefficients)

z = c(·)·ε

real value of the quantity to be predicted by means of the correlation c(·) (i.e., the deterministic correlation is corrected by means of the model uncertainty represented by the multiplicative error factor ε)

n

number of uncertain system parameters (i.e., dimension of the parameter space)

j

(j = 1, 2, ..., n) parameter index

x = {x1 , x2 , ..., x j , ..., xn }

state of the system (i.e., vector of uncertain system parameters)

q ( x ) : ℜ n → [0, ∞)

multidimensional PDF of x

q j (x j )

(j = 1, 2, ..., n) one-dimensional PDF of parameter xj

Fj

(j = 1, 2, ..., n) in the independent failure modes approach, critical interval defining the failure criterion for parameter xj: if the parameter lies in its critical interval, then the passive system is failed

4

( )

P F j = ∫ q j ( x j )dx j

(j = 1, 2, ..., n) in the independent failure modes approach,

Fj

failure probability pertaining to the critical interval Fj (obtained by integrating each probability density function, qj(xj), over the corresponding range of failure, Fj) F

failure region of interest

P(F)

failure probability

Y(·)

critical response variable or performance indicator for the passive system

αY

failure threshold for Y(·)

gx(·) = Y(·) – αY

LSF or PF of the passive system: gx(·) < 0 for function

successfully performed; gx(·) = 0 at limit state; gx(·) > 0 for failure of performing the function I F ( x ) : ℜ n → {0,1}

indicator function such that I F ( x ) = 1 , if x ∈ F and I F ( x ) = 0 ,

otherwise NT

total number of random samples generated in a simulation run

Pˆ (F )

failure probability estimate

N Pˆ (F ) T

failure probability estimate obtained with NT samples

(

σ 2 Pˆ (F )N

T

m

)

variance of the failure probability estimate obtained with NT samples in the SS method, number of intermediate events (i.e., number of conditional levels or number of “subsets”)

i

(i = 1, 2, …, m) in the SS method, intermediate event index (i.e., conditional level index or “subset” index)

Fi

(i

=

1,

2,

…,

(F1 ⊃ F2 ⊃ ... ⊃ Fi P( Fi +1 | Fi )

m)

in

the

SS

method,

ith

intermediate

event

⊃ ... ⊃ Fm = F )

(i = 1, 2, …, m – 1) in the SS method, probability of intermediate event Fi +1 conditional on intermediate event Fi

p0

constant conditional probability at each SS level (i.e., P(Fi+1|Fi) = p0 for i = 1, 2, ..., m – 1)

q( x | Fi ) = q ( x ) I F ( x ) / P( F ) (i = 1, 2, …, m) in the SS method, conditional distribution of x given that it lies in Fi y

in the SS method, specified threshold value for Y

5

(i = 1, 2, ..., m) in the SS method, ith intermediate threshold value for Y (y1 < y2

yi

< ... < yi < ... < ym = y)

N

number of samples at each conditional level of the SS method

k

sample index

{

xik = xik,1 , xik, 2 , ..., xik, j , ..., xik,n

}

(i = 1, 2, ..., m, k = 1, 2, ..., N) in the SS method, kth conditional

sample at the ith conditional level, distributed as q(⋅ | Fi )

{

xiu = xiu,1 , xiu, 2 , ..., xiu, j , ..., xiu,n

}

(i = 1, 2, ..., m, u = 1, 2, ..., p0N) in the SS method, uth

{

}

conditional sample among xik : k = 1, 2, ..., N whose response Y lies in lies in Fi+1 = {Y > yi+1}: these samples are at ‘Conditional level i + 1’ and distributed as q(⋅ | Fi +1 ) in the SS method, number of samples among {Y ( xik ) : k = 1, 2, ..., N } that lie in

Nm

the failure region F = Fm, i.e., N m = Dim{Y ( xik ) > ym } Pˆm = N m / N

in the SS method, estimate of the conditional probability Pm = P(Fm|Fm-1)

α = {α1, α2, …, αj, … αn} θ = {θ1 , θ 2 , ...,θ j , ...,θ n }

LS important unit vector (or important direction) in the LS method, state of the system in the standard normal

space

θ*

design point in the standard normal space

θ0

in the LS method, failure point from which a Markov chain starts in order to compute α number of samples in a Markov chain

Ns

{

θ u = θ1u , θ 2u , ..., θ uj , ..., θ nu

}

(u = 1, 2, ..., Ns) in the LS method, uth Markov chain sample

used to compute α

φ j (θ j ) = 1 2π e

−θ 2j / 2

(j = 1, 2, ..., n) in the LS method, standard normal distribution of

parameter θj

ϕ (θ ) = ∏ φ j (θ j ) n

in the LS method, joint normal probability density function of θ

j =1

Txθ(·)

in the LS method, transformation from the physical space to the standard normal space

Tθx(·)

in the LS method, transformation from the standard normal space to the physical space

6

gθ(·)

in the LS method, LSF or PF of the passive system in the standard normal space

O

origin of the standard normal space

{

x k = x1k , x2k , ..., x kj , ..., xnk

}

(k = 1, 2, ..., NT) in the LS method, kth sample in the physical

}

(k = 1, 2, ..., NT) in the LS method, kth sample in the standard

space

{

θ k = θ1k , θ 2k , ..., θ jk , ..., θ nk

normal space 1D , k Pˆ (F )

(k = 1, 2, ..., NT) in the LS method, kth independent conditional one-dimensional failure probability estimate

ck

(k = 1, 2, ..., NT) in the LS method, real number ranging from [- ∞, + ∞]

θ k ,⊥ = θ k − α, θ k α (k = 1, 2, ..., NT) in the LS method, projection of θ k on a direction perpendicular to α ~ θ k = c k α + θ k ,⊥

(k = 1, 2, ..., NT) in the LS method, sum of a deterministic multiple of α

and the vector θ k ,⊥ (it is parallel to α)

ck

(k = 1, 2, ..., NT) in the LS method, intersection between line passing through ~ θ k and parallel to α and the LSF gθ θ k = gθ (c k α + θ k ,⊥ ) = 0

( )

Φ (⋅)

(

σ 2 Pˆ (F )1D

standard normal cumulative distribution function

)

in the LS method, sample variance of the independent conditional “one-

{

1D , k dimensional” failure probability estimates Pˆ (F ) : k = 1, 2, ..., N T

⎡ ∂g (θ ) ∂gθ (θ ) ∂gθ (θ ) ∂gθ (θ ) ⎤ ∇gθ (θ ) = ⎢ θ ... ... ⎥ ∂θ 2 ∂θ j ∂θ n ⎥⎦ ⎢⎣ ∂θ1

}

T

gradient of the performance function

gθ (θ ) in the standard normal space α opt

optimal important direction for LS defined as the one minimizing the variance

[

σ 2 Pˆ (F )N

T

] of the LS failure probability estimator Pˆ (F )

NT

θ opt

vector in the standard normal space such that α opt = θ opt θ opt

ni

in empirical regression modeling, number of model inputs (also: number of

2

ANN/RS inputs) no

in empirical regression modeling, number of model outputs (also: number of ANN/RS outputs)

nh

number of ANN hidden nodes (or neurons)

7

j

(j = 1, 2, …, ni) in empirical regression modeling, index for model inputs

l

(l = 1, 2, …, no) in empirical regression modeling, index for model outputs

x = {x1, x2, ..., xj, ..., xni }

in empirical regression modeling, vector of model inputs

y = {y1, y2, ..., yl, ..., yno }

in empirical regression modeling, vector of model outputs

μ y (⋅)

in empirical regression modeling, nonlinear deterministic function representing the complex, long-running T-H mechanistic model code in empirical regression modeling, noise vector (notice that y(x) = μ y ( x ) +

ε (⋅)

ε( x ) )

Ntrain

number of training patterns for a regression model

Nval

number of validation patterns for a regression model

Ntest

number of test patterns for a regression model

p

(p = 1, 2, ..., Ntrain or Nval or Ntest) in empirical regression modeling, pattern

{

index (for training or validation or test patterns)

xp = x p ,1 , x p , 2 , ..., x p , j , ..., x p ,ni

{

}

(p = 1, 2, ..., Ntrain or Nval or Ntest) in empirical regression

modeling, pth input pattern

}

yp = y p ,1 , y p , 2 , ..., y p ,l , ..., y p ,no = μ y (x p )

(p = 1, 2, ..., Ntrain or Nval or Ntest) in empirical

regression modeling, model output vector in correspondence of input pattern xp

Dtrain = {(x p , y p ), p = 1, 2, ..., N train }

in empirical regression modeling, training data set

Dval = {(x p , y p ), p = 1, 2, ..., N val }

in empirical regression modeling, validation data set

Dtest = {(x p , y p ), p = 1, 2, ..., N test }

in empirical regression modeling, test data set

w*

vector of adaptable parameters for a generic regression model

f(x, w*) = {f1(x, w*), f2(x, w*), …, fno(x, w*)}

{

generic regression model with adaptable

parameter vector w*, evaluated in correspondence of input vector x

}

yˆ p = yˆ p ,1 , yˆ p , 2 , ..., yˆ p ,l , ..., yˆ p ,no = f (x p , w *) (p = 1, 2, ..., Ntrain or Nval or Ntest) estimate of the model output vector yp obtained by regression model f(x, w*) in correspondence of input pattern xp RMSE =

1 N train ⋅ no

N train no

∑∑ (y p =1 l =1

− yˆ p ,l )

2

p ,l

in empirical regression modeling, Root Mean

Square Error computed on the training set R2

in empirical regression modeling, coefficient of determination

al

(l = 1, 2, ..., no) quadratic RS coefficients of order zero 8

(j = 1, 2, ..., ni, l = 1, 2, ..., no) quadratic RS coefficients (multiplying the linear

bjl

terms) cjl

(j = 1, 2, ..., ni, l = 1, 2, ..., no) quadratic RS coefficients (multiplying the squared terms)

doq

(o = 1, 2, ..., ni – 1, q = o + 1, o + 2, ..., ni) quadratic RS coefficients (multiplying the two-factor interaction terms)

Q

generic reliability quantity of interest (e.g., failure probability, percentile, …)

Qˆ

estimate of Q obtained using regression model f(x, w*)

B

number of bootstrapped regression models

b

(b = 1, 2, ..., B) bootstrap index

Dtrain ,b = {(x p ,b , y p ,b ), p = 1, 2, ..., N train }

(b = 1, 2, ..., B) bootstrapped training data set

obtained by random sampling with replacement from the original training data set Dtrain wb

*

(b = 1, 2, ..., B) vector of adaptable parameters for a regression model built on the bootstrapped training data set Dtrain ,b

fb(x, wb*)

(b = 1, 2, ..., B) regression model built on the bootstrapped training data set Dtrain ,b

Qˆ b

(b = 1, 2, ..., B) estimate of Q obtained using regression model fb(x, wb*)

1 B Qˆ boot = ∑ Qˆ b B b =1

estimate of Q obtained as the sample average of the bootstrapped

estimates Qˆ b , b = 1, 2, ..., B Qˆ ( b )

(b = 1, 2, ..., B) bth bootstrapped estimate of Q in the ordered list Qˆ (1) < Qˆ ( 2) < ... < Qˆ ( b ) < ... < Qˆ ( B )

Qˆ BBC = 2· Qˆ - Qˆ boot

Bootstrap Bias Corrected estimate of Q

9

1 Introduction In the performance-based design and operation of modern engineered systems, the accurate assessment of reliability (or, conversely, failure probability) is of paramount importance. This is particularly true for civil, nuclear, aerospace and chemical systems that are safety-critical and must thus be designed and operated within a quantitative risk-informed approach aimed at systematically integrating deterministic and probabilistic analyses to obtain a rational decision on the utilization of resources for reliability assessment. In such rationalization, explicit consideration is given to the likelihood of accidents and to their potential consequences [Thunnissen et al., 2007; Fong et al., 2009]. In order to describe the physical phenomena that may lead to system failure, complex mathematical models are built and subsequently translated into detailed mechanistic computer codes that are used to simulate the response of the system under various operational transients and accident scenarios. This entails the realistic modeling of the structural/mechanical components of the system with their material constitutive behavior, loading conditions and mechanisms of deterioration and failure that are anticipated to occur during the working life of the system [Schueller and Pradlwarter, 2007]. In practice, not all the characteristics of the system under analysis can be fully captured in the model. This is due to: i) the intrinsically random nature of several of the phenomena occurring during system operation (e.g., component degradation; failures, or more generally, stochastic transitions between different performance states); ii) the incomplete knowledge about some of the phenomena (e.g., due to lack of experimental results). Thus, uncertainty is always present in both the values of the model input parameters/variables (parameter uncertainty) and hypotheses (model uncertainty) [Apostolakis, 1990; Helton, 2004]. This translates into variability in the model output whose uncertainty must be estimated for a realistic assessment of the system reliability/failure probability [Helton et al., 2005 and 2006; Pourgol-Mohamad et al., 2009]. Furthermore, the identification by sensitivity analysis of the model parameters and hypotheses that contribute the most to the output uncertainty plays a fundamental role in driving resource allocation for uncertainty reduction [Saltelli et al., 2008; Volkova et al., 2008; Marrel et al., 2009]: this information is of paramount importance for the identification of those parameter and hypothesis uncertainties that are more important in determining system failure. For safety-critical systems, these two tasks of uncertainty and sensitivity

INTRODUCTION analysis are mandatory for reliability/failure probability assessment and safety decisionmaking and assurance [Helton and Sallaberry, 2009]. In practice, the predictive models of the complex real-world systems include a large number of parameters and hypotheses, many of which are uncertain. This so called “highdimensionality” problem constitutes a major challenge for the extensive application of uncertainty and sensitivity analysis methods [Schueller, 2007 and 2009]. Classical analytical or numerical schemes are not suitable. On the other hand, probabilistic simulation methods (e.g. Monte Carlo Simulation-MCS), based on the repeated random sampling of possible model inputs and the running of the code for the different inputs sampled, offer a feasible means. A very large number of random realizations of the uncertain input parameters are typically necessary for a deep exploration of their ranges and a robust estimation of the model output uncertainty; for each input realization sampled, the computer code simulating the system behaviour must be run: the resulting computational cost may be very high and at times impractical [Fong et al., 2009]. This calls for new simulation techniques that allow performing robust uncertainty propagation and sensitivity analysis while reducing as much as possible the number of input samples drawn and the associated computational time. In this thesis, we are concerned with a particular class of safety-critical systems, i.e., nuclear passive safety systems. In extreme synthesis, passive safety systems are safety systems that do not need any external input (especially energy) to operate [IAEA, 1991]. This is the reason why passive systems are commonly considered to be more reliable than active systems (i.e., those systems driven by electrical power sources and so on): as a consequence, they may lead to increased safety and acceptability of nuclear power plants. However, the uncertainties affecting both the performance and modeling of passive safety systems are usually much larger than those associated to active systems: for the reasons described above, this makes the reliability/failure probability assessment of nuclear passive systems much more difficult than for active systems [Burgazzi, 2007a-c]. In this context, the goal of the Ph. D. work here presented is to propose the use of advanced computational methods to increase efficiency in the reliability analysis of nuclear passive systems. The work has been performed at the Laboratorio di Analisi di Segnale ed Analisi di Rischio (LASAR, Laboratory of Signal Analysis and Risk Analysis) of the Department of Energy of the Politecnico di Milano (http://lasar.cesnef.polimi.it/).

11

INTRODUCTION

1.1 Nuclear passive systems In the nuclear safety, the expanded consideration of severe accidents, the increased safety requirements and the goal of introducing effective, yet physically transparent, safety functions has led to a growing interest in passive systems for the safety of the future nuclear reactors. As a result, all innovative reactor concepts make use of passive safety features, to a large extent in combination with active safety and operational systems [Mackay et al., 2008; Mathews et al., 2008 and 2009]. Passive systems are expected to contribute significantly to safety by combining peculiar characteristics of simplicity, reduction of human interaction and reduction or avoidance of external electrical power and signals input [Nayak et al., 2008a and b; Nayak et al., 2009]. On the other hand, a fair evaluation of the effectiveness of passive systems must face, besides their economic competitiveness, the difficulty of assessing their reliability due to lack of data on some underlying phenomena, scarce or null operating experience over the wide range of conditions encountered during operation and an overall less effective and guaranteed performance as compared to active safety systems [Pagani et al., 2005; Burgazzi, 2007a]. According to the International Atomic Energy Agency (IAEA) definitions, a passive component does not need external input (especially energy) to operate [IAEA, 1991]. Then, the term “passive” identifies a system which is composed entirely of passive components and structures, or a system, which uses active components in a very limited way to initiate subsequent passive operation. The currently accepted categorization of passive systems, developed by the IAEA, is summarized in Table 1.1 [IAEA, 1991].

Category

Description

A

Physical barriers and static structures (e.g., concrete building)

B

Moving working fluid (e.g., cooling by free convection)

C

Moving mechanical parts (e.g., check valves)

D

External signals and stored energy (e.g., scram systems) Table 1.1. Categorization of passive systems [IAEA, 1991]

Notwithstanding that passive systems are credited a higher reliability with respect to active ones, because of the reduced unavailability due to hardware failure and human error, the uncertainties involved in the actual operation of passive systems and their modeling are 12

INTRODUCTION usually larger than in active systems. Two different sources of uncertainties are usually considered in passive system safety analyses: randomness due to intrinsic variability in the behavior of the system (aleatory uncertainty) and imprecision due to lack of data on some underlying phenomena (e.g., natural circulation) and to scarce or null operating experience over the wide range of conditions encountered during operation [Apostolakis, 1990; Helton, 2004]. As a consequence of these uncertainties, in practice there is a nonzero probability that the physical phenomena involved in the passive system operation lead to failure of performing the intended safety function even if i) safety margins are present and ii) no hardware failures occur. In fact, deviations in the natural forces and in the conditions of the underlying physical principles from the expected ones can impair the function of the system itself: this event is referred to in the literature as functional failure [Burgazzi, 2003]. The quantification of the probability of this occurrence is an issue of concern both for the “nominal” passive systems (e.g., the ESBWR operating in nominal conditions) [Juhn et al., 2000; Rohde et al. 2008] and the “emergency” passive systems (e.g., accumulators, isolation condensers, etc.) [Chung et al., 2008]. In the following, the discussion will focus on the latter type of systems. The occurrence of functional failures is especially critical in type B passive systems, i.e., those involving moving working fluids and referred to in the jargon as Thermal-Hydraulic (TH) passive systems (Table 1.1). The reason lies behind the small driving forces engaging passive operation and the complex and delicate T-H phenomena determining the system performance. For performing their accident prevention and/or mitigation functions, these passive safety systems rely exclusively on natural forces, e.g. gravity or natural convection, not generated by external power sources. Because the magnitude of the natural forces which drive operation is relatively small, counter-forces (e.g., friction) can not be ignored because of comparable magnitude. This leads to uncertainty in the actual T-H system performance which must be evaluated by a specific, systematic and rigorous methodology: the following Section 1.2 further delves into this issue1.

1

Notice that in the following, the discussion will focus on Type B passive systems, i.e., those involving moving working fluids and referred to as T-H passive systems; thus the locution “passive system” will implicitly mean “T-H passive system” in the remainder of the thesis.

13

INTRODUCTION

1.2 Reliability analysis of nuclear passive systems In recent years, several methodologies have been proposed in the open literature to quantify the probability that nuclear passive systems fail to perform their functions [Burgazzi, 2007b; Zio and Pedroni, 2009b]. A number of methods adopt the system reliability analysis framework. In [Aybar et al., 1999], a dynamic methodology based on the cell-to-cell mapping technique has been used for the reliability analysis of an inherently safe Boiling Water Reactor (BWR). In [Burgazzi, 2007a], the failure probability is evaluated as the probability of occurrence of different independent failure modes, a priori identified as leading to the violation of the boundary conditions and/or physical mechanisms needed for successful passive system operation. In [Burgazzi, 2002], modeling of the passive system is simplified by linking to the modeling of the unreliabilities of the hardware components of the system: this is achieved by identifying the hardware failures that degrade the natural mechanisms upon which the passive system relies and associating the relative unreliabilities of the components designed to assure the best conditions for passive function performance. This concept is also at the basis of the Assessment of Passive System ReliAbility (APSRA) approach which has been applied to the reliability analysis of the natural circulation-based Main Heat Transport (MHT) system of an Indian Heavy Water Reactor (HWR) [Nayak et al., 2008a and b; Nayak et al., 2009]. An alternative approach is founded on the introduction of the concept of functional failures, within the reliability physics framework of load-capacity exceedance [Burgazzi, 2003; Burgazzi, 2007a and c; Burgazzi, 2008]: a passive system fails to perform its function due to deviations from its expected behavior which lead the load imposed on the system to overcome its capacity. This concept is at the basis of the methodologies known as Reliability Evaluation of PAssive Safety (REPAS) systems [D’ Auria et al., 2002; Jafari et al., 2003; Zio et al., 2003] and Reliability Methods for Passive Safety (RMPS) functions [Marquès et al., 2005], which have been developed and employed for the analysis of passive Residual Heat Removal Systems (RHRSs) of Light Water Reactors (LWRs). Similar approaches have been used also to evaluate the failure probabilities of decay heat removal systems in Gas-cooled Fast Reactors (GFRs) [Pagani et al., 2005; Bassi and Marquès, 2008; Mackay et al., 2008; Patalano et al., 2008; Pedroni et al., 2009; Zio and Pedroni, 2009a-d], sodium-cooled Fast Breeder Reactors (FBRs) [Mathews et al., 2008 and 2009; Arul et al., 2009] and the leadcooled, fast spectrum Flexible Conversion Ratio Reactor (FCRR) [Fong et al., 2009]. In these works, the passive system is modeled by a detailed, mechanistic T-H system code and the probability of not performing the required function is estimated based on a Monte Carlo (MC) 14

INTRODUCTION sample of code runs which propagate the epistemic (state-of-knowledge) uncertainties in the model describing the system and the numerical values of its parameters. Because of the existence of these uncertainties, it is possible that even if no hardware failure occurs, the system may not be able to accomplish its mission. The functional failure-based approach provides in principle the most realistic assessment of the T-H passive system, thanks to the flexibility of Monte Carlo simulation which does not suffer from any T-H model complexity and, therefore, does not force to resort to simplifying approximations: for this reason, the functional failure-based approach will be adopted in this thesis work. On the other hand, it requires considerable and often prohibitive computational efforts. The reason is twofold. First, a large number of Monte Carlo-sampled T-H model evaluations must generally be carried out for an accurate estimation of the functional failure probability. Since the number of simulations required to obtain a given accuracy depends on the magnitude of the failure probability to be estimated, with the computational burden increasing with decreasing functional failure probability [Schueller, 2007 and 2009], this poses a significant challenge for the typically quite small (e.g., less than 10-4) probabilities of functional failure of T-H passive safety systems. Second, long calculations (several hours) are typically necessary for each run of the detailed, mechanistic T-H code (one code run is required for each sample of values drawn from the uncertainty distributions) [Fong et al., 2009]2.Thus, alternative methods must be sought to tackle the computational burden associated to the analysis. In this thesis the above mentioned computational challenge is tackled in two different ways: from one side, efficient Monte Carlo Simulation techniques are employed to perform robust estimations with a limited number of input samples drawn and associated low computational time (Section 1.3); from the other side, fast-running, surrogate regression models (also called response surfaces or meta-models) are used to replace the long-running T-H model code in the passive system reliability analysis (Section 1.4).

1.3 Advanced Monte Carlo Simulation methods As previously stated, the computational hurdles described in the previous Section 1.2 can be tackled from one side by resorting to efficient simulation techniques that perform robust estimations with a limited number of input samples and associated low computational time.

2

For example, the computer code RELAP5-3D, which is used to describe the thermal-hydraulic behavior of nuclear systems, may take up to twenty hours per run in some applications.

15

INTRODUCTION To this aim, the Importance Sampling (IS) method has been introduced [Au and Beck, 2003a; Schueller et al., 2004]. This technique amounts to replacing the original Probability Density Function (PDF) of the uncertain variables with an Importance Sampling Distribution (ISD) chosen so as to generate samples that lead to failure more frequently [Au and Beck, 2003a]. IS has the capability of considerably reducing the variance compared with standard Monte Carlo Simulation (MCS), provided that the ISD is chosen similar to the theoretical optimal one. In practice, substantial insights on the system behaviour and extensive modelling work may be required to identify a “good” ISD, e.g. by setting up complex kernel density estimators [Au and Beck, 2003a] or simply by tuning the parameters of the ISD based on expert judgment and trial-and-error [Pagani et al., 2005]. Overall, this increases the effort associated to the simulation; furthermore, there is always the risk that an inappropriate choice of the ISD may lead to worse estimates compared to Standard MCS [Schueller et al., 2004]. Another possible approach is Stratified Sampling. This technique requires dividing the sample space into several non-overlapping subregions (referred to as “strata”) and calculating the probability of each subregion; the (stratified) sample is then obtained by randomly sampling a predefined number of outcomes from each stratum [Helton and Davis, 2003; Cacuci and Ionescu-Bujor, 2004]. By so doing, the full coverage of the sample space is ensured while maintaining the probabilistic character of random sampling. A major issue related to the implementation of Stratified Sampling lies in defining the strata and calculating the associated probabilities, which may require considerable a priori knowledge. As a remark, notice that the widely used event tree techniques in nuclear reactor Probabilistic Risk Assessment (PRA) can be seen as defining and implementing Stratified Sampling of accident events and scenarios [Cacuci and Ionescu-Bujor, 2004]. A popular compromise between plain random sampling (i.e., standard MCS) and Importance/Stratified Sampling is offered by Latin Hypercube Sampling (LHS), which is commonly used in PRA [Morris, 2000] for efficiently generating random samples [MacKay et al., 1979; Helton and Davis, 2003; Sallaberry et al., 2008]. The effectiveness of LHS, and hence its popularity, derives from the fact that it provides a dense stratification over the range of each uncertain variable, with a relatively small sample size, while preserving the desirable probabilistic features of simple random sampling; moreover, there is no necessity to determine strata and strata probabilities like in Stratified Sampling [Helton and Davis, 2003]. For these reasons LHS is frequently adopted for efficiently propagating epistemic

16

INTRODUCTION uncertainties in PRA problems [NUREG-1150, 1990; Helton, 1998; Hofer et al., 2002; Krzykacz-Hausmann, 2006; Helton and Sallaberry, 2009]. On the other hand, LHS is very efficient for estimating mean values and standard deviations in complex reliability problems [Olsson et al., 2003], but only slightly more efficient than standard MCS for estimating small failure probabilities [Pebesma and Heuvelink, 1999], like those expected for passive safety systems. To overcome this limitation in this thesis we investigate the use of two recent Monte Carlo Simulation methods, namely Subset Simulation (SS) [Au and Beck, 2001; Au and Beck, 2003b] and Line Sampling (LS) [Koutsourelakis et al., 2004; Pradlwarter et al., 2005]: these methods were developed to efficiently tackle the multidimensional problems of structural reliability. In the SS approach, the functional failure probability is expressed as a product of conditional probabilities of some chosen intermediate and thus more frequent events (for example, if a structure is assumed to fail when the load exceeds 300 kN, then intermediate events could be represented by the load exceeding 100, 150 and 250 kN, respectively). The problem of evaluating the small probabilities of functional failures is thus tackled by performing a sequence of simulations of more frequent events in their conditional probability spaces; the necessary conditional samples are generated through successive Markov Chain Monte Carlo (MCMC) simulations [Metropolis et al., 1953; Hastings 1970], in a way to gradually populate the intermediate conditional regions until the final functional failure region is reached. In the LS method, lines, instead of random points, are used to probe the failure domain of the high-dimensional problem under analysis [Pradlwarter et al., 2005]. An “important direction” is optimally determined to point towards the failure domain of interest and a number of conditional, one-dimensional problems are solved along such direction, in place of the highdimensional problem [Pradlwarter et al., 2005]. The approach has been shown to perform better than standard MCS in a wide range of reliability applications [Koutsourelakis et al., 2004; Schueller et al., 2004; Pradlwarter et al., 2005 and 2007; Schueller and Pradlwarter, 2007; Lu et al., 2008; Valdebenito et al., 2009; Zio and Pedroni, 2009a and d]. Furthermore, if the boundaries of the failure domain of interest are not too rough (i.e., almost linear) and the “important direction” is almost perpendicular to them, the variance of the failure probability estimator could be ideally reduced to zero [Koutsourelakis et al., 2004]. Two main issues of the LS method are tackled in this thesis which are still under study for its practical application in reliability and risk analysis: 17

INTRODUCTION 1. LS relies on the determination of the important direction, which requires additional runs of the T-H model, with an increase of the computational cost. 2. LS has been shown to significantly reduce the variance of the failure probability estimator, but this must be achieved with a small number of samples (and, thus, of TH model evaluations; say, few tens or hundreds depending on the application), for practical cases in which the computer codes require several hours to run a single simulation [Fong et al., 2009]. The present thesis addresses the first issue above by: •

comparing the efficiency of a number of methods proposed in the literature to identify the important direction [Koutsourelakis et al., 2004; Schueller et al., 2004; Pradlwarter et al., 2005; Valdebenito et al., 2009];

•

employing Artificial Neural Network (ANN) regression models [Bishop, 1995] as fast-running surrogates of the long-running T-H code, to reduce the computational cost associated to the identification of the LS important direction;

•

proposing a new technique to determine the LS important direction, based on the minimization of the variance of the LS failure probability estimator; algorithms based on Sequential Quadratic Programming (SQP) [Boggs and Tolle, 1996] and Genetic Algorithms (GAs) [Konak et al., 2006; Marseguerra et al., 2006] are used as minimization tools in the proposed technique.

With respect to the second issue above, this thesis aims at: •

assessing the performance of the LS method in the estimation of small failure probabilities (e.g., of the order of 10-4) with a very small number of samples drawn (e.g., of the order of 5–50).

1.4 Empirical regression modeling Another viable approach to overcome the computational burden associated to the reliability analysis of nuclear passive systems is that of resorting to fast-running, surrogate regression models, also called response surfaces or meta-models, to approximate the input/output function implemented in the long-running system model code, and then substitute it in the passive system reliability analysis [Storlie et al., 2008]. The construction of such regression models entails running the system model code a predetermined, reduced number of times (e.g., 50-100) for specified values of the uncertain input variables and collecting the corresponding values of the output of interest; then, statistical

techniques

are

employed

for

calibrating/adapting

the

internal 18

INTRODUCTION parameters/coefficients of the response surface of the regression model in order to fit the input/output data generated in the previous step. Several examples can be found in the open literature concerning the application of surrogate meta-models in reliability problems. In [Bucher and Most, 2008; Gavin and Yau, 2008; Liel et al., 2009], polynomial Response Surfaces (RSs) are employed to evaluate the failure probability of structural systems; in [Arul et al., 2009; Fong et al., 2009; Mathews et al., 2009], polynomial RSs are employed for performing the reliability analysis of T-H passive systems in advanced nuclear reactors; in [Deng, 2006; Hurtado, 2007; Cardoso et al., 2008; Cheng et al., 2008], learning statistical models such as Artificial Neural Networks (ANNs), Radial Basis Functions (RBFs) and Support Vector Machines (SVMs) are trained to provide local approximations of the failure domain in structural reliability problems; in [Volkova et al., 2008; Marrel et al., 2009], Gaussian meta-models are built to calculate global sensitivity indices for a complex hydrogeological model simulating radionuclide transport in groundwater. In this thesis, the possibility of using Artificial Neural Networks (ANNs) and quadratic Response Surfaces (RSs) to reduce the computational burden associated to the reliability analysis of nuclear passive systems is investigated. In extreme synthesis, quadratic RSs are polynomials containing linear terms, squared terms and possibly two-factors interactions of the input variables [Iooss et al., 2006; Liel et al., 2009]; the RS adaptable parameters/coefficients are usually calibrated by straightforward least squares methods. ANNs are computing devices inspired by the function of the nerve cells in the brain [Bishop, 1995]. They are composed of many parallel computing units (called neurons or nodes) interconnected by weighed connections (called synapses). Each of these computing units performs a few simple operations and communicates the results to its neighbouring units. From a mathematical viewpoint, ANNs consist of a set of nonlinear (e.g., sigmoidal) basis functions with adaptable parameters/coefficients that are adjusted by a process of training (on many different input/output data examples), i.e., an iterative process of regression error minimization [Rumelhart et al., 1986]. To keep the practical applicability in sight, in this thesis small sets of input/output data examples are considered available for constructing the ANN and quadratic RS models: different sizes of the (small) data sets are considered to show the effects of this relevant practical aspect.

19

INTRODUCTION However, when using the approximation of the system output provided by an ANN or quadratic RS empirical regression model, an additional source of model uncertainty is introduced which needs to be evaluated, particularly in safety critical applications like those related to nuclear power plant technology. To this aim, in this thesis we resort to bootstrapped regression models [Efron and Thibshirani, 1993], i.e., ensembles of regression models, constructed on different data sets bootstrapped from the original one [Zio, 2006; Storlie et al., 2009]. This allows quantifying, in terms of confidence intervals, the model uncertainty associated to the estimates provided by ANN or quadratic RS regression models [Efron and Thibshirani, 1993]. The bootstrap method is a distribution-free inference method which requires no prior knowledge about the distribution function of the underlying population [Efron and Thibshirani, 1993]. The basic idea is to generate samples from the observed data by sampling with replacement from the original data set [Efron and Thibshirani, 1993]: each of these bootstrapped data sets is used to build a bootstrapped regression model which is used to calculate the reliability quantity of interest (e.g., the passive system failure probability in this case). From the theory and practice of ensembles of empirical models, it can be shown that the estimates given by bootstrapped regression models is in general more accurate than the estimate of the best regression model in the bootstrap ensemble of regression models [Zio, 2006; Cadini et al., 2008]. Some examples of the application of the bootstrap method for the evaluation of the uncertainties associated to the output of regression models in safety-related problems can be found in the literature: in [Zio, 2006], bootstrapped ANNs are trained to predict nuclear transients processes; in [Cadini et al., 2008; Secchi et al., 2008], the model uncertainty, quantified in terms of a standard deviation, is used to “correct” the ANN output in order to provide conservative estimates for important safety parameters in nuclear reactors (i.e., percentiles of the pellet cladding temperature); finally, in [Storlie et al., 2009], the bootstrap procedure is combined with different regression techniques, e.g. Multivariate Adaptive Regression Spline (MARS), Random Forest (RF) and Gradient Boosting Regression (GBR), to calculate confidence intervals for global sensitivity indices of the computationally demanding model of a nuclear waste repository.

1.5 Structure of the thesis The thesis comprises two parts. Part I, subdivided in four Chapters, introduces and addresses the problems in further details and illustrates the methodological approaches developed and 20

INTRODUCTION employed in this Ph. D. work. Part II is a collection of five selected papers published (or submitted for publication) as a result of the work and which the reader is referred to for further details. Table 1.2 summarizes the thesis structure. Chapter 2 tackles the issue of reliability analysis of nuclear passive systems. Chapter 3 contains a detailed description of the advanced Monte Carlo Simulation methods employed in this thesis to improve the efficiency of random sampling (i.e., SS and LS); then, it presents the optimization of the LS method introduced within this Ph. D. work: in particular, the issues of i) the identification of the LS important direction and ii) the performance of LS with very small sample sizes are tackled. Chapter 4 presents the empirical regression models adopted in this thesis to replace the long-running TH codes in the reliability assessment of nuclear passive systems (i.e., ANNs and quadratic RSs); then, it provides the details of the bootstrap algorithm for point and confidence interval estimation in empirical regression modeling. Figure 1.1 provides a pictorial view of the issues and the computational methods considered in the present Ph. D. work on reliability analysis of nuclear passive systems. Papers I and II present the application of SS and LS, respectively, to the functional failure analysis of a T-H passive system. Paper III contains the comparison of the SS and LS methods with other advanced Monte Carlo Simulation methods (e.g., Importance Sampling, Dimensionality Reduction, Orthogonal Axis, …) on two structural case studies of literature. Paper IV presents the optimized LS method introduced within this Ph. D. work and its application to a structural case study of literature and to the functional failure analysis of a TH passive system. Finally, paper V contains the comparison of bootstrapped ANNs and quadratic RSs in the estimation of the functional failure probability of a T-H passive system and the associated uncertainties.

Part I

Part II

Topic

Chapter

Paper(s)

Reliability analysis of nuclear passive systems

2

I, II, IV, V

Advanced Monte Carlo Simulation methods

3

I-IV

Empirical regression modeling

4

IV-V

Table 1.2. Structure of the thesis

21

INTRODUCTION

Figure 1.1. Pictorial view of the issues and the computational methods considered in the present Ph. D. work on reliability analysis of nuclear passive systems

22

2 Reliability analysis of nuclear passive systems As previously stated, passive systems are expected to contribute significantly to the safety of nuclear power plants by combining peculiar characteristics of simplicity, reduction of human interaction and reduction or avoidance of external electrical power and signals input [Nayak et al., 2008a and b; Nayak et al., 2009]. On the other hand, a fair evaluation of the effectiveness of nuclear passive systems must face the difficulty of assessing their reliability due to the uncertainties involved in their actual operation and modeling. This Chapter tackles the issue of reliability analysis of nuclear passive systems: in particular, in Section 2.1, the main sources and types of uncertainties involved in the performance and modeling of nuclear passive systems are recalled; in Section 2.2, a detailed survey of the methodologies and approaches for nuclear passive system reliability evaluation is provided; finally, in Section 2.3, the methods described in Section 2.2 are critically discussed.

2.1 Sources and types of uncertainties in the performance and modeling of nuclear passive systems Uncertainties in the performance and modelling of nuclear passive systems must be accounted for in the reliability evaluations within a Probabilistic Risk Assessment (PRA) framework [Burgazzi, 2004; Pagani et al., 2005; Burgazzi, 2007a-c]. To effectively model these uncertainties, it is useful to separate the two kinds of uncertainty, i.e. “aleatory” and “epistemic”, which, because of their nature, must be considered differently [Apostolakis, 1990; Helton, 2004]. Aleatory uncertainty refers to phenomena occurring in a random way: probabilistic modeling offers a sound and efficient way to describe such occurrences. Epistemic uncertainty captures the analyst’s confidence in the PRA model by quantifying the degree of belief of the analysts on how well it represents the actual system; it is also referred to as state-of-knowledge or subjective uncertainty and can be reduced by gathering information and data to improve the knowledge on the system behavior. As might be expected, the uncertainties affecting the operation of nuclear passive systems (Table 2.1) are both of aleatory kind, because of the randomness in the occurrence of some phenomena, and of epistemic nature, because of the limited knowledge on some phenomena and processes and the paucity of the relative operational and experimental data available [Burgazzi, 2007a].

RELIABILITY ANALYSIS OF NUCLEAR PASSIVE SYSTEMS Aleatory uncertainties concern, for instance, the occurrence of an accident scenario, the time to failure of a component or the variation of the actual geometrical dimensions (due to differences between the as-built system and its design upon which the analysis is based) and material properties (affecting the failure modes, e.g. concerning undetected leakages and heat losses) [NUREG-1150, 1990; Helton, 1998; USNCR, 1998; Burgazzi, 2007a-c]. Two examples of classical probabilistic models used to describe this kind of uncertainties in PRAs are the Poisson model for events randomly occurring in time (e.g., random variations of the operating state of a valve) and the binomial model for events occurring “as the immediate consequence of a challenge” (e.g., failures on demand) [NUREG-CR-6850, 2005]. The effects of these uncertainties are then propagated onto the risk measure, e.g. by Monte Carlo simulation based on Importance Sampling or Stratified Sampling [Hofer et al., 2002; Cacuci and Ionescu-Bujor, 2004; Krzykacz-Hausmann, 2006]. The contribution of aleatory uncertainty to nuclear passive systems failure is quite clear: for example, natural circulation could be altered by a random disturbance in the system geometry or by a random variation of the operating state of a component [Pagani et al., 2005]. In the present thesis, the representation and propagation of aleatory uncertainties are not considered for the estimation of the reliability (or failure probability) of nuclear passive systems [Pagani et al., 2005; Bassi and Marques, 2008; Mackay et al., 2008; Mathews et al., 2008; Patalano et al., 2008; Arul et al., 2009]. Epistemic uncertainty is instead associated to the lack of knowledge about the properties and conditions of the phenomena (i.e., natural circulation) underlying the behavior of the passive systems. This uncertainty manifests itself in the model representation of the system behavior, in terms of both (model) uncertainty in the hypotheses assumed and (parameter) uncertainty in the values of the parameters of the model [Cacuci and Ionescu-Bujor, 2004; Helton et al., 2006; Patalano et al., 2008]. Model uncertainty arises because mathematical models are simplified representations of real systems and, therefore, their results may be affected by error or bias. Model uncertainty also includes the fact that the model could be too simplified and therefore would neglect some important phenomena affecting the final result. This latter type of uncertainty is sometimes identified independently from model uncertainty and is known as completeness uncertainty [USNCR, 1998].

24

RELIABILITY ANALYSIS OF NUCLEAR PASSIVE SYSTEMS Model uncertainty may for example involve the correlations adopted to describe the T-H phenomena, which are subject to errors of approximation. Such uncertainties may for example be captured by a multiplicative model [Zio and Apostolakis, 1996; Patalano et al., 2008]:

z = c( x ) ⋅ ε ,

(2.1)

where z is the real value of the quantity to be predicted (e.g. heat transfer coefficients, friction factors, Nusselt numbers or thermal conductivity coefficients), c(·) is the mathematical model of the correlation (i.e., the result of the correlation as computed by the T-H code), x is the vector of correlating variables and ε is the associated multiplicative error factor: as a result, the uncertainty in the quantity z to be predicted is translated into an uncertainty in the multiplicative error factor ε. This error is commonly classified as representing model uncertainty. Furthermore, uncertainty affects the values of the parameters used to describe the system (e.g., power level, pressure, cooler wall temperature, material conductivity, …), e.g. owing to errors in their measurement or insufficient data and information. For example, according to industry practice and experience, an error of 2% is usually considered in the determination of the power level in a reactor, due to uncertainties in the measurements. As a consequence, the power level is usually known only to a certain level of precision, i.e., epistemic uncertainty is associated with it [Pagani et al., 2005]. Both model and parameter uncertainties associated to the current state of knowledge of the system can be represented by subjective probability distributions within a Bayesian approach to PRA [Apostolakis, 1990, 1995 and 1999]. A systematic procedure for defining the probability density functions of the parameters in input to the reliability assessment of a T-H passive system model is reported in [Pagani et al., 2005]: in this study, the epistemic probability distributions are assumed normal, with mean values equal to the parameter nominal values and standard deviations proportional to the correlation errors and parameter uncertainties taken from the open literature [Churchill, 1998]. In current PRAs, the effect of these uncertainties is often propagated on the risk measure by Latin Hypercube Sampling (LHS) [Helton and Davis, 2003]. Epistemic uncertainties affect also the identification of the failure criterion to be adopted for the system under analysis: for instance, reactor parameters (e.g. the maximal cladding temperature) as well as passive system variables (e.g. the thermal power exchanged in a cooler) could be equally adopted as indicators of the safety performance of the passive system; furthermore, the failure thresholds may be established as point-targets (e.g., a specific 25

RELIABILITY ANALYSIS OF NUCLEAR PASSIVE SYSTEMS quantity of liquid must be delivered within a fixed time) or time-varying targets or even integral targets over a defined mission time (e.g., the system must reject at least a given value of thermal power during the entire system intervention) [Jafari et al., 2003; Marques et al., 2005]. Finally, state-of-knowledge uncertainty affects the identification of the possible failure modes and related causes and consequences, such as leaks (e.g. from pipes and pools), deposit thickness on components surfaces (e.g. pipes or heat exchangers), presence of noncondensable gases, stresses, blockages and material defects [Burgazzi, 2007a]. The identification of all the relevant modes/causes of failure in terms of critical parameters for the passive system performance/stability and the assessment of the relative uncertainty may be attempted by commonly used hazard identification procedures, like HAZard and OPerability (HAZOP) analysis and Failure Mode and Effect Analysis (FMEA) [Burgazzi, 2004 and 2006]. The contribution of epistemic uncertainties to the definition of the reliability/failure probability of nuclear passive systems can be qualitatively explained as follows. If the analyst is not fully confident on the validity of the correlations adopted to estimate, e.g., the design value of the heat transfer coefficient in the core during natural convection (e.g., due to the paucity of experimental data available in support of the use of a particular correlation), he/she admits that in a real accident scenario the actual value of the heat transfer coefficient in the core might deviate from the nominal/design one (i.e., different from the value computed by a deterministic correlation). If this variation (accepted as plausible by the analyst) were to take place during an accident scenario, it may cause the passive system to fail performing its safety function; based on the current state of knowledge of the heat transfer phenomenon in the core under the expected conditions, the likelihood of the heat transfer coefficient variation is to be quantified for estimating the reliability/failure probability. A future improvement in the state of knowledge, e.g. due to the collection of data and information useful to improve the characterization of the heat transfer phenomenon, would lead to a change in the epistemic uncertainty distribution describing the likelihood of the various values of heat transfer coefficient and eventually to a more accurate estimate of the system reliability/failure probability [Pagani, 2004; Pagani et al., 2005; Bassi and Marques, 2008; Mackay et al., 2008; Mathews et al., 2008 and 2009; Patalano et al., 2008; Arul et al., 2009; Fong et al., 2009]. In the present thesis, only epistemic uncertainties are considered for the estimation of the reliability/failure probability of nuclear passive systems [Pagani et al., 2005; Bassi and

26

RELIABILITY ANALYSIS OF NUCLEAR PASSIVE SYSTEMS Marques, 2008; Mackay et al., 2008; Mathews et al., 2008; Patalano et al., 2008; Arul et al., 2009].

Categories of uncertainties

Occurrence of accident scenarios Failure time of mechanical components ALEATORY

Variation of geometrical dimensions Variation of material properties Model (correlations)

T-H analysis

Parameters

EPISTEMIC

System failure analysis

Failure criteria Failure modes (critical parameters)

Table 2.1. Categories of uncertainties associated to T-H passive systems reliability assessment

2.2 Methods for the reliability analysis of nuclear passive systems As mentioned in Section 1.2, a number of methodologies have been investigated for the reliability assessment of nuclear passive systems. In the following, a synthetic review of three of these is offered: in Section 2.2.1 the approach based on independent failure modes is described; in Section 2.2.2 the hardware failure modes approach is presented; finally, in Section 2.2.3 a detailed description of the functional failure approach is given (notice that this approach is taken as reference and adopted in the present thesis work). 2.2.1 The independent failure modes approach

In this approach, the reliability of a passive system is seen from two main perspectives: system/component reliability (e.g., valves, piping) and physical phenomena reliability. The former calls for soundly-engineered passive components with at least the same level of reliability of the active ones and can be treated in the classical way, i.e., in terms of failures of components. The latter perspective is concerned with the evaluation of the natural physical phenomena underpinning the passive safety function and the long-term effects of the surroundings on its performance/stability; it addresses the critical failures that defeat or degrade the natural mechanisms which sustain the operation of the passive system. In this view, the passive system failure probability is evaluated as the probability of occurrence of the different failure modes, considered independent, critical for the passive 27

RELIABILITY ANALYSIS OF NUCLEAR PASSIVE SYSTEMS safety function, i.e. which would violate the boundary conditions and physical mechanisms necessary for the successful operation of the passive system [Burgazzi, 2007a]. A detailed description of the approach is given in [Burgazzi, 2007a] together with an exploratory application to a typical natural circulation, two-phase flow loop of an isolation condenser [Burgazzi, 2002]. The operative steps of the procedure adopted are: 1. Identify the failure modes affecting the natural circulation phenomenon: for this scope, well-structured and commonly used qualitative hazard analyses may be adopted, e.g. FMEA and HAZOP, specifically tailored to considering the phenomenology of the natural circulation [Burgazzi, 2004, 2006 and 2007a]. 2. Identify a set of n critical parameters x = {x1, x2, …, xj, …, xn} as direct indicators of the failure modes identified in step 1. (e.g., non-condensable fraction, undetected leakage size, valve closure area, heat loss and piping layout). 3. Assuming that all of the failure modes identified in step 1. are independent from each other, select proper probability distributions {q1(x1), q2(x2), …, qj(xj), …, qn(xn)} over the ranges of variability of the corresponding critical parameters identified in step 2. [Ricotti et al., 2002]. 4. Identify the critical intervals {F1, F2, …, Fj, …, Fn} defining the failure criteria for all the parameters: if at least one of the critical parameters lies in its critical interval, then the system is failed [Burgazzi, 2007a]. 5. Compute the failure probabilities, P(Fj), j = 1, 2, …, n, pertaining to each failure mode by integrating each probability density function, qj(xj), over the corresponding range of failure, Fj: P (F j ) = ∫ q j ( x j )dx j , j = 1, 2, ..., n

(2.2)

Fj

6. Under the assumption of independence (step 3.), calculate the overall probability of failure of the natural circulation system, P(F), by combining all the failure probabilities for each failure mode, P(Fj), as follows: P(F ) = 1 − ∏ (1 − P (F j )) n

(2.3)

j =1

Thus, for a passive system with n mutually independent failure modes, the total failure probability is computed as for a series system with n critical elements.

28

RELIABILITY ANALYSIS OF NUCLEAR PASSIVE SYSTEMS An extension of this approach has been recently proposed in [Burgazzi, 2009] to take into account possible dependencies between the failure modes: actually, it is seen that the independency assumption (step 3. above) may lead to overly optimistic estimates of the passive system reliability. In extreme synthesis, to tackle this issue joint probability density functions are assigned to the (correlated) critical parameters associated to the failure modes which violate the conditions and physical mechanisms necessary for the successful operation of the passive system. No further details are given here for brevity: the interested reader may refer to [Burgazzi, 2009]. 2.2.2 The hardware failure modes approach

In [Burgazzi, 2002], an effort is made to try to associate to each physical failure mode a failure mode of a hardware component designed to ensure the corresponding conditions for successful passive safety function performance (e.g. vent valves opening for removal of noncondensable gases, piping integrity, heat exchanger for heat transfer process). This concept is also at the basis of the Assessment of Passive System ReliAbility (APSRA) approach which has been applied to the reliability analysis of the natural circulation-based Main Heat Transport (MHT) system of an Indian Heavy Water Reactor (HWR) [Nayak et al., 2008a and b; Nayak et al., 2009]. In this approach, the probabilities of physical failures that defeat or degrade the mechanisms upon which the passive system relies are reduced to unreliabilities of the components whose failures challenge the successful passive system operation: for example, the probability that a given fraction of non-condensable gases is present in the pipes (which may reduce the heat transfer coefficients in natural circulation) is associated to the probability of failure of the vent valves designed to remove non-condensable gases [Burgazzi, 2002]. 2.2.3 The functional failure approach

This approach exploits the concept of functional failure to define the probability of failing to successively carry out a given safety function (e.g., decay heat removal) [Burgazzi, 2003]. The idea comes from the Resistance-Stress (R-S) interference model of fracture mechanics [Lewis, 1994]. In the framework of T-H passive systems reliability assessment, R and S express respectively the safety functional Requirement (i.e., the Resistance) (R) on a safety physical parameter (for example, a maximum threshold value for the fuel cladding temperature which cannot be exceeded to guarantee the integrity of the core structure) and system State (i.e., the Stress) (S) (i.e., the actual value of the fuel cladding temperature during an accidental transient). 29

RELIABILITY ANALYSIS OF NUCLEAR PASSIVE SYSTEMS Probability distributions are assigned to both R and S to reflect the aleatory and epistemic uncertainties in both the safety thresholds for failure and the actual conditions of the system state (Section 2.1). The function of the passive system defines the safety parameter values that define system failure, whose probability is obtained by comparing the State (S) probability density function with that of the defined safety functional Requirement (R): the probability that the system State (i.e., the Stress) (S) exceeds the safety functional Requirement (i.e., the Resistance) (R) is referred to in the literature as probability of functional failure [Burgazzi, 2003; Pagani et al., 2005; Burgazzi, 2007b and c; Burgazzi, 2008]. A procedure for the quantitative analysis of functional failures has been proposed within an European Commission (EC) supported project called Reliability Methods for Passive Safety (RMPS) functions. The underpinning elements of the method are [Marquès et al., 2005; Bassi and Marquès, 2008]: i) the detailed modelling of the system response by means of a deterministic T-H code, ii) the identification of the parameters which contribute to the uncertainty in the results of the T-H calculations and iii) the propagation of these uncertainties through the T-H code to estimate the probability of functional failure. The conceptual development of the methodology is here summarized in the following steps [Marquès et al., 2005]: 1. Characterize the accident scenarios in which the passive system under consideration will be demanded to operate. 2. Define the function that the passive system is expected to perform, e.g., decay heat removal, vessel cooling and depressurization. 3. Identify the design parameters related to the reference system configuration and corresponding nominal function (e.g., power level, system pressure, heat exchanger initial wall temperature, …) [D’ Auria et al., 2002]. 4. Identify the possible failure modes of the passive system for the accident scenario under consideration. Qualitative analyses are often necessary to identify the potential failure modes, and their causes and consequences, associated with the passive system operation: the FMEA and HAZOP techniques may be adopted to identify the parameters judged critical for the performance of the passive system and to help associate the failure modes and corresponding indicators of the failure causes. To this aim, in addition to mechanical components of the system (piping, valves, …), a “virtual component” is introduced to identify the passive system and evaluated in terms of potential “phenomenological” factors (e.g. non-condensable gas build-up, 30

RELIABILITY ANALYSIS OF NUCLEAR PASSIVE SYSTEMS thermal stratification, surface oxidation, …, in the case of a natural circulation passive system) whose presence can affect the passive system performance [Burgazzi, 2004 and 2006]. 5. Evaluate the failure criteria on the basis of the system function (step 2.) and failure modes (step 4.). The occurrence of a failure is verified by comparison between the real performance of the passive system and the expected performance in nominal conditions. Reactor parameters can be adopted as indicators of the performance of the passive system: for instance, the failure criterion can be based on the maximal cladding temperature reached during a specific period [Marquès et al., 2005; Pagani et al., 2005; Bassi and Marquès, 2008; Mackay et al., 2008; Mathews et al., 2008; Patalano et al., 2008; Arul et al., 2009; Fong et al., 2009]. Another possibility consists in identifying as performance indicators one or more variables or parameters characteristic of the passive system itself (e.g., thermal power exchanged in the cooler or mass flow rate at the cooler inlet). Again, the failure criteria can be set as singletargets (e.g. the system must deliver a specific quantity of liquid within a fixed time) or as a function of time targets or as integral values over a mission time (e.g. the system must reject at least a mean value of thermal power during the entire system intervention) [D’ Auria et al., 2002; Jafari et al., 2003; Zio et al., 2003; Zio and Pedroni, 2009b]. 6. Build a mechanistic, best estimate T-H model to simulate the system accident response and perform best estimate calculations [Gläser, 2002]. 7. Identify the potentially important contributors to uncertainty in the results of the best estimate T-H calculations. These uncertainties are both of aleatory kind, because of the randomness in the occurrence of some phenomena (e.g., the occurrence of an accident scenario, the failure of a component, ...), and of epistemic nature, because of the limited knowledge on some phenomena and processes and the paucity of the relative operational and experimental data available (e.g., the models, correlations and parameters used in the T-H analysis) [Apostolakis, 1990]. Notice that in the present thesis, only epistemic uncertainties are considered to estimate the functional failure probability of the T-H passive system [Pagani et al., 2005; Bassi and Marques, 2008; Mackay et al., 2008; Mathews et al., 2008; Patalano et al., 2008; Arul et al., 2009]. 8. Represent the epistemic uncertainties in the identified relevant parameters, models and correlations by selecting proper probability distributions. These distributions quantify

31

RELIABILITY ANALYSIS OF NUCLEAR PASSIVE SYSTEMS the state of knowledge on such parameters, in a Bayesian sense [Pagani et al., 2005; Burgazzi, 2007b]. 9. Propagate the epistemic uncertainties associated to the identified relevant parameters, models and correlations (steps 7. and 8. above) through the deterministic T-H code in order to estimate the functional failure probability of the passive system, conditional on the current state of knowledge about the phenomena involved (step 8. above) [Pagani et al., 2005; Bassi and Marques, 2008; Mackay et al., 2008; Mathews et al., 2008; Patalano et al., 2008; Arul et al., 2009]. Formally, let x = {x1, x2, …, xj, …, xn} be the vector of the relevant system parameters, Y( x ) be the identified scalar performance indicator and αY the threshold value defining the corresponding failure criterion. For illustrating purposes, let us assume that the passive system operates as long as Y( x ) < αY (Figure 2.1): thus, within the Resistance-Stress interference model framework described above, in the present case S = Y(x) and R = αY. Then, introducing a new variable called Limit State Function (LSF) or Performance Function (PF) as g x ( x ) = Y ( x ) − α Y , one writes g x ( x ) = Y ( x ) − αY

⎧< 0 for function successfully performed ⎪ ⎨ = 0 at limit state ⎪ > 0 for failure of performing the function ⎩

(2.4)

Note that the choice of a single-valued performance function does not reduce the generality of the approach, because any multidimensional vector of physical quantities can be conveniently re-expressed as a scalar parameter by resorting to suitable minmax transformations (see Paper II of Part II for details) [Zio and Pedroni, 2009d]. Given the limited state of knowledge and consequent epistemic uncertainties in the model representation of the system behavior, there is a probability of system functional failure, P(F), which can be expressed in terms of the following integral:

P(F ) = ∫∫ ...∫ I F ( x )q( x )dx

(2.5)

where q (⋅) is the joint Probability Density Function (PDF) representing the epistemic uncertainty in the parameters x , F is the failure region (i.e., the region where gx(·) > 0) and IF(·) is an indicator function such that IF(x) = 1, if x ∈ F and IF(x) = 0, otherwise. In practice, the multidimensional integral (2.5) cannot be easily evaluated. MC simulation provides an effective means for estimating its value, albeit it implies sampling from the multidimensional joint PDF which is in general a non-trivial task 32

RELIABILITY ANALYSIS OF NUCLEAR PASSIVE SYSTEMS [Schueller, 2007 and 2009]. Indeed, the MC solution to (2.5) entails that a large number NT of samples of the values of the system parameters be drawn from q (⋅) and N used to evaluate the LSF (2.4). An estimate Pˆ (F ) T of the probability of failure P(F)

in (2.5) can then be computed by dividing the number of times that gx(·) > 0 by the total number of samples NT. It can be demonstrated that this estimate is unbiased and N consistent, i.e. that as NT approaches infinity, Pˆ (F ) T approaches the true failure

probability P(F). In general, given the high dimensionality of the problem and the large dimension of the relative sample space compared to the failure region of interest, a large number of samples is necessary to achieve an acceptable accuracy in the estimation of the functional failure probability P(F). This leads to very large computing times due to the long calculations (several hours) of the detailed, bestestimate T-H code (one code run for each sample of parameter values drawn). 10. Perform a sensitivity study to determine the contribution of the individual uncertain parameters (i.e., the inputs to the T-H code) to the uncertainty in the outputs of the TH code and consequently to the functional failure probability of the T-H passive system. As is true for uncertainty propagation (step 9. above), sensitivity analysis relies on multiple evaluations of the code for different combinations of system inputs.

Figure 2.1. Functional failure concept: the passive system is assumed to fail when its performance indicator Y(x) exceeds a given failure threshold αY

33

RELIABILITY ANALYSIS OF NUCLEAR PASSIVE SYSTEMS

2.3 Discussion of the methods Table 2.2 synthesizes the main elements of the methods of passive system reliability assessment discussed in the previous Section 2.2; then, in what follows the main advantages and drawbacks of the different approaches are briefly summarized.

34

RELIABILITY ANALYSIS OF NUCLEAR PASSIVE SYSTEMS

Concept

Parameters

Independent failure modes (natural circulation)

Critical parameters, indicators of independent failure modes (e.g. non-condensable fraction, valve closure area, leakage size, heat loss)

Passive system hardware components

Unreliabilities of hardware components (e.g. vent valves, heat exchanger, piping)

Functional failure

Passive system performance indicator, Y: - Reactor parameters (e.g. maximal clad temperature) - Passive system safety parameters (e.g. removed thermal power, water mass flow rate, pressure differential)

Failure probability computation

Failure criterion

- Identify critical intervals for all critical parameters - System failure: at least one parameter lies in critical interval - Identify components designed to ensure conditions for successful passive safety function performance - System failure: at least one critical component fails - Compare actual performance (indicator value, Y) to expected performance (threshold value, αY) - System failure: gx = Y – αY > 0

Series system of independent critical elements (failure modes) Conventional PRA techniques (e.g. fault tree analysis) - Resistance-Stress (R-S) interference model - Monte Carlo (MC) estimate by repeated runs of mechanistic T-H code

Table 2.2. Methodologies considered for thermal-hydraulic passive system reliability assessment

35

RELIABILITY ANALYSIS OF NUCLEAR PASSIVE SYSTEMS In the independent failure modes approach (Section 2.2.1), once the probability distributions of the critical parameters are assigned (step 3. of Section 2.2.1), the failure probability of the system can be easily obtained from (2.2) and (2.3) if proper failure criteria are assigned in step 4. of Section 2.2.1. Unfortunately, difficulties arise in assigning the range and the probability density functions of the critical parameters defining the failure modes, as well as in defining proper failure criteria, because of the unavailability of a consistent experimental and operating data base. This lack of experimental evidence forces to resort to expert/engineering judgments to a large extent, making thus the results strongly conditional upon the expert judgment elicitation process [Burgazzi, 2002, 2004 and 2007a-c]. Moreover, the hypothesis of independence between the different failure modes infringing passive safety function (step 3. of Section 2.2.1) may represent an excessive simplification of the problem and produce overly optimistic estimates of the passive system reliability. To overcome this drawback, an approach has been recently proposed to take into account possible dependencies between the failure modes [Burgazzi, 2009]. However, in this case even more relevant difficulties arise in assigning the joint probability density functions of the critical (correlated) parameters defining the failure modes. The hardware failure modes approach (Section 2.2.2) may in theory overcome the difficulties of the independent failure modes approach described in Section 2.2.1: actually, no subjective probability distributions have to be assigned to the critical parameters defining the failure modes. On the other hand, some critical issues arise with respect to the effectiveness and completeness of the performance assessment over the entire range of possible failure modes that the system may potentially undergo and their association to corresponding hardware failures [Burgazzi, 2002; Nayak et al., 2008a and b; Nayak et al., 2009]. The functional failure-based approach (Section 2.2.3) provides in principle the most realistic assessment of the T-H passive system, thanks to the flexibility of Monte Carlo simulation which does not suffer from any T-H model complexity and, therefore, does not force to resort to simplifying approximations: for this reason, the functional failure-based approach will be adopted in this thesis work. On the other hand, it requires considerable and often prohibitive computational efforts. The reason is twofold. First, a large number of Monte Carlo-sampled T-H model evaluations must generally be carried out for an accurate estimation of the functional failure probability. Since the number of simulations required to obtain a given accuracy depends on the magnitude of the failure probability to be estimated, with the 36

RELIABILITY ANALYSIS OF NUCLEAR PASSIVE SYSTEMS computational burden increasing with decreasing functional failure probability [Schueller, 2007 and 2009], this poses a significant challenge for the typically quite small (e.g., less than 10-4) probabilities of functional failure of T-H passive safety systems. Second, long calculations (several hours) are typically necessary for each run of the detailed, mechanistic T-H code (one code run is required for each sample of values drawn from the uncertainty distributions) [Fong et al., 2009]. Thus, alternative methods must be sought to tackle the computational burden associated to the analysis. In this thesis, the above mentioned computational challenge is tackled in two different ways: from one side, efficient Monte Carlo Simulation techniques are employed to perform robust estimations with a limited number of input samples drawn and associated low computational time (Section 3); from the other side, fast-running, surrogate regression models (also called response surfaces or meta-models) are used to replace the long-running T-H model code in the passive system functional failure assessment (Section 4).

37

3 Advanced Monte Carlo Simulation methods In this Chapter, the advanced Monte Carlo Simulation methods employed in this thesis are described in detail: in Sections 3.1 and 3.2, thorough presentations of the Subset Simulation (SS) and Line Sampling (LS) techniques are given, respectively; in Section 3.3, the optimized LS method proposed within the present Ph. D. work is presented; finally, the methodological and applicative contributions of the thesis work are highlighted in Section 3.4: in particular, the main results obtained are synthetically summarized. In the Chapter, references are given to the papers included in Part II. In particular, Papers I and II present the application of SS and LS, respectively, to the functional failure analysis of a T-H passive system. Paper III contains the comparison of the SS and LS methods with other advanced Monte Carlo Simulation methods (e.g., Importance Sampling, Dimensionality Reduction, Orthogonal Axis, …) on two structural case studies of literature. Paper IV presents the optimized LS method introduced within this Ph. D. work and its application to a structural case study of literature and to the functional failure analysis of a T-H passive system.

3.1 Subset Simulation Subset Simulation (SS) is an adaptive probabilistic simulation method for efficiently computing small failure probabilities, originally developed for the reliability analysis of structural systems [Au and Beck, 2001]. Structural reliability problems are naturally formulated within a functional failure framework of analysis, because structural systems fail whenever the load applied (i.e., the stress) exceeds their capacity (i.e., the resistance) [Lewis, 1991; Schueller and Pradlwarter, 2007]. This makes SS suitable for application to the functional reliability analysis of T-H passive systems, where the failure is specified in terms of one or more safety variables (e.g., temperatures, pressures, flow rates, ...) crossing the safety thresholds specified by the regulating authorities [Pagani et al., 2005; Bassi and Marques, 2008; Mackay et al., 2008; Mathews et al., 2008 and 2009; Patalano et al., 2008; Arul et al., 2009; Fong et al., 2009]. The idea underlying the SS method is to express a (small) failure probability as a product of (larger) probabilities conditional on some intermediate events (for example, if a structure is assumed to fail when the load exceeds 300 kN, then plausible intermediate events could be represented by the load exceeding 100, 150 and 250 kN, respectively). This allows converting a rare event simulation into a sequence of simulations of more frequent events. During simulation, the conditional samples are generated by means of a Markov chain designed so

ADVANCED MONTE CARLO SIMULATION METHODS that the limiting stationary distribution is the target conditional distribution of some adaptively chosen intermediate event; by so doing, the conditional samples gradually populate the successive intermediate regions up to the target (rare) failure region [Au and Beck, 2003b]. 3.1.1 Basics of the method

For a given target failure event F of interest, let F1 ⊃ F2 ⊃ ... ⊃ Fm = F be a sequence of intermediate events, so that Fk = ∩ ik=1 Fi , k = 1, 2, …, m. By sequentially conditioning on the event Fi, the failure probability P(F) can be written as m −1

P( F ) = P( Fm ) = P( F1 )∏ P( Fi +1 | Fi ) .

(3.1)

i =1

Notice that even if P(F) is small, the conditional probabilities involved in (3.1) can be made sufficiently large by appropriately choosing m and the intermediate events {Fi, i = 1, 2, …, m – 1}. The original idea of SS is to estimate the failure probability P(F) by estimating P(F1) and {P ( Fi +1 | Fi ) : i = 1, 2, ..., m − 1}. Standard MCS can be used to estimate P(F1). On the contrary, computing the conditional probabilities in (3.1) by MCS entails the non-trivial task of sampling from the conditional distributions of x given that it lies in Fi, i = 1, 2, ..., m – 1, i.e. from q ( x | Fi ) = q ( x ) I Fi ( x ) / P( F ) . In this regard, Markov Chain Monte Carlo (MCMC) simulation provides a powerful method for generating samples conditional on the failure region Fi, i = 1, 2, ..., m – 1 [Au and Beck, 2001; Au and Beck, 2003b]. 3.1.2 The Subset Simulation algorithm

In the actual SS implementation, with no loss of generality it is assumed that the failure event of interest can be defined in terms of the value of a critical response variable Y of the system under analysis being higher than a specified threshold level y, i.e., F = {Y > y}. The sequence of intermediate events {Fi : i = 1, 2, ..., m} can then be correspondingly defined as Fi = {Y > y i }, i = 1, 2, ..., m , where 0 < y1 < y 2 < ... < y i < ... < y m = y is an increasing sequence of intermediate threshold values [Au and Beck, 2001; Au and Beck, 2003b]. The choice of the sequence

{yi :i = 1, 2, ..., m}

affects the values of the conditional

probabilities {P ( Fi +1 | Fi ) : i = 1, 2, ..., m − 1} in (3.1) and hence the efficiency of the SS procedure. In particular, choosing the sequence {y i : i = 1, 2, ..., m} a priori makes it difficult to control the values of the conditional probabilities {P ( Fi +1 | Fi ) : i = 1, 2, ..., m − 1} . For this 39

ADVANCED MONTE CARLO SIMULATION METHODS reason, in this work, the intermediate threshold values are chosen adaptively in such a way that the estimated conditional probabilities are equal to a fixed value p0 (p0 = 0.1 has been used) as in the reference papers [Au and Beck, 2001; Au and Beck, 2003b]. The SS algorithm proceeds as follows (Figure 3.1): 1. Sample N vectors

{x

k 0

: k = 1, 2, ..., N } by standard MCS, i.e., from the original

probability density function q(·). The subscript ‘0’ denotes the fact that these samples correspond to ‘Conditional Level 0’; 2. Set i = 0; 3. Compute the values of the response variable {Y ( xik ) : k = 1, 2, ..., N }; 4. Choose the intermediate threshold value yi+1 as the (1 – p0)Nth value in the increasing

{

}

list of values Y ( xik ) : k = 1, 2, ..., N (computed at step 3. above) to define Fi+1 = {Y > yi+1}. By so doing, the sample estimate of P(Fi+1|Fi) = P(Y > yi+1|Y > yi) is equal to p0 (note that it has been implicitly assumed that p0N is an integer value); 5. If yi+1 ≥ ym, proceed to 10. below; 6. Viceversa, i.e. if yi+1 < ym, with the choice of yi+1 performed at step 4. above, identify the p0N samples {xiu : u = 1, 2, ..., p0 N } among {xik : k = 1, 2, ..., N } whose response Y lies in Fi+1 = {Y > yi+1}: these samples are at ‘Conditional level i + 1’ and distributed as q(⋅ | Fi +1 ) ; 7. Starting from each one of the samples {xiu : u = 1, 2, ..., p0 N } (identified at step 6. above), use MCMC simulation to generate (1 – p0)N additional conditional samples distributed as q(⋅ | Fi +1 ) , so that there are a total of N conditional samples

{x

k i +1

}

: k = 1, 2, ..., N ∈ Fi +1 , at ‘Conditional level i + 1’;

8. Set i ← i + 1; 9. Return to step 3. above; 10. Estimate the conditional probability Pm = P(Fm|Fm-1) by Pˆm = N m / N where Nm is the

{ };

}

number of samples among Y ( xik ) : k = 1, 2, ..., N that lie in the failure region F = Fm, i.e., N m = Dim{Y ( xik ) > ym

11. Estimate the failure probability P(F) in (3.1) as Pˆ (F ) : m −1

N P(F ) = P(F1 )∏ P(Fi +1 | Fi ) ≈ Pˆ (F ) = p0m −1 ⋅ m N i =1

(3.2)

40

ADVANCED MONTE CARLO SIMULATION METHODS 12. Stop the algorithm. Notice that the total number of samples employed is NT = N + (m – 1)(1 – p0)N.

Figure 3.1. Flow diagram of the SS algorithm Notice that the procedure is such that the response values {y i : i = 1, 2, ..., m} at the specified probability levels P ( F1 ) = p 0 , P( F2 ) = p( F2 | F1 ) P( F1 ) = p 02 , …, P( Fm ) = p 0m are estimated, rather than the failure probabilities P ( F1 ) , P ( F2 | F1 ) , …, P ( Fm | Fm −1 ) , which are a priori fixed at p0. In this view, SS is a method for generating samples whose response values correspond to specified probability levels, rather than for estimating probabilities of specified failure events. As a result, it produces information about P(Y > y ) versus y at all the simulated values of Y rather than at a single value of y. This feature is important because the 41

ADVANCED MONTE CARLO SIMULATION METHODS whole trend of P(Y > y ) versus y obviously provides much more information than a point estimate [Au, 2005]. It can be demonstrated that the number of samples NT required to obtain a given accuracy (i.e., variance) for the estimator of the failure probability P(F) is roughly N T ∝ log P(F ) , r

where r ≤ 3. Compared to Standard MCS, where N T ∝ 1 / P (F ) , this implies a substantial improvement in efficiency when estimating small failure probabilities. For example, it can be shown that the number of samples required by Standard MCS for estimating a target failure probability of P(F) = 10-6 with a given accuracy is 1030 times larger than that required by SS to obtain the same accuracy [Au and Beck, 2001; Au and Beck, 2003b]. The demonstration of this property is not given here for brevity sake; the interested reader may refer to [Au and Beck, 2001; Au and Beck, 2003b] for the mathematical details and to [Ching et al., 2005; Katafygiotis and Cheung, 2005; Au, 2007; Au et al., 2007; Katafygiotis and Cheung, 2007; Pradlwarter et al., 2007] for illustrative applications to high-dimensional (i.e., n ≥ 100) structural reliability problems. In this thesis, the SS method is applied on a case study involving the natural convection cooling in a Gas-cooled Fast Reactor (GFR) after a Loss of Coolant Accident (LOCA) [Pagani et al., 2005]. The benefits gained by the use of SS are demonstrated by comparison with respect to standard MCS: the reader is referred to Paper I of Part II [Zio and Pedroni, 2009c] for details. Moreover, the SS scheme is applied to two structural reliability models of literature, i.e., the cracked plate model [Ardillon and Venturini, 1995] and the Paris-Erdogan thermal fatigue crack growth model [Paris, 1961]. The benefits gained by the use of SS are demonstrated by comparison with respect to the Importance Sampling (IS), Dimensionality Reduction (DR) and Orthogonal Axis (OA) methods [Gille, 1998 and 1999]: the reader is referred to Paper III of Part II [Zio and Pedroni, 2009e] for details. However, a summary of the main results obtained in these applications is given in Section 3.4 (namely, 3.4 Methodological and applicative contributions of the thesis work).

3.2 Line Sampling Line Sampling is a probabilistic simulation method for efficiently computing small failure probabilities. It was originally developed for the reliability analysis of complex structural systems [Koutsourelakis et al., 2004]. The underlying idea is to employ lines instead of 42

ADVANCED MONTE CARLO SIMULATION METHODS random points in order to probe the failure domain of the high-dimensional system under analysis [Pradlwarter et al., 2005]. In extreme synthesis, the problem of computing the multidimensional failure probability integral (2.5) in the original “physical” space is transformed into the so-called “standard normal space”, where each random variable is represented by an independent central unit Gaussian distribution. In this space, a unit vector α (hereafter also called “important unit vector” or “important direction”) is determined, pointing towards the failure domain F of interest (for illustration purposes, two plausible important unit vectors, α1 and α2, pointing towards two different failure domains, F1 and F2, are visually represented in Figure 3.2, left and right, respectively, in a two-dimensional uncertain parameter space). The problem of computing the high-dimensional failure probability integral (2.5) is then reduced to a number of conditional one-dimensional problems, which are solved along the “important direction” α in the standard normal space. The conditional one-dimensional failure probabilities (associated to the conditional one-dimensional problems) are readily computed by using the standard normal cumulative distribution function [Pradlwarter et al., 2005].

Figure 3.2. Examples of possible important unit vectors α1 (left) and α2 (right) pointing towards the corresponding failure domains F1 (left) and F2 (right) in a two-dimensional uncertain parameter space 3.2.1 Basics of the method

Two basic steps are required to implement the LS method: i) the transformation of the physical space into the standard normal space and ii) the identification of the important direction α.

43

ADVANCED MONTE CARLO SIMULATION METHODS Concerning the basic step i) (i.e., the transformation of the physical space into the standard normal space), let x = {x1 , x2 , ..., x j , ..., xn }∈ ℜ n be the vector of uncertain parameters defined in the original physical space x ∈ ℜ n . The parameter vector x can be transformed into the vector θ ∈ ℜ n , where each element of the vector θj, j = 1, 2, …, n, is associated with a central unit Gaussian standard distribution [Schueller et al., 2004]. The joint probability density function of the random parameters {θ j : j = 1, 2, ..., n} is, then:

ϕ (θ ) = ∏ φ j (θ j ) n

(3.3)

j =1

(

where φ j (θ j ) = 1

)

2π e

− x 2j 2

, j = 1, 2, ..., n.

The mapping from the original, physical vector of random variables x ∈ ℜ n to the standard normal vector θ ∈ ℜ n is denoted by Txθ (⋅) and its inverse by Tθx (⋅) , i.e.:

θ = Txθ ( x )

(3.4)

x = Tθx (θ )

(3.5)

Transformations (3.4) and (3.5) are in general nonlinear and are obtained by applying Rosenblatt’s or Nataf’s transformations, respectively [Rosenblatt, 1952; Nataf, 1962; Huang and Du, 2006]. By transformation (3.4), also the performance function g x (⋅) defined in the physical space can be transformed into g θ (⋅) in the standard normal space: gθ (θ ) = g x ( x ) = g x (Tθx (θ ))

(3.6)

Since in most cases of practical interest the function gθ (θ ) is not known analytically, it can be evaluated only point-wise. According to (3.6), the evaluation of the system performance function gθ (⋅) at a given point θ k , k = 1, 2, ..., NT, in the standard normal space requires i) a transformation into the original space, ii) a complete simulation of the system response and iii) the computation of the system response from the model. The computational cost of evaluating the failure probability is governed by the number of system performance analyses that have to be carried out [Schueller et al., 2004]. Concerning the basic step ii) (i.e., the identification of the “important direction” α), as previously stated, it allows “decomposing” the high-dimensional failure probability integral (2.5) into a number of conditional one-dimensional integrals, which are solved along the “important direction” α itself: this is found to significantly reduce the variance of the associated failure probability estimator [Koutsourelakis et al., 2004]. No further details are 44

ADVANCED MONTE CARLO SIMULATION METHODS given here for brevity: since this issue is subject of thorough investigations within this thesis work, Section 3.3.1 is entirely dedicated to it. 3.2.2 The Line Sampling algorithm

The LS algorithm proceeds as follows [Pradlwarter et al., 2005]:

1. Determine the unit important direction α = {α1 , α 2 , ..., α j , ..., α n }. Any of the methods summarized in Section 3.3.1 can be employed to this purpose. Notice that the computation of α implies additional system analyses, which substantially increase the computational cost associated to the simulation method (Section 3.3.1). 2. From

the

original

q(⋅) : ℜ n → [0, ∞) ,

{

multidimensional sample

NT

joint vectors

probability

{x

k

density

: k = 1, 2, ..., N T },

function with

}

x k = x1k , x2k , ..., x kj , ..., xnk by standard MCS.

3. Transform the NT sample vectors {x k : k = 1, 2, ..., N T } defined in the original (i.e., physical) space of possibly dependent, non-normal random variables (step 2. above) into NT samples {θ k : k = 1, 2, ..., N T } defined in the standard normal space where each component of the vector θ k = {θ1k , θ 2k , ..., θ jk , ..., θ nk }, k = 1, 2, ..., NT, is associated with an independent central unit Gaussian standard distribution; also the PF g x (⋅) defined in the physical space have to be transformed into g θ (⋅) in the standard normal space (Section 3.2.1). 4. Estimate

{Pˆ (F )

1D , k

{θ

k

NT

conditional

}

“one-dimensional”

failure

probabilities

: k = 1, 2, ..., N T , corresponding to each one of the standard normal samples

: k = 1, 2, ..., N T } obtained in step 3. above. In particular, for each random sample

θ k , k = 1, 2, …, NT, perform the following steps (Figure 3.3) [Schueller et al., 2004; Pradlwarter et al., 2005; Pradlwarter et al., 2007]: a. Project the random sample vector θ k , k = 1, 2, …, NT, onto the straight line passing through the origin O of the standard normal space and perpendicular to

α, in order to obtain the vector θ k ,⊥ (Figure 3.3, top, left): θ k ,⊥ = θ k − α, θ k α , k = 1, 2, ..., NT

(3.7)

In (3.7), θ k , k = 1, 2, ..., NT, denotes a random realization of the input variables in the standard normal space of dimension n and α, θ k

is the scalar product 45

ADVANCED MONTE CARLO SIMULATION METHODS between α and θ k , k = 1, 2, ..., NT. Finally, it is worth noting that since the standard Gaussian space is isotropic, the vector θ k ,⊥ is also standard normally distributed [Pradlwarter et al., 2007]. ~ b. Define the sample vector θ k , k = 1, 2, ..., NT, as the sum of a deterministic multiple of α and the vector θ k ,⊥ in (3.7), i.e.: ~ θ k = c k α + θ k ,⊥ , k = 1, 2, ..., NT

(3.8)

where ck is a real number in [-∞, +∞]. Again, it is worth noting that since the standard Gaussian space is isotropic, the scalar ck is also standard normally distributed [Pradlwarter et al., 2007]. c. Moving along the straight line passing through θ k and parallel to α, select two or three different values cik for ck (e.g., c1k , c2k and c3k in Figure 3.3, top, right) ~ and calculate the corresponding sample points θik according to (3.8) (e.g.,

~ ~ ~ θ1k = c1k α + θ k ,⊥ , θ2k = c2k α + θ k ,⊥ and θ3k = c3k α + θ k ,⊥ in Figure 3.3, top, right). d. Evaluate the performance function g θ (⋅) in correspondence of the sample ~ ~ ~ points θik calculated at step 3.c. above (e.g., θ1k = c1k α + θ k ,⊥ , θ2k = c2k α + θ k ,⊥

( )

~ ~ and θ3k = c3k α + θ k ,⊥ in Figure 3.3, middle, left) obtaining the values gθ θik

( )

( )

( )

~ ~ ~ (e.g., gθ θ1k , gθ θ2k and gθ θ3k in Figure 3.3, middle, left). Hence, for each

standard normal random sample θ k , k = 1, 2, …, NT, two or three system performance evaluations by the T-H model are required. ~ ~ ~ e. Fit the points cik , gθ θik (e.g., c1k , gθ θ1k , c2k , gθ θ2k

[

( )]

[

( )] [

( )] and [c , g (θ~ )] in k 3

θ

k 3

Figure 3.3, middle, right) by means of a first or second order polynomial and determine its root c k . The value c k represents the intersection between the limit state function gθ (θ ) = 0 and the straight line passing through θ k and parallel to α (e.g., see Figure 3.3, top, right). Also, notice that c k measures the distance between the limit state function gθ (θ ) = 0 and the straight line

perpendicular to α and passing through the origin O of the standard normal space. As a final remark, a word of caution is in order with respect to the effectiveness of the above described fitting procedure (Figure 3.3, middle, right) when the performance function gθ(θ) under consideration is heavily nonmonotonic (e.g., when it presents oscillations). In such a case, if the values cik 46

ADVANCED MONTE CARLO SIMULATION METHODS for ck (step 3.c. above) are chosen too close to each other (e.g., c1k = 3, c 2k = 3.2 and c3k = 3.5), the linear or quadratic interpolating polynomial may capture only the “local behaviour” of the performance function gθ(θ) and lead to erroneous estimates for c k . Thus, in general well spaced values cik for ck (e.g., c1k = 2, c 2k = 4 and c3k = 6) should be chosen by the analyst in order to avoid

this pitfall and capture the “global trend” of the performance function gθ(θ). f. Calculate the conditional one-dimensional failure probability estimate 1D , k Pˆ (F ) , k = 1, 2, …, NT, associated to each random sample θ k , k = 1, 2, …,

NT, as

[

]

[

]

( )

(

1D , k Pˆ (F ) = P N (0,1) > c k = 1 − P N (0,1) ≤ c k = 1 − Φ c k = Φ − c k

)

(3.9)

where Φ (⋅) denotes the standard normal cumulative distribution function (shaded area in Figure 3.3, bottom). N 5. Compute the unbiased estimator Pˆ (F ) T for the failure probability P (F ) as the

sample average of the independent conditional “one-dimensional” failure probability

{

}

1D , k estimates Pˆ (F ) : k = 1, 2, ..., N T in (3.9) (step 4.f. above):

1 N Pˆ (F ) T = NT

NT

∑ Pˆ (F )

1D , k

(3.10)

k =1

The variance of the estimator (3.10) can be then written as

(

)

σ 2 Pˆ (F )N = T

(

1 2 ˆ 1D σ P (F ) NT

)

(3.11)

where

(

)

σ 2 Pˆ (F )1D =

(

NT 1 1D , k N Pˆ (F ) − Pˆ (F ) T ∑ (NT − 1) k =1

)

2

(3.12)

represents the sample variance of the independent conditional “one-dimensional”

{

}

1D , k failure probability estimates Pˆ (F ) : k = 1, 2, ..., N T in (3.9) (step 4.f. above).

Substituting (3.12) into (3.11), an explicit expression for the variance of the estimator (3.10) can be obtained as

(

)

σ 2 Pˆ (F )N = T

(

NT 1 1D , k N Pˆ (F ) − Pˆ (F ) T ∑ N T ( N T − 1) k =1

). 2

(3.13)

Notice that the variance (3.13) of the estimator (3.10) decays as O(1 N T ) (as in all Monte Carlo-type estimators). 47

ADVANCED MONTE CARLO SIMULATION METHODS

Figure 3.3. The Line Sampling procedure [Pradlwarter et al., 2005]. Top, left: projection of the sample vector θ k onto the straight line passing through the origin O and perpendicular to

α in order to obtain θ k ,⊥ (step 4.a.); top, right: selection of three values for ck, e.g. c1k, c2k ~ ~ and c3k, and calculation of the corresponding sample points θ1k = c1k α + θ k ,⊥ , θ2k = c2k α + θ k ,⊥ ~ and θ3k = c3k α + θ k ,⊥ (step 4.c.); middle, left: evaluation of the performance function gθ(·) in

( ) ( ) ~ ~ ~ g (θ ) (step 4.d.); middle, right: interpolation of the points [c , g (θ )] , [c , g (θ )] and

~ ~ ~ ~ ~ correspondence of the sample points θ1k , θ2k and θ3k in order to obtain gθ θ1k , gθ θ2k and θ

k 3

k 1

θ

k 1

k 2

θ

k 2

48

ADVANCED MONTE CARLO SIMULATION METHODS

[c , g (θ~ )] by means of a second order polynomial and determination of its root c k 3

θ

k 3

k

(step

1D , k 4.e.); bottom: calculation of the kth conditional one-dimensional failure probability Pˆ (F )

(

)

as Φ − c k (shaded area) (step 4.f.) N With the described approach the variance of the estimator Pˆ (F ) T of the failure probability

P (F ) is considerably reduced. In general, a relatively low number NT of simulations has to be

carried out to obtain a sufficiently accurate estimate. A single evaluation would suffice for the ideal case in which the limit state function is linear and a Line Sampling direction α perpendicular to it has been identified [Koutsourelakis et al., 2004]. This concept is pictorially represented in Figure 3.4, left. The limit state function gθ(θ) = 0 is a straight line and the Line Sampling important vector α is perpendicular to it: as a consequence, all the values c k , k = 1, 2, ..., NT, corresponding to the sample vectors θ k , k = 1, 2, ..., NT, are equal one to another, i.e., c 1 = c 2 = ... = c k = ... = c NT (step 4.e. above). Since the one-dimensional conditional 1D , k failure probabilities Pˆ (F ) , k = 1, 2, ..., NT, associated to the sample points θ k , k = 1, 2, ...,

NT, are computed as

(

1D , k Pˆ (F ) = Φ − c k

)

(step 4.f. above), then in this case

1D ,1 1D , 2 1D , k 1D , N Pˆ (F ) = Pˆ (F ) = ... = Pˆ (F ) = ... = Pˆ (F ) T . As a consequence, the variance (3.13) of

the failure probability estimator (3.10) turns out to be ideally equal to 0 [Koutsourelakis et al., 2004]. However, it is worth noting that the analyst could not be able to identify the “optimal” Line Sampling direction α (i.e., the one perpendicular to the limit state function gθ(θ) = 0): in this case the failure probability estimator (3.10) would still be unbiased, but its variance (3.13) would obviously increase (i.e., in this case it would be larger than 0) (Figure 3.4, right).

49

ADVANCED MONTE CARLO SIMULATION METHODS

Figure 3.4. Line Sampling failure probability estimation when the limit state function gθ(θ) = N 0 is linear: the variance of the failure probability estimator Pˆ (F ) T is 0 when α is “optimal”

N (i.e., perpendicular to the limit state function gθ(θ) = 0 (left); the variance of Pˆ (F ) T is larger

than 0 when α is not perpendicular to the limit state function gθ(θ) = 0 (right)

In this thesis, the LS method is applied on a case study involving the natural convection cooling in a Gas-cooled Fast Reactor (GFR) after a Loss of Coolant Accident (LOCA) [Pagani et al., 2005]. The benefits gained by the use of LS are demonstrated by comparison with respect to Latin Hypercube Sampling (LHS): the reader is referred to Paper II of Part II [Zio and Pedroni, 2009d] for details. Moreover, the LS scheme is applied to two structural reliability models of literature, i.e., the cracked plate model [Ardillon and Venturini, 1995] and the Paris-Erdogan thermal fatigue crack growth model [Paris, 1961]. The benefits gained by the use of LS are demonstrated by comparison with respect to the Importance Sampling (IS), Dimensionality Reduction (DR) and Orthogonal Axis (OA) methods [Gille, 1998 and 1999]: the reader is referred to Paper III of Part II [Zio and Pedroni, 2009e] for details. However, a summary of the main results obtained in these applications is given in Section 3.4 (namely, 3.4 Methodological and applicative contributions of the thesis work).

3.3 Optimization of the Line Sampling method As previously stated in the Introduction, two main issues of the LS method are still under study for its practical application in reliability and risk analysis: 1. LS relies on the determination of the important direction, which requires additional runs of the T-H model, with an increase of the computational cost. 50

ADVANCED MONTE CARLO SIMULATION METHODS 2. LS has been shown to significantly reduce the variance of the failure probability estimator, but this must be achieved with a small number of samples (and, thus, of TH model evaluations; say, few tens or hundreds depending on the application), for practical cases in which the computer codes require several hours to run a single simulation [Fong et al., 2009]. The present thesis addresses the first issue above by (Section 3.3.1): •

comparing the efficiency of a number of methods proposed in the literature to identify the important direction [Koutsourelakis et al., 2004; Schueller et al., 2004; Pradlwarter et al., 2005; Valdebenito et al., 2009] (Section 3.3.1.1);

•

employing Artificial Neural Network (ANN) regression models [Bishop, 1995] as fast-running surrogates of the long-running T-H code, to reduce the computational cost associated to the identification of the LS important direction (Section 3.3.1.1);

•

proposing a new technique to determine the LS important direction, based on the minimization of the variance of the LS failure probability estimator; algorithms based

on Sequential Quadratic Programming (SQP) [Boggs and Tolle, 1996] and Genetic Algorithms (GAs) [Konak et al., 2006; Marseguerra et al., 2006] are used as minimization tools in the proposed technique (Section 3.3.1.2). With respect to the second issue above, this thesis aims at (Section 3.3.2): •

assessing the performance of the LS method in the estimation of small failure probabilities (e.g., of the order of 10-4) with a very small number of samples drawn (e.g., of the order of 5–50).

These issues are investigated within two case studies included in Paper IV of Part II [Zio and Pedroni, 2009a]: the first one deals with the estimation of the failure probability of a nonlinear structural system subject to creep and fatigue damages [Mao and Mahadevan, 2000; Lu et al., 2008]; the second one concerns the above mentioned passive decay heat removal system of a Gas-cooled Fast Reactor (GFR) [Pagani et al. 2005]. 3.3.1 Identification of the Line Sampling important direction

In what follows, the methods used in this thesis to determine the LS important direction α are presented in detail: in Section 3.3.1.1, the techniques proposed in the literature are critically reviewed; in Section 3.3.1.2, a new method based on the minimization of the variance of the LS failure probability estimator is proposed.

51

ADVANCED MONTE CARLO SIMULATION METHODS

3.3.1.1 Literature methods 3.3.1.1.1

Center of mass of the failure domain

The important unit vector α can be computed as the normalized “center of mass” of the failure domain F of interest [Koutsourelakis et al., 2004]. A point θ 0 is taken in the failure domain F: this can be done by engineering judgment when possible. Subsequently, θ 0 is used as the

initial point of a Markov chain which lies entirely in the failure domain F. For that purpose, a Metropolis-Hastings algorithm is employed to generate a sequence of Ns points

{θ

u

: u = 1, 2, ..., N s } lying in the failure domain F [Metropolis et al., 1956]. The unit vectors

θ u θ u , u = 1, 2, …, Ns, are then averaged in order to obtain the LS important unit vector as 2

α=

1 Ns u u ⋅∑θ θ N s u =1

2

(Figure 3.5, top, left). This direction provides a good “map” of the

important regions of the failure domain (at least as the sample size Ns is large); on the other hand, the procedure implies Ns additional system analyses by the T-H model, which may substantially increase the computational cost associated to the simulation method. 3.3.1.1.2

Design point

A plausible selection of α could be the direction of the “design point” in the standard normal space [Schueller et al., 2004; Valdebenito et al., 2009]. According to a geometrical interpretation, the “design point” is defined as the point θ * on the limit state surface gθ ( θ ) = 0 in the standard normal space, which is closest to the origin (Figure 3.5, top, right).

It can be computed by solving the following constrained nonlinear minimization problem: Find θ * : θ *

2

= min

gθ ( θ ) = 0

{θ } 2

(3.14)

where ⋅ 2 denotes the usual Euclidean measure of a vector. Then, the unit important vector α can be easily obtained by normalizing θ * , i.e., α = θ * θ * . 2

3.3.1.1.3

Gradient of the performance function

In [Pradlwarter et al., 2005], the direction of α is taken as the normalized gradient of the PF gθ ( ⋅) in the standard normal space. Since the unit vector α points towards the failure domain

F, it can be used to draw information about the relative importance of the uncertain

parameters {θ j : j = 1, 2, ..., n} with respect to the failure probability P(F): the more relevant an uncertain variable is in determining the failure of the system, the larger the corresponding component of the unit vector α will be [Pradlwarter et al., 2005]. Such quantitative 52

ADVANCED MONTE CARLO SIMULATION METHODS information is obtained from the gradient of the performance function gθ (θ ) in the standard normal space, ∇gθ (θ ) : ⎡ ∂g (θ ) ∂gθ (θ ) ∂gθ (θ ) ∂gθ (θ ) ⎤ ∇gθ (θ ) = ⎢ θ ... ... ⎥ ∂θ 2 ∂θ j ∂θ n ⎦⎥ ⎣⎢ ∂θ1

T

(3.15)

The gradient (3.15) measures the relative importance of a particular uncertain variable with respect to the failure probability P(F): the larger the (absolute) value of a component of (3.15), the greater the “impact” of the corresponding uncertain variable on the performance function gθ (θ ) in the standard normal space. Thus, it is reasonable to identify the LS important direction with the direction of the gradient (3.15) and compute the corresponding unit vector α as the normalized gradient of the performance function gθ (⋅) in the standard normal space, i.e. α = ∇gθ (θ ) ∇gθ (θ ) 2 [Pradlwarter et al., 2005]. For clarity sake, Figure 3.5 bottom shows this procedure with reference to a two-dimensional problem: the important unit vector α = {α1, α2} associated to the two-dimensional

{

performance function gθ (θ1 ,θ 2 ) is computed at a proper (selected) point θ 0 = θ10 ,θ 20

} T (e.g.,

the nominal point of the system under analysis). Notice that since component

α1 =

∂gθ ( θ ) ∂θ1 θ 0

∇gθ ( θ ) θ 0

2

α2 =

∂gθ ( θ ) ∂θ 2 θ 0

∇gθ ( θ ) θ 0

2

(Figure 3.5 bottom, left) is significantly larger than component

(Figure 3.5 bottom, right), uncertain variable θ1 will be far

more important than θ2 in leading the system to failure. Finally, notice that as the PF gθ (θ ) is known only implicitly through the response of a numerical code, for a given vector θ = {θ1 , θ 2 , ...,θ j , ...,θ n } at least n system performance T

analyses are required to determine accurately the gradient (3.15) at a given point of the PF gθ (⋅) , e.g., by numerical differentiation [Ahammed and Melchers, 2006; Fu, 2006].

53

ADVANCED MONTE CARLO SIMULATION METHODS

Figure 3.5. Methods for estimating the Line Sampling important unit vector α. Top, left: normalized “center of mass” of the failure domain F in the standard normal space [Koutsourelakis et al., 2004]; top, right: direction of the design point of the problem in the standard normal space [Schueller et al., 2004; Valdebenito et al., 2009]; bottom, left and right: normalized gradient of the PF gθ(·) evaluated at a selected point θ0 (e.g., the nominal point) in the standard normal space [Pradlwarter et al., 2005]

All the techniques presented require additional runs of the T-H model code, with increase of the overall computational cost associated to the LS method. To improve on this issue, the substitution of the long-running T-H model code by a fast-running surrogate regression model is here investigated. The regression model is constructed on the basis of a limited-size set of data representing examples of the input/output nonlinear relationships underlying the original T-H code. Once built, the model can be used for performing, in an acceptable computational 54

ADVANCED MONTE CARLO SIMULATION METHODS time, the evaluations of the system PF gθ(·) needed for an accurate estimation of the LS important direction α. In this thesis, an Artificial Neural Network (ANN) regression model is considered [Bishop, 1995; Rumelhart et al., 1986]. Thorough details about ANN regression models are not reported here for brevity: the interested reader may refer to the cited references, to the copious literature in the field and to Chapter 4 of this thesis (which is entirely dedicated to the problem of empirical regression modeling). In order to improve the accuracy in the ANN approximation of the system PF gθ(·) (needed for an accurate estimation of the LS important direction α), the employed ANN models are constructed by means of a properly devised sequential, two-step algorithm. In extreme synthesis, a first-step ANN regression model is built using a set of input/output data examples. The resulting ANN model is used (instead of the original, long-running system model code) to provide an approximation to the design point of the problem (Section 3.3.1.1.2): this is meant to provide an approximate, rough indication of the real location of the failure domain F of interest. Subsequently, a new data set is randomly generated centred on the approximate design point previously identified: a second-step (i.e., definitive) ANN model is then constructed on this newly generated data set. This should result in an ANN regression model which is more accurate in proximity of the failure domain F of interest, thus providing reliable estimates of the system PF gθ(·) for the identification of the LS important direction α. 3.3.1.2 Minimization of the variance of the Line Sampling failure probability estimator

The optimal important direction α opt for Line Sampling can be defined as the one minimizing

[

]

N N the variance σ 2 Pˆ (F ) T of the LS failure probability estimator Pˆ (F ) T . Notice that α opt can

be expressed as the normalized version of a proper vector θ opt in the standard normal space, i.e., α opt = θ opt θ opt . Thus, in order to search for a physically meaningful important unit 2

vector α opt (i.e., a vector that optimally points towards the failure domain F of interest), θ opt

( )

should belong to the failure domain F of interest, i.e. θ opt ∈ F or, equivalently, gθ θ opt > 0 . In mathematical terms, the optimal LS important direction α opt is obtained by solving the following nonlinear constrained minimization problem:

[

]

{ [

N N Find α opt = θ opt θ opt : σ 2 Pˆ (F ) T = min σ 2 Pˆ (F ) T 2

subject to θ ∈ F (i.e., gθ (θ ) > 0 ).

α =θ θ

]}

2

(3.16)

The conceptual steps of the procedure for solving (3.16) are (Figure 3.6): 55

ADVANCED MONTE CARLO SIMULATION METHODS 1. An optimization algorithm proposes a candidate solution α = θ θ

2

to (3.16) (see

Section 3.3.1.2.1).

[

N N 2. The LS failure probability estimator Pˆ (F ) T and the associated variance σ 2 Pˆ (F ) T

are calculated using the unit vector α = θ θ

2

]

proposed as important direction in step

1. above; notice that 2·NT or 3·NT system performance analyses (i.e., runs of the system model code) have to be carried out in this phase (see steps 4.c. and 4.d. in Section 3.2.2).

[

N 3. The variance σ 2 Pˆ (F ) T

] obtained in step 2. above is the objective function to be

minimized; it measures the quality of the candidate solution α = θ θ

proposed by

2

the optimization algorithm in step 1. above. 4. The feasibility of the proposed solution α = θ θ

2

is checked by evaluating the

system PF gθ(·) (i.e., by running the system model code) in correspondence of θ: if the proposed solution α = θ θ

2

is not feasible (i.e., if θ ∉ F

or, equivalently,

gθ (θ ) ≤ 0 ), it is penalized by increasing the value of the corresponding objective

[

]

N function σ 2 Pˆ (F ) T through an additive factor [Boggs and Tolle, 1996; Konak et al.,

2006; Marseguerra et al., 2006]. 5. Steps 1. − 4. are repeated until a predefined stopping criterion is met and the optimization algorithm identifies the optimal unit vector α opt = θ opt θ opt . 2

Notice that i) the optimization search requires the iterative evaluation of hundreds or thousands of possible solutions α = θ θ

2

to (3.16) and ii) 2·NT or 3·NT system performance

analyses (i.e., runs of the system model code) have to be carried out to calculate the objective

[

]

N function σ 2 Pˆ (F ) T for each proposed solution; as a consequence, the computational effort

associated to this technique would be absolutely prohibitive with a system model code requiring hours or even minutes to run a single simulation. Hence, it is unavoidable, for practical applicability, to resort to a regression model (ANN-based, in this thesis work) as a fast-running approximator of the original system model for performing the calculations in steps 2. and 4. above, to make the computational cost acceptable. Two different optimization algorithms have been employed as minimization tools in step 1. of the proposed technique: in particular, algorithms based on Sequential Quadratic Programming 56

ADVANCED MONTE CARLO SIMULATION METHODS (SQP) [Boggs and Tolle, 1996] and Genetic Algorithms (GAs) [Konak et al., 2006; Marseguerra et al., 2006] are considered. In the following Section 3.3.1.2.1, a brief description of both optimization algorithms is given for completeness of the thesis.

Figure 3.6. Proposed method for estimating the LS important direction α: minimization of the

[

]

N N variance σ 2 Pˆ (F ) T of the LS failure probability estimator Pˆ (F ) T

3.3.1.2.1

Optimization algorithms employed

In extreme synthesis, in Sequential Quadratic Programming (SQP) algorithms [Boggs and Tolle, 1996] the optimization problem (3.16) is transformed into a simpler subproblem that is solved iteratively. At each iteration s of the algorithm, the original problem (3.16) is modeled around a given candidate solution, say θ s , by a quadratic subproblem, i.e., a problem constituted by a local quadratic approximation of the original objective function (i.e.,

[

]

σ 2 Pˆ (F )N ) and by a local linear approximation of the original inequality constraint (i.e., T

gθ (θ ) > 0 ): the major reason for using a quadratic subproblem is that such problems are

relatively easy to solve and yet, in their objective function, can reflect the nonlinearities of the original problem. Then, the solution to this quadratic subproblem is used to obtain a better approximation θ s +1 to the optimal solution θ * . This process is iterated to produce a sequence of approximations that will hopefully converge to the optimal solution θ * . 57

ADVANCED MONTE CARLO SIMULATION METHODS

Genetic Algorithms (GAs) are optimization methods aiming at finding the global optimum of one (or more) real objective function(s) of one or more decision variables, possibly subject to various linear or non linear constraints. Their main properties are that the search is conducted i) using a population of multiple solution points or candidates, ii) using operations inspired by the evolution of species, such as breeding and genetic mutation, iii) using probabilistic operations, iv) using only information on the objective function and not on its derivatives. GAs owe their name to their operational similarities with the biological and behavioral phenomena of living beings. After the pioneering theoretical work by John Holland [Holland, 1975], in the last decade a flourishing literature has been devoted to their application to real problems. The basics of the method may be found in Goldberg [Goldberg, 1989]; some applications in various contexts are included in Chambers [Chambers, 1995]. GAs differ from most optimization techniques because of their global searching performed by manipulating one population of solutions rather than one single solution. Every proposal of solution is represented by the vector θ = {θ1 , θ 2 , ...,θ j , ...,θ n } of the independent decision variables (control parameters), which is coded in a so-called chromosome, constituted by socalled genes, each one coding one component θj, j = 1, 2, …, n, of θ ; a binary coding is widely used. The GA search starts with the creation of a random initial population of chromosomes, i.e. potential solutions to the problem. Then, these individuals are evaluated in terms of their socalled fitnesses, i.e. of their corresponding objective function values (in the minimization

[

N problem (3.16), the fitness of a candidate solution is the variance σ 2 Pˆ (F ) T

] of the LS

failure probability estimator, which has to be minimized). This initial population is allowed to evolve in successive generations through the following steps: 1. selection of a pair of individuals as parents; 2. crossover of the parents, with generation of two children; 3. replacement in the population, so as to maintain the population number constant; 4. genetic mutation. Every time a new solution θ is proposed by the GA, the objective function is evaluated and a ranking of the individuals in the current population is dynamically updated, based on their fitness values. This ranking is used in the selection procedure which is performed in such a way that in the long run the best individuals will have a greater probability to be selected as 58

ADVANCED MONTE CARLO SIMULATION METHODS parents, in resemblance to the natural principles of the “survival of the fittest”. Similarly, the ranking is used in the replacement procedures to decide who, among the parents and the daughters, should survive in the next population. For example, in the present minimization

[

]

N problem (3.16), individuals with lower fitness values (i.e., lower σ 2 Pˆ (F ) T ) will be

assigned a higher rank (i.e., a higher importance and, consequently, a higher “probability to survive”) in the population of possible solutions [Marseguerra et al., 2006]. With regards to their performance, it is acknowledged that GAs take a more global view of the search space than many other optimization methods. The main advantages are i) fast convergence to near global optimum, ii) superior global searching capability in complicated search spaces and iii) applicability even when gradient information is not readily achievable [Marseguerra et al., 2006]. A thorough descriptions of the GA computational flow is not reported here for brevity sake: for further details, the interested reader may refer to the cited references and the copious literature in the field3. Finally, for clarity sake the characteristics of all the methods described in Sections 3.3.1.1 and 3.3.1.2 (i.e., those employed in this thesis to determine the LS important direction α) are summarized in Table 3.1, with the specification of the computational tools employed for their implementation. In this thesis, a quantitative comparison of all these methods is carried out within two case studies: the first one deals with the estimation of the failure probability of a nonlinear structural system subject to creep and fatigue damages [Mao and Mahadevan, 2000; Lu et al., 2008]; the second one concerns the above mentioned passive decay heat removal system of a Gas-cooled Fast Reactor (GFR) [Pagani et al. 2005]; the reader is referred to Paper IV of Part II [Zio and Pedroni, 2009a] for details. However, a summary of the main results obtained in these applications is given in Section 3.4 (namely, 3.4 Methodological and applicative contributions of the thesis work).

3

Since in this work GAs are found to perform significantly better than SQP algorithms, for brevity sake only the results obtained by means of GAs are reported in the applications included in Paper IV of Part II [Zio and Pedroni, 2009a].

59

ADVANCED MONTE CARLO SIMULATION METHODS

Methods of literature Concept “Center of mass” of F (Section 3.3.1.1.1) Design point (Section 3.3.1.1.2) Gradient (Section 3.3.1.1.3)

Evaluations to be performed

Computational tools adopted

- Evaluation of the performance function gθ(θ) during MCMC to verify if θ belongs to the failure domain F, i.e., if gθ(θ) > 0 - Minimization of the distance ||θ||2 in (3.14)

Original system model code ANN SQP/GA

- Evaluation of the performance function gθ(θ) to verify if θ is a feasible solution to (3.14), i.e., if θ belongs to the failure surface gθ(θ) = 0

Original system model code

- Evaluation of the performance function gθ(θ) to estimate the gradient ∇g θ (θ ) (3.15) by numerical differentiation

Original system model code

ANN ANN

Method proposed in this thesis work Concept

Evaluations to be performed

[

N - Minimization of the variance σ 2 Pˆ (F )

[

N - Calculation of the variance σ 2 Pˆ (F )

Variance minimization (Section 3.3.1.2)

T

T

Computational tools adopted

] of the LS failure probability estimator Pˆ (F )

] of the LS failure probability estimator Pˆ (F )

NT

NT

SQP/GA LS algorithm

- Evaluation of the performance function gθ(θ) for the estimation of the failure probability N N Pˆ (F ) and its variance σ 2 Pˆ (F ) during the LS simulation

ANN

- Evaluation of the performance function gθ(θ) to verify if θ is a feasible solution to (3.16), i.e., if θ belongs to the failure domain F (where gθ(θ) > 0)

ANN

T

[

T

]

Table 3.1. Summary of the methods employed in this thesis work for estimating the LS important direction α

60

ADVANCED MONTE CARLO SIMULATION METHODS

3.3.2 Optimized Line Sampling method with very small sample sizes

As previously stated in Section 3.3, the objective of the study presented in this Section is N verifying the possibility of obtaining accurate and precise estimates Pˆ (F ) T of small failure

probabilities P(F) (e.g., of the order of 10-4) by means of the optimized LS method described in Section 3.3.1.2, even reducing the number of system model evaluations to below one hundred, which may be mandatory in practical applications of computer codes requiring several hours to run a single simulation. Thus, in the present analysis the system performance function gθ(·) is evaluated by means of the original system model code; however, the number NT of samples drawn for the estimation of the system failure probability is very small: indeed,

sample sizes NT ranging from 5 to 50 are employed (more precisely, NT = 5, 10, 20, 30, 40 and 50). In addition, the benefits coming from the use of an optimized Line Sampling method with very small sample sizes NT is shown by means of a comparison between the following simulation methods: i)

optimized Line Sampling (LS) (Sections 3.2 and 3.3.1.2);

ii)

an original combination of optimized Line Sampling (LS) and Latin Hypercube Sampling (LHS) (hereafter referred to as LS + LHS);

iii)

standard Importance Sampling (IS) [Au and Beck, 2003a];

iv)

a combination of standard Importance Sampling (IS) and Latin Hypercube Sampling (LHS) (hereafter referred to as IS + LHS) [Olsson et al., 2003].

Thorough descriptions of methods ii) – iv) above (i.e., LS + LHS, IS and IS + LHS) are not reported here for brevity: the interested reader may refer to the cited references for details. In this thesis, the quantitative comparison between methods i)-iv) is carried out within two case studies: the first one deals with the estimation of the failure probability of a nonlinear structural system subject to creep and fatigue damages [Mao and Mahadevan, 2000; Lu et al., 2008]; the second one concerns the above mentioned passive decay heat removal system of a Gas-cooled Fast Reactor (GFR) [Pagani et al. 2005]; the reader is referred to Paper IV of Part II [Zio and Pedroni, 2009a] for details. However, a summary of the main results obtained in these applications is given in Section 3.4 (namely, 3.4 Methodological and applicative contributions of the thesis work).

61

ADVANCED MONTE CARLO SIMULATION METHODS

3.4 Methodological and applicative contributions of the thesis work The SS and LS methods are tested on a case study involving the natural convection cooling in a Gas-cooled Fast Reactor (GFR) after a Loss of Coolant Accident (LOCA) [Pagani et al., 2005]: to the best of the authors’ knowledge, this is the first time that these methods are applied to such kind of systems. In particular: • in Paper I of Part II [Zio and Pedroni, 2009c], SS is compared to standard MCS in the

following analyses: i) determination of the percentiles of the temperature of the coolant gas leaving the reactor core; ii) estimation of small functional failure probabilities of the passive system (e.g., ranging from 10-3 to 10-5) and iii) sensitivity analysis of the passive system performance to the uncertain system input parameters; • in Paper II of Part II [Zio and Pedroni, 2009d], LS is compared to Latin Hypercube

Sampling (LHS) in the following analyses: i) estimation of small functional failure probabilities of the passive system (e.g., ranging from 10-3 to 10-6) and ii) sensitivity analysis of the passive system performance to the uncertain system input parameters. LHS has been chosen as benchmark method due to its popularity and wide use in Probabilistic Risk Assessment (PRA). Based on the results obtained in these works, the following general conclusions can be drawn4: • SS becomes more and more efficient over standard MCS and LHS as the target

probability of functional failure to be estimated gets smaller; • LS significantly outperforms the standard MCS, LHS and SS methods, in particular in

the task of estimating very small failure probabilities (i.e., around 10-5 or 10-6); • the use of preferential lines (instead of random points) to probe the failure domain of

interest makes the effectiveness of the LS methodology almost independent of the failure probability to be estimated: this renders LS the most suitable method for an extremely wide range of real-world reliability problems; • SS generates a large amount of conditional (failure) samples by sequential Markov

Chain Monte Carlo (MCMC) simulations developed in different subsets of the uncertain input space. This allows producing the Probability Density Functions

4

It is worth noting that some of these conclusions have been already drawn in the context of structural reliability analysis (the reader is referred to the copious literature cited throughout the thesis); however, this is the first time that they are numerically demonstrated on a case study involving a nuclear passive system modeled by a realistic, nonlinear and non-monotonous T-H model code.

62

ADVANCED MONTE CARLO SIMULATION METHODS (PDFs) and Cumulative Distribution Functions (CDFs) of all the T-H code outputs of interest (e.g., peak cladding temperatures, pressures, mass flow rates and so on) in a single simulation run;

• different from SS, the LS technique allows only the calculation of the failure

probability of the passive system, but it does not allow a complete uncertainty propagation: actually, no PDFs, CDFs or percentiles of the T-H code outputs of interest can be identified in a single simulation run; • the sensitivity of the passive system performance to the uncertain system input

parameters can be studied through the examination of the conditional sample distributions generated by SS at different failure probability levels: an informative measure of the importance of a given parameter in determining the failure of the system is the deviation of its conditional distribution from the unconditional one. The advantage of this approach is that of being directly “embedded” in the computation of the failure probability: the SS algorithm produces the empirical conditional distributions of interest during the simulation that is performed to compute the functional failure probability of the passive system. In other words, while estimating the functional failure probability of the system, sensitivity analysis results are produced that can be readily visualized for identification (and ranking) of the most important variables; • the sensitivity of the passive system performance to the uncertain system input

parameters can be studied through the examination of the elements of the LS important vector pointing to the failure region: an informative measure of the relevance of a given parameter in determining the failure of the system is the magnitude of the corresponding element in the LS important vector. These conclusions are confirmed also by the results obtained in Paper III of Part II [Zio and Pedroni, 2009e]. In this work, the SS and LS schemes are applied to two structural reliability models of literature, i.e., the cracked plate model [Ardillon and Venturini, 1995] and the Paris-Erdogan thermal fatigue crack growth model [Paris, 1961]. These problems are quite challenging because they entail estimating failure probabilities of the order of 10-7. The effectiveness of the SS and LS techniques is compared to that of other probabilistic simulation methods, e.g. the Importance Sampling (IS), Dimensionality Reduction (DR) and Orthogonal Axis (OA) methods [Gille, 1998 and 1999]. No further details are given here for brevity: the interested reader is referred to Paper III [Zio and Pedroni, 2009e]. 63

ADVANCED MONTE CARLO SIMULATION METHODS

The main methodological contribution of the thesis work is represented by the optimization of the LS method. In particular, two open issues for the practical application of the LS method in the reliability analysis of nuclear passive systems are addressed: 1. LS relies on the determination of the important direction, which requires additional runs of the T-H model, with an increase of the computational cost. 2. LS has been shown to significantly reduce the variance of the failure probability estimator, but this must be achieved with a small number of samples (and, thus, of TH model evaluations; say, few tens or hundreds depending on the application), for practical cases in which the computer codes require several hours to run a single simulation. These issues are investigated within two case studies included in Paper IV of Part II [Zio and Pedroni, 2009a]: the first one deals with the estimation of the failure probability of a nonlinear structural system subject to creep and fatigue damages [Mao and Mahadevan, 2000; Lu et al., 2008]; the second one concerns the above mentioned passive decay heat removal system of a Gas-cooled Fast Reactor (GFR) [Pagani et al. 2005]. Concerning the first issue, the main methodological and applicative contributions of the thesis work its related findings are: • from a critical comparison of the methods currently available in the literature for the

estimation of the LS important direction, it turns out that: ƒ

the technique based on Markov Chain Monte Carlo (MCMC) simulation produces more accurate and precise failure probability estimates than those provided by the design point and gradient methods;

ƒ

the technique based on the identification of the design point performs better than the one based on gradient estimation.

• an Artificial Neural Network (ANN) regression model is built using a sequential, twostep training algorithm on a reduced-size set of examples (e.g., around one hundred) of

the input/output nonlinear relationships underlying the original system model code; then, the ANN model is used as a fast-running surrogate of the original system model code in the determination of the LS important direction: ƒ

the accuracy and precision of the estimates provided by the ANN-based method are shown to be comparable to those produced by running the original system code: however, they have been obtained at a much lower computational effort;

64

ADVANCED MONTE CARLO SIMULATION METHODS ƒ

conversely, when a low number of system model code simulations needs to be a priori imposed due to computational time limitations (which is the case of the

long-running system model codes, typical of nuclear safety), the accuracy and precision of the failure probability estimates provided by the ANN-based method is shown to be consistently higher than those produced by running the original system model code. • a new technique is proposed based on the minimization of the variance of the LS

failure probability estimator; since the proposed method relies on the definition of the optimal LS important direction, it produces more accurate and precise failure

probability estimates than those provided by all the techniques of literature. Concerning the second issue, the main methodological and applicative contributions of the thesis work and the related findings are: • the performance of the LS method is assessed in the estimation of a small failure

probability (i.e., of the order of 10-4) with a reduced number of samples drawn (i.e., ranging from 5 to 50). The results demonstrates that accurate and precise estimates can be obtained even reducing the number of samples to below one hundred and even in realistic, nonlinear and non-monotonous case studies;

• the following probabilistic simulation methods are compared in the estimation of small

failure probabilities, on the basis of a very small number of samples drawn: i) the optimized LS method proposed in this thesis, ii) a combination of the optimized LS method and Latin Hypercube Sampling (LHS), also developed in this thesis, iii) Importance Sampling (IS) [Au and Beck, 2003] and iv) a combination of IS and LHS [Olsson et al., 2003]. It is found that: ƒ

the optimized Line Sampling method (i.e., both LS and the combination of LS and LHS) provides more accurate and precise failure probability estimates than both the IS and the combination of IS and LHS methods;

ƒ

the use of LHS in combination with the optimized LS method slightly increases the accuracy of the failure probability estimates and strongly increases the precision of the failure probability estimates;

ƒ

the use of LHS in combination with the IS method significantly increases both the accuracy and the precision of the failure probability estimates.

65

4 Bootstrapped empirical regression modeling for point and confidence interval evaluation As discussed in the Introduction and in Section 2.3, the computational burden posed by the functional failure analysis of T-H passive systems can be tackled by replacing the longrunning, original T-H model code by a fast-running, surrogate regression model. Because calculations with the surrogate model can be performed quickly, the problem of long simulation times is circumvented. In Section 4.1, the problem of empirical regression modeling is presented; in addition, few details about the Artificial Neural Network (ANN) and quadratic Response Surface (RS) regression models employed in this thesis are given; in Section 4.2, a detailed description of the bootstrap-based method for quantifying, in terms of confidence intervals, the model uncertainty associated to the estimates of safety parameters computed by ANN and quadratic RS regression models is provided; finally, in Section 4.3, the main methodological and applicative contributions of the thesis work are summarized. In the Chapter, references are given to Paper V included in Part II [Pedroni et al., 2009]: in this paper, bootstrapped ANN and quadratic RS regression models are compared on a case study of an emergency passive decay heat removal system of a Gas-cooled Fast Reactor (GFR) [Pagani et al., 2005].

4.1 Empirical regression modeling Let us consider a generic meta-model to be built for performing the task of nonlinear regression, i.e., estimating the nonlinear relationship between a vector of input variables x = {x1, x2, ..., xj, ..., xni } and a vector of output targets y = {y1, y2, ..., yl, ..., yno }, on the basis of a finite

(and

possibly

small)

set

of

input/output

data

examples

(i.e.,

patterns),

Dtrain = {(x p , y p ), p = 1, 2, ..., N train } [Zio, 2006]. It can be assumed that the target vector y is

related to the input vector x by an unknown nonlinear deterministic function μ y ( x ) corrupted by a noise vector ε ( x ) , i.e.,

y( x ) = μ y ( x ) + ε( x ) .

(4.1)

Notice that in the present case of T-H passive system functional failure probability assessment the vector x contains the relevant uncertain system parameters/variables, the nonlinear deterministic function μ y ( x ) represents the complex, long-running T-H mechanistic model code (e.g., RELAP5-3D), the vector y(x) contains the output variables of interest for the

BOOTSTRAPPED EMPIRICAL REGRESSION MODELING FOR POINT AND CONFIDENCE INTERVAL EVALUATION analysis and the noise ε ( x ) represents the errors introduced by the numerical methods employed to calculate μ y ( x ) [Storlie et al., 2008; Storlie et al., 2009]; for simplicity, in the following we assume ε ( x ) = 0 [Secchi et al., 2008]. The objective of the regression task is to estimate μ y ( x ) in (4.1) by means of a regression function f(x, w*) depending on a set of parameters w* to be properly determined on the basis of the available data set Dtrain; the algorithm used to calibrate the set of parameters w* is obviously dependent on the nature of the regression model adopted, but in general it aims at minimizing the mean (absolute or quadratic) error between the output targets of the original

T-H code, yp = μ y (x p ) , p = 1, 2, ..., Ntrain, and the output vectors of the regression model,

(

)

yˆ p = f x p , w * , p = 1, 2, ..., Ntrain; for example, the Root Mean Squared Error (RMSE) is

commonly adopted to this purpose [Zio, 2006]: RMSE =

1 N train ⋅ no

N train no

∑∑ (y p =1 l =1

− yˆ p ,l ) . 2

p ,l

(4.2)

Once the regression model has been constructed, a critical question must be considered, i.e., how well can the model predict new outputs. As measures of the regression model accuracy, proper numerical figures (e.g., the commonly adopted coefficient of determination R 2 and RMSE) have to be computed for each output yl, l = 1, 2, ..., no, on a new data set

Dtest = {(x p , y p ), p = 1, 2, ..., N test } of size Ntest, purposely generated for testing the regression

model built [Marrel et al., 2009], and thus different from those used during training. Once tested, the regression model f(x, w*) can be used in place of the T-H code to calculate any quantity of interest Q, such as the 95th percentile of a physical variable critical for the system under analysis (e.g., the fuel cladding temperature) or the functional failure probability of the passive system. In this thesis, the capabilities of three-layered feed-forward Artificial Neural Network (ANN) (Section 4.1.1) and quadratic Response Surface (RS) (Section 4.1.2) regression models are compared in the computational tasks involved in the functional failure analysis of a T-H passive system. 4.1.1 Artificial Neural Networks

In extreme synthesis, ANNs are computing devices inspired by the function of the nerve cells in the brain [Bishop, 1995]. They are composed of many parallel computing units (called neurons or nodes) arranged in different layers and interconnected by weighed connections 67

BOOTSTRAPPED EMPIRICAL REGRESSION MODELING FOR POINT AND CONFIDENCE INTERVAL EVALUATION (called synapses). Each of these computing units performs a few simple operations and communicates the results to its neighbouring units. From a mathematical viewpoint, ANNs consist of a set of nonlinear (e.g., sigmoidal) basis functions with adaptable parameters w* that are adjusted by a process of training (on many different input/output data examples), i.e., an iterative process of regression error minimization [Rumelhart et al., 1986]. The particular type of ANN employed in this thesis is the classical three-layered feed-forward ANN trained by the error back-propagation algorithm: by way of example, an ANN architecture with ni = 3 neurons (or nodes) in the input layer (i), nh = 2 neurons in the hidden layer (h) and no = 2 neurons in the output layer (o) is pictorially represented in Figure 4.1.

Figure 4.1. Sketch of a three-layered feed-forward ANN architecture with ni = 3 neurons (or nodes) in the input layer (i), nh = 2 neurons in the hidden layer (h) and no = 2 neurons in the output layer (o)

The choice of the ANN architecture is critical for the regression accuracy. In particular, the number of neurons in the network determines the number of adjustable parameters available to optimally fit the complicated, nonlinear T-H model code response surface by interpolation of the available training data. The number ni of neurons in the input layer (i) is equal to the number of uncertain input parameters; the number no of neurons in the output layer (o) is equal to the number of model outputs of interest; the number nh of nodes in the hidden layer 68

BOOTSTRAPPED EMPIRICAL REGRESSION MODELING FOR POINT AND CONFIDENCE INTERVAL EVALUATION (h) is essentially arbitrary. However, in case of a network with too few neurons (i.e., too few parameters), the regression function f(x, w*) has insufficient flexibility to adjust its response surface to fit the data adequately: this results in poor generalization properties of interpolation when new input patterns are fed to the network to obtain the corresponding output; on the opposite side, excessively increasing the flexibility of the model by introducing too many parameters, e.g., by adding hidden neurons, may make the network overfit the training data, leading again to poor generalization performance when interpolating new input data. A tradeoff is typically sought by controlling the neural model complexity, i.e., the number of parameters, and the training procedure, e.g., by adding a regularization term in the error function or by early stopping the training, so as to achieve a good fit of the training data with a reasonably smooth regression function which is not over-fit to the data and therefore capable of generalization when interpolating new input data [Bishop, 1995]. In the present thesis

work,

early

stopping

is

adopted:

a

validation

input/output

data

set

Dval = {(x p , y p ), p = 1, 2, ..., N val } made of patterns different from those of the training set Dtrain

is used to monitor the accuracy of the ANN model during the training procedure; in practice, the RMSE (4.2) is computed on Dval at different iterative stages of the training procedure (Figure 4.2): at the beginning of training, this value decreases as does the RMSE computed on the training set Dtrain; later in the training, if the ANN regression model starts overfitting the data, the RMSE calculated on the validation set Dval starts increasing and training must be stopped [Bishop, 1995]. It is fair to point out that the increased ANN generalization capability typically achieved by early stopping is obtained at the expense of Nval additional code simulations, with an increase in the computational cost for the training of the ANN model.

Figure 4.2. Early stopping the ANN training to avoid overfitting

69

BOOTSTRAPPED EMPIRICAL REGRESSION MODELING FOR POINT AND CONFIDENCE INTERVAL EVALUATION

4.1.2 Quadratic Response Surfaces

In extreme synthesis, quadratic RSs are polynomials containing linear terms, squared terms and possibly two-factors interactions of the input variables [Iooss et al., 2006; Liel et al., 2009]: ni

ni

ni −1

j =1

j =1

o =1 q = o +1

yˆ l = al + ∑ b jl x j + ∑ c jl x 2j + ∑

ni

∑d

x x , l = 1, 2, ..., no

oq o q

(4.3)

where yˆ l is the quadratic RS estimate of output yl, l = 1, 2, ..., no, and al, bjl, cjl and doq, l = 1, 2, ..., no, j = 1, 2, ..., ni, o = 1, 2, ..., ni – 1, q = o + 1, o + 2, ..., ni, are the quadratic RS adaptable parameters that are usually calibrated by straightforward least squares methods. Finally, it is worth noting that, differently from ANNs, i) to the best of the authors’ knowledge, no method to avoid overfitting is available for quadratic RSs and ii) a specific quadratic RS must be developed for each output to be estimated.

4.2 The bootstrap method The approximation of the system output provided by an empirical regression model introduces an additional source of model uncertainty, which needs to be evaluated, particularly in safety critical applications like those related to nuclear power plant technology. One way to do this is by resorting to bootstrapped regression models [Efron and Thibshirani, 1993], i.e., an ensemble of regression models constructed on different data sets bootstrapped from the original one [Zio, 2006; Storlie et al., 2009]. The bootstrap method is a distributionfree inference method which requires no prior knowledge about the distribution function of the underlying population [Efron and Thibshirani, 1993]. The basic idea is to generate a sample from the observed data by sampling with replacement from the original data set [Efron and Thibshirani, 1993]. From the theory and practice of ensemble empirical models, it can be shown that the estimates given by bootstrapped regression models is in general more accurate than the estimate of the best regression model in the bootstrap ensemble of regression models [Zio, 2006; Cadini et al., 2008]. In what follows, the steps of the bootstrap-based technique of evaluation of the so-called Bootstrap Bias Corrected (BBC) point estimate Qˆ BBC of a generic quantity Q (e.g., a safety parameter) by a regression model f(x, w*), and the calculation of the associated BBC Confidence Interval (CI) are reported [Zio, 2006; Storlie et al., 2009]: 70

BOOTSTRAPPED EMPIRICAL REGRESSION MODELING FOR POINT AND CONFIDENCE INTERVAL EVALUATION 1. Generate a set D train of input/output data examples by sampling Ntrain independent input parameters values xp, p = 1, 2, ..., Ntrain, and calculating the corresponding set of Ntrain output vectors yp = μy(xp) through the mechanistic T-H system code. Plain

random sampling, Latin Hypercube Sampling or other more sophisticated experimental design methods can be adopted to select the input vectors xp, p = 1, 2, ..., Ntrain [Gazut et al., 2008].

2. Build a regression model f(x, w*) on the basis of the entire data set Dtrain = {(x p , y p ), p = 1, 2, ..., N train } (step 1. above) in order to obtain a fast-running

surrogate of the T-H model code represented by the unknown nonlinear deterministic function μy(x) in (4.1). 3. Use the regression model f(x, w*) (step 2. above), in place of the original T-H model code, to provide a point estimate Qˆ of the quantity Q, e.g., the 95th percentile of a system variable of interest or the functional failure probability of the T-H passive system. In particular, draw a sample of NT new input vectors xr, r = 1, 2, …, NT, from the corresponding epistemic probability distributions and feed the regression model f(x,

w*) with them; then, use the corresponding output vectors yr = f(xr, w*), r = 1, 2, …, NT, to calculate the estimate Qˆ for Q (the algorithm for computing Qˆ is obviously

dependent on the meaning of the quantity Q). Since the regression model f(x, w*) can be evaluated quickly, this step is computationally costless even if the number NT of model estimations is very high (e.g., NT = 105 or 106). 4. Build an ensemble of B (typically of the order of 500-1000) regression models

{f (x, w ), b = 1, 2, ..., B} by random sampling with replacement and use each of the b

* b

bootstrapped regression models fb(x, wb*), b = 1, 2, ..., B, to calculate an estimate Qˆ b , b = 1, 2, ..., B, for the quantity Q of interest: by so doing, a bootstrap-based empirical

probability distribution for the quantity Q is produced which is the basis for the construction of the corresponding confidence intervals. In particular, repeat the following steps for b = 1, 2, ..., B:

a. Generate a bootstrap data set Dtrain ,b = {(x p ,b , y p ,b ), p = 1, 2, ..., N train }, b = 1, 2, ..., B, by performing random sampling with replacement from the original data

set Dtrain = {(x p , y p ), p = 1, 2, ..., N train } of Ntrain input/output patterns (steps 1. 71

BOOTSTRAPPED EMPIRICAL REGRESSION MODELING FOR POINT AND CONFIDENCE INTERVAL EVALUATION and 2. above). The data set Dtrain,b is thus constituted by the same number Ntrain of input/output patterns drawn among those in Dtrain although, due to the sampling with replacement, some of the patterns in Dtrain will appear more than once in Dtrain,b, whereas some will not appear at all. b. Build a regression model fb(x, wb*), b = 1, 2, ..., B, on the basis of the bootstrap data set Dtrain ,b = {(x p ,b , y p ,b ), p = 1, 2, ..., N train } (step 3.a. above).

c. Use the regression model fb(x, wb*) (step 4.b. above), in place of the original TH code, to provide a point estimate Qˆ b of the quantity of interest Q. It is important to note that for a correct quantification of the confidence interval the estimate Qˆ b must be based on the same input and output vectors xr and yr, r = 1, 2, …, NT, respectively, obtained in step 3. above. 5. Calculate the so-called Bootstrap Bias Corrected (BBC) point estimate Qˆ BBC for Q as Qˆ BBC = 2Qˆ − Qˆ boot

(4.4)

where Qˆ is the estimate obtained with the regression model f(x, w*) trained with the original data set Dtrain (steps 2. and 3. above) and Qˆ boot is the average of the B estimates Qˆ b obtained with the B regression models fb(x, wb*), b = 1, 2, ..., B (step 4.c. above), i.e., Qboot =

1 B ˆ ∑ Qb . B b =1

(4.5)

The BBC estimate Qˆ BBC in (4.4) is taken as the definitive point estimate for Q. The explanation for expression (4.4) is as follows. It can be demonstrated that if there is a bias in the bootstrap average estimate Qˆ boot in (4.5) compared to the estimate Qˆ obtained with the single regression model f(x, w*) (step 3. above), then the same bias exists in the single estimate Qˆ compared to the true value Q of the quantity of interest [Baxt and White, 1995]. Thus, in order to obtain an appropriate, i.e. bias-corrected, estimate Qˆ BBC for the quantity of interest Q, the estimate Qˆ must be adjusted by subtracting the corresponding bias ( Qˆ boot - Qˆ ): as a consequence, the final, biascorrected estimate Qˆ BBC is Qˆ BBC = Qˆ - ( Qˆ boot - Qˆ ) = 2 Qˆ - Qˆ boot .

72

BOOTSTRAPPED EMPIRICAL REGRESSION MODELING FOR POINT AND CONFIDENCE INTERVAL EVALUATION 6. Calculate the two-sided Bootstrap Bias Corrected (BBC)-100·(1 - α)% Confidence Interval (CI) for the BBC point estimate in (4.4) by performing the following steps: a. Order the bootstrap estimates Qˆ b , b = 1, 2, ..., B, (step 4.c. above) by increasing values, such that Qˆ ( i ) = Qˆ b for some b = 1, 2, ..., B, and Qˆ (1) < Qˆ ( 2 ) < ... < Qˆ ( b ) < ... < Qˆ ( B ) . b. Identify the 100·α/2th and 100·(1 – α/2)th quantiles of the bootstrapped empirical probability distribution of Q (step 4. above) as the [B·α/2]th and [B·(1 – α/2)]th elements Qˆ ([B⋅α / 2 ]) and Qˆ ([B⋅(1−α / 2 )]) , respectively, in the ordered list Qˆ (1) < Qˆ ( 2) < ... < Qˆ ( b ) < ... < Qˆ ( B ) ; notice that the symbol [·] stands for “closest integer”. c. Calculate the two-sided BBC-100·(1 - α)% CI for Qˆ BBC as

[Qˆ

BBC

(

)

(

)]

− Qˆ boot − Qˆ ([B⋅α / 2 ]) , Qˆ BBC + Qˆ ([B⋅(1−α / 2 )]) − Qˆ boot .

(4.6)

An important advantage of the bootstrap method is that it provides confidence intervals for a given quantity Q without making any model assumptions (e.g., normality); a disadvantage is that the computational cost could be high when the set Dtrain and the number of adaptable parameters w* in the regression models are large.

4.3 Methodological and applicative contributions of the thesis work Bootstrapped ANN and quadratic RS regression models are compared on a case study involving the natural convection cooling in a Gas-cooled Fast Reactor (GFR) after a Loss of Coolant Accident (LOCA) [Pagani et al., 2005]: to the best of the authors’ knowledge, this is the first time that bootstrapped regression models are applied to such kind of systems. In particular, in Paper V of Part II [Pedroni et al., 2009], bootstrapped RS and ANN models

are built with training sets Dtrain = {(x p , y p ), p = 1, 2, ..., N train } of input/output data examples of different sizes Ntrain = 20, 30, 50, 70, 100; this allows extensive testing of the capability of the regression models to reproduce the outputs of the nonlinear T-H model code, based on different (small) numbers of example data. Then, the two regression models are compared in the following analyses: i) estimation of the 95th percentile of the temperature of the coolant gas leaving the reactor core and ii) estimation of the functional failure probability of the passive system. 73

BOOTSTRAPPED EMPIRICAL REGRESSION MODELING FOR POINT AND CONFIDENCE INTERVAL EVALUATION Based on the results obtained, the following conclusions can be drawn: • ANNs outperform quadratic RSs in terms of estimation accuracy: as expected, the

difference in the performances of the two regression models is much more evident in the estimation of the 95th percentiles than in the (easier) task of estimating the functional failure probability of the system. Due to their flexibility in nonlinear modeling, ANNs have been shown to provide more reliable estimates than quadratic RSs even when they are trained with very low numbers of data examples (e.g., 20, 30 or 50) from the original T-H model code; • the bootstrap method has been employed to estimate confidence intervals directly on

the quantities computed by the regression models: this uncertainty quantification is of paramount importance in safety critical applications, in particular when few data examples are used. In this regard, bootstrapped ANNs have been shown to produce narrower confidence intervals than bootstrapped quadratic RSs in all the analyses

performed; • bootstrapped ANNs can be considered more effective than quadratic RSs in the

estimation of the functional failure probability of T-H passive systems (while quantifying the uncertainty associated to the results) because they provide more accurate (i.e., estimates are closer to the true values) and precise (i.e., confidence

intervals are narrower) estimates than quadratic RSs; on the other hand, the computational time required by bootstrapped ANNs is somewhat longer (e.g., by a factor 2−4) than that required by quadratic RSs, due to the elaborate training algorithm employed for building the structurally complex neural model.

74

5 Conclusions The assessment of the reliability of T-H passive systems is a crucial issue to be resolved for their extensive use in future nuclear power plants. The reliance of T-H passive systems on inherent physical principles makes their reliability evaluation quite difficult to accomplish, if compared to classical system reliability analysis, due to the lack of data which makes current knowledge of passive system operation somewhat poor, thus introducing large uncertainties in the analysis. These uncertainties are both of aleatory and epistemic nature and are mainly due to poor understanding and modelling of the phenomena affecting the T-H performance of the system and of the relative physical correlations, environmental and boundary conditions used in the T-H analysis. These issues may in principle be detrimental for the public acceptance of future reactor designs, which conversely are expected to offer an overall level of safety higher than the one of the currently operating fleet, especially thanks to the adoption of passive systems. Thus, there is a strong need for the development and demonstration of consistent methodologies and approaches for T-H passive systems reliability evaluation. As a further step forward in this direction, in this thesis the technical issues associated with assessing the reliability of T-H passive systems in the context of nuclear safety have been considered. It emerges that the copious use of expert judgement and subjective assumptions during the assessment process leads to the need of propagating the associated uncertainties by simulating several times the system response under different working conditions: this can be done by Monte Carlo sampling the uncertainties in the system model and parameters, and simulating the corresponding passive system response with a mechanistic T-H computer code. However, this approach requires considerable computational efforts. The reason is twofold. First, a large number of Monte Carlo-sampled T-H model evaluations must generally be carried out for an accurate estimation of the functional failure probability. Since the number of simulations required to obtain a given accuracy depends on the magnitude of the failure probability to be estimated, with the computational burden increasing with decreasing functional failure probability, this poses a significant challenge for the typically quite small (e.g., less than 10-4) probabilities of functional failure of T-H passive safety systems. Second, long calculations (several hours) are typically necessary for each run of the detailed, mechanistic T-H code (one code run is required for each sample of values drawn from the uncertainty distributions). The associated computational burden has been tackled in two

CONCLUSIONS different ways. From one side, efficient Monte Carlo Simulation techniques have been employed to perform robust estimations with a limited number of input samples drawn and associated low computational time; from the other side, fast-running, surrogate regression models (also called response surfaces or meta-models) have been used to replace the longrunning T-H model code in the passive system reliability analysis. In the field of advanced Monte Carlo Simulation, the Subset Simulation (SS) and Line Sampling (LS) methods have been considered. In addition, two relevant issues for the practical application of the LS method have been addressed: 1. the determination of the important direction for LS; 2. the reduction of the overall computational cost associated to the LS method in the estimation of the small functional failure probabilities characteristic of passive systems. Concerning the first issue, the main methodological and applicative contributions of the thesis work presented have been: •

a comparison of the efficiency of a number of methods proposed in the literature to identify the important direction;

•

the use of Artificial Neural Network (ANN) regression models as fast-running surrogates of the long-running T-H code, to reduce the computational cost associated to the identification of the LS important direction;

•

the development of a new technique to determine the LS important direction, based on the minimization of the variance of the LS failure probability estimator.

Concerning the second issue, the main methodological and applicative contribution of the thesis work presented has been: • the assessment of the performance of the LS method in the estimation of small failure

probabilities (e.g., of the order of 10-4) with a very small number of samples (e.g., below one hundred). In the field of empirical regression modeling, Artificial Neural Network (ANN) and quadratic Response Surface (RS) regression models have been considered. The main methodological and applicative contribution of this thesis work is the use of the bootstrap method to directly quantify, in terms of confidence intervals, the uncertainties associated to the ANN and quadratic RS estimates of various reliability quantities of interest.

76

CONCLUSIONS The different approaches and computational methods have been tested and compared on a case study involving the natural convection cooling in a Gas-cooled Fast Reactor (GFR) after a Loss of Coolant Accident (LOCA) [Pagani et al., 2005]. On the basis of the results obtained (which have been summarized and critically discussed in Sections 3.4 and 4.3 of Part I and in the papers of Part II), the following general conclusions and recommendations can be drawn for those analysts who approach the problem of passive systems reliability assessment: •

If the analyst is only interested in an accurate and precise estimation of the (typically small) functional failure probability of the T-H passive system (modelled by a longrunning, nonlinear and non-monotonous T-H code), then the following methodology

(based on the optimized LS technique proposed within this thesis work) is strongly suggested (see Section 3.3 of Part I and Paper IV of Part II): a. build an Artificial Neural Network (ANN) regression model using a sequential, two-step training algorithm on a reduced number of examples (e.g., around one

hundred) of the input/output nonlinear relationships underlying the original system model code; b. use the ANN model as a fast-running surrogate of the original system model code in the determination of the LS important direction; for this purpose, the technique proposed in this paper (based on the minimization of the variance of the LS failure probability estimator by means of Genetic Algorithms) is strongly suggested: since it relies on the definition of the optimal LS important direction, it produces more accurate and precise failure probability estimates than those provided by all the techniques of literature; c. estimate the functional failure probability of the T-H passive system by means of Line Sampling with a small number of samples (e.g., few tens); the accuracy and precision of the estimates can be enhanced by combining Line Sampling with Latin Hypercube Sampling. It is worth noting that the LS technique allows only the calculation of the failure probability of the passive system, but it does not allow a complete uncertainty propagation: actually, no Probability Density Functions (PDFs), Cumulative Distribution Functions (CDFs) or percentiles of the T-H code outputs of interest can be identified in a single simulation run.

77

CONCLUSIONS • If the analyst is interested, besides the mere estimation of the failure probability, in a

more complete uncertainty propagation (i.e., determination of the PDFs, CDFs, percentiles of the T-H code outputs of interest and so on), two options are suggested: 1. the SS method offers a feasible means to tackle the problem because it generates a large amount of conditional (failure) samples by sequential Markov Chain Monte Carlo (MCMC) simulations developed in different subsets of the uncertain input space. This allows producing the PDFs and CDFs of all the T-H code outputs of interest (e.g., peak cladding temperatures, pressures, mass flow rates and so on) in a single simulation run. On the other hand, different from the LS method, there does not seem to exist any indication that it is possible to reduce the number of samples (i.e., the number of T-H model code evaluations) to below a few hundreds. Actually, at least one hundred samples have to be generated in each subset to produce reliable failure probability estimates: thus, if the failure probabilities to be estimated are 10-4 or 10-5 (which is often the case for passive safety systems), then an amount of 400 or 500 samples have to be generated, respectively. As a consequence, if the T-H model requires many hours, or days, to perform a single evaluation, SS is not suitable; on the other hand, if the T-H model is sufficiently simple and requires seconds or minutes to run, SS may represent the optimal choice. 2. in those cases where the T-H model requires many hours, or days, to perform a single evaluation, the use of fast-running surrogate regression models (e.g., ANNs or quadratic RSs) instead of the long-running original T-H code seems mandatory. The following procedure should be adopted: a. run the T-H system model code a predetermined, reduced number of times (e.g., 50-100) for specified values of the uncertain input variables; b. collect the corresponding values of the output of interest; c. employ statistical techniques for calibrating/adapting the internal parameters/coefficients of the response surface of the regression model

in order to fit the input/output data generated in the previous steps; d. use the empirical regression model built at step c. to estimate the quantities of interest (e.g., failure probabilities, percentiles, sensitivity indices and so on);

78

CONCLUSIONS e. use the bootstrap procedure to quantify, in terms of confidence intervals, the uncertainties associated to the estimates provided by the empirical regression models. Notice that ANNs provides in general more accurate and precise estimates than quadratic RSs due to their structural complexity; in addition, a single ANN can be trained to estimate all the outputs of the T-H model of interest, whereas a specific quadratic RS must be developed for each output to be estimated. However, the construction of ANNs requires a slightly higher computational effort due to the elaborate training algorithm employed.

79

References [Ahammed and Melchers, 2006] Ahammed, M., Malchers, M. E., 2006. Gradient and parameter sensitivity estimation for systems evaluated using Monte Carlo analysis. Reliability Engineering and System Safety, 91, pp. 594 - 601. [Apostolakis, 1990] Apostolakis, G. E., 1990. The concept of probability in safety assessment of technological systems. Science, 250, 1359. [Apostolakis, 1995] Apostolakis, G. E., 1995. A commentary on model uncertainty. Proc. Workshop on Model Uncertainty: Its Characterization and Quantification, pp. 13-22. In: Mosleh, A., Siu, N., Smidts, C., and Lui, C., Eds, Center for Reliability Engineering, University of Maryland, College Park, Maryland; also published as NUREG/CP-0138, U.S. Nuclear Regulatory Commission, Washington, D.C. (1994). [Apostolakis, 1999] Apostolakis, G. E., 1999. The distinction between aleatory and epistemic uncertainties is important: an example from the inclusion of ageing effects into PSA. Proc. Int. Topl. Mtg. Probabilistic Safety Assessment (PSA ‘99), Washington, D.C., August 22-26, 1999, pp. 135-142, American Nuclear Society, La Grange Park, Illinois. [Ardillon and Venturini, 1995] Ardillon, E. and Venturini, V., 1995. Measures de sensibilitè dans les approaches probabilistes. Rapport EDF HP-16/95/018/A. [Arul et al., 2009] Arul, A.J., Iyer, N.K., Velusamy, K., 2009. Adjoint operator approach to functional reliability analysis of passive fluid dynamical systems. Reliability Engineering and System Safety, 94, pp. 1917-1926. [Au, 2005] Au, S. K., 2005. Reliability-based design sensitivity by efficient simulation. Computers and Structures, 83, pp. 1048-1061. [Au, 2007] Au, S. K., 2007. Augmented approximate solutions for consistent reliability analysis. Probabilistic Engineering Mechanics, 22, pp. 77-87. [Au and Beck, 2001] Au, S. K. and Beck, J. L., 2001. Estimation of small failure probabilities in high dimensions by subset simulation. Probabilistic Engineering Mechanics, 16(4), pp. 263-277. [Au and Beck, 2003a] Au, S. K. and Beck, J. L., 2003. Importance sampling in high dimensions. Structural Safety, 25(2), pp. 139-163. [Au and Beck, 2003b] Au, S. K. and Beck, J. L., 2003. Subset Simulation and its application to seismic risk based on dynamic analysis. Journal of Engineering Mechanics, 129(8), pp. 1-17. [Au et al., 2007] Au, S. K., Wang, Z. H., Lo, S. M., 2007. Compartment fire risk analysis by advanced Monte Carlo simulation. Engineering Structures, 29(9), pp. 2381-2390. [Aybar et al., 1999] Aybar, H. S., Aldemir, T., 1999. Dynamic probabilistic reliability and safety assessment: an application to IS-BWR. In: Proceedings of the Seventh International conference on Nuclear Engineering, Tokio, Japan. [Bassi and Marquès, 2008] Bassi, C., Marquès, M., 2008. Reliability assessment of 2400 MWth gas-cooled fast reactor natural circulation decay heat removal in pressurized situations. Science and Technology of Nuclear Installations, Special Issue “Natural Circulation in Nuclear Reactor Systems”, Hindawi Publishing Corporation, Paper 87376. [Baxt and White, 1995] Baxt, W. G. and White, H., 1995. Bootstrapping confidence intervals for clinic input variable effects in a network trained to identify the presence of acute myocardial infarction. Neural Computation, 7, pp. 624-638. [Bishop, 1995] Bishop, C. M., 1995. Neural Networks for pattern recognition. Oxford University Press. [Boggs and Tolle, 1996] Boggs, P. T., Tolle, J. W., 1995. Sequential quadratic programming. Acta Numerica, 4, pp. 1-51.

REFERENCES [Bucher and Most, 2008] Bucher, C., Most, T., 2008. A comparison of approximate response function in structural reliability analysis. Probabilistic Engineering Mechanics, vol. 23, pp. 154-163. [Burgazzi, 2002] Burgazzi, L., 2002. Passive system reliability analysis: a study on the isolation condenser. Nuclear Technology, 139 (July), 3-9. [Burgazzi, 2003] Burgazzi, L., 2003. Reliability evaluation of passive systems through functional reliability assessment. Nuclear Technology, 144, 145. [Burgazzi, 2004] Burgazzi, L., 2004. Evaluation of uncertainties related to passive systems performance. Nuclear Engineering and Design, 230, 93-106. [Burgazzi, 2006] Burgazzi, L., 2006. Failure mode and effect analysis application for the safety and reliability analysis of a thermal-hydraulic passive system. Nuclear Technology, 146, pp. 150-158. [Burgazzi, 2007a] Burgazzi, L., 2007. Addressing the uncertainties related to passive system reliability. Progress in Nuclear Energy, 49, 93-102. [Burgazzi, 2007b] Burgazzi, L., 2007. State of the art in reliability of thermal-hydraulic passive systems. Reliability Engineering and System Safety, 92, pp. 671-675. [Burgazzi, 2007c] Burgazzi, L., 2007. Thermal-hydraulic passive system reliability-based design approach. Reliability Engineering and System Safety, 92(9), pp. 1250-1257. [Burgazzi, 2008] Burgazzi, L., 2008. About time-variant reliability analysis with reference to passive systems assessment. Reliability Engineering and System Safety, 93(11), pp. 1682-1688. [Burgazzi, 2009] Burgazzi, L., 2009. Evaluation of the dependencies related to passive system failure. Nuclear Engineering and Design, 239(12), pp. 3048-3053. [Cacuci and Ionescu-Bujor, 2004] Cacuci, D. G., Ionescu-Bujor, M., 2004. A comparative review of sensitivity and uncertainty analysis of large scale systems – II: Statistical methods. Nuclear Science and Engineering (147), pp. 204-217. [Cadini et al., 2008] Cadini, F., Zio, E., Kopustinskas, V., Urbonas, R., 2008. An empirical model based bootstrapped neural networks for computing the maximum fuel cladding temperature in a RBMK-1500 nuclear reactor accident. Nuclear Engineering and Design, 238, pp. 2165-2172. [Cardoso et al., 2008] Cardoso, J. B., De Almeida, J. R., Dias, J. M., Coelho, P. G., 2008. Structural reliability analysis using Monte Carlo simulation and neural networks. Advances in Engineering Software, 39, pp. 505-513. [Chambers, 1995] Chambers, L., 1995. Practical handbook of genetic algorithms: applications Vol. I; new frontiers Vol. II, CRC Press. [Cheng et al., 2008] Cheng, J., Li, Q. S., Xiao, R. C., 2008. A new artificial neural networkbased response surface method for structural reliability analysis. Probabilistic Engineering Mechanics, 23, pp. 51-63. [Ching et al., 2005] Ching, J., Beck, J. L., Au, S. K., 2005. Hybrid subset simulation method for reliability estimation of dynamical systems subject to stochastic excitation. Probabilistic Engineering Mechanics, 20, pp. 199-214. [Chung et al., 2008] Chung, Y. J., Lee, S. W., Kim S. H., Kim, K. K., 2008. Passive cooldown performance of a 65MW integral reactor, vol. 238, pp. 1681-1689. [Churchill, 1998] Churchill, S. W., 1998. Combined free and forced convection in channels. Heat Exchanger Design Handbook, Sec. 2.5.10, Hewitt, G. F., Ed., Begell House, New York. [D’ Auria et al., 2002] D’ Auria, F., Bianchi, F., Burgazzi, L., Ricotti, M. E., 2002. The REPAS study: reliability evaluation of passive safety systems. In: Proceedings of the 10th International Conference on Nuclear Engineering ICONE 10-22414, Arlinghton, VA USA, April 14-18. 81

REFERENCES [Deng, 2006] Deng, J., 2006. Structural reliability analysis for implicit performance function using radial basis functions. International Journal of Solids and Structures, 43, pp. 32553291. [Efron and Thibshirani, 1993] Efron, B. and Thibshirani, R. J., 1993. An introduction to the bootstrap. Monographs on statistics and applied probability 57. Chapman and Hall, New York. [Fong et al., 2009] Fong, C. J., Apostolakis, G. E., Langewish, D. R., Hejzlar, P., Todreas, N. E., Driscoll, M. J., 2009. Reliability analysis of a passive cooling system using a response surface with an application to the flexible conversion ratio reactor. Nuclear Engineering and Design, 239(12), pp. 2660-2671. [Fu, 2006] Fu, M., 2006. Stochastic gradient estimation. Chapter 19 in Handbook on Operation Research and Management Science: Simulation, S. G. Henderson and B. L. Nelson, editor, Elsevier. [Gavin and Yau, 2008] Gavin, H. P., Yau, S. C., 2008. High-order limit state functions in the response surface method for structural reliability analysis. Structural Safety, 30, pp. 162-179. [Gazut et al., 2008] Gazut, S., Martinez, J. M., Dreyfus, G., Oussar, Y., 2008. Towards the optimal design of numerical experiments. IEEE Transactions on Neural Networks, 19(5), pp. 874-882. [Gille, 1998] Gille, A., 1998. Evaluation of failure probabilities in structural reliability with Monte Carlo methods. ESREL ’98, Throndheim. [Gille, 1999] Gille, A., 1999. Probabilistic numerical methods used in the applications of the structural reliability domain. PhD Thesis, Universitè Paris 6. [Gläser, 2002] Gläser, H., 2002. Uncertainty evaluation of thermal-hydraulic code results. In: ANS International Meeting on Best-Estimate Methods in Nuclear Installations Safety Analysis (BE-2000), Washington, D.C., USA, November 17-20. [Goldberg, 1989] Goldberg, D. E., 1989. Genetic algorithms in search, optimization, and machine learning, Addison-Wesley Publ. Co., 1989. [Hastings 1970] Hastings, W. K., 1970. Monte Carlo sampling methods using Markov chains and their applications. Biometrika, 57, pp. 97-109. [Helton, 1998] Helton, J. C., 1998. Uncertainty and sensitivity analysis results obtained in the 1996 performance assessment for the waste isolation power plant, SAND98-0365, Sandia National Laboratories. [Helton, 2004] Helton, J., 2004. Alternative representations of epistemic uncertainties. Reliability Engineering and System Safety, 85 (Special Issue). [Helton and Davis, 2003] Helton J. C, Davis, F. J., 2003. Latin hypercube sampling and the propagation of uncertainty in analyses of complex systems. Reliability Engineering and System Safety, 81, pp. 23-69. [Helton et al., 2005] Helton, J.C., Davis, F.J., Johnson, J.D., 2005. A Comparison of Uncertainty and Sensitivity Analysis Results Obtained with Random and Latin Hypercube Sampling. Reliability Engineering & System Safety, Vol. 89, 3, pp. 305330. [Helton et al., 2006] Helton J. C, Johnson J. D., Sallaberry C. J., Storlie C. B., 2006. Survey on sampling-based methods for uncertainty and sensitivity analysis. Reliability Engineering and System Safety, 91, pp. 1175-1209. [Helton and Sallaberry, 2009] Helton, J.C., Sallaberry, C., 2009. Computational implementation of sampling-based approaches to the calculation of expected dose in performance assessments for the proposed high-level radioactive waste repository at Yucca Mountain, Nevada. Reliability Engineering and System Safety, 94, pp. 699-721. [Hofer et al., 2002] Hofer, E., Kloos, M., Krzykacz-Hausmann, B., Peschke, J., Woltereck, M., 2002. An approximate epistemic uncertainty analysis approach in the presence of 82

REFERENCES epistemic and aleatory uncertainties. Reliability Engineering and System safety, 77, pp. 229-238. [Holland, 1975] Holland, J. H., 1975. Adaptation in natural and artificial systems: an introductory analysis with application to biology, Control and Artificial Intelligence. MIT Press, 4-th edition. [Huang and Du, 2006] Huang, B., Du, X., 2006. A robust design method using variable transformation and Gauss-Hermite integration. International Journal for Numerical Methods in Engineering, 66, pp. 1841-1858. [Hurtado, 2007] Hurtado, J. E., 2007. Filtered importance sampling with support vector margin: a powerful method for structural reliability analysis. Structural Safety, 29, pp. 2-15. [IAEA, 1991] IAEA, 1991. Safety related terms for advanced nuclear plant. IAEA TECDOC626. [Iooss et al., 2006] Iooss, B., Van Dorpe, F., Devictor, N., 2006. Response surfaces and sensitivity analyses for an environmental model of dose calculation. Reliability Engineering and System Safety, 91, pp. 1241-1251. [Jafari et al., 2003] Jafari, J., D’ Auria, F., Kazeminejad, H., Davilu, H., 2003. Reliability evaluation of a natural circulation system. Nuclear Engineering and Design, 224, 79104. [Juhn et al., 2000] Juhn, P. E., Kupitz, J., Cleveland, J., Cho, B., Lyon, R. B., 2000. IAEA activities on passive safety systems and overview of international development. Nuclear Engineering and Design, 201, pp. 41-59. [Katafygiotis and Cheung, 2005] Katafygiotis, L., Cheung, S. H., 2005. A two-stage subset simulation-based approach for calculating the reliability of inelastic structural systems subjected to Gaussian random excitations. Computer Methods in Applied Mechanics and Engineering, 194, pp. 1581-1595. [Katafygiotis and Cheung, 2007] Katafygiotis, L., Cheung, S. H., 2007. Application of spherical subset simulation method and auxiliary domain method on a benchmark reliability study. Structural Safety, 29, pp. 194-207. [Konak et al., 2006] Konak, A., Coit, D. W., Smith, A. E., 2006. Multi-objective optimization using genetic algorithms: A tutorial. Reliability Engineering and System Safety, Vol. 91, Issue 9, pp. 992-1007. [Koutsourelakis et al., 2004] Koutsourelakis, P. S., Pradlwarter, H. J., Schueller, 2004. Reliability of structures in high dimensions, Part I: algorithms and application. Probabilistic Engineering Mechanics (19), pp. 409-417. [Krzykacz-Hausmann, B., 2006] Krzykacz-Hausmann, B., 2006. An approximate sensitivity analysis of results from complex computer models in the presence of epistemic and aleatory uncertainties. Reliability Engineering and System safety, 91, pp. 1210-1218. [Lewis, 1994] Lewis, E. E., 1994. Introduction to reliability engineering – Second edition, John Wiley and Sons, Inc. [Liel et al., 2009] Liel, A. B., Haselton, C. B., Deierlein, G. G., Baker, J. W., 2009. Incorporating modeling uncertainties in the assessment of seismic collapse risk of buildings. Structural Safety, 31(2), pp. 197-211. [Lu et al., 2008] Lu, Z., Song, S., Yue, Z., Wang, J., 2008. Reliability sensitivity method by Line Sampling. Structural Safety, vol. 30, pp. 517-532. [MacKay et al., 1979] MacKay, M. D., Beckman, R. J., Conover, W. J., 1979. A comparison of three methods for selecting values of input variables in the analysis of output from a computer code. Technometrics, 21(2), pp. 239-245. [Mackay et al., 2008] Mackay F. J., Apostolakis, G. E., Hejzlar, P., 2008. Incorporating reliability analysis into the design of passive cooling systems with an application to a gas-cooled reactor. Nuclear Engineering and Design, 238(1), pp. 217-228. 83

REFERENCES [Mao and Mahadevan, 2000] Mao, H. and Mahadevan, S., 2000. Reliability analysis of creep– fatigue failure. Int. J. Fatigue, 22: pp. 789-797. [Marquès et al., 2005] Marquès, M., Pignatel, J. F., Saignes, P., D’ Auria, F., Burgazzi, L., Müller, C., Bolado-Lavin, R., Kirchsteiger, C., La Lumia, V., Ivanov, I., 2005. Methodology for the reliability evaluation of a passive system and its integration into a probabilistic safety assessment. Nuclear Engineering and Design, 235, 2612-2631. [Marrel et al., 2009] Marrel, A., Iooss, B., Laurent, B., Roustant, O., 2009. Calculations of Sobol indices for the Gaussian process metamodel. Reliability Engineering and System Safety, vol., 94, pp. 742-751. [Marseguerra et al., 2006] Marseguerra, M., Zio, E., Martorell, S., 2006. Basics of genetic algorithms optimization for RAMS applications. Reliability Engineering and System Safety, Vol. 91, No. 9, pp. 977-991. [Mathews et al., 2008] Mathews, T. S., Ramakrishnan, M., Parthasarathy, U., John Arul, A., Senthil Kumar, C., 2008. Functional reliability analysis of safety grade decay heat removal system of Indian 500 MWe PFBR. Nuclear Engineering and Design, 238(9), pp. 2369-2376. [Mathews et al., 2009] Mathews, T.S., Arul, A.J., Parthasarathy, U., Kumar, C.S., Ramakrishnan, M., Subbaiah, K.V., 2009. Integration of functional reliability analysis with hardware reliability: An application to safety grade decay heat removal system of Indian 500 MWe PFBR. Annals of Nuclear Energy, 36, pp. 481-492. [Metropolis et al., 1953] Metropolis, N., Rosenbluth, A. W., Rosenbluth, M. N. and Taller, A. H., 1953. Equations of state calculations by fast computing machines. Journal of Chemical Physics, 21(6), pp. 1087-1092. [Morris, 2000] Morris, M. D., 2000. Three technometrics experimental design classics. Technometrics, 42(1), pp. 26-27. [Nataf, 1962] Nataf, A., 1962. Determination des distribution dont les marges sont donnees. Comptes Rendus I’ acad. Sci., 225, pp. 42-43. [Nayak et al., 2008a] Nayak, A. K., Gartia, M. R., Antony, A., Vinod, G., Sinha, R. K., 2008. Passive system reliability analysis using the APSRA methodology. Nuclear Engineering and Design, 238, pp. 1430-1440. [Nayak et al., 2008b] Nayak, A. K., Jain, V., Gartia, M. R., Srivastava, A., Prasad, H., Anthony, A., Gaikwad, A. J., Bhatia, S. K., Sinha, R. K., 2008. Reliability assessment of passive isolation condenser system using APSRA methodology. Annals of Nuclear Energy, 35, pp. 2270-2279. [Nayak et al., 2009] Nayak, A. K., Jain, V., Gartia, M. R., Prasad, H., Anthony, A., Bhatia, S. K., Sinha, R. K., 2009. Reliability assessment of passive isolation condenser system of AHWR using APSRA methodology. Reliability Engineering and System Safety, 94, pp. 1064-1075. [NUREG-1150, 1990] NUREG-1150, 1990. Severe accident risk: an assessment for five US nuclear power plants, US Nuclear Regulatory Commission. [NUREG-CR-6850, 2005] NUREG-CR-6850, 2005. EPRI/NRC-RES Fire PRA methodology for nuclear power facilities, Volume 2: detailed methodology. US Nuclear Regulatory Commission. [Olsson et al., 2003] Olsson, A., Sabdberg, G., Dahlblom, O., 2003. On Latin hypercube sampling for structural reliability analysis. Structural Safety, 25, pp. 47-68. [Pagani, 2004] Pagani, L., 2004. On the quantification of safety margins. Ph. D. dissertation thesis, Massachusetts Institute of Technology. [Pagani et al., 2005] Pagani, L., Apostolakis, G. E. and Hejzlar, P., 2005. The impact of uncertainties on the performance of passive systems. Nuclear Technology, 149, 129140. 84

REFERENCES [Paris, 1961] Paris, P. C., 1961. A rational analytic theory of fatigue. The trend of engineering at the university of Washington, 13(1), 9. [Patalano et al., 2008] Patalano, G., Apostolakis, G. E., Hejzlar, P., 2008. Risk-informed design changes in a passive decay heat removal system. Nuclear Technology, vol. 163, pp. 191-208. [Pebesma and Heuvelink, 1999] Pebesma E. J., Heuvelink, G. B. M., 1999. Latin hypercube sampling of Gaussian random fields. Technometrics, 41(4), pp. 203-212. [Pedroni et al., 2009] Pedroni, N., Zio, E., Apostolakis, G. E., 2009. Comparison of bootstrapped Artificial Neural Networks and quadratic Response Surfaces for the estimation of the functional failure probability of a thermal-hydraulic passive system. Reliability Engineering and System Safety, doi: 10.1016/j.ress.2009.11.009. [Pourgol-Mohamad et al., 2009] Pourgol-Mohamad, M., Mosleh, A., Modarres, M., 2009. Methodology for the use of experimental data to enhance model output uncertainty assessment in thermal hydraulics codes. Reliability Engineering and System Safety, doi: doi:10.1016/j.ress.2009.08.003. [Pradlwarter et al., 2005] Pradlwarter, H. J., Pellissetti, M. F., Schenk, C. A., Schueller, G. I., Kreis, A., Fransen, S., Calvi, A., Klein, M., 2005. Realistic and efficient reliability estimation for aerospace structures. Computer Methods in Applied Mechanics and Engineering, 194, pp. 1597-1617. [Pradlwarter et al., 2007] Pradlwarter, H. J., Schueller, G. I., Koutsourelakis, P. S., Charmpis, D. C., 2007. Application of line sampling simulation method to reliability benchmark problems. Structural Safety, 29, pp. 208-221. [Ricotti et al., 2002] Ricotti, M. E., Zio, E., D’ Auria, F., Caruso, G., 2002. Reliability methods for passive systems (RMPS) study strategy and results. In: NEA CSNI/WGRISK Workshop on Passive Systems Reliability – A Challenge to Reliability, Engineering and Licensing of Advanced Nuclear Power Plants, Cadarache, France, March 4-6. [Rohde et al. 2008] Rohde, M., Marcel, C. P., Manera, A., Van der Hagen, T. H. J. J., Shiralkar, B., 2008. Investigating the ESBWR stability with experimental and numerical tools: a comparative study. Nuclear Engineering and Design, 240(2), pp. 275-384. [Rosenblatt, 1952] Rosenblatt, M., 1952. Remarks on multivariate transformations. Ann. Math. Stat., 23(3), pp. 470-472. [Rumelhart et al., 1986] Rumelhart, D. E., Hinton, G. E., Williams, R. J., 1986. Learning internal representations by error back-propagation. In Rumelhart, D. E. and McClelland, J. L. (Eds.), Parallel distributed processing: exploration in the microstructure of cognition (vol. 1). Cambridge (MA): MIT Press. [Sallaberry et al., 2008] Sallaberry, C. J., Helton, J. C., Hora, S. C., 2008. Extension of Latin Hypercube samples with correlated variables. Reliability Engineering and System Safety, 93(7), pp. 1047-1059. [Saltelli et al., 2008] Saltelli, A., Ratto, M., Andres, T., Campolongo, F., Cariboni, J., Gatelli, D., Saisana, M., Tarantola, S., 2008. Global sensitivity analysis. The Primer. John Wiley and Sons Ltd. [Schueller, 2007] Schueller, G. I., 2007. On the treatment of uncertainties in structural mechanics and analysis. Computers and Structures, 85, pp. 235-243. [Schueller, 2009] Schueller, G. I., 2009. Efficient Monte Carlo simulation procedures in structural uncertainty and reliability analysis - recent advances. Journal of Structural Engineering and Mechanics, 32(1):1–20, 2009. [Schueller and Pradlwarter, 2007] Schueller, G. I., Pradlwarter, H. J., 2007. Benchmark study on reliability estimation in higher dimensions of structural systems – An overview. Structural Safety, 29(3), pp. 167-182. 85

REFERENCES [Schueller et al., 2004] Schueller, G. I., Pradlwarter, H. J., Koutsourelakis, P. S., 2004. A critical appraisal of reliability estimation procedures for high dimensions. Probabilistic Engineering Mechanics, 19, pp. 463-474. [Secchi et al., 2008] Secchi, P., Zio, E., Di Maio, F., 2008. Quantifying uncertainties in the estimation of safety parameters by using bootstrapped artificial neural networks. Annals of Nuclear Energy, 35, pp. 2338-2350. [Storlie et al., 2008] Storlie, C. B., Helton, J. C., 2008. Multiple predictor smooting methods for sensitivity analysis: Description of techniques. Reliability Engineering and System Safety, vol. 93, pp. 28-54. [Storlie et al., 2009] Storlie C.B., Swiler L.P., Helton J.C., Sallaberry C.J., 2009. Implementation and evaluation of nonparametric regression procedures for sensitivity analysis of computationally demanding models. Reliability Engineering and System Safety 2009; 94: 1735-1763. [Thunnissen et al., 2007] Thunnissen, D. P., Au, S. K. and Tsuyuki, G. T, 2007. Uncertainty quantification in estimating critical spacecraft component temperature. AIAA Journal of Thermal Physics and Heat Transfer, 21(2), pp. 422-430. [USNCR, 1998] USNRC, 1998. “An approach for using probabilistic risk assessment in riskinformed decisions on plant-specific changes to the licensing basis.” NUREG-1.174, US Nuclear Regulatory Commission, Washington, DC. [Valdebenito et al., 2009] Valdebenito, M. A., Pradlwarter, H. J., Schueller, G. I., 2009. The role of the design point for calculating failure probabilities in view of dimensionality and structural nonlinearities. Structural Safety, 32(2), pp. 101-111. [Volkova et al., 2008] Volkova, E., Iooss, B., Van Dorpe, F., 2008. Global sensitivity analysis for a numerical model of radionuclide migration from the RRC “Kurchatov Institute” redwaste disposal site. Stoch Environ Res Assess, 22: pp. 17-31. [Zio, 2006] Zio, E., 2006. A study of the bootstrap method for estimating the accuracy of artificial neural networks in predicting nuclear transient processes. IEEE Transactions on Nuclear Science, 53(3), pp.1460-1470. [Zio and Apostolakis, 1996] Zio, E., and Apostolakis, G. E., 1996. Two methods for the structured assessment of model uncertainty by experts in performance assessment in radioactive waste repositories. Eliability Engineering and System Safety, Vol. 54, No. 2, 225-241. [Zio et al., 2003] Zio, E., Cantarella, M., Cammi, A., 2003. The analytic hierarchy process as a systematic approach to the identification of important parameters for the reliability assessment of passive systems. Nuclear Engineering and Design, 226, 311-336. [Zio and Pedroni, 2009a] Zio, E., Pedroni, N., 2009. An optimized Line Sampling method for the estimation of the failure probability of nuclear passive systems. Submitted to Reliability Engineering and System Safety. [Zio and Pedroni, 2009b] Zio, E., Pedroni, N., 2009. Building confidence in the reliability assessment of thermal-hydraulic passive systems. Reliability Engineering and System Safety, vol. 94(2), pp. 268-281. [Zio and Pedroni, 2009c] Zio, E. and Pedroni, N., 2009. Estimation of the functional failure probability of a thermal-hydraulic passive systems by means of Subset Simulation. Nuclear Engineering and Design, 239, pp. 580-599. [Zio and Pedroni, 2009d] Zio, E. and Pedroni, N., 2009. Functional failure analysis of a thermal-hydraulic passive system by means of Line Sampling. Reliability Engineering and System Safety, 94(11), pp. 1764-1781. [Zio and Pedroni, 2009e] Zio, E., Pedroni, N., 2009. Reliability Estimation by Advanced Monte carlo Simulation. Accepted for publication in: Faulin, Juan, Martorell, RamirezMarquez (Eds.), Simulation Methods for Reliability and Availability of Complex Systems (series: Reliability Engineering), Springer. 86

 

Paper I Estimation of the functional failure probability of a thermal-hydraulic passive system by Subset Simulation E. Zio and N. Pedroni Nuclear Engineering and Design 239 (2009) 580-599

Estimation of the functional failure probability of a thermal-hydraulic passive system by Subset Simulation E. Zio and N. Pedroni Dept. of Energy, Polytechnic of Milan, Via Ponzio 34/3, 20133 Milan, Italy Phone: +39-2-2399-6340; fax: +39-2-2399-6309 E-mail address: [email protected]

Abstract In the light of epistemic uncertainties affecting the model of a thermal-hydraulic (T-H) passive system and the numerical values of its parameters, the system may find itself in working conditions which do not allow it to accomplish its function as required. The estimation of the probability of these functional failures can be done by Monte Carlo (MC) sampling of the uncertainties in the model followed by the computation of the system response by a mechanistic T-H code. The procedure requires considerable computational efforts for achieving accurate estimates. Efficient methods for sampling the uncertainties in the model are thus in order. In this paper, the recently developed Subset Simulation (SS) method is considered for improving the efficiency of the random sampling. The method, originally developed to solve structural reliability problems, is founded on the idea that a small failure probability can be expressed as a product of larger conditional probabilities of some intermediate events: with a proper choice of the conditional events, the conditional probabilities can be made sufficiently large to allow accurate estimation with a small number of samples. Markov Chain Monte Carlo (MCMC) simulation, based on the Metropolis algorithm, is used to efficiently generate the conditional samples, which is otherwise a nontrivial task. The method is here developed for efficiently estimating the probability of functional failure of an emergency passive decay heat removal system in a simple steady-state model of a Gascooled Fast Reactor (GFR). The efficiency of the method is demonstrated by comparison to the commonly adopted standard Monte Carlo Simulation (MCS). Keywords: Functional failure probability, natural circulation, Gas-cooled Fast Reactor, efficient random sampling, Markov Chain Monte Carlo, sensitivity analysis.

PAPER I – E. Zio, N. Pedroni / Nuclear Engineering and Design 239 (2009) 580-599

1 Introduction In the nuclear safety, the expanded consideration of severe accidents, the increased safety requirements and the goal of introducing effective, yet physically transparent, safety functions has led to a growing interest in passive systems for the safety of the future nuclear reactors. As a result, all innovative reactor concepts make use of passive safety features, to a large extent in combination with active safety and operational systems (Mackay et al., 2008; Nayak et al., 2008). According to the International Atomic Energy Agency (IAEA) definitions, a passive system does not need external input (especially energy) to operate (IAEA, 1991). Thus, passive systems are expected to contribute significantly to safety by combining their peculiar characteristics of simplicity, reduction of human interaction and reduction or avoidance of hardware failures (Mathews et al., 2008). However, the uncertainties involved are usually larger than in active systems due to lack of data on some underlying phenomena and scarce or null operating experience over the wide range of conditions encountered during operation (Pagani et al., 2005). Thus, in practice there is a nonzero probability that the physical phenomena involved in the passive system operation lead to failure of performing the intended function even if safety margins are present. In fact, deviations in the natural forces and in the conditions of the underlying physical principles from the expected ones can impair the function of the system itself (Burgazzi, 2003; Marques et al., 2005; Burgazzi, 2007b). The quantification of the probability of this occurrence is an issue of concern both for the “nominal” passive systems (e.g., the ESBWR operating in nominal conditions) (Juhn et al., 2000; Rohde et al. 2008) and the “emergency” passive systems (e.g., accumulators, isolation condensers, etc.) (Chung et al., 2008). In the following, the discussion will focus on the latter type of systems. In recent years, several methodologies have been proposed in the open literature to quantify the probability that T-H passive systems fail to perform their functions. A number of methods adopt the system reliability analysis framework. In (Aybar et al., 1999), a dynamic methodology based on the cell-to-cell mapping technique has been used for the reliability analysis of an inherently safe Boiling Water Reactor (BWR). In (Burgazzi, 2007b), the failure probability is evaluated as the probability of occurrence of different independent failure modes, a priori identified as leading to the violation of the boundary conditions and/or physical mechanisms needed for successful passive system operation. In (Burgazzi, 2002), modeling of the passive system is simplified by linking to the modeling of the unreliabilities of the hardware components of the system: this is achieved by identifying the hardware failures that degrade the natural mechanisms upon which the passive system relies and associating the relative unreliabilities of the components designed to assure the best conditions for passive function performance. This concept is also at the basis of the Assessment of Passive System ReliAbility (APSRA) approach which has been applied to the reliability analysis of the natural circulation-based Main Heat Transport (MTH) system of an Indian Heavy Water Reactor (HWR) (Nayak et al., 2008). An alternative approach is founded on the introduction of the concept of functional failures, within the reliability physics framework of load-capacity exceedance (Burgazzi, 2003; Burgazzi, 2007b): a passive system fails to perform its function due to deviations from its expected behavior which lead the load imposed on the system to overcome its capacity. This concept is at the basis of the methodologies known as Reliability Evaluation of PAssive Safety (REPAS) systems (D’ Auria et al., 2002; Jafari et al., 2003; Zio et al., 2003) and Reliability Methods for Passive Safety (RMPS) functions (Marquès et al., 2005), which have been developed and employed for the analysis of passive Residual Heat Removal Systems 2

PAPER I – E. Zio, N. Pedroni / Nuclear Engineering and Design 239 (2009) 580-599

(RHRSs) of Light Water Reactors (LWRs). Similar approaches have been used also to evaluate the failure probabilities of decay heat removal systems in Gas-cooled Fast Reactors (GFRs) (Pagani et al., 2005; Bassi and Marquès, 2008; Mackay et al., 2008) and sodiumcooled Fast Breeder Reactors (FBRs) (Mathews et al., 2008). In these works, the passive system is modeled by a detailed, mechanistic T-H system code and the probability of not performing the required function is estimated based on a Monte Carlo (MC) sample of code runs which propagate the epistemic (state-of-knowledge) uncertainties in the model describing the system and the numerical values of its parameters. Because of the existence of these uncertainties, it is possible that even if no hardware failure occurs, the system may not be able to accomplish its mission. The functional failure-based approach provides in principle the most realistic assessment of the T-H system, thanks to the flexibility of Monte Carlo simulation which does not suffer from any T-H model complexity and, therefore, does not force to resort to simplifying approximations. However, it requires considerable and often prohibitive computational efforts. The reason is twofold: first, long calculations (several hours) are typically necessary for each run of the detailed, mechanistic T-H code (one code run is required for each sample of values drawn from the uncertainty distributions); second, since the probabilities of functional failures are very small, a large number of samples (inversely proportional to the functional failure probability) is necessary to achieve an acceptable accuracy in their estimation (Schueller, 2007). This calls for new simulation techniques that allow performing robust estimations with limited number of input samples and associated computational time. In this respect, a promising approach is offered by Subset Simulation (SS), originally developed to tackle the multidimensional problems of structural reliability (Au and Beck, 2001). Structural reliability problems are naturally formulated within the functional failurebased framework of reliability physics, because structural systems fail when the load applied (i.e., the stress) exceeds their capacity (i.e., the resistance) (Lewis, 1991; Schueller and Pradlwarter, 2007). By analogy, SS is well suited for the quantitative analysis of the functional failures of T-H passive systems, where the failures are specified in terms of one or more safety variables (e.g., temperatures, pressures, flow rates, ...) crossing the safety thresholds specified by the regulating authorities (Bassi and Marques, 2008; Mackay et al., 2008; Mathews et al., 2008; Patalano et al., 2008). In the SS approach, the functional failure probability is expressed as a product of conditional probabilities of some chosen intermediate and thus more frequent events (for example, if a structure is assumed to fail when the load exceeds 300 kN, then intermediate events could be represented by the load exceeding 100, 150 and 250 kN, respectively). The problem of evaluating the small probabilities of functional failures is thus tackled by performing a sequence of simulations of more frequent events in their conditional probability spaces; the necessary conditional samples are generated through successive Markov Chain Monte Carlo (MCMC) simulations (Metropolis et al., 1953), in a way to gradually populate the intermediate conditional regions until the final functional failure region is reached. In this paper, SS is applied within a functional failure framework of analysis regarding a natural convection-based decay heat removal system of a Gas-cooled Fast Reactor (GFR) (Pagani, 2004; Pagani et al., 2005). To the best of the authors’ knowledge, this is the first time that the SS method is applied to such kind of systems. The benefits gained by the use of SS are demonstrated by comparison with respect to standard MCS. Furthermore, a sensitivity analysis based on the conditional samples is carried out to determine the contributions of the individual uncertain parameters (i.e., the inputs to the T-H code) to the functional failure probability. 3

PAPER I – E. Zio, N. Pedroni / Nuclear Engineering and Design 239 (2009) 580-599

2 Functional failure analysis of T-H passive systems A procedure for the quantitative analysis of functional failures has been proposed within an European Commission (EC) supported project called Reliability Methods for Passive Safety (RMPS) functions. The underpinning elements of the method are (Marquès et al., 2005; Bassi and Marquès, 2008): i) the detailed modelling of the system response by means of a deterministic T-H code, ii) the identification of the parameters which contribute to the uncertainty in the results of the T-H calculations and iii) the propagation of these uncertainties through the T-H code to estimate the probability of functional failure. For completeness of the paper, the conceptual development of the methodology is here summarized in the following steps (Marquès et al., 2005): 1. Characterize the accident scenarios in which the passive system under consideration will be demanded to operate. 2. Define the function that the passive system is expected to perform, in terms of the protection and mitigation goals for which the passive system has been designed. For instance, the function of the passive system could be the decay heat removal, the vessel cooling and depressurization. 3. Identify the design parameters related to the reference system configuration and corresponding nominal function (e.g., power level, system pressure, heat exchanger initial wall temperature, …) (D’ Auria et al., 2002). 4. Identify the possible failure modes of the passive system for the accident scenario under consideration (Burgazzi, 2004; Burgazzi, 2006). 5. Evaluate the failure criteria on the basis of the system function (step 2.) and failure modes (step 4.). The occurrence of a failure is verified by comparison between the real performance of the passive system and the expected performance in nominal conditions. Reactor parameters can be adopted as indicators of the performance of the passive system: for instance, the failure criterion can be based on the maximal clad temperature reached during a specific period (Marquès et al., 2005; Pagani et al., 2005; Bassi and Marquès, 2008; Mackay et al., 2008; Mathews et al., 2008). Another possibility consists in identifying as performance indicators one or more variables or parameters characteristic of the passive system itself (e.g., thermal power exchanged in the cooler or mass flow rate at the cooler inlet). Again, the failure criteria can be set as single-targets (e.g. the system must deliver a specific quantity of liquid within a fixed time) or as a function of time targets or as integral values over a mission time (e.g. the system must reject at least a mean value of thermal power during the entire system intervention) (D’ Auria et al., 2002; Jafari et al., 2003; Zio et al., 2003; Zio and Pedroni, 2008). 6. Build a mechanistic, best estimate T-H model to simulate the system accident response and perform best estimate calculations (Gläser, 2002). 7. Identify the potentially important contributors to uncertainty in the results of the best estimate T-H calculations. These uncertainties are both of aleatory kind, because of the stochasticity in the occurrence of some phenomena (e.g., the occurrence of an accident scenario, the failure of a component, ...), and of epistemic nature, because of the limited knowledge on some phenomena and processes and the paucity of the relative operational and experimental data available (e.g., the models, correlations and parameters used in the T-H analysis) (Apostolakis, 1990). 8. Represent the uncertainties in the identified relevant parameters, models and correlations by selecting proper probability distributions. These distributions quantify the state of knowledge on such parameters, in a Bayesian sense (Pagani et al., 2005; Burgazzi, 2007b). 4

PAPER I – E. Zio, N. Pedroni / Nuclear Engineering and Design 239 (2009) 580-599

9. Propagate the uncertainties associated to the identified relevant parameters, models and correlations (steps 7. and 8. above) through the deterministic T-H code in order to estimate the functional failure probability of the passive system conditional on the current state of knowledge about the phenomena involved (step 8. above) (Bassi and Marques, 2008; Mackay et al., 2008; Mathews et al., 2008; Patalano et al., 2008). Different methods can be used to quantify the passive system functional failure probability. Let x = {x1, x2, …, xi, …, xn} be the vector of the relevant system parameters, Y( x ) be the identified safety variable and αY the threshold value defining the corresponding failure criterion. For illustrating purposes, let us assume that the passive system operates as long as Y( x ) < αY (Figure 1). Introducing the so called Limit State Function (LSF) or Performance Function (PF) as GY ( x ) = Y ( x ) − α Y , one can write ⎧ < 0 for function successfully performed ⎪ (1) GY ( x ) = Y ( x ) − α Y ⎨= 0 at limit state ⎪ > 0 for failure of performing the function ⎩ In the light of the current limited state of knowledge and the consequent uncertainties in the model representation of the system behavior, the probability of functional failure, P(F), is given by the following integral: P (F ) = ∫∫ ...∫ I F ( x1 , x2 , ..., xi , ..., xn )q( x1 , x2 , ..., xi , ..., xn )dx1dx2 ...dxi ...dxn (2)

where q (⋅) is the joint Probability Density Function (PDF) representing the uncertainty in the parameters x , F is the failure region (i.e., the region where GY(·) > 0) and IF(·) is an indicator function such that IF(x) = 1, if x ∈ F and IF(x) = 0, otherwise. In practice, the multidimensional integral (2) can not be easily evaluated. Monte Carlo (MC) simulation is an effective mean of estimating its value, albeit it implies sampling from the multidimensional joint PDF which is in general a nontrivial task (Schueller, 2007). Indeed, the MC solution to (2) entails that a large number NT of samples of the values of the system parameters be drawn from q (⋅) and used to evaluate the LSF (1). An estimate Pˆ (F ) of the probability of failure P(F) in

(2) can then be computed by dividing the number of times GY(·) > 0 by the total number of samples NT. It can be demonstrated that this estimate is unbiased and consistent, i.e. that as NT approaches infinity, Pˆ ( F ) approaches the true failure probability P(F). In general, given the high dimensionality of the problem and the large dimension of the relative sample space compared to the failure region of interest, a large number of samples is necessary to achieve an acceptable estimation accuracy. This leads to very large computing times due to the long calculations (several hours) of the detailed, best-estimate code (one code run for each sample of parameter values drawn). One problem associated to this approach to functional failure analysis is the computing cost related to the estimation of the functional failure probability (Marquès et al., 2005). This calls for the development of simulation techniques that allow performing robust estimations while reducing as much as possible the number of input samples drawn and the associated computational time: this issue is addressed in the following Section by resorting to an innovative MC sampling technique called Subset Simulation (Au and Beck, 2001).

5

PAPER I – E. Zio, N. Pedroni / Nuclear Engineering and Design 239 (2009) 580-599

Figure 1. Functional failure concept: the passive system is assumed to fail when its safety variable Y(x) exceeds a given failure threshold αY

3 Improving the Simulation

efficiency

of

random

sampling:

Subset

Subset Simulation (SS) is an adaptive stochastic simulation method for efficiently computing small failure probabilities, originally developed for the reliability analysis of structural systems (Au and Beck, 2001). Structural reliability problems are naturally formulated within a functional failure framework of analysis, because structural systems fail whenever the load applied (i.e., the stress) exceeds their capacity (i.e., the resistance) (Lewis, 1991; Schueller and Pradlwarter, 2007). This makes SS suitable for application to the functional reliability analysis of T-H passive systems, where the failure is specified in terms of one or more safety variables (e.g., temperatures, pressures, flow rates, ...) crossing the safety thresholds specified by the regulating authorities (Bassi and Marques, 2008; Mackay et al., 2008; Mathews et al., 2008; Patalano et al., 2008). The idea underlying the SS method is to express a (small) failure probability as a product of (larger) probabilities conditional on some intermediate events (for example, if a structure is assumed to fail when the load exceeds 300 kN, then plausible intermediate events could be represented by the load exceeding 100, 150 and 250 kN, respectively). This allows converting a rare event simulation into a sequence of simulations of more frequent events. During simulation, the conditional samples are generated by means of a Markov chain designed so that the limiting stationary distribution is the target conditional distribution of some adaptively chosen intermediate event; by so doing, the conditional samples gradually populate the successive intermediate regions up to the target (rare) failure region (Au and Beck, 2003).

3.1 Basics of the method For a given target failure event F of interest, let F1 ⊃ F2 ⊃ ... ⊃ Fm = F be a sequence of intermediate events, so that Fk = ∩ ik=1 Fi , k = 1, 2, …, m. By sequentially conditioning on the event Fi, the failure probability P(F) can be written as m −1

P( F ) = P( Fm ) = P( F1 )∏ P( Fi +1 | Fi ) .

(3)

i =1

6

PAPER I – E. Zio, N. Pedroni / Nuclear Engineering and Design 239 (2009) 580-599

Notice that even if P(F) is small, the conditional probabilities involved in (3) can be made sufficiently large by appropriately choosing m and the intermediate events {Fi, i = 1, 2, …, m – 1}. The original idea of SS is to estimate the failure probability P(F) by estimating P(F1) and {P ( Fi +1 | Fi ) : i = 1, 2, ..., m − 1}. Standard MCS can be used to estimate P(F1). On the contrary, computing the conditional probabilities in (3) by MCS entails the non-trivial task of sampling from the conditional distributions of x given that it lies in Fi, i = 1, 2, ..., m – 1, i.e. from q( x | Fi ) = q( x ) I Fi ( x ) / P( F ) . In this regard, Markov Chain Monte Carlo (MCMC) simulation provides a powerful method for generating samples conditional on the failure region Fi, i = 1, 2, ..., m – 1 (Au and Beck, 2001; Au and Beck, 2003). For completeness of the paper, the related algorithm is presented in the Appendix.

3.2 The Subset Simulation algorithm In the actual SS implementation, with no loss of generality it is assumed that the failure event of interest can be defined in terms of the value of a critical response variable Y of the system under analysis being higher than a specified threshold level y, i.e., F = {Y > y}. The sequence of intermediate events {Fi : i = 1, 2, ..., m} can then be correspondingly defined as Fi = {Y > y i }, i = 1, 2, ..., m , where 0 < y1 < y 2 < ... < y i < ... < y m = y is an increasing sequence of intermediate threshold values (Au and Beck, 2001; Au and Beck, 2003). The choice of the sequence {y i : i = 1, 2, ..., m} affects the values of the conditional probabilities {P ( Fi +1 | Fi ) : i = 1, 2, ..., m − 1} in (3) and hence the efficiency of the SS procedure. In particular, choosing the sequence {y i : i = 1, 2, ..., m} a priori makes it difficult to control the values of the conditional probabilities {P ( Fi +1 | Fi ) : i = 1, 2, ..., m − 1} . For this reason, in this work, the intermediate threshold values are chosen adaptively in such a way that the estimated conditional probabilities are equal to a fixed value p0 (p0 = 0.1 has been used) (Au and Beck, 2001; Au and Beck, 2003). The SS algorithm proceeds as follows (Figure 2): k 1. Sample N vectors x 0 : k = 1, 2, ..., N by standard MCS, i.e., from the original probability density function q(·). The subscript ‘0’ denotes the fact that these samples correspond to ‘Conditional Level 0’; 2. Set i = 0; k 3. Compute the values of the response variable Y ( x i ) : k = 1, 2, ..., N ; 4. Choose the intermediate threshold value yi+1 as the (1 – p0)Nth value in the increasing k list of values Y ( x i ) : k = 1, 2, ..., N (computed at step 3. above) to define Fi+1 = {Y > yi+1}. By so doing, the sample estimate of P(Fi+1|Fi) = P(Y > yi+1|Y > yi) is equal to p0 (note that it has been implicitly assumed that p0N is an integer value); 5. If yi+1 ≥ ym, proceed to 10. below; 6. Viceversa, i.e. if yi+1 < ym, with the choice of yi+1 performed at step 4. above, identify k u the p0N samples x i : u = 1, 2, ..., p0 N among x i : k = 1, 2, ..., N whose response Y lies in Fi+1 = {Y > yi+1}: these samples are at ‘Conditional level i + 1’ and distributed as q(⋅ | Fi +1 ) ;

{

}

{

{

}

}

{

{

}

{

u

}

}

7. Starting from each one of the samples x i : u = 1, 2, ..., p0 N (identified at step 6. above), use MCMC simulation to generate (1 – p0)N additional conditional samples

7

PAPER I – E. Zio, N. Pedroni / Nuclear Engineering and Design 239 (2009) 580-599

distributed as q(⋅ | Fi +1 ) , so that there are a total of N conditional samples

{x

k i +1

}

: k = 1, 2, ..., N ∈ Fi +1 , at ‘Conditional level i + 1’; 8. Set i ← i + 1; 9. Return to step 3. above; 10. Stop the algorithm.

Notice that the total number of samples employed is NT = N + (m – 1)(1 – p0)N. For clarity sake, a step-by-step illustration of the procedure for Conditional levels 0 and 1 is provided in Figure 3 by way of example.

Figure 2. Flow diagram of the SS algorithm

8

PAPER I – E. Zio, N. Pedroni / Nuclear Engineering and Design 239 (2009) 580-599

Figure 3. Illustration of the SS procedure: a) Conditional level 0: Standard Monte Carlo simulation; b) Conditional level 0: adaptive selection of y1; c) Conditional level 1: Markov Chain Monte Carlo simulation; d) Conditional level 1: adaptive selection of y2 (Au, 2005) Notice that the procedure is such that the response values {y i : i = 1, 2, ..., m} at the specified probability levels P ( F1 ) = p 0 , P( F2 ) = p( F2 | F1 ) P( F1 ) = p 02 , …, P( Fm ) = p 0m are estimated, rather than the failure probabilities P ( F1 ) , P ( F2 | F1 ) , …, P ( Fm | Fm −1 ) , which are a priori fixed at p0. In this view, SS is a method for generating samples whose response values correspond to specified probability levels, rather than for estimating probabilities of specified failure events. As a result, it produces information about P(Y > y ) versus y at all the simulated values of Y rather than at a single value of y. This feature is important because the whole trend of P(Y > y ) versus y obviously provides much more information than a point estimate (Au, 2005).

3.3 Qualification proof of Subset Simulation It can be demonstrated that the number of samples NT required to obtain a given accuracy r (i.e., variance) for the estimator of the failure probability P(F) is roughly N T ∝ log P(F ) ,

where r ≤ 3. Compared to Standard MCS, where N T ∝ 1 / P (F ) , this implies a substantial improvement in efficiency when estimating small failure probabilities. For example, it can be shown that the number of samples required by Standard MCS for estimating target failure probabilities of P(F) = 10-3 and 10-6 with a given accuracy is 4 and 1030 times larger than that required by SS to obtain the same accuracy, respectively (Au and Beck, 2001; Au and Beck, 2003). The demonstration of this property is not given here for brevity sake; the interested reader may refer to (Au and Beck, 2001; Au and Beck, 2003) for the mathematical details and to (Ching et al., 2005; Katafygiotis and Cheung, 2005; Au, 2007; Au et al., 2007; Katafygiotis and Cheung, 2007; Pradlwarter et al., 2007) for illustrative applications to high-dimensional (i.e., n ≥ 100) structural reliability problems. 9

PAPER I – E. Zio, N. Pedroni / Nuclear Engineering and Design 239 (2009) 580-599

4 Functional failure analysis of T-H passive systems: a case study of literature The case study considered in this work involves the natural convection cooling in a Gascooled Fast Reactor (GFR) under a post-Loss Of Coolant Accident (LOCA) condition (Pagani et al., 2005). The reactor is a 600-MW GFR cooled by helium flowing through separate channels in a silicon carbide matrix core whose design has been the subject of study in the past several years at the Massachussets Institute of Technology (MIT) (Okano et al., 2002; Eapen et al., 2002; Williams et al., 2003). In these studies the possibility of using natural circulation to remove the decay heat in case of an accident is demonstrated. In particular, in case of a LOCA, long-term heat removal is ensured by natural circulation in a given number Nloops of identical and parallel heat removal loops. However, in order to achieve a sufficient heat removal rate by natural circulation, it is necessary to maintain an elevated pressure even after the LOCA. This is accomplished by a guard containment, which surrounds the reactor vessel and power conversion unit and holds the pressure at a level that is reached after the depressurization of the system (Pagani et al., 2005). A GFR decay heat removal configuration is shown schematically in Figure 4, where only one loop out of Nloops is reported for clarity sake: the flow path of the cooling helium gas is suggested by the black arrows. As shown in Figure 4, the loop has been divided into Nsections = 18 sections; technical details about the geometrical and structural properties of these sections are not reported here for brevity: the interested reader may refer to (Pagani et al., 2005).

Figure 4. Schematic representation of one loop of the 600-MW GFR passive decay heat removal system (Pagani et al., 2005) In the present analysis, the average core power to be removed is assumed to be 18.7 MW, equivalent to about 3% of full reactor power (600 MW): to guarantee natural circulation cooling at this power level, a pressure of 1650 kPa is required in nominal conditions. Finally, 10

PAPER I – E. Zio, N. Pedroni / Nuclear Engineering and Design 239 (2009) 580-599

the secondary side of the heat exchanger (i.e., item 12 in Figure 4) is assumed to have a nominal wall temperature of 90 °C (Pagani et al., 2005). It is worth noting that as in (Pagani et al., 2005) the subject of the present analysis is the quasi-steady-state natural circulation cooling that takes place after the LOCA transient has occurred. Thus, the analyses hereafter reported refer to this steady-state period and are conditional to the successful inception of natural circulation. As a consequence, the analyses do not consider the probability of not starting natural convection or the probability of not building up and maintaining a high pressure level in the guard containment. A qualitative pictorial representation of the difference between a realistic transient analysis and a quasi steady-state analysis of a natural circulation cooling after an hypothetical LOCA is given in Figure 5. The time evolutions of the fuel cladding temperature (top) and of the naturally circulating mass flow rate (bottom) are represented by solid lines. In a realistic transient analysis (left), both the probability of inception of natural circulation and the dynamic variations of the variables of interest are considered (namely, core power and fuel temperature change and directly affect the natural circulation flow rate, which in turn causes variations in core power and fuel temperature). On the contrary, in the simplified steady-state approach adopted in this work (right), these two issues are not taken into account (Figure 5, right, shaded regions): only the regime values (i.e., the values taken by the variables of interest after the transient has exhausted) are used in the probabilistic analysis (Vijayan, 2002; Pagani et al., 2005; Rao et al., 2006; Vijayan et al., 2007).

11

PAPER I – E. Zio, N. Pedroni / Nuclear Engineering and Design 239 (2009) 580-599

Figure 5. Qualitative comparison between a realistic transient analysis (left) and a simplified quasi steady-state analysis (right) of a natural circulation cooling after a hypothetical LOCA (dashed arrow): the time evolutions of the fuel cladding temperature (top) and of the naturally circulating mass flow rate (bottom) are represented in solid lines. In the quasi steady-state analysis adopted in this work (right), neither the inception of natural circulation nor the transient development (right, shaded region) are taken into account: only the regime values for the variables of interest are considered

4.1 Deterministic T-H model To simulate the steady-state behavior of the system, a one-dimensional thermal-hydraulic MATLAB code developed at MIT has been implemented (Pagani, 2004). The code treats all the Nloops multiple loops as identical and each loop is divided in Nsections = 18 sections (Figure 4). Further, the sections corresponding to the heater (i.e., the reactor core, item 4 in Figure 4) and the cooler (i.e., the heat exchanger, item 12 in Figure 4) are divided in a proper number Nnodes of axial nodes to compute the temperature and flow gradients with sufficient detail (40 nodes are chosen for the present analysis). Both the average and hot channels are modeled in the core so that the increase in temperature in the hot channel due to the radial peaking factor can be calculated (Pagani et al., 2005). From a strictly mathematical point of view, obtaining a steady-state solution amounts to dropping the time dependent terms in the energy and momentum conservation equations (Vijayan, 2002; Rao et al., 2006; Vijayan et al., 2007); in practice, the code balances the pressure losses around the loops so that friction and form losses are compensated by the buoyancy term, while at the same time maintaining the heat balance in the heater (i.e., the reactor core, item 4 in Figure 4) and cooler (i.e., the heat exchanger, item 12 in Figure 4). Equations (4) and (5) in Table 1 govern the heat transfer process in each node l = 1, 2, …, Nnodes of both the heater and the cooler. 12

PAPER I – E. Zio, N. Pedroni / Nuclear Engineering and Design 239 (2009) 580-599

Heat transfer equations  Ql = m c p ,l (Tout ,l − Tin ,l ) , l = 1, 2, …, Nnodes

(4)

m c p ,l (Tout ,l − Tin ,l ) = Sl hl (Twall ,l − Tbulk ,l ) , l = 1, 2, …, Nnodes

Parameter

Description

Q l m l

Heat flux in the lth node

c p ,l Tout ,l Tin ,l Twall ,l Tbulk ,l

(5) Unit of measure kW

Mass flow rate in the lth node

kg/s th

Specific heat at constant pressure in the l node th

Temperature measured at the outlet of the l node th

Temperature measured at the inlet of the l node th

Temperature measured at the wall channel of the l node th

Temperature measured at the bulk of the l node th

kJ/kgK K K K K

Sl

Heat-exchanging surface in the l node

m2

hl

Heat transfer coefficient in the lth node

kW/m2K

Table 1. Equations governing the heat transfer process in each node l = 1, 2, …, Nnodes of both the heater and the cooler of the 600-MW GFR passive decay heat removal system of Figure 4, together with a description of the physical parameters and their units of measure Equation (4) in Table 1 states the equality between the enthalpy increase between the flow at the inlet and the flow at the outlet in any node, whereas equation (5) in Table 1 regulates the heat exchange between the channel wall and the bulk of the coolant. The mass flow rate is determined by a balance between buoyancy and pressure losses along the closed loop according to equation (6) in Table 2.

N sections

∑ s =1

Mass flow rate equation ⎡ Ls m m 2 ⎤ + + ρ gH f K s s ⎢ s s ⎥=0 2 ρ s As2 ⎦ Ds 2 ρ s As2 ⎣ 2

(6)

Parameter

Description

ρs

Coolant density in the sth section of the loop

Unit of measure kg/m3

Hs

Height of the sth section of the loop

m

fs Ls Ds

th

Friction factor in the s section of the loop th

Length of the s section of the loop th

/ m

m As

Hydraulic diameter of the s section of the loop Mass flow rate in the sth section of the loop Flow area of the sth section of the loop

m kg/s m2

Ks

Form loss coefficient of the sth section of the loop

/

Table 2. Equation stating the balance between buoyancy and pressure losses along the closed loop of the 600-MW GFR passive decay heat removal system of Figure 4, together with a description of the physical parameters and their units of measure Equation (6) in Table 2 states that the sum of buoyancy (first term), friction losses (second term) and form losses (third term) should be equal to zero along the closed loop (Pagani et al., 2005). Notice that the heat transfer coefficients hl, l = 1, 2, …, Nnodes, in (5) in Table 1 are functions of fluid characteristics and geometry and are calculated through proper correlations covering 13

PAPER I – E. Zio, N. Pedroni / Nuclear Engineering and Design 239 (2009) 580-599

forced-, mixed- and free-convection regimes in both turbulent and laminar flow (Pagani, 2004); further, different Nusselt number correlations are used in the different regimes to obtain values for the heat transfer coefficients. Also the friction factors fs, s = 1, 2, …, Nsections, in (6) in Table 2 are functions of the fluid characteristics and geometry and are calculated using appropriate correlations (Pagani et al., 2005). An iterative algorithm is used to find a solution that satisfies simultaneously the heat balance and pressure loss equations.

4.2 Uncertainties in the deterministic T-H model The T-H model described in the previous Section 4.1 is a mathematical representation of the behavior of the emergency passive system of Figure 4. Predictions of the system response to given accident conditions are accurate to the extent that the hypotheses made in the mathematical representation, and for its numerical solution, are true. Indeed, concerns arise because of the uncertainties involved in the operation of passive systems and its modeling. On the one side, there are phenomena, like the occurrence of an accident scenario, the time to failure of a component or the random variation of the actual geometrical properties of the system (due to differences between the as-built system and its design upon which the analysis is based) which are random in nature. The associated uncertainty is called aleatory (NUREG1150, 1990; Helton, 1998; USNCR, 1998) and its contribution to functional failure is quite clear: for example, natural circulation could be altered by a random disturbance in the system geometry. In this work, as well as in the reference paper by (Pagani et al., 2005), aleatory uncertainties are not considered for the estimation of the functional failure probability of the T-H passive system of Figure 4. On the other hand, there exists an additional level of uncertainty associated to the lack of knowledge about the properties and conditions of the phenomena (i.e., natural circulation) underlying the behaviour of the passive systems. This uncertainty is called epistemic and it manifests itself in the model representation of the system behaviour, in terms of both (model) uncertainty in the hypotheses assumed and (parameter) uncertainty in the values of the parameters of the model (Cacuci and Ionescu-Bujor, 2004; Helton et al., 2006; Patalano et al., 2008). Model uncertainty arises because mathematical models are simplified representations of real systems and, therefore, their results may be affected by error or bias. Model uncertainty also includes the fact that the model could be too simplified and therefore would neglect some important phenomena affecting the final result. This latter type of uncertainty is sometimes identified independently from model uncertainty and is known as completeness uncertainty (USNCR, 1998). Model uncertainty may for example involve the correlations adopted to describe the T-H phenomena, which are subject to errors of approximation. Such uncertainties may for example be captured by a multiplicative model (Zio and Apostolakis, 1996; Patalano et al., 2008): y = f ( x) ⋅ ε , (7) where y is the real value of the quantity to be predicted (e.g. heat transfer coefficients, friction factors, Nusselt numbers or thermal conductivity coefficients), f(x) is the result of the correlation as computed by the T-H code and ε is the associated multiplicative error factor: as a result, the uncertainty in the quantity y to be predicted is translated into an uncertainty in the multiplicative error factor ε. This error is commonly classified as representing model uncertainty. Furthermore, uncertainty affects the values of the parameters used to describe the system (e.g., power level, pressure, cooler wall temperature, material conductivity, …), e.g. owing to errors in their measurement or insufficient data and information. For example, according to industry practice and experience, an error of 2% is usually considered in the determination of the power level in a reactor, due to uncertainties in the measurements. As a consequence, the 14

PAPER I – E. Zio, N. Pedroni / Nuclear Engineering and Design 239 (2009) 580-599

power level is usually known only to a certain level of precision, i.e., epistemic uncertainty is associated with it (Pagani et al., 2005). The contribution of epistemic uncertainties to the functional failure probability can be explained as follows. If the analyst is scarcely confident about the “goodness” of the correlations adopted to compute, e.g., the heat transfer coefficient in the core during natural convection (e.g., due to the paucity of experimental data available), he/she admits that in a real accident scenario the actual value of the heat transfer coefficient in the core might deviate from the nominal/design one (i.e., different from the value computed by a deterministic correlation). If this variation (accepted as plausible by the analyst) were to take place during an accident scenario, it may cause the T-H passive system to fail performing its safety function; the likelihood of this variation is to be quantified to estimate the functional failure probability at the current state of knowledge. Note that an improvement in the state of knowledge would lead to a change in the epistemic uncertainty distributions and eventually to a more accurate estimate of the system functional failure probability (Figure 6) (Pagani, 2004; Pagani et al., 2005; Bassi and Marques, 2008; Mackay et al., 2008; Mathews et al., 2008; Patalano et al., 2008).

Figure 6. Effect of the state of knowledge improvement (from a. to c.) on the estimate of the probability of functional failure of a T-H passive system (shaded area). The PDFs represent the uncertainty in the safety variable of the passive system (Section 2) determined by both aleatory and epistemic uncertainties: an increase in the state of knowledge will reduce the uncertainty (which can practically be seen as proportional to the width of the PDFs) In this work, only epistemic (i.e., model and parameter) uncertainties are propagated through the deterministic T-H code (Pagani et al., 2005; Bassi and Marques, 2008; Mackay et al., 2008; Mathews et al., 2008; Patalano et al., 2008). Parameter uncertainties are associated to the reactor power level, to the pressure established in the loops after the LOCA and to the wall temperature of the cooler (i.e., the heat exchanger, item 12 in Figure 4); instead, model uncertainties are associated to the correlations used to calculate Nusselt numbers and friction 15

PAPER I – E. Zio, N. Pedroni / Nuclear Engineering and Design 239 (2009) 580-599

factors in forced, mixed and free convection. The nine uncertain input parameters {x j : j = 1, 2, ..., 9} considered in the analysis are summarized in Table 3. Both model and parameter uncertainties associated to the current state of knowledge of the system can be represented by subjective probability distributions within a Bayesian approach to PSA (Apostolakis, 1990; Helton and Davis, 2003; Pagani et al., 2005; Bassi and Marques, 2008; Mackay et al., 2008; Mathews et al., 2008; Patalano et al., 2008). The subjective probability distributions adopted in this study are normal distributions whose mean values correspond to the nominal values of the uncertain parameters and whose standard deviation is proportional to the estimated uncertainty (Table 3, Pagani et al., 2005). Since a thorough analysis of the practical and conceptual reasons underpinning the choices in Table 3 lies far beyond the scopes of this work, it is not reported here for brevity: the interested reader may refer to (Pagani et al., 2005) for details.

Parameter uncertainty Model uncertainty (error factor, ε)

Name

Mean, μ

Standard deviation, σ (% of μ)

Power (MW), x1 Pressure (kPa), x2 Cooler wall temperature (°C), x3 Nusselt number in forced convection, x4 Nusselt number in mixed convection, x5 Nusselt number in free convection, x6 Friction factor in forced convection, x7 Friction factor in mixed convection, x8 Friction factor in free convection, x9

18.7 1650 90 1 1 1 1 1 1

1% 7.5% 5% 5% 15% 7.5% 1% 10% 1.5%

Table 3. Parameter and model uncertainties together with the related subjective probability distributions for the 600-MW GFR passive decay heat removal system of Figure 4 (Pagani et al., 2005) Finally, for clarity sake, the sequential steps undertaken to propagate the epistemic (i.e., model and parameter) uncertainties through the deterministic T-H equations described in the previous Section 4.1 are outlined: Draw samples of the uncertain input parameters x1 (i.e., power), x2 (i.e., pressure) i. and x3 (i.e., cooler wall temperature) from the respective epistemic probability distributions (Table 3); ii. Using the values sampled for input parameters x1, x2 and x3 (step i. above), compute Nusselt numbers and friction factors in forced-, mixed- and free-convection regimes by means of deterministic correlations (Pagani, 2004). In this way, the deterministically computed values of Nusselt numbers and friction factors are dependent on the values of the uncertain input parameters x1, x2 and x3; iii. Draw samples of the multiplicative error factors x4, x5, …, x9, for Nusselt numbers and friction factors in forced-, mixed- and free-convection regimes, from the respective epistemic probability distributions (Table 3); iv. Multiply the deterministic values of Nusselt numbers and friction factors (computed at step ii. above) by the corresponding error factors (sampled at step iii. above). In this way, the model uncertainties (i.e., the multiplicative error factors) are treated independently from the parameter uncertainties; yet, notice that the model uncertainties are applied to the results of deterministic correlations, which in turn depend on the uncertainties in the input parameters (i.e., power, pressure and cooler wall temperature); v. Using an iterative algorithm, find a solution that satisfies simultaneously the heat balance (Table 1 in Section 4.1) and the pressure losses equations (Table 2 in Section 4.1). 16

PAPER I – E. Zio, N. Pedroni / Nuclear Engineering and Design 239 (2009) 580-599

4.3 Failure of the T-H passive system The passive decay heat removal system of Figure 4 is assumed to fail whenever the temperature of the coolant helium leaving the core (item 4 in Figure 4) exceeds either 1200 °C in the hot channel or 850 °C in the average channel: these values are driven by the need to limit the fuel temperature to avoid excessive release of fission gases and to avoid high thermal stresses in the cooler (item 12 in Figure 4) and in the stainless steel cross ducts connecting the reactor vessel and the cooler (items from 6 to 11 in Figure 4) (Pagani et al., 2005). Thus, letting x be the vector of uncertain system parameters (Table 3 in Section 4.2) and hot avg Tout, core ( x ) and Tout,core ( x ) be the coolant outlet temperatures in the hot and average channels, respectively, in correspondence of x , the failure region F can be written as follows: hot avg F = {x : Tout (8) ,core ( x ) > 1200}∪ {x : Tout ,core ( x ) > 850}. In order to apply Subset Simulation, the failure region F in (8) needs to be parametrized with a single parameter so that the sequence of intermediate regions {Fi : i = 1, 2, ..., m} can be generated by varying the parameter (Section 3.2). This is accomplished as follows. For the failure region F in (8), the system performance indicator (Section 2) or system critical response variable (Section 3.2) Y ( x ) can be defined as hot avg ⎧ Tout ⎫ ,core ( x ) Tout ,core ( x ) , (9) Y ( x ) = max ⎨ ⎬. 850 ⎭ ⎩ 1200 Then, it can be easily verified that F = {x : Y ( x ) > 1}. (10) Thus, referring to the notation adopted in Section 2, the failure threshold αY is equal to 1. The sequence of intermediate regions {Fi : i = 1, 2, ..., m} can then be adaptively generated as Fi = {x : Y (x ) > yi }, i = 1, 2, …, m, (11) where 0 < y1 < y2 < … < yi < … < ym = 1 is the sequence of (normalized) intermediate threshold values (Section 3.2). In practice, for a given vector of uncertain inputs x (i.e., of uncertain parameters x1, x2 and x3 and multiplicative error factors x4, x5, …, x9) the steady-state values of both the hot- and the hot avg average channel coolant outlet temperatures Tout, core ( x ) and Tout,core ( x ) are computed by

simultaneously solving the (steady-state) equations for heat balance (Table 1 in Section 4.1) and for pressure losses (Table 2 in Section 4.1). These values are then used to compute the system critical response variable Y(x) as defined in (9): if Y(x) > 1, then x is a failure configuration for the passive system.

5 Results of the application of SS for the estimation of the functional failure probability of the T-H passive system of Section 4 In this Section, the results of the application of SS for the quantitative functional failure analysis of the 600-MW GFR passive decay heat removal system in Figure 4 are illustrated. First, the percentiles of both the hot-channel and average-channel coolant outlet temperatures are determined (Section 5.1); then, the corresponding probabilities of functional failure of the system are estimated (Section 5.2); finally, the sensitivity of the passive system performance with respect to the uncertain input parameters is studied by examination of the conditional sample distributions at different failure probability levels (Section 5.3).

17

PAPER I – E. Zio, N. Pedroni / Nuclear Engineering and Design 239 (2009) 580-599

5.1 Determination of the percentiles of the coolant outlet temperatures In this analysis, for illustration purposes a configuration with Nloops = 3 loops is considered for the passive system of Figure 4. hot The 100·αth percentiles of the hot- and average-channel coolant outlet temperatures Tout ,core avg hot ,α avg ,α and Tout ,core are defined as the values Tout ,core and Tout , core , respectively, such that hot hot ,α P(Tout , core ≤ Tout ,core ) = α

(12)

and avg avg ,α P (Tout ,core ≤ Tout ,core ) = α

(13)

In order to clarify definitions (12) and (13), a pictorial representation of the operative procedure which is adopted to identify different percentiles for different values of α is given in Figure 7. An hypothetical Cumulative Distribution Function (CDF) for the hot-channel hot coolant outlet temperature Tout ,core is represented by a solid line: as a reminder, for any real

hot hot hot value Touthot,core , the CDF value of the random variable Tout ,core is given by P (Tout ,core ≤ Tout , core ) ,

hot hot i.e., by the probability that Tout , core takes on a value less than or equal to Tout , core . According to

the definitions of percentiles given in (12) and (13) and referring to Figure 7, the 100·αth hot ,α hot percentile Tout , core of the random variable Tout ,core is operatively identified by the dashed arrow that originates at α on the ordinates of Figure 7, extends horizontally on the CDF and then th th hot ,α drops vertically to the abscissas to produce the percentile Tout , core (in Figure 7, the 50 , 90 hot , 0.5 hot , 0.9 hot , 0.99 and 99th percentiles, i.e., Tout , core , Tout , core and Tout , core , respectively, are shown for illustration

purposes). Notice that α (which is formally a cumulative probability value) will be referred to as “confidence level” in the following text (Guba et al., 2003; Nutt and Wallis, 2004; Au et al., 2007).

Figure 7. Example of Cumulative Distribution Function (CDF) for the hot-channel coolant th th th hot hot , 0.5 hot , 0.9 hot , 0.99 temperature Tout ,core : the 50 , 90 and 99 percentiles, i.e., Tout , core , Tout ,core and Tout , core , respectively, are indicated by the dashed arrows Following the approach presented in (Au et al., 2007), Figure 8 shows the empirical hot Cumulative Distribution Function (CDF) of the hot-channel coolant outlet temperature Tout ,core 18

PAPER I – E. Zio, N. Pedroni / Nuclear Engineering and Design 239 (2009) 580-599

for different confidence levels α = 1.0, 0.9, 0.99 and 0.999. The empirical CDF of the avg average-channel coolant outlet temperature Tout , core is not shown for brevity. Empirical Cumulative Distribution Function (CDF);α = 0.9 1

0.9

0.99

0.8

0.98

0.7

0.97

Cumulative probability

Cumulative probability

Empirical Cumulative Distribution Function (CDF) 1

0.6 0.5 0.4 0.3

SS (N T = 280) MCS (N T = 280) MCS (N T = 10000)

0.2 0.1 0 400

600

800

1000

Hot channel coolant outlet

1200

1400

hot temperature,Tout, core

0.96 0.95 0.94 0.93

SS (N T = 280)

0.92

MCS (N T = 280) MCS (N T = 10000)

0.91 0.9 700

1600

0.999

0.9999

0.998

0.9998

0.997

0.9997

0.996 0.995 0.994

0.991 0.99 900

1000

1100

1200

1300

0.9992

1500

1300

1400

1500

1600

[°C]

0.9994 0.9993

hot

1200

0.9995

MCS (N T = 280) MCS (N T = 10000)

1400

1100

0.9996

SS (N T = 280)

Hot channel coolant outlet temperature,Tout, core [°C]

1000

Empirical Cumulative Distribution Function (CDF);α = 0.999 1

Cumulative probability

Cumulative probability

Empirical Cumulative Distribution Function (CDF);α = 0.99

0.992

900

hot

1

0.993

800

Hot channel coolant outlet temperature,Tout, core

[°C]

SS (N T = 280) MCS (N T = 280) MCS (N T = 10000)

0.9991

1600

0.999

1100

1200

1300

1400

1500 hot

Hot channel coolant outlet temperature,Tout, core

1600 [°C]

hot Figure 8. Empirical CDF of the hot-channel coolant outlet temperature Tout , core for the 600-

MW GFR of Figure 4, at different confidence levels: α = 1 (top, left), α = 0.9 (top, right), α = 0.99 (bottom, left), and α = 0.999 (bottom, right). Solid lines: SS with NT = 280 samples; dashed lines: standard MCS with NT = 280 samples; dot-dashed lines: standard MCS with NT = 10000 samples In order to make more traceable the work done, the values of the nine uncertain inputs (i.e., of uncertain parameters x1, x2 and x3 and multiplicative error factors x4, x5, …, x9 in Table 3) used to derive the CDF (produced by SS) in Figure 8, bottom, right (i.e., for α = 0.999) are reported in Table 4; the corresponding values of the hot-channel coolant outlet temperature hot Tout ,core are also shown for completeness.

19

PAPER I – E. Zio, N. Pedroni / Nuclear Engineering and Design 239 (2009) 580-599

Values of the uncertain inputs x1 [MW] 18.80 18.89 18.77 18.53 18.64 18.74 18.65 18.65 18.75 18.88

x2 [kPa] 1262 1311 1195 1262 1268 1255 1234 1234 1287 1229

x3 [°C] 90.10 75.92 95.24 87.14 85.87 103.22 100.84 100.84 79.91 89.03

x4 1.05 1.03 1.02 0.97 0.92 1.00 1.04 1.04 1.06 0.96

x5 0.84 0.99 1.00 0.86 0.97 0.84 0.92 0.92 1.21 0.82

x6 1.01 0.99 1.02 0.98 1.03 1.05 0.96 0.96 1.06 0.95

x7 1.01 1.01 0.99 1.01 1.01 0.99 1.02 1.02 1.04 0.95

x8 1.07 1.18 1.09 1.11 1.14 1.13 1.11 1.11 1.18 1.05

x9 0.98 0.99 1.00 0.99 0.98 0.97 1.00 1.00 1.01 1.03

Hot-channel coolant outlet temperature hot Tout, [°C] core 1279,22 1284,31 1288,18 1290,57 1308,84 1338,23 1429,90 1429,90 1519,52 1570,41

Table 4. Values of the nine uncertain inputs (i.e., of uncertain parameters x1, x2 and x3 and multiplicative error factors x4, x5, …, x9 in Table 3) used to derive the CDF (produced by SS) in Figure 8, bottom, right (i.e., for α = 0.999); the corresponding values of the hot-channel hot coolant outlet temperature Tout , core are also reported The results produced by SS with a total of 280 samples (i.e., m = 3 simulation levels, each with N = 100 samples) are shown in solid lines, whereas those produced by standard MCS with the same number of samples (i.e., 280) are shown in dashed lines. The dot-dashed lines correspond to the results obtained by direct MCS with 10000 samples: this number of samples is sufficient for efficiently estimating the CDF even for a confidence level α = 0.999 (Figure 8, bottom, right). Notice that the results from SS are satisfactorily close to this reference solution for all confidence levels. On the contrary, standard MCS with 280 samples is not able to produce accurate results for values of α very close to 1 (Figure 8, bottom, left and right, where α = 0.99 and 0.999, respectively). This is due to the fact that with 280 samples there are on average only 280·(1 – 0.99) = 280·0.01 ~ 3 failure samples in Figure 8, bottom, left, and 280·(1 – 0.999) = 280·0.001 ~ 0.28 failure samples, in Figure 8, bottom, right. In contrast, SS (due to successive conditional MCMC simulations) generates 280, 190, 100 and 10 conditional samples in Figure 8, top, left and right, and bottom, left and right, respectively, giving enough information for an efficient estimation of the CDF. Notice that for the standard MCS with 10000 samples, there are on average 10 samples in Figure 8, bottom, right, i.e., the same number as produced by SS but at a much higher computational effort. Table 5 and Table 6 report the values of the percentiles of the hot-channel and averagechannel coolant outlet temperatures, respectively, for the 600-MW GFR of Figure 4, computed in single runs of SS with 280 samples and standard MCS with 280 and 10000 samples, respectively, at different confidence levels α = 0.9, 0.95, 0.99 and 0.999. For α equal to 0.9, both SS and MCS with 280 samples produce results similar to those of the benchmark simulation approach (i.e., MCS with 10000 samples), whereas for α equal to 0.99 and 0.999, only SS achieves reliable results, as expected. This is particularly evident for the percentiles of the hot-channel coolant temperature at α = 0.999 (Table 5): the value produced by SS with 280 samples (i.e., 1256.70 °C) is very close to the benchmark value produced by standard MCS with 10000 samples (i.e., 1287.23 °C); on the contrary, the percentile identified by standard MCS with 280 samples is dramatically lower (i.e., 1061.16 °C).

20

PAPER I – E. Zio, N. Pedroni / Nuclear Engineering and Design 239 (2009) 580-599

hot Hot-channel coolant outlet temperature, Tout, – Single run core hot ,α Percentile values, Tout, core

Method SS MCS MCS

NT 280 280 10000

α = 0.9 732.28 754.62 752.75

α = 0.95 807.21 842.23 812.30

α = 0.99 982.92 996.77 986.67

α = 0.999 1256.70 1061.16 1287.23

hot Table 5. Percentiles of the hot-channel coolant outlet temperature Tout , core for the 600-MW

GFR of Figure 4, computed in a single run of SS with NT = 280 samples and standard MCS with NT = 280 and 10000 samples, respectively, at different confidence levels α = 0.9, 0.95, 0.99, 0.999

avg Average-channel coolant outlet temperature, Tout, – Single run core avg ,α Percentile values, Tout, core

Method SS MCS MCS

NT 280 280 10000

α = 0.9 546.42 545.34 547.46

α = 0.95 571.64 567.69 564.92

α = 0.99 610.25 607.10 614.32

α = 0.999 677.32 618.26 673.80

avg Table 6. Percentiles of the average-channel coolant outlet temperature Tout , core for the 600-

MW GFR of Figure 4, computed in a single run of SS with NT = 280 samples and standard MCS with NT = 280 and 10000 samples, respectively, at different confidence levels α = 0.9, 0.95, 0.99, 0.999 To assess quantitatively the statistical properties of the percentile estimates produced by SS with 280 samples and standard MCS with 280 and 10000 samples, 50 independent runs have been carried out for each simulation method and the sample means and sample standard deviations of the percentile estimates thereby obtained have been computed: the corresponding results are reported in Table 7 and Table 8 for the hot-channel and averagechannel coolant temperatures, respectively. It can be seen that the sample means of the percentile estimates obtained by SS with 280 samples almost coincide with the benchmark results obtained by standard MCS with 10000 samples, even for α = 0.999: this leads to conclude that in spite of the bias due to the correlation between the conditional samples at different levels, the estimates obtained by SS can be taken as practically unbiased. Moreover, it is worth noting that at the upper confidence level, i.e. α = 0.999, the standard deviations of the percentile estimates produced by SS with 280 samples (i.e., 46.14 and 10.88 in Table 7 and Table 8, respectively) are comparable to those produced by standard MCS with 10000 samples (i.e., 47.86 and 9.58 in Table 7 and Table 8, respectively), but they are obtained at a much lower computational effort (i.e., using a number of samples about 50 times lower). Finally, as expected, the standard deviations of the percentile estimates produced by SS with 280 samples are consistently lower than those of standard MCS with the same number of samples at all confidence levels.

21

PAPER I – E. Zio, N. Pedroni / Nuclear Engineering and Design 239 (2009) 580-599

hot Hot-channel coolant outlet temperature, Tout, – Average over 50 runs core hot ,α Percentile values, Tout, core

Method SS MCS MCS

NT 280 280 10000

α = 0.9 741.02 751.24 752.90

Means α = 0.95 α = 0.99 814.05 982.69 809.47 964.00 811.93 986.76

α = 0.999 1242.90 1052.39 1261.39

α = 0.9 9.70 12.52 1.75

Standard deviations α = 0.95 α = 0.99 α = 0.999 16.06 27.37 46.15 26.34 65.49 99.04 5.19 12.78 47.86

Table 7. Sample averages and standard deviations of the percentiles of the hot-channel hot coolant outlet temperature Tout , core for the 600-MW GFR of Figure 4, computed over 50 runs of SS with NT = 280 samples and standard MCS with NT = 280 and 10000 samples, at different confidence levels α = 0.9, 0.95, 0.99, 0.999 avg Average-channel coolant outlet temperature, Tout, – Average over 50 runs core avg ,α Percentile values, Tout, core

Method SS MCS MCS

NT 280 280 10000

α = 0.9 544.34 546.27 547.40

Means α = 0.95 α = 0.99 565.65 599.57 565.86 604.71 566.70 612.53

α = 0.999 676.12 626.74 675.75

α = 0.9 3.39 5.12 0.85

Standard deviations α = 0.95 α = 0.99 α = 0.999 4.47 6.48 10.88 8.09 15.16 24.36 1.34 3.32 9.58

Table 8. Sample averages and standard deviations of the percentiles of the average-channel avg coolant outlet temperature Tout , core for the 600-MW GFR of Figure 4, computed over 50 runs of SS with NT = 280 samples and standard MCS with NT = 280 and 10000 samples, at different confidence levels α = 0.9, 0.95, 0.99, 0.999

5.2 Functional failure probability estimation In this Section, SS is compared to standard MCS in the task of estimating of the functional failure probability (per demand) of the 600-MW GFR passive decay heat removal system of Figure 4. For illustration purposes, two different system configurations (with Nloops = 3 and 4) are analyzed. Standard MCS has been run with a total of NT = 10000 samples in both cases, whereas SS has been run with NT = 9800 samples (i.e., m = 3 simulation levels, each with N = 3500 samples) and NT = 16100 samples (i.e., m = 5 simulation levels, each with N = 3500 samples) for the configurations with Nloops = 3 and 4 loops, respectively. It is worth noting that the total number of samples NT employed by SS can not be defined a priori since it depends on the number m of conditional simulation levels (Section 3.2); the number m of simulation levels depends in turn on the failure probability P(F) (per demand) to be estimated, which is obviously unknown a priori. Thus, in order to compare the results, the efficiency of the simulation methods under analysis is evaluated in terms of two indices which are independent of the total number NT of samples drawn: the unitary coefficient of variation (c.o.v.), Δ, and the so-called Figure Of Merit (FOM). The unitary c.o.v. Δ is defined as Δ = δ ⋅ NT =

σ

Pˆ (F )

⋅ NT

(14)

where δ is the c.o.v., Pˆ (F ) is the sample estimate of P (F ) and σ is the sample standard deviation of Pˆ (F ) . Since in all Monte Carlo-type estimators the standard deviation σ (and, 22

PAPER I – E. Zio, N. Pedroni / Nuclear Engineering and Design 239 (2009) 580-599

(

)

thus, the c.o.v. δ) decays with a rate O 1 N T , then Δ = δ ⋅ N T is independent of NT (Koutsourelakis et al., 2004). Notice that the lower is the value of Δ, the lower is the variability of the corresponding failure probability estimator and thus the higher is the efficiency of the simulation method adopted. However, in addition to the precision of the failure probability estimator, also the computational time associated to the simulation method has to be taken into account. Thus, the FOM is introduced and defined as 1 (15) FOM = 2 σ ⋅ tcomp where tcomp is the computational time required by the simulation method. Since σ 2 ∝ N T and approximately tcomp ∝ N T , also the FOM is independent of NT. Notice that in this case the higher is the value of the index, the higher is the efficiency of the method. Table 9 reports the values of the estimate of the failure probability Pˆ (F ) (per demand), the unitary c.o.v. Δ and the FOM obtained by standard MCS with NT = 10000 samples and SS with NT = 9800 and 16100 samples in the reliability analysis of the T-H passive system of Figure 4 with Nloops = 3 and 4, respectively; also the computational time tcomp required by each simulation method on a Pentium 4 CPU 3.00GHz is reported (in seconds). Nloops = 3 ˆ Δ P (F ) (per demand) Standard MCS SS

-3

1.600·10 1.317·10-3

25.00 13.50

Nloops = 4 ˆ Δ P (F ) (per demand) Standard MCS SS

0 1.580·10-5

258.20 25.13

FOM

NT

tcomp [s]

216.00 432.49

10000 9800

28937 44535

FOM

NT

tcomp [s]

23147.21 2065378.15

10000 16100

28885 49588

Table 9. Values of the estimate of the failure probability Pˆ (F ) (per demand), unitary coefficient of variation (c.o.v.) Δ and Figure Of Merit (FOM) obtained by standard MCS with NT = 10000 samples and SS with NT = 9800 and 16100 samples in the reliability analysis of the passive system of Figure 4 with Nloops = 3 and 4, respectively. The computational time tcomp required by each simulation method on a Pentium 4 CPU 3.00GHz is also reported (in seconds) It can be seen that SS leads to a substantial improvement in efficiency over standard MCS, especially when estimating small failure probabilities (per demand). For example, for P(F) ~ 10-5 (i.e., Nloops = 4 in Table 9), no failure samples are generated by standard MCS, so that its failure probability estimate Pˆ (F ) is equal to 0. This result is quite reasonable: in fact, the estimation of failure probabilities (per demand) near 10-5 by means of standard MCS with NT = 10000 samples is not efficient since on average only 10000·10-5 ~ 0.1 (i.e., less than one) failure samples are available in the failure region of interest. In contrast, for SS, due to successive conditioning, it is guaranteed that there are N·p0 = 3500·0.1 = 350 conditional failure samples at probability level P(F) ~ 10-5, thus providing sufficient information for efficiently estimating the corresponding failure probability (per demand) (see Sections 3.2 and 5.1). As a consequence, the estimate produced by SS is much more robust than the one produced by standard MCS: actually, the unitary c.o.v. Δ (thus, the variability) of the SS 23

PAPER I – E. Zio, N. Pedroni / Nuclear Engineering and Design 239 (2009) 580-599

estimator is about 12 times lower than that of the standard MCS estimator (conversely, the FOM is about 95 times larger).

5.3 Sensitivity analysis based on conditional samples The Markov chain samples generated by SS can be used not only for estimating the conditional probabilities but also to infer the probable scenarios that will occur in the case of failure (Au, 2005). Intuitively, from the comparison of the probability density function q( x j | F ) of the uncertain parameter xj, j = 1, 2, …, n, conditional to the occurrence of failure F, with the unconditional probability density function q(xj), an indication can be obtained on how important is the parameter xj in affecting the system failure. Formally, for any given value of xj the Bayes’ theorem reads, P( F | x j ) =

q( x j | F ) q( x j )

P( F ) , j = 1, 2, …, n

(16)

so that P ( F | x j ) is insensitive to xj when q( x j | F ) ~ q( x j ) , i.e. when the conditional probability density function q( x j | F ) is similar in shape to the PDF q(xj) (Au and Beck, 2003; Au, 2005; Au et al., 2007). The effectiveness of this approach for sensitivity analysis has been demonstrated by a number of studies conducted in the field of structural reliability: for example, in (Au and Beck, 2003) and (Au, 2005), the approach has been effectively used to address a 1500-dimensional problem concerning a steel frame subject to stochastic ground motion, whereas in (Au et al., 2007) the method has been applied to perform a compartment fire risk analysis where seven uncertain parameters were considered. The sensitivity of the passive system performance to the individual uncertain input parameters of Table 3 can thus be studied by examining the change of the sample distributions at different conditional levels. The histograms of the conditional samples of the uncertain parameters at different conditional levels for a single SS run are shown in Figure 9 (for illustration purposes, only the configuration with Nloops = 3 loops is considered in this analysis). In passing, notice that the empirical distributions (histograms) of the conditional samples of all the uncertain parameters of Table 3 are represented in the range μ ± 4σ: for instance, the lower limit for parameter x1, i.e. power, in Figure 9 is μ - 4σ = 18.7 – 4·0.01·18.7 = 17.952 MW, whereas for parameter x2, i.e. pressure, it is 1650 – 4·0.075·1650 = 1155 kPa. The range adopted for the representation of the empirical distributions of the uncertain parameters has not been defined a priori by the authors, but it is the empirical result of the random variation of the uncertain parameters during the stochastic simulation: in this view, the SS method demonstrates its ability of exploring the whole range of variability (including regions with very low occurrence probability) of each uncertain parameter thanks to the use of MCMC simulation that gradually populates intermediate conditional regions (see Figure 3 of Section 3.2 and the Appendix).

24

PAPER I – E. Zio, N. Pedroni / Nuclear Engineering and Design 239 (2009) 580-599

PDF

Cond. level 0 2

2

2

1.8

1.8

1.8

1.6

1.6

1.6

1.4

1.4

1.4

1.2

1.2

1.2

1

1

1

0.8

0.8

0.8

0.6

0.6

0.6

0.4

0.4

0.4

0.2

0.2

0.2

0 17.952

18.7

19.448

0 19.448 18.7 17.952 Parameter x1 - Power [MW ]

-3

PDF

0 17.952

-3

4.5

4.5

4

4

4

3.5

3.5

3.5

3

3

3

2.5

2.5

2.5

2

2

2

1.5

1.5

1.5

1

1

1

0.5

0.5

0.5

1650

2145

0 1155 2145 1650 Parameter x2 - Pressure [kPa]

0 1155

Cond. level 1

Cond. level 0 2

2

1.8

1.8

1.8

1.6

1.6

1.6

1.4

1.4

1.4

1.2

1.2

1.2

1

1

1

0.8

0.8

0.8

0.6

0.6

0.6

0.4

0.4

0.4

0.2

0.2

0.2

90.00

1650

2145

Cond. level 2

2

0 72.00

19.448

x 10 Cond. level 2

4.5

0 1155

18.7 -3

x 10 Cond. level 1

x 10 Cond. level 0

PDF

Cond. level 2

Cond. level 1

0 0 72.00 108.00 90.00 108.00 72.00 Parameter x3 - Cooler wall temperature [°C]

90.00

108.00

25

PAPER I – E. Zio, N. Pedroni / Nuclear Engineering and Design 239 (2009) 580-599

Cond. level 1

PDF

Cond. level 0

Cond. level 2

7

7

7

6

6

6

5

5

5

4

4

4

3

3

3

2

2

2

1

1

1

0 0.8

1

0 0 0.8 1.2 1 1.2 0.8 Parameter x4 - Nusselt number error (forced convection)

1

Cond. level 0

Cond. level 1

Cond. level 2

2.5

2.5

2

2

2

1.5

1.5

1.5

1

1

1

0.5

0.5

0.5

PDF

2.5

1.2

PDF

0 0.4

1

0 0 1 1.6 0.4 1.6 0.4 Parameter x5 - Nusselt number error (mixed convection)

Cond. level 0

Cond. level 1 5

5

4.5

4.5

4.5

4

4

4

3.5

3.5

3.5

3

3

3

2.5

2.5

2.5

2

2

2

1.5

1.5

1.5

1

1

1

0.5

0.5

0.5

1

1.6

Cond. level 2

5

0 0.7

1

0 0 1 1.3 0.7 1.3 0.7 Parameter x6 - Nusselt number error (free convection)

1

1.3

26

PAPER I – E. Zio, N. Pedroni / Nuclear Engineering and Design 239 (2009) 580-599

Cond. level 1

PDF

Cond. level 0

35

35

35

30

30

30

25

25

25

20

20

20

15

15

15

10

10

10

5

5

5

0 0.96

1

0 0 0.96 1.04 1 1.04 0.96 x Parameter 7 - Friction factor error (forced convection)

1

Cond. level 1

Cond. level 2

Cond. level 0

PDF

Cond. level 2

3.5

3.5

3.5

3

3

3

2.5

2.5

2.5

2

2

2

1.5

1.5

1.5

1

1

1

0.5

0.5

0.5

0 0.6

1

0 0 0.6 1.4 1.4 0.6 1 Parameter x8 - Friction factor error (mixed convection)

Cond. level 0

1

1.04

1.4

Cond. level 2

Cond. level 1 25

25

20

20

20

15

15

15

10

10

10

5

5

5

PDF

25

0 0.94

1

0 0 0.94 1.06 1 1.06 0.94 Parameter x9 - Friction factor error (free convection)

1

1.06

Figure 9. Empirical conditional distributions of the uncertain input parameters of Table 3 at different conditional levels (histograms) compared to their unconditional distributions (solid lines), with reference to the 600-MW passive decay heat removal system of Figure 4 with Nloops = 3 27

PAPER I – E. Zio, N. Pedroni / Nuclear Engineering and Design 239 (2009) 580-599

It can be seen that the performance of the passive system is strongly sensitive to the pressure level established in the guard containment after the LOCA, as indicated by the significant leftward shift of its empirical conditional distribution (histograms) from the unconditional one (solid lines). A slight sensitivity of the passive system performance is also observed with respect to the correlation errors in both the Nusselt number (leftward shift) and the friction factor (rightward shift) in mixed convection. These results agree with the one-way sensitivity analysis reported in (Pagani et al., 2005). However, the sensitivity analysis based on SS presents the advantage over the standard technique adopted in the reference study, of being directly “embedded” in the computation of the failure probability: the SS algorithm produces the empirical conditional distributions of Figure 9 during the simulation that is performed to compute the functional failure probability of the passive system. In other words, while estimating the functional failure probability of the system, sensitivity analysis results are produced that can be readily visualized for identification (and ranking) of the most important variables. On the contrary, in the one-way sensitivity analysis by (Pagani et al., 2005), additional simulations are performed in order to compute (by straightforward differential analysis) the relative variations of the coolant outlet temperatures for a 1% variation in each parameter value. By so doing, the computational cost associated to the analysis may become impractical if the number of uncertain parameters is large and/or very long-running T-H models are adopted. It is worth noting that the results obtained through the SS-based sensitivity analysis are quite reasonable. In fact, the pressure of the system strongly affects the density of the coolant helium gas and thus the extent of the buoyancy force on which the effective functioning of the natural circulation system is based. In particular, a decrease in the system pressure leads to a decrease in the buoyancy force which may not succeed in balancing the pressure losses around the natural circulation loop (see Equation (6) in Table 2 of Section 4.1). Nusselt numbers instead are directly (i.e., linearly) related to the heat transfer coefficients in both the heater (i.e., the core, item 4 in Figure 4) and the cooler (i.e., the heat exchanger, item 12 in Figure 4) and thus their variations directly impact the global heat removal capacity of the passive system. In particular, a decrease in the heat transfer coefficient in the heat exchanger (where the wall temperature is imposed) leads to a reduction in the heat flux (see Equation (5) in Table 1 of Section 4.1) and consequently to an increase in the coolant temperature (see Equation (4) in Table 1 of Section 4.1). Further, a decrease in the heat transfer coefficient in the heater (where the heat flux is imposed as constant) causes an increase in the coolant wall temperature (see Equation (5) in Table 1 of Section 4.1). Thus, both processes lead to a rapid attainment of the coolant temperature limits. Finally, the friction factors directly determine the extent of the pressure losses which oppose the coolant flow in natural circulation. In particular, an increase in the friction factors determines an increase in the pressure losses along the closed loop and consequently a reduction in the coolant flow rate (see Equation (6) in Table 2 of Section 4.1). The smaller the flow rate in the decay heat removal loop, the higher the coolant temperature rise will be, leading to an earlier attainment of the coolant temperature limits, thus worsening the safety of the operation and of the reactor. As a final remark, care should be taken in drawing practical implications from the sensitivity study performed. Indeed, the simplified steady-state model adopted in this work (equations (5) and (6) of Section 4.1) do not allow to provide any suggestions about the design of the TH passive system analyzed; on the contrary, their physical coherence with the model adopted proves the goodness of the results provided by Subset Simulation.

5.4 Discussion of the results and comparison with other works of literature Although the aim of the present paper is mainly to show the power of Subset Simulation in propagating epistemic uncertainties through deterministic T-H codes for performing efficient 28

PAPER I – E. Zio, N. Pedroni / Nuclear Engineering and Design 239 (2009) 580-599

estimations of the functional failure probability of T-H passive systems, an engineering evaluation of the performance of the passive system considered in the case study is in order. First of all, it is worth noting that the values obtained in this work for the functional failure probability (per demand) of the three- and four-loop configurations of the 600MWth GFR passive decay heat removal system (DHRS) of Figure 4 (i.e., P(F) ≈ 1.32·10-3 and 1.58·10-5, respectively) are different from those of the reference paper by (Pagani et al., 2005) (i.e., P(F) ≈ 4.05·10-4 and 7.19·10-6, respectively): this is due to slight differences in the implementation of the T-H code and in the setting of some parameters in the T-H model. As highlighted by (Pagani et al., 2005), the values of the functional failure probabilities reported above are quite low, but they can not be neglected in the evaluation of the overall failure probability of the passive system. Indeed, it has been shown by (Pagani et al., 2005) that due to functional failures passive systems are not necessarily more reliable than active ones: for example, the value of P(F) for the three-loop active configuration of the DHRS turns out to be 1.58·10-4 (which is lower than both 1.32·10-3 and 4.05·10-4). On the other hand, it is important to note that the values of the functional failure probability (per demand) obtained for the T-H passive system in the present study are lower than or comparable to those reported in other recent works of literature: for example, in (Mackay et al., 2008), a transient analysis of a two-loop passive DHRS of a helium-cooled fast reactor resulted in a functional failure probability P(F) of 0.305 per demand (which is extremely high for such safety-critical application): several improvements were thus integrated into the GFR design, reducing the value of P(F) to 0.125 (Patalano et al., 2008); in (Mathews et al., 2008), the probability of functional failure of the DHRS of a sodium-cooled 500MWe FBR was found to be 2.5·10-3; finally, in (Bassi and Marquès, 2008), an upper bound of 5·10-6 was estimated (by linear regression techniques) for the functional failure probability of the DHRS of a 2400MWth GFR. A final remark is also in order with respect to the results of the sensitivity study reported in the previous Section 5.3. Three parameters have been identified as most important in affecting the uncertainty in the analysis of the T-H passive system performance, i.e., the pressure in the natural circulation loop after the LOCA and the correlation errors in the Nusselt numbers and friction factors in mixed convection. These results agree with those reported in other recent papers dealing with natural circulation decay heat removal in gas cooled systems: for instance, in (Mackay et al., 2008) and (Patalano et al., 2008), pressure in the guard containment is identified as the key parameter for a successful natural circulation-based decay heat removal, whereas in (Bassi and Marques, 2008), the multiplicative error factor for laminar natural circulation pressure drop and Reynolds number for turbulent to laminar transition in the core region are recognized as the most influent parameters for the maximum temperature of materials in the core.

6 Conclusions In this paper, the Subset Simulation method has been considered for propagating epistemic uncertainties through a deterministic T-H code in order to perform an efficient estimation of the functional failure probability of a T-H passive system. A case study involving the natural convection cooling in a Gas-cooled Fast Reactor (GFR) after a Loss of Coolant Accident (LOCA) has been taken as reference. For simplicity, the representation of the system behavior has been limited to a steady-state model. The results of Subset Simulation have been compared to those of standard Monte Carlo Simulation in two kinds of analyses: first, the determination of the percentiles of the hotchannel and average-channel temperatures of the coolant gas leaving the reactor core; second, the estimation of failure probabilities as small as 10-5. The results have demonstrated that as the target probability of failure gets smaller, Subset Simulation becomes more and more efficient over standard Monte Carlo Simulation. 29

PAPER I – E. Zio, N. Pedroni / Nuclear Engineering and Design 239 (2009) 580-599

Moreover, the sensitivity of the passive system performance to the uncertain system input parameters has been studied through the examination of the conditional sample distributions at different failure probability levels. The analysis has shown that an informative measure of the importance of a given parameter in determining the failure of the system is the deviation of its conditional distribution from the unconditional one. Finally, a word of caution is in order with respect to the fact that the T-H model used in this work to describe the behaviour of a natural circulation-based T-H passive system is a steadystate (thus, simplified) model. As a consequence, the results obtained (both in the failure probability estimation and in the sensitivity analysis) can only serve the purpose of showing the potential effectiveness of Subset Simulation in efficiently propagating uncertainties through a mechanistic T-H code. The actual implementation of the method as a qualified tool for a complete quantitative functional failure analysis of a real T-H passive system would need its verification on a transient analysis supported by dynamic calculation codes (e.g., RELAP5-3D); research is currently underway in this direction. Acknowledgements: The authors wish to thank the anonymous referees for the numerous constructive comments and suggestions which have led to a significantly improved work.

References Apostolakis, G. E., 1990. The concept of probability in safety assessment of technological systems. Science, 250, 1359. Au, S. K., 2005. Reliability-based design sensitivity by efficient simulation. Computers and Structures, 83, pp. 1048-1061. Au, S. K., 2007. Augmented approximate solutions for consistent reliability analysis. Probabilistic Engineering Mechanics, 22, pp. 77-87. Au, S. K. and Beck, J. L., 2001. Estimation of small failure probabilities in high dimensions by subset simulation. Probabilistic Engineering Mechanics, 16(4), pp. 263-277. Au, S. K. and Beck, J. L., 2003. Subset Simulation and its application to seismic risk based on dynamic analysis. Journal of Engineering Mechanics, 129(8), pp. 1-17. Au, S. K., Wang, Z. H., Lo, S. M., 2007. Compartment fire risk analysis by advanced Monte Carlo simulation. Engineering Structures, 29(9), pp. 2381-2390. Aybar, H. S., Aldemir, T., 1999. Dynamic probabilistic reliability and safety assessment: an application to IS-BWR. In: Proceedings of the Seventh International conference on Nuclear Engineering, Tokio, Japan. Bassi, C., Marquès, M., 2008. Reliability assessment of 2400 MWth gas-cooled fast reactor natural circulation decay heat removal in pressurized situations. Science and Technology of Nuclear Installations, Special Issue “Natural Circulation in Nuclear Reactor Systems”, Hindawi Publishing Corporation, Paper 87376. Burgazzi, L., Fiorini, G. L., De Magistris, F., 1998. Reliability assessment of passive safety systems. In: Proceedings of the Sixth International Conference on Nuclear Engineering ICONE 6-6340, San Diego, USA, May 10-15. Burgazzi, L., 2002. Passive system reliability analysis: a study on the isolation condenser. Nuclear Technology, 139 (July), 3-9. Burgazzi, L., 2003. Reliability evaluation of passive systems through functional reliability assessment. Nuclear Technology, 144, 145. Burgazzi, L., 2004. Evaluation of uncertainties related to passive systems performance. Nuclear Engineering and Design, 230, 93-106. Burgazzi, L., 2006. Failure mode and effect analysis application for the safety and reliability analysis of a thermal-hydraulic passive system. Nuclear Technology, 146, pp. 150-158. 30

PAPER I – E. Zio, N. Pedroni / Nuclear Engineering and Design 239 (2009) 580-599

Burgazzi, L., 2007a. Addressing the uncertainties related to passive system reliability. Progress in Nuclear Energy, 49, 93-102. Burgazzi, L., 2007b. Thermal-hydraulic passive system reliability-based design approach. Reliability Engineering and System Safety, doi: 10.1016\j.ress.2006.07.008. Cacuci, D. G., Ionescu-Bujor, M., 2004. A comparative review of sensitivity and uncertainty analysis of large scale systems – II: Statistical methods. Nuclear Science and Engineering (147), pp. 204-217. Ching, J., Beck, J. L., Au, S. K., 2005. Hybrid subset simulation method for reliability estimation of dynamical systems subject to stochastic excitation. Probabilistic Engineering Mechanics, 20, pp. 199-214. Chung, Y. J., Lee, S. W., Kim S. H., Kim, K. K., 2008. Passive cooldown performance of a 65MW integral reactor, vol. 238, pp. 1681-1689. D’ Auria, F., Bianchi, F., Burgazzi, L., Ricotti, M. E., 2002. The REPAS study: reliability evaluation of passive safety systems. In: Proceedings of the 10th International Conference on Nuclear Engineering ICONE 10-22414, Arlinghton, VA USA, April 1418. Eapen, J., Hejzlar, P., Driscoll, M. J., 2002. Analysis of a natural convection loop for postLOCA GCFR Decay-Heat removal. MIT-GCFR-002, MIT, Department of Nuclear Engineering. Gläser, H., 2002. Uncertainty evaluation of thermal-hydraulic code results. In: ANS International Meeting on Best-Estimate Methods in Nuclear Installations Safety Analysis (BE-2000), Washington, D.C., USA, November 17-20. Guba, A., Makai, M., Pa’l, L., 2003. Statistical aspects of best estimate method-I. Reliability Engineering and System Safety, 80, 217-32. IAEA, 1991. Safety related terms for advanced nuclear plant. IAEA TECDOC-626. Helton, J. C., 1998. Uncertainty and sensitivity analysis results obtained in the 1996 performance assessment for the waste isolation power plant, SAND98-0365, Sandia National Laboratories. Helton J. C, Davis, F. J., 2003. Latin hypercube sampling and the propagation of uncertainty in analyses of complex systems. Reliability Engineering and System Safety, 81, pp. 2369. Helton J. C, Johnson J. D., Sallaberry C. J., Storlie C. B., 2006. Survey on sampling-based methods for uncertainty and sensitivity analysis. Reliability Engineering and System Safety, 91, pp. 1175-1209. Jafari, J., D’ Auria, F., Kazeminejad, H., Davilu, H., 2003. Reliability evaluation of a natural circulation system. Nuclear Engineering and Design, 224, 79-104. Juhn, P. E., Kupitz, J., Cleveland, J., Cho, B., Lyon, R. B., 2000. IAEA activities on passive safety systems and overview of international development. Nuclear Engineering and Design, 201, pp. 41-59. Katafygiotis, L., Cheung, S. H., 2005. A two-stage subset simulation-based approach for calculating the reliability of inelastic structural systems subjected to Gaussian random excitations. Computer Methods in Applied Mechanics and Engineering, 194, pp. 15811595. Katafygiotis, L., Cheung, S. H., 2007. Application of spherical subset simulation method and auxiliary domain method on a benchmark reliability study. Structural Safety, 29, pp. 194-207. Koutsourelakis, P. S., Pradlwarter, H. J., Schueller, 2004. Reliability of structures in high dimensions, Part I: algorithms and application. Probabilistic Engineering Mechanics (19), pp. 409-417. Lewis, E. E., 1994. Introduction to reliability engineering – Second edition, John Wiley and Sons, Inc. 31

PAPER I – E. Zio, N. Pedroni / Nuclear Engineering and Design 239 (2009) 580-599

Mackay F. J., Apostolakis, G. E., Hejzlar, P., 2008. Incorporating reliability analysis into the design of passive cooling systems with an application to a gas-cooled reactor. Nuclear Engineering and Design, 238(1), pp. 217-228. Marquès, M., Pignatel, J. F., Saignes, P., D’ Auria, F., Burgazzi, L., Müller, C., BoladoLavin, R., Kirchsteiger, C., La Lumia, V., Ivanov, I., 2005. Methodology for the reliability evaluation of a passive system and its integration into a probabilistic safety assessment. Nuclear Engineering and Design, 235, 2612-2631. Mathews, T. S., Ramakrishnan, M., Parthasarathy, U., John Arul, A., Senthil Kumar, C., 2008. Functional reliability analysis of safety grade decay heat removal system of Indian 500 MWe PFBR. Nuclear Engineering and Design, doi: 10.1016/j.nucengdes.2008.02.012. Metropolis, N., Rosenbluth, A. W., Rosenbluth, M. N. and Taller, A. H., 1953. Equations of state calculations by fast computing machines. Journal of Chemical Physics, 21(6), pp. 1087-1092. Nayak, A. K., Gartia, M. R., Antony, A., Vinod, G., Sinha, R. K., 2008. Passive system reliability analysis using the APSRA methodology. Nuclear Engineering and Design, doi: 10.1016/j.nucengdes.2007.11.005. NUREG-1150, 1990. Severe accident risk: an assessment for five US nuclear power plants, US Nuclear Regulatory Commission. Nutt, W. T., Wallis, G. B., 2004. Evaluations of nuclear safety from the outputs of computer codes in the presence of uncertainties. Reliability Engineering and System Safety, 83, 57-77. Okano, Y., Hejzlar, P., Driscoll, M. J., 2002. Thermal-hydraulics and shutdown cooling of supercritical CO2 GT-GCFRs. MIT-ANP-TR-088, MIT, Department of Nuclear Engineering. Pagani, L., 2004. On the quantification of safety margins. Ph. D. dissertation thesis, Massachusetts Institute of Technology. Pagani, L., Apostolakis, G. E. and Hejzlar, P., 2005. The impact of uncertainties on the performance of passive systems. Nuclear Technology, 149, 129-140. Patalano, G., Apostolakis, G. E., Hejzlar, P., 2008. Risk-informed design changes in a passive decay heat removal system. Nuclear Technology, vol. 163, pp. 191-208. Pradlwarter, H. J., Schueller, G. I., Koutsourelakis, P. S., Charmpis, D. C., 2007. Application of line sampling simulation method to reliability benchmark problems. Structural Safety, 29, pp. 208-221. Rao, N. M., Sekhar, C. C., Maiti, B., Das, P. K., 2006. Steady-state performance of a twophase natural circulation loop. International Communications in Heat and Mass Transfer, vol. 33(8), pp. 1042-1052. Rohde, M., Marcel, C. P., Manera, A., Van der Hagen, T. H. J. J., Shiralkar, B., 2008. Investigating the ESBWR stability with experimental and numerical tools: a comparative study. Nuclear Engineering and Design, doi: 10.1016/j.nucengdes.2008.01.016. Schueller, G. I., 2007. On the treatment of uncertainties in structural mechanics and analysis. Computers and Structures, 85, pp. 235-243. Schueller, G. I., Pradlwarter, H. J., 2007. Benchmark study on reliability estimation in higher dimension of structural systems – An overview. Structural Safety (29) pp. 167-182. USNRC, 1998. “An approach for using probabilistic risk assessment in risk-informed decisions on plant-specific changes to the licensing basis.” NUREG-1.174, US Nuclear Regulatory Commission, Washington, DC. Vijayan, P. K., 2002. Experimental observations on the general trends of the steady state and stability behaviour of single-phase natural circulation loops. Nuclear Engineering and Design, 215, pp. 139-152. 32

PAPER I – E. Zio, N. Pedroni / Nuclear Engineering and Design 239 (2009) 580-599

Vijayan, P. K., Sharma, M., Saha, D., 2007. Steady state and stability characteristics of single-phase natural circulation in a rectangular loop with different heater and cooler orientations. Experimental Thermal and Fluid Science, vol. 31(8), pp. 925-945. Williams, W., Hejzlar, P., Driscoll, M. J., Lee, W. J., Saha, P., 2003. Analysis of a convection loop for a GFR post-LOCA decay heat removal from a block-type core. MIT-ANP-TR095, Department of Nuclear Engineering. Zio, E., and Apostolakis, G. E., 1996. Two methods for the structured assessment of model uncertainty by experts in performance assessment in radioactive waste repositories. Eliability Engineering and System Safety, Vol. 54, No. 2, 225-241. Zio, E., Cantarella, M., Cammi, A., 2003. The analytic hierarchy process as a systematic approach to the identification of important parameters for the reliability assessment of passive systems. Nuclear Engineering and Design, 226, 311-336. Zio, E., Pedroni, N., 2009. Building confidence in the reliability assessment of thermalhydraulic passive systems. Reliability Engineering and System Safety, vol. 94(2), pp. 268-281.

Appendix Markov Chain Monte Carlo (MCMC) Simulation Markov Chain Monte Carlo (MCMC) simulation comprises a number of simulation techniques for generating samples according to any given probability distribution (Metropolis et al., 1953). In the context of the reliability assessment of interest in the present work, MCMC simulation provides an efficient way for generating samples from the multidimensional conditional PDF q( x | F ) . The distribution of the samples thereby generated tends to the multidimensional conditional PDF q( x | F ) as the length of the Markov chain increases. In the particular case of the initial sample being distributed exactly as the multidimensional conditional PDF q( x | F ) , then so are the subsequent samples (Au and Beck, 2001). In the following it is assumed without loss of generality that the components of x are n

independent, that is, q( x ) = ∏ q j ( x j ) , where q j ( x j ) denotes the one-dimensional PDF of j =1

x j (Au and Beck, 2001). To illustrate the MCMC simulation algorithm with reference to a generic intermediate region u Fi, let x = x1u , x 2u , ..., x uj , ..., x nu be the uth Markov chain sample drawn and let p *j (ξ j | x uj ) , j =

{

}

1, 2, …, n, be a one-dimensional ‘proposal PDF’ for ξ j , centered at the value x uj and satisfying the symmetry property p *j (ξ j | x uj ) = p *j ( x uj | ξ j ) . Such distribution, arbitrarily chosen for each element x j of x , allows generating a ‘precandidate value’ ξ j based on the current sample value x uj . The following algorithm is then applied to generate the next Markov u +1

{

}

= x1u +1 , x 2u +1 , ..., x uj +1 , ..., x nu +1 , u = 1, 2, …, Ns – 1 (Au and Beck, 2001): u +1 x = ~ x1u +1 , ~ x 2u +1 , ..., ~ x ju +1 , ..., ~ x nu +1 : for each 1. Generation of a candidate sample ~

chain sample x

{

}

parameter x j , j = 1, 2, …, n: a. Sample a precandidate value ξ uj +1 from p *j (⋅ | x uj ) ; b. Compute the acceptance ratio: 33

PAPER I – E. Zio, N. Pedroni / Nuclear Engineering and Design 239 (2009) 580-599

r

u +1 j

=

q j (ξ uj +1 )

(1’)

q j ( x uj )

u +1 x as follows: c. Set the new value ~ x ju +1 of the jth element of ~

⎧ξ u +1 with probability min(1, rju +1 ) ~ x uj +1 = ⎨ ju (2’) u +1 − x with probabilit y 1 min( 1 , r ) j j ⎩ u +1 2. Acceptance/rejection of the candidate sample vector ~ x : u +1 u u +1 u x = x (i.e., no precandidate values have been accepted), set x = x . If ~ u +1 u +1 x x ∈ F : if belongs to the intermediate region F , i.e. ~ Otherwise, check whether ~ i

i

it is, then accept the candidate ~ x as the next state, i.e., set x = ~ x ; otherwise, u +1 ~ and take the current sample as the next one, i.e., set reject the candidate x u +1

x

u +1

u +1

u +1

u

=x .

u u +1 x is generated from the current sample x and then either In synthesis, a candidate sample ~ u u +1 u +1 x or the current sample x is taken as the next sample x , the candidate sample ~ u +1 x lies in the intermediate region Fi or not. depending on whether the candidate ~

Finally, notice that in this work, the one-dimensional proposal PDF p *j , j = 1, 2, …, n, is chosen as a symmetrical uniform distribution centered at the current sample xj, j = 1, 2, …, n, with width 2lj, where lj is the maximum step length, i.e. the maximum allowable distance that the next sample can depart from the current one. The choice of lj is such that the standard deviation of p *j is equal to that of qj, j = 1, 2, …, n.

34

Paper II Functional failure analysis of a thermal-hydraulic passive system by means of Line Sampling E. Zio and N. Pedroni Reliability Engineering and System Safety 94 (2009) 1764-1781

Functional failure analysis of a thermal-hydraulic passive system by means of Line Sampling E. Zio and N. Pedroni Energy Department, Polytechnic of Milan, Via Ponzio 34/3, 20133 Milan, Italy Phone: +39-2-2399-6340; fax: +39-2-2399-6309 E-mail address: [email protected]

Abstract Assessing the failure probability of a Thermal-Hydraulic (T-H) passive system amounts to evaluating the uncertainties in its performance. Two different sources of uncertainties are usually considered: randomness due to inherent variability in the system behaviour (aleatory uncertainty) and imprecision due to lack of knowledge and information on the system (epistemic uncertainty). In this paper, we are concerned with the epistemic uncertainties affecting the model of a T-H passive system and the numerical values of its parameters. Due to these uncertainties, the system may find itself in working conditions that do not allow it to accomplish its functions as required. The estimation of the probability of these functional failures can be done by Monte Carlo (MC) sampling of the epistemic uncertainties affecting the model and its parameters, followed by the computation of the system function response by a mechanistic T-H code. Efficient sampling methods are needed for achieving accurate estimates, with reasonable computational efforts. In this respect, the recently developed Line Sampling (LS) method is here considered for improving the MC sampling efficiency. The method, originally developed to solve high-dimensional structural reliability problems, employs lines instead of random points in order to probe the failure domain of interest. An “important direction” is determined, which points towards the failure domain of interest; the high-dimensional reliability problem is then reduced to a number of conditional one-dimensional problems which are solved along the “important direction”. This allows to significantly reduce the variance of the failure probability estimator, with respect to standard random sampling. The efficiency of the method is demonstrated by comparison to the commonly adopted Latin Hypercube Sampling (LHS) and First Order Reliability Method (FORM) in an application of functional failure analysis of a passive decay heat removal system in a Gas-cooled Fast Reactor (GFR) of literature. Keywords: Functional failure probability; Natural Circulation; Gas-cooled fast reactor; Line Sampling; Important direction; Variance reduction.

PAPER II – E. Zio, N. Pedroni/Reliability Engineering and System Safety 94 (2009) 1764-81

1 Introduction According to the International Atomic Energy Agency (IAEA) definition, a passive system does not need external input (especially energy) to operate [1]. Expanded consideration of severe accidents, increased safety requirements and the goal of introducing effective, yet physically transparent, safety functions has led to a growing interest in the use of passive systems for the safety of the future nuclear reactors. Indeed, passive systems are expected to contribute significantly to safety by combining their peculiar characteristics of simplicity, reduction of human interaction and reduction or avoidance of hardware failures [2]. As a result, all innovative reactor concepts make use of passive safety features, to a large extent in combination with active safety and operational systems [3], [4]. On the other hand, the uncertainties involved in the actual operation of passive systems and their modelling are usually larger than in active systems. Two different sources of uncertainties are usually considered in safety analyses: randomness due to intrinsic variability in the behavior of the system (aleatory uncertainty) and imprecision due to lack of data on some underlying phenomena (e.g., natural circulation) and to scarce or null operating experience over the wide range of conditions encountered during operation [5]. As a consequence of these uncertainties, in practice there is a nonzero probability that the physical phenomena involved in the passive system operation lead to failure of performing the intended function even if safety margins are present. In fact, deviations in the natural forces and in the conditions of the underlying physical principles from the expected ones can impair the function of the system itself [6], [7], [8]. In recent years, various methodologies have been proposed in the open literature to quantify the probability that T-H passive systems fail to perform their functions. A number of methods adopt the system reliability analysis framework. In [9], a dynamic methodology based on the cell-to-cell mapping technique has been used for the reliability analysis of an inherently safe Boiling Water Reactor (BWR). In [8], the failure probability is evaluated as the probability of occurrence of different independent failure modes, a priori identified as leading to the violation of the boundary conditions and/or physical mechanisms needed for successful passive system operation. In [10], modeling of the passive system is simplified as modeling of the unreliabilities of the hardware components of the system: this is achieved by identifying the hardware failures that degrade the natural mechanisms upon which the passive system relies and associating the relative unreliabilities of the components designed to assure the passive function. This concept is also at the basis of the Assessment of Passive System ReliAbility (APSRA) approach which has been applied to the reliability analysis of the natural circulation-based Main Heat Transport (MTH) system of an Indian Heavy Water Reactor (HWR) [4]. An alternative approach is founded on the concept of functional failures in the framework of reliability physics and load-capacity exceedance probability [6], [8]. In this view, a passive system fails to perform its function due to deviations from its expected behavior which lead the load imposed on the system to overcome its capacity. This is the viewpoint of methodologies like the Reliability Evaluation of PAssive Safety (REPAS) [11], [12], [13] and Reliability Methods for Passive Safety (RMPS) [7], developed and employed for the reliability analysis of passive Residual Heat Removal Systems (RHRSs) of Light Water Reactors (LWRs). Similar methods have been devised to evaluate the failure probabilities of decay heat removal systems in Gas-cooled Fast Reactors (GFRs) [3], [5], [14] and sodiumcooled Fast Breeder Reactors (FBRs) [2]. In all these methods, the passive system is modeled by a detailed, mechanistic T-H system code and the probability of not performing the required function is estimated based on a Monte Carlo (MC) sample of code runs which propagate the epistemic (state-of-knowledge) uncertainties affecting the model describing the system and 2

PAPER II – E. Zio, N. Pedroni/Reliability Engineering and System Safety 94 (2009) 1764-81

the numerical values of its parameters. Because of the existence of these epistemic uncertainties, it is possible that the system may not accomplish its mission. The MC simulation-based approach provides in principle the most realistic assessment of the T-H system functional failure probability, thanks to the flexibility of the MC simulation method which does not suffer from any T-H model complexity and, therefore, does not force to resort to simplifying approximations. However, the procedure requires considerable and often prohibitive computational efforts. The reason is twofold: first, long calculations (several hours) are typically necessary for each run of the detailed, mechanistic T-H code (one code run is required for each sample of values drawn from the uncertainty distributions); second, since the probabilities of functional failures are typically very close to zero, a large number of samples (inversely proportional to the functional failure probability) is necessary to achieve an acceptable estimation accuracy [15]. These computational hurdles call for efficient simulation techniques for performing robust estimations with a limited number of input samples and associated low computational time. To this aim, the Importance Sampling (IS) method has been introduced [16], [17]. This technique amounts to replacing the original Probability Density Function (PDF) of the uncertain variables with an Importance Sampling Distribution (ISD) chosen so as to generate samples that lead to failure more frequently [16]. IS has the capability of considerably reducing the variance compared with standard Monte Carlo Simulation (MCS), provided that the ISD is chosen similar to the theoretical optimal one. In practice, substantial insights on the system behaviour and extensive modelling work may be required to identify a “good” ISD, e.g. by setting up complex kernel density estimators [16] or simply by tuning the parameters of the ISD based on expert judgment and trial-and-error [5]. Overall, this increases the effort associated to the simulation; furthermore, there is always the risk that an inappropriate choice of the ISD may lead to worse estimates compared to Standard MCS [17]. Another possible approach is Stratified Sampling. This technique requires dividing the sample space into several non-overlapping subregions (referred to as “strata”) and calculating the probability of each subregion; the (stratified) sample is then obtained by randomly sampling a predefined number of outcomes from each stratum [18], [19]. By so doing, the full coverage of the sample space is ensured while maintaining the probabilistic character of random sampling. A major issue related to the implementation of Stratified Sampling lies in defining the strata and calculating the associated probabilities, which may require considerable a priori knowledge. As a remark, notice that the widely used event tree techniques in nuclear reactor Probabilistic Risk Assessment (PRA) can be seen as defining and implementing Stratified Sampling of accident events and scenarios [19]. A popular compromise between plain random sampling (i.e., standard MCS) and Importance/Stratified Sampling is offered by Latin Hypercube Sampling (LHS), which is commonly used in PRA [20] for efficiently generating random samples [18], [21]. The effectiveness of LHS, and hence its popularity, derives from the fact that it provides a dense stratification over the range of each uncertain variable, with a relatively small sample size, while preserving the desirable probabilistic features of simple random sampling; moreover, there is no necessity to determine strata and strata probabilities like in Stratified Sampling [18]. For these reasons LHS is frequently adopted for efficiently propagating epistemic uncertainties in PRA problems [22], [23]. On the other hand, LHS is very efficient for estimating mean values and standard deviations in complex reliability problems [24], but only slightly more efficient than standard MCS for estimating small failure probabilities [25], like those expected for passive safety systems. 3

PAPER II – E. Zio, N. Pedroni/Reliability Engineering and System Safety 94 (2009) 1764-81

To overcome this limitation in this paper we investigate the use of Line Sampling (LS), a technique originally developed to efficiently tackle the multidimensional problems of structural reliability [26]. Lines, instead of random points, are used to probe the failure domain of the high-dimensional problem under analysis [27]. An “important direction” is optimally determined to point towards the failure domain of interest and a number of conditional, one-dimensional problems are solved along such direction, in place of the highdimensional problem [27]. The approach has been shown to perform better than standard MCS in a wide range of structural reliability problems [17], [26], [27], [28]; furthermore, if the boundaries of the failure domain of interest are not too rough (i.e., almost linear) and the “important direction” is almost perpendicular to them, the variance of the failure probability estimator could be ideally reduced to zero [26]. LS is here applied to the functional failure analysis of a natural convection-based decay heat removal system of a Gas-cooled Fast Reactor (GFR) [5], [29]. To the best of the authors’ knowledge, this is the first time that the LS method is applied to such kind of systems. The benefits gained by the use of LS are demonstrated by comparison with respect to LHS. Furthermore, a sensitivity analysis is carried out to determine the contributions of the individual uncertain parameters (i.e., the inputs to the T-H code) to the functional failure probability. The remainder of the paper is organized as follows. In Section 2, the concepts of functional failure analysis for T-H passive systems are summarized. In Section 3, a general presentation of the LS procedure is provided. In Section 4, the case study of literature concerning the passive cooling of a GFR is presented. The results of the application of LS to the reliability analysis of the passive decay heat removal system are reported in Section 5. Some conclusions are proposed in the last Section. For completeness of the contents of the paper, detailed descriptions of the LS algorithm and of the well-known LHS technique are provided in Appendices A and B, respectively.

2 Functional failure analysis of T-H passive systems A procedure for the quantitative analysis of functional failures of T-H passive systems has been proposed within an European Commission (EC) supported project called Reliability Methods for Passive Safety (RMPS) functions. The elements underpinning the method are [7], [14]: i) the detailed modelling of the system response by means of a deterministic T-H code, ii) the identification of the parameters which contribute to the (epistemic) uncertainty in the results of the T-H calculations and iii) the propagation of these (epistemic) uncertainties through the T-H code for estimating the probability of functional failure. For completeness of the paper, the steps for the conceptual development of the methodology are synthetically recalled [7]: 1. Characterize the accident scenario in which the passive system under consideration operates. 2. Define the function that the passive system is expected to perform, e.g. decay heat removal, vessel cooling and depressurization, etc. 3. Identify the design parameters values (e.g., power level, system pressure, heat exchanger initial wall temperature, …) related to the reference configuration of the passive system and the corresponding nominal function [11]. 4. Identify the possible failure modes of the passive system for the accident scenario under consideration [30], [31]. 5. Evaluate the failure criteria for the passive system, on the basis of its function (as defined in step 2.) and failure modes (as defined in step 4.). The occurrence of a failure is verified by comparison between the actual performance of the passive 4

PAPER II – E. Zio, N. Pedroni/Reliability Engineering and System Safety 94 (2009) 1764-81

6. 7.

8. 9.

system and the expected performance in nominal, reference conditions. For the definition of the failure criteria, various reactor parameters can be adopted as indicators of the performance of the passive system: for instance, the failure criterion could be based on the maximal clad temperature reached during a specific period of operation [2], [3], [5], [7], [14]. Another possibility consists in taking as performance indicators one or more variables or parameters characteristic of the passive system function itself (e.g., thermal power exchanged in the cooler or mass flow rate at the cooler inlet). Again, the failure criteria can be set as point-value targets (e.g. the system must deliver a specific quantity of liquid within a fixed time), as function-oftime targets or integral values over a mission time (e.g., the system must reject at least a given mean value of thermal power during the entire period of system intervention) [11], [12], [13], [32]. Build a mechanistic, best-estimate T-H model to simulate the system accident response and perform best estimate calculations [33]. Identify the factors of uncertainty in the results of the best estimate T-H calculations. These uncertainties are of both aleatory kind, because of the randomness in the occurrence of some phenomena (e.g., the occurrence of an accident scenario, the failure of a component, ...) and of epistemic nature, because of the limited knowledge on some phenomena and processes (e.g., models, parameters and correlations used in the T-H analysis) and of the paucity of the related operational and experimental data available [8]. In the present work, only epistemic uncertainties are considered in this step, as done in the reference paper by [7]. Quantify the epistemic uncertainties in the identified relevant parameters, models and correlations by proper probability distributions, which represent state of knowledge in a Bayesian sense [5], [8]. Propagate the epistemic uncertainties associated to the identified relevant parameters, models and correlations (steps 7. and 8. above) through the deterministic T-H code in order to estimate the functional failure probability of the passive system, conditional on the current state of knowledge about the phenomena involved (step 8. above) [2], [3], [14], [34]. Different methods can be used to quantify the passive system functional failure probability. Formally, let x = {x1, x2, …, xi, …, xn} be the vector of the relevant system parameters, Y( x ) be the identified scalar performance indicator and αY the threshold value defining the corresponding failure criterion. For illustrating purposes, let us assume that the passive system operates as long as Y( x ) < αY (Figure 1). Thus, introducing a new variable called Limit State Function (LSF) or Performance Function (PF) as g x ( x) = Y ( x ) − α Y , one writes g x ( x ) = Y ( x ) − αY

⎧< 0 for function successfully performed ⎪ ⎨ = 0 at limit state ⎪ > 0 for failure of performing the function ⎩

(1)

Note that the choice of a single-valued performance function does not reduce the generality of the approach, because any multidimensional vector of physical quantities can be conveniently re-expressed as a scalar parameter by resorting to suitable minmax transformations (see Section 4.3 for details). Given the limited state of knowledge and consequent epistemic uncertainties in the model representation of the system behavior, there is a probability of system functional failure, P(F), which can be expressed in terms of the following integral: P (F ) = ∫∫ ...∫ I F ( x1 , x2 , ..., xi , ..., xn )q( x1 , x2 , ..., xi , ..., xn )dx1dx2 ...dxi ...dxn (2)

where q (⋅) is the joint Probability Density Function (PDF) representing the epistemic uncertainty in the parameters x , F is the failure region (i.e., the region where gx(·) > 5

PAPER II – E. Zio, N. Pedroni/Reliability Engineering and System Safety 94 (2009) 1764-81

0) and IF(·) is an indicator function such that IF(x) = 1, if x ∈ F and IF(x) = 0, otherwise. In practice, the multidimensional integral (2) can not be easily evaluated. MC simulation provides an effective means for estimating its value, albeit it implies sampling from the multidimensional joint PDF which is in general a non-trivial task (Schueller, 2007). Indeed, the MC solution to (2) entails that a large number NT of samples of the values of the system parameters be drawn from q (⋅) and used to evaluate the LSF (1). An estimate Pˆ NT (F ) of the probability of failure P(F) in (2) can

then be computed by dividing the number of times that gx(·) > 0 by the total number of samples NT. It can be demonstrated that this estimate is unbiased and consistent, i.e. that as NT approaches infinity, Pˆ NT (F ) approaches the true failure probability P(F). In general, given the high dimensionality of the problem and the large dimension of the relative sample space compared to the failure region of interest, a large number of samples is necessary to achieve an acceptable accuracy in the estimation of the functional failure probability P(F). This leads to very large computing times due to the long calculations (several hours) of the detailed, best-estimate T-H code (one code run for each sample of parameter values drawn).

The computational burden posed by the analysis (step 9. above, [7]) may be tackled on one side by means of efficient simulation techniques for performing robust estimations with an as low as possible number of samples of uncertain values. Techniques like the previously mentioned Importance Sampling [16], [17] and Stratified Sampling [18], [19] have been used to this purpose [22], [23], [35]. In this paper, the issue is addressed by resorting to an innovative MC sampling technique called Line Sampling (LS) [26]; a description of the method is given in the following Section.

Figure 1. Functional failure concept: the passive system is assumed to fail when its performance indicator Y(x) exceeds a given failure threshold αY

6

PAPER II – E. Zio, N. Pedroni/Reliability Engineering and System Safety 94 (2009) 1764-81

3 The Line Sampling method Line Sampling is a stochastic simulation method for efficiently computing small failure probabilities. It was originally developed for the reliability analysis of complex structural systems [26]. The underlying idea is to employ lines instead of random points in order to probe the failure domain of the high-dimensional system under analysis [27]. In extreme synthesis, the problem of computing the multidimensional failure probability integral (2) in the original “physical” space is transformed into the so-called “standard normal space”, where each random variable is represented by an independent central unit Gaussian distribution. In this space, a unit vector α (hereafter also called “important unit vector” or “important direction”) is determined, pointing towards the failure domain F of interest (for illustration purposes, two plausible important unit vectors, α1 and α2, pointing towards two different failure domains, F1 and F2, are visually represented in Figure 2, left and right, respectively, in a two-dimensional uncertain parameter space). The problem of computing the high-dimensional failure probability integral (2) is then reduced to a number of conditional one-dimensional problems, which are solved along the “important direction” α in the standard normal space. The conditional one-dimensional failure probabilities (associated to the conditional one-dimensional problems) are readily computed by using the standard normal cumulative distribution function [27].

Figure 2. Examples of possible important unit vectors α1 (left) and α2 (right) pointing towards the corresponding failure domains F1 (left) and F2 (right) in a two-dimensional uncertain parameter space

3.1 Transformation of the physical space into the standard normal space

Let x = {x1 , x2 , ..., x j , ..., xn }∈ ℜ n be the vector of uncertain parameters defined in the original physical space x ∈ ℜ n . For problems where the dimension n is not so small, the parameter vector x can be transformed into the vector θ ∈ ℜ n , where each element of the vector θj, j = 1, 2, …, n, is associated with a central unit Gaussian standard distribution [17]. The joint probability density function of the random parameters {θ j : j = 1, 2, ..., n} is, then:

ϕ (θ ) = ∏ φ j (θ j ) n

j =1

(

where φ j (θ j ) = 1

(3)

)

2π e

− x 2j 2

, j = 1, 2, ..., n. 7

PAPER II – E. Zio, N. Pedroni/Reliability Engineering and System Safety 94 (2009) 1764-81

The mapping from the original, physical vector of random variables x ∈ ℜ n to the standard normal vector θ ∈ ℜ n is denoted by Txθ (⋅) and its inverse by Tθx (⋅) , i.e.: θ = Txθ ( x ) (4) x = Tθx (θ ) (5) Transformations (4) and (5) are in general nonlinear and are obtained by applying Rosenblatt’s or Nataf’s transformations, respectively [36], [37], [38]. By transformation (4), also the performance function g x (⋅) defined in the physical space can be transformed into g θ (⋅) in the standard normal space: gθ (θ ) = g x ( x ) = g x (Tθx (θ )) (6) Since in most cases of practical interest the function gθ (θ ) is not known analytically, it can be evaluated only point-wise. According to (6), the evaluation of the system performance function gθ (⋅) at a given point θ k , k = 1, 2, ..., NT, in the standard normal space requires i) a transformation into the original space, ii) a complete simulation of the system response and iii) the computation of the system response from the model. The computational cost of evaluating the failure probability is governed by the number of system performance analyses that have to be carried out [17].

3.2 The important direction α for Line Sampling Three methods have been proposed in the open literature to estimate the important direction α for Line Sampling. In [26], the important unit vector α is taken as pointing in the direction of the “design point” in the standard normal space. According to a geometrical interpretation, the “design point” is defined as the vector point θ * on the limit state surface gθ (θ ) = 0 which is closest to the origin in the standard normal space [17]. Then, the unit important vector α can be easily obtained by normalizing θ * , i.e., α = θ * θ * , where ⋅ 2 denotes the usual 2

Euclidean measure of a vector. However, the design points, and their neighborhood, do not always represent the most important regions of the failure domain, especially in high-dimensional spaces [17]. Moreover, the computational cost associated with the calculation of the design point can be quite high, in particular if long-running numerical codes are required to simulate the response of the system to its uncertain input parameters [17], as it is the case in the reliability analysis of T-H passive systems. In [27], the direction of α is taken as the normalized gradient of the performance function in the standard normal space. Since the unit vector α = {α1 , α 2 , ..., α j , ..., α n } points towards the failure domain F, it can be used to draw information about the relative importance of the random parameters {θ j : j = 1, 2, ..., n} with respect to the failure probability P(F): the more relevant a random variable in determining the failure of the system, the larger the corresponding component of the unit vector α will be [27]. Such quantitative information is obtained from the gradient of the performance function gθ (θ ) in the standard normal space, ∇gθ (θ ) : T

⎡ ∂g (θ ) ∂gθ (θ ) ∂gθ (θ ) ∂gθ (θ ) ⎤ (7) ∇gθ (θ ) = ⎢ θ ... ... ⎥ ∂θ 2 ∂θ j ∂θ n ⎥⎦ ⎢⎣ ∂θ1 The gradient (7) measures in a unique way the relative importance of a particular uncertain variable with respect to the failure probability P(F): the larger the (absolute) value of a component of (7), the greater the “impact” of the corresponding uncertain variable on the 8

PAPER II – E. Zio, N. Pedroni/Reliability Engineering and System Safety 94 (2009) 1764-81

performance function gθ (θ ) in the standard normal space. In other words, given a specified finite variation Δθ in the parameter vector θ , the performance function gθ (θ ) will change most if this variation is taken in the direction of (7). Thus, it is reasonable to identify the LS important direction with the direction of the gradient (7) and compute the corresponding unit vector α as the normalized gradient of the performance function gθ (⋅) in the standard normal space, i.e. α = ∇gθ (θ ) ∇gθ (θ ) 2 [27]. On the other hand, when the performance function is defined on a high-dimensional space, i.e. when many parameters of the system under analysis are uncertain, the computation of the gradient ∇gθ (θ ) in (7) becomes a numerically challenging task. Actually, as the function gθ (θ ) is known only implicitly through the response of a numerical code, for a given vector θ = {θ1 , θ 2 , ...,θ j , ...,θ n } at least n system performance analyses are required to determine

accurately the gradient at a given point of the performance function gθ (⋅) by straightforward numerical differentiation, e.g. the secant method [39], [40].

Finally, the important unit vector α can also be computed as the normalized “center of mass” of the failure domain F of interest [26]. A point θ 0 is taken in the failure domain F. This can be done by traditional Monte Carlo sampling or by engineering judgment when possible. Subsequently, θ 0 is used as the initial point of a Markov chain which lies entirely in the failure domain F. For that purpose a Metropolis-Hastings algorithm is employed to generate a sequence of Ns points {θ u : u = 1, 2, ..., N s } lying in the failure domain F [41]. The unit vectors θ u θ u , u = 1, 2, …, Ns, are then averaged in order to obtain the LS important unit vector as 2

1 Ns u u α= ⋅∑θ θ (Figure 3). This direction is not optimal, but it is clear that it provides a 2 N s u =1 good approximation of the important regions of the failure domain (at least as the sample size Ns is large). On the other hand, it should be noticed that the procedure implies Ns additional system analyses by the T-H model, which substantially increase the computational cost associated to the simulation method.

9

PAPER II – E. Zio, N. Pedroni/Reliability Engineering and System Safety 94 (2009) 1764-81

Figure 3. Line Sampling important unit vector α taken as the normalized “center of mass” of the failure domain F in the standard normal space. The “center of mass” of F is computed as an average of Ns failure points generated by means of a Markov chain starting from an initial failure point θ0 [26] In this work, the method based on the normalized “center of mass” of the failure domain F has been employed, because it relies on a “map” approximating the failure domain F under analysis (given by the failure samples generated through a Markov chain) and thus it provides in principle the most realistic and reliable estimate for the LS important direction α. As previously mentioned, the identification of the “important direction” α allows “decomposing” the high-dimensional failure probability integral (2) into a number of conditional one-dimensional integrals, which are solved along the “important direction” α itself; this is found to significantly reduce the variance of the associated failure probability estimator [26]. The description of the Line Sampling algorithm is not reported here for brevity; however, thorough details about its practical implementation issues are given in Appendix A at the end of the paper.

4 Functional failure analysis of a T-H passive system The case study considered regards the reliability of performance of a system of natural convection cooling in a Gas-cooled Fast Reactor (GFR), following a post-Loss Of Coolant Accident (LOCA) [5]. The reactor is a 600-MW GFR cooled by helium flowing through separate channels in a silicon carbide matrix core [29]. In case of a LOCA, long-term heat removal is ensured by natural circulation in a given number Nloops of identical and parallel heat removal loops. However, in order to achieve a sufficient heat removal rate by natural circulation, it is necessary to maintain an elevated pressure even after the LOCA. This is accomplished by a guard containment, which surrounds the reactor vessel and power conversion unit and holds the pressure at a level that is reached after the depressurization of the system [5]. The GFR decay heat removal configuration is shown schematically in Figure 4, with only one loop for clarity of the picture: the flow path of the cooling helium gas is indicated by the black 10

PAPER II – E. Zio, N. Pedroni/Reliability Engineering and System Safety 94 (2009) 1764-81

arrows. For T-H modeling purposes, the loop has been divided into Nsections = 18 sections; for additional technical details about the geometrical and structural properties of these sections, the interested reader may refer to [5].

Figure 4. Schematic representation of one loop of the 600-MW GFR passive decay heat removal system [5] As in [5] the subject of the present analyses is the quasi-steady-state natural circulation cooling that takes place after the LOCA transient has occurred. Thus, the analyses hereafter reported refer to this steady-state period and are conditional to the successful inception of natural circulation. No consideration is given to the probability of failing to start natural convection or of not building up and maintaining a high pressure level in the guard containment. The average core power to be removed is assumed to be 18.7 MW, equivalent to about 3% of full reactor power (600 MW): to guarantee natural circulation cooling at this power level, a pressure of 1650 kPa is required in nominal conditions. Finally, the secondary side of the heat exchanger (i.e., item 12 in Figure 4) is assumed to have a nominal wall temperature of 90 °C [5].

4.1 The T-H model To simulate the steady-state behavior of the system, a one-dimensional thermal-hydraulic MATLAB code developed at MIT has been implemented [29]. The code treats all the Nloops multiple loops, each one divided in Nsections = 18 sections, as identical (Figure 4). Further, the sections corresponding to the heater (i.e., the reactor core, item 4 in Figure 4) and the cooler (i.e., the heat exchanger, item 12 in Figure 4) are divided in a proper number Nnodes of axial nodes to compute the temperature and flow gradients with sufficient detail (40 nodes are chosen for the present analysis). Both the average and hot channels are modeled in the core so that the increase in temperature in the hot channel due to the radial peaking factor can be calculated [29]. To obtain a steady-state solution, the code balances the pressure losses around the loops so that friction and form losses are compensated by the buoyancy term, while at the same time maintaining the heat balance in the heater and cooler. 11

PAPER II – E. Zio, N. Pedroni/Reliability Engineering and System Safety 94 (2009) 1764-81

Equations (8) and (9) in Table 1 govern the heat transfer process in each node l = 1, 2, …, Nnodes of both the heater and the cooler. Heat transfer equations  Ql = m c p ,l (Tout ,l − Tin ,l ) , l = 1, 2, …, Nnodes

(8)

m c p ,l (Tout ,l − Tin ,l ) = Sl hl (Twall ,l − Tbulk ,l ) , l = 1, 2, …, Nnodes

Parameter

Description

Q l m l

Heat flux in the lth node

c p ,l Tout ,l Tin ,l Twall ,l Tbulk ,l

(9) Unit of measure kW

Mass flow rate in the lth node

kg/s th

Specific heat at constant pressure in the l node th

Temperature measured at the outlet of the l node th

Temperature measured at the inlet of the l node th

Temperature measured at the wall channel of the l node th

Temperature measured at the bulk of the l node th

kJ/kgK K K K K

Sl

Heat-exchanging surface in the l node

m2

hl

Heat transfer coefficient in the lth node

kW/m2K

Table 1. Equations governing the heat transfer process in each node l = 1, 2, …, Nnodes of both the heater and the cooler of the 600-MW GFR passive decay heat removal system of Figure 4 and a description of the relevant physical parameters and their units of measure Equation (8) in Table 1 states the equality of the enthalpy increase between the flow at the inlet and the flow at the outlet in any node, whereas equation (9) regulates the heat exchange between the channel wall and the bulk of the coolant. The mass flow rate is determined by a balance between buoyancy and pressure losses along the closed loop according to equation (10) in Table 2.

N sections

∑ s =1

Mass flow rate equation ⎡ Ls m m 2 ⎤ + Ks ⎢ ρ s gH s + f s ⎥=0 2 ρ s As2 ⎦ Ds 2 ρ s As2 ⎣ 2

(10)

Parameter

Description

ρs

Coolant density in the sth section of the loop

Unit of measure kg/m3

Hs

Height of the sth section of the loop

m

fs Ls Ds

th

Friction factor in the s section of the loop th

Length of the s section of the loop th

/ m

m As

Hydraulic diameter of the s section of the loop Mass flow rate in the sth section of the loop Flow area of the sth section of the loop

m kg/s m2

Ks

Form loss coefficient of the sth section of the loop

/

Table 2. Equation stating the balance between buoyancy and pressure losses along the closed loop of the 600-MW GFR passive decay heat removal system of Figure 4 and a description of the relevant physical parameters and their units of measure Equation (10) in Table 2 states that the sum of buoyancy (first term), friction losses (second term) and form losses (third term) should be equal to zero along the closed loop [5]. 12

PAPER II – E. Zio, N. Pedroni/Reliability Engineering and System Safety 94 (2009) 1764-81

4.2 Uncertainties in the T-H model The T-H model described in the previous Section 4.1 is a mathematical representation of the behavior of the passive system. Predictions of the system response to given accident conditions are accurate to the extent that the hypotheses made in the mathematical representation, and for its numerical solution, are true. Indeed, uncertainties affect the actual operation of passive systems and its modeling. On the one side, there are phenomena, like the occurrence of unexpected events and accident scenarios, e.g. the failure of a component or the variation of the geometrical dimensions and material properties, which are random in nature. This kind of uncertainty in the model description of the system behavior is termed aleatory [22], [23]. Two examples of classical probabilistic models used to describe this kind of uncertainties in PRAs are the Poisson model for events randomly occurring in time (e.g., random variations of the operating state of a valve) and the binomial model for events occurring “as the immediate consequence of a challenge” (e.g., failures on demand) [42]. The effects of these uncertainties are then propagated onto the risk measure, e.g. by Monte Carlo simulation based on Importance Sampling or Stratified Sampling [19], [35], [43]. In the present analysis for the estimation of the functional failure probability of the T-H passive system of Figure 4, the representation and propagation of aleatory uncertainties are not considered, as in the reference paper by [5]. An additional contribution of uncertainty comes from the incomplete knowledge on the properties of the system and the conditions in which the phenomena occur (i.e., natural circulation). This uncertainty is often termed epistemic and affects the model representation of the system behaviour, in terms of both (model) uncertainty in the hypotheses assumed and (parameter) uncertainty in the values of the parameters of the model [19], [34]. Model uncertainty arises because mathematical models are simplified representations of real systems and, therefore, their outcomes may be affected by errors or bias. It may, for example, involve the correlations adopted to describe the T-H phenomena, which are subject to errors of approximation. Such uncertainties may for example be represented by a multiplicative model [34], [44]: y = f ( x) ⋅ ε , (11) where y is the real value of the parameter to be correlated (e.g., heat transfer coefficients, friction factors, Nusselt numbers or thermal conductivity coefficients), f(·) is the mathematical model of the correlation, x is the vector of correlating variables and ε is a random multiplicative error factor. Hence, the uncertainty in the output quantity y is translated into an uncertainty in the multiplicative error factor ε, commonly classified as representing model uncertainty. Model uncertainty might also arise because the model is too simplified and therefore neglects some important phenomena which instead significantly influence the model output. This particular manifestation of uncertainty is sometimes identified separately from model uncertainty as completeness uncertainty [45]. Uncertainty affects also the values of the parameters used in the model (e.g., power level, pressure, cooler wall temperature, material conductivity, …), e.g. owing to errors in their measurement or insufficient data and information. As a consequence, the values of such parameters are usually known only to a certain level of precision, i.e., epistemic uncertainty is associated with them [5]. In current PRAs, the effect of these uncertainties is often propagated on the risk measure by Latin Hypercube Sampling (LHS) [18]. In the particular problem here of interest, the role of epistemic uncertainties in the definition of the functional failure probability can be qualitatively explained as follows. If the analyst is not fully confident on the validity of the correlations adopted to estimate, e.g., the design value of the heat transfer coefficient in the core during natural convection (e.g., due to the paucity of experimental data available in support of the use of a particular correlation), he/she 13

PAPER II – E. Zio, N. Pedroni/Reliability Engineering and System Safety 94 (2009) 1764-81

admits that in a real accident scenario the actual value of the heat transfer coefficient in the core might deviate from the nominal/design one. If this variation (accepted as plausible by the analyst) were to take place during an accident scenario, it may cause the T-H passive system to fail performing its safety function; based on the current state of knowledge of the heat transfer phenomenon in the core under the expected conditions, the likelihood of the heat transfer coefficient variation is to be quantified for estimating the functional failure probability. A future improvement in the state of knowledge, e.g. due to the collection of data and information useful to improve the characterization of the heat transfer phenomenon, would lead to a change in the epistemic uncertainty distribution describing the likelihood of the various values of heat transfer coefficient and eventually to a more accurate estimate of the system functional failure probability [2], [3], [5], [14], [29], [34]. In this work, only epistemic (i.e., model and parameter) uncertainties are represented and propagated through the deterministic T-H code [2], [3], [5], [14], [34]. Parameter uncertainties are associated to the reactor power level, the pressure in the loops after the LOCA and the cooler wall temperature. Model uncertainties are associated to the correlations used to calculate the Nusselt numbers and friction factors in the forced, mixed and free convection regimes. The corresponding nine uncertain inputs of the model {x j : j = 1, 2, ..., 9} are assumed to be distributed according to normal distributions of known mean μ and standard deviation σ (Table 3, [5]). The practical and conceptual reasons underpinning the values in Table 3 are described in [5]; notice also that they are such that non-physical values of the uncertain variables can be sampled with negligible probabilities (e.g., lower than 10-11).

Parameter uncertainty Model uncertainty (error factor, ε)

Name

Mean, μ

Standard deviation, σ (% of μ)

Power (MW), x1 Pressure (kPa), x2 Cooler wall temperature (°C), x3 Nusselt number in forced convection, x4 Nusselt number in mixed convection, x5 Nusselt number in free convection, x6 Friction factor in forced convection, x7 Friction factor in mixed convection, x8 Friction factor in free convection, x9

18.7 1650 90 1 1 1 1 1 1

1% 7.5% 5% 5% 15% 7.5% 1% 10% 1.5%

Table 3. Parameter and model uncertainties together with the related subjective probability distributions parameters values for the 600-MW GFR passive decay heat removal system of Figure 4 [5]

4.3 Failure criteria of the T-H passive system The passive decay heat removal system of Figure 4 is considered failed whenever the temperature of the coolant helium leaving the core (item 4 in Figure 4) exceeds either 1200 °C in the hot channel or 850 °C in the average channel: these values are expected to limit the fuel temperature to levels which prevent excessive release of fission gases and high thermal stresses in the cooler (item 12 in Figure 4) and in the stainless steel cross ducts connecting the reactor vessel and the cooler (items from 6 to 11 in Figure 4) [5]. Indicating by x the vector of the 9 uncertain system parameters of Table 3 (Section 4.2) and hot avg by Tout , core ( x ) and Tout , core ( x ) the coolant outlet temperatures in the hot and average channels, respectively, the failure region F can be written as follows: hot avg F = {x :Tout , core ( x ) > 1200}∪ {x :Tout ,core ( x ) > 850}.

(12)

14

PAPER II – E. Zio, N. Pedroni/Reliability Engineering and System Safety 94 (2009) 1764-81

To apply Line Sampling, the failure region F in (12) is condensed into a single performance indicator Y(x), leading to the definition of a single-output performance function g x (⋅) (Sections 2 and 3). The system performance indicator Y ( x ) is defined as

hot avg ⎫ ⎧Tout ,core ( x ) Tout ,core ( x ) Y ( x ) = max ⎨ (13) , ⎬ 850 ⎭ ⎩ 1200 so that the failure region F becomes specified as: F = {x :Y ( x ) > 1}. (14) In the notation of Section 2, the failure threshold αY is then equal to one and the system Performance Function (PF) in (1) is written as g x ( x ) = Y ( x ) − α Y = Y ( x ) − 1 .

5 Results of the application of LS for the functional failure analysis of the T-H passive system of Section 4 In this Section, the results of the application of LS for the functional failure analysis of the 600-MW GFR passive decay heat removal system in Figure 4 are illustrated. First, the probabilities of functional failure of the system are estimated (Section 5.1); then, the sensitivity of the passive system performance with respect to the uncertain input parameters is studied by examining the important unit vector α (Section 5.2).

5.1 Functional failure probability estimation In this Section, the performance of LS in the task of estimating the functional failure probability of the 600-MW GFR passive decay heat removal system of Figure 4 is compared to that of LHS (Appendix B); a comparison is also carried out with respect to the well-known First Order Reliability Method (FORM) [46]. Three different system configurations of decreasing values of failure probability are analyzed, with Nloops = 3 (P(F) ~ 10-3), 4 (P(F) ~ 10-5) and 5 (P(F) ~ 10-6). LS has been run with a total of NT = 10000 samples for all three cases, whereas LHS has been run with NT = 10000, 100000 and 1000000 for the configurations with Nloops = 3, 4 and 5, respectively, due to the necessity of producing a number of failure samples sufficient to estimate the related small failure probabilities and their standard deviations with acceptable robustness. The choice of NT = 10000, 100000 and 1000000 has been made for illustration and comparison purposes only. In practice LHS of such large size would not be carried out: if the properties of the problem were such to require such large sizes of LHS, then some other more appropriate simulation techniques would be adopted, like Importance sampling [16], [17], Stratified sampling [18], [19] or standard random sampling applied to an appropriately developed regression model [47], [48], [49]. For fair comparison, the two simulation methods under analysis have been evaluated with respect to two numerical indices which are independent of the total number NT of samples drawn: the unitary coefficient of variation (c.o.v.) Δ and the Figure Of Merit (FOM). Letting Pˆ NT (F ) be the estimate of the functional failure probability P(F) obtained by a given simulation method using NT samples, the unitary c.o.v. Δ is defined as σ Pˆ NT (F ) Δ = δ Pˆ NT (F ) ⋅ N T = ⋅ NT (15) E Pˆ NT (F ) where δ Pˆ NT (F ) is the c.o.v. of Pˆ NT (F ) , defined as the ratio of the standard deviation

(

(

)

(

)

( (

) )

(F )) to the expected value (i.e., the mean)

(

)

E Pˆ NT (F ) of Pˆ NT (F ) . In order to fairly compare the performances of LHS and LS and provide statistically meaningful estimates for

σ Pˆ

NT

15

PAPER II – E. Zio, N. Pedroni/Reliability Engineering and System Safety 94 (2009) 1764-81

(

)

(

)

σ Pˆ N (F ) and E Pˆ N (F ) in (15), S = 100 independent runs of each method have been T

T

carried out. In each simulation s = 1, 2, …, S an estimate PˆsNT (F ) of P(F) is obtained from the realization of NT samples: this produces an empirical distribution of the failure probability estimator Pˆ NT (F ) . The expected value E Pˆ NT (F ) can then be statistically estimated as

(

(

) (

)

)

S

1 E Pˆ NT (F ) ≈ Eˆ Pˆ NT (F ) = ∑ PˆsNT (F ) S s =1

(16)

(

)

and the corresponding standard deviation σ Pˆ NT (F ) as 2 1 S ˆ NT σ Pˆ NT (F ) ≈ σˆ Pˆ NT (F ) = Ps (F ) − Eˆ Pˆ NT (F ) . (17) ∑ S − 1 s =1 Since the standard deviation σ Pˆ NT (F ) (and, thus, the c.o.v. δ Pˆ NT (F ) ) of the Monte Carlo failure probability estimator Pˆ NT (F ) decays with a rate O 1 N T , then the quantity Δ = δ Pˆ NT (F ) ⋅ N is independent of NT [26] and serves the purpose of an intrinsic measure

(

) (

[

)

(

(

)

)

(

)]

( (

) )

T

of variability of the failure probability estimates obtained by a given simulation method. Notice that the lower is the value of Δ, the lower is the variability of the corresponding failure probability estimator and thus the higher is the efficiency of the simulation method adopted. In addition to the precision of the failure probability estimator, also the computational time associated to the simulation method has to be taken into account. To this aim, the FOM can be used: 1 1 (18) FOM = 2 N ≈ 2 N T T ˆ ˆ σ P (F ) ⋅ tcomp σˆ P (F ) ⋅ tcomp is the computational time required by the simulation method and σ 2 Pˆ NT (F ) is where t

(

comp

)

(

)

(

)

(

)

defined in (17). Since σ 2 Pˆ NT (F ) ∝ NT and approximately tcomp ∝ N T , also the FOM is independent of NT. Notice that in this case the higher is the value of the index, the higher is the efficiency of the method. Table 4 reports the values of the passive system functional failure probability estimate Pˆ NT (F ) , the unitary c.o.v. Δ and the FOM obtained by LS with NT = 10000 samples and LHS with NT = 10000, 100000 and 1000000 samples; the actual number Nsys of system response analyses by the T-H model and the computational time tcomp (in seconds) required by each simulation method on a Pentium 4 CPU 3.00GHz are also reported. Notice that for LS the actual number Nsys of system analyses is given by Nsys = Ns + 2·NT: in particular, Ns = 2000 analyses are performed to generate the Markov chain used to compute the important unit vector α as the normalized “center of mass” of the failure domain F (Section 3.2); the 2·NT analyses are carried out to compute the NT conditional one-dimensional failure probability estimates Pˆ 1D , k (F ) : k = 1, 2, ..., N T by linear interpolation (equation (4’) in Appendix A).

{

}

16

PAPER II – E. Zio, N. Pedroni/Reliability Engineering and System Safety 94 (2009) 1764-81

Pˆ

NT

(F )

Δ

-3

19.05 LHS 1.400·10 LS 1.407·10-3 0.4757

Pˆ NT (F )

Δ

-5

LHS 2.000·10 210.82 LS 1.510·10-5 0.4785

Pˆ NT (F )

Δ

-6

Nloops = 3 FOM NT 3

1.41·10 1.00·106

10000 10000

Nloops = 4 FOM NT 4

5.63·10 9.87·108

100000 10000

Nloops = 5 FOM NT

Nsys

tcomp [s]

10000 22000

32515 64328

Nsys

tcomp [s]

100000 22000

321650 63482

Nsys

tcomp [s]

5

LHS 2.000·10 699.80 1.58·10 1000000 1000000 3223508 22000 64281 LS 3.426·10-6 0.9105 1.60·1010 10000

Table 4. Values of the passive system failure probability estimate Pˆ NT (F ) , unitary coefficient of variation (c.o.v.) Δ and Figure Of Merit (FOM) obtained by LS with NT = 10000 samples and LHS with NT = 10000, 100000 and 1000000 samples. The actual number Nsys of system analyses and the computational time tcomp (in seconds) required by each simulation method on a Pentium 4 CPU 3.00GHz are also reported It can be seen that LS leads to a substantial improvement in efficiency over LHS in all the cases considered, i.e. for failure probabilities P(F) ranging from 10-3 (Nloops = 3 in Table 4) to 10-6 (Nloops = 5 in Table 4), with the most significant improvement being registered in the estimation of the smallest values of failure probability. In particular, for P(F) ~ 10-6 (Nloops = 5 in Table 4) the estimate provided by LS is much more robust than the one provided by LHS: the unitary c.o.v. Δ of the LS estimator (which measures its variability) is about 770 times lower than that of the LHS estimator (conversely, the FOM is about 105 times larger). Notice that for the LS method even though the determination of the sampling important direction α (Section 3.2) and the calculation of the conditional one-dimensional failure probability estimates Pˆ 1D , k (F ) : k = 1, 2, ..., N T (equation (4’) in Appendix A) require much more than NT system analyses by the T-H model, this is significantly overweighed by the accelerated convergence rate that can be attained by the LS method with respect to LHS. Finally, it is also worth noting that the use of preferential lines (instead of random points) to probe the failure domain F of interest makes the effectiveness of the LS method almost independent of the target failure probability P(F) to be estimated: indeed, the value of the unit c.o.v. Δ is almost the same for values of the target failure probability P(F) which change by three orders of magnitude (in particular, Δ = 0.4757, 0.4785 and 0.9105 for P(F) ~ 1.4·10-3, 1.5·10-5 and 3.4·10-6, respectively).

{

}

A further comparison has been performed between Line Sampling and the well-known First Order Reliability Method (FORM) [17], [46]. The FORM algorithm involves three steps: i. Transforming the space of the original, physical uncertain input variables into a space of standard normal variables (Section 3.1); ii. Identifying the “design point” of the problem in the standard normal space. According to a geometrical interpretation, the “design point” is defined as the vector point θ * on the limit state surface gθ (θ ) = 0 which is closest to the origin in the standard normal space [17]. It can be computed by solving the following constrained minimization problem [50]: 17

PAPER II – E. Zio, N. Pedroni/Reliability Engineering and System Safety 94 (2009) 1764-81

Find θ * : θ *

2

= min

{θ }

gθ (θ )= 0

(19)

2

where ⋅ 2 denotes the usual Euclidean measure of a vector. iii. Computing the estimate Pˆ (F ) for the failure probability P(F) as Pˆ (F ) = Φ − θ *

(

2

)

(20)

where Φ (⋅) is the standard normal cumulative distribution function. In other words, FORM uses the Euclidean distance θ *

2

from the design point θ * to the origin of

the standard normal space as a measure of the failure probability P(F) of the system. Table 5 reports the values of the passive system functional failure probability estimate Pˆ (F ) obtained by LS with Nsys = 22000 system analyses (i.e., NT = 10000 samples) and by FORM with Nsys = 6934, 10632 and 11794 system analyses; the computational time tcomp (in seconds) required by each simulation method on a Pentium 4 CPU 3.00GHz is also reported. Notice that all the Nsys system response analyses required by FORM are dedicated to solving the constrained minimization problem (19) by means of an iterative gradient-based algorithm [50]. It can be seen that FORM produces an acceptable result only for the configuration with Nloops = 3: actually, the failure probability estimate provided by FORM is 1.738·10-3 which is comparable to that provided by LS (i.e., 1.407·10-3). On the contrary, for the configurations with Nloops = 4 and 5 FORM significantly underestimates the failure probability of the system: estimates of 6.198·10-6 and 7.615·10-7 instead of 1.510·10-5 and 3.426·10-6 are produced for the configurations with Nloops = 4 and 5, respectively. These results demonstrate one of the known major drawbacks of FORM, i.e., the fact that the design points, and their neighborhoods, do not always represent the most important regions of the failure domain, especially in high-dimensional spaces [17]. Moreover, the gradient-based algorithms that are usually applied to solve the constrained minimization problem (19) and identify the design point θ * frequently converge to local minima, with further degradation of the accuracy of the estimate. Finally, the fact that FORM bases its failure probability estimation on the only design point (and not on a wide, random exploration of the sample space) makes it impossible to convey any information on the achieved accuracy: in other words, variances, coefficients of variations and Figures of Merit associated to the estimates cannot be determined [17].

18

PAPER II – E. Zio, N. Pedroni/Reliability Engineering and System Safety 94 (2009) 1764-81

Nloops = 3 Nsys Pˆ (F ) -3

tcomp

9634 FORM 1.7380·10 1.407·10-3 22000 LS Nloops = 4 Nsys Pˆ (F ) -6 10632 FORM 6.198·10 -5 1.510·10 22000 LS Nloops = 5 Nsys Pˆ (F ) -7 11794 FORM 7.615·10 -6 3.426·10 22000 LS

28175 64328

tcomp 31150 63482

tcomp 34491 64281

Table 5. Values of the passive system failure probability estimate Pˆ (F ) obtained by LS with Nsys = 22000 system analyses and by FORM with Nsys = 9634, 10632 and 11794 system analyses (required to identify the design point θ* by means of an iterative gradient-based minimization algorithm). The computational time tcomp (in seconds) required by each simulation method on a Pentium 4 CPU 3.00GHz is also reported

5.2 Sensitivity analysis based on the Line Sampling important direction α

As explained in Section 3.2, the important unit vector α = {α1 , α 2 , ..., α j , ..., α n } is determined to point towards the failure domain F of interest: for example, in this work it is computed as the normalized “center of mass” of the failure domain F (Figure 3 of Section 3.2) [26]: as a consequence, it provides in principle the most realistic and reliable estimate for the location of the failure domain F in the standard normal space. As such, the identified vector α tells which combinations of parameter variations contribute most to failure and thus gives an idea of the relative importance of the uncertain parameters {θ j : j = 1, 2, ..., n} in determining the failure of the system under analysis [27]. For example, in the situation depicted in Figure 2, left, the system would be driven to failure much more effectively by an increase in Parameter 2 rather than by an increase in Parameter 1; on the contrary, in the situation represented in Figure 2, right, an increase in Parameter 1 would be much more important in determining system failure than an increase in Parameter 2. In this view, the sensitivity of the passive system performance to the individual uncertain inputs of Table 3 has been studied by comparing the magnitudes of the components of α. Table 6 reports the values of the components of the LS important unit vector α for the three system configurations with Nloops = 3, 4 and 5. Nloops

α1 (x1)

α2 (x2)

α3 (x3)

3 4 5

+ 0.0526 + 0.0774 + 0.0714

- 0.9243 - 0.9753 - 0.9868

+ 0.0540 + 0.0203 + 0.0645

LS important unit vector, α α4 (x4) α5 (x5) α6 (x6) α7 (x7) + 0.0296 + 0.0032 + 0.0110

- 0.0976 - 0.1330 - 0.0924

- 0.0430 + 0.0008 - 0.0110

+ 0.0196 + 0.0026 + 0.0065

α8 (x8)

α9 (x9)

+ 0.3518 + 0.1534 + 0.0796

+ 0.0601 - 0.0342 - 0.0423

Table 6. Components of the Line Sampling important unit vector α. The indication of the uncertain inputs of Table 3 corresponding to the vector components are enclosed in parentheses. The vector components (uncertain inputs) which most contribute to the failure of the passive system are highlighted in bold 19

PAPER II – E. Zio, N. Pedroni/Reliability Engineering and System Safety 94 (2009) 1764-81

It can be seen that the performance of the passive system is strongly sensitive to the pressure level established in the guard containment after the LOCA, as indicated by the large (absolute) values of component α2 in all three system configurations considered (α2 = – 0.9243, – 0.9753 and – 0.9868 for Nloops = 3, 4 and 5, respectively). A (slight) sensitivity of the passive system performance is also observed with respect to the correlation errors in both the Nusselt number (α5 = – 0.0976, – 0.1330 and – 0.0924 for Nloops = 3, 4 and 5, respectively) and the friction factor (α8 = + 0.3518, + 0.1534 and + 0.0796 for Nloops = 3, 4, and 5, respectively) in mixed convection regime. The magnitudes of the other vector components (uncertain inputs) are instead negligible comparatively. The sign of the vector components indicates the direction towards which the corresponding uncertain inputs have to move in order to drive the system to failure: for instance, since α2 and α5 have negative sign, failure of the passive system will be caused by low values of pressure (x2) and Nusselt number in mixed convection (x5); on the contrary, since α8 is positive, failure of the passive system occurs in correspondence of high values of the friction factor in mixed convection (x8). The above sensitivity indications agree with the results of the one-way sensitivity analysis reported in [5] and are physically reasonable. In fact, the pressure of the system strongly affects the density of the coolant helium gas and thus the extent of the buoyancy force on which the functioning of the natural circulation system is based. A decrease in the system pressure leads to a decrease in the buoyancy force which may not succeed in balancing the pressure losses in the natural circulation loop (Equation (10) in Table 2 of Section 4.1). Nusselt numbers instead are directly (i.e., linearly) related to the heat transfer coefficients in both the core and the heat exchanger and thus their variations directly impact the global heat removal capacity of the passive system. In particular, a decrease in the heat transfer coefficient in the heat exchanger (where the wall temperature is imposed) leads to a reduction in the heat flux (Equation (9) in Table 1 of Section 4.1) and consequently to an increase in the coolant temperature (Equation (8) in Table 1 of Section 4.1). On the other hand, a decrease in the heat transfer coefficient in the core (where the heat flux is imposed as constant) causes an increase in the coolant wall temperature (Equation (9) in Table 1 of Section 4.1). Both processes may concur to the attainment of the coolant temperature limits of system failure. Finally, the friction factors directly determine the extent of the pressure losses which oppose the coolant flow in natural circulation. An increase in the friction factors determines an increase in the pressure losses along the closed loop and consequently a reduction in the coolant flow rate (Equation (10) in Table 2 of Section 4.1). Then, the smaller the flow rate in the decay heat removal loop, the higher the coolant temperature rise will be, possibly leading to the attainment of the coolant temperature limits of system failure. Finally, it is worth recalling that in this work α is the normalized “center of mass” of the failure domain F, estimated by means of the Markov Chain Monte Carlo simulation method described in Section 3.2 (Figure 3): thus, the above mentioned sensitivity insights (based on the magnitudes of the components of α) are directly driven by the real location of the failure domain F. In this sense, the sensitivity considerations derived are not local as in sensitivity analysis based on derivatives and Taylor series expansion, because no local approximation of the performance function gθ(·) is introduced. Clearly, if the analyst were to calculate α by means of a simple algorithm, e.g., the normalized gradient of the performance function in the standard normal space (Section 3.2), a word of caution would be in order with respect to the meaning of the magnitudes of the components of α in sensitivity considerations: indeed, in this case the values would strongly depend on the 20

PAPER II – E. Zio, N. Pedroni/Reliability Engineering and System Safety 94 (2009) 1764-81

point of the standard normal space where the first-order, local approximations of the performance function gθ(·) are carried out, and thus would relate inherently local information.

6 Conclusions The assessment of the functional failure probability of T-H passive systems can be performed by sampling the epistemic uncertainties in the system model and parameters, and simulating the corresponding passive system response with mechanistic T-H computer codes. This procedure, however, requires considerable and often prohibitive computational efforts for achieving acceptable accuracies, owing to the long-running times of the T-H codes and to the very low values of passive system functional failure probability which make the occurrence of a failure a quite rare event. Thus, methods of efficient generation of random samples are necessary in order to reduce the computational effort. To this aim, in this paper the innovative Line Sampling method has been considered for performing the functional failure analysis of a T-H passive system. To the best of the authors’ knowledge, this is the first time that this method is applied to such problems. A case study involving natural convection cooling in a Gas-cooled Fast Reactor (GFR) after a Loss of Coolant Accident (LOCA) has been taken as reference. Nine uncertain parameters have been taken into account in this analysis. Two safety variables, the hot- and average-channel temperatures of the coolant leaving the core, have been considered for the evaluation of passive system failure in terms of their crossing given safety thresholds. A transformation based on the “max” operator has been introduced and applied to the two safety variables in order to generate a single-valued system performance indicator (or critical response variable) for direct use within the scheme of Line Sampling. The results of Line Sampling have been compared to those of Latin Hypercube Sampling for estimation of failure probabilities ranging from 10-3 to 10-6. LHS has been chosen as benchmark method due to its popularity and wide use in Probabilistic Risk Assessment (PRA). The results have demonstrated that Line Sampling significantly outperforms Latin Hypercube Sampling, in particular in the task of estimating very small failure probabilities (i.e., around 10-5 or 10-6). Further, it has been shown that the use of preferential lines (instead of random points) to probe the failure domain of interest makes the effectiveness of the Line Sampling methodology almost independent of the failure probability to be estimated: this renders Line Sampling the most suitable method for an extremely wide range of real-world reliability problems. A comparison has been carried out also with respect to the well-known First Order Reliability Method (FORM). The results have shown that FORM may seriously underestimate the functional failure probability of the system: this is due to the fact that the “design point” does not always represent the most important region of the failure domain, especially in highdimensional, nonlinear problems like those involving passive systems. This drawback is even more relevant because FORM can not convey any information to quantitatively envelop the accuracy of the produced estimates. Also, the sensitivity of the passive system performance to the nine uncertain system parameters has been studied through the examination of the elements of the Line Sampling important vector pointing to the failure region. The analysis has shown that an informative measure of the relevance of a given parameter in determining the failure of the system is the magnitude of the corresponding element in the LS important vector. Three parameters have been identified as most relevant for system failure, i.e. the pressure in the natural circulation loop after the LOCA, and the correlation errors in the Nusselt numbers and friction factors in mixed convection; these findings agree with those reported in the literature study taken as reference. Further, the sign of the elements of the important vector indicate whether the 21

PAPER II – E. Zio, N. Pedroni/Reliability Engineering and System Safety 94 (2009) 1764-81

corresponding parameters have to decrease (minus) or increase (plus) in order to drive the system towards failure. The outstanding performance of the Line Sampling method in the estimation of very small failure probabilities, and its capability of providing sensitivity indications makes it a rather attractive tool for passive system functional failure analyses and possibly one worth considering for extended adoption in full scale PRA applications, provided that the numerous possible accident scenarios and outcomes can be handled computationally in an efficient way. Acknowledgements: The authors wish to thank the anonymous referee for the numerous constructive comments and suggestions which have led to a significantly improved work.

References [1] IAEA, 1991. Safety related terms for advanced nuclear plant. IAEA TECDOC-626. [2] Mathews, T. S., Ramakrishnan, M., Parthasarathy, U., John Arul, A., Senthil Kumar, C., 2008. Functional reliability analysis of safety grade decay heat removal system of Indian 500 MWe PFBR. Nuclear Engineering and Design, doi: 10.1016/j.nucengdes.2008.02.012. [3] Mackay F. J., Apostolakis, G. E., Hejzlar, P., 2008. Incorporating reliability analysis into the design of passive cooling systems with an application to a gas-cooled reactor. Nuclear Engineering and Design, 238(1), pp. 217-228. [4] Nayak, A. K., Gartia, M. R., Antony, A., Vinod, G., Sinha, R. K., 2008. Passive system reliability analysis using the APSRA methodology. Nuclear Engineering and Design, doi: 10.1016/j.nucengdes.2007.11.005. [5] Pagani, L., Apostolakis, G. E. and Hejzlar, P., 2005. The impact of uncertainties on the performance of passive systems. Nuclear Technology, 149, 129-140. [6] Burgazzi, L., 2003. Reliability evaluation of passive systems through functional reliability assessment. Nuclear Technology, 144, 145. [7] Marquès, M., Pignatel, J. F., Saignes, P., D’ Auria, F., Burgazzi, L., Müller, C., BoladoLavin, R., Kirchsteiger, C., La Lumia, V., Ivanov, I., 2005. Methodology for the reliability evaluation of a passive system and its integration into a probabilistic safety assessment. Nuclear Engineering and Design, 235, 2612-2631. [8] Burgazzi, L., 2007. Thermal-hydraulic passive system reliability-based design approach. Reliability Engineering and System Safety, doi: 10.1016\j.ress.2006.07.008. [9] Aybar, H. S., Aldemir, T., 1999. Dynamic probabilistic reliability and safety assessment: an application to IS-BWR. In: Proceedings of the Seventh International conference on Nuclear Engineering, Tokio, Japan. [10] Burgazzi, L., 2002. Passive system reliability analysis: a study on the isolation condenser. Nuclear Technology, 139 (July), 3-9. [11] D’ Auria, F., Bianchi, F., Burgazzi, L., Ricotti, M. E., 2002. The REPAS study: reliability evaluation of passive safety systems. In: Proceedings of the 10th International Conference on Nuclear Engineering ICONE 10-22414, Arlinghton, VA USA, April 1418. [12] Jafari, J., D’ Auria, F., Kazeminejad, H., Davilu, H., 2003. Reliability evaluation of a natural circulation system. Nuclear Engineering and Design, 224, 79-104. [13] Zio, E., Cantarella, M., Cammi, A., 2003. The analytic hierarchy process as a systematic approach to the identification of important parameters for the reliability assessment of passive systems. Nuclear Engineering and Design, 226, 311-336. [14] Bassi, C., Marquès, M., 2008. Reliability assessment of 2400 MWth gas-cooled fast reactor natural circulation decay heat removal in pressurized situations. Science and 22

PAPER II – E. Zio, N. Pedroni/Reliability Engineering and System Safety 94 (2009) 1764-81

[15] [16] [17] [18] [19] [20] [21] [22] [23] [24] [25] [26] [27] [28] [29] [30] [31] [32] [33]

Technology of Nuclear Installations, Special Issue “Natural Circulation in Nuclear Reactor Systems”, Hindawi Publishing Corporation, Paper 87376. Schueller, G. I., 2007. On the treatment of uncertainties in structural mechanics and analysis. Computers and Structures, 85, pp. 235-243. Au, S. K. and Beck, J. L., 2003. Importance sampling in high dimensions. Structural Safety, 25(2), pp. 139-163. Schueller, G. I., Pradlwarter, H. J., Koutsourelakis, P. S., 2004. A critical appraisal of reliability estimation procedures for high dimensions. Probabilistic Engineering Mechanics, 19, pp. 463-474. Helton J. C, Davis, F. J., 2003. Latin hypercube sampling and the propagation of uncertainty in analyses of complex systems. Reliability Engineering and System Safety, 81, pp. 23-69. Cacuci, D. G., Ionescu-Bujor, M., 2004. A comparative review of sensitivity and uncertainty analysis of large scale systems – II: Statistical methods. Nuclear Science and Engineering (147), pp. 204-217. Morris, M. D., 2000. Three technometrics experimental design classics. Technometrics, 42(1), pp. 26-27. MacKay, M. D., Beckman, R. J., Conover, W. J., 1979. A comparison of three methods for selecting values of input variables in the analysis of output from a computer code. Technometrics, 21(2), pp. 239-245. NUREG-1150, 1990. Severe accident risk: an assessment for five US nuclear power plants, US Nuclear Regulatory Commission. Helton, J. C., 1998. Uncertainty and sensitivity analysis results obtained in the 1996 performance assessment for the waste isolation power plant, SAND98-0365, Sandia National Laboratories. Olsson, A., Sabdberg, G., Dahlblom, O., 2003. On Latin hypercube sampling for structural reliability analysis. Structural Safety, 25, pp. 47-68. Pebesma E. J., Heuvelink, G. B. M., 1999. Latin hypercube sampling of Gaussian random fields. Technometrics, 41(4), pp. 203-212. Koutsourelakis, P. S., Pradlwarter, H. J., Schueller, 2004. Reliability of structures in high dimensions, Part I: algorithms and application. Probabilistic Engineering Mechanics (19), pp. 409-417. Pradlwarter, H. J., Pellissetti, M. F., Schenk, C. A., Schueller, G. I., Kreis, A., Fransen, S., Calvi, A., Klein, M., 2005. Computer Methods in Applied Mechanics and Engineering, 194, pp. 1597-1617. Pradlwarter, H. J., Schueller, G. I., Koutsourelakis, P. S., Charmpis, D. C., 2007. Application of line sampling simulation method to reliability benchmark problems. Structural Safety, 29, pp. 208-221. Pagani, L., 2004. On the quantification of safety margins. Ph. D. dissertation thesis, Massachusetts Institute of Technology. Burgazzi, L., 2004. Evaluation of uncertainties related to passive systems performance. Nuclear Engineering and Design, 230, 93-106. Burgazzi, L., 2006. Failure mode and effect analysis application for the safety and reliability analysis of a thermal-hydraulic passive system. Nuclear Technology, 146, pp. 150-158. Zio, E., Pedroni, N., 2009. Building confidence in the reliability assessment of thermalhydraulic passive systems. Reliability Engineering and System Safety, vol. 94(2), pp. 268-281. Gläser, H., 2002. Uncertainty evaluation of thermal-hydraulic code results. In: ANS International Meeting on Best-Estimate Methods in Nuclear Installations Safety Analysis (BE-2000), Washington, D.C., USA, November 17-20. 23

PAPER II – E. Zio, N. Pedroni/Reliability Engineering and System Safety 94 (2009) 1764-81

[34] Patalano, G., Apostolakis, G. E., Hejzlar, P., 2008. Risk-informed design changes in a passive decay heat removal system. Nuclear Technology, vol. 163, pp. 191-208. [35] Hofer, E., Kloos, M., Krzykacz-Hausmann, B., Peschke, J., Woltereck, M., 2002. An approximate epistemic uncertainty analysis approach in the presence of epistemic and aleatory uncertainties. Reliability Engineering and System safety, 77, pp. 229-238. [36] Rosenblatt, M., 1952. Remarks on multivariate transformations. Ann. Math. Stat., 23(3), pp. 470-472. [37] Nataf, A., 1962. Determination des distribution dont les marges sont donnees. Comptes Rendus I’ acad. Sci., 225, pp. 42-43. [38] Huang, B., Du, X., 2006. A robust design method using variable transformation and Gauss-Hermite integration. International Journal for Numerical Methods in Engineering, 66, pp. 1841-1858. [39] Ahammed, M., Malchers, M. E., 2006. Gradient and parameter sensitivity estimation for systems evaluated using Monte Carlo analysis. Reliability Engineering and System Safety, 91, pp. 594 - 601. [40] Fu, M., 2006. Stochastic gradient estimation. Chapter 19 in Handbook on Operation Research and Management Science: Simulation, S. G. Henderson and B. L. Nelson, editor, Elsevier. [41] Metropolis, N., Rosenbluth, A. W., Rosenbluth, M. N. and Taller, A. H., 1953. Equations of state calculations by fast computing machines. Journal of Chemical Physics, 21(6), pp. 1087-1092. [42] NUREG-CR-6850, 2005. EPRI/NRC-RES Fire PRA methodology for nuclear power facilities, Volume 2: detailed methodology. US Nuclear Regulatory Commission. [43] Krzykacz-Hausmann, B., 2006. An approximate sensitivity analysis of results from complex computer models in the presence of epistemic and aleatory uncertainties. Reliability Engineering and System safety, 91, pp. 1210-1218. [44] Zio, E., and Apostolakis, G. E., 1996. Two methods for the structured assessment of model uncertainty by experts in performance assessment in radioactive waste repositories. Eliability Engineering and System Safety, Vol. 54, No. 2, 225-241. [45] USNRC, 1998. “An approach for using probabilistic risk assessment in risk-informed decisions on plant-specific changes to the licensing basis.” NUREG-1.174, US Nuclear Regulatory Commission, Washington, DC. [46] Der Kiureghian, A., 2000. The geometry of random vibrations and solutions by FORM and SORM. Probabilistic Engineering Mechanics, vol. 15(1), pp. 81-90. [47] Iooss, B., Van Dorpe, F., Devictor, N., 2006. Response surfaces and sensitivity analyses for an environmental model of dose calculation. Reliability Engineering and System Safety, 91, pp. 1241-1251. [48] Storlie, C. B., Helton, J. C., 2008. Multiple predictor smooting methods for sensitivity analysis: Description of techniques. Reliability Engineering and System Safety, vol. 93, pp. 28-54. [49] Marrel, A., Iooss, B., Laurent, B., Roustant, O., 2009. Calculations of Sobol indices for the Gaussian process metamodel. Reliability Engineering and System Safety, vol., 94, pp. 742-751. [50] Haldar, A., Mahadevan, S., 2000. Probability, reliability and statistical methods in engineering design. Wiley, New York. [51] Sallaberry, C. J., Helton, J. C., Hora, S. C., 2008. Extension of Latin Hypercube samples with correlated variables. Reliability Engineering and System Safety, doi: 10.1016/j.ress.2007.04.005. [52] Liefvendahl, M., Stocki, R., 2006. A study on algorithms for optimization of Latin hypercubes. Journal of Statistical Planning and Inference, 136, pp. 3231-3247. 24

PAPER II – E. Zio, N. Pedroni/Reliability Engineering and System Safety 94 (2009) 1764-81

Appendix A The Line Sampling algorithm The LS algorithm proceeds as follows [27]: 1. Determine the unit important direction α = {α1 , α 2 , ..., α j , ..., α n }. Any of the methods summarized in Section 3.2 can be employed to this purpose. Notice that the computation of α implies additional system analyses, which substantially increase the computational cost associated to the simulation method (Section 3.2). 2. From the original multidimensional joint probability density function q(⋅) : ℜ n → [0, ∞) , sample NT vectors x k : k = 1, 2, ..., N T , with k k k k k x = {x1 , x2 , ..., x j , ..., xn } by standard MCS (Section 2).

{

{

}

}

3. Transform the NT sample vectors x k : k = 1, 2, ..., N T defined in the original (i.e., physical) space of possibly dependent, non-normal random variables (step 2. above) into NT samples θ k : k = 1, 2, ..., N T defined in the standard normal space where each component of the vector θ k = {θ1k , θ 2k , ..., θ jk , ..., θ nk }, k = 1, 2, ..., NT, is associated with

{

}

an independent central unit Gaussian standard distribution (Section 3.1). 4. Estimate NT conditional “one-dimensional” failure probabilities 1D , k ˆ P (F ) : k = 1, 2, ..., N T , corresponding to each one of the standard normal samples θ k : k = 1, 2, ..., N T obtained in step 3. above. In particular, for each random sample θ k , k = 1, 2, …, NT, perform the following steps (Figure 1’) [17], [27], [28]: a. Project the random sample vector θ k , k = 1, 2, …, NT, onto the straight line passing through the origin O of the standard normal space and perpendicular to α, in order to obtain the vector θ k ,⊥ (Figure 1’, top, left): θ k ,⊥ = θ k − α, θ k α , k = 1, 2, ..., NT (1’)

{

{

}

}

In (1’), θ k , k = 1, 2, ..., NT, denotes a random realization of the input variables in the standard normal space of dimension n and α, θ k is the scalar product between α and θ k , k = 1, 2, ..., NT. Finally, it is worth noting that since the standard Gaussian space is isotropic, the vector θ k ,⊥ is also standard normally distributed [28]. ~ b. Define the sample vector θ k , k = 1, 2, ..., NT, as the sum of a deterministic multiple of α and the vector θ k ,⊥ in (1’), i.e.: ~ θ k = c k α + θ k ,⊥ , k = 1, 2, ..., NT (2’) k where c is a real number in [-∞, +∞]. Again, it is worth noting that since the standard Gaussian space is isotropic, the scalar ck is also standard normally distributed [28]. c. Moving along the straight line passing through θ k and parallel to α, select two or three different values cik for ck (e.g., c1k , c2k and c3k in Figure 1’, top, right) ~ and calculate the corresponding sample points θik according to (2’) (e.g., ~ ~ ~ θ1k = c1k α + θ k ,⊥ , θ2k = c2k α + θ k ,⊥ and θ3k = c3k α + θ k ,⊥ in Figure 1’, top, right). d. Evaluate the performance function g θ (⋅) in correspondence of the sample ~ ~ ~ points θik calculated at step 3.c. above (e.g., θ1k = c1k α + θ k ,⊥ , θ2k = c2k α + θ k ,⊥ 25

PAPER II – E. Zio, N. Pedroni/Reliability Engineering and System Safety 94 (2009) 1764-81

( )

~ ~ and θ3k = c3k α + θ k ,⊥ in Figure 1’, middle, left) obtaining the values gθ θik ~ ~ ~ (e.g., gθ θ1k , gθ θ2k and gθ θ3k in Figure 1’ middle, left). Hence, for each

( )

( )

( )

standard normal random sample θ k , k = 1, 2, …, NT, two or three system performance evaluations by the T-H model are required. ~ ~ ~ ~ e. Fit the points cik , gθ θik (e.g., c1k , gθ θ1k , c2k , gθ θ2k and c3k , gθ θ3k in Figure 1’, middle, right) by means of a first or second order polynomial and determine its root c k . The value c k represents the intersection between the limit state function gθ (θ ) = 0 and the straight line passing through θ k and

[

( )]

[

( )] [

( )]

[

( )]

parallel to α (e.g., see Figure 1’, top, right). Also, notice that c k measures the distance between the limit state function gθ (θ ) = 0 and the straight line perpendicular to α and passing through the origin O of the standard normal space. As a final remark, a word of caution is in order with respect to the effectiveness of the above described fitting procedure (Figure 1’, middle, right) when the performance function gθ(θ) under consideration is heavily nonmonotonic (e.g., when it presents oscillations). In such a case, if the values cik for ck (step 3.c. above) are chosen too close to each other (e.g., c1k = 3, c 2k = 3.2 and c3k = 3.5), the linear or quadratic interpolating polynomial may capture only the “local behaviour” of the performance function gθ(θ) and lead to erroneous estimates for c k . Thus, in general well spaced values cik for ck (e.g., c1k = 2, c 2k = 4 and c3k = 6) should be chosen by the analyst in order to avoid this pitfall and capture the “global trend” of the performance function gθ(θ). f. Calculate the conditional one-dimensional failure probability estimate Pˆ 1D , k (F ) , k = 1, 2, …, NT, associated to each random sample θ k , k = 1, 2, …, NT, as Pˆ 1D ,k (F ) = P N (0,1) > c k = 1 − P N (0,1) ≤ c k = 1 − Φ c k = Φ − c k (3’) where Φ (⋅) denotes the standard normal cumulative distribution function (shaded area in Figure 1’, bottom). 5. Compute the unbiased estimator Pˆ NT (F ) for the failure probability P (F ) as the sample average of the independent conditional “one-dimensional” failure probability estimates Pˆ 1D , k (F ) : k = 1, 2, ..., N T in (3’) (step 4.f. above):

[

]

{

[

]

( )

(

)

}

NT

1 Pˆ NT (F ) = Pˆ 1D ,k (F ) (4’) ∑ NT k =1 The variance of the estimator (4’) can be then written as 1 2 ˆ 1D σ 2 Pˆ NT (F ) = σ P (F ) (5’) NT where NT 2 1 σ 2 Pˆ 1D (F ) = Pˆ 1D ,k (F ) − Pˆ NT (F ) (6’) ∑ (NT − 1) k =1 represents the sample variance of the independent conditional “one-dimensional” failure probability estimates Pˆ 1D , k (F ) : k = 1, 2, ..., N T in (3’) (step 4.f. above). Substituting (6’) into (5’), an explicit expression for the variance of the estimator (4’) can be obtained as

(

)

(

)

(

)

(

)

{

}

26

PAPER II – E. Zio, N. Pedroni/Reliability Engineering and System Safety 94 (2009) 1764-81

(

)

(

)

NT 2 1 Pˆ 1D ,k (F ) − Pˆ NT (F ) . (7’) ∑ N T ( N T − 1) k =1 Notice that the variance (7’) of the estimator (4’) decays as O(1 N T ) (as in all Monte Carlo-type estimators).

σ 2 Pˆ N (F ) = T

Figure 1’. The Line Sampling procedure [27]. Top, left: projection of the sample vector θ k onto the straight line passing through the origin O and perpendicular to α in order to obtain θ k ,⊥ (step 4.a.); top, right: selection of three values for ck, e.g. c1k, c2k and c3k, and calculation ~ ~ ~ of the corresponding sample points θ1k = c1k α + θ k ,⊥ , θ2k = c2k α + θ k ,⊥ and θ3k = c3k α + θ k ,⊥ (step 4.c.); middle, left: evaluation of the performance function gθ(·) in correspondence of the ~ ~ ~ ~ ~ ~ sample points θ1k , θ2k and θ3k in order to obtain gθ θ1k , gθ θ2k and gθ θ3k (step 4.d.);

( ) ( )

( )

27

PAPER II – E. Zio, N. Pedroni/Reliability Engineering and System Safety 94 (2009) 1764-81

[

( )] [

( )] and [c , g (θ~ )] by means

~ ~ middle, right: interpolation of the points c1k , gθ θ1k , c2k , gθ θ2k

k 3

θ

k 3

of a second order polynomial and determination of its root c k (step 4.e.); bottom: calculation of the kth conditional one-dimensional failure probability Pˆ 1D , k (F ) as Φ (− c k ) (shaded area) (step 4.f.) With the described approach the variance of the estimator Pˆ NT (F ) of the failure probability P (F ) is considerably reduced. In general, a relatively low number NT of simulations has to be carried out to obtain a sufficiently accurate estimate. A single evaluation would suffice for the ideal case in which the limit state function is linear and a Line Sampling direction α perpendicular to it has been identified [26]. This concept is pictorially represented in Figure 2’, left. The limit state function gθ(θ) = 0 is a straight line and the Line Sampling important vector α is perpendicular to it: as a consequence, all the values c k , k = 1, 2, ..., NT, corresponding to the sample vectors θ k , k = 1, 2, ..., NT, are equal one to another, i.e., c 1 = c 2 = ... = c k = ... = c NT (step 4.e. above). Since the one-dimensional conditional failure probabilities Pˆ 1D , k (F ) , k = 1, 2, ..., NT, associated to the sample points θ k , k = 1, 2, ..., NT, are Pˆ 1D , k (F ) = Φ − c k computed as (step 4.f. above), then in this case

(

)

Pˆ (F ) = Pˆ (F ) = ... = Pˆ (F ) = ... = Pˆ 1D , NT (F ) . As a consequence, the variance (7’) of the failure probability estimator (4’) turns out to be ideally equal to 0 [26]. However, it is worth noting that the analyst could not be able to identify the “optimal” Line Sampling direction α (i.e., the one perpendicular to the limit state function gθ(θ) = 0): in this case the failure probability estimator (4’) would still be unbiased, but its variance (7’) would obviously increase (i.e., in this case it would be larger than 0) (Figure 2’, right). 1D ,1

1D , 2

1D , k

Figure 2’. Line Sampling failure probability estimation when the limit state function gθ(θ) = 0 is linear: the variance of the failure probability estimator Pˆ NT (F ) is 0 when α is “optimal” (i.e., perpendicular to the limit state function gθ(θ) = 0 (left); the variance of Pˆ NT (F ) is larger than 0 when α is not perpendicular to the limit state function gθ(θ) = 0 (right)

Appendix B Latin Hypercube Sampling (LHS) Latin Hypercube Sampling (LHS) is a stochastic simulation method for efficiently generating a distribution of plausible realizations of parameter values from a multidimensional distribution. The technique was first described in [21] and has been further developed for different purposes by several researchers [18], [24], [51]. 28

PAPER II – E. Zio, N. Pedroni/Reliability Engineering and System Safety 94 (2009) 1764-81

In the context of statistical sampling, a square grid containing sample positions is a Latin square if and only if there is only one sample in each row and each column (Figure 3’). A Latin hypercube is the generalization of this concept to an arbitrary number of dimensions, whereby each sample is the only one in each axis-aligned hyperplane containing it [52].

Figure 3’. Examples of a square grid containing sample positions generated at random without any constraint (left) and of a Latin square where only one sample is contained in each row and each column (right) The LHS procedure for drawing NT samples from n independent variables {x j : j = 1, 2, ..., n}

with distributions {q j (⋅) : j = 1, 2, ..., n} is detailed below [51].

The range of each variable {x j : j = 1, 2, ..., n} is divided into NT disjoint intervals of equal probability and one value is selected at random from each interval in consistency with the corresponding distributions {q j (⋅) : j = 1, 2, ..., n}. The NT values thus obtained for x1 are paired at random without replacement with the NT values obtained for x2 to produce the NT ordered pairs {x1k , x2k }, k = 1, 2, …, NT. These NT ordered pairs are combined at random without replacement with the NT values of x3 to form the NT ordered triplets {x1k , x2k , x3k }, k = 1, 2, …, NT. The process is repeated for all the n variables until a set of NT n-tuples is obtained. These n-tuples are of the form k x = {x1k , x 2k , ..., x kj , ..., xnk }, k = 1, 2, …, NT (6’) and constitute the Latin hypercube samples [51]. The effectiveness of LHS, and hence its popularity, derives from the fact that it provides a dense stratification over the range of each uncertain variable with a relatively small sample size while preserving the desirable probabilistic features of simple random sampling, i.e. standard Monte Carlo Simulation (MCS) [18]. A drawback of the LHS technique is that its highly structured form makes it difficult to increase the size of an already existing Latin Hypercube Sample while preserving its stratification properties. Unlike simple random sampling, the size of a Latin hypercube sample (LHS) cannot be increased simply by generating additional sample elements as the new sample containing the original LHS and the additional sample elements will no longer have the structure of an LHS. For the new sample to also be an LHS, the additional sample elements must be generated with a procedure that takes into account the existing LHS that is being increased in size and the definition of Latin hypercube sampling [51]. 29

PAPER II – E. Zio, N. Pedroni/Reliability Engineering and System Safety 94 (2009) 1764-81

Moreover, it has been experimentally shown that LHS, which is very efficient for estimating mean values and standard deviations in complex reliability problems [24], is only slightly more efficient than standard MCS for estimating small failure probabilities [25].

30

Paper III Reliability simulation

estimation

by

advanced

Monte

Carlo

E. Zio and N. Pedroni Accepted for publication in: Faulin, Juan, Martorell, Ramirez-Marquez (Eds.), Simulation Methods for Reliability and Availability of Complex Systems (series: Reliability Engineering), Springer.

Reliability estimation by advanced Monte Carlo simulation E. Zio and N. Pedroni Energy Department, Polytechnic of Milan, Via Ponzio 34/3, 20133 Milan, Italy Phone: +39-2-2399-6340; fax: +39-02-2399-6309 E-mail address: [email protected]

Abstract Monte Carlo Simulation (MCS) offers a powerful means for evaluating the reliability of a system, due to the modeling flexibility that it offers indifferently of the type and dimension of the problem. The method is based on the repeated sampling of realizations of system configurations, which however are seldom of failure so that a large number of realizations must be simulated in order to achieve an acceptable accuracy in the estimated failure probability, with costly large computing times. For this reason, techniques of efficient sampling of system failure realizations are of interest, in order to reduce the computational effort. In this paper, the recently developed Subset Simulation (SS) and Line Sampling (LS) techniques are considered for improving the MCS efficiency in the estimation of system failure probability. The SS method is founded on the idea that a small failure probability can be expressed as a product of larger conditional probabilities of some intermediate events: with a proper choice of the intermediate events, the conditional probabilities can be made sufficiently large to allow accurate estimation with a small number of samples. The LS method employs lines instead of random points in order to probe the failure domain of interest. An “important direction” is determined, which points towards the failure domain of interest; the high-dimensional reliability problem is then reduced to a number of conditional one-dimensional problems which are solved along the “important direction”. The two methods are applied on two structural reliability models of literature, i.e. the cracked plate model and the Paris-Erdogan model for thermal fatigue crack growth. The efficiency of the proposed techniques is evaluated in comparison to other stochastic simulation methods of literature, i.e., standard MCS, Importance Sampling (IS), Dimensionality Reduction (DR) and Orthogonal Axis (OA). Keywords: Failure probability; Monte Carlo sampling; Subset Simulation; Line Sampling; Computational efficiency.

PAPER III – E. Zio, N. Pedroni / Simulation Methods for Reliability and Availability of Complex Systems (series: Reliability Engineering), Springer (Eds.)

1 Introduction In the performance-based design and operation of modern engineered systems, the accurate assessment of reliability is of paramount importance, particularly for civil, nuclear, aerospace and chemical systems and plants which are safety-critical and must be designed and operated within a risk-informed approach (Thunnissen et al., 2007; Patalano et al., 2008). The reliability assessment requires the realistic modelling of the structural/mechanical components of the system and the characterization of their material constitutive behaviour, loading conditions and mechanisms of deterioration and failure that are anticipated to occur during the working life of the system (Schueller and Pradlwarter, 2007). In practice, not all the characteristics of the system under analysis can be fully captured in the model. This is due to: i) the intrinsically random nature of several of the phenomena occurring during the system life; ii) the incomplete knowledge about some of these phenomena. Thus, uncertainty is always present in the hypotheses underpinning the model (model uncertainty) and in the values of its parameters (parameter uncertainty); this leads to uncertainty in the model output, which must be quantified for a realistic assessment of the system (Nutt and Wallis, 2004). In mathematical terms, the probability of system failure can be expressed as a multidimensional integral of the form P( F ) = P( x ∈ F ) = ∫ I F ( x )q( x )d x (1) where x = {x1 , x 2 , ..., x j , ..., xn }∈ ℜ n is the vector of the uncertain input parameters/variables

of the model, with multidimensional probability density function (PDF) q : ℜ n → [0, ∞) , F ⊂ ℜ n is the failure region and I F : ℜ n → {0,1} is an indicator function such that I F ( x ) = 1 , if x ∈ F and I F ( x ) = 0 , otherwise. The failure domain F is commonly defined by a so-called Performance Function (PF) or Limit State Function (LSF) g x ( x ) which is lower than or equal to zero if x ∈ F and greater than zero, otherwise. In practical cases, the multi-dimensional integral (1) can not be easily evaluated by analytical methods nor by numerical schemes. On the other hand, Monte Carlo Simulation (MCS) offers an effective means for estimating the integral, because the method does not suffer from the complexity and dimension of the domain of integration, albeit it implies the nontrivial task of sampling from the multidimensional PDF. The MCS solution to (1) entails that a large number of samples of the values of the uncertain parameters x be drawn from q (x) and that these be used to compute an unbiased and consistent estimate of the system failure probability as the fraction of the number of samples that lead to failure. However, a large number of samples (inversely proportional to the failure probability) is necessary to achieve an acceptable estimation accuracy: in terms of the integral in (1) this can be seen as due to the high dimensionality n of the problem and the large dimension of the relative sample space compared to the failure region of interest (Schueller, 2007). This calls for new simulation techniques for performing robust estimations with a limited number of input samples (and associated low computational time). In this respect, effective approaches are offered by Subset Simulation (SS) (Au and Beck, 2001; Au and Beck, 2003b) and Line Sampling (LS) (Koutsourelakis et al., 2004; Pradlwarter et al., 2005). In the SS method, the failure probability is expressed as a product of conditional failure probabilities of some chosen intermediate events, whose evaluation is obtained by simulation 2

PAPER III – E. Zio, N. Pedroni / Simulation Methods for Reliability and Availability of Complex Systems (series: Reliability Engineering), Springer (Eds.)

of more frequent events. The evaluation of small failure probabilities in the original probability space is thus tackled by a sequence of simulations of more frequent events in the conditional probability spaces. The necessary conditional samples are generated through successive Markov Chain Monte Carlo (MCMC) simulations (Metropolis et al., 1953; Hastings, 1970; Fishman, 1996), gradually populating the intermediate conditional regions until the final target failure region is reached. In the LS method, lines, instead of random points, are used to probe the failure domain of the high-dimensional problem under analysis (Pradlwarter et al., 2005). An “important direction” is optimally determined to point towards the failure domain of interest and a number of conditional, one-dimensional problems are solved along such direction, in place of the highdimensional problem (Pradlwarter et al., 2005). The approach has been shown to perform always better than standard MCS; furthermore, if the boundaries of the failure domain of interest are not too rough (i.e., almost linear) and the “important direction” is almost perpendicular to them, the variance of the failure probability estimator could be ideally reduced to zero (Koutsourelakis et al., 2004). In this paper, SS and LS schemes are developed for application to two structural reliability models of literature, i.e., the cracked plate model (Ardillon and Venturini, 1995) and the Paris-Erdogan thermal fatigue crack growth model (Paris, 1961). The problem is rather challenging as it entails estimating failure probabilities of the order of 10-7. The effectiveness of SS and LS is compared to that of other simulation methods, e.g. the Importance Sampling (IS), Dimensionality Reduction (DR) and Orthogonal Axis (OA) methods (Gille, 1998 and 1999). In the IS method, the PDF q(x ) in (1) is replaced with an Importance Sampling Distribution (ISD) arbitrarily chosen so as to generate samples that lead to failure more frequently (Au and Beck, 2003a); in the DR method, the failure event is re-expressed in such a way as to highlight one important variable (say, xj) and the failure probability is then computed as the expected value of the Cumulative Distribution Function (CDF) of xj conditional on the remaining (n – 1) variables; finally, in the OA method, a sort of importance sampling is performed around the most likely point in the failure domain (Gille, 1998 and 1999). The remainder of the paper is organized as follows. In Section 2, a general presentation of the SS and LS schemes implemented for this study is given. In Section 3, the IS, DR and OA methods taken as terms of comparison are briefly summarized. The results of the application of SS and LS to the cracked plate and thermal fatigue crack growth models are reported in Sections 4 and 5, respectively. Based on the results obtained, a critical discussion of the simulation techniques adopted and compared in this work is offered in the last Section. For completeness of the contents of the paper, detailed descriptions of the Markov Chain Monte Carlo (MCMC) simulation method used for the development of the SS and LS algorithms are provided in Appendices A and B, respectively.

2 Simulation methods implemented in this study 2.1 The Subset Simulation method Subset Simulation (SS) is an adaptive stochastic simulation method originally developed for efficiently computing small failure probabilities in structural reliability analysis (Au and Beck, 2001). The underlying idea is to express the (small) failure probability as a product of (larger) probabilities conditional on some intermediate events. This allows converting a rare event simulation into a sequence of simulations of more frequent events. During simulation, 3

PAPER III – E. Zio, N. Pedroni / Simulation Methods for Reliability and Availability of Complex Systems (series: Reliability Engineering), Springer (Eds.)

the conditional samples are generated by means of a Markov chain designed so that the limiting stationary distribution is the target conditional distribution of some adaptively chosen event; by so doing, the conditional samples gradually populate the successive intermediate regions up to the final target (rare) failure region (Au and Beck, 2003b).

2.1.1 The basic principles

For a given target failure event F of interest, let F1 ⊃ F2 ⊃ ... ⊃ Fm = F be a sequence of intermediate events, so that Fk = ∩ik=1 Fi , k = 1, 2, …, m. By sequentially conditioning on the event Fi, the failure probability P(F) can be written as m −1

P( F ) = P( Fm ) = P( F1 )∏ P( Fi +1 | Fi ) .

(2)

i =1

Notice that even if P(F) is small, the conditional probabilities involved in (2) can be made sufficiently large by appropriately choosing m and the intermediate events {Fi, i = 1, 2, …, m – 1}. The original idea of SS is to estimate the failure probability P(F) by estimating P(F1) and {P ( Fi +1 | Fi ) : i = 1, 2, ..., m − 1}. Considering for example P(F) ≈ 10-5 and choosing m = 4 intermediate events such that P(F1) and {P( Fi +1 | Fi ) : i = 1, 2, 3, 4} ≈ 0.1 , the conditional probabilities can be evaluated efficiently by simulation of the relatively frequent intermediate events (Au and Beck, 2001). Standard MCS can be used to estimate P(F1). On the contrary, computing the conditional probabilities in (2) by MCS entails the non-trivial task of sampling from the conditional distributions of x given that it lies in Fi, i = 1, 2, ..., m – 1, i.e. from q( x | Fi ) = q( x ) I Fi ( x ) / P( F ) . In this regard, Markov Chain Monte Carlo (MCMC) simulation

provides a powerful method for generating samples conditional on the intermediate regions Fi, i = 1, 2, ..., m – 1 (Au and Beck, 2001; Au and Beck, 2003b). For completeness of the paper, the related algorithm is presented in Appendix A.

2.1.2 The algorithm In the actual SS implementation, with no loss of generality it is assumed that the failure event of interest can be defined in terms of the value of a critical system response variable Y being lower than a specified threshold level y, i.e., F = {Y < y}. The sequence of intermediate events {Fi : i = 1, 2, ..., m} can then be correspondingly defined as Fi = {Y < y i }, i = 1, 2, ..., m , where y1 > y 2 > ... > y i > ... > y m = y > 0 is a decreasing sequence of intermediate threshold values (Au and Beck, 2001; Au and Beck, 2003b). The choice of the sequence {yi : i = 1, 2, ..., m} affects the values of the conditional probabilities {P( Fi +1 | Fi ) : i = 1, 2, ..., m − 1} in (2) and hence the efficiency of the SS procedure. In particular, choosing the sequence {yi : i = 1, 2, ..., m} a priori makes it difficult to control the values of the conditional probabilities {P( Fi +1 | Fi ) : i = 1, 2, ..., m − 1} . For this reason, in this work, the intermediate threshold values are chosen adaptively in such a way that the estimated conditional probabilities are equal to a fixed value p0 (Au and Beck, 2001; Au and Beck, 2003b). Schematically, the SS algorithm proceeds as follows (Figure 1):

4

PAPER III – E. Zio, N. Pedroni / Simulation Methods for Reliability and Availability of Complex Systems (series: Reliability Engineering), Springer (Eds.)

{

}

k

1. Sample N vectors x 0 : k = 1, 2, ..., N by standard MCS, i.e., from the original probability density function q(·). The subscript ‘0’ denotes the fact that these samples correspond to ‘Conditional Level 0’; 2. Set i = 0; k 3. Compute the values of the response variable Y ( x i ) : k = 1, 2, ..., N ; 4. Choose the intermediate threshold value yi+1 as the (1 – p0)Nth value in the decreasing k list of values Y ( x i ) : k = 1, 2, ..., N (computed at step 3. above) to define Fi+1 = {Y < yi+1}. By so doing, the sample estimate of P(Fi+1|Fi) = P(Y < yi+1|Y < yi) is equal to p0 (note that it has been implicitly assumed that p0N is an integer value); 5. If yi+1 ≤ ym, proceed to 10. below; 6. Viceversa, i.e. if yi+1 > ym, with the choice of yi+1 performed at step 4. above, identify k u the p0N samples x i : u = 1, 2, ..., p0 N among x i : k = 1, 2, ..., N whose response Y lies in Fi+1 = {Y < yi+1}: these samples are at ‘Conditional level i + 1’ and distributed as q(⋅ | Fi +1 ) and function as seeds of the MCMC simulation (step 7. below);

{

{

}

}

{

{

}

{

u

}

}

7. Starting from each one of the samples x i : u = 1, 2, ..., p0 N (identified at step 6. above), use MCMC simulation to generate (1 – p0)N additional conditional samples distributed as q(⋅ | Fi +1 ) , so that there are a total of N conditional samples

{x

k i +1

}

: k = 1, 2, ..., N ∈ Fi +1 , at ‘Conditional level i + 1’; 8. Set i ← i + 1; 9. Return to step 3. above; 10. Stop the algorithm.

For clarity sake, a step-by-step illustration of the procedure for Conditional levels 0 and 1 is provided in Figure 2 by way of example.

5

PAPER III – E. Zio, N. Pedroni / Simulation Methods for Reliability and Availability of Complex Systems (series: Reliability Engineering), Springer (Eds.)

Figure 1. Sketch of the SS algorithm

6

PAPER III – E. Zio, N. Pedroni / Simulation Methods for Reliability and Availability of Complex Systems (series: Reliability Engineering), Springer (Eds.)

Figure 2. Illustration of the SS procedure: a) Conditional level 0: Standard Monte Carlo simulation; b) Conditional level 0: adaptive selection of y1; c) Conditional level 1: Markov Chain Monte Carlo simulation; d) Conditional level 1: adaptive selection of y2

Notice that the procedure is such that the response values {y i : i = 1, 2, ..., m} at the specified probability levels P ( F1 ) = p 0 , P( F2 ) = p( F2 | F1 ) P( F1 ) = p 02 , …, P( Fm ) = p 0m are estimated, rather than the event probabilities P ( F1 ) , P ( F2 | F1 ) , …, P ( Fm | Fm −1 ) , which are a priori fixed at p0. In this view, SS is a method for generating samples whose response values correspond to specified probability levels, rather than for estimating probabilities of specified failure events. As a result, it produces information about P(Y < y ) versus y at all the simulated values of Y rather than at a single value of y. This feature is important because the whole trend of P (Y < y ) versus y provides much more information than a point estimate (Au, 2005).

2.2 The Line Sampling method Line Sampling (LS) was also originally developed for the reliability analysis of complex structural systems with small failure probabilities (Koutsourelakis et al., 2004). The underlying idea is to employ lines instead of random points in order to probe the failure domain of the high-dimensional system under analysis (Pradlwarter et al., 2005). In extreme synthesis, the problem of computing the multidimensional failure probability integral (1) in the original “physical” space is transformed into the so-called “standard normal space”, where each random variable is represented by an independent central unit Gaussian distribution. In this space, a unit vector α (hereafter also called “important unit vector” or “important direction”) is determined, pointing towards the failure domain F of interest (for illustration purposes, two plausible important unit vectors, α1 and α2, pointing towards two different failure domains, F1 and F2, are visually represented in Figure 3, left and right, respectively, in a two-dimensional uncertain parameter space). The problem of computing the high-dimensional failure probability integral (1) is then reduced to a number of conditional 7

PAPER III – E. Zio, N. Pedroni / Simulation Methods for Reliability and Availability of Complex Systems (series: Reliability Engineering), Springer (Eds.)

one-dimensional problems, which are solved along the “important direction” α in the standard normal space. The conditional one-dimensional failure probabilities (associated to the conditional one-dimensional problems) are readily computed by using the standard normal cumulative distribution function (Pradlwarter et al., 2005).

Figure 3. Examples of possible important unit vectors α1 (left) and α2 (right) pointing towards the corresponding failure domains F1 (left) and F2 (right) in a two-dimensional uncertain parameter space

2.2.1 Transformation of the physical space into the standard normal space

Let x = {x1 , x2 , ..., x j , ..., xn }∈ ℜ n be the vector of uncertain parameters defined in the original physical space x ∈ ℜ n . For problems where the dimension n is not so small, the parameter vector x can be transformed into the vector θ ∈ ℜ n , where each element of the vector θj, j = 1, 2, …, n, is associated with a central unit Gaussian standard distribution (Schueller et al., 2004). The joint probability density function of the random parameters {θ j : j = 1, 2, ..., n} is, then:

ϕ (θ ) = ∏ φ j (θ j ) n

j =1

(

where φ j (θ j ) = 1

(3)

)

2π e

−θ 2j 2

, j = 1, 2, ..., n.

The mapping from the original, physical vector of random variables x ∈ ℜ n to the standard normal vector θ ∈ ℜ n is denoted by Txθ (⋅) and its inverse by Tθx (⋅) , i.e.: θ = Txθ (x ) (4) x = Tθx (θ ) (5) Transformations (4) and (5) are in general nonlinear and are obtained by applying Rosenblatt’s or Nataf’s transformations, respectively (Rosenblatt, 1952; Nataf, 1962; Huang and Du, 2006). They are linear only if the random vector x is jointly Gaussian distributed. By transformation (4), also the Performance Function (PF) or Limit State Function (LSF) g x (⋅) defined in the physical space (Section 1) can be transformed into g θ (⋅) in the standard normal space: gθ (θ ) = g x (x ) = g x (Tθx (θ )) (6) 8

PAPER III – E. Zio, N. Pedroni / Simulation Methods for Reliability and Availability of Complex Systems (series: Reliability Engineering), Springer (Eds.)

Since in most cases of practical interest the function gθ (θ ) is not known analytically, it can be evaluated only point-wise. According to (6), the evaluation of the system performance k function gθ (⋅) at a given point θ , k = 1, 2, ..., NT, in the standard normal space requires i) a transformation into the original space, ii) a complete simulation of the system response and iii) the computation of the system response from the model. The computational cost of evaluating the failure probability is governed by the number of system performance analyses that have to be carried out (Schueller et al., 2004).

2.2.2 The important direction α for Line Sampling Three methods have been proposed to estimate the important direction α for Line Sampling. In (Koutsourelakis et al., 2004), the important unit vector α is taken as pointing in the direction of the “design point” in the standard normal space. According to a geometrical * interpretation, the “design point” is defined as the vector point θ on the limit state surface gθ (θ ) = 0 which is closest to the origin in the standard normal space (Schueller et al., 2004). It can be demonstrated that θ is also the point of maximum likelihood (Freudenthal, 1956); as such, it is the best choice unless additional analytical information on the true ‘shape’ of the limit state surface is available (Schueller and Stix, 1987). Then, the unit important vector α * * * can be easily obtained by normalizing θ , i.e., α = θ θ , where ⋅ 2 denotes the usual *

2

Euclidean measure of a vector. However, the design points, and their neighborhood, do not always represent the most important regions of the failure domain, especially in high-dimensional spaces (Schueller et al., 2004). Moreover, the computational cost associated with the calculation of the design point can be quite high, in particular if long-running numerical codes are required to simulate the response of the system to its uncertain input parameters (Schueller et al., 2004), as it is frequently the case in structural reliability. In (Pradlwarter et al., 2005), the direction of α is taken as the normalized gradient of the performance function in the standard normal space. Since the unit vector α = {α1 , α 2 , ..., α j , ..., α n } points towards the failure domain F, it can be used to draw information about the relative importance of the random parameters {θ j : j = 1, 2, ..., n} with respect to the failure probability P(F): the more relevant a random variable in determining the failure of the system, the larger the corresponding component of the unit vector α will be (Pradlwarter et al., 2005). Such quantitative information is obtained from the gradient of the performance function gθ (θ ) in the standard normal space, ∇gθ (θ ) : T

⎡ ∂g (θ ) ∂gθ (θ ) ∂gθ (θ ) ∂gθ (θ )⎤ ... ... (7) ∇gθ (θ ) = ⎢ θ ⎥ ∂θ 2 ∂θ j ∂θ n ⎦⎥ ⎣⎢ ∂θ1 The gradient (7) measures in a unique way the relative importance of a particular random variable with respect to the failure probability P(F): the larger the (absolute) value of a component of (7), the greater the “impact” of the corresponding random variable on the performance function gθ (θ ) in the standard normal space. In other words, given a specified finite variation Δθ in the parameter vector θ , the performance function gθ (θ ) will change most if this variation is taken in the direction of (7). Thus, it is reasonable to identify the LS important direction with the direction of the gradient (7) and compute the corresponding unit

9

PAPER III – E. Zio, N. Pedroni / Simulation Methods for Reliability and Availability of Complex Systems (series: Reliability Engineering), Springer (Eds.)

vector α as the normalized gradient of the performance function gθ (⋅) in the standard normal

space, i.e. α = ∇gθ (θ ) ∇gθ (θ ) 2 (Pradlwarter et al., 2005). On the other hand, when the performance function is defined on a high-dimensional space, i.e. when many parameters of the system under analysis are random, the computation of the gradient ∇gθ (θ ) in (7) becomes a numerically challenging task. Actually, as the function gθ (θ ) is known only implicitly through the response of a numerical code, for a given vector θ = {θ1 ,θ 2 , ...,θ j , ...,θ n } at least n system performance analyses are required to determine

accurately the gradient at a given point of the performance function gθ (⋅) by straightforward numerical differentiation, e.g. the secant method (Ahammed and Melchers, 2006; Fu, 2006).

Finally, the important unit vector α can also be computed as the normalized “center of mass” 0 of the failure domain F of interest (Koutsourelakis et al., 2004). A point θ is taken in the failure domain F. This can be done by traditional Monte Carlo sampling or by engineering 0 judgment when possible. Subsequently, θ is used as the initial point of a Markov chain which lies entirely in the failure domain F. For that purpose a MCMC Metropolis-Hastings u algorithm is employed to generate a sequence of Ns points θ : u = 1, 2, ..., N s lying in the

{

failure domain F (Metropolis et al., 1956). The unit vectors θ

}

u

θ u , u = 1, 2, …, Ns, are 2

1 Ns u u ⋅ ∑θ θ (Figure 2 N s u =1 4). This direction is by no means optimal, but it is clear that it provides a good approximation of the important regions of the failure domain (at least as the sample size Ns is large). On the other hand, it should be noticed that the procedure implies Ns additional system analyses by the deterministic model simulating the system, which substantially increase the computational cost associated to the simulation method. then averaged in order to obtain the LS important unit vector as α =

10

PAPER III – E. Zio, N. Pedroni / Simulation Methods for Reliability and Availability of Complex Systems (series: Reliability Engineering), Springer (Eds.)

Figure 4. Line Sampling important unit vector α taken as the normalized “center of mass” of the failure domain F in the standard normal space. The “center of mass” of F is computed as an average of Ns failure points generated by means of a Markov chain starting from an initial failure point θ0 (Koutsourelakis et al., 2004)

In the implementation of LS for this work, the method based on the normalized “center of mass” of the failure domain F has been employed, because it relies on a “map” approximating the failure domain F under analysis (given by the failure samples generated through a Markov chain) and thus it provides in principle the most realistic and reliable estimate for the LS important direction α. For completeness, a thorough description of the Line Sampling algorithm and its practical implementation issues is given in Appendix B at the end of the paper.

3 Simulation methods considered for comparison The performances of Subset Simulation (Section 2.1) and Line Sampling (Section 2.2) will be compared to those of the Importance Sampling (IS) (Section 3.1), Dimensionality Reduction (DR) (Section 3.2) and Orthogonal Axis (OA) (Section 3.3) methods; the comparison will be made with respect to the results reported in (Gille, 1998 and 1999) for the two literature case studies considered, of the cracked plate and thermal fatigue crack growth models.

3.1 The Importance Sampling method The concept underlying the Importance Sampling (IS) method is to replace the original PDF q(x ) with an Importance Sampling Distribution (ISD) q~ ( x) arbitrarily chosen by the analyst so as to generate a large number of samples in the “important region” of the sample space, i.e. the failure region F (Au and Beck, 2003a; Schueller et al., 2004). The IS algorithm proceeds as follows (Schueller et al., 2004): 11

PAPER III – E. Zio, N. Pedroni / Simulation Methods for Reliability and Availability of Complex Systems (series: Reliability Engineering), Springer (Eds.)

1. Identify a proper Importance Sampling Density (ISD), q~ (⋅) , in order to increase the probability of occurrence of the failure samples. 2. Express the failure probability P(F) in (1) as a function of the ISD q~ (⋅) : P(F ) = ∫ I F (x )q( x )d x

⎡ I ( x )q ( x ) ⎤ ~ = ∫⎢ F ~ ⎥ q ( x )d x ⎣ q (x ) ⎦

(8)

⎡ I ( x )q (x ) ⎤ = Eq~ ⎢ F ~ ⎥ ⎣ q (x ) ⎦ k 3. Draw NT independent and identically distributed (i.i.d.) samples x : k = 1, 2, ..., N T from the ISD q~ (⋅) ; if a good choice for the ISD q~ (⋅) has been made, the samples

{

{x

}

}

k

: k = 1, 2, ..., N T should be concentrated in the failure region F of interest. 4. Compute an estimate Pˆ (F ) for the failure probability P(F) in (1) by resorting to the last expression in (8): k k 1 NT I F x q x (9) Pˆ (F ) = ∑ q~ x k N T k =1 5.

( )( ) ( ) The variance V [Pˆ ( F )] of the estimator Pˆ (F ) in (9) is given by

⎡ I (x )q( x ) ⎤ 1 V Pˆ (F ) = Vq~ ⎢ F ~ N T ⎣ q ( x ) ⎥⎦ (10) 1 ⎛ I F ( x )q 2 ( x ) ~ 2⎞ ⎜ = q ( x )d x − P(F ) ⎟⎟ NT ⎜⎝ ∫ q~ 2 ( x ) ⎠ It is straightforward to verify that the quantity (10) becomes zero when I ( x )q( x ) q~ ( x ) = q~opt ( x ) = F (11) P (F ) This represents the optimal choice for the importance sampling density which is practically unfeasible since it requires the a priori knowledge of P(F). Several techniques have been developed in order to approximate the optimal sampling density (11) or to at least find one giving small variance of the estimator (9). Recent examples include the use of engineering judgment (Pagani et al., 2005), design points (Schueller et al., 2004) and kernel density estimators (Au and Beck, 2003a).

[

]

3.2 The Dimensionality Reduction method Objective of the Dimensionality Reduction (DR) method is to reduce the variance associated to the failure probability estimates by exploiting the property of conditional expectation (Gille, 1998 and 1999). In extreme synthesis, the failure event g x ( x ) ≤ 0 is re-expressed in such a way as to highlight one of the n uncertain input variables of x (say, xj); then, the failure probability estimate is computed as the expected value of the CDF of xj conditional on the remaining (n – 1) input variables. By so doing, the zero values contained in the standard MCS estimator (i.e., IF(x) = 0, if x ∈ F) are removed: this allows to i) reach any level of probability (even very small) and ii) reduce the variance of the failure probability estimator (Gille, 1998 and 1999). 12

PAPER III – E. Zio, N. Pedroni / Simulation Methods for Reliability and Availability of Complex Systems (series: Reliability Engineering), Springer (Eds.)

The DR algorithm proceeds as follows (Gille, 1998 and 1999): 1. Write the failure event g x ( x ) = g x (x1 , x2 , ..., x j , ..., xn ) ≤ 0 in such a way as to highlight one of the n uncertain input variables (e.g., xj): x j ≤ hx (x − j ) j = 1, 2, …, n (12) where hx(·) is a function defined on ℜ n −1 which takes values on the set of all (measurable) subsets of ℜ and x − j is a vector containing all the uncertain input

variables except xj, i.e., x − j = (x1 , x2 , ..., x j −1 , x j +1 , ..., xn ); 2. Write the failure probability P(F) as follows: P(F ) = P[g x (x ) ≤ 0]

[

] [h (x )]}

= P x j ≤ hx (x − j )

{

= E x − j Fx j | x − j

(13)

−j

x

where Fx j | x − j (⋅) is the Cumulative Distribution Function of xj conditional on x − j , i.e., x − j = (x1 , x2 , ..., x j −1 , x j +1 , ..., xn );

{

}

3. Draw NT samples x − j : k = 1, 2, ..., N T , where x − j = (x1k , x2k , ..., x kj−1 , x kj+1 , ..., xnk ) , from k

k

the (n – 1)-dimensional marginal probability density function q m (x − j ) , i.e., qm (x − j ) = qm (x1 , x2 , ..., x j −1 , x j +1 , ..., xn ) = ∫ q (x1 , x2 , ..., x j , ..., xn )dx j ; xj

4. Using the last expression in (13), compute an unbiased and consistent estimate Pˆ (F ) for the failure probability P(F) as follows: 1 NT k (14) Pˆ (F ) = Fx j | x − j hx x − j ∑ NT k =1 It is worth noting that in (14) the failure probability estimate is computed as the expected value of the cumulative distribution function Fx j | x − j (⋅) of xj conditional on the remaining (n –

[ ( )]

1) input variables. Since this quantity takes values between 0 and 1, the zero values contained in the standard MCS estimator (i.e., IF(x) = 0, if x ∈ F) are removed: this allows to i) reach any level of failure probability (even very small) and ii) reduce the variance of the failure probability estimator. However, such method can not always be applied: first, the performance function gx(·) must be known analytically; second, it must have the property that one of the uncertain input variables can be separated from the others to allow re-writing the failure condition g x ( x ) ≤ 0 in the form of (12) (Gille, 1998 and 1999). Finally, notice that DR can be considered a very special case of LS (Section 2.2) where the performance function gx(·) is analytically known and the important direction α coincides with the “direction” of the variable xj, i.e., α = (0, 0, ..., x j , ..., 0, 0) .

3.3 The Orthogonal Axis method The Orthogonal Axis (OA) method combines the Fist Order Reliability Method (FORM) approximation (Der Kiureghian, 2000) and Monte Carlo Simulation (MCS) in a sort of importance sampling around the “design point” of the problem (see Section 2.2.2). The OA algorithm proceeds as follows (Gille, 1998 and 1999): 1. Transform x = {x1 , x2 , ..., x j , ..., xn }∈ ℜ n , i.e., the vector of uncertain parameters defined in the original physical space x ∈ ℜ n , into the vector θ ∈ ℜ n , where each element of the vector θj, j = 1, 2, …, n, is associated with a central unit Gaussian standard

13

PAPER III – E. Zio, N. Pedroni / Simulation Methods for Reliability and Availability of Complex Systems (series: Reliability Engineering), Springer (Eds.)

distribution (Schueller et al., 2004) (see Section 2.2.1). Thus, the joint probability density function of θ can simply be written as

ϕ n (θ ) = ∏ j =1φ (θ j ) n

(

where φ (θ j ) = 1

(15)

)

2π e

(

− θ 2j 2

)

, j = 1, 2, ..., n;

2. Find the “design point” θ of the problem (see Section 2.2.2); 3. Rotate the coordinate system (i.e., by means of a proper rotation matrix R ) so that the *

new coordinate θ n is in the direction of the axis defined by the design point θ ; *

4. Define a new failure function g axis (θ ) as (16) g axis (θ ) = g (Rθ ) ~ ~ 5. Writing θ as θ , θ n , where θ = (θ1 , θ 2 , ..., θ n −1 ) , express the failure probability P(F) as follows: ~ P(F ) = P g axis θ ,θ n ≤ 0 ~ ~ ~ ~ = ∫ P g axis θ , θ n ≤ 0 | θ ϕ n −1 θ dθ (17) ~ = Eθ~ P g axis θ ,θ n ≤ 0 ~k 6. Generate NT i.i.d. (n – 1)-dimensional samples θ : k = 1, 2, ..., N T , where ~k θ = θ1k ,θ 2k , ...,θ nk−1 ; 7. Compute an estimate Pˆ (F ) for the failure probability P(F) as follows:

(

)

[ ( ) ] [ ( ) ] () { [ ( ) ]}

(

{

)

(θ~ ,θ )≤ 0] (18) ~ The terms P[g (θ ,θ ) ≤ 0] , k = 1, 2, …, N , are evaluated with an iterative algorithm ~ which searches for the roots of the equation g (θ , θ ) = 0 (Gille, 1998 and 1999). 1 Pˆ (F ) = NT

∑ P[g

}

NT

k =1

k

axis

n

k

axis

T

n

k

axis

n

It is worth noting that the idea underlying the OA method is essentially the same as that of LS (Section 2.2). However, in OA the “important direction” is forced to coincide with that of the design point of the problem; moreover, OA employs a rotation of the coordinate system which can be difficult to define in very high-dimensional problems.

4 Application 1: the cracked plate model The cracked plate model is a classical example in Fracture Mechanics and its relative simplicity allows a detailed and complete study of different simulation techniques. A thorough description of this model can be found in (Ardillon and Venturini, 1995).

4.1 The mechanical model A metal plate of infinite length with a defect of initial length equal to a [m] is considered. The plate is supposed to be subject to a uniform normal loading (i.e., stress) s∞ [MPa]. The intensity factor K [MPa m ], determined by the uniform loading in the neighborhood of the defect is defined as follows: K = Fs∞ πa (19) where F is the shape factor of the defect. The plate is supposed to break (i.e., fail) when the intensity factor K in (19) becomes greater than or equal to a critical value Kc, i.e.: 14

PAPER III – E. Zio, N. Pedroni / Simulation Methods for Reliability and Availability of Complex Systems (series: Reliability Engineering), Springer (Eds.)

K = Fs∞ πa ≥ K c The variables of the mechanical model are summarized in Table 1.

Variables of the cracked plate model Description

Name Kc a F s∞

Critical stress intensity factor Initial length of the defect Shape factor of the defect Uniform normal loading (stress) to which the plate is subject

(20)

Unit of measure MPa√m m / MPa

Table 1. Names, descriptions and units of measure of the variables of the cracked plate model

4.2 The structural reliability model From the point of view of a structural reliability analysis, the cracked plate mechanical model of Section 4.1 is analyzed within a probabilistic framework in which the variables Kc, a, F and s∞ are uncertain (for simplicity of illustration with respect to the notation of the previous Sections, the four variables are hereafter named x1, x2, x3 and x4, respectively). Referring to (20), the performance function gx( x ) of the system is g x ( x ) = g x (x1 , x2 , x3 , x4 ) = x1 − x3 x4 πx2 The failure region F is then expressed as F = {x : g x ( x ) ≤ 0} = ( x1 , x2 , x3 , x4 ) : x1 ≤ x3 x4 πx2 Finally, the probability of system failure P(F) is written as follows: P(F ) = P( x ∈ F ) = P[g x (x ) ≤ 0] = P x1 ≤ x3 x4 πx2 .

{

(

(21)

}

(22)

)

(23)

4.3 Case studies Four case studies, namely Case 0 (Reference case), 1, 2 and 3, are considered with respect to the structural reliability model of the previous Section 4.2. Each case study is characterized by different PDFs for the uncertain variables x1, x2, x3 and x4 and by different failure probabilities P(F): these features are summarized in Table 2. Notice that in Cases 0, 1 and 2 the random variables are independent and normally distributed, whereas in Case 3 they are independent and lognormally distributed. Moreover, it is worth noting that the exact (i.e., analytically computed) failure probabilities P(F) approximately range from 10-3 to 10-7, allowing a deep exploration of the capabilities of the simulation algorithms considered and a meaningful comparison between them (Gille, 1998 and 1999). Case 0

Case 1

Case 2

Case 3

x1 (K) N(149.3, 22.2) N(149.3, 22.2) N(160, 18) LG(149.3, 22.2) x2 (a) N(5·10-3, 10-3) N(5·10-3, 10-3) N(5·10-3, 10-3) LG(5·10-3, 10-3) x3 (F) N(0.99, 0.01) N(0.99, 0.01) N(0.99, 0.01) LG(0.99, 0.01) N(600, 60) N(300, 30) N(500, 45) LG(600, 60) x4 (s∞) -3 -7 -7 1.165·10 4.500·10 4.400·10 3.067·10-4 P(F)

Table 2. Probability distributions and parameters (i.e., means and standard deviations) of the uncertain variables x1, x2, x3, and x4 of the cracked plate model of Section 4.2 for the four case studies considered (i.e., Cases 0, 1, 2 and 3); the last row reports the values of the corresponding exact (i.e., analytically computed) failure probabilities, P(F) (Gille, 1998 and 1999). N = Normal distribution; LG = Lognormal distribution 15

PAPER III – E. Zio, N. Pedroni / Simulation Methods for Reliability and Availability of Complex Systems (series: Reliability Engineering), Springer (Eds.)

4.4 Results In this Section, the results of the application of SS and LS for the reliability analysis of the cracked plate model of Section 4.1 are illustrated with reference to Case studies 0, 1, 2 and 3 described in the previous Section 4.3. For fair comparison, all methods have been run with a total of NT = 50000 samples in all four cases. The efficiency of the simulation methods under analysis is evaluated in terms of four quantities: the failure probability estimate Pˆ (F ) , the sample standard deviation σˆ of the failure probability estimate Pˆ (F ) , the coefficient of variation (c.o.v.) δ of Pˆ (F ) (defined as

the ratio of the sample standard deviation σˆ to the estimate Pˆ (F ) ) and the Figure Of Merit (FOM) of the method (defined as 1 (σˆ 2tcomp ), where tcomp is the computational time required by the simulation method). The closer is the estimate Pˆ (F ) to the exact (i.e., analytically

computed) failure probability P(F), the more accurate is the simulation method. The sample standard deviation σˆ and the c.o.v. δ of Pˆ (F ) are used to quantify the variability of the failure probability estimator; in particular, the lower are the values of σˆ and δ, the lower is the variability of the corresponding failure probability estimator and thus the higher is the efficiency of the simulation method adopted. Finally, the FOM is introduced to take into account the computational time required by the method. The value of the FOM increases as the sample variance σˆ 2 of the failure probability estimate Pˆ (F ) and the computational time tcomp required by the method decrease; thus, in this case the higher is the value of the index, the higher is the efficiency of the method (Gille, 1998 and 1999). The different simulation methods are also compared with respect to two direct performance indicators relative to standard MCS. First, the ratio of the sample standard deviation σˆ MC obtained by Standard MCS to that obtained by the simulation method under analysis σˆ meth is computed. This ratio only quantifies the improvement in the precision of the estimate achieved by using a given simulation method instead of standard MCS. Then, the ratio of the FOM of the simulation method in object, namely FOMmeth, to that of standard MCS, namely FOMMC, is considered to quantify the overall improvement in efficiency achieved by a given simulation method with respect to standard MCS, since it takes into account also the computational time required. Obviously, the higher are the values of these two indices for a given method, the higher is the efficiency of that method (Gille, 1998 and 1999). Table 3 reports the values of Pˆ (F ) , σˆ , δ, FOM, σˆ MC σˆ meth and FOMmeth/FOMMC obtained by Standard MCS, SS and LS in Cases 0, 1, 2 and 3 (Section 4.3); the actual number Nsys of system response analyses (i.e., model evaluations) is also reported. Notice that for both SS and LS the actual number Nsys of system analyses does not coincide with the total number NT of random samples drawn (i.e., NT = 50000). In particular, in the SS method, the presence of repeated conditional samples in each Markov chain (used to gradually populate the intermediate event regions) allows a reduction in the number of model evaluations required: actually, one evaluation is enough for all identical samples (see Appendix A). In the LS method, instead, the actual number Nsys of system analyses is given by Nsys = Ns + 2·NT: in particular, Ns = 2000 analyses are performed to generate the Markov chain used to compute the important unit vector α as the normalized “center of mass” of the failure domain F (Section 2.2.2); the 2·NT analyses are carried out to compute the NT conditional one16

PAPER III – E. Zio, N. Pedroni / Simulation Methods for Reliability and Availability of Complex Systems (series: Reliability Engineering), Springer (Eds.)

{

dimensional probability estimates Pˆ k (F ) : k = 1, 2, ..., N T (5’) in Appendix B).

} by linear interpolation (equation

Case 0 (Reference)

Standard MCS SS LS

Pˆ (F ) 1.120·10-3 1.274·10-3 1.169·10-3

Standard MCS SS LS

Pˆ (F ) 4.500·10-7 4.624·10-7 4.493·10-7

σˆ 3.000·10-6 7.295·10-8 1.791·10-10

Standard MCS SS LS

Pˆ (F ) 4.400·10-7 4.679·10-7 4.381·10-7

σˆ 3.000·10-6 6.890·10-8 4.447·10-10

Standard MCS SS LS

Pˆ (F ) 3.000·10-4 3.183·10-4 3.068·10-4

σˆ 1.496·10-4 7.136·10-5 5.142·10-7

c.o.v., δ 1.336·10-1 5.597·10-2 4.399·10-4

Nsys 50000 49929 102000

FOM 893.65 3936.67 3.782·107

σˆ MC / σˆ meth

1 2.10 290.92

FOMmeth/FOMMC 1 4.41 42318

Case 1 c.o.v., δ 6.667 1.578·10-1 3.986·10-4

Nsys 50000 49937 102000

FOM 2.222·106 3.762·109 3.117·1014

σˆ MC / σˆ meth

FOM 2.222·106 4.222·109 4.959·1013

σˆ MC / σˆ meth

FOM 3.334·103 3.339·104 3.028·108

σˆ MC / σˆ meth

1 41.12 16750

FOMmeth/FOMMC 1 1.7·103 1.4·108

Case 2 c.o.v., δ 6.667 1.473·10-1 1.015·10-3

Nsys 50000 49888 102000

1 43.54 6746.7

FOMmeth/FOMMC 1 1.9·103 2.2·107

Case 3 σˆ 7.745·10-5 2.450·10-5 1.817·10-7

c.o.v., δ 2.582·10-1 7.697·10-2 5.923·10-4

Nsys 50000 49907 102000

1 3.16 426.16

FOMmeth/FOMMC 1 10.01 9.1·104

Table 3. Results of the application of standard MCS, SS and LS to the reliability analysis of Cases 0 (Reference), 1, 2 and 3 of the cracked plate model of Section 4.2; the values of the performance indicators used to compare the effectiveness of the methods (i.e., σˆ MC σˆ meth and FOMmeth/FOMMC) are highlighted in bold It can be seen that SS performs consistently better than standard MCS and its performance significantly grows as the failure probability to be estimated decreases: for instance, in Case 0 (Reference), where P(F) ~ 10-3, the FOM of SS, namely FOMSS, is only four times larger than that of Standard MCS, namely FOMMC; whereas in Case 1, where P(F) ~ 10-7, the ratio FOMSS/FOMMC is about 557. On the other hand, LS outperforms SS with respect to both σˆ MC σˆ meth and FOMmeth/FOMMC in all the Cases considered. For instance, in Case 2, where the failure probability P(F) to be estimated is very small, i.e., P(F) = 4.4·10-7, the ratio σˆ MC σˆ LS is 155 times larger than the ratio σˆ MC σˆ SS , whereas the ratio FOMLS/FOMMC is 11750 times larger than the ratio FOMSS/FOMMC. Notice that for the LS method even though the determination of the sampling important direction α (Section 2.2.2) and the calculations of the conditional one-dimensional failure probability estimates Pˆ k (F ) : k = 1, 2, ..., N T (equation (5’) in Appendix B) require much more than NT system analyses by the model, this is significantly overweighed by the accelerated convergence rate that can be attained by the LS method with respect to SS.

{

}

4.4.1 Comparison with other stochastic simulation methods The results obtained by SS and LS are compared to those obtained by the Importance Sampling (IS), Dimensionality Reduction (DR), Orthogonal Axis (OA) methods and by a 17

PAPER III – E. Zio, N. Pedroni / Simulation Methods for Reliability and Availability of Complex Systems (series: Reliability Engineering), Springer (Eds.)

combination of IS and DR (Section 3) (Gille, 1998 and 1999). For DR, the variable x1 is explicited. The values of the performance indicators σˆ MC / σˆ meth and FOMmeth/FOMMC obtained by the four methods in Cases 0, 1, 2 and 3 are summarized in Table 4. Case 0 (Reference) IS DR (Variable x1) OA IS + DR

σˆ MC / σˆ meth 17 14 340 194

FOMmeth/FOMMC 100 14 7.7·103 2.1·104

Case 1 IS DR (Variable x1) OA IS + DR

σˆ MC / σˆ meth 630 856 17255 8300

IS DR (Variable x1) OA IS + DR

σˆ MC / σˆ meth 643 242 10852 8077

IS DR (Variable x1) OA IS + DR

σˆ MC / σˆ meth 29 7 4852 150

FOMmeth/FOMMC 376 7.3·105 2.0·107 1.3·108

Case 2 FOMmeth/FOMMC 1.5·105 242 7.9·106 3.6·107

Case 3 FOMmeth/FOMMC 289 7 4.9·105 1.2·104

Table 4. Values of the performance indicators σˆ MC σˆ meth and FOMmeth/FOMMC obtained by IS, DR (with variable x1 specified), OA and IS + DR when applied for the reliability analysis of Cases 0 (Reference), 1, 2 and 3 of the cracked plate model of Section 4.2 (Gille, 1998 and 1999) Comparing Table 3 and Table 4, it can be seen that LS performs significantly better than IS and DR in all the case studies considered: in particular, in Cases 1 and 2 the values of the performance indicators σˆ MC σˆ LS (16750 and 6746.7) and FOMLS/FOMMC (1.4·108 and 2.2·107) are more than one order of magnitude larger than those reported in (Gille, 1998 and 1999) for IS (630, 376 and 643, 1.5·105 for Cases 1 and 2, respectively) and DR (856, 7.3·105 and 242, 242 for Cases 1 and 2, respectively). Moreover, it is worth noting that in the reference studies by (Gille, 1998 and 1999) a significant number of simulations has been run to properly tune the parameters of the ISDs for the IS method (in particular, 8, 6, 6 and 8 simulations have been performed for Cases 0, 1, 2 and 3, respectively), with a significant increase in the associated computational effort. LS is found to perform slightly worse than OA in all the case studies considered: actually, the values of both σˆ MC σˆ LS and FOMLS/FOMMC are slightly lower than those reported in (Gille, 1998 and 1999) for OA. However, it should be considered that in these studies the OA method has been applied to a simplified version of the problem described in Sections 4.1 and 18

PAPER III – E. Zio, N. Pedroni / Simulation Methods for Reliability and Availability of Complex Systems (series: Reliability Engineering), Springer (Eds.)

4.2; actually, only three uncertain variables (i.e., x1, x2 and x4) have been considered by keeping variable x3 (i.e., F) fixed to its mean value (i.e., 0.99): this certainly reduces the variability of the model output and contributes to the reduction of the variability of the associated failure probability estimator. Further, LS performs consistently better than the combination of IS and DR in the task of estimating failure probabilities around 10-3 ÷ 10-4 (for instance, in Case 0 σˆ MC σˆ IS + DR = 194 and σˆ MC σˆ LS = 290, whereas in Case 4 σˆ MC σˆ IS + DR = 150 and σˆ MC σˆ LS = 426). In addition, LS performs comparably to the combination of IS and DR in the estimation of failure probabilities around 10-7: actually, in Case 1 σˆ MC σˆ IS + DR = 8300 and σˆ MC σˆ LS = 16750, whereas in Case 2 σˆ MC σˆ IS + DR = 8077 and σˆ MC σˆ LS = 6746. However, it has to be noticed again that in the reference studies by (Gille, 1998 and 1999) a significant number of simulations has been run to properly tune the parameters of the ISDs for the IS method (in particular, 4, 8, 8 and 10 simulations have been performed in Cases 0, 1, 2 and 3, respectively). Finally, it is worth noting that in these cases SS performs worse than the other methods proposed.

5 Application 2: thermal fatigue crack growth model The thermal fatigue crack growth model considered in this study is based on the deterministic Paris-Erdogan model which describes the propagation of a manufacturing defect due to thermal fatigue (Paris, 1961).

5.1 The mechanical model The evolution of the size a of a defect satisfies the following equation: da m = C ⋅ ( f (R ) ⋅ ΔK ) (24) dN c where Nc is the number of fatigue cycles, C and m are parameters depending on the properties of the material, f(R) is a correction factor which is a function of the material resistance R and ΔK is the variation of the intensity factor, defined as ΔK = Δs ⋅ Y (a ) ⋅ πa (25) In (25), Δs is the variation of the uniform loading (stress) applied to the system and Y(a) is the shape factor of the defect. Let Si = Δsi be the variation of the uniform normal stress at cycle i = 1, 2, …, Nc. The integration of equation (24) gives Nc a Nc da ( f (R ) ⋅ Si )m = C ⋅ (26) ∑ ∫a0 Y (a ) πa m i =1 where a0 and a N c are the initial and final size of the defect, respectively. In (26) the following

(

)

approximation can be adopted Nc

∑ ( f (R ) ⋅ S ) i =1

m

i

≈ (T − T0 ) ⋅ N c ⋅ ( f (R ) ⋅ S )

m

(27)

where T and T0 are the initial and final times of the thermal fatigue treatment (of Nc cycles). The system is considered failed when the size aNc of the defect at the end of the Nc cycles exceeds a critical dimension ac, i.e.: (28) ac − a N c ≤ 0 which in the integral form (26) reads ψ (ac ) −ψ a N c ≤ 0

( )

(29) 19

PAPER III – E. Zio, N. Pedroni / Simulation Methods for Reliability and Availability of Complex Systems (series: Reliability Engineering), Springer (Eds.)

where

ψ (a ) = ∫

a

a0

da '

(Y (a')⋅

πa '

)

(30)

)

(31)

m

Using (27), a safety margin M (T ) can then be defined as follows: ac da m − C ⋅ (T − T0 ) ⋅ N c ⋅ ( f (R ) ⋅ S ) M (T ) = ∫ m a0 Y (a ) ⋅ πa The failure criterion can then be expressed in terms of the safety margin (31): M (T ) ≤ 0 The variables of the model are summarized in Table 5.

(

(32)

Variables of the thermal fatigue crack growth model Name Description Unit of measure Initial size of the defect Critical size of the defect Initial time Final time Parameter of the material Parameter of the material Correction factor Number of cycles per year Stress per cycle

a0 ac T0 T C m f(R) Nc S

[m] [m] [years] [years] / / / / [MPa]

Table 5. Names, descriptions and units of measure of the variables of the thermal fatigue crack growth model

5.2 The structural reliability model For the purpose of a structural reliability analysis, the thermal fatigue crack growth model is framed within a probabilistic representation of the uncertainties affecting the nine variables a0, ac, T0, T, C, m, f(R), Nc and S (hereafter named x1, x2, x3, x4, x5, x6, x7, x8 and x9, respectively). From (32), the probability of system failure P(F) is written as ⎡ ac ⎤ da m ( ) ( ( ) ) (33) − ⋅ − ⋅ ⋅ ⋅ ≤ P(F ) = P[M (T ) ≤ 0] = P ⎢ ∫ C T T N f R S 0 ⎥ c 0 m ⎢⎣ a0 Y (a ) ⋅ πa ⎥⎦ or ⎡ x2 ⎤ da x6 ( ) ( ) P(F ) = P[M (T ) ≤ 0] = P ⎢ ∫ x x x x x x 0 (34) − ⋅ − ⋅ ⋅ ⋅ ≤ ⎥. 5 4 3 8 7 9 x 6 ⎢⎣ x1 Y (a ) ⋅ πa ⎥⎦ It is worth noting the highly nonlinear nature of expressions (33) and (34) which increases the complexity of the problem.

(

)

(

)

5.3 Case studies Two different case studies, namely Case 1 and Case 2, are built with reference to the structural reliability model of the previous Section 5.2. The characteristics of the PDFs of the uncertain variables of Table 5 are summarized in Table 6; the values of the exact (i.e., analytically computed) failure probabilities, P(F), for both Cases 1 and 2 are also reported in the last row of Table 6.

20

PAPER III – E. Zio, N. Pedroni / Simulation Methods for Reliability and Availability of Complex Systems (series: Reliability Engineering), Springer (Eds.)

x1 (a0) x2 (ac) x3 (T0) x4 (T) x5 (C) x6 (m) x7 (f(R)) x8 (Nc) x9 (S) P(F)

Case 1

Case 2

Exp(0.61·10-3) N(21.4·10-3, 0.214·10-3) 0 40 LG(6.5·10-13, 5.75·10-13) 3.4 2 N(20, 2) LG(300, 30) 3.3380·10-4

Exp(0.81·10-3) N(21.4·10-3, 0.214·10-3) 0 40 LG(1.00·10-12, 5.75·10-13) 3.4 2 N(20, 2) LG(200, 20) 1.780·10-5

Table 6. Probability distributions and parameters (i.e., means and standard deviations) of the uncertain variables x1, x2, …, x9 of the thermal fatigue crack growth model of Section 5.2 for the two case studies considered (i.e., Cases 1 and 2); the last row reports the values of the corresponding exact (i.e., analytically computed) failure probabilities, P(F) (Gille, 1998 and 1999). Exp=exponential distribution; LG=Lognormal distribution; N=Normal distribution

5.4 Results In this Section, the results of the application of SS and LS for the reliability analysis of the thermal fatigue crack growth model of Sections 5.1 and 5.2 are illustrated with reference to Cases 1 and 2 (Table 5 of Section 5.3). Again for fair comparison all simulation methods have been run with the same total number of samples (NT = 40000) in both Cases 1 and 2. The efficiency of the methods has been evaluated in terms of the same indices and performance indicators defined in Section 4.4. Table 7 reports the values of Pˆ (F ) , σˆ , δ, FOM, σˆ MC σˆ meth and FOMmeth/FOMMC obtained by Standard MCS, SS and LS in the Cases 1 and 2 of Section 5.3; the actual number Nsys of system response analyses (i.e., model evaluations) is also reported.

21

PAPER III – E. Zio, N. Pedroni / Simulation Methods for Reliability and Availability of Complex Systems (series: Reliability Engineering), Springer (Eds.)

Standard MCS SS LS

Pˆ (F ) 2.500·10-4 3.006·10-4 3.768·10-4

Standard MCS SS LS

Pˆ (F ) 1.780·10-5 1.130·10-5 1.810·10-5

Case 1 σˆ 7.905·10-5 3.214·10-5 4.610·10-7

c.o.v., δ 3.162·10-1 1.069·10-1 1.223·10-3

Nsys 40000 40019 82000

FOM 4.001·103 2.419·104 5.737·107

σˆ MC / σˆ meth

1 2.46 171.46

FOMmeth/FOMMC 1 6.05 1.434·104

Case 2 σˆ 2.269·10-5 1.653·10-6 2.945·10-8

c.o.v., δ 1.102 1.462·10-1 1.627·10-3

Nsys 40000 39183 81999

FOM 4.860·104 9.341·106 1.188·1013

σˆ MC / σˆ meth

1 13.73 770.02

FOMmeth/FOMMC 1 192.36 2.892·105

Table 7. Results of the application of standard MCS, SS and LS to the reliability analysis of Cases 1 and 2 of the thermal fatigue crack growth model of Section 5.2; the values of the performance indicators used to compare the effectiveness of the methods (i.e., σˆ MC σˆ meth and FOMmeth/FOMMC) are highlighted in bold Also in this application, the LS methodology is found to outperform SS in both Cases 1 and 2: for example, in Case 2, where the failure probability P(F) to be estimated is around 10-5, the ratio FOMLS/FOMMC is about 1500 times larger than the ratio FOMSS/FOMMC.

5.4.1 Comparison with other stochastic simulation methods As done for the previous application of Section 4, the results obtained by SS and LS have been compared to those obtained by other literature methods, in particular the Importance Sampling (IS) and a combination of Importance Sampling and Dimensionality Reduction (Section 3) which have turned out to give the best results in the case studies considered (Gille, 1998 and 1999). Notice that the Orthogonal Axis (OA) method has not been implemented for this application in the reference study (Gille, 1998 and 1999): this is due to the high dimensionality of the problem which makes the definition of a proper rotation matrix very difficult (step 3. in Section 3.3). The values of the performance indicators σˆ MC / σˆ meth and FOMmeth/FOMMC obtained by IS and IS and DR for Cases 1 and 2 of the thermal fatigue crack growth model of Sections 5.1 and 5.2 are summarized in Table 8. Case 1 IS IS + DR

σˆ MC / σˆ meth 16.9 65.4

IS IS + DR

σˆ MC / σˆ meth 41.1 172.4

FOMmeth/FOMMC 424.36 864.36

Case 2 FOMmeth/FOMMC 4.396·103 8.317·103

Table 8. Values of the performance indicators σˆ MC / σˆ meth and FOMmeth/FOMMC obtained by IS and IS + DR when applied for the reliability analysis of Cases 1 and 2 of the thermal fatigue crack growth model of Section 5.2 (Gille, 1998 and 1999)

22

PAPER III – E. Zio, N. Pedroni / Simulation Methods for Reliability and Availability of Complex Systems (series: Reliability Engineering), Springer (Eds.)

In this application, LS is found to outperform both IS and the combination of IS and DR: for example, in Case 2, the ratio FOMLS/FOMMC is 65 and 35 times larger than FOMIS/FOMMC and FOMIS+DR/FOMMC, respectively. This confirms the capability of the LS method to efficiently probe complex high-dimensional domains of integration.

6 Summary and critical discussion of the techniques One of the major obstacles in applying simulation methods for the reliability analysis of engineered systems and structures is the challenge posed by the estimation of small failure probabilities: the simulation of the rare events of failure occurrence implies a significant computational burden (Schueller, 2007). In order to overcome the rare-event problem, the Importance Sampling (IS) method has been introduced (Au and Beck, 2003a; Schueller et al., 2004). This technique amounts to replacing the original PDF of the uncertain random variables with an Importance Sampling Distribution (ISD) chosen so as to generate samples that lead to failure more frequently (Au and Beck, 2003). IS has the capability to considerably reduce the variance compared with standard MCS, provided that the ISD is chosen similar to the theoretical optimal one (equation (11) of Section 3.1). However, generally substantial insights on the system stochastic behaviour and extensive modelling work is needed to identify a “good” ISD, e.g. by identifying “design points” (Schueller et al., 2004), setting up complex kernel density estimators (Au and Beck, 2003a) or simply by tuning the parameters of the ISD based on expert judgment and trial-anderror (Gille, 1998 and 1999; Pagani et al., 2005). Overall, this greatly increases the effort associated to the simulation for accurate failure probability estimation. Furthermore, there is always the risk that an inappropriate choice of the ISD may lead to worse estimates compared to Standard MCS (Schueller et al., 2004). Subset Simulation (SS) offers a clever way out of this problem by breaking the small failure probability evaluation task into a sequence of estimations of larger conditional probabilities. During the simulation, more frequent samples conditional to intermediate regions are generated from properly designed Markov chains. The method has been proven much more effective than standard MCS in the very high-dimensional spaces characteristic of structural reliability problems in which the failure regions are just tiny bits (Au and Beck, 2001). The strength of Subset Simulation lies in the generality of its formulation and the straightforward algorithmic scheme. In contrast to some of the alternative methods (e.g., Line Sampling and Orthogonal Axis), it is not restricted to standard normal spaces and can provide equally good results irrespectively of the joint distribution of the uncertain variables as long as one can draw samples from it. Except for rare degenerate cases, it performs consistently despite possible irregularities in the topology of the failure domain and its boundary (Au and Beck, 2001). Furthermore, a single run of the SS algorithm leads to the calculation of the probabilities associated with all the conditional events considered: if for example, the probability of exceeding a critical level by a system response statistic of a stochastic system (e.g., the mean or a percentile of the displacement, stress, temperature, etc) is sought, then by appropriate parametrization of the intermediate conditional events, a single run can provide the probabilities of exceedance associated with a wide range of values of the response statistic of interest irrespectively of their magnitude (Au, 2005). On the other hand, a word of caution is in order with respect to the fact that the conditional samples generated during the Markov Chain Monte Carlo (MCMC) simulation are correlated by construction. Since it is demonstrated that a high correlation among conditional samples increases the variance of the SS estimates, a good choice/tuning of the SS parameters (i.e., the conditional probability p0 and the proposal PDFs for MCMC simulation) is required to avoid it (Au and Beck, 2003b). Finally, another drawback of the SS method is the need to express 23

PAPER III – E. Zio, N. Pedroni / Simulation Methods for Reliability and Availability of Complex Systems (series: Reliability Engineering), Springer (Eds.)

the failure event F in terms of a real valued parameter crossing a given threshold (i.e., F = {Y < y}). This parametrization is natural for the cases of practical interest in structural reliability and otherwise specific for other system reliability problems (Zio and Pedroni, 2008). An alternative way to perform robust estimations of small failure probabilities without the extensive modelling effort required by IS is offered by Line Sampling (LS). The LS method employs lines instead of random points in order to probe the high-dimensional failure domain of interest. An “important direction” is optimally determined to point towards the failure domain of interest and a number of conditional, one-dimensional problems are solved along such direction, in place of the original high-dimensional problem (Pradlwarter et al., 2005). In case the boundaries of the failure domain of interest are not too rough (i.e., approximately linear) and the “important direction” is almost perpendicular to them, only few simulations suffice to arrive at a failure probability with acceptable confidence. The determination of the important direction requires additional evaluations of the system performance which increases the computational cost (Section 2.2.2). Further, for each random sample (i.e., system configuration) drawn, two or three evaluations of the system performance are necessary to estimate the conditional one-dimensional failure probability estimates by linear or quadratic interpolation (equation (5’) in Appendix B). In case the “important direction” is not the optimal one, the variance of the estimator will increase. Luckily, in practice it is rarely necessary to determine the “important direction” with too high accuracy, since deviations from a perfect linear limit state surface will introduce anyway some variations in the conditional estimates. Of particular advantage of Line Sampling is its robustness: in the worst possible case where the “important direction” is selected orthogonal to the (ideal) optimal direction, line sampling performs at least as well as standard Monte Carlo simulation (Schueller et al., 2004). Finally, the Dimensionality Reduction (DR) method and the Orthogonal Axis (OA) method employ simulation concepts similar to those of LS, but with important limitations (Gille, 1998 and 1999). In the DR method, the failure event of interest is re-expressed in such a way as to highlight one (say, xj) of the input random variables, recognized as more important; then, the failure probability estimate is computed as the expected value of the CDF of xj conditional on the remaining (n – 1) input variables. By so doing, the zero values contained in the standard MCS estimator (i.e., IF(x) = 0, if x ∈ F) are removed: this allows to i) reach any level of probability (even very small) and ii) reduce the variance of the failure probability estimator (Gille, 1998 and 1999). Notice that DR can be considered a very special case of LS where the important direction α coincides with the “direction” of the variable xj, i.e., α = (0, 0, ..., x j , ..., 0, 0) . However, such method can not always be applied: first, the performance function of the system must be analytically known (which is never the case for realistic systems simulated by detailed computer codes); second, the performance function must have the characteristic that one of the variables can be separated from the others (Gille, 1998 and 1999). Finally, the Orthogonal Axis (OA) method performs a sort of importance sampling around the design point of the problem in the standard normal space. Thus, if the design point is actually representative of the most important regions of the failure domain, the OA leads to an impressive reduction in the variance of the failure probability estimator. However, it is worth noting that the design points and their neighbors do not always represent the most important regions of the failure domain, especially in high-dimensional problems. Moreover, the computational cost associated with the identification of the design points may be quite relevant which adversely affect the efficiency of the method (Schueller et al., 2004). Finally, the implementation of the OA method requires the definition of a rotation matrix in order to modify the coordinate system, which can be very difficult for high-dimensional problems. 24

PAPER III – E. Zio, N. Pedroni / Simulation Methods for Reliability and Availability of Complex Systems (series: Reliability Engineering), Springer (Eds.)

A synthetic comparison of the stochastic simulation methods considered in this work is given in Table 9 (the second column, namely “Decisions”, refers to parameters, distributions and other characteristics of the methods that have to be chosen or determined by the analyst in order to perform the simulation).

25

PAPER III – E. Zio, N. Pedroni / Simulation Methods for Reliability and Availability of Complex Systems (series: Reliability Engineering), Springer (Eds.)

Method

Standard MCS

SS

LS

Simulation concepts

- repeat random sampling of possible system configurations

- express a small probability as a product of larger conditional probabilities - generate conditional samples by Markov Chain Monte Carlo (MCMC) simulation

- turn a high-dimensional problem in the physical space into one-dimensional problems in the standard normal space - project the problem onto a line α pointing at the important regions of the failure domain - use line α almost perpendicular to the failure domain to reduce the variance of the estimates

Decisions

/

- conditional failure probability p0 at each simulation level - proposal PDFs for MCMC Simulation

- one failure point to start the Markov chain for the determination of α

Advantages - samples the full range of each input variable - consistent performance in spite of complexity and dimension of the problem - accuracy easily assessed - no need for simplifying assumptions nor surrogate models - no complex elaborations of the original model - identification of nonlinearities, thresholds and discontinuities - simplicity - general formulation - straightforward algorithmic scheme - no restriction to standard normal space - consistent performance in spite of complex joint PDFs - consistent performance in spite of irregularities in topology and boundary of the failure domain - one single run computes probabilities for more than one event - reduced computational effort with respect to other methods

- no assumptions about regularity of the limit state function (robustness) - if limit state function is almost linear, few simulations suffice to achieve acceptable estimation accuracies - no necessity to estimate important direction α with excessive accuracy - even in the worst possible case (α orthogonal to optimal direction) the performance is at least comparable to standard MCS

Drawbacks

- high computational cost (in presence of long-running models for determining system response and small failure probabilities)

- parametrization of the failure event in terms of intermediate conditional events - correlation among conditional samples: bias in the estimates and possibly increased variance

- determination of important direction α requires additional evaluation of system performance (with increase in the computational cost) - for each sample drawn, two or three evaluations of system performance are necessary to estimate failure probability (with increase in the computational cost) - essential restriction to standard normal space (Rosenblatt’s or Nataf’s transformations are required) (Rosenblatt, 1952; Nataf, 1962)

Table 9. Synthetic comparison of the stochastic simulation methods considered in this work (Part I) 26

PAPER III – E. Zio, N. Pedroni / Simulation Methods for Reliability and Availability of Complex Systems (series: Reliability Engineering), Springer (Eds.)

Method

IS

DR

OA

Simulation concepts - repeated random sampling of possible system configurations - sample from Importance Sampling Density (ISD) to generate more samples in the region of interest (e.g., low probability of occurrence) - express failure event in such a way as to highlight one random variable - estimate failure probability as expected value of the CDF of the chosen variable conditional on the remaining (n – 1) variables

- identification of the design point - rotation of system coordinates - solve one-dimensional problems along direction of design point

Decisions

Advantages

- construction/choice of the ISD

- if the ISD is similar to optimal one: significant increase in estimation accuracy (or, conversely, reduction in sample size for given accuracy)

- random variable to be separated from others

- remove zero values included in the Standard MCS estimator (reduced variance) - any probability level can be reached (also the very small ones of rare events)

/

- if the design point is representative of the most important regions of the failure domain, then the variance is significantly reduced

Drawbacks

- many system behavior insights and and much modeling work needed for identification of good ISD - inappropriate ISD leads to worse estimates compared to Standard MCS - analytical expression for the system performance function is required - performance function must have the characteristics that one of the variables can be separated out from the others - design point frequently not representative of the most important regions of the failure domain (high-dimensional problems) - high computational cost associated to design point (nonlinear constrained optimization problem) - rotation matrix difficult to introduce in high-dimensional spaces

Table 9. Synthetic comparison of the stochastic simulation methods considered in this work (Part II)

27

PAPER III – E. Zio, N. Pedroni / Simulation Methods for Reliability and Availability of Complex Systems (series: Reliability Engineering), Springer (Eds.)

References Ahammed, M., Malchers, M. E., 2006. Gradient and parameter sensitivity estimation for systems evaluated using Monte Carlo analysis. Reliability Engineering and System Safety, 91, pp. 594 - 601. Ardillon, E. and Venturini, V., 1995. Measures de sensibilitè dans les approaches probabilistes. Rapport EDF HP-16/95/018/A. Au, S. K., 2005. Reliability-based design sensitivity by efficient simulation. Computers and Structures, 83, pp. 1048-1061. Au, S. K. and Beck, J. L., 2001. Estimation of small failure probabilities in high dimensions by subset simulation. Probabilistic Engineering Mechanics, 16(4), pp. 263-277. Au, S. K. and Beck, J. L., 2003a. Importance sampling in high dimensions. Structural Safety, 25(2), pp. 139-163. Au, S. K. and Beck, J. L., 2003b. Subset Simulation and its application to seismic risk based on dynamic analysis. Journal of Engineering Mechanics, 129(8), pp. 1-17. Der Kiureghian, A., 2000. The geometry of random vibrations and solutions by FORM and SORM. Probabilistic Engineering Mechanics, vol. 15(1), pp. 81-90. Freudenthal, A. M., 1956. Safety and the probability of structural failure. ASCE Trans., 121, pp. 1337-1397. Fishman, G. S., 1996. Monte Carlo: concepts, algorithms, and applications. New York: Springer. Fu, M., 2006. Stochastic gradient estimation. Chapter 19 in Handbook on Operation Research and Management Science: Simulation, S. G. Henderson and B. L. Nelson, editor, Elsevier. Hastings, W. K., 1970. Monte Carlo sampling methods using Markov chains and their applications. Biometrika, 57, pp. 97-109. Huang, B., Du, X., 2006. A robust design method using variable transformation and GaussHermite integration. International Journal for Numerical Methods in Engineering, 66, pp. 1841-1858. Gille, A., 1998. Evaluation of failure probabilities in structural reliability with Monte Carlo methods. ESREL ’98, Throndheim. Gille, A., 1999. Probabilistic numerical methods used in the applications of the structural reliability domain. PhD Thesis, Universitè Paris 6. Koutsourelakis, P. S., Pradlwarter, H. J., Schueller, 2004. Reliability of structures in high dimensions, Part I: algorithms and application. Probabilistic Engineering Mechanics (19), pp. 409-417. Metropolis, N., Rosenbluth, A. W., Rosenbluth, M. N. and Taller, A. H., 1953. Equations of state calculations by fast computing machines. Journal of Chemical Physics, 21(6), pp. 1087-1092. Nataf, A., 1962. Determination des distribution dont les marges sont donnees. Comptes Rendus I’ acad. Sci., 225, pp. 42-43. Nutt, W. T., Wallis, G. B., 2004. Evaluations of nuclear safety from the outputs of computer codes in the presence of uncertainties. Reliability Engineering and System Safety, 83, 57-77. Pagani, L., Apostolakis, G. E. and Hejzlar, P., 2005. The impact of uncertainties on the performance of passive systems. Nuclear Technology, 149, 129-140. Paris, P. C., 1961. A rational analytic theory of fatigue. The trend of engineering at the university of Washington, 13(1), 9. 28

PAPER III – E. Zio, N. Pedroni / Simulation Methods for Reliability and Availability of Complex Systems (series: Reliability Engineering), Springer (Eds.)

Patalano, G., Apostolakis, G. E., Hejzlar, P., 2008. Risk informed design changes in a passive decay heat removal system. Nuclear Technology, vol. 163, pp. 191-208. Pradlwarter, H. J., Pellissetti, M. F., Schenk, C. A., Schueller, G. I., Kreis, A., Fransen, S., Calvi, A., Klein, M., 2005. Realistic and efficient reliability estimation for aerospace structures. Computer Methods in Applied Mechanics and Engineering, 194, pp. 15971617. Pradlwarter, H. J., Schueller, G. I., Koutsourelakis, P. S., Charmpis, D. C., 2007. Application of line sampling simulation method to reliability benchmark problems. Structural Safety, 29, pp. 208-221. Rosenblatt, M., 1952. Remarks on multivariate transformations. Ann. Math. Stat., 23(3), pp. 470-472. Schueller, G. I., 2007. On the treatment of uncertainties in structural mechanics and analysis. Computers and Structures, 85, pp. 235-243. Schueller, G. I., Pradlwarter, H. J., 2007. Benchmark study on reliability estimation in higher dimension of structural systems – An overview. Structural Safety (29) pp. 167-182. Schueller, G. I., Pradlwarter, H. J., Koutsourelakis, P. S., 2004. A critical appraisal of reliability estimation procedures for high dimensions. Probabilistic Engineering Mechanics, 19, pp. 463-474. Thunnissen, D. P., Au, S. K. and Tsuyuki, G. T, 2007. Uncertainty quantification in estimating critical spacecraft component temperature. AIAA Journal of Thermal Physics and Heat Transfer, in press (doi: 10.2514/1.23979). Zio, E., Pedroni, N., 2008. Reliability analysis of discrete multi-state systems by means of subset simulation. Accepted for publication on the Proceedings of the ESREL 2008 Conference, 22-25 September – Valencia, Spain.

Appendix A Markov Chain Monte Carlo (MCMC) Simulation Markov Chain Monte Carlo (MCMC) simulation comprises a number of powerful simulation techniques for generating samples according to any given probability distribution (Metropolis et al., 1953). In the context of the reliability assessment of interest in the present work, MCMC simulation provides an efficient way for generating samples from the multidimensional conditional PDF q( x | F ) . The distribution of the samples thereby generated tends to the multidimensional conditional PDF q( x | F ) as the length of the Markov chain increases. In mathematical terms,

{

u

}

letting x : u = 1, 2, ..., N s be the set of MCMC samples, then x

Ns

tends to be distributed as

1

q( x | F ) as Ns → ∞. In the particular case of the initial sample x being distributed exactly as the multidimensional conditional PDF q( x | F ) , then so are the subsequent samples and the Markov chain is always stationary (Au and Beck, 2001). Furthermore, since in practical applications dependent random variables may often be generated by some transformation of independent random variables, in the following it is assumed without loss of generality that the components of x are independent, that is, n

q( x ) = ∏ q j ( x j ) , where q j ( x j ) denotes the one-dimensional PDF of x j (Au and Beck, j =1

2001).

29

PAPER III – E. Zio, N. Pedroni / Simulation Methods for Reliability and Availability of Complex Systems (series: Reliability Engineering), Springer (Eds.)

To illustrate the MCMC simulation algorithm with reference to a generic failure region Fi, let u x = x1u , x 2u , ..., x uj , ..., x nu be the uth Markov chain sample drawn and let p *j (ξ j | x uj ) , j = 1, 2,

{

}

…, n, be a one-dimensional ‘proposal PDF’ for ξ j , centered at the value x uj and satisfying the symmetry property p *j (ξ j | x uj ) = p *j ( x uj | ξ j ) . Such distribution, arbitrarily chosen for each element x j of x , allows generating a ‘precandidate value’ ξ j based on the current sample value x uj . The following algorithm is then applied to generate the next Markov chain sample x

u +1

{

}

= x1u +1 , x 2u +1 , ..., x uj +1 , ..., x nu +1 , u = 1, 2, …, Ns – 1 (Au and Beck, 2001): u +1 x = ~ x1u +1 , ~ x 2u +1 , ..., ~ x ju +1 , ..., ~ x nu +1 : for each 1. Generation of a candidate sample ~

{

}

parameter x j , j = 1, 2, …, n: a. Sample a precandidate value ξ uj +1 from p *j (⋅ | x uj ) ; b. Compute the acceptance ratio: r

u +1 j

=

q j (ξ uj +1 )

(1’)

q j ( x uj )

u +1 c. Set the new value ~ x ju +1 of the jth element of ~ x as follows:

⎧ξ u +1 with probability min(1, rju +1 ) ~ x uj +1 = ⎨ ju (2’) u +1 − x with probabilit y 1 min( 1 , r ) j j ⎩ u +1 x : 2. Acceptance/rejection of the candidate sample vector ~ u +1 u u +1 u x = x (i.e., no precandidate values have been accepted), set x = x . If ~ u +1 u +1 x is a system failure configuration, i.e. ~ x ∈ F : if it is, Otherwise, check whether ~ i

x as the next state, i.e., set x = ~ x ; otherwise, reject then accept the candidate ~ u +1 u +1 u ~ the candidate x and take the current sample as the next one, i.e., set x = x . u u +1 x is generated from the current sample x and then either In synthesis, a candidate sample ~ u +1

u +1

u +1

u u +1 u +1 the candidate sample ~ x or the current sample x is taken as the next sample x , u +1 depending on whether the candidate ~ x lies in the failure region Fi or not. For clarity, a

pictorial representation of the MCMC simulation algorithm is provided in Figure 1’.

30

PAPER III – E. Zio, N. Pedroni / Simulation Methods for Reliability and Availability of Complex Systems (series: Reliability Engineering), Springer (Eds.)

Figure 1’. Illustration of the MCMC simulation algorithm used in this work (Au and Beck, 2001) The proposal PDFs {p *j : j = 1, 2, ..., n} affect the deviation of the candidate sample from the current one, thus controlling the efficiency of the Markov chain samples in populating the failure region. In particular, the spreads of the proposal PDFs affect the size of the region covered by the Markov chain samples. Small spreads tend to increase the correlation between successive samples due to their proximity to the conditioning central value, thus slowing down the convergence of the failure probability estimators. Indeed, it can be shown that the coefficient of variation (c.o.v.) of the failure probability estimates, defined as the ratio of the standard deviation to the mean of the estimate, increases as the correlation between the successive Markov chain samples increases. On the other hand, excessively large spreads may reduce the acceptance rate, increasing the number of repeated Markov chain samples, still slowing down convergence. The optimal choice of the spread of the proposal PDFs {p*j : j = 1, 2, ..., n} is therefore a trade-off between acceptance rate and correlation due to proximity of the MCMC samples (Au and Beck, 2003b). In this work, the one-dimensional proposal PDF p *j , j = 1, 2, …, n, is chosen as a symmetrical uniform distribution centered at the current sample xj, j = 1, 2, …, n, with width 2lj, where lj is the maximum step length, i.e. the maximum allowable distance that the next sample can depart from the current one. The choice of lj is such that the standard deviation of p *j is equal to that of qj, j = 1, 2, …, n.

Appendix B The Line Sampling algorithm The LS algorithm proceeds as follows (Pradlwarter et al., 2005): 1. Determine the unit important direction α = {α1 , α 2 , ..., α j , ..., α n }. Any of the methods summarized in Section 2.2.2 can be employed to this purpose. 31

PAPER III – E. Zio, N. Pedroni / Simulation Methods for Reliability and Availability of Complex Systems (series: Reliability Engineering), Springer (Eds.)

Notice that the computation of α implies additional system analyses, which substantially increase the computational cost associated to the simulation method (Section 2.2.2). 2. From the original multidimensional joint probability density function k q(⋅) : ℜ n → [0, ∞) , sample NT vectors x : k = 1, 2, ..., N T , with x = {x , x , ..., x , ..., x k

k 1

k 2

k j

k n

{

} by standard MCS.

{

}

}

k

3. Transform the NT sample vectors x : k = 1, 2, ..., N T defined in the original (i.e., physical) space of possibly dependent, non-normal random variables (step 2. above) k into NT samples θ : k = 1, 2, ..., N T defined in the standard normal space where each

{

}

component of the vector θ = {θ ,θ 2k , ...,θ jk , ...,θ nk }, k = 1, 2, ..., NT, is associated with k

k 1

an independent central unit Gaussian standard distribution (Section 2.2.1). 4. Estimate NT conditional “one-dimensional” failure probabilities k Pˆ (F ) : k = 1, 2, ..., N T , corresponding to each one of the standard normal samples

{ {θ

k

}

}

: k = 1, 2, ..., N T obtained in step 3. above. In particular, for each random sample

θ k , k = 1, 2, …, NT, perform the following steps (Figure 2’) (Schueller et al., 2004; Pradlwarter et al., 2005; Pradlwarter et al., 2007): ~k a. Define the sample vector θ , k = 1, 2, ..., NT, as the sum of a deterministic k ,⊥

multiple of α and a vector θ , k = 1, 2, ..., NT, perpendicular to the direction α, i.e., ~k θ = c k α + θ k ,⊥ , k = 1, 2, ..., NT (3’) k where c is a real number in [-∞, +∞] and θ k ,⊥ = θ k − α , θ k α , k = 1, 2, ..., NT (4’) In (4’), θ , k = 1, 2, ..., NT, denotes a random realization of the input variables k

in the standard normal space of dimension n and α ,θ

k

is the scalar product

between α and θ , k = 1, 2, ..., NT. Finally, it is worth noting that since the k

standard Gaussian space is isotropic, both the scalar ck and the vector θ also standard normally distributed (Pradlwarter et al., 2007).

k ,⊥

are

k

b. Compute the value c as the intersection between the limit state function ~k k ,⊥ k gθ θ = gθ c k α + θ = 0 and the line l k (c k , α ) passing through θ and

( ) (

)

k

parallel to α (Figure 2’). The value of c can be approximated by evaluating the performance function g θ (⋅) at two or three different values of ck (e.g., c1k , c2k and c3k in Figure 2’), fitting a first or second order polynomial and determining its root (Figure 2’). Hence, for each standard normal random k sample θ , k = 1, 2, …, NT, two or three system performance evaluations by the model are required. c. Solve the conditional one-dimensional reliability problem associated to each k random sample θ , k = 1, 2, …, NT, in which the only (standard normal) random variable is ck. The associated conditional failure probability Pˆ k (F ) , k = 1, 2, …, NT, is given by 32

PAPER III – E. Zio, N. Pedroni / Simulation Methods for Reliability and Availability of Complex Systems (series: Reliability Engineering), Springer (Eds.)

[

]

[

]

() ( )

k k k k Pˆ k (F ) = P N (0,1) > c = 1 − P N (0,1) ≤ c = 1 − Φ c = Φ − c (5’) where Φ (⋅) denotes the standard normal cumulative distribution function. 5. Using the independent conditional “one-dimensional” failure probability estimates Pˆ k (F ) : k = 1, 2, ..., N T in (5’) (step 4.c. above), compute the unbiased estimator Pˆ (F ) for the failure probability P (F ) as

{

}

1 NT ˆ k Pˆ (F ) = ∑ P (F ) N T k =1 The variance of the estimator (6’) is NT 2 1 σ 2 Pˆ (F ) = Pˆ k (F ) − Pˆ (F ) ∑ N T (N T − 1) k =1

(

)

(

)

(6’)

(7’)

With the described approach the variance of the estimator Pˆ (F ) of the failure probability P (F ) is considerably reduced. In general, a relatively low number NT of simulations has to be carried out to obtain a sufficiently accurate estimate. A single evaluation would suffice for the ideal case in which the limit state function is linear and a Line Sampling direction α perpendicular to it has been identified (Koutsourelakis et al., 2004).

Figure 2’. The Line Sampling procedure (Pradlwarter et al., 2005)

33

Paper IV An optimized Line Sampling method for the estimation of the failure probability of nuclear passive systems E. Zio and N. Pedroni Submitted to Reliability Engineering and System Safety

An optimized Line Sampling method for the estimation of the failure probability of nuclear passive systems E. Zio and N. Pedroni Energy Department, Polytechnic of Milan, Via Ponzio 34/3, 20133 Milan, Italy Phone: +39-2-2399-6340; fax: +39-2-2399-6309 E-mail address: [email protected]

Abstract The quantitative reliability assessment of a thermal-hydraulic (T-H) passive safety system of a nuclear power plant can be obtained by i) Monte Carlo (MC) sampling the uncertainties of the system model and parameters, ii) computing, for each sample, the system response by a mechanistic T-H code and iii) comparing the system response with pre-established safety thresholds, which define the success or failure of the safety function. The computational effort involved can be prohibitive because of the large number of (typically long) T-H code simulations that must be performed (one for each sample) for the statistical estimation of the probability of success or failure. In this work, Line Sampling (LS) is adopted for efficient MC sampling. In the LS method, an “important direction” pointing towards the failure domain of interest is determined and a number of conditional one-dimensional problems are solved along such direction; this allows for a significant reduction of the variance of the failure probability estimator, with respect, for example, to standard random sampling. Two issues are still open with respect to LS: first, the method relies on the determination of the “important direction”, which requires additional runs of the T-H code; second, although the method has been shown to improve the computational efficiency by reducing the variance of the failure probability estimator, no evidence has been given yet that accurate and precise failure probability estimates can be obtained with a number of samples reduced to below a few hundreds, which may be required in case of long-running models. The work presented in this paper addresses the first issue by i) quantitatively comparing the efficiency of the methods proposed in the literature to determine the LS important direction; ii) employing Artificial Neural Network (ANN) regression models as fast-running surrogates of the original, long-running T-H code to reduce the computational cost associated to the determination of the LS “important direction” and iii) proposing a new technique for identifying the LS “important direction”, based on the Genetic Algorithm (GA) minimization of the variance of the LS failure probability estimator. In addition, this work addresses the second issue by assessing the performance of the LS method in estimating small failure probabilities with a reduced (e.g., lower than one hundred) number of samples. The issues are investigated within two case studies: the first one deals with the estimation of the failure probability of a nonlinear structural system subject to creep and fatigue damages (Mao and Mahadevan, 2000; Lu et al., 2008); the second one regards a passive decay heat removal system in a Gas-cooled Fast Reactor (GFR) of literature (Pagani et al. 2005). Keywords: Functional Failure Probability; Natural Circulation; Line Sampling; Important Direction; Variance Minimization; Artificial Neural Network; Long-Running T-H Code; Computational Cost.

PAPER IV – E. Zio, N. Pedroni / Submitted to Reliability Engineering and System Safety

1 Introduction Modern nuclear reactor concepts make use of passive safety features (Fong et al., 2009), which do not need external input (especially energy) to operate (IAEA, 1991) and, thus, are expected to improve the safety of nuclear power plants because of simplicity and reduction of both human interactions and hardware failures (Nayak et al., 2008a and b; Nayak et al., 2009). However, the uncertainties involved in the modelling and functioning of passive systems are usually larger than for active systems. This is due to: i) the random nature of several of the physical phenomena involved in the functioning of the system (aleatory uncertainty); ii) the incomplete knowledge on the physics of some of these phenomena (epistemic uncertainty) (Apostolakis, 1990). Due to these uncertainties, the physical phenomena involved in the passive system functioning (e.g., natural circulation) might develop in such a way to lead the system to fail its function: actually, deviations in the natural forces and in the conditions of the underlying physical principles from the expected ones can impair the function of the system itself (Burgazzi, 2003). In this view, a passive system fails to perform its function when deviations from its expected behavior lead the load imposed on the system to exceed its capacity (Burgazzi, 2007). In the reliability analysis of such functional failure behavior, the passive system is modeled by a detailed, mechanistic T-H system code and the probability of failing to perform the required function is estimated based on a Monte Carlo (MC) sample of code runs which propagate the epistemic (state-of-knowledge) uncertainties in the model and numerical values of its parameters/variables (Pagani et al., 2005; Bassi and Marquès, 2008; Mackay et al., 2008; Mathews et al., 2008 and 2009; Patalano et al., 2008; Arul et al., 2009; Fong et al., 2009; Zio and Pedroni, 2009a and b). In practice, the probability of functional failure of a passive system is very small (e.g., of the order of 10-4 or less), so that a large number of samples is necessary for acceptable estimation accuracy (Schueller, 2007). Given that the time required for each run of the detailed, mechanistic T-H system model code can be of the order of several hours (Fong et al., 2009), the MC simulation-based procedure typically requires considerable computational efforts. To reduce the computational burden of MC simulation-based approaches to reliability and risk analysis, efficient sampling techniques like Importance Sampling (IS) (Au and Beck, 2003), Stratified Sampling (Cacuci and Ionescu-Bujor, 2004) and Latin Hypercube Sampling (LHS) (Helton and Davis, 2003) have been widely used (Helton and Sallaberry, 2009). In this paper, we consider an advanced simulation method called Line Sampling (LS), which has been recently introduced in structural reliability analysis (Koutsourelakis et a., 2004). Lines, instead of random points, are used to probe the failure domain (Pradlwarter et al., 2005); an “important direction” pointing towards the failure domain of interest is first determined and a number of conditional, one-dimensional problems are then solved along such direction (Pradlwarter et al., 2005). The approach has been shown capable of substantially improving computational efficiency in a wide range of reliability applications (Koutsourelakis et al., 2004; Schueller et al., 2004; Pradlwarter et al., 2005 and 2007; Schueller and Pradlwarter, 2007; Lu et al., 2008; Zio and Pedroni, 2009b). If the boundary profile of the failure domain of interest is not too irregular and the “important direction” is almost perpendicular to it, the variance of the failure probability estimator could ideally be reduced to zero (Koutsourelakis et al., 2004). Two main issues of the LS method are still under study for its practical application in reliability and risk analysis: 1. LS relies on the determination of the important direction, which requires additional runs of the T-H model, with an increase of the computational cost. 2

PAPER IV – E. Zio, N. Pedroni / Submitted to Reliability Engineering and System Safety

2. LS has been shown to significantly reduce the variance of the failure probability estimator, but this must be achieved with a small number of samples (and, thus, of TH model evaluations; say, few tens or hundreds depending on the application), for practical cases in which the computer codes require several hours to run a single simulation (Fong et al., 2009). The present paper addresses the first issue above by: • comparing the efficiency of a number of methods proposed in the literature to identify the important direction; • employing Artificial Neural Network (ANN) regression models (Bishop, 1995) as fast-running surrogates of the long-running T-H code, to reduce the computational cost associated to the identification of the LS important direction; • proposing a new technique to determine the LS important direction, based on the minimization of the variance of the LS failure probability estimator. With respect to the second issue above, this paper aims at: • assessing the performance of the LS method in the estimation of small failure probabilities (e.g., of the order of 10-4) with a reduced number of samples (e.g., below 100). The novelties with respect to previous work performed by the authors on these issues (Zio and Pedroni, 2010) are the following: • Genetic Algorithms (GAs) are employed as optimization algorithms, whereas in the previous work an algorithm based on Sequential Quadratic Programming-SQP was used; • the ANN regression models are here trained according to a sequential, two-step algorithm (based on error back-propagation) in order to increase the accuracy of the ANN model estimates in proximity of the failure domain of interest; • the performance of the LS method in the estimation of small failure probabilities (e.g., of the order of 10-4) is assessed with a very small number of samples drawn (of the order of 5–50); • the following probabilistic simulation methods are compared in the estimation of small failure probabilities, on the basis of a very small number of samples drawn: i) the optimized LS method proposed in this paper, ii) a combination of the optimized LS method and Latin Hypercube Sampling (LHS), also developed in this paper, iii) Importance Sampling (IS) (Au and Beck, 2003) and iv) a combination of IS and LHS (Olsson et al., 2003). The investigations are carried out with regards to two case studies. The first one deals with the estimation of the failure probability of a nonlinear structural system subject to creep and fatigue damages (Mao and Mahadevan, 2000; Lu et al., 2008): thanks to its simplicity, it is here used as a toy-problem to extensively test the proposed methods, with respect to both issues 1. and 2. above. The second one deals with the reliability analysis of a passive, natural convection-based decay heat removal system of a Gas-cooled Fast Reactor (GFR) (Pagani et al., 2005): on the basis of the investigations performed in the first case study, only issue 2. above is tackled in the second case study. The remainder of the paper is organized as follows. In Section 2, the reliability analysis of TH passive systems is framed in terms of the concepts of functional failure analysis. In Section 3, a general presentation of the LS procedure is provided. In Section 4, a detailed description of the techniques employed in this work to estimate the important direction for LS is given. In Sections 5 and 6, the structural case study of literature and the case study concerning the 3

PAPER IV – E. Zio, N. Pedroni / Submitted to Reliability Engineering and System Safety

passive cooling of a GFR are respectively presented, together with the corresponding results. Finally, a critical discussion of the results obtained is proposed in Section 7 and some conclusions are drawn in the last Section.

2 Functional failure analysis of T-H passive systems The basic steps of a functional failure analysis of a T-H passive system are (Marquès et al., 2005): 1. Detailed modeling of the system response by means of a deterministic, best-estimate (typically long-running) T-H code. 2. Identification of the parameters/variables, models and correlations (i.e., the inputs to the T-H code) which contribute to the uncertainty in the results (i.e., the outputs) of the best-estimate T-H calculations. 3. Propagation of the uncertainties through the deterministic, long-running T-H code in order to estimate the functional failure probability P(F) of the passive system. Formally, let x = {x1, x2, …, xj, …, xn} be the vector of the relevant system uncertain parameters, Y( x ) be a scalar function indicating the performance of the T-H passive system (e.g., the fuel peak cladding temperature during an accidental transient) and αY a threshold value (imposed e.g. by the regulatory authorities) defining the criterion of loss of system functionality. For illustrating purposes, let us assume that the passive system fails if Y( x ) > αY; equivalently, introducing a variable called Performance Function (PF) as g x ( x) = Y ( x ) − α Y , failure occurs if g x ( x ) > 0 . The probability P(F) of system functional failure can then be expressed by the multidimensional integral: P(F ) = ∫∫ ...∫ I F ( x )q( x )dx (1)

where q (⋅) is the joint Probability Density Function (PDF) representing the uncertainty in the parameters x , F is the failure region (where gx(·) > 0) and IF(·) is an indicator function such that IF(x) = 1, if x ∈ F and IF(x) = 0, otherwise. The evaluation of integral (1) above entails multiple (e.g., many thousands) evaluations of the T-H code for different sampled combinations of system inputs; if the running time for each TH code simulation takes several hours (which is often the case for T-H nuclear passive systems), the associated computing cost is prohibitive. In this paper, the computational issue is addressed by resorting to the Line Sampling (LS) technique (Koutsourelakis et al., 2004), whose main concepts are given in the following Section.

3 A synthetic illustration of the Line Sampling technique Line Sampling (LS) is a simulation method for efficiently computing small failure probabilities. The underlying idea is to employ lines instead of random points in order to probe the failure domain of the system analyzed (Koutsourelakis et al., 2004; Pradlwarter et al., 2005). In extreme synthesis, the computational steps of the algorithm are (Pradlwarter et al., 2005 and 2007): 1. From the original multidimensional joint probability density function {x k : k = 1, 2, ..., NT }, with q(⋅) : ℜ n → [0, ∞) , sample NT vectors x k = {x1k , x2k , ..., x kj , ..., xnk }. 2. Transform the NT sample vectors {x k : k = 1, 2, ..., N T } defined in the original (i.e., physical) space into NT samples {θ k : k = 1, 2, ..., N T } defined in the standard normal space; also the PFs g x (⋅) defined in the physical space have to be transformed into g θ (⋅) in the standard normal space (Huang and Du, 2006). 4

PAPER IV – E. Zio, N. Pedroni / Submitted to Reliability Engineering and System Safety

3. In the standard normal space, determine the unit important direction α = {α1 , α 2 , ..., α j , ..., α n }T (hereafter also called “important unit vector” or “important direction”) pointing towards the failure domain F of interest (see Section 4 below). 4. Reduce the problem of computing the high-dimensional failure probability integral (1) to a number of conditional one-dimensional problems, solved along the “important direction” α in the standard normal space: in particular, estimate NT conditional “one1D , k dimensional” failure probabilities Pˆ (F ) : k = 1, 2, ..., N T , corresponding to each one of the standard normal samples {θ k : k = 1, 2, ..., N T } obtained in step 2. Notice that 2·NT or 3·NT system performance analyses (i.e., runs of the T-H model code) have to be carried out to calculate each of the NT conditional one-dimensional failure 1D , k probability estimates Pˆ (F ) : k = 1, 2, ..., N T (see Pradlwarter et al., 2005 and 2007 for details). N 5. Compute the unbiased estimator Pˆ (F ) T for the failure probability P (F ) and its N variance σ 2 Pˆ (F ) T as:

{

{

[

}

}

]

NT

N 1D ,k Pˆ (F ) T = 1 N T ⋅ ∑ Pˆ (F ) ,

[

σ 2 Pˆ (F )N

(2)

k =1

T

] = 1 N (N T

NT

T

(

N 1D , k − 1) ⋅ ∑ Pˆ (F ) − Pˆ (F ) T k =1

). 2

(3)

The LS method here outlined can significantly reduce the variance (3) of the estimator (2) of the failure probability integral (1) (Koutsourelakis et al., 2004); however, its efficiency depends on the determination of the important direction α (step 3. above): the following Section delves further into this issue.

4 Methods for the determination of the important direction α In what follows, the methods used in this work to determine the LS important direction α are presented in detail: in Section 4.1, the techniques proposed in the literature are critically reviewed; in Section 4.2, a new method based on the minimization of the variance of the LS failure probability estimator is proposed.

4.1 Literature methods 4.1.1 Normalized “center of mass” of the failure domain F The important unit vector α can be computed as the normalized “center of mass” of the failure domain F of interest (Koutsourelakis et al., 2004). A point θ 0 is taken in the failure domain F: this can be done by engineering judgment when possible. Subsequently, θ 0 is used as the initial point of a Markov chain which lies entirely in the failure domain F. For that purpose, a Metropolis-Hastings algorithm is employed to generate a sequence of Ns points θ u : u = 1, 2, ..., N s lying in the failure domain F (Metropolis et al., 1956). The unit vectors

{

}

θ u θ u , u = 1, 2, …, Ns, are then averaged in order to obtain the LS important unit vector as 2

1 Ns u u ⋅∑θ θ (Figure 1, top, left). This direction provides a good “map” of the 2 N s u =1 important regions of the failure domain (at least as the sample size Ns is large); on the other hand, the procedure implies Ns additional system analyses by the T-H model, which may substantially increase the computational cost associated to the simulation method. α=

5

PAPER IV – E. Zio, N. Pedroni / Submitted to Reliability Engineering and System Safety

4.1.2 Direction of the design point in the standard normal space A plausible selection of α could be the direction of the “design point” in the standard normal space (Schueller et al., 2004; Valdebenito et al., 2009). According to a geometrical interpretation, the “design point” is defined as the point θ * on the limit state surface gθ ( θ ) = 0 in the standard normal space, which is closest to the origin (Figure 1, top, right). It

can be computed by solving the following constrained nonlinear minimization problem: Find θ * : θ * = min { θ 2 } 2

gθ ( θ ) = 0

(4)

where ⋅ 2 denotes the usual Euclidean measure of a vector. Then, the unit important vector α can be easily obtained by normalizing θ * , i.e., α = θ * θ * . 2

In this work, Genetic Algorithms (GAs) (Konak et al., 2006; Marseguerra et al., 2006) are used to solve the constrained nonlinear minimization problem (4). In extreme synthesis, the main properties of GAs are that the optimization search is conducted i) using a (possibly) large population of multiple solution points or candidates, ii) using operations inspired by the evolution of species, such as breeding and genetic mutation, iii) using probabilistic operations and iv) using information on the objective or search function and not on its derivatives. With regards to their performance, it is acknowledged that GAs take a more global view of the search space than many other optimization methods. The main advantages are i) fast convergence to near global optimum, ii) superior global searching capability in complicated search spaces and iii) applicability even when gradient information is not readily achievable (Marseguerra et al., 2006). A thorough descriptions of the GA computational flow is not reported here for brevity sake: for further details, the interested reader may refer to the cited references and the copious literature in the field. Notice that checking the feasibility of a candidate solution θ to (4) requires the evaluation of the PF gθ ( ⋅) at θ , which entails running the numerical T-H model code simulating the system. As a consequence, the computational cost associated with the calculation of the design point can be quite high, in particular if long-running numerical codes are used to simulate the response of the system to its uncertain input parameters (Schueller et al., 2004), as it is the case in the functional failure analysis of T-H passive systems. 4.1.3 Gradient of the performance function in the standard normal space In (Pradlwarter et al., 2005), the direction of α is taken as the normalized gradient of the PF gθ ( ⋅) in the standard normal space. Since the unit vector α points towards the failure domain

F, it can be used to draw information about the relative importance of the uncertain parameters {θ j : j = 1, 2, ..., n} with respect to the failure probability P(F): the more relevant an

uncertain variable is in determining the failure of the system, the larger the corresponding component of the unit vector α will be (Pradlwarter et al., 2005). Such quantitative information is obtained from the gradient of the performance function gθ (θ ) in the standard normal space, ∇gθ (θ ) : T

⎡ ∂g (θ ) ∂gθ (θ ) ∂gθ (θ ) ∂gθ (θ ) ⎤ (5) ∇gθ (θ ) = ⎢ θ ... ... ⎥ ∂θ 2 ∂θ j ∂θ n ⎦⎥ ⎣⎢ ∂θ1 The gradient (5) measures the relative importance of a particular uncertain variable with respect to the failure probability P(F): the larger the (absolute) value of a component of (5), the greater the “impact” of the corresponding uncertain variable on the performance function gθ (θ ) in the standard normal space. Thus, it is reasonable to identify the LS important direction with the direction of the gradient (5) and compute the corresponding unit vector α as

6

PAPER IV – E. Zio, N. Pedroni / Submitted to Reliability Engineering and System Safety

the normalized gradient of the performance function gθ (⋅) in the standard normal space, i.e. α = ∇gθ (θ ) ∇gθ (θ ) 2 (Pradlwarter et al., 2005).

For clarity sake, Figure 1 bottom shows this procedure with reference to a two-dimensional problem: the important unit vector α = {α1, α2} associated to the two-dimensional performance function gθ (θ1 ,θ 2 ) is computed at a proper (selected) point θ 0 = {θ10 ,θ 20 } T (e.g., the nominal point of the system under analysis). Notice that since component ∂g ( θ ) α1 = θ ∇gθ ( θ ) θ 0 (Figure 1 bottom, left) is significantly larger than component 2 ∂θ1 θ 0

α2 =

∂gθ ( θ ) ∂θ 2 θ 0

∇gθ ( θ ) θ 0

2

(Figure 1 bottom, right), uncertain variable θ1 will be far more

important than θ2 in leading the system to failure. Finally, notice that as the PF gθ (θ ) is known only implicitly through the response of a numerical code, for a given vector θ = {θ1 , θ 2 , ...,θ j , ...,θ n } at least n system performance T

analyses are required to determine accurately the gradient (5) at a given point of the PF gθ (⋅) , e.g., by numerical differentiation (Ahammed and Melchers, 2006; Fu, 2006).

7

PAPER IV – E. Zio, N. Pedroni / Submitted to Reliability Engineering and System Safety

Figure 1. Methods for estimating the Line Sampling important unit vector α. Top, left: normalized “center of mass” of the failure domain F in the standard normal space (Koutsourelakis et al., 2004); top, right: direction of the design point of the problem in the standard normal space (Schueller et al., 2004; Valdebenito et al., 2009); bottom, left and right: normalized gradient of the PF gθ(·) evaluated at a selected point θ0 (e.g., the nominal point) in the standard normal space (Pradlwarter et al., 2005) All the techniques presented require additional runs of the T-H model code, with increase of the overall computational cost associated to the LS method. To improve on this issue, the substitution of the long-running T-H model code by a fast-running surrogate regression model is here investigated. The regression model is constructed on the basis of a limited-size set of data representing examples of the input/output nonlinear relationships underlying the original T-H code. Once built, the model can be used for performing, in an acceptable computational time, the evaluations of the system PF gθ(·) needed for an accurate estimation of the LS important direction α. In this work, a three-layered feed-forward Artificial Neural Network (ANN) regression model is considered. In extreme synthesis, ANNs are computing devices inspired by the function of the nerve cells in the brain (Bishop, 1995). They are composed of many parallel computing units (called neurons or nodes) interconnected by weighed connections (called synapses). Each of these computing units performs a few simple operations and communicates the results to its neighbouring units. From a mathematical viewpoint, ANNs consist of a set of nonlinear 8

PAPER IV – E. Zio, N. Pedroni / Submitted to Reliability Engineering and System Safety

(e.g., sigmoidal) basis functions with adaptable parameters that are adjusted by a process of training (on different input/output data examples), i.e., an iterative process of regression error minimization (Rumelhart et al., 1986). The details about ANN regression models are not reported here for brevity: for further details, the interested reader may refer to the cited references and the copious literature in the field. The particular type of ANN employed in this paper is the classical three-layered feed-forward ANN; in order to improve the accuracy in the approximation of the system PF gθ(·) (needed for an accurate estimation of the LS important direction α), the employed ANN models are trained by a properly devised sequential, two-step algorithm based on error back-propagation. ' In extreme synthesis, a first-step ANN regression model is built using a set Dtrain of ' ' ; further, a validation data set Dval (different from the input/output data examples of size N train training set) of size Nval’ is used to monitor the accuracy of the first-step ANN model during the training procedure in order to avoid overfitting of the training data (Rumelhart et al., 1986). The resulting ANN model is used (instead of the original, long-running system model code) to provide an approximation to the design point of the problem (Section 4.1.2): this is meant to provide an approximate, rough indication of the real location of the failure domain F '' '' '' of interest. Subsequently, new training and validation data sets Dtrain and Dval of sizes N train '' , respectively, are randomly generated centred on the approximate design point and N val previously identified: a second-step (i.e., definitive) ANN model is then constructed on these newly generated training and validation data sets. This should result in an ANN regression model which is more accurate in proximity of the failure domain F of interest, thus providing reliable estimates of the system PF gθ(·) for the identification of the LS important direction α.

4.2 Minimization of the variance of the LS failure probability estimator The optimal important direction α opt for Line Sampling can be defined as the one minimizing N N the variance σ 2 Pˆ (F ) T (3) of the LS failure probability estimator Pˆ (F ) T (2). Notice that

[

]

α opt can be expressed as the normalized version of a proper vector θ opt in the standard normal space, i.e., α opt = θ opt θ opt . Thus, in order to search for a physically meaningful important 2

opt

unit vector α (i.e., a vector that optimally points towards the failure domain F of interest), θ opt should belong to the failure domain F of interest, i.e. θ opt ∈ F or, equivalently, gθ θ opt > 0 .

( )

In mathematical terms, the optimal LS important direction α opt is obtained by solving the following nonlinear constrained minimization problem: N N Find α opt = θ opt θ opt : σ 2 Pˆ (F ) T = min σ 2 Pˆ (F ) T 2 α =θ θ 2 (6) subject to θ ∈ F (i.e., gθ (θ ) > 0 ). The conceptual steps of the procedure for solving (6) are (Figure 2): 1. An optimization algorithm proposes a candidate solution α = θ θ 2 to (6): as

[

]

{ [

]}

previously mentioned, in this work Genetic Algorithms (GAs) are employed. N 2. The LS failure probability estimator Pˆ (F ) T (2) and the associated variance σ 2 Pˆ (F )NT (3) are calculated using the unit vector α = θ θ proposed as important

[

]

2

direction in step 1. above; notice that 2·NT or 3·NT system performance analyses (i.e., runs of the system model code) have to be carried out in this phase (see steps 4. and 5. in Section 3). 9

PAPER IV – E. Zio, N. Pedroni / Submitted to Reliability Engineering and System Safety

[

N 3. The variance σ 2 Pˆ (F ) T

] obtained in step 2. above is the objective function to be

minimized; it measures the quality of the candidate solution α = θ θ the optimization algorithm in step 1. above. 4. The feasibility of the proposed solution α = θ θ

2

proposed by

2

is checked by evaluating the

system PF gθ(·) (i.e., by running the system model code) in correspondence of θ: if the proposed solution α = θ θ 2 is not feasible (i.e., if θ ∉ F or, equivalently,

gθ (θ ) ≤ 0 ), it is penalized by increasing the value of the corresponding objective N function σ 2 Pˆ (F ) T through an additive factor (Konak et al., 2006).

[

]

5. Steps 1. − 4. are repeated until a predefined stopping criterion is met and the optimization algorithm identifies the optimal unit vector α opt = θ opt θ opt . 2

Notice that i) the optimization search requires the iterative evaluation of hundreds or thousands of possible solutions α = θ θ 2 to (6) and ii) 2·NT or 3·NT system performance analyses (i.e., runs of the system model code) have to be carried out to calculate the objective N function σ 2 Pˆ (F ) T for each proposed solution; as a consequence, the computational effort

[

]

associated to this technique would be absolutely prohibitive with a system model code requiring hours or even minutes to run a single simulation. Hence, it is unavoidable, for practical applicability, to resort to a regression model (ANN-based, in this work) as a fastrunning approximator of the original system model for performing the calculations in steps 2. and 4. above, to make the computational cost acceptable.

Figure 2. Proposed method for estimating the LS important direction α: minimization of the N N variance σ 2 Pˆ (F ) T of the LS failure probability estimator Pˆ (F ) T

[

]

The characteristics of the methods described in Sections 4.1 and 4.2 are summarized in Table 1, with the specification of the computational tools employed for their implementation. 10

PAPER IV – E. Zio, N. Pedroni / Submitted to Reliability Engineering and System Safety

Methods of literature Concept

Evaluations to be performed

“Center of mass” of F (Section 4.1.1) Design point (Section 4.1.2) Gradient (Section 4.1.3)

- Evaluation of the performance function gθ(θ) during MCMC to verify if θ belongs to the failure domain F, i.e., if gθ(θ) > 0

Computational tools adopted Original system model code ANN

- Minimization of the distance ||θ||2 in (4)

GA

- Evaluation of the performance function gθ(θ) to verify if θ is a feasible solution to (4), i.e., if θ belongs to the failure surface gθ(θ) = 0

Original system model code

- Evaluation of the performance function gθ(θ) to estimate the gradient ∇g θ (θ ) (5) by numerical differentiation

Original system model code

ANN ANN

Method proposed in this paper Concept

Evaluations to be performed

[

N - Minimization of the variance σ 2 Pˆ (F )

[

N - Calculation of the variance σ 2 Pˆ (F )

Variance minimization (Section 4.2)

T

T

] of the LS failure probability estimator Pˆ (F )

] of the LS failure probability estimator Pˆ (F )

Computational tools adopted NT

NT

GA LS algorithm

- Evaluation of the performance function gθ(θ) for the estimation of the failure probability N N Pˆ (F ) and its variance σ 2 Pˆ (F ) during the LS simulation

ANN

- Evaluation of the performance function gθ(θ) to verify if θ is a feasible solution to (6), i.e., if θ belongs to the failure domain F (where gθ(θ) > 0)

ANN

T

[

T

]

Table 1. Summary of the methods employed in this work for estimating the LS important direction α

11

PAPER IV – E. Zio, N. Pedroni / Submitted to Reliability Engineering and System Safety

5 Case study 1: structural system of literature The first case study deals with a probabilistic model for the reliability analysis of creep and fatigue failure phenomena in structural materials: the model was first proposed in (Mao and Mahadevan, 2000) and then employed also in (Lu et al., 2008). According to the above mentioned references, the nonlinear Performance Function (PF) gx(·) of a structural material subject to creep and fatigue damages can be expressed as g x ( x ) = g x ( x1 , x2 , x3 , x4 , x5 , x6 ) (7) eθ1 − 2 −θ 2 Dc = g x (N c , N f , nc , n f ,θ1 ,θ 2 ) = 2 − eθ1Dc + −θ 2 e −1 − D f e −1 where Dc = nc/Nc and Df = nf/Nf are the creep and fatigue damages, respectively, Nc and Nf are the creep and fatigue lives, respectively, nc and nf are the numbers of the creep and fatigue load cycles, respectively, and θ1 and θ2 are characteristic parameters of the structural material obtained from experimental data. The structural material is supposed to fail when its PF (7) becomes lower than or equal to 0, i.e., gx(x) ≤ 0. The shapes and parameters (i.e., mean μ and standard deviation σ) of the probability distribution functions associated to the uncertain variables {xj: j = 1, 2, ..., 6} of the probabilistic model (7) for creep and fatigue in structural materials are summarized in Table 2 (Lu et al., 2008). The true (i.e., reference) probability P(F) of the failure event F = {gx(x) ≤ 0} is 1.425·10-4, obtained as an average of S = 25000 failure probability estimates Pˆ ( F ) sNT , s = 1, 2, …, S, each one computed by standard MCS with NT = 500000 samples.

(

Name

Shape

Nc, x1 Nf, x2 nc, x3 nf, x4 θ1, x5 θ2, x6

Log-Normal Log-Normal Log-Normal Log-Normal Normal Normal

)

Mean, μ Standard deviation, σ (% of μ) 5490 17100 549 4000 0.42 6

20% 20% 20% 20% 20% 20%

Table 2. Shapes and parameters (i.e., mean μ and standard deviation σ) of the probability distribution functions associated to the uncertain variables {xj: j = 1, 2, ..., 6} of the probabilistic model (7) for creep and fatigue in structural materials (Lu et al., 2008)

5.1 Application 1: comparison of the methods proposed in Section 4 for determining the important direction α for Line Sampling LS is here applied to the probabilistic model (7) described above for creep and fatigue in structural materials. In particular, in this Section a thorough comparison of the different methods proposed in Section 4 for determining the important direction α for Line Sampling is carried out: in Section 5.1.1, the different experimental settings considered are described in details, together with the methods and models used, and the objectives; in Section 5.1.2, the quantitative indicators introduced to compare the methods adopted are presented; finally, the results obtained in the different experimental settings of Section 5.1.1 are illustrated in Section 5.1.3. 5.1.1 Experimental settings The simulations performed are intended to compare the efficiency of the different methods considered for the determination of the LS important direction α (Section 4). In each LS simulation, the system performance function gθ(·) is evaluated by running the original system

12

PAPER IV – E. Zio, N. Pedroni / Submitted to Reliability Engineering and System Safety N model code and the LS point estimates Pˆ (F ) T of the failure probability P(F) are computed with a large number NT (i.e., NT = 10000) of samples (steps 4. and 5. of Section 3): this allows a reliable assessment of the effect of different important directions α on the accuracy and N precision of the obtained estimates Pˆ (F ) T . In this case the use of a large number of samples NT (i.e., NT = 10000) is possible because the system performance function (7) is a simple analytical function which can be evaluated in a negligible computational time. Three different experimental settings, namely settings 1, 2 and 3, are considered in this application. These settings differ by: i) the method used for determining the important direction α (Section 4); ii) the model employed to evaluate the system performance function gθ(·) for the estimation of the important direction α; iii) the number Nα of system performance evaluations used to determine α; iv) the total number Ncode,α of actual runs of the original system model code required by the whole process of determination of the important direction α. The characteristics of the three settings are summarized in Table 3.

13

PAPER IV – E. Zio, N. Pedroni / Submitted to Reliability Engineering and System Safety

Experimental settings considered for the determination of the important direction α Setting number A 1

2

3

B

Method used to estimate α MCMC Design point

C

Gradient

A B C D A B C

MCMC Design point Gradient Variance minimization MCMC Design point Gradient

Model used to evaluate the system performance function gθ(·) Original system model code ANN (Ntrain = 50; Nval = 10; Ntrain’’= 100; Nval’’= 20; Ntest = 10) Original system model code

Number of system performance function evaluations, Nα 10000

Number of system model code runs, Ncode,α 10000

≤ 10000*

≤ 10000*

10000 Not available** 10000 ≤ 10000* 10000 Not available** (Ntrain + Nval + Ntrain’’ + Nval’’ + Ntest) = 190 ≤ (Ntrain + Nval + Ntrain’’ + Nval’’ + Ntest) = 190* (Ntrain + Nval + Ntrain’’ + Nval’’ + Ntest) = 190

10000 Not available** (Ntrain + Nval + Ntrain’’ + Nval’’ + Ntest) = 190 (Ntrain + Nval + Ntrain’’ + Nval’’ + Ntest) = 190 (Ntrain + Nval + Ntrain’’ + Nval’’ + Ntest) = 190 (Ntrain + Nval + Ntrain’’ + Nval’’ + Ntest) = 190 (Ntrain + Nval + Ntrain’’ + Nval’’ + Ntest) = 190 ≤ (Ntrain + Nval + Ntrain’’ + Nval’’ + Ntest) = 190* (Ntrain + Nval + Ntrain’’ + Nval’’ + Ntest) = 190

Table 3. Different experimental settings 1, 2 and 3 considered for Application 1 of Case study 1. The three settings differ by i) the method for determining the important direction α; ii) the model for evaluating the system performance function gθ(·); iii) the number Nα of system performance evaluations and iv) the total number Ncode,α of actual runs of the original system model code required by the whole process of determination of the LS important direction α * The number Nα of system performance evaluations depends on the speed of convergence of the GA optimization algorithm ** The number Nα of system performance evaluations depends on the speed of convergence of the GA optimization algorithm and on the number NT of samples drawn in step 2. of Section 4.2

14

PAPER IV – E. Zio, N. Pedroni / Submitted to Reliability Engineering and System Safety

In setting 1, the MCMC (labeled A, Section 4.1.1), design point (labeled B, Section 4.1.2) and gradient (labeled C, Section 4.1.3) methods are considered. A large number Nα of evaluations of the system performance function gθ(·) are carried out to determine α: in particular, Nα = 10000 is chosen to provide an accurate and reliable estimate for the important direction α. In this setting, the system performance function is evaluated by running the original system model “code” (i.e., the original system performance function gθ(·)), so that Ncode,α = Nα = 10000. In setting 2, Nα = 10000 evaluations of the system performance function gθ(·) are carried out to determine α, like in the previous setting 1. However, in this setting the system performance function gθ(·) is evaluated by resorting to a fast-running ANN regression model approximating the original system performance function. The objective is to verify the possibility of reducing the computational cost associated to the LS method by using ANN regression models in place of the original system model. In particular, the ANN regression model is constructed on the basis of a small set of data representing examples of the input/output nonlinear relationships underlying the original system model; once built, the regression model is used to evaluate (in a negligible computational time) the system performance function gθ(·) for the determination of the important direction α (steps 4. and 5. of Section 3). A classical three-layered feed-forward ANN (trained by the sequential, two-step error backpropagation algorithm described at the end of Section 4.1) is here adopted: the number of inputs to the ANN regression model is 6 (i.e., the number of uncertain variables in Table 2 of Section 5), whereas the number of outputs is 1 (i.e., the value of the system performance function). The number of nodes in the hidden layer has been set equal to 5 by trial and error. The first-step ANN model is built using a set of input/output data examples of size Ntrain’ = 50; further, a validation data set (different from the training set) of size Nval’ = 10 is used to monitor the accuracy of the first-step ANN model during the training procedure, in order to avoid overfitting of the training data (Rumelhart et al., 1986). Subsequently, the second-step (i.e., definitive) ANN model is built using training and validation sets of sizes Ntrain’’ = 100 and Nval’’ = 20, respectively; finally, a test set of size Ntest = 10, not used during the training and validation phases, is employed to provide a realistic measure of the second-step ANN model accuracy. Thus, the total number of system model runs performed to generate the two training sets, two validation sets and final test set is Ncode,α = (Ntrain’ + Nval’ + Ntrain’’ + Nval’’ + Ntest) = 50 + 10 + 100 + 20 + 10 = 190. Correspondingly, the total computational cost associated to the estimation of α in setting 2 is much lower than that of setting 1, in spite of the same number Nα of system performance evaluations. Actually, when a single run of the system model code lasts several hours (which is often the case for passive safety systems) the total number Ncode,α of simulations is the critical parameter which determines the overall computational cost associated to the method. Further, in setting 2, the methods A, B and C are compared to the new one proposed in this paper, i.e., the one based on the minimization of the variance of the LS failure probability estimator (labeled D, Section 4.2). The final setting 3 is similar to setting 1: methods A, B and C are used to determine α and the original system model is run to evaluate the system performance function gθ(·); however, like in the previous setting 2, the number Nα of system performance evaluations (and, thus, the actual number Ncode,α of runs of the original system model) is Ncode,α = (Ntrain’ + Nval’ + Ntrain’’ + Nval’’ + Ntest) = 50 + 10 + 100 + 20 + 10 = 190. Notice that in this setting, method D, based on the minimization of the variance of the LS failure probability estimator, is not employed for determining α because the actual number of “allowed” code runs (i.e., Ncode,α = 190) is too small to provide meaningful results for this method. 15

PAPER IV – E. Zio, N. Pedroni / Submitted to Reliability Engineering and System Safety

5.1.2 Performance indicators The experimental settings described in the previous Section 5.1.1 are compared in terms of two quantities: the percentage relative error ε between the LS failure probability estimate N Pˆ (F ) T and the true (i.e., reference) value P(F) of the failure probability of the system, and the percentage relative width wCI of the 95% Confidence Interval (CI) of the LS failure N probability estimator Pˆ (F ) T . These indicators are defined in (8) and (9), respectively: N Pˆ (F ) T − P(F ) ε= ⋅100 , (8) P (F ) U CI , Pˆ ( F )NT − LCI , Pˆ ( F )NT wCI = ⋅100 , (9) P (F ) where U CI , Pˆ ( F )NT and LCI , Pˆ ( F )NT are the upper and lower bounds of the 95% CI of the failure

probability estimator Pˆ (F ) T , respectively. Obviously, the lower is the value of ε, the higher is the accuracy of the failure probability N estimate Pˆ (F ) T ; instead, the lower is the value of wCI, the higher the precision of the estimate. N

5.1.3 Results As previously mentioned, the example application has been set with the purpose of comparing different methods for determining the LS important direction α (Section 4). N Figure 3 shows the values of the LS point estimates Pˆ (F ) T (dots) of the failure probability P(F) obtained with NT = 10000 samples in settings 1, 2 and 3 (Table 3); the corresponding 95% Confidence Intervals (CIs) are also reported (bars). Finally, the true (i.e., reference) value of the system failure probability P(F) (i.e., P(F) = 1.425·10-4) is shown as a dashed line. Table 4 reports instead the values of the associated performance indicators ε and wCI (Section 5.1.2).

16

PAPER IV – E. Zio, N. Pedroni / Submitted to Reliability Engineering and System Safety

Case -4 study 1: Structural material subject to creep and fatigue - Application 1: N = 10000 T x 10

1.48

Setting 1

Setting 2

Setting 3

System failure probability, P(F)

1.46

1.44

1.42

1.4

1.38

1.36

1.34 A

B

C

D

A

B

C

D

A

B

C

N Figure 3. Point estimates Pˆ (F ) T (dots) of the failure probability P(F) obtained with NT = 10000 samples in settings 1, 2 and 3 (Table 3) of Application 1 of Case study 1, along with the corresponding 95% CIs (bars) and the true (i.e., reference) value of the system failure probability P(F) (i.e., P(F) = 1.425·10-4) (dashed line)

17

PAPER IV – E. Zio, N. Pedroni / Submitted to Reliability Engineering and System Safety

Case study 1: Structural material subject to creep and fatigue - Application 1: NT = 10000 Setting 1 Method A B C

ε [%] 0.421 0.702 1.965

Method A B C D

ε [%] 0.211 0.351 0.772 0.070

Method A B C

ε [%] 0.070 0.632 2.175

wCI [%] 2.222 2.282 7.323 Setting 2 wCI [%] 2.723 2.516 7.199 2.204 Setting 3 wCI [%] 6.697 5.345 7.502

Table 4. Values of the performance indicators ε and wCI obtained with NT = 10000 samples in settings 1, 2 and 3 (Table 3) of Application 1 of Case study 1 The results obtained in setting 1 show that method A (i.e., MCMC simulation) provides more accurate (i.e., the estimates are closer to the true values) and precise (i.e., the confidence intervals are narrower) estimates than methods B (i.e., design point) and C (i.e., gradient): the percentage errors ε are 0.421, 0.702 and 1.965, whereas the percentage 95% CI widths wCI are 2.222, 2.282, and 7.323 for methods A, B and C, respectively. This can be explained by the fact that method A relies on a “map” approximating the failure domain F under analysis (given by the failure samples generated through a Markov chain) and thus it provides in principle the most realistic and reliable estimate for the LS important direction α. Moreover, it is evident that method B (i.e., design point) performs consistently better than method C (i.e., gradient). Actually, although design points do not always represent the most important regions of the failure domain F, especially in high-dimensional spaces (Schueller et al., 2004), they still provide an acceptable indication of the real location of the failure region F of interest. On the contrary, calculating α through the normalized gradient of the performance function gθ(·) makes the values of the components of α strongly dependent on the point where the first-order, local approximations of the performance function gθ(·) are carried out, and thus would relate inherently local (and possibly misleading) information: this effect is particularly critical for nonlinear systems like that of the case at hand. In setting 2 the evaluation of the system performance function gθ(·) for the determination of α is performed by replacing the original system model with an ANN (with Ntrain’ = 50, Nval’ = 10, Ntrain’’ = 100, Nval’’ = 20, Ntest = 10 input/output examples employed in the first- and second-step training, first- and second-step validation and test phases, respectively). The number Nα of system performance evaluations is the same as in setting 1 (i.e., Nα = 10000); however, the number Ncode,α of actual runs of the original system model code is much lower: indeed, in setting 1 Ncode,α = 10000, whereas in setting 2 Ncode,α = 190: this means that the overall computational effort associated to setting 2 is much lower than that of setting 1. It can be seen that the results obtained with methods A, B and C in setting 2 are comparable to those produced by the same methods in setting 1: the percentage errors ε are 0.421, 0.702 and 1.965 for methods A, B and C, respectively, in setting 1, and 0.211, 0.351 and 0.772 for methods A, B and C, respectively, in setting 2; the percentage 95% CI widths wCI are 2.222, 2.282, and 7.323 for methods A, B and C, respectively, in setting 1, and 2.723, 2.516 and 7.199 for methods A, B and C, respectively, in setting 2. 18

PAPER IV – E. Zio, N. Pedroni / Submitted to Reliability Engineering and System Safety

Further, the proposed method D (Section 4.2) achieves more accurate and precise estimates than those of methods A, B and C in both settings 1 and 2: indeed, the percentage error ε and 95% CI width wCI are 0.070 and 2.204, respectively; these improved results are due to the fact that the proposed technique is based on the definition of the ideal (i.e., optimal) important direction α for LS (i.e., the one minimizing the variance of the LS failure probability estimator). Finally, an important remark is in order with respect to the comparison between settings 1 and 2; the results produced in setting 2 are at least comparable, if not better, than those of setting 1; yet, they are obtained at a much lower computational effort thanks to the fast-running ANN approximation of the system performance function gθ(·). A comparison can also be made between settings 2 and 3: actually, the number Ncode,α of runs of the original system model code (and thus the associated overall computational effort) is the same for both settings (i.e., Ncode,α = 190). However, in setting 2 the few system model code runs are directly used to estimate α (i.e., Ncode,α = Nα = 190), whereas in setting 3 they are used to build an ANN regression model, which is in turn employed to estimate α (i.e., Ncode,α = 190 ≠ Nα = 10000). It is evident that the methods A, B, C and D in setting 2 outperform the corresponding methods in setting 3: the percentage 95% CI widths wCI are 2.723, 2.516, 7.199 and 2.204 for methods A, B, C and D in setting 2, respectively, whereas they are 6.697, 5.345 and 7.502 for methods A, B, and C in setting 3, respectively. These findings bear an important practical implication: when a low number Ncode,α of system model evaluations is a priori imposed due to computational time limitations (which is the case for long-running codes), superior results are obtained if the outcomes of the evaluations are employed to build a surrogate ANN regression model for determining the important direction α instead of directly using them for estimating α. Finally, let us compare settings 1 and 3. In both settings, the original system model is directly employed for estimating α: however, in setting 1 a large number of system model evaluations (i.e., Ncode,α = Nα = 10000) are performed, whereas in setting 2 only a small number is used (i.e., Ncode,α = Nα = 190). As expected, the precisions provided by methods A, B and C in setting 1 are significantly better than those produced by the same methods in setting 3: the percentage 95% CI widths wCI are 2.222, 2.282, and 7.323 for methods A, B and C in setting 1, respectively, whereas they are 6.697, 5.345 and 7.502 for methods A, B, and C in setting 3. In addition, it seems interesting to note that the difference between the performances of methods A, B and C is lower when Nα (= Ncode,α) is small (e.g., equal to 190) than when it is large (e.g., equal to 10000). This is due to the fact that the efficiency of methods A (based on MCMC simulation) and B (based on design point identification through optimization algorithms) strongly relies on the possibility of deeply exploring the uncertain parameter space within the failure region F of interest: if only a small number Nα (= Ncode,α) of system performance evaluations is available, such a deep search cannot be carried out, thus resulting in poor estimates of the important direction α. In such cases, even a simple procedure like method C (i.e., gradient estimation by straightforward numerical differentiation) may provide comparable results. The conclusions on the accuracy and precision in the estimates provided by the important direction α determined by method D (i.e., the one proposed in this paper, based on the minimization of the variance of the LS failure probability estimator) justify its adoption in the subsequent applications.

19

PAPER IV – E. Zio, N. Pedroni / Submitted to Reliability Engineering and System Safety

5.2 Application 2: failure probability estimation using an optimized Line Sampling method with small sample sizes The objective of this application is verifying the possibility of obtaining accurate and precise N estimates Pˆ (F ) T of small failure probabilities P(F) (e.g., of the order of 10-4) even reducing the number of system model evaluations to below one hundred, which may be mandatory in practical applications of computer codes requiring several hours to run a single simulation. Thus, in the present analysis the system performance function gθ(·) is evaluated by means of the original system model; however, the number NT of samples drawn for the estimation of the system failure probability is much lower than in Application 1: indeed, sample sizes NT ranging from 5 to 50 are employed (more precisely, NT = 5, 10, 20, 30, 40 and 50). In addition, the benefits coming from the use of an optimized Line Sampling method with very small sample sizes NT is shown by means of a comparison between the estimation accuracies and precisions of the following simulation methods: i) optimized Line Sampling (LS) (Sections 3 and 4.2); ii) an original combination of optimized Line Sampling (LS) and Latin Hypercube Sampling (LHS) (hereafter referred to as LS + LHS); iii) standard Importance Sampling (IS) (Au and Beck, 2003); iv) a combination of standard Importance Sampling (IS) and Latin Hypercube Sampling (LHS) (hereafter referred to as IS + LHS) (Olsson et al., 2003). Thorough descriptions of methods ii) – iv) above (i.e., LS + LHS, IS and IS + LHS) are not reported here for brevity: the interested reader may refer to the cited references for details. In Section 5.2.1, the quantitative indicators used to compare methods i) – iv) above are presented; then, the results produced by all the methods considered are investigated in Section 5.2.2. 5.2.1 Performance indicators In order to properly represent the randomness of the probabilistic simulation methods adopted and provide a statistically meaningful comparison between their performances in the estimation of the system failure probability P(F), S = 2000 independent runs of each method have been carried out for each sample size NT: this is required by the fact that in this application the sample sizes NT are very small, such that they would produce poor statistics over a single simulation run. In each simulation s = 1, 2, …, S, the percentage relative absolute error εs between the true (reference) value of the system failure probability P(F) and the corresponding estimate Pˆ ( F ) sNT is computed as follows: P( F ) − Pˆ ( F ) sNT εs = ⋅100 , s = 1, 2, …, S (10) P( F ) The accuracies of the simulation method of interest in the estimation of P(F) are then compared in terms of the mean percentage relative absolute error ε over S = 2000 runs: 1 S ε = ⋅ ∑εs (11) S s =1 The quantity (11) provides a measure of the percentage relative absolute error in the estimation of the failure probability P(F) made on average in a single run by the simulation method with NT samples. The failure probability estimates Pˆ ( F ) sNT , s = 1, 2, …, S, are then used to build a N bootstrapped 95% Confidence Interval (CI) for the failure probability estimator Pˆ (F ) T , i.e.,

20

PAPER IV – E. Zio, N. Pedroni / Submitted to Reliability Engineering and System Safety

[L

CI , Pˆ ( F )NT

, U CI , Pˆ ( F )NT

]

(12)

where U CI , Pˆ ( F )NT and LCI , Pˆ ( F )NT are the 2.5th and 97.5th percentiles, respectively, of the N bootstrapped empirical distribution of the failure probability estimator Pˆ (F ) T . The percentage relative width wCI of the bootstrapped 95% Confidence Interval (CI) of the LS N failure probability estimator Pˆ (F ) T is then computed as

wCI =

U CI , Pˆ ( F )NT − LCI , Pˆ ( F )NT P (F )

⋅100

(13)

5.2.2 Results Table 5 reports the values of the performance indicators ε (11) and wCI (13) obtained with NT = 5, 10, 20, 30, 40 and 50 samples by the LS, LS + LHS, IS and IS + LHS methods in Application 2 of Case study 1. Case study 1: Structural material subject to creep and fatigue - Application 2 LS Sample size, NT 5 10 20 30 40 50

ε [%] 16.305 11.506 8.663 7.130 6.373 5.654

Sample size, NT 5 10 20 30 40 50

ε [%] 16.198 11.504 8.349 7.111 6.084 5.266

Sample size, NT 5 10 20 30 40 50

ε [%] 75.041 55.433 39.523 32.014 27.349 25.537

Sample size, NT 5 10 20 30 40 50

ε [%] 65.771 33.745 25.321 22.437 19.826 17.593

w CI [%] 98.535 68.619 52.973 39.595 34.321 29.361

LS + LHS w CI [%] 92.477 61.820 48.107 37.655 32.094 27.393

IS w CI [%] 390.88 285.60 201.56 160.43 140.39 135.03

IS + LHS w CI [%] 319.97 219.21 161.70 150.84 105.93 90.315

Table 5. Values of the performance indicators ε (11) and wCI (13) obtained with NT = 5, 10, 20, 30, 40 and 50 samples by the LS, LS + LHS, IS and IS + LHS methods in Application 2 of Case study 1

21

PAPER IV – E. Zio, N. Pedroni / Submitted to Reliability Engineering and System Safety

It is seen that: • the optimized Line Sampling methods (i.e., both LS and LS + LHS) provide more accurate and precise failure probability estimates than the other methods (i.e., both IS and IS + LHS): for example with NT = 5, the mean percentage errors ε are 16.305, 16.198, 75.041 and 65.771, whereas the percentage 95% CI widths wCI are 98.535, 92.477, 390.881 and 319.972 for the LS, LS + LHS, IS and IS + LHS methods, respectively; • the use of LHS in combination with the optimized LS method does not affect significantly the accuracy of the failure probability estimates in this application: for example with NT = 5, the mean percentage errors ε are 16.305 and 16.198 for the LS and LS + LHS methods respectively; conversely, the combination of LS and LHS increases the precision of the failure probability estimates: for example with NT = 5, the percentage 95% CI widths wCI are 98.535 and 92.477 for the LS and LS + LHS methods, respectively (a 6% increase in the precision of the estimate); • the use of LHS in combination with the IS method significantly increases both the accuracy and the precision of the failure probability estimates: for example with NT = 5, the mean percentage errors ε are 75.041 and 65.771, whereas the percentage 95% CI widths wCI are 390.881 and 319.972 for the IS and IS + LHS methods, respectively. Summing up, the results obtained confirm the possibility of achieving accurate and precise estimates of small failure probabilities by an optimized LS with a very low number NT of samples drawn in a nonlinear (but monotonous) case study.

6 Case study 2: thermal-hydraulic passive system This case study concerns the natural convection cooling in a Gas-cooled Fast Reactor (GFR) under a post-Loss Of Coolant Accident (LOCA) condition; the reactor is a 600-MW GFR cooled by helium flowing through separate channels in a silicon carbide matrix core (Pagani et al., 2005). A GFR decay heat removal configuration is shown schematically in Figure 4; in the case of a LOCA, the long-term heat removal is ensured by natural circulation in a given number Nloops of identical and parallel loops; only one of the Nloops loops is reported for clarity of the picture: the flow path of the cooling helium gas is indicated by the black arrows. The loop has been divided into Nsections = 18 sections for numerical calculation; technical details about the geometrical and structural properties of these sections are not reported here for brevity: the interested reader may refer to (Pagani et al., 2005). In the present analysis, the average core power to be removed is assumed to be 18.7 MW, equivalent to about 3% of full reactor power (600 MW): to guarantee natural circulation cooling at this power level, a pressure of 1650 kPa in the loops is required in nominal conditions. Finally, the secondary side of the heat exchanger (i.e., item 12 in Figure 4) is assumed to have a nominal wall temperature of 90 °C (Pagani et al., 2005).

22

PAPER IV – E. Zio, N. Pedroni / Submitted to Reliability Engineering and System Safety

Figure 4. Schematic representation of one loop of the 600-MW GFR passive decay heat removal system (Pagani et al., 2005)

6.1 Uncertainties Uncertainties affect the modeling of passive systems. There are unexpected events, e.g. the failure of a component or the variation of the geometrical dimensions and material properties, which are random in nature. This kind of uncertainty, often termed aleatory (NUREG-1150, 1990; Helton, 1998; USNCR, 1998), is not considered in this work. Additionally, there is incomplete knowledge on the properties of the system and the conditions in which the passive phenomena develop (i.e., natural circulation). This kind of uncertainty, often termed epistemic, affects the model representation of the passive system behaviour, in terms of both (model) uncertainty in the hypotheses assumed and (parameter) uncertainty in the values of the parameters of the model (Cacuci and Ionescu-Bujor, 2004; Helton et al., 2006; Patalano et al., 2008). Only epistemic uncertainties are considered in this work. Epistemic parameter uncertainties are associated to the reactor power level, the pressure in the loops after the LOCA and the cooler wall temperature; epistemic model uncertainties are associated to the correlations used to calculate the Nusselt numbers and friction factors in the forced, mixed and free convection regimes. The consideration of these uncertainties leads to the definition of a vector x = {x j : j = 1, 2, ..., 9} of nine uncertain model inputs, assumed described by normal distributions of known means and standard deviations (Table 6, Pagani et al., 2005).

23

PAPER IV – E. Zio, N. Pedroni / Submitted to Reliability Engineering and System Safety

Mean, μ Standard deviation, σ (% of μ)

Name Parameter uncertainty Model uncertainty

Power (MW), x1 Pressure (kPa), x2 Cooler wall temperature (°C), x3 Nusselt number in forced convection, x4 Nusselt number in mixed convection, x5 Nusselt number in free convection, x6 Friction factor in forced convection, x7 Friction factor in mixed convection, x8 Friction factor in free convection, x9

18.7 1650 90 1 1 1 1 1 1

1% 7.5% 5% 5% 15% 7.5% 1% 10% 1.5%

Table 6. Epistemic uncertainties considered for the 600-MW GFR passive decay heat removal system of Figure 4 (Pagani et al., 2005)

6.2 Failure criteria of the T-H passive system The passive decay heat removal system of Figure 4 fails to provide its safety function when the temperature of the coolant helium leaving the core (item 4 in Figure 4) exceeds either 1200 °C in the hot channel or 850 °C in the average channel: these values are expected to limit the fuel temperature to levels which prevent excessive release of fission gases and high thermal stresses in the cooler (item 12 in Figure 4) and in the stainless steel cross ducts connecting the reactor vessel and the cooler (items from 6 to 11 in Figure 4) (Pagani et al., hot avg 2005). Denoting by Tout , core ( x ) and Tout , core ( x ) the coolant outlet temperatures in the hot and average channels, respectively, the system failure event F can be written as follows: hot avg F = {x :Tout , core ( x ) > 1200}∪ {x :Tout ,core ( x ) > 850}.

(14)

-4

The probability P(F) of this event is 3.332·10 , obtained by standard MCS with NT = 500000 samples drawn.

6.3 Application The objective of the application is the estimation of the small functional failure probability P(F) (i.e., P(F) = 3.332·10-4) of the T-H passive system described in Section 6 by means of LS with a very small number NT of samples; more precisely, values of NT = 5, 10, 20, 30, 40 and 50 are considered. Justified by the results obtained in the previous case study, method D of Section 4.2 (i.e., the one based on the minimization of the variance of the LS failure probability estimator) is employed to estimate the important direction α for LS. The ANN regression model used to this purpose is the classical three-layered feed-forward ANN: the number of inputs to the ANN regression model is equal to 9 (i.e., the number of uncertain inputs in Table 6 of Section 6.1), whereas the number of outputs is equal to 2 (i.e., the number of system variables of interest, the hot- and average-channel coolant outlet temperatures, as reported in Section 6.2). The number of nodes in the hidden layer has been set equal to 4 by trial and error. The ANN model is built using the sequential, two-step training algorithm described in Section 4.1: training sets of sizes Ntrain’ = 50 and Ntrain’’ = 70, validation sets of sizes Nval’ = 10 and Nval’’ = 10 and a test set of size Ntest = 10 have been generated to train, validate and test the ANN model; thus, the total number of T-H code runs performed to generate the training, validation and test sets in this case is Ncode,α = (Ntrain’ + Nval’ + Ntrain’’ + Nval’’ + Ntest) = 50 + 10 + 70 + 10 +10 = 150. The accuracies and precisions of the optimized LS, LS + LHS, IS and IS + LHS methods are also compared on the basis of the performance indicators ε (11) and wCI (13) computed on S 24

PAPER IV – E. Zio, N. Pedroni / Submitted to Reliability Engineering and System Safety

= 10 runs with NT = 5, 10, 20, 30, 40 and 50 samples each. Table 7 reports the values obtained for the performance indicators ε (11) and wCI (13). Case study 2 – Thermal-hydraulic passive system LS Sample size, NT 5 10 20 30 40 50

w CI [%] 84.175 58.292 39.095 34.832 27.728 19.324

ε [%] 16.045 12.547 8.313 7.459 5.466 3.848

LS + LHS Sample size, NT 5 10 20 30 40 50

ε [%] 15.156 7.378 6.179 5.486 3.092 2.373

Sample size, NT 5 10 20 30 40 50

ε [%] 84.801 45.982 36.499 33.846 21.790 18.281

Sample size, NT 5 10 20 30 40 50

ε [%] 38.671 30.174 22.943 21.195 18.461 16.916

w CI [%] 67.387 31.264 26.682 26.419 16.345 13.590

IS w CI [%] 386.026 223.828 154.531 115.521 93.308 85.22

IS + LHS w CI [%] 212.079 122.647 106.231 100.854 73.522 71.069

Table 7. Values of the performance indicators ε and wCI obtained with NT = 5, 10, 20, 30, 40 and 50 samples by the LS, LS + LHS, IS and IS + LHS methods in Case study 2 It is seen that: • the optimized Line Sampling methods (i.e., both LS and LS + LHS) provide more accurate and precise functional failure probability estimates than the other methods considered (i.e., both IS and IS + LHS): for example with NT = 5, the mean percentage errors ε are 16.045, 15.156, 84.801 and 38.671, whereas the percentage 95% CI widths wCI are 84.175, 67.387, 386.026 and 212.079 for the LS, LS + LHS, IS and IS + LHS methods, respectively. • the use of LHS in combination with the optimized LS method in this case slightly increases the accuracy of the functional failure probability estimates: for example with NT = 10, the mean percentage errors ε are 12.547 and 7.378 for the LS and LS + LHS methods, respectively; moreover, the combination of LS and LHS in this case strongly increases the precision of the failure probability estimates: for example with NT = 10, the percentage 95% CI widths wCI are 84.175 and 67.387 25

PAPER IV – E. Zio, N. Pedroni / Submitted to Reliability Engineering and System Safety

for the LS and LS + LHS methods, respectively (a 20% increase in the precision of the estimate). • the use of LHS in combination with the IS method significantly increases both the accuracy and the precision of the functional failure probability estimates: for example with NT = 5, the mean percentage errors ε are 84.801 and 38.671, whereas the percentage 95% CI widths wCI are 386.026 and 212.079 for the IS and IS + LHS methods, respectively; • by way of example, the 95% CI associated to a standard MCS-based estimate of P(F) with NT = 100 is [0, 0.0296] and the corresponding percentage 95% CI width wCI is 8793.8: this value is about two orders of magnitude larger (and conversely the precision is about two orders of magnitude lower) than that produced by LS with NT = 5 samples: in other words, the precision of the optimized LS method is two order of magnitude larger than that of standard MCS even using a number of samples 20 times lower. In summary, the results obtained confirm the previous finding regarding the possibility of achieving accurate and precise estimates of small failure probabilities by an optimized LS method with a very low number NT of samples drawn; however, a much stronger conclusion can be drawn from this case study, regarding the actual feasibility of application of the method to the realistic, nonlinear and non-monotonous cases of practical interest in the reliability analysis of passive systems.

7 Discussion In this paper, the Line Sampling (LS) method has been considered for improving the efficiency of Monte Carlo sampling in the estimation of the functional failure probability of a T-H passive system. A system designed to provide the safety function of natural convection cooling in a Gas-cooled Fast Reactor (GFR) after a Loss of Coolant Accident (LOCA) has been taken as reference case study. Two relevant issues for the practical application of the LS method have been addressed: 1. the determination of the important direction for LS; 2. the reduction of the overall computational cost associated to the LS method in the estimation of the small functional failure probabilities characteristic of passive systems. Concerning the first issue, the main contributions of the work presented and its related findings are (Case study 1): • from a critical comparison of the methods currently available in the literature for the estimation of the LS important direction, it turns out that: ƒ the technique based on Markov Chain Monte Carlo (MCMC) simulation produces more accurate and precise failure probability estimates than those provided by the design point and gradient methods; ƒ the technique based on the identification of the design point performs better than the one based on gradient estimation. • an Artificial Neural Network (ANN) regression model has been built using a sequential, two-step training algorithm on a reduced-size set of examples of the input/output nonlinear relationships underlying the original system model code; then, the ANN model has been used as a fast-running surrogate of the original system model code in the determination of the LS important direction: ƒ the accuracy and precision of the estimates provided by the ANN-based method have been shown to be comparable to those produced by running the original system code: however, they have been obtained at a much lower computational effort; 26

PAPER IV – E. Zio, N. Pedroni / Submitted to Reliability Engineering and System Safety

ƒ

conversely, when a low number of system model code simulations needs to be a priori imposed due to computational time limitations (which is the case of the long-running system model codes, typical of nuclear safety), the accuracy and precision of the failure probability estimates provided by the ANN-based method have been shown to be consistently higher than those produced by running the original system model code. • a new technique has been proposed based on the minimization of the variance of the LS failure probability estimator; since the proposed method relies on the definition of the optimal LS important direction, it produces more accurate and precise failure probability estimates than those provided by all the techniques of literature, as clearly shown by the numerical results obtained. Concerning the second issue, the main contributions of the work presented and the related findings are (Case studies 1 and 2): • the performance of the LS method has been assessed in the estimation of a small failure probability (i.e., of the order of 10-4) with a reduced number of samples drawn (i.e., ranging from 5 to 50). The results have demonstrated that accurate and precise estimates can be obtained even reducing the number of samples to below one hundred and even in realistic, nonlinear and non-monotonous case studies; • the optimized Line Sampling method (i.e., both LS and the combination of LS and LHS) provide more accurate and precise failure probability estimates than both the IS and the combination of IS and LHS methods; • the use of LHS in combination with the optimized LS method slightly increases the accuracy of the failure probability estimates and strongly increases the precision of the failure probability estimates; • the use of LHS in combination with the IS method significantly increases both the accuracy and the precision of the failure probability estimates.

8 Conclusions The findings of the work presented (summarized in the previous Section 7) suggest the adoption of the following methodology for the accurate and precise estimation of the (typically small) functional failure probability of T-H passive systems (modelled by longrunning, nonlinear and non-monotonous T-H codes): 1. build an Artificial Neural Network (ANN) regression model using a sequential, twostep training algorithm on a reduced (e.g., around one hundred) number of examples of the input/output nonlinear relationships underlying the original system model code; 2. use the ANN model as a fast-running surrogate of the original system model code in the determination of the LS important direction; for this purpose, the technique proposed in this paper (based on the minimization of the variance of the LS failure probability estimator by means of Genetic Algorithms) is strongly suggested: since it relies on the definition of the optimal LS important direction, it produces more accurate and precise failure probability estimates than those provided by all the techniques of literature; 3. estimate the functional failure probability of the T-H passive system by means of Line Sampling with a small number of samples (e.g., few tens); the accuracy and precision of the estimates can be enhanced by combining Line Sampling with Latin Hypercube Sampling. The outstanding performance of the optimized Line Sampling method presented in this paper in the estimation of very small failure probabilities makes it a rather attractive tool for passive system functional failure analyses and possibly one worth considering for extended adoption 27

PAPER IV – E. Zio, N. Pedroni / Submitted to Reliability Engineering and System Safety

in full scale PRA applications, provided that the numerous possible accident scenarios and outcomes can be handled computationally in an efficient way.

References Ahammed, M., Malchers, M. E., 2006. Gradient and parameter sensitivity estimation for systems evaluated using Monte Carlo analysis. Reliability Engineering and System Safety, 91, pp. 594 - 601. Apostolakis, G. E., 1990. The concept of probability in safety assessment of technological systems. Science, 250, 1359. Arul, A.J., Iyer, N.K., Velusamy, K., 2009. Adjoint operator approach to functional reliability analysis of passive fluid dynamical systems. Reliability Engineering and System Safety, 94, pp. 1917-1926. Au, S. K. and Beck, J. L., 2003. Importance sampling in high dimensions. Structural Safety, 25(2), pp. 139-163. Bassi, C., Marquès, M., 2008. Reliability assessment of 2400 MWth gas-cooled fast reactor natural circulation decay heat removal in pressurized situations. Science and Technology of Nuclear Installations, Special Issue “Natural Circulation in Nuclear Reactor Systems”, Hindawi Publishing Corporation, Paper 87376. Bishop, C. M., 1995. Neural Networks for pattern recognition. Oxford University Press. Burgazzi, L., 2003. Reliability evaluation of passive systems through functional reliability assessment. Nuclear Technology, 144, 145. Burgazzi, L., 2007. Addressing the uncertainties related to passive system reliability. Progress in Nuclear Energy, 49, 93-102. Cacuci, D. G., Ionescu-Bujor, M., 2004. A comparative review of sensitivity and uncertainty analysis of large scale systems – II: Statistical methods. Nuclear Science and Engineering (147), pp. 204-217. Fong, C. J., Apostolakis, G. E., Langewish, D. R., Hejzlar, P., Todreas, N. E., Driscoll, M. J., 2009. Reliability analysis of a passive cooling system using a response surface with an application to the flexible conversion ratio reactor. Nuclear Engineering and Design, doi:10.1016/j.nucengdes.2009.07.008. Fu, M., 2006. Stochastic gradient estimation. Chapter 19 in Handbook on Operation Research and Management Science: Simulation, S. G. Henderson and B. L. Nelson, editor, Elsevier. Helton, J. C., 1998. Uncertainty and sensitivity analysis results obtained in the 1996 performance assessment for the waste isolation power plant, SAND98-0365, Sandia National Laboratories. Helton J. C, Davis, F. J., 2003. Latin hypercube sampling and the propagation of uncertainty in analyses of complex systems. Reliability Engineering and System Safety, 81, pp. 2369. Helton J. C, Johnson J. D., Sallaberry C. J., Storlie C. B., 2006. Survey on sampling-based methods for uncertainty and sensitivity analysis. Reliability Engineering and System Safety, 91, pp. 1175-1209. Helton, J.C., Sallaberry, C., 2009. Computational implementation of sampling-based approaches to the calculation of expected dose in performance assessments for the proposed high-level radioactive waste repository at Yucca Mountain, Nevada. Reliability Engineering and System Safety, 94, pp. 699-721. Huang, B., Du, X., 2006. A robust design method using variable transformation and GaussHermite integration. International Journal for Numerical Methods in Engineering, 66, pp. 1841-1858. IAEA, 1991. Safety related terms for advanced nuclear plant. IAEA TECDOC-626. 28

PAPER IV – E. Zio, N. Pedroni / Submitted to Reliability Engineering and System Safety

Konak, A., Coit, D. W., Smith, A. E., 2006. Multi-objective optimization using genetic algorithms: A tutorial. Reliability Engineering and System Safety, Vol. 91, Issue 9, pp. 992-1007. Koutsourelakis, P. S., Pradlwarter, H. J., Schueller, 2004. Reliability of structures in high dimensions, Part I: algorithms and application. Probabilistic Engineering Mechanics (19), pp. 409-417. Lu, Z., Song, S., Yue, Z., Wang, J., 2008. Reliability sensitivity method by Line Sampling. Structural Safety, vol. 30, pp. 517-532. Mackay F. J., Apostolakis, G. E., Hejzlar, P., 2008. Incorporating reliability analysis into the design of passive cooling systems with an application to a gas-cooled reactor. Nuclear Engineering and Design, 238(1), pp. 217-228. Mao, H. and Mahadevan, S., 2000. Reliability analysis of creep–fatigue failure. Int. J. Fatigue, 22: pp. 789-797. Marquès, M., Pignatel, J. F., Saignes, P., D’ Auria, F., Burgazzi, L., Müller, C., BoladoLavin, R., Kirchsteiger, C., La Lumia, V., Ivanov, I., 2005. Methodology for the reliability evaluation of a passive system and its integration into a probabilistic safety assessment. Nuclear Engineering and Design, 235, 2612-2631. Marseguerra, M., Zio, E., Martorell, S., 2006. Basics of genetic algorithms optimization for RAMS applications. Reliability Engineering and System Safety, Vol. 91, No. 9, pp. 977-991. Mathews, T. S., Ramakrishnan, M., Parthasarathy, U., John Arul, A., Senthil Kumar, C., 2008. Functional reliability analysis of safety grade decay heat removal system of Indian 500 MWe PFBR. Nuclear Engineering and Design, doi: 10.1016/j.nucengdes.2008.02.012. Mathews, T.S., Arul, A.J., Parthasarathy, U., Kumar, C.S., Ramakrishnan, M., Subbaiah, K.V., 2009. Integration of functional reliability analysis with hardware reliability: An application to safety grade decay heat removal system of Indian 500 MWe PFBR. Annals of Nuclear Energy, 36, pp. 481-492. Metropolis, N., Rosenbluth, A. W., Rosenbluth, M. N. and Taller, A. H., 1953. Equations of state calculations by fast computing machines. Journal of Chemical Physics, 21(6), pp. 1087-1092. Nayak, A. K., Gartia, M. R., Antony, A., Vinod, G., Sinha, R. K., 2008. Passive system reliability analysis using the APSRA methodology. Nuclear Engineering and Design, 238, pp. 1430-1440. Nayak, A. K., Jain, V., Gartia, M. R., Srivastava, A., Prasad, H., Anthony, A., Gaikwad, A. J., Bhatia, S. K., Sinha, R. K., 2009. Reliability assessment of passive isolation condenser system using APSRA methodology. Annals of Nuclear Energy, 35, pp. 2270-2279. Nayak, A. K., Jain, V., Gartia, M. R., Prasad, H., Anthony, A., Bhatia, S. K., Sinha, R. K., 2009. Reliability assessment of passive isolation condenser system of AHWR using APSRA methodology. Reliability Engineering and System Safety, 94, pp. 1064-1075. NUREG-1150, 1990. Severe accident risk: an assessment for five US nuclear power plants, US Nuclear Regulatory Commission. Olsson, A., Sabdberg, G., Dahlblom, O., 2003. On Latin hypercube sampling for structural reliability analysis. Structural Safety, 25, pp. 47-68. Pagani, L., Apostolakis, G. E. and Hejzlar, P., 2005. The impact of uncertainties on the performance of passive systems. Nuclear Technology, 149, 129-140. Patalano, G., Apostolakis, G. E., Hejzlar, P., 2008. Risk-informed design changes in a passive decay heat removal system. Nuclear Technology, vol. 163, pp. 191-208. Pradlwarter, H. J., Pellissetti, M. F., Schenk, C. A., Schueller, G. I., Kreis, A., Fransen, S., Calvi, A., Klein, M., 2005. Computer Methods in Applied Mechanics and Engineering, 194, pp. 1597-1617. 29

PAPER IV – E. Zio, N. Pedroni / Submitted to Reliability Engineering and System Safety

Pradlwarter, H. J., Schueller, G. I., Koutsourelakis, P. S., Charmpis, D. C., 2007. Application of line sampling simulation method to reliability benchmark problems. Structural Safety, 29, pp. 208-221. Rumelhart, D. E., Hinton, G. E., Williams, R. J., 1986. Learning internal representations by error back-propagation. In Rumelhart, D. E. and McClelland, J. L. (Eds.), Parallel distributed processing: exploration in the microstructure of cognition (vol. 1). Cambridge (MA): MIT Press. Schueller, G. I., 2007. On the treatment of uncertainties in structural mechanics and analysis. Computers and Structures, 85, pp. 235-243. Schueller, G. I., Pradlwarter, H. J., Koutsourelakis, P. S., 2004. A critical appraisal of reliability estimation procedures for high dimensions. Probabilistic Engineering Mechanics, 19, pp. 463-474. Schueller, G. I., Pradlwarter, H. J., 2007. Benchmark study on reliability estimation in higher dimensions of structural systems – An overview. Structural Safety, 29(3), pp. 167-182. USNRC, 1998. “An approach for using probabilistic risk assessment in risk-informed decisions on plant-specific changes to the licensing basis.” NUREG-1.174, US Nuclear Regulatory Commission, Washington, DC. Valdebenito, M. A., Pradlwarter, H. J., Schueller, G. I., 2009. The role of the design point for calculating failure probabilities in view of dimensionality and structural nonlinearities. Structural Safety, doi:10.1016/j.strusafe.2009.08.004. Zio, E. and Pedroni, N., 2009a. Estimation of the functional failure probability of a thermalhydraulic passive systems by means of Subset Simulation. Nuclear Engineering and Design, 239, pp. 580-599. Zio, E. and Pedroni, N., 2009b. Functional failure analysis of a thermal-hydraulic passive system by means of Line Sampling. Reliability Engineering and System Safety, 94(11), pp. 1764-1781. Zio, E. and Pedroni, N., 2010. Nuclear passive system reliability assessment by an optimized Line Sampling method. Submitted to IEEE Transactions on Reliability.

30

Paper V Comparison of bootstrapped Artificial Neural Networks and quadratic Response Surfaces for the estimation of the functional failure probability of a thermal-hydraulic passive system N. Pedroni, E. Zio and G. E. Apostolakis Reliability Engineering and System Safety (2009), doi: 10.1016/j.ress.2009.11.009

Comparison of bootstrapped Artificial Neural Networks and quadratic Response Surfaces for the estimation of the functional failure probability of a thermal-hydraulic passive system a

b

N. Pedronia, E. Zioa,* and G. E. Apostolakisb Energy Department, Polytechnic of Milan, Via Ponzio 34/3, 20133 Milan, Italy *Phone: +39-2-2399-6340; fax: +39-2-2399-6309 E-mail address: [email protected]

Department of Nuclear Science and Engineering, Massachusetts Institute of Technology, 77 Massachusetts Avenue, Cambridge (MA) 02139-4307 Phone: +1-617-252-1570; fax: +1-617-258-8863 E-mail address: [email protected]

Abstract In this work, bootstrapped Artificial Neural Network (ANN) and quadratic Response Surface (RS) empirical regression models are used as fast-running surrogates of a thermal-hydraulic (T-H) system code to reduce the computational burden associated with the estimation of the functional failure probability of a T-H passive system. The ANN and quadratic RS models are built on few data representative of the input/output nonlinear relationships underlying the T-H code. Once built, these models are used for performing, in reasonable computational time, the numerous system response calculations required for failure probability estimation. A bootstrap of the regression models is implemented for quantifying, in terms of confidence intervals, the uncertainties associated with the estimates provided by ANNs and RSs. The alternative empirical models are compared on a case study of an emergency passive decay heat removal system of a Gas-cooled Fast Reactor (GFR). Keywords: Functional failure probability; Percentile; Natural circulation; Regression model; Bootstrap; Confidence interval; Computational time.

PAPER V – N. Pedroni, E. Zio, G. E. Apostolakis / Reliability Engineering and System Safety (2009), doi: 10.1016/j.ress.2009.11.009

1 Introduction All innovative reactor concepts make use of passive safety features, to a large extent in combination with active safety and operational systems (Mackay et al., 2008). According to the definitions of the International Atomic Energy Agency (IAEA), a passive system does not need external input (especially energy) to operate (IAEA, 1991), while they are expected to contribute significantly to the safety of nuclear power plants thanks to their peculiar characteristics of simplicity, reduction of human interaction and reduction or avoidance of hardware failures (Mathews et al., 2008). However, the uncertainties involved in the modelling and functioning of passive systems are usually larger than for active systems. This is due to: i) the intrinsically random nature of several of the physical phenomena involved in the functioning of the system (aleatory uncertainty); ii) the incomplete knowledge on the physics of some of these phenomena (epistemic uncertainty) (Apostolakis, 1990; Helton, 2004). Due to these uncertainties, the physical phenomena involved in the passive system functioning (e.g., natural circulation) might develop in such a way to lead the system to fail its intended function, even if safety margins are present. In fact, deviations in the natural forces and in the conditions of the underlying physical principles from the expected ones can impair the function of the system itself (Marquès et al., 2005; Patalano et al., 2008). The problem may be analytically framed by introducing the concept of functional failure, whereby a passive system may fail to perform its function due to deviations from its expected behavior which lead the load imposed on the system to exceed its capacity (Burgazzi, 2003; Burgazzi, 2007). This concept has been exploited in a number of works presented in the literature (Jafari et al., 2003; Marquès et al., 2005; Pagani et al., 2005; Bassi and Marquès, 2008; Fong and Apostolakis, 2008; Mackay et al., 2008; Mathews et al., 2008; Patalano et al., 2008; Zio and Pedroni, 2009a and b), in which the passive system is modeled by a detailed, mechanistic T-H system code and the probability of failing to perform the required function is estimated based on a Monte Carlo (MC) sample of code runs which propagate the epistemic (state-of-knowledge) uncertainties in the model and the numerical values of its parameters/variables. Since the probabilities of functional failure of passive systems are generally very small (e.g., of the order of 10-4), a large number of samples is necessary for acceptable estimation accuracy (Schueller, 2007); given that the time required for each run of the detailed, mechanistic T-H system code is of the order of several hours (Fong and Apostolakis, 2008), the MC simulation-based procedure typically requires considerable computational efforts. A viable approach to overcome the computational burden associated to the analysis is that of resorting to fast-running, surrogate regression models, also called response surfaces or metamodels, to substitute the long-running T-H model code. The construction of such regression models entails running the T-H model code a predetermined, reasonably large but feasibly small, number of times (e.g., of the order of 50-100) for specified values of the uncertain input parameters/variables and recording the corresponding values of the output of interest; then, statistical techniques are employed for fitting the response surface of the regression model to the input/output data generated. Several kinds of surrogate meta-models have been recently applied to safety related nuclear, structural and hydrogeological problems, including polynomial Response Surfaces (RSs) (Bucher and Most, 2008; Fong and Apostolakis, 2008; Gavin and Yau, 2008; Liel et al., 2009), Gaussian meta-models (Volkova et al., 2008; Marrel et al., 2009) and learning statistical models such as Artificial Neural Networks (ANNs), 2

PAPER V – N. Pedroni, E. Zio, G. E. Apostolakis / Reliability Engineering and System Safety (2009), doi: 10.1016/j.ress.2009.11.009

Radial Basis Functions (RBFs) and Support Vector Machines (SVMs) (Deng, 2006; Hurtado, 2007; Cardoso et al., 2008; Cheng et al., 2008). In this work, the possibility of using Artificial Neural Networks (ANNs) and quadratic Response Surfaces (RSs) to reduce the computational burden associated to the functional failure analysis of a natural convection-based decay heat removal system of a Gas-cooled Fast Reactor (GFR) (Pagani et al., 2005) is investigated. To keep the practical applicability in sight, a small set of input/output data examples is considered available for constructing the ANN and quadratic RS models: different sizes of the (small) data sets are considered to show the effects of this relevant practical aspect. The comparison of the potentials of the two regression techniques in the case at hand is made with respect to the estimation of the 95th percentile of the naturally circulating coolant temperature and the functional failure probability of the passive system. Actually, the use of regression models in safety critical applications like nuclear power plants still raises concerns with regards to the control of their accuracy; in this paper, the bootstrap method is used for quantifying, in terms of confidence intervals, the uncertainty associated to the estimates provided by the ANNs and quadratic RSs (Efron and Thibshirani, 1993; Zio, 2006; Cadini et al., 2008; Secchi et al., 2008; Storlie et al., 2008). The paper organization is as follows. In Section 2, a snapshot on the functional failure analysis of T-H passive systems is given. Section 3 is devoted to the detailed presentation of the bootstrap-based method for quantifying, in terms of confidence intervals, the model uncertainty associated to the estimates of safety parameters computed by ANN and quadratic RS regression models. In Section 4, the case study of literature concerning the passive cooling of a GFR is presented. In Section 5, the results of the application of bootstrapped ANNs and quadratic RSs to the percentile and functional failure probability estimations are compared. Finally, conclusions are provided in the last Section.

2 The quantitative steps of functional failure analysis of T-H passive systems The basic steps of the quantitative phase of the functional failure analysis of a T-H passive system are (Marquès et al., 2005): 1. Detailed modeling of the passive system response by means of a deterministic, bestestimate (typically long-running) T-H code. 2. Identification of the parameters/variables, models and correlations (i.e., the inputs to the T-H code) which contribute to the uncertainty in the results (i.e., the outputs) of the best estimate T-H calculations. 3. Propagation of the uncertainties through the deterministic, long-running T-H code in order to estimate the functional failure probability of the passive system. Step 3. above relies on multiple (e.g., many thousands) evaluations of the T-H code for different combinations of system inputs; this can render the associated computing cost prohibitive, when the running time for each T-H code simulation takes several hours (which is often the case for T-H passive systems). The computational issue may be tackled by replacing the long-running, original T-H model code by a fast-running, surrogate regression model (properly built to approximate the output from the true system model). In this paper, classical three-layered feed-forward Artificial Neural Networks (ANNs) (Bishop, 1995) and quadratic Response Surfaces (RSs) (Liel et al., 3

PAPER V – N. Pedroni, E. Zio, G. E. Apostolakis / Reliability Engineering and System Safety (2009), doi: 10.1016/j.ress.2009.11.009

2009) are considered for this task. The accuracy of the estimates obtained is analyzed by computing a confidence interval by means of the bootstrap method (Efron and Thibshirani, 1993); a description of this technique is provided in the following Section.

3 The bootstrap method for point value and confidence interval estimation 3.1 Empirical regression modelling As discussed in the previous Section, the computational burden posed by uncertainty and sensitivity analyses of T-H passive systems can be tackled by replacing the long-running, original T-H model code by a fast-running, surrogate regression model. Because calculations with the surrogate model can be performed quickly, the problem of long simulation times is circumvented. Let us consider a generic meta-model to be built for performing the task of nonlinear regression, i.e., estimating the nonlinear relationship between a vector of input variables x = {x1, x2, ..., xj, ..., xni } and a vector of output targets y = {y1, y2, ..., yl, ..., yno }, on the basis of a

finite (and possibly small) set of input/output data examples (i.e., patterns), Dtrain = {(x p , y p ), p = 1, 2, ..., N train } (Zio, 2006). It can be assumed that the target vector y is

related to the input vector x by an unknown nonlinear deterministic function μ y ( x ) corrupted

by a noise vector ε ( x ) , i.e., y( x ) = μ y ( x ) + ε( x ) . (1) Notice that in the present case of T-H passive system functional failure probability assessment the vector x contains the relevant uncertain system parameters/variables, the nonlinear deterministic function μ y ( x ) represents the complex, long-running T-H mechanistic model code (e.g., RELAP5-3D), the vector y(x) contains the output variables of interest for the analysis and the noise ε ( x ) represents the errors introduced by the numerical methods employed to calculate μ y ( x ) (Storlie et al., 2008); for simplicity, in the following we assume ε ( x ) = 0 (Secchi et al., 2008). The objective of the regression task is to estimate μ y ( x ) in (1) by means of a regression

function f(x, w*) depending on a set of parameters w* to be properly determined on the basis of the available data set Dtrain; the algorithm used to calibrate the set of parameters w* is obviously dependent on the nature of the regression model adopted, but in general it aims at minimizing the mean (absolute or quadratic) error between the output targets of the original T-H code, yp = μ y (x p ) , p = 1, 2, ..., Ntrain, and the output vectors of the regression model,

(

)

y p = f x p , w * , p = 1, 2, ..., Ntrain; for example, the Root Mean Squared Error (RMSE) is

commonly adopted to this purpose (Zio, 2006): N train no 1 (y p,l − yˆ p,l )2 , (2) RMSE = ∑∑ N train ⋅ no p =1 l =1 Once built, the regression model f(x, w*) can be used in place of the T-H code to calculate any quantity of interest Q, such as the 95th percentile of a physical variable critical for the system under analysis (e.g., the fuel cladding temperature) or the functional failure probability of the passive system. In this work, the capabilities of quadratic Response Surface (RS) and three-layered feedforward Artificial Neural Network (ANN) regression models are compared in the 4

PAPER V – N. Pedroni, E. Zio, G. E. Apostolakis / Reliability Engineering and System Safety (2009), doi: 10.1016/j.ress.2009.11.009

computational tasks involved in the functional failure analysis of a T-H passive system. In extreme synthesis, quadratic RSs are polynomials containing linear terms, squared terms and possibly two-factors interactions of the input variables (Liel et al., 2009); the RS adaptable parameters w* are usually calibrated by straightforward least squares methods. ANNs are computing devices inspired by the function of the nerve cells in the brain (Bishop, 1995). They are composed of many parallel computing units (called neurons or nodes) interconnected by weighed connections (called synapses). Each of these computing units performs a few simple operations and communicates the results to its neighbouring units. From a mathematical viewpoint, ANNs consist of a set of nonlinear (e.g., sigmoidal) basis functions with adaptable parameters w* that are adjusted by a process of training (on many different input/output data examples), i.e., an iterative process of regression error minimization (Rumelhart et al., 1986). The particular type of ANN employed in this paper is the classical three-layered feed-forward ANN trained by the error back-propagation algorithm. The details of these two regression models are not reported here for brevity: the interested reader may refer to the cited references and the copious literature in the field.

3.2 The bootstrap method The approximation of the system output provided by an empirical regression model introduces an additional source of uncertainty, which needs to be evaluated, particularly in safety critical applications like those related to nuclear power plant technology. One way to do this is by resorting to bootstrapped regression models (Efron and Thibshirani, 1993), i.e., an ensemble of regression models constructed on different data sets bootstrapped from the original one (Zio, 2006; Storlie et al., 2008). The bootstrap method is a distribution-free inference method which requires no prior knowledge about the distribution function of the underlying population (Efron and Thibshirani, 1993). The basic idea is to generate a sample from the observed data by sampling with replacement from the original data set (Efron and Thibshirani, 1993). From the theory and practice of ensemble empirical models, it can be shown that the estimates given by bootstrapped regression models is in general more accurate than the estimate of the best regression model in the bootstrap ensemble of regression models (Zio, 2006; Cadini et al., 2008). In what follows, the steps of the bootstrap-based technique of evaluation of the so-called Bootstrap Bias Corrected (BBC) point estimate Qˆ BBC of a generic quantity Q (e.g., a safety parameter) by a regression model f(x, w*), and the calculation of the associated BBC Confidence Interval (CI) are reported (Zio, 2006; Storlie et al., 2008): 1. Generate a set D train of input/output data examples by sampling Ntrain independent input parameters values xp, p = 1, 2, ..., Ntrain, and calculating the corresponding set of Ntrain output vectors yp = μy(xp) through the mechanistic T-H system code. Plain random sampling, Latin Hypercube Sampling or other more sophisticated experimental design methods can be adopted to select the input vectors xp, p = 1, 2, ..., Ntrain (Gazut et al., 2008). 2. Build a regression model f(x, w*) on the basis of the entire data set Dtrain = {(x p , y p ), p = 1, 2, ..., N train } (step 1. above) in order to obtain a fast-running surrogate of the T-H model code represented by the unknown nonlinear deterministic function μy(x) in (1). 3. Use the regression model f(x, w*) (step 2. above), in place of the original T-H model code, to provide a point estimate Qˆ of the quantity Q, e.g., the 95th percentile of a 5

PAPER V – N. Pedroni, E. Zio, G. E. Apostolakis / Reliability Engineering and System Safety (2009), doi: 10.1016/j.ress.2009.11.009

system variable of interest or the functional failure probability of the T-H passive system. In particular, draw a sample of NT new input vectors xr, r = 1, 2, …, NT, from the corresponding epistemic probability distributions and feed the regression model f(x, w*) with them; then, use the corresponding output vectors yr = f(xr, w*), r = 1, 2, …, NT, to calculate the estimate Qˆ for Q (the algorithm for computing Qˆ is obviously dependent on the meaning of the quantity Q). Since the regression model f(x, w*) can be evaluated quickly, this step is computationally costless even if the number NT of model estimations is very high (e.g., NT = 105 or 106). 4. Build an ensemble of B (typically of the order of 500-1000) regression models f b x, wb* , b = 1, 2, ..., B by random sampling with replacement and use each of the bootstrapped regression models fb(x, wb*), b = 1, 2, ..., B, to calculate an estimate Qˆ ,

{ (

)

}

b

b = 1, 2, ..., B, for the quantity Q of interest: by so doing, a bootstrap-based empirical probability distribution for the quantity Q is produced which is the basis for the construction of the corresponding confidence intervals. In particular, repeat the following steps for b = 1, 2, ..., B: a. Generate a bootstrap data set Dtrain ,b = {(x p ,b , y p ,b ), p = 1, 2, ..., N train }, b = 1, 2, ..., B, by performing random sampling with replacement from the original data set Dtrain = {(x p , y p ), p = 1, 2, ..., N train } of Ntrain input/output patterns (steps 1. and 2. above). The data set Dtrain,b is thus constituted by the same number Ntrain of input/output patterns drawn among those in Dtrain although, due to the sampling with replacement, some of the patterns in Dtrain will appear more than once in Dtrain,b, whereas some will not appear at all. b. Build a regression model fb(x, wb*), b = 1, 2, ..., B, on the basis of the bootstrap data set Dtrain ,b = {(x p ,b , y p ,b ), p = 1, 2, ..., N train } (step 3.a. above). c. Use the regression model fb(x, wb*) (step 4.b. above), in place of the original TH code, to provide a point estimate Qˆ b of the quantity of interest Q. It is important to note that for a correct quantification of the confidence interval the estimate Qˆ b must be based on the same input and output vectors xr and yr, r = 1, 2, …, NT, respectively, obtained in step 3. above. 5. Calculate the so-called Bootstrap Bias Corrected (BBC) point estimate Qˆ BBC for Q as Qˆ (3) = 2Qˆ − Qˆ BBC

boot

where Qˆ is the estimate obtained with the regression model f(x, w*) trained with the is the average of the B original data set Dtrain (steps 2. and 3. above) and Qˆ boot

estimates Qˆ b obtained with the B regression models fb(x, wb*), b = 1, 2, ..., B (step 4.c. above), i.e., 1 B Qboot = ∑ Qˆ b . (4) B b =1 The BBC estimate Qˆ in (3) is taken as the definitive point estimate for Q. BBC

The explanation for expression (3) is as follows. It can be demonstrated that if there is a bias in the bootstrap average estimate Qˆ boot in (4) compared to the estimate Qˆ obtained with the single regression model f(x, w*) (step 3. above), then the same bias exists in the single estimate Qˆ compared to the true value Q of the quantity of interest 6

PAPER V – N. Pedroni, E. Zio, G. E. Apostolakis / Reliability Engineering and System Safety (2009), doi: 10.1016/j.ress.2009.11.009

(Baxt and White, 1995). Thus, in order to obtain an appropriate, i.e. bias-corrected, estimate Qˆ BBC for the quantity of interest Q, the estimate Qˆ must be adjusted by subtracting the corresponding bias ( Qˆ - Qˆ ): as a consequence, the final, biasboot

corrected estimate Qˆ BBC is Qˆ BBC = Qˆ - ( Qˆ boot - Qˆ ) = 2 Qˆ - Qˆ boot . 6. Calculate the two-sided Bootstrap Bias Corrected (BBC)-100·(1 - α)% Confidence Interval (CI) for the BBC point estimate in (3) by performing the following steps: a. Order the bootstrap estimates Qˆ b , b = 1, 2, ..., B, (step 4.c. above) by increasing values, such that Qˆ = Qˆ for some b = 1, 2, ..., B, and Qˆ < Qˆ (i )

b

(1)

( 2)

< ... < Qˆ ( b ) < ... < Qˆ ( B ) . b. Identify the 100·α/2th and 100·(1 – α/2)th quantiles of the bootstrapped empirical probability distribution of Q (step 4. above) as the [B·α/2]th and [B·(1 – α/2)]th elements Qˆ ([B⋅α / 2 ]) and Qˆ ([B⋅(1−α / 2 )]) , respectively, in the ordered list Qˆ (1) < Qˆ < ... < Qˆ < ... < Qˆ ; notice that the symbol [·] stands for “closest ( 2)

(b)

( B)

integer”. c. Calculate the two-sided BBC-100·(1 - α)% CI for Qˆ BBC as Qˆ − Qˆ − Qˆ , Qˆ + Qˆ − Qˆ .

[

BBC

(

boot

([B⋅α / 2 ])

)

BBC

(

([B⋅(1−α / 2 )])

boot

)]

(5)

An important advantage of the bootstrap method is that it provides confidence intervals for a given quantity Q without making any model assumptions (e.g., normality); a disadvantage is that the computational cost could be high when the set Dtrain and the number of adaptable parameters w* in the regression models are large.

4 Case study The case study considered in this work concerns the natural convection cooling in a Gascooled Fast Reactor (GFR) under a post-Loss Of Coolant Accident (LOCA) condition (Pagani et al., 2005). The reactor is a 600-MW GFR cooled by helium flowing through separate channels in a silicon carbide matrix core whose design has been the subject of study in the past several years at the Massachussets Institute of Technology (MIT) (Pagani et al., 2005). A GFR decay heat removal configuration is shown schematically in Figure 1; in the case of a LOCA, the long-term heat removal is ensured by natural circulation in a given number Nloops of identical and parallel loops; only one of the Nloops loops is reported for clarity of the picture: the flow path of the cooling helium gas is indicated by the black arrows. The loop has been divided into Nsections = 18 sections for numerical calculation; technical details about the geometrical and structural properties of these sections are not reported here for brevity: the interested reader may refer to (Pagani et al., 2005). In the present analysis, the average core power to be removed is assumed to be 18.7 MW, equivalent to about 3% of full reactor power (600 MW): to guarantee natural circulation cooling at this power level, a pressure of 1650 kPa in the loops is required in nominal conditions. Finally, the secondary side of the heat exchanger (i.e., item 12 in Figure 1) is assumed to have a nominal wall temperature of 90 °C (Pagani et al., 2005).

7

PAPER V – N. Pedroni, E. Zio, G. E. Apostolakis / Reliability Engineering and System Safety (2009), doi: 10.1016/j.ress.2009.11.009

Figure 1. Schematic representation of one loop of the 600-MW GFR passive decay heat removal system (Pagani et al., 2005)

4.1 Uncertainties Uncertainties affect the modeling of passive systems. There are unexpected events, e.g. the failure of a component or the variation of the geometrical dimensions and material properties, which are random in nature. This kind of uncertainty, often termed aleatory (NUREG-1150, 1990; Helton, 1998; USNCR, 1998), is not considered in this work. There is also incomplete knowledge on the properties of the system and the conditions in which the passive phenomena develop (i.e., natural circulation). This kind of uncertainty, often termed epistemic, affects the model representation of the passive system behaviour, in terms of both (model) uncertainty in the hypotheses assumed and (parameter) uncertainty in the values of the parameters of the model (Cacuci and Ionescu-Bujor, 2004; Helton et al., 2006; Patalano et al., 2008). Only epistemic uncertainties are considered in this work. Epistemic parameter uncertainties are associated to the reactor power level, the pressure in the loops after the LOCA and the cooler wall temperature; epistemic model uncertainties are associated to the correlations used to calculate the Nusselt numbers and friction factors in the forced, mixed and free convection regimes. The consideration of these uncertainties leads to the definition of a vector x of nine uncertain inputs of the model x = {x j : j = 1, 2, ..., 9}, assumed described by normal distributions of known means and standard deviations (Table 1, Pagani et al., 2005).

8

PAPER V – N. Pedroni, E. Zio, G. E. Apostolakis / Reliability Engineering and System Safety (2009), doi: 10.1016/j.ress.2009.11.009

Name Parameter uncertainty Model uncertainty

Power (MW), x1 Pressure (kPa), x2 Cooler wall temperature (°C), x3 Nusselt number in forced convection, x4 Nusselt number in mixed convection, x5 Nusselt number in free convection, x6 Friction factor in forced convection, x7 Friction factor in mixed convection, x8 Friction factor in free convection, x9

Mean, μ Standard deviation, σ (% of μ) 18.7 1650 90 1 1 1 1 1 1

1% 7.5% 5% 5% 15% 7.5% 1% 10% 1.5%

Table 1. Epistemic uncertainties considered for the 600-MW GFR passive decay heat removal system of Figure 1 (Pagani et al., 2005)

4.2 Failure criteria of the T-H passive system The passive decay heat removal system of Figure 1 is considered failed when the temperature of the coolant helium leaving the core (item 4 in Figure 1) exceeds either 1200 °C in the hot channel or 850 °C in the average channel: these values are expected to limit the fuel temperature to levels which prevent excessive release of fission gases and high thermal stresses in the cooler (item 12 in Figure 1) and in the stainless steel cross ducts connecting the reactor vessel and the cooler (items from 6 to 11 in Figure 1) (Pagani et al., 2005). Denoting hot avg by Tout , core ( x ) and Tout , core ( x ) the coolant outlet temperatures in the hot and average channels, respectively, the system failure event F can be written as follows: hot avg F = {x :Tout , core ( x ) > 1200}∪ {x :Tout ,core ( x ) > 850}.

(6)

hot avg According to the notation of the preceding Section 3, Tout , core ( x ) = y1(x) and Tout , core ( x ) = y2(x)

are the two target outputs of the T-H model.

5 Functional failure probability estimation by bootstrapped ANNs and quadratic RSs In this Section, the results of the application of bootstrapped Artificial Neural Networks (ANNs) and quadratic Response Surfaces (RSs) for the estimation of the functional failure probability of the 600-MW GFR passive decay heat removal system in Figure 1 are illustrated. Some details about the construction of the ANN and quadratic RS regression models are given in Section 5.1; their use for estimating the percentiles of the hot-channel and average-channel coolant outlet temperatures is shown in Section 5.2; the estimation of the probability of functional failure of the system is addressed in Section 5.3. The uncertainties associated to the calculated quantities are estimated by bootstrapping of the regression models, as explained in Section 3.

5.1 Building and testing the ANN and quadratic RS regression models

RS and ANN models have been built with training sets Dtrain = {(x p , y p ), p = 1, 2, ..., N train } of input/output data examples of different sizes Ntrain = 20, 30, 50, 70, 100; this has allowed extensive testing of the capability of the regression models to reproduce the outputs of the nonlinear T-H model code, based on different (small) numbers of example data. For each size Ntrain of data set, a Latin Hypercube Sample (LHS) of the 9 uncertain inputs has been drawn, xp = {x1,p, x2,p, …, xj,p, …, x9, p }, p = 1, 2, …., Ntrain (Zhang and Foschi, 2004). Then, the T-H model code has been run with each of the input vectors xp, p = 1, 2, …, Ntrain, to obtain the 9

PAPER V – N. Pedroni, E. Zio, G. E. Apostolakis / Reliability Engineering and System Safety (2009), doi: 10.1016/j.ress.2009.11.009

corresponding bidimensional output vectors yp = μy(xp) = {y1,p, y2,p}, p = 1, 2, …, Ntrain (in the present case study, the number no of outputs is equal to 2, i.e., the hot- and average-channel coolant outlet temperatures, as explained in Section 4.2). The training data set Dtrain = {(x p , y p ), p = 1, 2, ..., N train } thereby obtained has been used to calibrate the adjustable parameters w* of the regression models, for best fitting the T-H model code data. More specifically, the straightforward least squares method has been used to find the parameters of the quadratic RSs (Bucher and Most, 2008) and the common error back-propagation algorithm has been applied to train the ANNs (Rumelhart et al., 1986). Note that a single ANN can be trained to estimate both outputs of the model here of interest, whereas a specific quadratic RS must be developed for each output to be estimated. The choice of the ANN architecture is critical for the regression accuracy. In particular, the number of neurons in the network determines the number of adjustable parameters available to optimally fit the complicated, nonlinear T-H model code response surface by interpolation of the available training data. The number of neurons in the input layer is ni = 9, equal to the number of uncertain input parameters; the number no of outputs is equal to 2, the outputs of interest; the number nh of nodes in the hidden layer is 4 for Ntrain = 20, 30, 70 and 100, whereas it is 5 for Ntrain = 50, determined by trial-and-error. In case of a network with too few neurons (i.e., too few parameters), the regression function f(x, w*) has insufficient flexibility to adjust its response surface to fit the data adequately: this results in poor generalization properties of interpolation when new input patterns are fed to the network to obtain the corresponding output; on the opposite side, excessively increasing the flexibility of the model by introducing too many parameters, e.g., by adding neurons, may make the network overfit the training data, leading again to poor generalization performance when interpolating new input data. A trade-off is typically sought by controlling the neural model complexity, i.e., the number of parameters, and the training procedure, e.g., by adding a regularization term in the error function or by early stopping the training, so as to achieve a good fit of the training data with a reasonably smooth regression function which is not over-fit to the data and therefore capable of generalization when interpolating new input data (Bishop, 1995). In the present work, early stopping is adopted: a validation input/output data set Dval = {(x p , y p ), p = 1, 2, ..., N val } made of patterns different from those of the training set Dtrain is used to monitor the accuracy of the ANN model during the training procedure; in practice, the RMSE (2) is computed on Dval at different iterative stages of the training procedure (Figure 2): at the beginning of training, this value decreases as does the RMSE computed on the training set Dtrain; later in the training, if the ANN regression model starts overfitting the data, the RMSE calculated on the validation set Dval starts increasing and training must be stopped (Bishop, 1995). It is fair to point out that the increased ANN generalization capability typically achieved by early stopping is obtained at the expense of Nval additional code simulations, with an increase in the computational cost for the training of the ANN model. In this work, the size Nval of the validation set is set to 20 for all sizes Ntrain of the data set Dtrain considered, which means 20 additional runs of the T-H model code.

10

PAPER V – N. Pedroni, E. Zio, G. E. Apostolakis / Reliability Engineering and System Safety (2009), doi: 10.1016/j.ress.2009.11.009

Figure 2. Early stopping the ANN training to avoid overfitting As measures of the ANN and RS model accuracy, the commonly adopted coefficient of determination R 2 and RMSE have been computed for each output yl, l = 1, 2, on a new data set Dtest = {(x p , y p ), p = 1, 2, ..., N test } of size Ntest = 20, purposely generated for testing the regression models built (Marrel et al., 2009), and thus different from those used during training and validation. Table 2 reports the values of the coefficient of determination R 2 and of the RMSE associated hot to the estimates of the hot- and average- channel coolant outlet temperatures Tout ,core and avg Tout ,core , respectively, computed on the test set Dtest by the ANN and quadratic RS models built

on data sets Dtrain of different sizes Ntrain = 20, 30, 50, 70, 100; the number of adjustable parameters w* included in the two regression models is also reported for comparison purposes. Artificial Neural Network (ANN) Ntrain 20 30 50 70 100

Ntrain 20 30 50 70 100

Nval 20 20 20 20 20

Nval 0 0 0 0 0

Ntest 20 20 20 20 20

Ntest 20 20 20 20 20

R2

hot out,core

avg Tout, core

T

Number of adjustable parameters w* 50 0.8937 50 0.9140 62 0.9822 50 0.9891 50 0.9897 Quadratic Response Surface (RS) Number of adjustable parameters w* 55 55 55 55 55

hot out,core

0.8956 0.8982 0.9779 0.9833 0.9866 R2 avg out,core

T

T

0.5971 0.8075 0.9280 0.9293 0.9305

0.7914 0.9348 0.9353 0.9356 0.9496

RMSE [°C] hot avg Tout, Tout, core core 38.5 34.7 15.8 12.4 12.0

18.8 18.6 8.7 6.8 6.3

RMSE [°C] avg T Tout, core hot out,core

75.0 51.9 31.7 31.4 31.2

26.6 14.8 14.6 14.3 13.1

Table 2. Coefficient of determination R 2 and RMSE associated to the estimates of the hothot avg and average-channel coolant outlet temperatures Tout , core and Tout ,core , respectively, computed

on the test set Dtest of size Ntest = 20 by the ANN and quadratic RS models built on data sets Dtrain of different sizes Ntrain = 20, 30, 50, 70, 100; the number of adjustable parameters w* included in the two regression models is also reported for comparison purposes

11

PAPER V – N. Pedroni, E. Zio, G. E. Apostolakis / Reliability Engineering and System Safety (2009), doi: 10.1016/j.ress.2009.11.009

The ANN outperforms the RS in all the cases considered: for example, for Ntrain = 100, the coefficients of determination R2 produced by the ANN and the quadratic RS models for the hot hot-channel coolant outlet temperature Tout ,core are 0.9897 and 0.9305, respectively, whereas the corresponding RMSEs are 12.0 °C and 31.2 °C, respectively. This result is due to the higher flexibility in modeling complex nonlinear input/output relationships offered by the ANN with respect to the quadratic RS: the ANN structure made of a large number of adaptable connections (i.e., the synapses) among nonlinear operating units (i.e., the neurons) allows fitting complex nonlinear functions with an accuracy which is superior to that of a plain quadratic regression model. Actually, if the original T-H model is not quadratic (which is often the case in practice), a second-order polynomial RS cannot be a consistent estimator, i.e., the quadratic RS estimates may never converge to the true values of the original T-H model outputs, even for a very large number of input/output data examples, in the limit for Ntrain → ∞. On the contrary, ANNs have been demonstrated to be universal approximants of continuous nonlinear functions (under mild mathematical conditions) (Cybenko, 1989), i.e., in principle, an ANN model with a properly selected architecture can be a consistent estimator of any continuous nonlinear function, e.g. any nonlinear T-H code simulating the system of interest.

5.2 Determination of the 95th percentiles of the coolant outlet temperatures For illustration purposes, a configuration with Nloops = 3 loops is considered for the passive system of Figure 1. hot The 100·αth percentiles of the hot- and average-channel coolant outlet temperatures Tout ,core avg hot ,α avg ,α and Tout ,core are defined as the values Tout ,core and Tout , core , respectively, such that

(

)

hot hot ,α P Tout ,core ≤ Tout ,core = α

(7)

and avg avg ,α P (Tout ,core ≤ Tout ,core ) = α .

(8)

Figure 3, left and right, shows the Probability Density Function (PDF) and Cumulative Distribution Function (CDF), respectively, of the hot-channel coolant outlet temperature hot Tout ,core obtained with NT = 250000 simulations of the original T-H model code (solid lines); avg the PDF and CDF of the average-channel coolant outlet temperature Tout ,core are not shown for

brevity. The same Figure also shows the PDFs and CDFs constructed with NT = 250000 estimations from B = 1000 bootstrapped ANNs (dashed lines) and RSs (dot-dashed lines) built on Ntrain = 100 input/output examples.

12

PAPER V – N. Pedroni, E. Zio, G. E. Apostolakis / Reliability Engineering and System Safety (2009), doi: 10.1016/j.ress.2009.11.009

Cumulative Distribution Function (CDF) of Thot

out,core

1

0.018

0.9

0.016

0.8

0.014

0.7

Original T-H code, NT = 250000

Cumulative probability

Probability density function (PDF)

Probability density function (PDF) of Thot out,core 0.02

ANN, Ntrain = 100

0.012

RS, Ntrain = 100 0.01 0.008

Original T-H code, NT = 250000 0.6

ANN, N

0.5

RS, Ntrain = 100

0.3

0.004

0.2

0.002

0.1

400

500

600

700

800

900

1000

Hot channel coolant outlet temperature, Thot out,core

1100

1200

1300

= 100

0.4

0.006

0 300

train

0 300

400

500

600

700

800

900

1000

1100

1200

1300

Hot channel coolant outlet temperature, Thot out,core

Figure 3. Hot-channel coolant outlet temperature empirical PDFs (left) and CDFs (right) constructed with NT = 250000 estimations from the original T-H code (solid lines) and from bootstrapped ANNs (dashed lines) and RSs (dot-dashed lines) built on Ntrain = 100 data examples hot Notice that the “true” (i.e., reference) PDF and CDF of Tout , core (Figure 3, solid lines) have

been obtained with a very large number NT (i.e., NT = 250000) of simulations of the original T-H code, to provide a robust reference for the comparisons. Actually, the T-H code here employed runs fast enough to allow repetitive calculations (one code run lasts on average 3 seconds on a Pentium 4 CPU 3.00GHz): the computational time required by this reference analysis is thus 250000·3 s = 750000 s ≈ 209 h. The overall good match between the results from the original T-H model code and those from the bootstrapped ANNs and RSs regression models leads us to assert that the accuracy in the estimates can be considered satisfactory for the needs of percentile estimation in the functional failure analysis of the present T-H passive system. Also, it can be seen that the ANN estimates (dashed lines) are much closer to the reference results (solid lines) than the RS estimates (dot-dashed lines). To quantify the uncertainties associated to the point estimates obtained, bootstrapped ANNs and quadratic RSs have been built to provide Bootstrap Bias th hot ,0.95 hot , 0.95 ˆ hot ,0.95 Corrected (BBC) point estimates Tˆout percentiles Tout , core , BBC and Tout , core , BBC for the 95 , core avg , 0.95 hot avg and Tout ,core of the hot- and average-channel coolant outlet temperatures Tout , core and Tout ,core , hot ,0.95 respectively. Figure 4 shows the values (dots) of the BBC point estimates Tˆout , core , BBC (top) and Tˆ hot ,0.95 (bottom) obtained with NT = 250000 estimations from B = 1000 bootstrapped out , core , BBC

ANNs (left) and quadratic RSs (right) built on Ntrain = 20, 30, 50, 70 and 100 data examples; also the corresponding Bootstrap Bias Corrected (BBC) 95% Confidence Intervals (CIs) (bars) are reported. hot , 0.95 Again, notice that the “true” (i.e., reference) values of the 95th percentiles (i.e., Tout , core = avg , 0.95 796.31 °C and Tout , core = 570.22 °C, shown as dashed lines in Figure 4) have been calculated

with a very large number NT (i.e., NT = 250000) of simulations of the original T-H code, to provide a robust reference for the comparisons: the computational time required by the analysis is 209 h.

13

PAPER V – N. Pedroni, E. Zio, G. E. Apostolakis / Reliability Engineering and System Safety (2009), doi: 10.1016/j.ress.2009.11.009

0.95 Quadratic RS-based BBC 95% CIs for Thot, out, core

0.95 ANN-based BBC 95% CIs for Thot, out, core

1000 0.95 95th percentile of the hot channel coolant temperature, Thot, out, core

0.95 95th percentile of the hot channel coolant temperature, Thot, out, core

1000

950

900

850

800

750

700 10

20

30

40

50 60 70 Training sample size, Ntrain

80

90

100

950

900

850

800

750

700 10

110

20

30

0.95 ANN-based BBC 95% CIs for Tavg, out, core

80

90

100

110

90

100

110

660 0.95 95th percentile of the average channel coolant temperature, Tavg, out, core

0.95 95th percentile of the average channel coolant temperature, Tavg, out, core

50 60 70 Training sample size, Ntrain

0.95 Quadratic RS-based BBC 95% CIs for Tavg, out, core

660

640

620

600

580

560

540 10

40

20

30

40

50 60 70 Training sample size, Ntrain

80

90

100

640

620

600

580

560

540

110

10

20

30

40

50 60 70 Training sample size, Ntrain

80

hot ,0.95 ˆ hot ,0.95 Figure 4. Bootstrap Bias Corrected (BBC) point estimates Tˆout , core , BBC and Tout , core , BBC (dots) hot , 0.95 avg , 0.95 and BBC 95% Confidence Intervals (CIs) (bars) for the 95th percentiles Tout , core and Tout ,core hot of the hot- (top) and average- (bottom) channel coolant outlet temperatures Tout ,core and avg Tout ,core , respectively, obtained with NT = 250000 estimations from bootstrapped ANNs (left)

and RSs (right) built on Ntrain = 20, 30, 50, 70 and 100 data examples; the “true” (i.e., hot , 0.95 avg , 0.95 reference) values (i.e., Tout , core = 796.31 °C and Tout ,core = 570.22 °C) are shown as dashed lines Bootstrapped ANNs turn out to be quite reliable and robust, providing BBC point estimates very close to the real values in all the cases considered; on the contrary, bootstrapped quadratic RSs provide accurate estimates only for Ntrain = 70 and 100. For example, for Ntrain hot ,0.95 hot , 0.95 = 20 the ANN and quadratic RS BBC point estimates Tˆout , core , BBC for Tout , core = 796.31 °C are 813.50 °C and 849.98 °C, respectively; on the contrary, for Ntrain = 100 the same estimates become 796.70 °C and 800.81 °C, respectively. The superior performance of the ANNs can again be explained by the higher flexibility in nonlinear modeling offered by them with respect to RSs. Moreover, the uncertainty associated to the bootstrapped ANN estimates is significantly lower than that associated to the quadratic RS estimates, as demonstrated by the width of the corresponding confidence intervals: for example, for Ntrain = 100 the widths of the BBC 95% hot , 0.95 CIs produced by bootstrapped ANNs and quadratic RSs for Tout , core are 21.40 °C and 78.00 °C, respectively. This difference in performance is related to the problem of overfitting 14

PAPER V – N. Pedroni, E. Zio, G. E. Apostolakis / Reliability Engineering and System Safety (2009), doi: 10.1016/j.ress.2009.11.009

(Section 5.1) which can become quite relevant in the bootstrap procedure for the calculation of the BBC 95% CIs (Section 3). The calculation requires that B bootstrap samples Dtrain,b, b = 1, 2, …, B, be drawn at random with replacement from the original set Dtrain of input/output data examples: by so doing, some of the patterns in Dtrain will appear more than once in the individual samples Dtrain,b, whereas some will not appear at all. As a consequence, the number of unique (i.e., different) data in each bootstrap sample Dtrain,b will be typically lower than the number Ntrain of “physical” data: this is particularly true if Ntrain is low (e.g., equal to 20 or 30). Since during the bootstrap (step 4. in Section 3) the number of adjustable parameters w* in each “trained” regression model is fixed, it frequently happens that the number of adaptable parameters w* is larger than the number of unique data in the individual bootstrap sample Dtrain,b: this typically causes the regression model to overfit the bootstrap “training” data Dtrain,b with consequent degradation of estimation performance. In the case of ANNs, the early stopping method described in Section 5.1 allows avoiding the overfitting; on the contrary, to the best of the authors’ knowledge, no method of this kind is available for polynomial RSs. This explains the higher accuracy of ANN, which within the bootstrap resampling procedure results in a lower “dispersion” of the corresponding bootstrap estimates Qˆ b , b = 1, 2, …, B, and in a smaller width of the produced confidence intervals (step 4.c. in Section 3). Finally, the computational times associated to the calculation of the BBC point estimates hot ,0.95 hot , 0.95 avg , 0.95 ˆ hot ,0.95 Tˆout , core , BBC and Tout , core , BBC for Tout , core and Tout , core , and the corresponding BBC 95% CIs, are compared for the two bootstrapped regression models with reference to the case of Ntrain = 100, by way of example: the overall CPU times required by the use of bootstrapped ANNs and RSs are on average 2.22 h and 0.43 h, respectively. These values include the time required for: i. generating the Ntrain + Nval + Ntest input/output examples, by running the T-H code: the corresponding CPU times are on average (100 + 20 + 20)·3 = 420 s = 7 min ≈ 0.12 h and (100 + 0 + 20)·3 = 360 s = 6 min ≈ 0.10 h for the ANNs and the RSs, respectively; ii. training the bootstrapped ensemble of B = 1000 ANN and RS regression models by means of the error back-propagation algorithm and the least squares method, respectively: the corresponding CPU times are on average 2 h and 0.25 h for the ANNs and the RSs, respectively; iii. performing NT = 250000 evaluations of each of the B = 1000 bootstrapped ANN and RS regression models; the corresponding CPU times are on average 6 min (i.e., 0.1 h) and 4.5 min (i.e., about 0.08 h) for the ANNs and the RSs, respectively. The overall CPU times required by the use of bootstrapped ANNs (i.e., on average 2.22 h) and quadratic RSs (i.e., on average 0.43 h) is about 90 and 480 times, respectively, lower than that required by the use of the original T-H model code (i.e., on average 209 h). The CPU time required by the ANNs is about 5 times larger than that required by the quadratic RSs, mainly due to the elaborate training algorithm needed to build the structurally complex neural model.

5.3 Functional failure probability estimation In this Section, the bootstrapped ANNs and quadratic RSs are compared in the task of estimating the functional failure probability of the 600-MW GFR passive decay heat removal system of Figure 1. The previous system configuration with Nloops = 3 is analyzed. Figure 5 shows the values of the Bootstrap Bias Corrected (BBC) point estimates Pˆ (F )BBC (dots) of the functional failure probability P(F) obtained with NT = 500000 estimations from 15

PAPER V – N. Pedroni, E. Zio, G. E. Apostolakis / Reliability Engineering and System Safety (2009), doi: 10.1016/j.ress.2009.11.009

the bootstrapped ANNs (left) and quadratic RSs (right) built on Ntrain = 20, 30, 50 ,70 and 100 data examples; the corresponding Bootstrap Bias Corrected (BBC) 95% Confidence Intervals (CIs) are also reported (bars). Notice that the “true” (i.e., reference) value of the functional failure probability P(F) (i.e., P(F) = 3.34·10-4, shown as dashed lines in Figure 5) has been obtained with a very large number NT (i.e., NT = 500000) of simulations of the original T-H code to provide a robust term of comparison: the computational time required by this reference analysis is thus 500000·3 s = 1500000 s ≈ 417 h. -4

-4

ANN-based BBC 95% CIs for P(F)

x 10

10

9

9

8

8

7

7 Failure probability, P(F)

Failure probability, P(F)

10

6 5 4 3

6 5 4 3

2

2

1

1

0

0

10

20

30

40

50 60 70 Training sample size, Ntrain

80

90

100

110

Quadratic RS-based BBC 95% CIs for P(F)

x 10

10

20

30

40

50 60 70 Training sample size, N

80

90

100

110

train

Figure 5. Bootstrap Bias Corrected (BBC) point estimates Pˆ (F )BBC (dots) and BBC 95% Confidence Intervals (CIs) (bars) for the functional failure probability P(F) obtained with NT = 500000 estimations from bootstrapped ANNs (left) and RSs (right) built on Ntrain = 20, 30, 50, 70 and 100 data examples; the “true” (i.e., reference) value for P(F) (i.e., P(F) = 3.34·104 ) is shown as a dashed line It can be seen that as the size of the training sample Ntrain increases, both the ANN and quadratic RS provide increasingly accurate estimates of the true functional failure probability P(F), as one would expect. On the other hand, in the cases of small training sets (e.g., Ntrain = 20, 30 and 50) the functional failure probabilities are significantly underestimated by both the bootstrapped ANN and the quadratic RS models (e.g., the BBC point estimates Pˆ (F )BBC for P(F) lie between 9.81·10-5 and 2.45·10-4) and the associated uncertainties are quite large (e.g., the widths of the corresponding BBC 95% CIs are between 3.47·10-4 and 7.91·10-4). Two considerations seem in order with respect to these results. First, in these cases of small data sets available the analyst would still be able to correctly estimate the order of magnitude of a small failure probability (i.e., P(F) ~ 10-4), in spite of the low number of runs of the T-H code performed to generate the Ntrain = 20, 30 or 50 input/output examples; second, the accuracy of an estimate should be evaluated in relation to the requirements of the specific application; for example, although the confidence interval provided by the bootstrapped ANNs trained with Ntrain = 50 samples ranges from 8.03·10-5 to 4.27·10-4, this variability might be acceptable for demonstrating that the system satisfies the target safety goals. Finally, it is worth noting that although bootstrapped ANNs provide better estimates and lower model uncertainties than quadratic RSs, the difference in the performances of the two regression models is less evident than in the case of percentile estimation (Section 5.2). This may be due to the fact that estimating the value of the functional failure probability P(F) is a simpler task than estimating the exact values of the corresponding coolant outlet temperatures. For example, let the true value of the hot channel coolant outlet temperature be 1250 °C and the corresponding estimate by the regression model be 1500 °C: in such a case, the estimate is 16

PAPER V – N. Pedroni, E. Zio, G. E. Apostolakis / Reliability Engineering and System Safety (2009), doi: 10.1016/j.ress.2009.11.009

absolutely inaccurate in itself, but “exact” for the purpose of functional failure probability estimation with respect to a failure threshold of 1200 °C. Finally, the computational times required for the estimation of the functional failure probability, and the corresponding confidence interval, in the case of Ntrain = 100 are 2.32 h and 0.50 h for the bootstrapped ANNs and quadratic RSs, respectively.

6 Conclusions In this paper, Artificial Neural Networks (ANNs) and quadratic Response Surfaces (RSs) have been compared in the task of estimating, in a fast and efficient way, the probability of functional failure of a T-H passive system. A case study involving the natural convection cooling in a Gas-cooled Fast Reactor (GFR) after a Loss of Coolant Accident (LOCA) has been taken as reference. To allow accurate comparison values based on a large number of repeated T-H-model code evaluations, the representation of the system behavior has been limited to a steady-state model. ANN and quadratic RS models have been constructed on the basis of sets of data of limited, varying sizes, which represent examples of the nonlinear relationships between 9 uncertain inputs and 2 relevant outputs of the T-H model code (i.e., the hot- and average-channel coolant outlet temperatures). Once built, such models have been used, in place of the original T-H model code, to: compute the temperatures 95th percentiles of the hot-channel and average-channel temperatures of the coolant gas leaving the reactor core; estimate the functional failure probability of the system by comparison of the computed values with predefined failure thresholds. In all the cases considered, the results have demonstrated that ANNs outperform quadratic RSs in terms of estimation accuracy: as expected, the difference in the performances of the two regression models is much more evident in the estimation of the 95th percentiles than in the (easier) task of estimating the functional failure probability of the system. Due to their flexibility in nonlinear modelling, ANNs have been shown to provide more reliable estimates than quadratic RSs even when they are trained with very low numbers of data examples (e.g., 20, 30 or 50) from the original T-H model code. The bootstrap method has been employed to estimate confidence intervals on the quantities computed: this uncertainty quantification is of paramount importance in safety critical applications, in particular when few data examples are used. In this regard, bootstrapped ANNs have been shown to produce narrower confidence intervals than bootstrapped quadratic RSs in all the analyses performed. On the basis of the results obtained, bootstrapped ANNs can be considered more effective than quadratic RSs in the estimation of the functional failure probability of T-H passive systems (while quantifying the uncertainty associated to the results) because they provide more accurate (i.e., estimates are closer to the true values) and precise (i.e., confidence intervals are narrower) estimates than quadratic RSs; on the other hand, the computational time required by bootstrapped ANNs is somewhat longer than that required by quadratic RSs, due to the elaborate training algorithm for building the structurally complex neural model.

References Apostolakis, G. E., 1990. The concept of probability in safety assessment of technological systems. Science, 250, 1359. Bassi, C., Marquès, M., 2008. Reliability assessment of 2400 MWth gas-cooled fast reactor natural circulation decay heat removal in pressurized situations. Science and Technology of Nuclear Installations, Special Issue “Natural Circulation in Nuclear Reactor Systems”, Hindawi Publishing Corporation, Paper 87376. 17

PAPER V – N. Pedroni, E. Zio, G. E. Apostolakis / Reliability Engineering and System Safety (2009), doi: 10.1016/j.ress.2009.11.009

Baxt, W. G. and White, H., 1995. Bootstrapping confidence intervals for clinic input variable effects in a network trained to identify the presence of acute myocardial infarction. Neural Computation, 7, pp. 624-638. Bishop, C. M., 1995. Neural Networks for pattern recognition. Oxford University Press. Bucher, C., Most, T., 2008. A comparison of approximate response function in structural reliability analysis. Probabilistic Engineering Mechanics, vol. 23, pp. 154-163. Burgazzi, L., 2003. Reliability evaluation of passive systems through functional reliability assessment. Nuclear Technology, 144, 145. Burgazzi, L., 2007. State of the art in reliability of thermal-hydraulic passive systems. Reliability Engineering and System Safety, 92(5), pp. 671-675. Cacuci, D. G., Ionescu-Bujor, M., 2004. A comparative review of sensitivity and uncertainty analysis of large scale systems – II: Statistical methods. Nuclear Science and Engineering (147), pp. 204-217. Cadini, F., Zio, E., Kopustinskas, V., Urbonas, R., 2008. An empirical model based bootstrapped neural networks for computing the maximum fuel cladding temperature in a RBMK-1500 nuclear reactor accident. Nuclear Engineering and Design, 238, pp. 2165-2172. Cardoso, J. B., De Almeida, J. R., Dias, J. M., Coelho, P. G., 2008. Structural reliability analysis using Monte Carlo simulation and neural networks. Advances in Engineering Software, 39, pp. 505-513. Cheng, J., Li, Q. S., Xiao, R. C., 2008. A new artificial neural network-based response surface method for structural reliability analysis. Probabilistic Engineering Mechanics, 23, pp. 51-63. Cybenko, G., 1989. Approximation by superposition of sigmoidal functions. Mathematics of Control, Signals and Systems, 2, pp. 303-314. Deng, J., 2006. Structural reliability analysis for implicit performance function using radial basis functions. International Journal of Solids and Structures, 43, pp. 3255-3291. Efron, B. and Thibshirani, R. J., 1993. An introduction to the bootstrap. Monographs on statistics and applied probability 57. Chapman and Hall, New York. Fong, C. J., Apostolakis, G. E., 2008. The use of response surface methodology to perform uncertainty analyses on passive safety systems. Proceedings of PSA ’08, International Topical Meeting on Probabilistic Safety Assessment, Knoxville, Tennessee, September 7-11, 2008, American Nuclear Society, La Grange Park, Illinois. Gavin, H. P., Yau, S. C., 2008. High-order limit state functions in the response surface method for structural reliability analysis. Structural Safety, 30, pp. 162-179. Gazut, S., Martinez, J. M., Dreyfus, G., Oussar, Y., 2008. Towards the optimal design of numerical experiments. IEEE Transactions on Neural Networks, 19(5), pp. 874-882. Helton, J. C., 1998. Uncertainty and sensitivity analysis results obtained in the 1996 performance assessment for the waste isolation power plant, SAND98-0365, Sandia National Laboratories. Helton, J., 2004. Alternative representations of epistemic uncertainties. Reliability Engineering and System Safety, 85 (Special Issue). Helton J. C, Johnson J. D., Sallaberry C. J., Storlie C. B., 2006. Survey on sampling-based methods for uncertainty and sensitivity analysis. Reliability Engineering and System Safety, 91, pp. 1175-1209. Hurtado, J. E., 2007. Filtered importance sampling with support vector margin: a powerful method for structural reliability analysis. Structural Safety, 29, pp. 2-15. IAEA, 1991. Safety related terms for advanced nuclear plant. IAEA TECDOC-626. Jafari, J., D’ Auria, F., Kazeminejad, H., Davilu, H., 2003. Reliability evaluation of a natural circulation system. Nuclear Engineering and Design, 224, 79-104. 18

PAPER V – N. Pedroni, E. Zio, G. E. Apostolakis / Reliability Engineering and System Safety (2009), doi: 10.1016/j.ress.2009.11.009

Liel, A. B., Haselton, C. B., Deierlein, G. G., Baker, J. W., 2009. Incorporating modeling uncertainties in the assessment of seismic collapse risk of buildings. Structural Safety, 31(2), pp. 197-211. Mackay F. J., Apostolakis, G. E., Hejzlar, P., 2008. Incorporating reliability analysis into the design of passive cooling systems with an application to a gas-cooled reactor. Nuclear Engineering and Design, 238(1), pp. 217-228. Marquès, M., Pignatel, J. F., Saignes, P., D’ Auria, F., Burgazzi, L., Müller, C., BoladoLavin, R., Kirchsteiger, C., La Lumia, V., Ivanov, I., 2005. Methodology for the reliability evaluation of a passive system and its integration into a probabilistic safety assessment. Nuclear Engineering and Design, 235, 2612-2631. Marrel, A., Iooss, B., Laurent, B., Roustant, O., 2009. Calculations of Sobol indices for the Gaussian process metamodel. Reliability Engineering and System Safety, vol., 94, pp. 742-751. Mathews, T. S., Ramakrishnan, M., Parthasarathy, U., John Arul, A., Senthil Kumar, C., 2008. Functional reliability analysis of safety grade decay heat removal system of Indian 500 MWe PFBR. Nuclear Engineering and Design, 238(9), pp. 2369-2376. NUREG-1150, 1990. Severe accident risk: an assessment for five US nuclear power plants, US Nuclear Regulatory Commission. Pagani, L., Apostolakis, G. E. and Hejzlar, P., 2005. The impact of uncertainties on the performance of passive systems. Nuclear Technology, 149, 129-140. Patalano, G., Apostolakis, G. E., Hejzlar, P., 2008. Risk-informed design changes in a passive decay heat removal system. Nuclear Technology, vol. 163, pp. 191-208. Rumelhart, D. E., Hinton, G. E., Williams, R. J., 1986. Learning internal representations by error back-propagation. In Rumelhart, D. E. and McClelland, J. L. (Eds.), Parallel distributed processing: exploration in the microstructure of cognition (vol. 1). Cambridge (MA): MIT Press. Schueller, G. I., 2007. On the treatment of uncertainties in structural mechanics and analysis. Computers and Structures, 85, pp. 235-243. Secchi, P., Zio, E., Di Maio, F., 2008. Quantifying uncertainties in the estimation of safety parameters by using bootstrapped artificial neural networks. Annals of Nuclear Energy, 35, pp. 2338-2350. Storlie, C. B., Swiler, L. P., Helton, J. C., Sallaberry, C. J., 2008. Implementation and evaluation of nonparameteric regression procedures for sensitivity analysis of computationally demanding models. SANDIA Report n. SAND2008-6570. USNRC, 1998. “An approach for using probabilistic risk assessment in risk-informed decisions on plant-specific changes to the licensing basis.” NUREG-1.174, US Nuclear Regulatory Commission, Washington, DC. Volkova, E., Iooss, B., Van Dorpe, F., 2008. Global sensitivity analysis for a numerical model of radionuclide migration from the RRC “Kurchatov Institute” redwaste disposal site. Stoch Environ Res Assess, 22: pp. 17-31. Zhang, J. and Foschi, R. O., 2004. Performance-based design and seismic reliability analysis using designed experiments and neural networks. Probabilistic Engineering Mechanics, 19., pp. 259-267. Zio, E., 2006. A study of the bootstrap method for estimating the accuracy of artificial neural networks in predicting nuclear transient processes. IEEE Transactions on Nuclear Science, 53(3), pp.1460-1470. Zio, E. and Pedroni, N., 2009a. Estimation of the functional failure probability of a thermalhydraulic passive systems by means of Subset Simulation. Nuclear Engineering and Design, 239, pp. 580-599. 19

PAPER V – N. Pedroni, E. Zio, G. E. Apostolakis / Reliability Engineering and System Safety (2009), doi: 10.1016/j.ress.2009.11.009

Zio, E. and Pedroni, N., 2009b. Functional failure analysis of a thermal-hydraulic passive system by means of Line Sampling. Reliability Engineering and System Safety, Volume 9, Issue 11, pp. 1764-1781.

20