Mirror, Mirror on the Wall Do You See Me at All? The Cyber-Physical Gap and its Implications on Risks: Modeling Nuclear Hazards Mitigation

Mirror, Mirror on the Wall, Do You See Me at All? The Cyber-Physical Gap and its Implications on Risks: Modeling Nuclear Hazards Mitigation
Dov Dori
Massachusetts Institute of Technology (visiting)
Technion, Israel Institute of Technology
UTSA, Nov. 7, 2014

Multiple engineering professionals talk different languages
Mechanical engineers, civil engineers, electronics engineers, software engineers
Systems engineers are supposed to design systems and integrate these languages.
What language do they talk?

Systems Engineers Do Have Languages
Systems Modeling Language (SysML): OMG standard since 2007
Object-Process Methodology (OPM): OPM book published in 2002; ISO Standard 19450 as of Aug. 2014 (formally: 19450 Publicly Available Specification)
OPM software: OPCAT, freely downloadable from http://esml.iem.technion.ac.il/ along with papers and other resources

The Six Leading MBSE Methodologies (INCOSE Task Force, Estefan, 2008, p. 43)
1. IBM Telelogic Harmony-SE
2. INCOSE Object-Oriented Systems Engineering Method (OOSEM)
3. IBM Rational Unified Process for Systems Engineering (RUP SE) for Model-Driven Systems Development (MDSD)
4. Vitech Model-Based System Engineering (MBSE) Methodology
5. JPL State Analysis (SA)
6. Object-Process Methodology (OPM): 2014 ISO 19450 Standard (PAS)
SysML was not surveyed since it is a language, not a methodology.

The idea behind conceptual modeling
[Figure: conceived reality is modeled by modeled reality. A Vehicle (Aircraft, Bus, Car) is modeled by an Object; Gas Filling is modeled by an Energy Replenishing Process.]
Using graphical symbols, the model expresses physical things (objects and processes) and relations among them.

The Object-Process Theorem
Stateful objects, processes, and relations among them constitute a necessary and sufficient universal ontology.
Corollary: Using stateful objects, processes, and relations among them, one can model systems in any domain.

Compact Ontology: OPM as a language with a minimal alphabet
OPM uses the smallest alphabet:
Two types of things: (1) stateful objects, (2) processes
Two families of links: (1) structural link: connects two objects; (2) procedural link: connects a process with an object or an object state

Object-Process Methodology (OPM) Things: Objects and Processes
Object: a thing that exists or might exist, physically or informatically
Process: a thing that transforms one or more objects

Processes transform objects by:
(1) Consuming them
(2) Creating them
(3) Changing their state

Any OPM Thing is one of:
1. Stateful Object
2. Process
All the other elements are relations between things, expressed graphically as links.

OPM unifies the three main system aspects:
Function (why the system is built)
Structure (static aspect: what the system is made of)
Behavior (dynamic aspect: how the system changes over time)
These aspects are expressed bi-modally, in graphics and equivalent text, in a single model.

Thing's Essence and Affiliation Attributes
In OPM, a Thing (Object or Process) has two key attributes: Essence and Affiliation.
Essence pertains to the thing's nature: it denotes whether the thing is physical or informatical.
Affiliation pertains to the thing's scope: it denotes whether the thing is systemic, i.e. part of the system, or environmental, i.e. part of the system's environment.
[Figure: the Essence-Affiliation attribute value combinations]

Cyber-Physical Systems: Characteristics
Software-controlled physical systems
Include physical and cybernetic components
An agent (a human decision-maker or an information and decision-making system) is the cybernetic component
Hardware (motors, actuators, VLSI chips, ...) is the physical component
Physical processes signal and induce cybernetic events, and vice versa

Essence is key to the Cyber-Physical Gap
A Thing's Essence is key to understanding and modeling the cyber-physical gap:
Physical objects in the OPM model represent what is really out there: the actual states and values of objects.
Informatical objects in the OPM model represent information about their corresponding physical objects, as available to a decision-making agent (human or artificial).
A cyber-physical gap exists when the state of the informatical object incorrectly indicates the state of the physical object it is supposed to represent.

Two main sources of cyber-physical gaps
1. Incorrect instrument reading causes agents to form a world view different from what is really out there
2. Agent's misconception or incorrect assumption, possibly triggered or supported by an incorrect measurement reading

Modeling the cyber-physical gap with OPM: The Three Mile Island 2 Accident, March 28, 1979
http://www.nrc.gov/reading-rm/doc-collections/fact-sheets/3mile-isle.html

Video: https://www.youtube.com/watch?v=0j7khfbbbmk (2:00 to 2:15)
https://www.youtube.com/watch?feature=player_detailpage&v=0j7khfbbbmk#t=121
We start with an OPM model of normal operation of an Electric Energy Generating system by a Pressurized Water Reactor.

Three OPM Models
First OPM Model: We start with an OPM model of normal operation of an Electric Energy Generating system by a Pressurized Water Reactor.
Second OPM Model: We continue with an OPM model of the reactor with the particular chain of faults with no human involvement, which culminated in the reactor core meltdown but could be prevented if humans stayed out.
Third OPM Model: We end with an OPM model of the reactor with the particular chain of faults, accounting for the cyber-physical gap that worked against the built-in security measures, ensuring the reactor core meltdown.

First OPM Model: Electric Energy Generating by a Pressurized Water Reactor
Electric Energy Generating in-zoomed: animated simulation
Turbine Spinning in-zoomed: animated simulation
Electric Energy successfully generated

Auto-generated Object-Process Language (OPL) Example
Feedwater can be cooling tower, condensor, or steam generator. cooling tower is initial.
Pressurized Water Reactor consists of Reactor Secondary Unit, Reactor Primary Unit, and Cooling Tower.
Reactor Secondary Unit consists of Turbine, Generator, and Main Feedwater Pump.
Turbine consists of Condensate Pump.
Condensate Pump can be operational or tripped. operational is initial.
Main Feedwater Pump can be operational or tripped. operational is initial.
Reactor Primary Unit consists of Reactor Core and Steam Generator.
Cooling Tower consists of Circulating Water Pump.
Electric Energy Generating is physical.
Electric Energy Generating consists of Controlled Nuclear Reaction, Steam Generating, Turbine Spinning, and Electricity Generating.
Electric Energy Generating requires Pressurized Water Reactor and Cooling Tower.
Electric Energy Generating yields Electric Energy.
Electric Energy Generating zooms into Controlled Nuclear Reaction, Steam Generating, Turbine Spinning, and Electricity Generating.
Controlled Nuclear Reaction affects Reactor Core.
Controlled Nuclear Reaction yields Heat Energy.
Steam Generating affects Steam Generator.
Steam Generating consumes Heat Energy.
Steam Generating yields Steam.
Turbine Spinning consists of Turbine Water Circulating, Water Cooling, Turbine Heat Removing, and Steam Generator Water Circulating.
Turbine Spinning affects Turbine.
Turbine Spinning consumes Steam.
Turbine Spinning yields Mechanical Energy.
Turbine Spinning zooms into Water Cooling, Turbine Water Circulating, Turbine Heat Removing, and Steam Generator Water Circulating.
Water Cooling consumes Steam.
Water Cooling yields cooling tower Feedwater.
Turbine Water Circulating requires Circulating Water Pump.
Turbine Water Circulating changes Feedwater from cooling tower to condensor.
Turbine Heat Removing requires condensor Feedwater.
Turbine Heat Removing yields Mechanical Energy.
Steam Generator Water Circulating occurs if Main Feedwater Pump is operational and Condensate Pump is operational.
Steam Generator Water Circulating changes Feedwater from condensor to steam generator.
Electricity Generating requires Generator.
Electricity Generating consumes Mechanical Energy.
Electricity Generating yields Electric Energy.
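The OPL text above is a formal language, so it can be parsed back into the model it describes. The following parser is an added example written for this page; it is not OPCAT's code and not part of the ISO 19450 specification. It handles only the sentence forms that actually occur on the slide (state declarations, initial states, aggregation, essence, the consumes/yields/affects/requires links, state changes, in-zooming and "occurs if" preconditions), and it resolves a state-qualified object such as "condensor Feedwater" back to the object and state pair. The helper `can_occur` evaluates a process's "occurs if" clause against a given set of object states; the sample text is a subset of the slide's sentences copied verbatim.

```python
import re
from collections import defaultdict

# Subset of the auto-generated OPL sentences from the slide above, copied verbatim.
OPL_SAMPLE = """
Feedwater can be cooling tower, condensor, or steam generator. cooling tower is initial.
Pressurized Water Reactor consists of Reactor Secondary Unit, Reactor Primary Unit, and Cooling Tower.
Main Feedwater Pump can be operational or tripped. operational is initial.
Condensate Pump can be operational or tripped. operational is initial.
Electric Energy Generating is physical.
Electric Energy Generating requires Pressurized Water Reactor and Cooling Tower.
Electric Energy Generating zooms into Controlled Nuclear Reaction, Steam Generating, Turbine Spinning, and Electricity Generating.
Steam Generating consumes Heat Energy. Steam Generating yields Steam.
Turbine Water Circulating changes Feedwater from cooling tower to condensor.
Turbine Heat Removing requires condensor Feedwater.
Water Cooling yields cooling tower Feedwater.
Steam Generator Water Circulating occurs if Main Feedwater Pump is operational and Condensate Pump is operational.
Electricity Generating requires Generator.
"""


def _split_list(text):
    # "A, B, and C" / "A or B" / "A, B, or C" -> ["A", "B", "C"]
    text = re.sub(r",?\s+(and|or)\s+", ", ", text)
    return [x.strip() for x in text.split(",") if x.strip()]


def _qualify(target, objects):
    # "condensor Feedwater" -> ("Feedwater", "condensor") when the prefix is a declared state
    for name, info in objects.items():
        if target.endswith(" " + name) and target[: -len(name) - 1] in info["states"]:
            return (name, target[: -len(name) - 1])
    return (target, None)


def parse_opl(text):
    """Parse OPL sentences into objects (with states), part-whole relations and processes."""
    objects = defaultdict(lambda: {"states": [], "initial": None})
    parts = {}                      # whole -> list of parts (objects or processes)
    processes = {}
    unparsed = []

    def proc(name):
        return processes.setdefault(name, {"essence": None, "consumes": [], "yields": [],
                                           "affects": [], "requires": [], "changes": [],
                                           "occurs_if": [], "zooms_into": []})

    last_object = None              # "X is initial" refers to the most recent "can be" sentence
    for s in filter(None, re.split(r"\.(?:\s+|$)", text.strip())):
        if m := re.fullmatch(r"(.+?) can be (.+)", s):
            last_object = m.group(1)
            objects[last_object]["states"] = _split_list(m.group(2))
        elif m := re.fullmatch(r"(.+?) is initial", s):
            objects[last_object]["initial"] = m.group(1)
        elif m := re.fullmatch(r"(.+?) consists of (.+)", s):
            parts[m.group(1)] = _split_list(m.group(2))
        elif m := re.fullmatch(r"(.+?) is (physical|informatical)", s):
            proc(m.group(1))["essence"] = m.group(2)
        elif m := re.fullmatch(r"(.+?) zooms into (.+)", s):
            proc(m.group(1))["zooms_into"] = _split_list(m.group(2))
        elif m := re.fullmatch(r"(.+?) changes (.+?) from (.+?) to (.+)", s):
            proc(m.group(1))["changes"].append((m.group(2), m.group(3), m.group(4)))
        elif m := re.fullmatch(r"(.+?) occurs if (.+)", s):
            conds = [tuple(c.split(" is ")) for c in m.group(2).split(" and ")]
            proc(m.group(1))["occurs_if"] = conds
        elif m := re.fullmatch(r"(.+?) (consumes|yields|affects|requires) (.+)", s):
            for target in _split_list(m.group(3)):
                proc(m.group(1))[m.group(2)].append(_qualify(target, objects))
        else:
            unparsed.append(s)      # anything outside the supported subset is reported, not dropped
    return {"objects": dict(objects), "parts": parts, "processes": processes, "unparsed": unparsed}


def can_occur(model, process, current_states):
    """Evaluate a process's 'occurs if' preconditions against a dict of object -> state."""
    return all(current_states.get(obj) == state
               for obj, state in model["processes"][process]["occurs_if"])


if __name__ == "__main__":
    model = parse_opl(OPL_SAMPLE)
    for name, info in model["processes"].items():
        print(name, info)
    print("unparsed:", model["unparsed"])
```

The parser reports unsupported sentences in `unparsed` rather than silently skipping them, which is the behaviour you want when a model text is the input to any downstream safety analysis.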

When Things Start Going Wrong: Summary of Events
http://www.nrc.gov/reading-rm/doc-collections/fact-sheets/3mile-isle.html#summary
"The [TMI2] accident began about 4 a.m. on Wednesday, March 28, 1979, when the plant experienced a failure in the secondary, non-nuclear section of the plant (one of two reactors on the site). Either a mechanical or electrical failure prevented the main feedwater pumps from sending water to the steam generators that remove heat from the reactor core. This caused the plant's turbine-generator and then the reactor itself to automatically shut down. Immediately, the pressure in the primary system (the nuclear portion of the plant) began to increase. In order to control that pressure, the pilot-operated relief valve [PORV] (a valve located at the top of the pressurizer) opened. The valve should have closed when the pressure fell to proper levels, but it became stuck open."

Second OPM Model: Failing Pressurized Water Reactor Operation, no cyber-physical gap
Pump Failing changes Pump from operational to tripped
Tripped Pumps cause too high Pressure
Too high Pressure causes PORV to open normally
PORV Mechanical Failing causes PORV stuck open
Due to PORV stuck open, Primary Cooling Water escapes!
Reactor Core is melted

As if this is not bad enough: The Cyber-Physical Gap
http://www.nrc.gov/reading-rm/doc-collections/fact-sheets/3mile-isle.html#summary
"The valve should have closed when the pressure fell to proper levels, but it became stuck open. Instruments in the control room, however, indicated to the plant staff that the valve was closed. As a result, the plant staff was unaware that cooling water was pouring out of the stuck-open valve. As coolant flowed from the primary system through the valve, other instruments available to reactor operators provided inadequate information. There was no instrument that showed how much water covered the core. As a result, plant staff assumed that as long as the pressurizer water level was high, the core was properly covered with water. As alarms rang and warning lights flashed, the operators did not realize that the plant was experiencing a loss-of-coolant accident. They took a series of actions that made conditions worse. The water escaping through the stuck valve reduced primary system pressure so much that the reactor coolant pumps had to be turned off to prevent dangerous vibrations. To prevent the pressurizer from filling up completely, the staff reduced how much emergency cooling water was being pumped in to the primary system. These actions starved the reactor core of coolant, causing it to overheat."

Third OPM Model: The Cyber-Physical Model Version
Secondary pumps are tripped; problems start
Pressure builds; PORV opens to relieve the too high pressure
PORV Closing fails due to sticky PORV; PORV gets stuck open

Crew uses false indication to determine that PORV is closed
First cyber-physical gap, incorrect instrument reading: PORV is (stuck) open, but due to the false "PORV closed" indication, the Crew determines PORV is closed!
[Diagram legend: physical object shaded, informatical object not shaded]

Since PORV is closed, Crew determines Core Water Level high
Second cyber-physical gap, agent misconception: since PORV is believed to be closed, the Crew determines that Core Water Level is too high, while in reality it is low and still depleting!
[Diagram legend: physical object shaded, informatical object not shaded]

When Pressure is too high, Emergency Water is supplied
Second cyber-physical gap: since PORV is believed to be closed, the Crew determines that Core Water Level is too high, while in reality it is low and depleting!

... but the Crew stops the water supply, starving the reactor core of coolant, causing it to overheat
Final blow due to the second cyber-physical gap: Crew applies Emergency Water Supply Stopping since it determined Core Water Level to be too high, making it too low

Summary 1/2
The cyber-physical gap is a critical factor.
It must be accounted for when designing systems, notably safety-critical ones.
OPM is suitable for modeling cyber-physical gaps, due to its notion of essence: physical vs. informatical things.

Summary 2/2
The model can be instrumental in helping designers consider how hazardous situations might arise.
This still leaves us with the hard state explosion problem:
How to consider the exponential number of system states (combinations of all object states)
How to test the sheer number of system states to determine the potential hazard of each
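The state explosion the summary refers to is the product of all object state counts; what a designer actually has to examine is the subset reachable through the model's processes. The following added example (written for this page, not part of the author's work) states a small version of the second OPM model as objects with states and processes with preconditions and effects, all constructed to follow the slides' vocabulary, then explores the reachable system states breadth-first and extracts the shortest process sequence leading to a hazardous state. Process names and their pre/post-states are the example's own simplification of the slides, not OPCAT output.

```python
from collections import deque
from math import prod

# Constructed toy model after the second OPM model's slides (not the author's OPCAT model).
OBJECT_STATES = {
    "Main Feedwater Pump": ["operational", "tripped"],
    "Pressure": ["normal", "too high", "falling"],
    "PORV": ["closed", "open", "stuck open"],
    "Emergency Water Supply": ["off", "on", "stopped"],
    "Core Water Level": ["high", "low", "too low"],
}
OBJECTS = list(OBJECT_STATES)        # fixed order used for the state tuples below

# Processes as (name, preconditions, effects); each a dict of object -> state.
PROCESSES = [
    ("Pump Failing", {"Main Feedwater Pump": "operational"}, {"Main Feedwater Pump": "tripped"}),
    ("Pressure Rising", {"Main Feedwater Pump": "tripped", "Pressure": "normal"}, {"Pressure": "too high"}),
    ("PORV Opening", {"Pressure": "too high", "PORV": "closed"}, {"PORV": "open"}),
    ("PORV Closing", {"PORV": "open"}, {"PORV": "closed", "Pressure": "normal"}),
    ("PORV Mechanical Failing", {"PORV": "open"}, {"PORV": "stuck open"}),
    ("Primary Cooling Water Escaping", {"PORV": "stuck open", "Core Water Level": "high"},
     {"Pressure": "falling", "Core Water Level": "low"}),
    ("Emergency Water Supplying", {"Core Water Level": "low", "Emergency Water Supply": "off"},
     {"Emergency Water Supply": "on"}),
    ("Emergency Water Supply Stopping", {"Emergency Water Supply": "on"},
     {"Emergency Water Supply": "stopped"}),
    ("Core Starving", {"Emergency Water Supply": "stopped", "Core Water Level": "low"},
     {"Core Water Level": "too low"}),
]
HAZARD = {"Core Water Level": "too low"}


def initial_state():
    # Each object starts in the first state listed for it.
    return tuple(OBJECT_STATES[o][0] for o in OBJECTS)


def combinatorial_count():
    """Number of system states if every combination of object states is counted."""
    return prod(len(s) for s in OBJECT_STATES.values())


def matches(state, conditions):
    return all(state[OBJECTS.index(o)] == s for o, s in conditions.items())


def apply_effects(state, effects):
    new = list(state)
    for o, s in effects.items():
        new[OBJECTS.index(o)] = s
    return tuple(new)


def explore():
    """Breadth-first search over reachable system states. Returns (reachable, parents)."""
    start = initial_state()
    parents = {start: None}          # state -> (predecessor state, process that led here)
    queue = deque([start])
    while queue:
        state = queue.popleft()
        for name, pre, eff in PROCESSES:
            if matches(state, pre):
                nxt = apply_effects(state, eff)
                if nxt not in parents:
                    parents[nxt] = (state, name)
                    queue.append(nxt)
    return set(parents), parents


def hazard_trace():
    """Shortest sequence of processes from the initial state to a hazardous state, or None."""
    reachable, parents = explore()
    for state in reachable:
        if matches(state, HAZARD):
            path = []
            while parents[state] is not None:
                state, name = parents[state]
                path.append(name)
            return path[::-1]
    return None


if __name__ == "__main__":
    reachable, _ = explore()
    print("combinatorial states:", combinatorial_count(), "reachable:", len(reachable))
    print("path to hazard:", " -> ".join(hazard_trace()))
```

Even this toy model cuts the combinatorial count from 162 to 9 reachable states, and the trace it produces is exactly the fault chain of the second OPM model. Adding the informatical objects of the third model to the same exploration is how one would enumerate, rather than guess, the states in which a cyber-physical gap exists.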

Questions and (hopefully) Answers
Contact: Dov Dori, dori@mit.edu