A framework for the system-of-systems analysis of the risk for a safety-critical plant exposed to external events
|Article code||Publication year||English article||Persian translation||Word count|
|28205||2013||12-page PDF||Place an order||10400 words|
Publisher : Elsevier - Science Direct
Journal : Reliability Engineering & System Safety, Volume 114, June 2013, Pages 114–125
We consider a critical plant exposed to risk from external events. We propose an original framework of analysis, which extends the boundaries of the study to the interdependent infrastructures which support the plant. For the purpose of clearly illustrating the conceptual framework of system-of-systems analysis, we work out a case study of seismic risk for a nuclear power plant embedded in the connected power and water distribution, and transportation networks which support its operation. The technical details of the systems considered (including the nuclear power plant) are highly simplified, in order to preserve the purpose of illustrating the conceptual, methodological framework of analysis. Yet, as an example of the approaches that can be used to perform the analysis within the proposed framework, we consider the Muir Web as system analysis tool to build the system-of-systems model and Monte Carlo simulation for the quantitative evaluation of the model. The numerical exercise, albeit performed on a simplified case study, serves the purpose of showing the opportunity of accounting for the contribution of the interdependent infrastructure systems to the safety of a critical plant. This is relevant as it can lead to considerations with respect to the decision making related to safety-critical issues.
The focus of this work is to look at the safety of a critical plant challenged by the occurrence of an external event, like earthquake, flooding, high wind, fire, lightning, volcanic eruption. We assume that properly designed and dimensioned, “internal” emergency devices are available to assure safety of the critical plant upon such disturbances, even in the case of unavailability of the infrastructure services. However, accidental events in the industrial history, e.g., the recent Fukushima disaster, show that the post-accident assurance of the full or partial safety of a critical plant in the emergency conditions of an external disastrous event may also need to resort to exceptional recovery means and actions, which need to be supported by the infrastructures connected to the critical plant. In other words, upon the occurrence of the destructive event, the surrounding environment may or may not be left in the conditions to provide “emergency assistance” to the critical plant. Indeed, considering an external event which is spatially distributed, its impact may not affect only the critical plant itself but also the areas around it, with possible damages to the interdependent infrastructures that may or may not be capable of providing the services needed for keeping or restoring the safety of the critical plant. With these considerations, we propose to extend the boundaries of the analysis for evaluating its safety by adopting a “system-of-systems” framework of analysis, which includes the interdependent infrastructures connected to the plant, in addition to its internal emergency devices, and thus examines also the “resilience” properties offered from the overall structure of the system of systems in which the plant is embedded.
For the purpose of illustrating the concepts underlying the extended framework, as quantitative indicator we consider the probability that a critical plant remains or not in a “safe state” upon the occurrence of an external event. Safe state is here used to indicate that the plant is in a condition that does not cause health and/or environmental damages. To provide an example of application of the proposed framework, we consider a case study regarding the occurrence of an earthquake (the external event) impacting on a system of systems which contains a nuclear power plant (the critical plant) that is provided with the needed emergency infrastructure systems. For exemplary purposes, the framework extends the analysis to the power and water distribution, and to the transportation networks (the interdependent infrastructure systems) that can provide services necessary for keeping or restoring the safety of the critical plant. The case study is used only to illustrate the concepts behind the framework of analysis under a system-of-systems viewpoint: for this reason, it is fictitious and admittedly highly simplified in the technical aspects (including those of the nuclear power plant and its safety systems) and strong, possibly at times not too realistic, assumptions are made to keep the focus on the methodological framework. In spite of this, for completeness the modeling and numerical evaluation are carried out by resorting to powerful methods of system analysis and stochastic simulation: Muir Web and Monte Carlo simulation. Muir Web is a system analysis technique to model a complex system and the relationships among its elements.
In the context of ecological human community, in which it has been first introduced, traditionally only the major interactions are taken into account in the system modeling: for example, with reference to the food chain, only the connections between predator and prey are usually considered, whereas other relevant and influencing relationships exist between organisms, e.g., one species may take cover for another, and other factors contribute to the food chain, e.g., abiotic elements like water, sun, soil, rainfall, wind. By the representative power of Muir Web, the traditional picture of dependencies is extended through a graph where the nodes represent all the system elements (e.g., species and abiotic factors in the ecological case) and the edges represent their dependency structure. The concept of Muir Web has been recently applied also to infrastructure systems, exploiting some similarities which exist between the ecological and the infrastructure networks: both are large scale systems with complex interactions and can fail when an external event occurs. In the case of infrastructure systems, the nodes of the web are system components, e.g., a pump, and other factors which influence the infrastructure state, e.g., a stable soil with respect to seismic hazard. In the case study worked out in this paper, the assessment is performed in two main steps: first, a conceptual map in the form of a Muir Web is built to represent all the dependencies and interdependencies among the components of the infrastructure systems connected to the nuclear power plant; then, Monte Carlo simulation is applied to compute the probability that the nuclear power plant enters in an unsafe state, accounting for the contributions of both the internal emergency devices and the connected infrastructures to support the safety of the critical plant. An analysis is also made to find how much the interdependencies would affect the safety of the nuclear power plant.
The remainder of the paper is organized as follows. In Section 2, the basic concepts of External Event Risk Assessment are introduced, with some specifics of Seismic Probabilistic Risk Assessment (SPRA) for positioning the illustrative case study used to exemplify the methodology; in Section 3, the Monte Carlo simulation framework for SPRA is described for providing the basic ground of the quantification technique used in the case study; in Section 4, the complete assessment of the case study by Muir Web and Monte Carlo simulation is presented, and the results discussed; in Section 5, conclusions and reflections are shared and future developments are provided.
English conclusion
We have presented a system-of-systems framework of analysis of the risk of a critical plant from external events, to account for the influence of the interdependent infrastructures in which the plant is embedded. For illustrating the conceptual framework of the analysis, we have made reference to an earthquake as the external event, a nuclear power plant as the critical plant and the power and water distribution, and transportation networks as the interdependent infrastructure systems. We admittedly simplified many technical details of the systems considered and made opportunistic assumptions for the purpose of preserving the focus on the conceptual, methodological framework of analysis. We provided a numerical example by resorting to the Muir Web as system analysis tool to build the system-of-systems model and Monte Carlo simulation for the quantitative evaluation of the model. In particular, the following analyses have been carried out:
a. a comparison between the probabilities that the nuclear power plant reaches an unsafe state after an earthquake of a given magnitude, depending on different site-to-source distances: as expected, the higher the distance, the lower is the probability to get to an unsafe state;
b. a comparison of the previous probabilities (a.), obtained in the case of dependence of the nuclear power plant on the interconnected infrastructure systems, with those obtained in the case of independence, i.e., considering the nuclear power plant as an isolated system provided only by its internal emergency devices: the results show that the probability to reach an unsafe state is higher in this latter case and, in particular, the “resilience” contribution of the interdependent systems to the safety of the nuclear power plant is significant for low magnitudes when the source-to-site distance is small, and for high magnitudes when the source-to-site distance is big;
c. a comparison of the previous probability (a.) for one earthquake epicenter, obtained in the case of dependence of the nuclear power plant on the interconnected infrastructure systems, with that obtained in the case of isolated infrastructure systems, i.e., removing all the inter-system links and considering all the infrastructure systems as isolated: the results show that the probability to reach an unsafe state is higher in this latter case, due to the particular “redundancy” role of the road accesses under the assumption of immediate recovery of the components;
d. the same comparison as in c, but considering, for the isolated case, the dependence between the road accesses and the corresponding components and maintaining the independence among the other systems: the results show that in this case the probability to reach an unsafe state is lower; this means that the inter-system links among the power and water systems increase the probability of failure of the system of systems and, thus, of the nuclear power plant being in an unsafe state.
The results of the analyses, albeit performed on a simplified case study and under limiting assumptions, highlight that the interdependent infrastructure systems may play a role for the safety of a critical plant, and it thus seems advisable to include them in the analysis framework. In fact, they can provide additional support to the safety of the critical plant providing inputs necessary for its safe operation (results of case b. above), but their contribution can be reduced by their interconnections as shown in the case d. above. This is relevant as it can lead to considerations with respect to the decision making related to safety-critical issues. One may even imagine considering the optimization of some controllable characteristics of the system of systems with the objective of increasing the safety of the critical plant.
This could be done by a thorough analysis to identify the most important elements in the system of systems and a cost/benefit analysis to rationally direct the investments of efforts and resources for improving their structural/functional responses, within a comprehensive system-of-systems approach. Note that although the driving case study for the illustration of the framework has considered a nuclear power plant as the critical plant, others can be analyzed with their specificities, e.g., chemical process and oil & gas plants or refineries which can release toxic material, develop fires and explosions. For example, loss of offsite power occurred during operation of a vinyl chloride monomer plant at Sodegaura, Chiba (Japan) after a strong earthquake in 1987. On that occasion, the emergency power generator started, as expected, but then it was stopped. As a consequence of the total power failure, the alkali circulation pump of the absorber stopped and the hydrochloric acid gas was released leading to environmental pollution. Future research work will be devoted to applying the framework of analysis presented to diverse systems of systems, with different specificities, and to improving it, for example, by introducing the time needed to recover the safe state of the critical plant and considering a multi-state model for the components of the system of systems. The new case studies will also allow evaluating further the Muir Web representation model and what it is capable of doing that other techniques cannot do.
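The two-step assessment described in the introduction (a dependency map, then Monte Carlo sampling) and the effects reported in b. and d. above can be sketched on a toy model. This is an added example, not the paper's model: the four elements, their failure probabilities and the single power-to-water link are constructed for illustration.

```python
import random

# Constructed probabilities that each element fails directly in the earthquake.
P_FAIL = {"diesel": 0.10, "pool": 0.05, "power_grid": 0.30, "water_pump": 0.20}
# Muir-Web-style edges: element -> elements it needs in order to function.
LINKS = {"water_pump": ["power_grid"]}
# Plant safety functions; each needs at least one working provider.
FUNCTIONS = {"power": ["diesel", "power_grid"], "cooling_water": ["pool", "water_pump"]}
INTERNAL = {"diesel", "pool"}  # the plant's own emergency devices

def works(node, direct_ok, links, seen=()):
    """A node works if it survived and every element it depends on works.
    A dependency cycle is treated (conservatively) as a failure."""
    if not direct_ok[node] or node in seen:
        return False
    return all(works(d, direct_ok, links, seen + (node,)) for d in links.get(node, []))

def p_unsafe(scenario, trials=100_000, seed=1):
    """Estimate P(unsafe) for 'isolated_plant', 'unlinked' or 'interdependent'."""
    rng = random.Random(seed)  # same seed across scenarios: common random numbers
    links = LINKS if scenario == "interdependent" else {}
    unsafe = 0
    for _ in range(trials):
        direct_ok = {n: rng.random() >= p for n, p in P_FAIL.items()}
        for providers in FUNCTIONS.values():
            usable = [n for n in providers if scenario != "isolated_plant" or n in INTERNAL]
            if not any(works(n, direct_ok, links) for n in usable):
                unsafe += 1  # one lost safety function is enough
                break
    return unsafe / trials

if __name__ == "__main__":
    for s in ("isolated_plant", "interdependent", "unlinked"):
        print(f"{s:15s} P(unsafe) ~ {p_unsafe(s):.4f}")
```

With these constructed numbers the isolated plant is the least safe, the supporting infrastructures lower the probability of an unsafe state, and the power-to-water link gives back part of that gain.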