Formal development and quantitative verification of dependable systems

-

Rigorous development of safety-critical systems

Nowadays, computer-based systems tend to become more complex and control increasingly critical functions affecting different areas of human activities. Failures of such systems might result in loss of human lives as well as significant damage to the environment. Therefore, their safety needs to be ensured. However, the development of safety-critical systems is not a trivial exercise. Hence, to preclude design faults and guarantee the desired behaviour, different industrial standards prescribe the use of rigorous techniques for development and verification of such systems. The more critical the system is, the more rigorous approach should be undertaken. To ensure safety of a critical computer-based system, satisfaction of the safety requirements imposed on this system should be demonstrated. This task involves a number of activities. In particular, a set of the safety requirements is usually derived by conducting various safety analysis techniques. Strong assurance that the system satisfies the safety requirements can be provided by formal methods, i.e., mathematically-based techniques. At the same time, the evidence that the system under consideration meets the imposed safety requirements might be demonstrated by constructing safety cases. However, the overall safety assurance process of critical computerbased systems remains insufficiently defined due to the following reasons. Firstly, there are semantic differences between safety requirements and formal models. Informally represented safety requirements should be translated into the underlying formal language to enable further veri cation. Secondly, the development of formal models of complex systems can be labour-intensive and time consuming. Thirdly, there are only a few well-defined methods for integration of formal verification results into safety cases. This thesis proposes an integrated approach to the rigorous development and verification of safety-critical systems that (1) facilitates elicitation of safety requirements and their incorporation into formal models, (2) simplifies formal modelling and verification by proposing specification and refinement patterns, and (3) assists in the construction of safety cases from the artefacts generated by formal reasoning. Our chosen formal framework is Event-B. It allows us to tackle the complexity of safety-critical systems as well as to structure safety requirements by applying abstraction and stepwise refinement. The Rodin platform, a tool supporting Event-B, assists in automatic model transformations and proof-based verification of the desired system properties. The proposed approach has been validated by several case studies from different application domains.

The biotechnology of lactic acid bacteria with emphasis on applications in food safety and human health

Selostus: Terveyttä ja ruoan turvallisuutta edistävät maitohappobakteerien biotekniset sovellukset

Experimental thermal hydraulic studies on the enhancement of safety of LWRs

The safe use of nuclear power plants (NPPs) requires a deep understanding of the functioning of physical processes and systems involved. Studies on thermal hydraulics have been carried out in various separate effects and integral test facilities at Lappeenranta University of Technology (LUT) either to ensure the functioning of safety systems of light water reactors (LWR) or to produce validation data for the computer codes used in safety analyses of NPPs. Several examples of safety studies on thermal hydraulics of the nuclear power plants are discussed. Studies are related to the physical phenomena existing in different processes in NPPs, such as rewetting of the fuel rods, emergency core cooling (ECC), natural circulation, small break loss-of-coolant accidents (SBLOCA), non-condensable gas release and transport, and passive safety systems. Studies on both VVER and advanced light water reactor (ALWR) systems are included. The set of cases include separate effects tests for understanding and modeling a single physical phenomenon, separate effects tests to study the behavior of a NPP component or a single system, and integral tests to study the behavior of the whole system. In the studies following steps can be found, not necessarily in the same study. Experimental studies as such have provided solutions to existing design problems. Experimental data have been created to validate a single model in a computer code. Validated models are used in various transient analyses of scaled facilities or NPPs. Integral test data are used to validate the computer codes as whole, to see how the implemented models work together in a code. In the final stage test results from the facilities are transferred to the NPP scale using computer codes. Some of the experiments have confirmed the expected behavior of the system or procedure to be studied; in some experiments there have been certain unexpected phenomena that have caused changes to the original design to avoid the recognized problems. This is the main motivation for experimental studies on thermal hydraulics of the NPP safety systems. Naturally the behavior of the new system designs have to be checked with experiments, but also the existing designs, if they are applied in the conditions that differ from what they were originally designed for. New procedures for existing reactors and new safety related systems have been developed for new nuclear power plant concepts. New experiments have been continuously needed.

Modelling of a Hydrogen Catalytic Recombiner for Nuclear Power Plant Containment Studies; Case: Siemens FR90/1-150 Recombiner in TONUS OD Code

Ydinvoimalaitokset on suunniteltu ja rakennettu niin, että niillä on kyky selviytyä erilaisista käyttöhäiriöistä ja onnettomuuksista ilman laitoksen vahingoittumista sekä väestön ja ympäristön vaarantumista. On erittäin epätodennäköistä, että ydinvoimalaitosonnettomuus etenee reaktorisydämen vaurioitumiseen asti, minkä seurauksena sydänmateriaalien hapettuminen voi tuottaa vetyä. Jäädytyspiirin rikkoutumisen myötä vety saattaa kulkeutua ydinvoimalaitoksen suojarakennukseen, jossa se voi muodostaa palavan seoksen ilman hapen kanssa ja palaa tai jopa räjähtää. Vetypalosta aiheutuvat lämpötila- ja painekuormitukset vaarantavat suojarakennuksen eheyden ja suojarakennuksen sisällä olevien turvajärjestelmien toimivuuden, joten tehokas ja luotettava vedynhallintajärjestelmä on tarpeellinen. Passiivisia autokatalyyttisiä vetyrekombinaattoreita käytetäänyhä useammissa Euroopan ydinvoimaitoksissa vedynhallintaan. Nämä rekombinaattorit poistavat vetyä katalyyttisellä reaktiolla vedyn reagoidessa katalyytin pinnalla hapen kanssa muodostaen vesihöyryä. Rekombinaattorit ovat täysin passiivisiaeivätkä tarvitse ulkoista energiaa tai operaattoritoimintaa käynnistyäkseen taitoimiakseen. Rekombinaattoreiden käyttäytymisen tutkimisellatähdätään niiden toimivuuden selvittämiseen kaikissa mahdollisissa onnettomuustilanteissa, niiden suunnittelun optimoimiseen sekä niiden optimaalisen lukumäärän ja sijainnin määrittämiseen suojarakennuksessa. Suojarakennuksen mallintamiseen käytetään joko keskiarvoistavia ohjelmia (Lumped parameter (LP) code), moniulotteisia virtausmalliohjelmia (Computational Fluid Dynamics, CFD) tai näiden yhdistelmiä. Rekombinaattoreiden mallintaminen on toteutettu näissä ohjelmissa joko kokeellisella, teoreettisella tai yleisellä (eng. Global Approach) mallilla. Tämä diplomityö sisältää tulokset TONUS OD-ohjelman sisältämän Siemens FR90/1-150 rekombinaattorin mallin vedynkulutuksen tarkistuslaskuista ja TONUS OD-ohjelmalla suoritettujen laskujen tulokset Siemens rekombinaattoreiden vuorovaikutuksista. TONUS on CEA:n (Commissariat à 1'En¬ergie Atomique) kehittämä LP (OD) ja CFD -vetyanalyysiohjelma, jota käytetään vedyn jakautumisen, palamisenja detonaation mallintamiseen. TONUS:sta käytetään myös vedynpoiston mallintamiseen passiivisilla autokatalyyttisillä rekombinaattoreilla. Vedynkulutukseen vaikuttavat tekijät eroteltiin ja tutkittiin yksi kerrallaan. Rekombinaattoreiden vuorovaikutuksia tutkittaessa samaan tilavuuteen sijoitettiin eri kokoisia ja eri lukumäärä rekombinaattoreita. Siemens rekombinaattorimalli TONUS OD-ohjelmassa laskee vedynkulutuksen kuten oletettiin ja tulokset vahvistavat TONUS OD-ohjelman fysikaalisen laskennan luotettavuuden. Mahdollisia paikallisia jakautumia tutkitussa tilavuudessa ei voitu havaita LP-ohjelmalla, koska se käyttäälaskennassa suureiden tilavuuskeskiarvoja. Paikallisten jakautumien tutkintaan tarvitaan CFD -laskentaohjelma.

Verification of a dynamic laboratory scale former

Laboratoriomittakaavainen formeri on välttämätön, jotta paperinvalmistusprosessin jäljitteleminen olisi mahdollista. Vaikka erilaisia formereita löytyykin paperiteollisuudesta, tilaa on kuitenkin laboratoriomittakaavaiselle paperinvalmistusmenetelmälle, joka sijoittuisipilottikoneen ja perinteisen laboratorioarkkimuotin välille. Formeri, jolla saadaan aikaiseksi oikean paperinvalmistuksen kaltaiset olosuhteet ja ilmiöt on kehitetty, ja sen toiminta on testattu Nalcon Papermaking Centreof Excellence:ssä Espoossa. Formeri on yhdistetty Nalcon lähestymisjärjetelmäsimulaattoriin ja simulaattorilla aikaansaadut hydro-kemialliset ilmiöt voidaan testata nyt myös arkeista. Laitteessa on perälaatikko ja viiraosa. Perälaatikosta massa virtaa viiralle, joka liikkuu eteenpäin hihnakuljettimen hihnojen päällä. Suihku-viira -suhdetta voidaan muuttaa joko muuttamalla virtausnopeutta tai viiran nopeutta tai säätämällä perälaatikon huuliaukkoa. Formerintoiminnan testaus osoitti, että se toimii teknisesti hyvin ja tulokset ovat toistettavia ja loogisia. Arkeissa kuidut ovat orientoituneet, formaatio ja vetolujuussuhde KS/PS riippuvat voimakkaasti suihku-viira -suhteesta, kuten oikeillakinpaperikoneilla.

Validation Studies of Thermal-hydraulic Code for Safety Analysis of Nuclear Power Plants

This thesis gives an overview of the validation process for thermal hydraulic system codes and it presents in more detail the assessment and validation of the French code CATHARE for VVER calculations. Three assessment cases are presented: loop seal clearing, core reflooding and flow in a horizontal steam generator. The experience gained during these assessment and validation calculations has been used to analyze the behavior of the horizontal steam generator and the natural circulation in the geometry of the Loviisa nuclear power plant. The cases presented are not exhaustive, but they give a good overview of the work performed by the personnel of Lappeenranta University of Technology (LUT). Large part of the work has been performed in co-operation with the CATHARE-team in Grenoble, France. The design of a Russian type pressurized water reactor, VVER, differs from that of a Western-type PWR. Most of thermal-hydraulic system codes are validated only for the Western-type PWRs. Thus, the codes should be assessed and validated also for VVER design in order to establish any weaknesses in the models. This information is needed before codes can be used for the safety analysis. Theresults of the assessment and validation calculations presented here show that the CATHARE code can be used also for the thermal-hydraulic safety studies for VVER type plants. However, some areas have been indicated which need to be reassessed after further experimental data become available. These areas are mostly connected to the horizontal stem generators, like condensation and phase separation in primary side tubes. The work presented in this thesis covers a large numberof the phenomena included in the CSNI code validation matrices for small and intermediate leaks and for transients. Also some of the phenomena included in the matrix for large break LOCAs are covered. The matrices for code validation for VVER applications should be used when future experimental programs are planned for code validation.

Practical Solutions for Increased Safety in Paper Mill Operations

Tämä diplomityö käsittelee työterveys- ja työturvallisuushallinnan (TTT) sekä ympäristönsuojelun ongelmia ja riskejä, joita tehdasalueen toiminnanharjoittaja kohtaa ulkoistaessaan tehdastoimintojaan ja siirtyessään käyttämään 24 h ulkoisia kunnossapitopalveluja. Teoriaosa selventää ulkoistukseen liittyviä lainmukaisia määräyksiä ja vaatimuksia koskien terveyden, turvallisuuden ja ympäristöongelmien hallintaa sellu-, paperi- ja kartonkitehtaissa Euroopassa, Yhdysvalloissa ja Suomessa. TTT-toiminnan tason sekä ympäristönsuojelun tason mittaamisen ongelmat tuodaan esille. Olemassa olevia kansainvälisiä TTT-johtamisjärjestelmien ja ympäristöjärjestelmien standardeja, riskien hallintatyökaluja ja ohjelmia esitellään lyhyesti. Käytännön osa toteutettiin tapaustutkimuksena, jonka kohteena oli Äänekosken tehdaskombinaatti ja kemianteollisuuden laitos, Noviant CMC Oy. TTT-hallintatoimien ja ympäristönsuojelun ongelmia tutkitaan tehdastoimintoja ulkoistettaessa. Integroidun johtamisjärjestelmän auditointimenettelyt, ulkoistuksen kohdealueet, pk-yrityksien riskien hallinta ja ulkoisten työntekijöiden turvallisuuskoulutus ovat erityisen tarkastelun alla. Käyttäen hyväksi kerättyä TTT- ja ympäristöaineistoa, suunniteltiin malli ja sisältöehdotus uudelle internet-selain tyyppiselle työkalulle TTT- ja ympäristöasioiden hallinnan avuksi. Työkalu on tarkoitettu palvelemaan Noviant CMC Oy:n eri sidosryhmien tarpeita. Diplomityön käytännön osa muodostaa pohjan JP MILLSAFE - pilottiprojektille, joka käynnistettiin internet-selain tyyppisen turvallisuuspalvelusovelluksen kehittämiseksi palvelemaan Äänekosken tehdaskombinaatin eri sidosryhmien tarpeita.

Transforming Maritime Safety Culture. Evaluation of the impacts of the ISM Code on maritime safety culture in Finland

The purpose of the METKU Project (Development of Maritime Safety Culture) is to study how the ISM Code has influenced the safety culture in the maritime industry. This literature review is written as a part of the Work Package 2 which is conducted by the University of Turku, Centre for Maritime Studies. The maritime traffic is rapidly growing in the Baltic Sea which leads to a growing risk of maritime accidents. Particularly in the Gulf of Finland, the high volume of traffic causes a high risk of maritime accidents. The growing risks give us good reasons for implementing the research project concerning maritime safety and the effectiveness of the safety measures, such as the safety management systems. In order to reduce maritime safety risks, the safety management systems should be further developed. The METKU Project has been launched to examine the improvements which can be done to the safety management systems. Human errors are considered as the most important reason for maritime accidents. The international safety management code (the ISM Code) has been established to cut down the occurrence of human errors by creating a safety-oriented organizational culture for the maritime industry. The ISM Code requires that a company should provide safe practices in ship operation and a safe working environment and establish safeguards against all identified risk. The fundamental idea of the ISM Code is that companies should continuously improve safety. The commitment of the top management is essential for implementing a safety-oriented culture in a company. The ISM Code has brought a significant contribution to the progress of maritime safety in recent years. Shipping companies and ships’ crews are more environmentally friendly and more safety-oriented than 12 years ago. This has been showed by several studies which have been analysed for this literature research. Nevertheless, the direct effect and influence of the ISM Code on maritime safety could not be isolated very well. No quantitative measurement (statistics/hard data) could be found in order to present the impacts of the ISM Code on maritime safety. In this study it has been discovered that safety culture has emerged and it is developing in the maritime industry. Even though the roots of the safety culture have been established there are still serious barriers to the breakthrough of the safety management. These barriers could be envisaged as cultural factors preventing the safety process. Even though the ISM Code has been effective over a decade, the old-established behaviour which is based on the old day’s maritime culture still occurs. In the next phase of this research project, these cultural factors shall be analysed in regard to the present safety culture of the maritime industry in Finland.

Food Safety Testing: Rapid Molecular Methods for Chemical and Biological Hazards

The central goal of food safety policy in the European Union (EU) is to protect consumer health by guaranteeing a high level of food safety throughout the food chain. This goal can in part be achieved by testing foodstuffs for the presence of various chemical and biological hazards. The aim of this study was to facilitate food safety testing by providing rapid and user-friendly methods for the detection of particular food-related hazards. Heterogeneous competitive time-resolved fluoroimmunoassays were developed for the detection of selected veterinary residues, that is coccidiostat residues, in eggs and chicken liver. After a simplified sample preparation procedure, the immunoassays were performed either in manual format with dissociation-enhanced measurement or in automated format with pre-dried assay reagents and surface measurement. Although the assays were primarily designed for screening purposes providing only qualitative results, they could also be used in a quantitative mode. All the developed assays had good performance characteristics enabling reliable screening of samples at concentration levels required by the authorities. A novel polymerase chain reaction (PCR)-based assay system was developed for the detection of Salmonella spp. in food. The sample preparation included a short non-selective pre-enrichment step, after which the target cells were collected with immunomagnetic beads and applied to PCR reaction vessels containing all the reagents required for the assay in dry form. The homogeneous PCR assay was performed with a novel instrument platform, GenomEra^™, and the qualitative assay results were automatically interpreted based on end-point time-resolved fluorescence measurements and cut-off values. The assay was validated using various food matrices spiked with sub-lethally injured Salmonella cells at levels of 1-10 colony forming units (CFU)/25 g of food. The main advantage of the system was the exceptionally short time to result; the entire process starting from the pre-enrichment and ending with the PCR result could be completed in eight hours. In conclusion, molecular methods using state-of-the-art assay techniques were developed for food safety testing. The combination of time-resolved fluorescence detection and ready-to-use reagents enabled sensitive assays easily amenable to automation. Consequently, together with the simplified sample preparation, these methods could prove to be applicable in routine testing.

Thermal-Hydraulic Studies on the Safety Of VVER-440 Type Nuclear Power Plants

This thesis includes several thermal hydraulic analyses related to the Loviisa WER 440 nuclear power plant units. The work consists of experimental studies, analysis of the experiments, analysis of some plant transits and development of a calculational model for calculation of boric acid concentrations in the reactor. In the first part of the thesis, in the case of won of boric acid solution behaviour during long term cooling period of LOCAs, experiments were performed in scaled down test facilities. The experimental data together with the results of RELAPS/MOD3 simulations were used to develop a model for calculations of boric acid concentrations in the reactor during LOCAs. The results of calculations showed that margins to critical concentrations that would lead to boric acid crystallization were large, both in the reactor core and in the lower plenum. This was mainly caused by the fact that water in the primary cooling circuit includes borax (Na)BsO,.IOHZO), which enters the reactor when ECC water is taken from the sump and greatly increases boric acid solubility in water. In the second part, in the case of simulation of horizontal steam generators, experiments were performed with PACTEL integral test loop to simulate loss of feedwater transients. The PACTEL experiments, as well as earlier REWET III natural circulation tests, were analyzed with RELAPS/MOD3 Version Sm5 code. The analysis showed that the code was capable of simulating the main events during the experiments. However, in the case of loss of secondary side feedwater the code was not completely capable to simulate steam superheating in the secondary side of the steam generators. The third part of the work consists of simulations of Loviisa VVER reactor pump trip transients with RELAPSlMODI Eur, RELAPS/MOD3 and CATHARE codes. All three codes were capable to simulate the two selected pump trip transients and no significant differences were found between the results of different codes. Comparison of the calculated results with the data measured in the Loviisa plant also showed good agreement.

Improving Evaluation and Development Capability in Verification and Validation

Validation and verification operations encounter various challenges in product development process. Requirements for increasing the development cycle pace set new requests for component development process. Verification and validation usually represent the largest activities, up to 40 50 % of R&D resources utilized. This research studies validation and verification as part of case company's component development process. The target is to define framework that can be used in improvement of the validation and verification capability evaluation and development in display module development projects. Validation and verification definition and background is studied in this research. Additionally, theories such as project management, system, organisational learning and causality is studied. Framework and key findings of this research are presented. Feedback system according of the framework is defined and implemented to the case company. This research is divided to the theory and empirical parts. Theory part is conducted in literature review. Empirical part is done in case study. Constructive methode and design research methode are used in this research A framework for capability evaluation and development was defined and developed as result of this research. Key findings of this study were that double loop learning approach with validation and verification V+ model enables defining a feedback reporting solution. Additional results, some minor changes in validation and verification process were proposed. There are a few concerns expressed on the results on validity and reliability of this study. The most important one was the selected research method and the selected model itself. The final state can be normative, the researcher may set study results before the actual study and in the initial state, the researcher may describe expectations for the study. Finally reliability of this study, and validity of this work are studied.

Safety Culture and Maritime Personnel’s Safety Attitudes: Interview Report

”METKU –projektissa” (Merenkulun turvallisuuskulttuurin kehittäminen) tutkitaan kansainvälisen turvallisuusjohtamiskoodin (ISM-koodin) vaikutuksia merenkulun turvallisuuteen ja etsitään kehittämiskohteita merenkulun turvallisuusjohtamisen parantamiseksi. Tämä haastatteluraportti on laadittu METKU –projektin yhteistyössä työpakettien 1 ja 2 kesken. Tähän raporttiin haastateltiin yhteensä 94 merenkulun ammattilaista. Suurimman osan haastateltavista muodostivat aktiiviset merenkulkijat: miehistön jäsenet, päällystö ja alusten päälliköt. Haastattelukohteena oli seitsemän suomalaista varustamoa. Haastatteluissa kerättiin merenkulkijoiden kokemuksia ja mielipiteitä ISM-koodin vaikutuksesta heidän käytännön työhönsä. Suomalaiset merenkulkijat uskovat, että tänä päivänä varustamoiden johtajat ovat hyvin sitoutuneita turvallisuuteen. Myös miehistön asenteet turvallisuuteen ovat ISM-koodin käytön myötä parantuneet. Haasteltavien yhteinen huoli kohdistui jatkuvan parantamisen toimivuuteen. Kaikki haastatellut ryhmät olivat samaa mieltä siitä, että poikkeamien raportointi ei ISMkoodin vaatimuksesta huolimatta toimi kunnolla. ISM-koodin käyttöön otosta on ollut merenkululle selkeää hyötyä. Haastateltavat esittivät hyötyinä parantuneen yhteistyön ja tiedonkulun alusten ja varustamon välillä sekä sen, että merenkulun toiminnan laatu on parantunut. Monet haastateltavat korostivat, että ISM-koodin selkeät turvallisuusvastuut yhtiölle on ollut merkittävä hyöty. Itse ISM-koodiin merenkulkijoilla ei ollut juurikaan huomauttamista. Sen sijaan turvallisuusjohtamisen käytännön toteutuksessa nähtiin parantamisen varaa. ISMkoodin aiheuttamina ongelmina mainittiin mm. lisääntynyt byrokratia ja liian monimutkaiset ja yksityiskohtaiset turvallisuuskäsikirjat. Monet haastateltavat toivovat, että ISM-koodin käytännön soveltamiseen laadittaisiin ohjeita.