REactor Safety Analysis ToolboX RESA-TX

,


Introduction
Every nuclear facility requires safety assessments. According to the IAEA [1], DSA is an essential part of this process, particularly to demonstrate the safety and adequacy of a reactor design within the defence in-depth concept. The main objective of DSA is to confirm that safety functions can be fulfilled and that the necessary structures, systems and components, in combination with operator actions, are effective in keeping the releases of radioactive material from the plant below acceptable limits. A deterministic safety analysis is generally conducted using thermal-hydraulic system codes. Best-estimate thermal-hydraulic system codes like RELAP, TRACE, ATHLET or CATHARE have been developed and extensively validated during the last decades to analyse the thermal-hydraulic phenomena occurring in nuclear facilities during various scenarios.
The first step to being undertaken for analysing the plant behaviour by applying these system codes is the development of a model of the nuclear facility. This model * e-mail: Simone.Palazzo@grs.de is a simplified representation of the main plant systems, such as the reactor coolant system, secondary side, or safety systems. The different components are modelled and connected to each other to form a network of objects, known also as the nodalisation scheme (see Fig. 1). The model is described in an input deck having a code-specific format and syntax. To generate the thermal-hydraulic model, extensive plant data about the geometry of the main components, material properties, valve and pump characteristics, heat transfer, neutronic and control logic data, etc. are required. The input deck developers must have deep knowledge of thermal-hydraulic modelling of systems using code-specific syntax. Processing a large amount of data and translating it into a plant model is a time-consuming task, which may require a big effort in terms of man-hours (see Fig. 2).
Plant-specific thermal-hydraulic models are used for example by reactor manufacturers to analyse the complex thermal-hydraulic behaviour for abnormal operating conditions, or accidents and to demonstrate the safety of the plant concept. Technical support organisations (TSO) like GRS develop independently complex thermal-hydraulic models to support regulatory authorities in their safety assessment process of nuclear power plants (NPPs) by conducting confirmatory analyses. Thermal-hydraulic code developers use models of experimental facilities to assess the performance of their code and validate it by comparing the code results against these experiments, also comparing to other codes in benchmarking activities. In all cases, the generation of these models is manual and laborious, requiring a big effort in terms of time and cost.
The achieved result and thus the quality of a DSA depends not only on the system code but also on the quality of the plant model in the generated input deck. The quality of the model is limited by the availability of data and can be influenced by the so-called user effect. A user effect is related to the individual way of modelling certain plant components as well as errors when implementing the geometry and characteristics of the components. It can reflect badly on the robustness of the adopted system code and jeopardise the quality of the DSA.

Concept
RESA-TX was outlined at GRS to cope with the abovedescribed problem. The innovative approach proposes an automated and standardised procedure supported by a large database of plant design characteristics, plant behaviour and DSA expert knowledge incorporated within the tool. Its application allows the end user to automatically generate and verify an input deck as well as conduct design basis accident (DBA) calculations for a certain design with highly reduced manual intervention.
The automatisation of each step using RESA-TX is supported by the inherent databases containing a pool of information about plant designs, plant behaviour, regulatory rules and expert know-how on DSA procedures. The databases can be extended depending on available information or other boundary conditions.
Heuristics are integrated into the model generation and verification process, where users often suffer from a lack of information about the facility under consideration. These heuristics can be replaced when higher information quality is available or enhanced over time which can lead to even more reliable results with increasing usage of the tool.
RESA-TX is intended for regulators and technical support organisations, for the nuclear industry as well as for nuclear code developers that can use either all or some of the tools for their own specific needs and purposes.

Methodology
The REactor Safety Analysis ToolboX (RESA-TX) is a collection of three different tools corresponding to the three main steps of DSA. They support the end user: (1) by the automatic generation of a thermal-hydraulic model of the desired facility in form of an input deck (Tool AMG -Automatic Model Generator). This is supported by a heuristic network in case of a lack of specific plant data; (2) by the automatic verification process of the input deck to confirm the adequacy of the model (Tool AMV -Automatic Model Verify) based on a qualitative system behaviour evaluation and/or the NPP documentation if available; (3) by the automatic generation of a safety analysis case (i.e., calculation of a basic set of design basis scenarios, e.g. a loss of coolant accident) with help of the ASAG tool -Automatic Safety Analysis Generator.
A schematic representation of the methodology is shown in Figure 3.

AMG -Automatic Model Generator
The Automatic Model Generator AMG is a tool which helps the user quickly generate a simple thermal-hydraulic model of the main plant components using code-specific syntax and automatically combining them to obtain a plant model. An automatic and standardised approach for the generation of input decks is not available so far. The plantspecific input decks for the simulation of nuclear facilities are currently manually developed. For the modelling of the most relevant components of a plant, such as a reactor pressure vessel (RPV), Steam Generators (SGs) and Pressuriser (PRZ), system-specific drawings, plans and descriptions are taken into account. The input deck developers must have deep knowledge of both thermalhydraulic system modelling and code-specific features and syntax. Generating a thermal-hydraulic model is a timeconsuming task, which may require a big effort in terms of man-hours.
For the modelling of the main components, geometrical data is often not available, complicating the task of model generation. The current state of the art is that to overcome  this lack of data, the user often needs to apply assumptions based on expert judgement, which requires not only time but also vast knowledge and experience. The innovative approach of RESA-TX strongly supports this step by automatically generating a plausible generic data set. This is done based on a network of heuristics, which represents a set of rules and mathematical relationships that help define the geometry and characteristics of a certain plant component and select the most likely configuration based on pre-defined plant databases. The previously required vast experience and user know-how are now in large part inherent to the tool. The developed algorithms in AMG are able to identify for instance the length of a certain component (e.g., fuel assembly) or the total number of components (e.g., number of fuel assemblies) by using the implemented mathematical relationships. If made available, the network of heuristics can be replaced with more specific plant data. With increasing plant knowledge, the model can be gradually refined.
By adopting this approach, essential systems and components of the plant are automatically generated as modules (RPV, SG, PRZ, ECCS). The modules are then automatically merged into one single data set constituting a plant-specific input deck. The complexity of the single components' modules is tailored to the respective level of knowledge about the plant and the DBA analysis to be executed. This approach has the potential to drastically reduce the user effect and user-induced errors during the modelling process by simultaneously decreasing the time necessary for the development.
Python is chosen for the automatic creation of the components modules, as it is an object-oriented programming language that enables the development of complex components in a modular way and is therefore suitable for the automatic generation of an input deck for system codes.
For the simulation of the relevant safety functions (e.g. SCRAM from reactor protection system) which are mandatory to prove that the reactor can cope with the accident scenario and reach a controlled state, control system models can be also automatically generated containing a simple network of logic signals. Figure 4 depicts the procedure of automated model development using AMG Software.
Currently, code-specific python programs for the generation of components as objects in ATHLET system code are being developed at GRS [2]. The python programs can be adapted to other system codes, based on the specific syntax.

AMV -Automatic Model Verifier
The Automatic Model Verifier AMV is an automatic and continuous integration of reactor-related models which uses a set of parallel transient simulations in order to confirm the adequacy of the model or simulation code used as a prerequisite for deterministic safety assessment. The tool is based on a comprehensive systematic procedure to examine the correctness of an implemented model against a defined evaluation basis. It consists of three modules that communicate with each other during the verification process (see Fig. 5): the Verification Database Generator -VDG: algorithms are used to generate acceptance corridors from parameter progressions for a set of transients and accident scenarios (inherent database or user-provided) as an evaluation basis; the Simulation Controller -SC: sets boundary conditions (BCs) and controls operator actions or unintended plant behaviour for the assessed transient scenarios; the Continuous Integration Module -CIM: interacts with a global database infrastructure (repositories, input and result storage, etc.), automatically triggers and coordinates parallel simulations, and uses algorithms to evaluate their results using the verification database to generate a clear result report. Thanks to learning feedback loops, the verification database will be enhanced with increased usage.
The AMV is applicable for any level of model complexity and any code that evaluates transient behaviour (esp. thermal-hydraulic system codes, neutronic codes, subchannel codes, etc.). If minimal knowledge about an investigated plant is available, the progression of system parameters during a given transient is compared against qualitative value corridors which are provided by RESA-TX to verify a plausible model behaviour. Such approximation can be continuously replaced if more plant-specific data becomes available, which increases the result reliability. Transients and accidents are set up and controlled using control protocols which are accessed by the SC module. The SC intervenes in the simulation process to change BCs, setting plant malfunctions (stuck valve, leak initiation, etc.) and performs operator actions associated with the given list of transients or accidents to be investigated. These protocols are provided by RESA-TX for a minimal set of transients for thermal-hydraulic analyses but can also be created by the user according to specific needs and other deterministic codes.
A similar tool is in use at GRS to assess the reliability of system-specific analysis simulators that analyse the thermal-hydraulic behaviour for abnormal operating conditions, incidents and beyond design basis accidents in nuclear power plants, as well as for the verification of thermal-hydraulic code development (see [3] and [4]).

ASAG -Automatic Safety Analysis Generator
Once the input model has been automatically generated by the tool AMG and verified by the tool AMV the third tool can be used for the automatic generation of deterministic safety analysis. For this purpose, the Automatic Safety Analysis Generator ASAG uses the IAEA option 3 "best estimate plus uncertainty" approach [5]. A mix of best estimate and unfavourable initial and boundary conditions is proposed by the tool based on provided Phenomena Identification and Ranking Tables (PIRTs), taking into account the very low probability that all parameters would be at their most pessimistic value at the same time. Conservative assumptions on the availability of systems are suggested by ASAG depending on the considered scenario. To ensure the overall conservatism required in the analysis of design basis accidents, design-dependant uncertainties are identified, quantified and statistically combined. To do this, the ASAG picks up on the large statistical data storage for safety analysis of the different reactor designs provided by RESA-TX. For initial purposes, ASAG is limited to design basis scenarios. The process of the ASAG application is depicted in Figure 6.
ASAG combines the automatic transient calculation software already used in AMV with a database of transients and statistical data required for a safety assessment of the selected reactor design. It is not limited to a specific code. It builds on software tools already in use at GRS for the automatic start of several runs for uncertainty analysis tools like SUSA, combining these with a deep knowledge of safety analysis procedures inherent to the tool, e.g., information on which transients are required for safety assessment of a certain design, what are the most relevant plant systems for each transient, which boundary conditions should be applied for a correct BEPU assessment of this transient, which variables should be varied and what statistical behaviour should be assumed for them, etc.
In this way, ASAG will guide and support the user through the different steps of the analysis. The analysis may range from one case to the whole list of design basis scenarios available for selection within the tool for a spe-cific reactor design (i.e. LWR or research reactors). The user can select the transient(s) desired, and ASAG will automatically prepare and run them. The transient results are then automatically assessed against a database of established acceptance criteria according to IAEA safety standards. With the increasing usage of the tool, a neuronal network could update boundary conditions and input parameters for the heuristic model generation with the AMG based on whether acceptance criteria are met.
Based on its safety assessment, ASAG will provide a list of the bounding transients for the selected reactor design and their safety margins accompanied by the selected analysis conditions and why they were assumed. Should there be changes or updates necessary, the whole analysis is easily rerunnable to deliver an updated result. This would be a big advantage in comparison to the current state of the art, in which repeating a safety case is often a very costly process and therefore often not undertaken.

Prototypical application of RESA-TX toolbox
The RESA-TX toolbox as well as its tools AMG, AMV and ASAG are software which undergoes continuous improvements and developments. Different single tests have been carried out till now to prove the correct implementation and the functionality of each tool.
In the following a prototypical application of the tools AMG and AMV will be presented.

Application of the AMG
To demonstrate the ability of the AMG tool to generate a code-specific thermal-hydraulic model of a specific component of the NPP, the automatic creation of a reactor pressure vessels model for a KWU plant type using the ATHLET code is presented as a prototype. Figure 7 shows a schematic representation of the steps required for the automatic generation of a simple thermalhydraulic model of the RPV.
The implemented heuristic approach needs the following parameters which are defined by the RESA-TX user in order to start the generation process: reactor thermal power.
-Number of fuel assemblies in the core.
In the example of Figure 7, a reactor thermal power of 4.0 GW, a fuel assembly lattice of 16 × 16 rods and a total number of 193 fuel assemblies in the core have been defined. Once the user inputs the parameter value in the AMG, the tool automatically selected the 4-loop geometry and generated the thermal-hydraulic RPV model for the ATHLET code. This is possible since every object, composing the RPV such as the upper and lower plenum or the core has been parametrized in the algorithm. The parameterization allows for a generation of even complex geometries on the basis of a few relevant dimensions using algebraic equations. An example is given in Figure 8 for the generation of a core channel model. The algorithm selects the core configuration for the 4-loop KWU-PWR and calculates every single parameter that describes the core channel geometry (e.g. length, cross-flow area and form losses) according to predefined equations. In the next step, the algorithm checks, if the calculated data for the core channel model is consistent with the geometry of the other sub-components of the RPV and if the data are exported in the code-specific data format (e.g. ATHLET ASCII-files). Some variables like the axial nodalisation are predefined and selected according to the validation report of the specific system code.
A further option in the AMG is available, which starts a test simulation for the generated geometry for check purposes. The results for the prototypical application are presented in Figure 9.

Application of the AMV
As a prototypical application of the AMV tool, each step of the automatic verification procedure for a generic PWR (KWU-type) input deck is presented in this chapter.
After generating the different thermal-hydraulic components of the primary and secondary sides, the input deck of the NPP has been loaded into a database structure (repository). A defined set of runs including plant transients (e.g. inadvertent opening of one main steam safety valve) and accident scenarios (e.g. intermediate break LOCA) has been selected and the verification process is initiated.
For each transient and accident, a protocol containing a list of the operator actions as defined in the operating manual is implemented (see Fig. 10). The manual actions are triggered when specific conditions are fulfilled. The file containing the listed actions as executable commands is loaded by the Simulation Controller which automatically executes and monitors the simulation.
The Continuous Integration Module, which is based on the GitLab [6] platform, automatically triggers and coordinates parallel simulations.
To prove the quality of the achieved results for each available transient the VDG module is automatically activated, which contains all the information of the acceptance corridors for each relevant thermal-hydraulic parameter (i.e. coolant temperature and pressure) and logical signal (i.e. coolant pump trip and SCRAM). This acceptance corridor for a specific parameter and a defined event is generated as a result of an algorithm, which evaluates the simulation results from previous runs stored in a database for the defined case using a 4-loop KWU-PWR. Figure 11 shows as an example the results of the coolant pressure in the pressurised for the event  "inadvertent opening of one main steam safety valve at full power". As soon as the failure occurs (t = 0 s), a sharp increase of the main steam flow takes place and temperature and pressure on the primary side decrease. The following increase of pressure up to 16.1 MPa is mainly due to the RCCA withdrawal, which is acted by the average coolant temperature control system to compensate for the temperature decrease of the coolant. The following decrease in the pressure is due to the RCCA insertion triggered by the power limitation system when the thermal power overcomes the 103% limit.
In the left plot of Figure 11, the results of different runs for this specific event are presented, which are stored in the VDG submodule. The implemented algorithm calculates the upper and lower bounds for the parameter "pressure" and additional limit curves, which have a gap of ±5% to the upper and lower bounds. The upper and lower bounds (blue curves) as well as the upper and lower limit curves (dashed curves) are plotted in the graphic on the right side. The graph also contains information on the current run (black curve) as well as the results from the last accepted verification run (pink curve). In this example,  the results of the actual run differ from the previous ones at ca. t = 500 s. The violation of the upper bound is saved in a report and the user is informed to take action.

Main users and applications
The proposed idea of the automatic REactor Safety Analysis ToolboX RESA-TX has three main user groups and numerous applications: • for nuclear regulators, RESA-TX can help support their assessment with a safety analysis, be it either in detail for confirmatory analysis purposes of a design assessment, or coarser to support an assessment that needs to be made with time constraints, e.g., a regulator reaction to an operational occurrence or an accident scenario. In the case of design assessment, the regulator would gain the ability to conduct a confirmatory safety analysis to support their assessment without necessarily requiring external services. In case of a quick safety assessment of an event, the regulator will gain the very powerful ability to conduct a fast but technically grounded analysis. • For the nuclear industry, the applications of RESA-TX range from the initial generation of a safety case for licensees to the continuous (re)running of certain transients for nuclear operators after plant design enhancements. A plant operator could use the toolbox to generate a very detailed and highly verified plant model given large data availability. The result would be a precise and automated tool able to calculate or rerun all desired transients at any time, which could be used for decades into the future with minor maintenance requirements and allow the operator to conduct an updated safety analysis quickly and with minimal effort throughout the lifetime of the plant. • For nuclear code developers, RESA-TX could translate into enormous time savings in the code validation and verification process given its automated and modular nature. As a code developer, a model of for example a research reactor or an experimental facility can be built with low effort using AMG and continuous code developments can be validated and/or verified automatically and regularly with AMV by clicking only a few buttons.
An example of market potential is the shortening of approval times in licensing projects. Applying RESA-TX would allow to a repeat of a safety analysis whenever necessary and quickly resolve any potential regulatory issue with low effort and increased added value, contributing to an increase in reactor safety.

Conclusion
GRS supports nuclear regulatory bodies worldwide, including the UK, the Netherlands, Switzerland and Germany. GRS regularly participates in operational safety assessments as well as licensing of new build designs. GRS are also code developers and have a large implication in nuclear safety research. Thanks to this valuable combination in our daily work, we have a good knowledge of the current state of the art in DSA and safety analysis code development. In the current state of the art, DSA is a complex and thus error-prone process that is highly time-consuming and repetitive. The reliability of the result is strongly dependent on the availability of plant data and expert know-how. The idea behind RESA-TX is based on our experience and knowledge accumulated over years of model development and conductance of DSA and complemented by powerful software that allows reaching a high degree of automatisation to counteract the issues described above. The resulting product is a toolbox made of three tools that base on our latest software developments and build upon them to achieve an advanced automated approach to DSA. The toolbox is flexibly applicable since the tools can be used independently. A centralised data source of information relevant to DSA ranking from plant design and characteristics to plant behaviour to safety analysis modelling and methods, conventions and acceptance criteria is inherent to the tool. To enable managing this large amount of information, big data algorithms are adopted. Thanks to learning feedback loops, the databases inherent to RESA-TX are enhanced with repeated usage. Through these innovations, a big increase in safety is achieved, since the automatic nature allows the frequent rerunning of a large set of safety analyses that would not be feasible otherwise. Also, an increase in the reliability of both codes and models is achieved due to the possibility of constant rerunning.

Conflict of interests
The authors declare that they have no competing interests to report.

Funding
This work has been partially financed by the German federal ministry for the Environment, Nature Conservation, Nuclear Safety and Consumer Protection with project contracts ID. 4719R01375 and ID. 4721R01335.

Data availability statement
The data that support the findings of this study are not openly available due to the presence of restrictive plant data.