Optimisation of nuclear reactor primary coolant design and maintenance parameters

An optimisation methodology is presented using the primary coolant circulation system of a nuclear reactor as its case study, the purpose of which is to find combinations of selected design and maintenance parameters that maximise reactor safety and minimise monetary expenditure. The parameter space was sampled by a Monte Carlo method and Petri net modelling was used to predict the performance of each sampled configuration. The optimal solutions were then extracted from the data by computing the Pareto front, with further analysis conducted on parameter sets of interest.


INTRODUCTION
Two important considerations in the design of nuclear reactor systems are cost and safety, the objective being respectively to minimise and to maximise them. By their nature these two objectives are in conflict, as little can be done to improve the safety of a design without some increase in expenditure. To address this issue, this work presents the use of models of component failure, maintenance, and repair in conjunction with an optimisation methodology. The primary coolant circulation system of a generic nuclear reactor with modern design features is used as a case study, from which a number of design options are identified. Their parameter space is explored via Monte Carlo sampling, whereby a model corresponding to each sampled configuration is created and simulated to predict its performance.
Risk assessment is traditionally performed using a combination of fault tree analysis and event tree analysis. The former has its origins in the 1960s at Bell Laboratories with the work of Watson. 1 A fault tree is used to calculate the rate of occurrence of a system failure mode (the top event) by systematically breaking the cause of the event down into lower levels of complexity using the Boolean logic gates AND and OR, as seen in Figure 1. This development of the failure logic continues until each branch is terminated by an event, such as a component failure mode, for which failure and repair data are available. These are referred to as basic events. A set of basic events is called a minimal cut set if the occurrence of all of its members would cause the top event and the top event would not occur if any one member were removed from the set. Quantitative analysis, termed kinetic fault tree theory, was developed by Vesely, 2 in which the frequency of the top event is calculated from the minimal cut sets and the failure rate and likelihood of each basic event. Additionally, calculation of importance measures 3 gives the relative significance of the basic events and minimal cut sets and thus enables prioritisation of the most safety-critical failure modes. The traditional process of analysing a large fault tree still requires approximations to be made, however. An advanced methodology providing a fast and accurate means to quantify fault trees through the use of binary decision diagrams was developed in 1993 by Rauzy, 4 whose efficiency and accuracy were sufficient to help alleviate this problem. 5 Rasmussen led the team that produced the WASH 1400 report in 1975. 6 This performed a risk assessment on a nuclear plant and introduced the event tree methodology. By contrast to fault trees, an event tree starts with a single initiating event and progresses, from left to right across a page, towards the set of all possible resulting outcomes.
This is an inductive approach which tracks the functionality and failure of system safety responses along branching pathways, as illustrated in Figure 2. The rate at which each outcome occurs is given by the product of the frequency of the initiating event and the probability of every event appearing along its route. The probabilities of the failure events are commonly obtained from fault tree analysis, and it is then trivial to calculate the probabilities of success. 7 However, when basic events are shared between multiple fault trees, the resulting dependency has to be accounted for, which can be achieved using binary decision diagrams. 8 Despite being mature and well developed methodologies, neither fault tree nor event tree analysis is suitable for the requirements of this work. When applying them, it is necessary to assume that basic events occur independently, and commercial implementations typically only permit constant failure rates, preventing the modelling of processes such as component infant mortality or ageing and wear-out. Likewise, component repair times are unrealistically constrained to exponential distributions, and it is infeasible to model complex maintenance strategies or repair processes. At present, there exists no variation of fault tree or event tree that addresses all these concerns. This is of particular concern in relation to the increasing failure rates associated with ageing, the neglect of which reduces the accuracy of the resulting safety assessment. This work was conducted using the Petri net methodology 9,10 to overcome the limitations of event tree and fault tree methods in modelling these system characteristics.

F I G U R E 2
This event tree has three possible branching points following the initiating event, with the failure of both the first and second condition rendering the third irrelevant. The probabilities of success and failure for each condition are respectively P_1^S, P_2^S and P_3^S, and P_1^F, P_2^F and P_3^F, where P_n^S = 1 − P_n^F, with the initiating event occurring at a given frequency.
As this research aims to explore the effectiveness of alternative maintenance strategies for the system, Petri nets are significantly better suited than the traditional methodologies. Any fault tree or event tree structure can be replicated as a Petri net, but the greater expressiveness of Petri nets allows more detail and less restrictive assumptions to be included in the assessment. For example, a Petri net can include both multiple occurrences of the same basic event and different failure mode states for a component, and cyclic behaviours and multiple concurrent or synchronous processes can be modelled easily. Any probability distribution can be used to define the time to failure or time to repair for a component. A component can also exist in more than the two binary conditions (working and failed) and can therefore progress through a sequence of degraded states until it reaches the failed condition. Where these condition states can be monitored, complex condition-based maintenance strategies can be developed and their performance modelled. It is also possible to model the shift between multiple modes of operation, such as running in the normal configuration for a fixed period of time before commencing the shutdown sequence, or engaging an emergency system in reaction to a disruptive fault.
The major cost associated with Petri net modelling is the necessity to execute large batches of simulations in its evaluation, with potentially many iterations being required to reach convergence. Although Petri net modelling can be computationally expensive compared to the fault tree and event tree methodologies, this is justified by its facilitation of high-fidelity representations of system dynamics that would not be possible using the traditional techniques. The methodology has already been applied in civil nuclear energy contexts, [11][12][13][14][15][16][17][18][19][20][21][22] with prior works employing Petri nets for various purposes. For example, some works 11,12,14,15,[19][20][21][22] describe or develop operational procedures or processes in nuclear systems using Petri nets, a number of which were directly concerned with safety, risk or reliability. [19][20][21][22] More indirect applications can also be found, where Petri nets were created to describe nuclear reactor subsystems but the evaluation was not performed by simulating the models. Instead, the Petri net represented an intermediate form, which was converted for assessment by an alternative methodology such as Markov chains, 16 reachability graphs, 17 or both. 18 Where this work differs in its aim is that it seeks to tie its Petri net models into an optimisation process. The ability of Petri nets to represent arbitrary system configurations makes them well suited to this end. While examples of optimisation in Petri net models exist in the literature from other industrial contexts, [23][24][25] there is an unrealised opportunity to develop their use for reactor safety engineering.
Monte Carlo sampling 26,27 of the optimisation parameter space is used in this work to generate data, from which the Pareto optimal 28,29 configurations are extracted. The advantage of this methodology is the simplicity of its implementation and execution, and that the system is sampled in an even and unbiased way, such that the full extent of the Pareto front is seen. Although other methodologies exist that converge faster than the Monte Carlo algorithm, this advantage would then be lost.

CASE STUDY
For our case study, the primary coolant system of a generic reactor with an emphasis on passive safety is used. A schematic of the system is shown in Figure 3, with its relationship to the optimisable parameters illustrated. Pipes delivering low-temperature coolant to the reactor are drawn in light blue, and the path of hot coolant from the core to the turbine is shown in red. The primary coolant extracts heat from the core through natural circulation between four steam separators by way of downcomer and return pipes, which connect to the reactor vessel at a header. During normal operation, steam is separated from the loop and directed to the turbine building to generate power, after which it is condensed and pumped back to the core loop by a set of feed pumps. To initiate shutdown, an isolation valve disconnects the pipe running to the turbine and instead directs coolant into the shutdown condenser, which removes decay heat during the forty-day shutdown period. This shutdown process may be initiated either at the end of the normal scheduled period for maintenance or in response to a component failure requiring repair. In the event of a severe fault requiring emergency shutdown, however, a reservoir is on stand-by to inject high-pressure coolant into the core coolant channels if adequate coolant pressure is lost. This is followed by low-pressure gravity-fed injection from an overhead tank, which eventually submerges the core over the course of three days.
During operation, maintenance can be performed on the isolation valves and feed pumps. The isolation valves become more likely to fail (on demand or otherwise) with each passing year, but at the end of their maintenance period, they are restored to their original condition, resetting associated failure modes. Two feed pumps are always required to be online to return adequate coolant, with any additional pumps kept ready to come into use in the event of a failure. The individual pumps are periodically replaced. When a pump is retired, one of the inactive pumps comes online to assume its capacity, with the subsequent replacement pump becoming available as a new redundant pump. The replacement of pumps is staggered to occur proportionately through the scheduled period.
For the purposes of the optimisation, there are a number of variable design parameters pertaining to the levels of component redundancy and to maintenance actions. A description of each parameter, its permitted range of values, and any associated costs, given in terms of an arbitrary currency unit, Cu, are found in Table 1.

F I G U R E 3
Schematic of the reactor case study system with the variable design and maintenance parameters to be optimised. Red lines represent the flow of hot coolant from the core to the turbine and condenser and light blue lines represent its return to the core, with the direction of flow marked by arrows in the respective colours.

TA B L E 1
Parameters for the configuration and maintenance of the primary coolant system, with their description, inclusive range of possible values, and associated costs in Cu (arbitrary currency unit).

F I G U R E 4
A key to the objects found in Petri net models.
These values are used to calculate the costs incurred during each batch of simulations with a particular set of parameters, including both the expense of the initial set-up of the configuration and that resulting from maintenance actions. System clock durations are tallied to produce the expenditure per unit time.

PETRI NET METHODOLOGY
The Petri net modelling in this work was realised with Macchiato, 22 developed in-house at the University of Nottingham. The name given to the particular variation of Petri net methodology employed is generalised stochastic Petri nets. 30

Structure
A Petri net is a bipartite graph that can be used to model the evolving state of a dynamic system represented in its structure. Figure 4 shows a key to the representation of the Petri net elements as depicted in this work. The two kinds of node found in a Petri net are the place and the transition, drawn as circles and squares respectively, and the connections between them are arcs, drawn as arrows and referred to as incoming or outgoing relative to the transition they connect. When a place and transition are connected by both an incoming and an outgoing arc, the pair is drawn as a single double-headed arrow. An arc has a property known as weight, which takes a non-zero integer value; if the weight of an arc is other than 1, it is marked adjacent to the arc. The role of the place is to hold tokens, visualised as black dots, with the state of the represented system at some moment being determined by the marking of the places. The transitions control the placement and removal of tokens. At each step in the simulation a transition is chosen to fire, and which transitions can and cannot do so is determined by the token markings of the places connected to them by arcs. A transition that is available to fire is said to be enabled; for this to be so, every place connected to it by an incoming arc must hold a number of tokens greater than or equal to the weight of that arc. When a transition fires, it removes from each incoming place a number of tokens equal to the weight of the connecting arc, and then adds to each place connected by an outgoing arc a number of tokens equal to the weight of that arc. This process is illustrated in Figure 5. Transitions can be parameterised to fire instantaneously or following a delay, as described in more detail in Section 3.3; these are referred to as instant and timed transitions and are coloured grey and white respectively.
In addition to the standard arcs described above, there also exist inhibit arcs and place conditional arcs, both of which can only appear as incoming arcs. An inhibit arc disables the transition to which it connects whenever the place at its other end holds a token, preventing the transition from firing, see Figure 6. A place conditional arc applies a modifier to a timed transition, altering the delay between its becoming enabled and firing.

F I G U R E 6
This transition cannot fire because the place connected by an inhibit arc holds a token.

Simulation algorithm
The successive firing of transitions updates the marking of the Petri net, which represents the dynamics of the system. At each step, every transition is inspected to determine whether its enabling conditions are met. Transitions that are now enabled that were not enabled on the previous step are added to a list and a firing time is calculated according to their parameters. Any transition that was enabled on the previous step, but whose enabling conditions are no longer satisfied, is removed from the list. If that transition is re-enabled at a later step, it retains no memory of its former firing time.
When the assessment of the status of the transitions is complete, the list of enabled transitions is used to choose the next transition to fire. First, it is established whether any instant transitions are enabled. If so, one of them is chosen at random. If not, the transition whose calculated firing time is closest to the current clock is selected. In the event that multiple transitions are scheduled to fire at the same time, one is again chosen at random. Having selected a transition, the token marking of the places is updated in accordance with its firing, the simulation step is advanced by one, and the system clock is set to the scheduled time of firing. This continues until a terminal place, marked with black fill, receives a token, at which point the simulation ends. The algorithm described here is shown in flowchart form in Figure 7.
Given the stochastic nature of the Monte Carlo simulation routine it is necessary to perform many iterations, until convergence is reached, at which point statistical data may be extracted from the body of results.

Transition firing delay
Four distributions are used for firing times in the modelling presented in this article, referred to as "delay", "uniform", "cyclic", and "Weibull". These distributions are adequate to capture the salient features of the system. Generally, the delay and cyclic distributions are used to control the timing of system actions, for example the duration of a process and the regular occurrence of maintenance respectively, while the uniform (when paired with a delay) and Weibull distributions produce the probabilities associated with failure events, for example the likelihood that an action will be performed successfully and the time at which a component will experience a failure mode respectively. A delay transition fires after a fixed duration a, and a transition with a uniform distribution fires at a time t between 0 and u after becoming enabled, such that its probability density is f(t; u) = 1/u for 0 ≤ t ≤ u and zero otherwise. A cyclic transition fires, after becoming enabled, at the next system clock value equal to an integer multiple of its parameter c, optionally offset by a second parameter. For example, a cyclic transition with c = 2 h and zero offset would fire at system clock values of 0, 2, 4, 6 h and so forth, whereas with c = 2 h and an offset of 1 h the firings would occur at 1, 3, 5, 7 h and so forth, assuming that in both cases the transition was enabled at those times. The Weibull distribution 31,32 is commonly used for modelling failure times in reliability engineering, and generalises the exponential distribution to non-constant failure rates. It has two parameters, the scale parameter and the shape parameter. The former characterises the point at which approximately two-thirds of a population is expected to have failed, and the latter controls the evolution of the failure rate, such that a shape parameter less than 1 is indicative of infant mortality, equal to 1 yields a constant failure rate, and greater than 1 produces an ageing effect; the corresponding probability density function is the two-parameter Weibull density in t, the time of failure. When a transition has one or more place conditional relations, a factor P is calculated as a function of W_i, the weight of the ith place conditional arc of the transition, and N_i, the corresponding token count. The resulting value is used to apply the modification by dividing a timing parameter (a, u, c, or the Weibull scale, as relevant) by P. Unlike that of standard arcs and inhibit arcs, the weight of a place conditional arc may take a non-integer value. The purpose of this mechanism is to allow the representation of arbitrary schemes of time-to-fire alteration with respect to any number of place markings. For example, this work contains a type of valve which becomes progressively more likely to fail to shut on demand with each passing year since maintenance was performed. This is achieved with a transition which periodically adds a token to a place until maintenance occurs. A place conditional arc connects that place to the transition that determines whether the valve functions correctly or otherwise, such that when it is enabled by a token arriving on the place that represents demand, the probability of failure generated corresponds to the elapsed duration into the maintenance cycle.

F I G U R E 7
The algorithm used by Macchiato to integrate a Petri net model.
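The simulation loop of the preceding subsection and the firing-time distributions above, as an added worked example: this is not Macchiato code and not part of the original article. The simulator below follows the algorithm as described: a transition draws its firing time when it becomes enabled and forgets it when disabled, instant transitions take priority, competing instants and timing ties are resolved at random, inhibit arcs block firing, and a run ends when a terminal place is marked. Place conditional arcs are omitted because their modifier expression is not reproduced above. The feed-pump fragment it runs is a hypothetical toy model whose parameter values are assumptions, not Table 2 values; the scheduled shutdown timer is inhibited while a pump is failed, which also shows the "no memory" rule in action. weibull_cdf checks the two-thirds remark: at t equal to the scale parameter the failed fraction is 1 − e^−1 ≈ 0.632.

```python
"""Minimal generalised stochastic Petri net simulator (added example, not Macchiato)."""
import math
import random
from dataclasses import dataclass, field


def next_cycle(now, c, offset=0.0):
    """Firing time of a cyclic transition enabled at `now`: the first clock value
    >= now of the form k*c + offset (so c = 2, offset = 1 gives 1, 3, 5, ...)."""
    return math.ceil((now - offset) / c) * c + offset


def weibull_cdf(t, scale, shape):
    """Fraction of a Weibull population failed by time t; at t == scale this is
    1 - e**-1 ~= 0.632, the 'roughly two-thirds' the text attributes to the scale."""
    return 1.0 - math.exp(-((t / scale) ** shape))


@dataclass
class Transition:
    name: str
    inputs: dict = field(default_factory=dict)   # place -> weight of incoming arc
    outputs: dict = field(default_factory=dict)  # place -> weight of outgoing arc
    inhibitors: tuple = ()                       # places whose tokens block firing
    kind: str = "instant"                        # instant | delay | uniform | cyclic | weibull
    p1: float = 0.0                              # a, u, c, or Weibull scale
    p2: float = 0.0                              # cyclic offset or Weibull shape

    def enabled(self, marking):
        if any(marking[p] > 0 for p in self.inhibitors):
            return False
        return all(marking[p] >= w for p, w in self.inputs.items())

    def firing_time(self, now, rng):
        """Absolute clock value at which the transition fires; drawn once on enabling."""
        if self.kind == "instant":
            return now
        if self.kind == "delay":
            return now + self.p1
        if self.kind == "uniform":
            return now + rng.uniform(0.0, self.p1)
        if self.kind == "cyclic":
            return next_cycle(now, self.p1, self.p2)
        if self.kind == "weibull":  # inverse-CDF sample: scale * (-ln U)^(1/shape)
            return now + self.p1 * (-math.log(1.0 - rng.random())) ** (1.0 / self.p2)
        raise ValueError(f"unknown transition kind {self.kind!r}")


def simulate(places, transitions, terminals, rng=None, max_steps=100_000):
    """Run one history; return (terminal place reached or None, final clock)."""
    rng = rng or random.Random()
    marking = dict(places)
    by_name = {t.name: t for t in transitions}
    scheduled = {}  # name -> firing time, kept only while the transition stays enabled
    clock = 0.0
    for _ in range(max_steps):
        for t in transitions:
            if t.enabled(marking):
                if t.name not in scheduled:        # newly enabled: draw a firing time
                    scheduled[t.name] = t.firing_time(clock, rng)
            else:
                scheduled.pop(t.name, None)        # disabled: old firing time is forgotten
        if not scheduled:
            return None, clock                     # deadlock: nothing can ever fire
        instants = [n for n in scheduled if by_name[n].kind == "instant"]
        if instants:
            chosen = rng.choice(instants)          # instant transitions take priority
        else:
            earliest = min(scheduled.values())
            chosen = rng.choice([n for n, tf in scheduled.items() if tf == earliest])
        t = by_name[chosen]
        clock = max(clock, scheduled.pop(chosen))  # fired transition is rescheduled if still enabled
        for p, w in t.inputs.items():
            marking[p] -= w
        for p, w in t.outputs.items():
            marking[p] += w
        for term in terminals:
            if marking[term] > 0:
                return term, clock
    raise RuntimeError("step limit reached")


def build_pump_model(n_pumps, n_required, scale_years, shape, repair_years, shutdown_years):
    """Hypothetical feed-pump fragment (not the article's model). Pumps fail with Weibull
    times and are repaired after a fixed delay; the scheduled shutdown timer runs only while
    no pump is failed (inhibit arc) and restarts from zero whenever it is re-enabled. Losing
    more than the spare pumps at once ends in CoolantFault. One failure transition serves all
    pumps, which is exact only for shape == 1 (memoryless)."""
    spare = n_pumps - n_required
    places = {"Working": n_pumps, "Failed": 0, "SafeShutdown": 0, "CoolantFault": 0}
    transitions = [
        Transition("pump_fails", {"Working": 1}, {"Failed": 1}, kind="weibull", p1=scale_years, p2=shape),
        Transition("pump_repaired", {"Failed": 1}, {"Working": 1}, kind="delay", p1=repair_years),
        Transition("too_few_pumps", {"Failed": spare + 1}, {"CoolantFault": 1}),
        Transition("scheduled_shutdown", {}, {"SafeShutdown": 1}, inhibitors=("Failed",),
                   kind="delay", p1=shutdown_years),
    ]
    return places, transitions, ("SafeShutdown", "CoolantFault")


def estimate_safe_shutdown(n_runs, seed=1, **model_kwargs):
    """Monte Carlo estimate of P(Safe Shutdown) for the pump model (assumed parameters)."""
    rng = random.Random(seed)
    places, transitions, terminals = build_pump_model(**model_kwargs)
    safe = sum(simulate(places, transitions, terminals, rng)[0] == "SafeShutdown" for _ in range(n_runs))
    return safe / n_runs
```

Calling estimate_safe_shutdown(2000, n_pumps=3, n_required=2, scale_years=2.0, shape=1.0, repair_years=0.05, shutdown_years=5.0) runs 2000 histories of the toy net. Because the article's article-level model uses one transition per component instance, the single shared pump_fails transition here should be read as a shortcut: with a shape parameter other than 1 it does not track each pump's individual age.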

PETRI NET MODEL
An example of one of the Petri net models generated in this work is shown in Figure 8 with a component configuration of two turbine isolation valves and three feed pumps. Sections of the Petri net that vary with respect to the optimisation parameters are highlighted. In Table 2, the function of each transition is briefly summarised, along with the relevant parameters used in the timed transitions.
The structure of each model represents a system of the type described in Section 2. While the parameters chosen were selected on the basis of expert opinion to be a realistic reflection of genuine nuclear reactors, their principal purpose is to demonstrate the methodology presented in this work, not to provide advice about any specific real-world design.
The reactor primary coolant system begins in full working order. The Petri net models the emergence of component failure modes and maintenance actions, running until one of two possible outcomes is reached: the safe shutdown of the reactor or a problem that requires the invocation of the emergency coolant injection systems. These are respectively labelled "Safe Shutdown" and "Coolant Fault". Safe shutdown is reached following the end of shutdown condensation, which is requested either when the end of the maintenance shutdown period is reached, see TSM, or if a fault arises, for example a burst pipe or a critical number of failed feed pumps. If a sufficiently severe fault occurs in a part of the system that cannot be isolated, such as a rupture in the internal coolant channels of the core or the loss of more than half of the steam separator circuits, shutdown condensation is insufficient to maintain safe core temperatures, necessitating the use of the injection system and resulting in a "Coolant Fault" outcome. In this model, this outcome is considered a failed state for the primary coolant circulation system.
The top left section of the Petri net models the four steam circuits. The four failure modes are the rupture of the steam separator, rupture of the downcomer, rupture of the return pipe, and spurious opening of the pressure release valve, with their occurrences respectively represented by the transitions TSS[1,2,3,4], TDC[1,2,3,4], TRP[1,2,3,4], and TSSPR[1,2,3,4]. The failure of a circuit is recorded by TCP[1,2,3,4], adding a token to PCC9. When the first token arrives there, it enables TMSS1, setting a countdown at the end of which reactor shutdown is requested. The length of this countdown is parameterised by m_ss. However, if additional steam circuit failures arise, this period is cut short when the token count at PCC9 reaches the threshold set by c_ss, with the firing of TMSS2 requesting immediate shutdown.

F I G U R E 8
Petri net model for a configuration of two turbine isolation valves and three feed pumps; see Table 2 for parameters. Small places are used for miscellaneous house-keeping tasks such as controlling the number of times a transition can fire.
The number of failed steam circuits reaching three constitutes a disruption to coolant circulation beyond that which can be managed within the primary coolant system, thus resulting in the "Coolant Fault" outcome.
Below the steam circuit section, the transitions TIH1 and TRCC model the failure of the reactor inlet header and of the internal coolant channels, either of which causes an immediate "Coolant Fault" outcome. The turbine, the condenser, and the pipe to them from the reactor, however, lie beyond the turbine isolation valve, meaning that if a fault arises in one of these the reactor can still be shut down by normal means. The transitions for those components are TT1, TCD1, and TTP[1,2,3].
The section within the orange box pertains to turbine isolation, with the total number of isolation valves set by n_iv. When a request to shut down the reactor is placed, a token is added to PTI1. The first of the isolation valves will shut, with the transition TTIVb1 firing. If the valve fails to shut, see TTIS1, or if it fails to an open state once shut, see TTIFOF1, reactor isolation is interrupted. If there is a redundant valve available, an attempt will be made to close it instead, and if that should also fail, the next redundant valve will be used, until no redundancy remains, at which point a token is placed at PTIF, indicating the failure of turbine isolation and resulting in a "Coolant Fault" outcome. Otherwise, once the turbine has been isolated for forty days, "Safe Shutdown" is achieved. A turbine isolation valve can also close spuriously, see TTIVa[1, …, n_iv], forcing the reactor to shut down before its normal scheduled time. The valves are serviced periodically according to the parameter m_iv, which sets the firing delay of TVTRa[1, …, n_iv], the weight of the arcs connecting to TVA2, and the initial number of tokens at PV1. The former resets the time of occurrence of spurious valve closure and

TA B L E 2
Parameters for the Petri net model shown in Figure 8.

DATA GENERATION AND PARETO OPTIMISATION
A large body of data was generated for the optimisation process. The system designs to be explored during the optimisation are obtained by Monte Carlo sampling 26,27 of the parameter space, with each set of parameters selected randomly within the ranges specified in Table 1. Having generated a set of optimisation parameters, the corresponding Petri net structure was generated, as discussed in Section 4, and was simulated 10^6 times. On the order of 10^5 iterations would be sufficient when typical system parameter values are used, 22 but to guarantee that an adequate body of data is collected even for the more exotic parameter combinations, this larger sample size was used, with the total computational time summing to 15,000 core hours on the Hydra HPC system. A total of 4000 parameter sets were investigated in this fashion, and the optimisation was subsequently performed via Pareto front 29 analysis with respect to the performance metrics of chief concern, namely the probability of safe shutdown and the monetary expenditure per unit time. The Pareto front is the line running through the set of data points which are Pareto optimal, 28 with an example given in Figure 9. A point is a member of this set if it has the best score with respect to one performance metric that can be achieved for its value of the other metric, and vice versa, such that an improvement in either score can only be achieved to the detriment of the other. By examining the Pareto front, the optimal probability of safe shutdown achievable for a particular spending target can be read off, and conversely the least expensive parameter set for a given safe shutdown probability can be found.
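The Pareto front extraction described in this section, as an added example with constructed data; this is not the article's own code and the sample points are invented, not values from Table 3. The sweep finds the non-dominated set in O(n log n) for the two objectives used here (minimise expenditure per unit time, maximise safe shutdown probability); is_dominated is the definition written out directly and can be used to cross-check the sweep. The two query helpers answer the two questions the text says the front is used for: the best safety attainable for a spending target and the cheapest configuration meeting a safety target.

```python
"""Pareto front extraction for (cost per unit time, safe-shutdown probability) points.
Added example with constructed data; not the article's own code."""


def is_dominated(point, points):
    """True if some other point is at least as cheap and at least as safe, and strictly
    better on one of the two objectives (the definition of Pareto dominance)."""
    c, p = point
    return any((c2 <= c and p2 >= p) and (c2 < c or p2 > p) for c2, p2 in points)


def pareto_front(points):
    """Return the Pareto-optimal subset of (cost, p_safe) points, sorted by cost.

    Sorting by (cost ascending, p_safe descending) and keeping every point whose
    p_safe beats the best seen so far yields exactly the non-dominated points:
    anything later in the order is at least as expensive, so it survives only by
    being strictly safer. Exact duplicate points are reported once.
    """
    best = float("-inf")
    front = []
    for cost, p_safe in sorted(points, key=lambda cp: (cp[0], -cp[1])):
        if p_safe > best:
            front.append((cost, p_safe))
            best = p_safe
    return front


def best_safety_for_budget(front, budget):
    """Highest safe-shutdown probability attainable without exceeding `budget` (Cu/h)."""
    affordable = [cp for cp in front if cp[0] <= budget]
    return max(affordable, key=lambda cp: cp[1]) if affordable else None


def cheapest_for_safety(front, target):
    """Cheapest configuration on the front with safe-shutdown probability >= `target`."""
    adequate = [cp for cp in front if cp[1] >= target]
    return min(adequate, key=lambda cp: cp[0]) if adequate else None


# Constructed sample of (cost in Cu/h, safe-shutdown probability); not results from the article.
SAMPLE_POINTS = [
    (1.2, 0.980), (1.5, 0.990), (1.4, 0.985), (2.0, 0.990),
    (2.5, 0.999), (1.8, 0.970), (3.0, 0.995), (1.5, 0.992),
]

if __name__ == "__main__":
    front = pareto_front(SAMPLE_POINTS)
    print("Pareto front:", front)
    print("best safety for 2.0 Cu/h:", best_safety_for_budget(front, 2.0))
    print("cheapest for p >= 0.99:", cheapest_for_safety(front, 0.99))
```

The sweep and the brute-force definition agree on every point; on a few thousand samples, as in the article's data set, the O(n²) check is still cheap enough to run as a sanity test on the extracted front.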

RESULTS AND DISCUSSION
The results presented in this section are analysed using Spearman's rank correlation coefficient, 38 also known as Spearman's rho, to find the strength of the relation between each of the optimisation parameters and the outcome metrics, and between the latter themselves. Spearman's rho is the Pearson product-moment correlation coefficient 39 (PPMCC) of the rankings of the data points when they are ordered by each of the two sets of values. Unlike the PPMCC itself, Spearman's rho is suitable for non-linear (monotonic) correlation. It yields a value in the range −1 to 1, where −1 is perfect negative monotonic correlation, 0 is no monotonic correlation, and 1 is perfect positive monotonic correlation. The confidence intervals were computed following the method described by Ruscio 2008. 40 The p-value is also given, which is the probability of observing a correlation at least as strong as the reported value of Spearman's rho if the null hypothesis of no correlation were true. A p-value below 0.05 is typically used as the threshold to establish statistical significance. 41 A scatter plot comparing the cost per hour and reliability results from the optimisation process is found in Figure 10, along with the Pareto front for the highest reliability at the lowest cost per unit time.

F I G U R E 9
Example of a Pareto front with 100 randomly generated values. The goal is to minimise performance metric A while maximising performance metric B; therefore the Pareto optimal data points are found at the top and left of the plot.

F I G U R E 10
Comparison of the main performance metrics from the optimisation process, expenditure per unit time and reliability, with the Pareto front drawn.
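Spearman's rho as defined above (Pearson correlation of the rank vectors), as an added example on constructed data; this is not the article's code and the inputs are invented. Tied values receive the mean of the rank positions they occupy, which matters for discrete parameters such as the number of feed pumps or isolation valves. The p-value here is computed by a seeded permutation test rather than the analytic or Ruscio-style procedures the article cites, so it is a substitute method, not a reproduction of theirs.

```python
"""Spearman's rank correlation with tie handling and a permutation p-value.
Added example on constructed data; not the article's own code."""
import math
import random


def ranks(values):
    """1-based ranks; tied values share the mean of the rank positions they occupy."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    r = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1                        # extend the run of equal values
        avg = (i + j + 2) / 2.0           # positions i..j hold ranks i+1..j+1
        for k in range(i, j + 1):
            r[order[k]] = avg
        i = j + 1
    return r


def pearson(x, y):
    """Pearson product-moment correlation coefficient of two equal-length sequences."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    return sxy / math.sqrt(sxx * syy)


def spearman(x, y):
    """Spearman's rho: the Pearson coefficient of the two rank vectors."""
    return pearson(ranks(x), ranks(y))


def permutation_p_value(x, y, n_perm=2000, seed=0):
    """Two-sided p-value: share of random re-pairings whose |rho| is at least the
    observed |rho|, under the null hypothesis of no association (seeded, so repeatable)."""
    rng = random.Random(seed)
    observed = abs(spearman(x, y))
    rx, ry = ranks(x), ranks(y)
    hits = 0
    for _ in range(n_perm):
        rng.shuffle(ry)                   # break any association between x and y
        if abs(pearson(rx, ry)) >= observed - 1e-12:
            hits += 1
    return (hits + 1) / (n_perm + 1)      # add-one correction keeps p strictly positive


if __name__ == "__main__":
    # Constructed data: a monotone trend with a small repeating disturbance.
    xs = list(range(30))
    ys = [i + (i * 7) % 5 for i in xs]
    print("rho =", round(spearman(xs, ys), 4), "p =", permutation_p_value(xs, ys))
```

With 4000 samples, as in the article's data set, 2000 permutations of the ranks are cheap, and the smallest p-value the test can report is 1/(n_perm + 1); a result quoted as p < 10^−308 is only reachable by the analytic approximation, not by resampling.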
The set of Pareto optimal configurations has 27 members and the full list is given in Table 3. Safe shutdown probability and monetary expenditure per unit time are respectively seen to range from 98.36% to 99.97% and from 1.187 to 2.878 Cu h^−1, and it is clear that increased expenditure yields improved safety by this measure, with the overall Spearman's rank correlation coefficient between these two values being 0.7682, with a 95% confidence interval from 0.7533 to 0.7823 and p < 10^−308. It is also seen that low numbers of isolation valves and feed pumps are generally favoured, as most Pareto optimal configurations include fewer than four of either. Notably, however, the average duration of operation declines substantially as safe shutdown probability increases. To examine what happens within primary coolant systems with such configurations, further simulations with parameter sets taken from the Pareto optimal values were performed, corresponding to the first, second, and third quartiles with respect to safe shutdown probability (as before, 10^6 iterations were performed). The first quartile has a value of 99.36%, and both the second and third quartiles have values of 99.91% due to a plateau in the Pareto front where many parameter sets result in the same performance; for this reason the latter two will be referred to collectively as the third quartile hereon. The first quartile falls between two parameter sets, seen as the seventh and eighth rows in the body of Table 3. As this is the lower quartile, the parameters of the former were selected, that is, m_t = 2.968 years, c_ss = 0.2497, m_ss = 3.962 years, n_iv = 5, m_iv = 5.912 years, n_fp = 3, and m_fp = 0.3846 years. For the simulations representing the third quartile, the mean values of those parameter sets were used, such that m_t = 6.353 years, c_ss = 0.1840, m_ss = 6.103 years, n_iv = 2, m_iv = 5.106 years, n_fp = 2, and m_fp = 5.852 years. In Figure 11, the predicted durations of operation are seen.

TA B L E 3
Full list of optimisation parameter sets found to be Pareto optimal with respect to safe shutdown probability and monetary expenditure per unit time, and their scores with respect to all performance metrics.

F I G U R E 11
Probability of the primary coolant system operating uninterrupted with respect to time (i.e., not encountering a critical failure or the need to shut down for repair) for the first and third quartiles (Q1 and Q3) of safe shutdown probability on the Pareto front, see Table 3. Note that reactor shutdown is scheduled to begin after 2.968 and 6.352 years of operation for Q1 and Q3 respectively. The outcome with the best safety performance among Pareto optimal configurations with three feed pumps (B3FP) is also included, with a scheduled maintenance time of 1.868 years.
There is a stark difference in the behaviour of these two parameter sets, with the probability of the system continuing to operate for a given duration dropping off rapidly for the third quartile results, the mean duration being just 0.7346 years. It seems that with only two feed pumps, and therefore no redundancy, this system configuration can only operate until the first instance of a feed pump failure mode. Given that these occur quickly compared to other failure modes, see Table 2, the rest of the system is still in pristine condition and therefore the risk of unsafe shutdown (i.e., a "Coolant Fault" outcome) is low. The results for the first quartile parameters indicate a much more gradual decrease in the probability of the primary coolant system continuing to function with respect to time, such that there is a 70% likelihood that the reactor will still be operating at the end of the scheduled maintenance shutdown period. Interestingly, the steam separator maintenance delay (m_ss) is set to a higher value than the maintenance shutdown period (m_t), meaning that no precautionary shutdown occurs after the maintenance threshold (c_ss) is met. With this configuration, however, there is a 0.66% probability of a coolant fault requiring the use of the emergency mechanisms. This probability can be reduced to 0.13%, that is, an 80% improvement, by increasing monetary expenditure by 48% from 1.502 to 2.218 Cu h^−1. This gives the best safety on the Pareto front for configurations with three feed pumps, although it brings the average operating duration down by 44%, from 2.700 years to 1.510 years. Additional simulations with this configuration were also performed and are also shown in Figure 11, with the relevant parameters being m_t = 1.868 years, c_ss = 0.001530, m_ss = 0.1290 years, n_iv = 5, m_iv = 3.565 years, n_fp = 3, and m_fp = 8.969 years.
As expected, a faster drop off in the probability of uninterrupted operation is seen, but there remains a likelihood slightly greater than 50% that the scheduled maintenance time will be reached. To identify the parameters to which the performance metrics are most sensitive, the Spearman's rank correlation coefficients were calculated and are found in Table 4. While not all parameters are highly correlated with the performance outcomes, most Spearman's values have sufficiently small p-values for statistical significance. The Spearman's values of greatest magnitude are found for the maintenance shutdown period, the number of feed pumps, and the number of isolation valves, and in Figures 12-17 these design optimisation parameters are plotted against monetary expenditure per unit time and against safe shutdown probability, with relevant Pareto fronts included where applicable.
It is seen in Figure 12 that monetary expenditure per unit time falls with increasing maintenance shutdown period, making longer scheduled run times more cost effective. However, the curve has become quite flat once the upper end of its permitted range is reached. By contrast, in Figure 15 the deleterious effect on safety from increasing the maintenance shutdown period is seen, although it is most strongly expressed in the visible bands of concentrated non-optimal data points.
The number of isolation valves has little impact on the total expenditure per unit time, as seen in Figure 14, but the benefits to safety from having some measure of redundancy are obvious in Figure 17, although there appear to be no further gains from increasing the number beyond three. Some of the correlations with the number of feed pumps initially seem strange. In particular, the probability of safe shutdown appears negatively correlated with the level of redundancy, and it is also found that the average duration of operation is positively correlated with the parameter. Recalling that when examining the Pareto optimal points it was seen that the results where only two feed pumps were used had very short run times and high likelihoods of a safe outcome, it can be concluded that the same phenomenon is the cause of these results. Indeed, if Spearman's coefficient is recalculated for only the 3504 parameter sets in which n_fp > 2, a value of −0.0106 is found, with a 95% confidence interval of −0.0437 to 0.0225 and p = 0.5309, that is, no correlation between the number of feed pumps and safe shutdown probability can be established with those results excluded. While they are required for the reactor to safely remain online, given that the feed pumps lie beyond the turbine isolation valve, their failure should not impede the success of the shutdown condensation process, and this is reflected in Figure 16; as such, the revised Spearman's coefficient is not surprising. It is also seen that greater numbers of feed pumps increase monetary expenditure per unit time, with a clear anomaly for two feed pumps seen in Figure 13, due to the resulting short run times previously discussed.
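The two analysis steps described above, extracting the Pareto front (minimise cost, maximise safe shutdown probability) and ranking parameter sensitivity with Spearman's coefficient, including the subset recalculation for n_fp > 2 with a 95% confidence interval and p-value, are shown below as an added, self-contained example. This is not the paper's code: the parameter sets and performance values in SAMPLES are constructed for illustration, not Petri net simulation output, and the confidence interval and p-value use the Fisher z-transform with a normal approximation, which is an assumption that suits the thousands of samples in the paper but is coarse for a sample this small.

```python
"""Pareto front extraction and Spearman rank-correlation sensitivity analysis.

Added example, not the paper's code. SAMPLES holds constructed values
(cost per unit time in Cu/h, safe shutdown probability) chosen to mimic the
qualitative pattern reported in the text; they are not simulation results.
"""
import math
from statistics import mean

# Constructed parameter sets with assumed performance metrics.
SAMPLES = [
    {"id": 1,  "m_t": 1.0, "n_iv": 5, "n_fp": 3, "cost": 2.2, "p_safe": 0.9995},
    {"id": 2,  "m_t": 3.0, "n_iv": 5, "n_fp": 3, "cost": 1.5, "p_safe": 0.9936},
    {"id": 3,  "m_t": 6.0, "n_iv": 2, "n_fp": 2, "cost": 1.3, "p_safe": 0.9991},
    {"id": 4,  "m_t": 2.0, "n_iv": 3, "n_fp": 4, "cost": 2.6, "p_safe": 0.9985},
    {"id": 5,  "m_t": 8.0, "n_iv": 1, "n_fp": 3, "cost": 1.1, "p_safe": 0.9800},
    {"id": 6,  "m_t": 4.0, "n_iv": 2, "n_fp": 2, "cost": 1.4, "p_safe": 0.9990},
    {"id": 7,  "m_t": 5.0, "n_iv": 4, "n_fp": 3, "cost": 1.6, "p_safe": 0.9930},
    {"id": 8,  "m_t": 7.0, "n_iv": 1, "n_fp": 4, "cost": 1.9, "p_safe": 0.9850},
    {"id": 9,  "m_t": 2.5, "n_iv": 3, "n_fp": 3, "cost": 1.8, "p_safe": 0.9960},
    {"id": 10, "m_t": 9.0, "n_iv": 2, "n_fp": 3, "cost": 1.0, "p_safe": 0.9700},
]


def pareto_front(records, cost_key="cost", safety_key="p_safe"):
    """Non-dominated records: no other record is at least as cheap AND at least
    as safe while being strictly better in one of the two. O(n^2), fine for
    illustration; sort-based sweeps scale better for large samples."""
    front = []
    for r in records:
        dominated = any(
            o[cost_key] <= r[cost_key] and o[safety_key] >= r[safety_key]
            and (o[cost_key] < r[cost_key] or o[safety_key] > r[safety_key])
            for o in records if o is not r)
        if not dominated:
            front.append(r)
    return sorted(front, key=lambda r: r[cost_key])


def _average_ranks(values):
    """1-based ranks; tied values share their average rank (needed because
    discrete design parameters such as n_fp tie heavily)."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    ranks = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        avg = (i + j) / 2 + 1
        for k in range(i, j + 1):
            ranks[order[k]] = avg
        i = j + 1
    return ranks


def _pearson(x, y):
    mx, my = mean(x), mean(y)
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    return sxy / math.sqrt(sxx * syy)


def spearman(x, y, z_crit=1.959964):
    """Spearman's rho = Pearson correlation of the ranks, with a Fisher-z
    confidence interval (z_crit = 97.5th normal percentile -> 95% CI) and a
    two-sided p-value from the normal approximation (assumption, see lead-in).
    Returns (rho, ci_low, ci_high, p)."""
    n = len(x)
    if n < 4:
        raise ValueError("Fisher-z interval needs at least 4 observations")
    rho = _pearson(_average_ranks(x), _average_ranks(y))
    r = max(-0.999999, min(0.999999, rho))  # keep atanh finite at |rho| = 1
    z, se = math.atanh(r), 1.0 / math.sqrt(n - 3)
    lo, hi = math.tanh(z - z_crit * se), math.tanh(z + z_crit * se)
    p = math.erfc(abs(z) / se / math.sqrt(2.0))
    return rho, lo, hi, p


def sensitivity(records, param, metric, where=None):
    """Spearman's rho of a design parameter against a performance metric,
    optionally restricted to records satisfying `where` (e.g. n_fp > 2)."""
    subset = [r for r in records if where is None or where(r)]
    return spearman([r[param] for r in subset], [r[metric] for r in subset])


if __name__ == "__main__":
    print("Pareto front ids:", [r["id"] for r in pareto_front(SAMPLES)])
    for label, cond in (("all", None), ("n_fp > 2", lambda r: r["n_fp"] > 2)):
        rho, lo, hi, p = sensitivity(SAMPLES, "n_fp", "p_safe", cond)
        print(f"{label:9s} rho={rho:+.4f}  95% CI [{lo:+.4f}, {hi:+.4f}]  p={p:.4f}")
```

With the constructed sample the two-pump configurations sit on the front at low cost and high safety exactly as the text describes, which drags the all-data correlation between n_fp and p_safe negative; restricting to n_fp > 2 removes that artefact and leaves an interval straddling zero. Applying the same interval formula to the paper's figures (rho = −0.0106, n = 3504) reproduces its reported bounds of −0.0437 and 0.0225.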

CONCLUSIONS
In this work, design and maintenance parameters for the primary coolant system of a nuclear reactor were sampled by a Monte Carlo method and used to generate Petri net models corresponding to those values. Simulation of the Petri nets generated data relating to the performance of the sampled configurations in terms of monetary expenditure, probability of safe shutdown, and duration of operation without interruption from a critical fault. The Pareto optimal parameter sets were then identified and discussed. The most balanced solution is arguably the Pareto optimal parameter set with the safest performance of those which had three feed pumps. However, ultimately the preferred configuration is dependent on the priorities of those responsible for the system (operators, regulators, etc.) as well as their degree of willingness to rely on emergency shutdown mechanisms. Regardless of what those priorities might be, the methodology discussed in this work should serve as a useful means to extract the performance data critical to inform such decision making. Future work should consider a greater array of cost factors. In particular, simulations should be conducted in which an individual system is returned to use following maintenance shutdown and examined over a fixed long-term period, with inclusion of the equivalent cost resulting from the loss of the supply of electricity from the power plant to the grid during these periods. Furthermore, there exist more complex methodologies for the iteration of system parameters, such as simulated annealing, 42 genetic algorithms, 43 or metaheuristics, 44 and these could be used to more efficiently converge upon the optimal configuration.

ACKNOWLEDGMENTS
This work was supported by the Engineering and Physical Sciences Research Council as part of the NuRes project (Grant number EP/R021988/1) within the UK-India Civil Nuclear Collaboration program.

DATA AVAILABILITY STATEMENT
Research data are not shared.