ML20065G872
ML20065G872 | |
Person / Time | |
---|---|
Site: | Beaver Valley |
Issue date: | 08/23/1988 |
From: | Beldecos F, Deahna S, Martin R DUQUESNE LIGHT CO. |
To: | |
Shared Package | |
ML20065G860 | List: |
References | |
NUDOCS 9010240043 | |
Text
{{#Wiki_filter:ATTACHMENT F

BEAVER VALLEY POWER STATION NO. 1 AND NO. 2 MOISTURE SEPARATOR-REHEATER STATUS REPORT

9010240043 901001 PDR ADOCK 05000412 P PNU

DUQUESNE LIGHT COMPANY
Beaver Valley Power Station

Beaver Valley Power Station No. 1 and No. 2 Moisture Separator-Reheater Status Report

August 23, 1988

Prepared by: Scott T. Deahna
Reviewed by: Fra B d L
Approved by: Roger E. Martin
BEAVER VALLEY POWER STATION NO. 1 AND 2 MOISTURE SEPARATOR-REHEATER REPORT

TABLE OF CONTENTS

Section Description

I. INTRODUCTION
II. SUMMARY
III. CONCLUSIONS AND RECOMMENDATIONS
IV. ATTACHMENTS
A. Unit 1 MSR System Composite Tests Data Versus Design
B. Westinghouse Drawings - Alterations to Moisture Separator-Reheater
I. INTRODUCTION

During the Unit 1 sixth refueling outage, extensive repairs were performed on all four (4) Moisture Separator-Reheaters (MSR's). This report discusses 1) factors which led to the Unit 1 MSR damage, 2) results of post 6-R thermodynamic performance analysis, and 3) the future reliability of the Unit 1 MSR's. The Unit 2 MSR's were evaluated for similar damage susceptibility and present thermodynamic performance.

II. SUMMARY

During the Unit 1 sixth refueling outage, two (2) types of damage were discovered in the MSR's. The first type of damage was the failure of the reheat steam inlet hemihead partition plate. The hemihead partition plate isolates the top half of the U-tube bundle from the bottom half. Its integrity is required to ensure proper reheat steam flow. The second type of damage is the failure of shellside closure plates. The integrity of the closure plates is required in order to direct the turbine cycle steam through the chevron type moisture separating sections of the MSR without leaking around the reheater.

The failure of the hemihead partition plate was due to an increase in the tube side (partition plate) pressure drop. Partition plate pressure drop increases as steam velocity (flow) through the U-tubes of the reheater increases. Steam flow through the first pass tubes increases (1) as first-pass tubes are plugged, (2) with the addition of the vent condenser modification and/or (3) during interceptor/stop valve testing. During interceptor/stop valve testing, the cycle steam flow to one (1) MSR is shut off and diverted mostly to the opposite side MSR, resulting in significantly higher shellside (cycle steam) velocity (flow) rates and the corresponding pressure drops. These pressure drops overstress shellside closure plates. At the same time, the heat transfer across the three (3) active tube bundles is increased due to higher shellside flow and this causes additional reheat steam to be cooled in the tubes, resulting in larger tubeside pressure drops. The increase of pressure difference across the partition plates, due to the arrangement of the vent condenser plus the added pressure unbalance during valve testing, are the prime causes of the partition plate failures. The cumulative effects from interceptor/stop valve testing are considered the primary cause of the shellside closure plate damage.

The Unit 1 MSR hemihead partition plates which failed were 0.50" thick steel plates, reinforced with a rib on the backside. The repair consisted of completely removing this plate and installing a 1.0" thick steel plate with two (2) reinforcing ribs on the top side. The repair prevents access to the lower half of the tube bundle. Although the wet-vacuum tube test procedure can still be utilized and repairs to the top half tube sheet can be made, any tube leaks or lower half tube to tube sheet erosion cannot be repaired and will, therefore, lead to cumulative unrepairable mechanical degradation.

The shellside of the MSR's is separated into eight (8) compartments. All closure plates were 0.250" thick. The current standard for closure plate thickness is 0.620". The top-to-side closure plate joint was additionally reinforced by one (1) vertical gusset in each compartment. This reinforcement was not sufficient to prevent the top closure plate upward displacement from failing the top-to-side closure plate joint in one of the center compartments. An additional 0.250" plate was installed to reinforce the top closure plates in the center two (2) compartments of each MSR. Further failure of either type is not anticipated at Unit 1.

Analysis of 100% power Unit 1 MSR System Test Data, taken on June 20, 1988, indicates that the composite MSR System performance compares reasonably well to design parameters. (See Attachment A for a tabulation of composite test data versus design.) The Unit 1 reheaters are presently consuming 6.5% greater than design reheat steam flow and the low pressure turbine inlet temperature averages 8.8°F lower than design. If the low pressure turbine inlet steam temperature was increased to the design temperature, the reheat steam flow would increase to a value which would indicate the actual off-design performance of the MSR's.

Individual MSR performance varies. No specific operating problems are noted and no single MSR can be identified as a particularly poor performer, based on the calibrated accuracy of the plant and test instrumentation. Moisture separator flow computer points F2012A and F2032A appear to be indicating higher flows, based on a calculated moisture separator removal effectiveness of greater than 100%. As a result, flow transmitters FT-SD-106B and FT-SD-106D should be examined for calibrated accuracy prior to the next test. Also, new calibrated pressure indicators are needed to indicate crossover pressure at the PI-MS-107B and PI-MS-107D locations.

The test data indicates a flow imbalance between the A and C train and the B and D train. The A and C train is utilizing 48 KBH more reheat steam than the B and D train. The A and C reheat steam pressure is higher and the A and C cycle steam outlet temperature is 10°F higher than the B and D train. The difference is believed to be a difference in the lifts of the reheat steam flow control valves FCV-MS-100A (C).

The Unit 1 Moisture Separator-Reheater System Composite Test Data (Attachment A) is suitable for input to an actual baseline thermodynamic heat balance.
Following the discovery of the specific MSR failure modes at Unit 1, an investigation was performed to determine the susceptibility of the Unit 2 MSR's to similar failures. It was determined that the Unit 2 MSR hemihead partition plate is 0.750" thick and the shell separation plate is 0.250" thick. In 1980, the following alterations (see Attachment B, Westinghouse MSR Alteration Drawings) were planned for the Unit 2 MSR's:

- a. Cycle steam distribution manifold alteration
- b. Deck plate addition between the chevron sections
- c. Chevron inlet perforated plate addition
- d. Tube bundle holddown
- e. Reinforce hemihead partition plate (add bracing pipe)
- f. Reinforce shellside closure plates

The same alterations were to be made to the Unit 1 MSR's in 1978. During 6R, it was verified that alterations (e) and (f) were not completed. Records could not be found to indicate whether all of the alterations were performed on the Unit 2 MSR's. Alterations (e) and (f) are of significant importance to the Unit 2 MSR reliability.

Unit 2 MSR Operating Data collected on August 16, 1988, indicates that the A-MSR hemihead partition plate may have already completely failed. The A-MSR reheat drain tank indicates throttle steam pressure, reheat drain flow (corrected for improper computer point flow coefficient) is low and cycle steam outlet temperature is low. The B-MSR hemihead partition plate may also be damaged based on a reheater high drain tank pressure.

The Unit 2 Moisture Separator-Reheaters are presently under Westinghouse warranty. All four (4) Unit 2 MSR's should be completely inspected during 1R. Any damage found should be repaired by Westinghouse at no charge to Duquesne Light Company. Particular attention should be given to shellside closure plate reinforcements since the closure plate thickness does not meet current standards. The shellside top closure plate was to have a rib installed in the horizontal direction, running the length of the plate. The rib should also be welded at its ends to the compartment divider plates. This modification is required to enable the MSR's to withstand turbine valve testing. The reheat steam hemihead partition plate should contain a removable section to allow access to the lower half tube sheet and a bracing pipe should be located underneath the partition plate.
A Unit 2 MSR System Performance Test and Analysis Program will be established, following 1R, to obtain baseline heat balance input data and to trend the system performance to determine when tube testing may be required.

III. CONCLUSIONS AND RECOMMENDATIONS

The Unit 1 Moisture Separator-Reheater System is presently utilizing 6.5% excess reheat steam flow with the low pressure turbine inlet steam temperature an average of 8.8°F below design. Further structural damage is not indicated or anticipated. However, tube leaks and lower U-tube, tube-to-tubesheet erosion will continue to degrade the tubes and tubesheet at an accelerated rate. Once degradation occurs, no repairs are possible due to the inaccessibility of the lower half of the tube bundle. Engineering and Testing and Plant Performance should continue to analyze system performance to ascertain when tube bundle replacement will become necessary.

Unit 2 Moisture Separator-Reheater Operating Data indicates that the reheat steam inlet hemihead partition plates are also susceptible to failure. The Unit 2 MSR's should be completely inspected during 1R to ascertain which alterations were not installed and to repair any visible damage. Engineering, with Testing and Plant Performance, should establish a Unit 2 Moisture Separator-Reheater Test and Analysis Schedule following 1R.
BEAVER VALLEY POWER STATION
Moisture Separator-Reheater Report

ATTACHMENT A

Unit 1 MSR System Composite Test Data Versus Design Values

Design Values from Westinghouse Heat Balance CT-22484 (2660 MWt)

Parameter | Test Value | Design Value |
---|---|---|
Turbine First Stage Pressure | 536 PSIA | 540 PSIA |
Turbine First Stage Flow | 10,700 KBH | 10,794 KBH |
Reheat Steam Flow | 772.7 KBH | 725.2 KBH |
Reheat Steam Pressure | 776.9 PSIA | 746 PSIA |
Reheat Drain Flow | 649.9 KBH | 572.5 KBH |
Reheat Drain Pressure | 703.5 PSIA | 738 PSIA |
Reheat Drain Temperature | 503.6 °F | 510 °F |
Crossunder Pipe Flow | 9,179 KBH | 9,273.1 KBH |
Crossunder Pipe Pressure | 216.5 PSIA | 218.8 PSIA |
Separator Drain Flow | 942.4 KBH | 877.2 KBH |
Separator Drain Temperature | 387.8 °F | 388 °F |
Crossover Pipe Flow | 8,236 KBH | 8,396 KBH |
Crossover Pipe Pressure | 185.4 PSIA | 202 PSIA |
Crossover Pipe Temperature | 475.4 °F | 484.2 °F |
M.S.R. Terminal Temp. Difference | 28.3 °F | 25 °F |
M.S.R. Cycle Steam Pressure Drop | 9.55 % | 8 % |
Low Press Turbine Inlet Superheat | 99.9 °F | 100 °F |
[Attachment B: Westinghouse Drawings - Alterations to Moisture Separator-Reheater. Drawing content is not recoverable from the scan.]
ATTACHMENT G

ANALYSIS OF THE PROBABILITY OF A NUCLEAR TURBINE REACHING DESTRUCTIVE OVERSPEED

TOPICAL REPORT FOR NRC USE

Submitted to NUCLEAR REGULATORY COMMISSION

JULY, 1984

Westinghouse Steam Turbine Generator Division
NO WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE, OF MERCHANTABILITY OR WARRANTIES ARISING FROM COURSE OF DEALING OR USAGE OR TRADE, ARE MADE REGARDING THE INFORMATION AND DESCRIPTIONS CONTAINED HEREIN. In no event will Westinghouse be responsible to the user in contract, in tort (including negligence), strict liability or otherwise for any special, indirect, incidental or consequential damage or loss whatsoever including but not limited to damage to or loss of use of equipment, plant or power system, cost of capital, loss of profits or revenues, cost of replacement power, additional expenses in the use of existing power facilities, or claims against the user by its customers resulting from the use of the information and descriptions contained herein.
UNITED STATES
NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20606

FES02 g

Mr. James A. Martin, Fellow Engineer
Generation Technology Systems Division
Westinghouse Electric Corporation
The Quadrangle, MC 203
4400 Alafaya Trail
Orlando, Florida 32826-2399

Dear Mr. Martin:

SUBJECT: APPROVAL FOR REFERENCING OF LICENSING TOPICAL REPORTS - WSTG-1-P, MAY 1981, "PROCEDURES FOR ESTIMATING THE PROBABILITY OF STEAM TURBINE DISC RUPTURE FROM STRESS CORROSION CRACKING," MARCH 1974, "ANALYSIS OF THE PROBABILITY OF THE GENERATION AND STRIKE OF MISSILES FROM A NUCLEAR TURBINE", WSTG-2-P, MAY 1981, "MISSILE ENERGY ANALYSIS METHODS FOR NUCLEAR STEAM TURBINES", AND WSTG-3-P, JULY 1984, "ANALYSIS OF THE PROBABILITY OF A NUCLEAR TURBINE REACHING DESTRUCTIVE OVERSPEED"

We have completed our review of the subject topical reports. We find these reports are approved for referencing in license applications to the extent specified and under the limitations delineated in the reports and the associated NRC evaluation which is enclosed. The evaluation defines the basis for the approval of the reports.

We do not intend to repeat our review of the approved matters described in the reports when the reports appear as references in license applications except to assure that the material presented is applicable to the specified plant involved. Our approval applies only to the matters described in the reports.

In accordance with procedures established in NUREG-0390, it is requested that Westinghouse publish approved versions of these reports, proprietary and non-proprietary, within three months of receipt of this letter. The accepted version should incorporate this letter and the enclosed evaluation between the title page and the abstract. The approved version shall include an -A (designating approved) following the report identification symbol.

Contact: S. Lee X28781

Should our criteria or regulations change such that our conclusions as to the acceptability of the reports are invalidated, Westinghouse and/or the licensees referencing the topical reports will be expected to revise and resubmit their respective documentation, or submit justification for the continued effective applicability of the topical reports without revisions of their respective documentation.

Sincerely,

Charles E. Rossi, Assistant Director
Division of PWR Licensing-A

Enclosure: As Stated

cc: W. J. Johnson
5.0 REFERENCES

- 1. S. H. Bush, "Probability of Damage to Nuclear Components," Nuclear Safety, [volume illegible], 3, (May - June) 1973, p. 187; and S. H. Bush, "A Reassessment of Turbine-Generator Failure Probability," Nuclear Safety, [volume illegible], 6, (Nov - Dec.) 1978, p. 681.
- 2. NUREG/CR-1884, "Observations and Comments on the Turbine Failure at Yankee Atomic Electric Company, Rowe, Massachusetts," March 1981.
- 3. Preliminary Notification of Event or Unusual Occurrence -- PNO-III-81-104 - "Circle in the hub of the eleventh stage wheel in the main turbine" at Monticello Nuclear Power Station, Nov. 24, 1981.
- 4. Licensee Event Report No. 82-132, Docket No. 50-361 - "failure of turbine stop valve 2VV-2200E to close fully" at San Onofre Nuclear Generating Station, Unit 2, Nov. 19, 1982.
- 5. J. J. Burns, Jr., "Reliability of Nuclear Power Plant Steam Turbine Overspeed Control Systems," 1977 ASME Failure Prevention and Reliability Conference, Chicago, Illinois (Sept.) 1977, p. 27.
- 6. D. Kalderon, "Steam Turbine Failure at Hinkley Point A," Proc. Instn. Mech. Engrs., [volume illegible], 31/72, 1972, p. 341.
- 7. W. G. Clark, Jr., B. B. Seth, and D. H. Shaffer, "Procedures for Estimating the Probability of Steam Turbine Disc Rupture from Stress Corrosion Cracking," ASME/IEEE Power Generation Conference, Oct. 4-8, 1981, St. Louis, Missouri.
- 8. D. C. Gonea, "An Analysis of the Energy of Hypothetical Wheel Missiles Escaping from Turbine Casings," General Electric Company - Turbine Department Report, February 1973.
- 9. S. McHugh, L. Seaman and Y. Gupta, "Scale Modeling of Turbine Missile Impact into Concrete," Final Report NP-2746, February 1983.
- 10. R. L. Woodfin, "Full-scale Turbine Missile Concrete Impact Experiments," prepared by Sandia National Laboratories under EPRI Research Project 399-1, Final Report NP-2745, February 1983.
- 11. "Review of Westinghouse Report 1: Procedures for Estimating the Probability of Steam Turbine Disc Rupture from Stress Corrosion Cracking, WSTG-1-P, May 1981," L. J. Teutonico and Y. M. Sanborn, Brookhaven National Laboratory, July 1983. (Proprietary)
- 12. "Review of Westinghouse Report 2: Analysis of the Probability of the Generation and Strike of Missiles from a Nuclear Turbine, March 1974," L. J. Teutonico, Y. M. Sanborn, and J. G. Alastead, Brookhaven National Laboratory, June 1983. (Proprietary)
- 13. "Review of Westinghouse Report 3: Missile Energy Analysis Methods for Nuclear Steam Turbines, WSTG-2-P, May 1981," L. J. Teutonico and H. Ming Chen, Brookhaven National Laboratory, December 1983. (Proprietary)
SAFETY EVALUATION REPORT
COMPONENT INTEGRITY SECTION
MATERIALS ENGINEERING BRANCH

WESTINGHOUSE REPORTS:

- 1. "Procedures for Estimating the Probability of Steam Turbine Disc Rupture from Stress Corrosion Cracking," Westinghouse Steam Turbine Generator Division, WSTG-1-P, May 1981. (Proprietary)
- 2. "Analysis of the Probability of the Generation and Strike of Missiles from a Nuclear Turbine," Westinghouse Steam Turbine Generation Division, March 1974.
- 3. "Missile Energy Analysis Methods for Nuclear Steam Turbines," Westinghouse Steam Turbine Generator Division, WSTG-2-P, May 1981. (Proprietary)
- 4. "Analysis of the Probability of a Nuclear Turbine Reaching Destructive Overspeed," Westinghouse Steam Turbine Generator Division, WSTG-3-P, July 1984. (Proprietary)

SUMMARY AND CONCLUSIONS
The objective of the NRC staff's review of the subject reports was to evaluate and, if appropriate, to approve of the methods and procedures utilized by the Westinghouse Steam Turbine Generator Division (Westinghouse) to determine specific turbine system inspection and testing intervals for their respective utility customers.

During the past few years, the staff has recommended a probabilistic approach to determine turbine rotor inspection intervals and turbine control system maintenance and testing frequencies so as to maintain the as-built turbine system integrity. The Westinghouse reports describe such an approach generically and, to the extent possible, support it with test and turbine system operating experience data. The staff recognizes that probabilistic analyses based on limited statistical data, especially for a complex system, will include inherent uncertainties. Nevertheless, when the overall approach includes conservative assumptions which overcome the uncertainties, then the ultimate results can be meaningful.

We conclude that the methodology described in the Westinghouse reports is state-of-the-art and is acceptable for use in establishing maintenance and inspection schedules for specific turbine systems. The staff was assisted in its review by Brookhaven National Laboratory, references 11, 12, and 13. Applicants or licensees who accept Westinghouse's recommendations, based on these reports, should confirm their commitment to the staff and provide a description of their specific maintenance and inspection program including a curve (or curves) of missile probability ($P_1$) versus service time for their specific turbine rotors.
1.0 BACKGROUND

Although large steam turbines and their auxiliaries are not safety-related systems as defined by NRC regulations, failures that occur in these turbines can produce large, high energy missiles. If such missiles were to strike and to damage plant safety-related structures, systems, and components, they could render them unavailable to perform their safety function. Consequently, General Design Criterion 4, "Environmental and Missile Design Bases," of Appendix A, "General Design Criteria for Nuclear Power Plants," to 10 CFR Part 50, "Domestic Licensing of Production and Utilization Facilities," requires, in part, that structures, systems, and components important to safety be appropriately protected against the effects of missiles that might result from such failures. In the past, with regard to construction permit (CP) and operating license (OL) applications, evaluation of the effects of turbine failure on the public health and safety followed Regulatory Guide 1.115, "Protection Against Low-Trajectory Turbine Missiles," and three essentially independent Standard Review Plan (SRP) Sections: 10.2 "Turbine Generator," 10.2.3 "Turbine Disk Integrity," and 3.5.1.3 "Turbine Missiles."
According to NRC guidelines stated in Section 2.2.3 of the SRP and Regulatory Guide 1.115, the probability of unacceptable damage from turbine missiles ($P_4$) should be less than or equal to about 1 chance in 10 million per year for an individual plant, that is, $P_4 \le 10^{-7}$ per year. The probability of unacceptable damage resulting from turbine missiles is generally expressed as the product of (1) the probability of turbine failure resulting in the ejection of turbine disc (or internal structure) fragments through the turbine casing ($P_1$); (2) the probability of ejected missiles perforating intervening barriers and striking safety-related structures, systems, or components ($P_2$); and (3) the probability of struck structures, systems, or components failing to perform their safety function ($P_3$).

In the past, analyses assumed the probability of missile generation ($P_1$) to be approximately $10^{-4}$ per turbine year, based on the historical failure rate (Ref. 1). The strike probability ($P_2$) was estimated on the basis of postulated missile sizes, shapes, and energies and on available plant-specific information such as turbine placement and orientation, number and type of intervening barriers, target geometry, and potential missile trajectories. (See SRP Section 3.5.1.3 for a description of the evaluation procedures previously recommended by the staff.) The damage probability ($P_3$) was generally assumed to be 1.0. The overall probability of unacceptable damage to safety-related systems ($P_4$), which is the sum over all targets of the product of these probabilities, was then evaluated for compliance with the NRC safety objective. This logic places the regulatory emphasis on the strike probability, that is, it necessitates that $P_2$ be made less than or equal to $10^{-3}$, and disregards all the plant specific factors that determine the actual $P_1$ and its unique time dependency.

Although the calculation of strike probability is not difficult in principle, for the most part being not more than a straightforward ballistics analysis, it presents a problem in practice. The problem stems from the fact that numerous modeling approximations and simplifying assumptions are required to make tractable the incorporation into acceptable models of available data on the (1) properties of missiles, (2) interactions of missiles with barriers and obstacles, (3) trajectories of missiles as they interact with and perforate (or are deflected by) barriers, and (4) identification and location of safety-related targets. The particular approximations and assumptions made tend to have a significant effect on the resulting value of $P_2$. Similarly, a reasonably accurate specification of the damage probability ($P_3$) is not a simple matter because of the difficulty in defining the missile impact energy required to render given safety-related systems unavailable to perform their safety functions, and the difficulty in postulating sequences of events that would follow a missile producing turbine failure.

Operating experience shows that nuclear turbine discs crack (Refs. 2 and 3), that turbine stop and control valves fail (Refs. 4 and 5), and that disc ruptures could result in the generation of high energy missiles (Ref. 6). Analyses (Refs. 5 and 7) show that missile generation can be modeled and the probability can be strongly influenced by inservice testing and inspection frequencies.

During the past few years, the results of turbine inspections at operating nuclear facilities indicate that cracking to various degrees has occurred at the inner radius of turbine discs of Westinghouse design. Within this period, a Westinghouse turbine disc failure occurred at one facility owned by the Yankee Atomic Electric Company (Ref. 2). More recent inspections of General Electric turbines have also discovered disc keyway cracking (Ref. 3). Stress corrosion has been identified by both manufacturers as the operative cracking mechanism.

In view of operating experience and NRC safety objectives, the NRC staff has shifted emphasis in the reviews of the turbine missile issue from the strike and damage probability ($P_2 \times P_3$) to the missile generation probability ($P_1$) and, in the process, has attempted to integrate the various aspects of the issue into a single, coherent evaluation.

Through experience of reviewing various licensing applications, the staff has concluded that $P_2 \times P_3$ analyses provide only "ball park" or "order of magnitude" values. Based on simple estimates for a variety of plant layouts, the staff also concludes that the strike and damage probability product ($P_2 \times P_3$) can be reasonably taken to fall in a characteristic narrow range which is dependent on the gross features of plant layout with respect to turbine generator orientation; i.e., (a) for favorably oriented turbine generators $P_2 \times P_3$ tends to lie in the range of $10^{-4}$ to $10^{-3}$ and (b) for unfavorably oriented turbine generators $P_2 \times P_3$ tends to lie in the range $10^{-3}$ to $10^{-2}$. In addition, detailed analyses such as those discussed in this evaluation show that, depending on the specific combination of material properties, operating environment, and maintenance practices, $P_1$ can have values from $10^{-9}$ to $10^{-1}$ per turbine year depending on the turbine test and inspection intervals. For these reasons, in the evaluation of $P_4$ ($= P_1 \times P_2 \times P_3$), the probability of unacceptable damage to safety related systems from potential turbine missiles, the staff is giving credit for the product of the strike and damage probabilities of $10^{-3}$ for a favorably oriented turbine and $10^{-2}$ for an unfavorably oriented turbine, and is discouraging the elaborate calculation of these values.

The staff believes that maintaining an initial small value of $P_1$ through turbine testing and inspection is a reliable means of ensuring that the objectives precluding turbine missiles and unacceptable damage to safety-related structures, systems, and components can be met. It simplifies and improves procedures for evaluation of turbine missile risks and ensures that the public health and safety is maintained.

To implement this shift of emphasis, the staff recently has proposed guidelines for total turbine missile generation probabilities (Table 1) to be used for determining (1) frequencies of turbine disc ultrasonic inservice inspections and (2) maintenance and testing schedules for turbine control and overspeed protection systems. It should be noted that no change in safety criteria is associated with this change in emphasis.
Table 1. Turbine System Reliability Criteria

| Criterion | Probability, yr^-1: Favorably Oriented Turbine | Probability, yr^-1: Unfavorably Oriented Turbine | Required Licensee Action |
|---|---|---|---|
| (A) | P1 < 10^-4 | P1 < 10^-5 | This is the general, minimum reliability requirement for loading the turbine and bringing the system on line. |
| (B) | 10^-4 < P1 < 10^-3 | 10^-5 < P1 < 10^-4 | If this condition is reached during operation, the turbine may be kept in service until the next scheduled outage, at which time the licensee is to take action to reduce P1 to meet the appropriate A criterion (above) before returning the turbine to service. |
| (C) | 10^-3 < P1 < 10^-2 | 10^-4 < P1 < 10^-3 | If this condition is reached during operation, the turbine is to be isolated from the steam supply within 60 days, at which time the licensee is to take action to reduce P1 to meet the appropriate A criterion (above) before returning the turbine to service. |
| (D) | 10^-2 < P1 | | |
in turbine failure; one due to rotor material failure at approximately the rated operating speed, or one due to failure of the overspeed protection systems resulting in excessive rotor speeds.

Failures of turbine discs at or below the design speed, nominally 120 percent of normal operating speed, can be caused by small flaws or cracks left during fabrication or those that initiate during operation and grow to critical size either by fatigue crack growth, by stress corrosion crack growth, or by a combination of both of these mechanisms. Cracks in the bore or hub region of turbine discs could eventually lead to disc failure.

Failures of turbine discs at the destructive overspeed can result from a failure of the governor and overspeed protection systems, consisting of: (i) speed sensing and tripping systems and (ii) steam valves. If the turbine is out of control, its speed can increase until failure occurs. For unflawed discs, destructive overspeed is reached at about 180 to 190 percent of the normal operating speed. In general, failures that occur at destructive overspeed are caused by stresses which exceed the material's tensile strength.

In the event of a turbine disc burst, high velocity missile-like fragments may break through the turbine casing, possibly generating secondary missiles. These missiles have a potential of damaging reactor safety systems. Alternately, the disc fragments could be arrested and contained by the turbine itself. Hence, in evaluating the risk associated with turbine disc rupture, it is necessary to determine whether or not missiles external to the casing can be generated by postulated disc ruptures.

This SER considers the above possibilities and summarizes the review and evaluation of the Westinghouse reports, listed earlier, which describe Westinghouse procedures for estimating (a) the design speed missile generation probability, (b) the destructive overspeed missile generation probability, and (c) the perforation of the turbine casing by turbine disc burst fragments.

3.0 DISCUSSION / EVALUATION

Following are summaries of evaluations performed by Brookhaven National Laboratory (BNL) as contractor to NRC staff:

3.1 Procedures for Design Speed Failure Probability Calculations (Report 1)

This subsection evaluates the procedures used by Westinghouse for calculating the design speed probabilities of disc rupture and turbine missile generation. The results of the evaluation yield the following conclusions and recommendations:

1. The methodology employed for the calculation of disc rupture and turbine missile generation probabilities is a straightforward application of probabilistic concepts.

2. The use of fracture mechanics to develop a critical crack size model is a standard approach to problems in which criteria are established for fracture instability in the presence of a crack. The modifications introduced by Westinghouse based on their observations of bore and keyway cracks are reasonable.

3. The crack growth rate equation is derived by classical regression methods. The choice of model which relates the natural log of the crack growth rate directly to yield stress and reciprocal temperature is justified by the data.
4. The methodology was checked out in a test case supplied by Westinghouse. There was virtual agreement between the BNL and Westinghouse calculations of the probabilities of disc rupture and turbine missile generation.

5. Our (i.e., BNL's) only reservations concern the input data to the calculations of crack initiation probabilities, critical crack size, and crack growth rate; discussed separately, as follows:

a) Crack Initiation Probabilities: To evaluate the effect of the uncertainties of the crack initiation probability estimates, it is suggested that the turbine missile generation probability be calculated using the conservative estimates of crack initiation probabilities for the turbine units without existing cracks in their discs.

b) Critical Crack Model: Our concern here is with the calculation of the variance of the critical crack depth. The variance is related to the variations in fracture toughness and bore stress. The variability supplied by Westinghouse for the latter appears reasonable. We have doubts about the former only because the variation of K_IC depends on the values of Charpy energy and yield strength provided by the disc supplier, and we do not know to what extent these have been checked by Westinghouse. In the British work it was found (upon test) that the Charpy energies were significantly lower than the supplied values. If the variability of K_IC is indeed larger, then the variance of a_cr is also, and the calculated values of P would be higher. Also, not having seen the data, we do not know if the assumption of variability equal to three (3) standard deviations is justified. Even if the magnitudes of the variabilities are correct, setting them equal to two (2) standard deviations would result in higher values of P2.

c) Crack Growth Rate: The crack growth rate equation derived by regression is only as good as the raw data on which it is based. The latter contain a number of uncertainties (discussed above), principal of which appears to be the time of crack initiation. The assumption of zero incubation time to initiation underestimates the crack growth rate. Since some of the service times employed in the calculations are only a factor of two (2) or so larger than experimentally determined crack initiation times, the use of a zero incubation time could have a pronounced bearing on the calculation of crack growth rate. The question of incubation time can only be resolved by reinspection. Until that is done, it is recommended that a more conservative estimate of crack growth rate be utilized in the calculation of P1. Use of a more conservative crack growth rate will increase the value of the turbine missile generation probability P1.

The NRC staff recognizes BNL's reservations with regard to Report 1. In the past we have reviewed crack initiation probabilities, critical crack sizes and crack growth rates with Westinghouse on numerous occasions during our evaluations of case-specific issues. While there are uncertainties in the above areas, we believe that Westinghouse's overall analysis is conservative and is essentially consistent with the staff's recommendations.

3.2 Overspeed Failure Missile Generation Probabilities (Report 2)

An evaluation is made of the procedures used by Westinghouse for calculating the probability that the turbine will attain the destructive overspeed condition following a full load system separation resulting in the generation of turbine missiles. No discussion of the probability of such a system separation was included; for most of the calculations an average rate of one (1) per year has been assumed. Calculations were carried out for two (2) confidence levels at 95 and 50%. These confidence levels do not refer to the calculated probabilities P3 but rather to certain input values used to make the calculations; i.e., confidence bounds on the probability of malfunction for the basic events were obtained and used to generate the P3 values. Cases 1 and 2 are considered by Westinghouse to be very conservative upper bounds on the overspeed probability. Cases 3 and 4 are considered to be best approximations to a point estimate of the true overspeed probability.

Report 2 proceeds in a logical and straightforward manner: development of a turbine model and a model for overspeed probability, construction of a fault tree for destructive overspeed, calculation of basic event probabilities from service experience or estimates, and direct evaluation of the fault tree (using the basic event probabilities) to obtain P3, the probability of destructive overspeed.

Although Report 2 appears to present a thorough analysis of the problem of destructive overspeed, a number of points remain to be clarified or resolved:

i) the general applicability of the turbine model to current units should be demonstrated;

ii) the requisite system schematics should be supplied in order to confirm the applicability of the generic fault tree;

iii) with regards to the calculation of the basic event probabilities for which there were not sufficient service data and hence required estimates, a discussion of how the estimates were made and a demonstration of conservatism are needed;

iv) with information supplied as to which basic events are valve specific and which are not, an attempt should be made to resolve the discrepancy between the BNL and Westinghouse calculations of destructive overspeed probability; and

v) with the discrepancy resolved, the quantitative importance of minimal cut sets and components should be determined (since these could point the way toward a possible reduction in P3).

The NRC staff has considered BNL's comments regarding Report 2. This subject has also been discussed with Westinghouse in the past. The difficulty in doing a generic review of turbine overspeed probability arises because of the variety of overspeed control systems and valve design details found in service. Also, maintenance and testing procedures can differ. Control systems are generally complex and contain redundant elements. Their reliability in commercial applications has been demonstrated to be good. As a consequence, the contribution of potential overspeed failures to P3 is relatively small and the uncertainties mentioned by BNL do not significantly affect the overall turbine system failure probability. Subsequent to the BNL review of Report 2, Westinghouse submitted Report 4 (which BNL did not review). This latter report addresses BNL's concern. Based on our reviews of specific cases and on our review of Report 4, the staff believes that Westinghouse treats this matter in a reasonable manner.

3.3 Disc Fragment Containment Analysis (Report 3)

This subsection evaluates the procedures used by Westinghouse for calculating the perforability of turbine casings by disc fragments. The evaluation is summarized as follows:

1. The Hagg-Sankey method of containment analysis has been reviewed and found acceptable because the criteria for penetration/containment given in the Hagg-Sankey work are clearly supported by test results.

2. The disc fragment penetration/containment criteria of the Hagg-Sankey method are applicable only to the model structures for which they were derived. The subject report extends the principles of the Hagg-Sankey method to actual turbine structures and utilizes the results of additional testing carried out by Westinghouse during 1979. Modifications to accommodate ring-type stationary structures include: (a) consideration of asymmetric collisions, two-ring collisions, brittle fracture, and piercing, (b) calculation of the effective mass of rings with irregular cross sections for momentum transfer, and (c) calculation of energy absorbing capacities in shearing/stretching of rings with bolt joints. The numerous cases and subcases of possible collisions which are presented in the subject report involve calculations of effective target mass, j a ti 1 po h a rea na 1 re o a i 4 presented between the analytical results and the experimental test results (as in the Hagg-Sankey paper). Hence, one cannot say to what degree the predictive calculations (based on the subject report) will be reliable.

3. It is assumed that the Westinghouse tests were not full scale tests. The question of scalability has been addressed by other investigators. Turbine missile impact experiments were carried out for both full scale and 1/5 scale models (120° disc sectors for both blunt and piercing impact orientations) and the results published in two (2) recent reports. The results of the scale-model experiments agreed well with the results of the full-scale experiments and were sufficient to demonstrate scalability.

4. It should be noted that, as far as the calculation of P1 (the probability of missile generation) is concerned, the only information required is whether or not the fragment is contained. Specific values of the weight, velocity and kinetic energy of exiting missile fragments have no bearing on the P1 calculation. For contained fragments, no distinction is made between the case in which a disc bursts but is contained and the case in which no burst is possible, as far as evaluating the risk of missiles is concerned.

Unless a ruptured turbine disc results in a fragment that penetrates the turbine casing and becomes a missile, the potential consequences to facility safety systems is minimal. Therefore, it is desirable to know the probability of various size discs of doing so should they rupture. Unfortunately, this knowledge is impractical to obtain by resorting to many full-scale tests using modern turbine geometry. Hence, one must rely on interpretations of existing data, engineering judgments and analytical models. As Brookhaven acknowledges, Westinghouse has performed tests to validate their model to the extent practical. The staff agrees with Brookhaven that the Westinghouse analytical approach appears reasonable.

3.4 Probability of Reaching Destructive Overspeed (Report 4)

This report is an update of the 1974 report, "Analysis of the Probability of the Generation and Strike of Missiles from a Nuclear Turbine" (Report 2) in the areas relating to destructive overspeed. The effects of valve testing frequency on the destructive overspeed probability are incorporated. A sensitivity study on valve inspection intervals was also made. The values presented in this report for the destructive overspeed probability apply to Westinghouse turbines with either the analog electro-hydraulic (AEH) control system or the digital electro-hydraulic (DEH) Mod 1 and Mod 2 control systems and BB 296 steam chest type main steam inlet features. The probability values reported are based on the service experience where available and estimates and assumptions where such data were not available. When estimates were necessary, every effort was made to be on the conservative side. It is Westinghouse's and our opinion that the probability values reported are conservative.
4.0 CONCLUSIONS AND RECOMMENDATIONS

The interconnections of subjects presented in the subject reports and their relevancy to NRC reviews of the turbine missile issue for plants with Westinghouse turbines are readily apparent from Section 1 of this SER and the above summary discussions. The design speed and destructive overspeed turbine missile generation probabilities described in the reports are to be summed to determine conformance to NRC criteria as outlined in Table 1, and the turbine casing perforability described in Report 3 is to be used together with turbine disc burst probabilities at both design speed and destructive overspeed to obtain the corresponding missile generation probabilities. We conclude that the methodology described in the subject reports is state-of-the-art and is acceptable. Additional comments follow:

4.1 Design Speed Failures

We had two (2) concerns with regard to the subject discussed in Report 1; one is in connection with temperature uncertainties and the other is in connection with crack initiation.
1. During the course of the review, Westinghouse was questioned about their method of analysis to determine the temperature of discs and the effect of temperature uncertainties on the missile generation probability. The Westinghouse response was that they used standard heat transfer techniques and that the effect of temperature uncertainties was negligible. The BNL review showed that indeed small, systematic, uniform errors in the data base temperatures have a negligible effect on the missile generation probability.

2. In their crack growth rate model, Westinghouse assumed that all cracks have a zero initiation time; i.e., for their data base, they calculated the rate of crack growth for cracks in each damaged disc by dividing the depth of the cracks by the total number of operating hours at the time of inspection. Correspondingly, when predicting the probability for a new disc of a crack exceeding the critical crack depth they assume that if a crack can initiate it will do so when the unit begins service. To support this assumption, Westinghouse states that the non-conservatism introduced in the treatment of the data base is at least off-set by over-conservatism in the application of the probability. The staff agrees.

4.2 Destructive Overspeed Failures

The staff recommends that for a case-specific application, Westinghouse use procedures for calculating destructive overspeed missile generation probabilities which incorporate the turbine governor and overspeed protection system's speed sensing and tripping characteristics, the design and arrangement of main steam control and stop valves and the reheat steam intercept and stop valves, and the lengths of inservice testing and inspection intervals for system components and steam valves. Particular attention should be paid to information as delineated in subsection 3.2 of this evaluation.
4.3 Disc Fragment Containment Analysis

Report 3 addresses the method for the determination of whether or not a disc burst will result in missiles being ejected from the turbine casing, and if so, the external kinetic energy of the exiting missiles.
SUMMARY
This report is an update of the 1974 report, "Analysis of the Probability of the Generation and Strike of Missiles from a Nuclear Turbine" in the areas relating to destructive overspeed. The effects of valve testing frequency on the destructive overspeed probability are incorporated. A sensitivity study on valve inspection intervals was also made. The values presented in this report for the destructive overspeed probability apply to Westinghouse turbine with either the analog electro-hydraulic (AEH) control system or the digital electro-hydraulic (DEH) Mod 1 and Mod 2 control systems and BB 296 steam chest type main steam inlet features. The probability values reported are based on the service experience where available and estimates and assumptions where such data were not available. When estimates were necessary, every effort was made to be on the conservative side. It is our opinion that the probability values reported are very conservative.

In this report, three basic values of the probability of destructive overspeed per loss of load incident are provided as relevant values for Westinghouse turbine. These are f.1 X'10-8 for weekly valve testing, 1.9 X 10-s for monthly testing, and 1.6 X 10-e for yearly testing. To obtain the probability of destructive overspeed per year per unit, one must multiply the above probability by the average number of load rejections per year with sufficient steam flow to go to destructive overspeed.
I. INTRODUCTION

In 1974, the Westinghouse Steam Turbine Division wrote report [4] "Analysis of the Probability of the Generation and Strike of Missiles from a Nuclear Turbine" and made it available to the NRC for review. This earlier report contains a comprehensive probability analysis for the generation and strike of missiles that may arise from overspeed in a nuclear LP turbine. The analysis work and results are reported in various Westinghouse Research Reports [1-3]. This report is in response to the NRC request to update the destructive overspeed probability section of the 1974 report by adding the LP turbine operating experience accumulated since 1972 and revising the study to account for the effects of valve testing frequency and valve inspection interval. The information in this report was derived from a Westinghouse internal report [5].

The probability values presented in this report for the destructive overspeed in the event of loss of load apply to Westinghouse turbines with either the analog (AEH) or digital (DEH) electro-hydraulic control systems and BB 296 steam chest type main inlet features. The values reported are based on the service experience of Westinghouse turbines where available and estimates and assumptions where such data were not available. As was done before, when estimates were necessary, every effort was made to be on the conservative side. It is the opinion that the probability values reported are conservative.

Section II of this report gives a description of the problem, and Section III describes the model for destructive overspeed in the event of a loss of load and introduces the fault tree representation of the model. Section IV describes the data on operating experience and malfunctions that were collected and analysed to obtain the basic event probabilities. These are needed in analysing the destructive overspeed fault tree of Section III. Section V presents the values of destructive overspeed probability as a function of the valve testing frequency. Some results on the effect of valve inspection interval are also included in the form of a sensitivity study. Section VI contains discussion and conclusions, and the remaining sections consist of technical appendices and references.
II. PROBLEM DESCRIPTION

There are three areas that need to be discussed in connection with the definition of the problem. The first is the system configuration of the type of turbine generator being considered. The second is the nature of the overspeed conditions being studied. The third is the precise meaning of the probabilities that are calculated.

Figure 2-1 is a schematic representation of a typical nuclear turbine unit we have considered. The unit consists of one high pressure (HP) and three low pressure (LP) turbines. The steam flow into the HP turbine comes through two independent steam chests, each of which has two throttle (stop) valves on the upstream side and two governor (control) valves on the downstream side. This steam chest configuration is designated as a BB 296 steam chest in this report. These valves are taken to be plunger type valves of the type currently in use on Westinghouse nuclear units, and each is controlled by a separate servo (Moog) valve. The HP exhausts to moisture separator and reheater (MSR) tanks from which the LP turbines are fed. Each LP turbine has two inlet steam lines, each of which carries a reheat stop valve and an interceptor valve, in that order. The specifications of the reheat stop valves and interceptor valves are irrelevant to the present study, as the destructive overspeed condition arises independent of whether these valves are closed or not.

The analysis is applicable to a turbine unit equipped with AEH, DEH (MOD 1), or DEH (MOD 2) control system and mechanical trip protection system and with the BB 296 steam chest configuration. The system considered is one in the form that is currently in operation. In addition, the dual drain arrangement for the overspeed protection controller trip and emergency electrical trip consisting of a primary drain backed up with a secondary drain is used as standard.

The general process by which a destructive overspeed condition is reached will now be described. It begins with a unit load separation from the system. Then, because of a succession of malfunctions in the protection system, the steam supply to the HP and/or LP turbine is not properly interrupted and an overspeed condition occurs. In this report, an assumption is made that the turbine speed will reach the destructive overspeed unless the steam supply to the HP can be stopped by closing throttle and/or associated governor valves. This is a conservative assumption as it does not consider other events which would prevent reaching destructive overspeed.

The problem can now be stated in this way: given that a unit load separation from the system has occurred, estimate the probability that the ensuing succession of malfunctions will lead to a turbine condition of destructive overspeed. The definition we have used is as follows:

Destructive overspeed for a specific unit is the lowest calculated speed at which any LP rotor disc will burst based on the average tangential stress being equal to maximum ultimate tensile strength of the disc material, assuming no flaws or cracks in the disc.

Operationally, the destructive overspeed is considered to result only from the failure of at least one steam chest to close the steam inlet path following a load dump due to a system separation. In particular, the failure to close one throttle valve and one associated governor valve of one of the two steam chests is taken as a minimal condition that leads to destructive overspeed.

The probabilities determined are conditional probabilities. That is, the concern is with the probability of a certain event only when it is known that a prescribed circumstance exists. In particular, the probability of destructive overspeed given a load dump due to a system separation is estimated. A second feature of the probabilities being determined here is that they are defensible, conservative bounds on the true probabilities rather than merely point estimates. They are defensible in the sense that all are derived from Westinghouse experience that can be documented, and they are conservative in the sense that all are upper limits on the true probabilities. It is believed that the true values of the probabilities of destructive overspeed given a load system separation are no greater than, and in many cases are much smaller than, the values presented in this report.
FIGURE 2-1. TURBINE SCHEMATIC AND WESTINGHOUSE BB 296 STEAM CHEST CONFIGURATION FOR PROBABILITY ANALYSIS (relevant steam paths shown with dashed lines; labelled components: throttle valve, steam chest, governor valve, stop valve, interceptor valve, HP and LP turbines)
III. MODEL FOR DESTRUCTIVE OVERSPEED: FAULT TREE

Presented is a general discussion of how various overspeed conditions can occur during the normal operation of a generating plant. The turbine speed and load are controlled by the amount of steam going into the turbines, and the only way to prevent the turbine from reaching an excessive speed when the load is lost is by stopping the steam flow into the turbines.

Under normal operating conditions, the turbine speed is kept at 100% of its rated speed, and it is controlled by the system frequency. If for any reason the load is lost and the circuit breaker opens, the turbine speed will in most instances increase above the rated speed. If a loss of load occurs when carrying greater than 30% rated unit load and the breakers open, the load drop anticipator function of the overspeed controller (OPC) rapidly closes both the governor and interceptor valves in an attempt to prevent excessive overspeed such that a turbine trip is prevented. The interceptor valves are "modulated" to reduce the speed to rated speed and then the governor valves are opened to maintain synchronous speed. The turbine generator is ready for resynchronizing. If the turbine speed is not arrested and reaches the overspeed trip setting (usually 110% - 111% rated speed), the mechanical emergency trip device should activate and trip close all the governor, throttle, reheat stop and interceptor valves. In addition, the electrical overspeed trip device should activate at approximately the same speed to close the valve.

The overspeed function of the OPC activates if the breakers open and the overspeed reaches 103% rated speed. Both the governor valves and interceptor valves are rapidly closed and operate in the same manner as described for the load drop anticipator function.

If all the steam inlet flows are stopped by an emergency trip mechanism, the turbine speed will not exceed the design overspeed of 120%. However, if the steam continues to flow into the turbine due to some malfunction, the turbine speed will continue to go up beyond the 120% level, and it could even reach the destructive overspeed level of around 180%, provided that at least one of the two main steam inlets is not closed.

Presently the concern is with only the destructive overspeed condition. The above model was used to generate a fault tree diagram leading to the "top event" of reaching destructive overspeed given that a loss of load incident has occurred. The fault tree diagram is given in Figure 3-1. There are two basic overspeed protective systems used for Westinghouse turbines. They are distinguished by calling one the "mechanical trip system" and the other the "electrical trip system". The mechanical trip system or the electrical trip system may be combined with either the AEH, DEH (MOD 1), or DEH (MOD 2) control system. The mechanical trip system is used on most units in service at the current time, and this analysis deals with the mechanical trip system. The fault tree corresponds exactly to the diagram in Figure 3-2 with an AEH control system. Its corresponding throttle and governor valve servo actuator assembly diagram is given in Figure 3-3.

In developing the fault tree, 31 different types of basic events are identified in Table 4-1, and of these, basic event nos. 15, 25, and 26 do not appear in the fault tree. The basic event nos. 15 and 25 are identified in the current study so that the basic event numbers are consistent with those appearing in earlier reports [1,4], and the basic event no. 26 was identified as it appears in both DEH (MOD 1) and DEH (MOD 2). Altogether 87 independent basic events (arising from the 31 different types of basic events) actually appear in the fault tree, and they are clearly marked by basic event number on the fault tree. The probabilities of destructive overspeed events will be calculated based on the basic event probabilities obtained in Section IV and the fault tree described in this section. The results will be given in Section V.

In summary, the turbine may reach destructive overspeed if the following events occur simultaneously: (i) system separation with a sufficient steam supply into the turbine (for example, the load is lost and the breaker opens during normal operation), and (ii) either a combination of failures in the overspeed protection and emergency trip systems or valve failures which cause the main steam inlet to be kept open. Since the destructive overspeed condition can occur only if the main steam inlet is not closed, one needs to consider only the governor valves and throttle valves, and that is why the reheat stop valves and interceptor valves do not appear in the fault tree diagram. The symbols used in fault trees are briefly discussed in Appendix A.
FIGURE 3-1a. FAULT TREE LEADING TO DESTRUCTIVE OVERSPEED - MAIN TREE (diagram not recoverable)
FIGURE 3-1 (continued). FAULT TREE LEADING TO DESTRUCTIVE OVERSPEED - SUBTREES (diagram not recoverable)
FIGURE 3-2. EH FLUID SYSTEM AND LUBRICATION DIAGRAMS FOR ANALOG ELECTRO-HYDRAULIC CONTROL SYSTEM (diagram not recoverable)
IV. BASIC EVENT PROBABILITIES
The fault tree that is given in detail in the previous section defines 31 basic events or elementary malfunctions. They are elementary in the sense that they do not depend on still other malfunctions (that is, the tree stops branching at the elementary malfunctions). In order to calculate the probability of the top event of the tree, it is necessary to have values for the probabilities of the basic events. The purpose of this section is to present the data on which the basic event probabilities were based and to give an account of their estimation.
The 31 basic events are identified in Table 4-1. A detailed description of these basic events and the effects of their failure can be found in [6]. The data that apply to these events are given in Table 4-2. These data are based on the Westinghouse service experience with the relevant components. For each event, Table 4-2 gives the component-years of service and the number of malfunctions for the components on which the event depends. A malfunction is defined as any failure of the component to perform a designated function when called upon to do so. As applied to the turbine steam inlet valves, a malfunction is defined as failure of the valves to close on demand. Malfunctions can be detected either during system separation (for example, a scheduled shutdown) or during regular testing (for example, monthly testing of the operation of a component while carrying load). Thus, the number of malfunctions given in Table 4-2 for a particular event is the sum of the number of tests and the number of system separations in which the component associated with the event failed to perform properly. Notice that for some events (components) two numbers are given. For these components, inadequacies in the records make the number of malfunctions uncertain; a pair of values which are believed to bracket the correct number are given in such case. The calculation of basic event probabilities from these data takes two forms depending on the approach taken.
The basic event probability of some components (hereafter called the failure-rate type) is obtained by first estimating their failure rate, and the basic event probability of the remaining components (hereafter called the demand type) is obtained by estimating the frequency of failure to meet a demand for its services. For those basic events which are associated with demand type, the probability of the event is simply the probability of failure of the component given a demand. For the failure rate type, however, the event that a component fails to perform on demand is visualized in terms of its having failed at some prior time and remained in this state until a demand occurs. In this case, the basic event probability is taken as the unavailability of the component. For such components, the service data are used to find a failure rate which is then used together with an assumed testing frequency to find the unavailability. The relationships among failure rate, testing frequency, unavailability, and basic event probability for this type of component are discussed in Appendix B.
The component-years of service given in Table 4-2 must be interpreted properly for each kind of component. For demand components, it is necessary to know how many demands were required to produce the number of malfunctions observed. An average of one demand per component-year was assumed for all demand components except those associated with events 1 and 2 which were assumed to have an average of 6. Similarly, for failure rate components it is necessary to know how many years of operation were required to produce the observed number of malfunctions. Based on past experience it was taken that turbines operate about 77.9 percent of the time, that is, each component-year of service was taken to be .779 years of operation for a failure rate component.
In carrying out the fault tree analysis it was desired to use both "best" values and conservative values for the basic event probabilities. The "best" value is represented here by the upper 50% confidence limit. This is a reasonable choice since a number of components had 0 malfunctions, that is, they would have been assigned failure rates or probabilities of failure of 0 if conventional point estimates were used. It was decided that even in the "best" value case, it would not be desirable to use a value that was known to be too small. The conservative value is represented by an upper 95% confidence limit on either the failure rate or the probability of failure. A description of the confidence limit calculations is given in Appendix C.
The results of the calculations based on the data in Table 4-2 are presented in Tables 4-3 and 4-4. Table 4-3 gives the upper 50% and 95% confidence limits (using both the low and high numbers of malfunctions from Table 4-2) on the basic event probabilities for events corresponding to demand-type components. For events which correspond to components of the failure rate type, Table 4-3 refers to Table 4-4. This table reports the upper 50% and 95% confidence limits (using both the low and high numbers of malfunctions from Table 4-2) on the failure rate. These components are, as usual, identified in the table by the numbers of the events to which they correspond. Table 4-4 also presents the component unavailabilities implied by the given failure rates for various testing frequencies. These component unavailabilities are then used as basic event probabilities in the fault tree analysis.
TABLE 4-1. DESCRIPTION OF BASIC FAULT TREE EVENTS
Event Number   Event Description
 1   Mechanical trip mechanism failure
 2   Cup valve (auto stop oil) fails to open
 3   20/AST 1 solenoid and the plunger valve failure
 4   20/AST actuation train failure
 5   Main speed detector (speed pick up 1) failure
 6   Interface valve fails to open
 7   Secondary drain line is totally blocked
 8   20/ET solenoid valve failure
 9   63/AST pressure switch (actuates 20/ET) failure
10   Primary drain line is totally blocked
11   Dump valve is stuck closed
12   ET fluid line (to TV or GV) is totally blocked
13   Auto stop oil line is clogged
14   Drain line through top of actuator cylinder is clogged
15   Failure of auxiliary protection system
16   Throttle valve (TV) is stuck open
17   Servo valve failure to connect cylinder to drain
18   Servo valve circuitry failure
19   Governor valve (GV) is stuck open
20   Check valve failure
21   Failure in loss of load detection
22   OPC speed detection (speed pick up 2) failure
23   OPC actuation train failure
24   20/OPC solenoid valve failure
25   Interceptor (IV) or reheat stop (RSV) valve is stuck open
26   Turbine supervisory speed detector (speed pick up 3) failure
27   Servo valve drain line is clogged
28   Check valve on dump valve drain line fails to open
29   20/AST 2 solenoid valve fails to open
30   Common servo valve drain line is clogged
31   Failure of logic card
TABLE 4-2. SERVICE EXPERIENCE FOR COMPONENTS ASSOCIATED WITH BASIC EVENTS
Type   Event Number   Component Years of Service   Number of Malfunctions (Low, High)
D       1
D       2
D       3
D       4
D       5
D       6
D       7
D       8
D       9
D      10
D      11
D      12
D      13
FR     14
       15
FR     16
FR     17
FR     18
FR     19
D      20
D      21
D      22
D      23
D      24
       25
D      26
D      27
D      28
D      29
D      30
D      31
b,c
D = Demand, FR = Failure Rate
TABLE 4-3. ESTIMATES OF BASIC EVENT PROBABILITIES USING UPPER CONFIDENCE LIMITS
Event Number   95 Percent Confidence              50 Percent Confidence
               Low Failures    High Failures      Low Failures    High Failures
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
a,c
Note: 8.3E-5 means .000083.
TABLE 4-4. ESTIMATES OF UNDERLYING FAILURE RATES AND BASIC EVENT PROBABILITIES vs TESTING FREQUENCY
                                    Failure Rate (Designated FR) or Basic Event Probability
Event Number   Testing Frequency    95% Confidence        50% Confidence
                                    Low       High        Low       High
14             FR
               Yearly
               Monthly
               Weekly
16             FR
               Yearly
               Monthly
               Weekly
17             FR
               Yearly
               Monthly
               Weekly
18             FR
               Yearly
               Monthly
               Weekly
19             FR
               Yearly
               Monthly
               Weekly
a,c
Note: 3.9E-4 means .00039.
V. DESTRUCTIVE OVERSPEED PROBABILITY: DEPENDENCY ON VALVE TESTING FREQUENCY AND INSPECTION INTERVAL
The probability of reaching destructive overspeed (given that a loss of load incident had occurred) was estimated by analyzing the fault tree developed in section III and using the basic event probabilities obtained in section IV. Four primary cases were considered, each corresponding to the basic event probabilities given in one of the four columns of Table 4-3. These 4 cases are distinguished by two levels of upper confidence limits (upper 50% and 95% confidence limits) and by two levels for the number of component malfunctions for those components where two bounding values (the low and high number of malfunctions in Table 4-2) are given.
The fault tree for destructive overspeed was analyzed using the Westinghouse internal fault tree quantification routine [7], and the probabilities of destructive overspeed thus obtained are summarized in Table 5-1. The cases selected as representative are given by the top three probability values of Table 5-1, and they correspond to the case of 50% confidence level and high component malfunction.
The unavailability of valves (that is, the probability of their being in the "stuck open" state at a random time) depends on the frequency of valve testing. This is intuitively obvious (infrequent testing allows a failed valve to be unavailable for a longer average time than frequent testing does), and it is clear from the formula for component unavailability that has been given in Appendix B. However, these remarks are about the probability model for valve unavailability. A possible additional source of dependency on testing frequency is that the act of testing itself may alter the failure rate of a valve. A set of data giving valve malfunctions under various testing schedules was examined for evidence of an effect on failure rate in another report [8]. The statistical analysis section from that study is reproduced in Appendix D. The data gave no evidence of a dependency of failure rate on testing schedule. In this report we are assuming constant failure rate for each type of valve and treating testing frequency as having an effect only through the probability model as described above.
In this study, three different valve testing frequencies were considered, namely, weekly, monthly, and yearly testing. The probability of destructive overspeed is then given in terms of these frequencies. For example, Table 5-1 indicates that if both the throttle and governor valves are tested once every month, then the probability of destructive overspeed per loss of load incident is estimated to be 1.88 X 10-8. As an illustration of obtaining the probability of destructive overspeed per year, suppose that there are on the average 5 load losses per year. In addition, if it is assumed that both the throttle and governor valves are tested once a month, then the probability of destructive overspeed incident per year is given by 5 times 1.88 X 10-s, or 9.4 X 10-8.
Given a description of the fault tree and the basic event probabilities, most fault tree analysis routines first obtain all the minimal cut sets leading to the top event and then, using the assumption that all the basic events are mutually statistically independent, calculate the probability of the top event. Two basic events of demand type or one of demand type and the other of failure rate type are independent. However, two basic events of failure rate type are not independent since their probabilities are expressed by their unavailabilities which are not independent. In such cases, one has to correct the top event probability obtained by the fault tree analysis routine. Specifically, if a minimal cut set leading to the top event consists of two basic events of the unavailability type and if it contributes significantly to the top event probability, the probability of such a minimal cut set is multiplied by a factor of 4/3 in order to account for the dependence (see Appendix E).
Next consider the effects of valve inspection interval on the probability of destructive overspeed. The current Westinghouse recommendation regarding the turbine valve inspection schedule is that all valves should be inspected once every 39 operating months [9]. The effect of varying inspection intervals on valve reliability can be modeled as follows: A more frequent valve inspection would lead to a longer valve life, which will be reflected by a decrease in valve failure rate; and a less frequent valve inspection would mean an increase in valve failure rate. Although we were able to determine qualitatively how the valve life might be affected by the valve inspection interval, it was not possible at the present time to quantify the effects of valve inspection interval on valve reliability. As a result, the study was limited to that of a sensitivity study. The following two questions were considered: (1) If both the throttle and governor valve were inspected more frequently than the current schedule and it is assumed that this reduced the valve failure rates by 20%, what would be the effect on the probability of destructive overspeed? (2) On the contrary, if the valves were inspected less frequently and it is assumed that this increased the valve failure rates by 20%, what would be the effect? Table 5-2 gives results of this study. The results show that the 20% change in valve failure rate leads to about 18% change in destructive overspeed probability for weekly valve testing frequency, and the same 20% change leads to about 29% and 36% changes respectively for monthly and yearly valve testing frequencies.
Table 5-3 indicates the major contributors to the probability of destructive overspeed by specifying the basic events of the minimal cut sets with the greatest contribution to the overall probability. Also given in the table are the percentages of contribution to the overall probability. The three most critical components as judged by their contribution to the probability of destructive overspeed are the governor valves, the throttle valves, and the auto stop oil line, in that order.
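The dependence of a failure-rate component's unavailability on testing frequency (Section IV) and the 4/3 correction for a minimal cut set of two failure-rate events (this section) can be checked numerically. The following is an added example, not code from the report: it assumes exponential failure times, testing at a fixed interval with restoration to good-as-new, both components tested at the same times, and constructed failure rates rather than the report's values.

```python
"""Unavailability of periodically tested components and the 4/3 correction.

Added illustration, not code from the report. The failure rates used in
the demo are constructed sample values, not values from Table 4-4.
"""
import math

# Test interval in years for the three testing frequencies the report considers.
TEST_INTERVAL_YEARS = {"weekly": 1.0 / 52, "monthly": 1.0 / 12, "yearly": 1.0}


def _mean_survival(x):
    """Average of exp(-lambda*t) over one test interval, with x = lambda*T."""
    return 1.0 if x == 0 else -math.expm1(-x) / x


def unavailability(failure_rate, test_interval):
    """Long-run fraction of time a component is in the failed state.

    Assumes F(t) = 1 - exp(-lambda*t), a test every `test_interval` years,
    and restoration to good-as-new at each test (assumptions of this example).
    """
    return 1.0 - _mean_survival(failure_rate * test_interval)


def joint_unavailability(rate_a, rate_b, test_interval):
    """Fraction of time BOTH components are failed when tested together.

    This is the time average of F_a(t) * F_b(t) over one shared interval.
    """
    a = rate_a * test_interval
    b = rate_b * test_interval
    return 1.0 - _mean_survival(a) - _mean_survival(b) + _mean_survival(a + b)


def naive_product(rate_a, rate_b, test_interval):
    """Cut set probability if the two unavailabilities were independent."""
    return (unavailability(rate_a, test_interval)
            * unavailability(rate_b, test_interval))


def dependence_factor(rate_a, rate_b, test_interval):
    """Ratio of the exact joint unavailability to the naive product."""
    return (joint_unavailability(rate_a, rate_b, test_interval)
            / naive_product(rate_a, rate_b, test_interval))


def corrected_cut_set(rate_a, rate_b, test_interval):
    """Naive product multiplied by 4/3, the factor the report applies."""
    return naive_product(rate_a, rate_b, test_interval) * 4.0 / 3.0


def sweep(rate_a, rate_b):
    """Results for each testing frequency, keyed by frequency name."""
    rows = {}
    for name, interval in TEST_INTERVAL_YEARS.items():
        rows[name] = {
            "u_a": unavailability(rate_a, interval),
            "u_b": unavailability(rate_b, interval),
            "joint_exact": joint_unavailability(rate_a, rate_b, interval),
            "joint_4_3": corrected_cut_set(rate_a, rate_b, interval),
            "factor": dependence_factor(rate_a, rate_b, interval),
        }
    return rows


if __name__ == "__main__":
    # Constructed failure rates (per year) for two valves in one cut set.
    for name, row in sweep(0.02, 0.05).items():
        print(f"{name:8s} U_a={row['u_a']:.3e} U_b={row['u_b']:.3e} "
              f"exact={row['joint_exact']:.3e} 4/3 rule={row['joint_4_3']:.3e} "
              f"factor={row['factor']:.4f}")
```

The factor is 4/3 only in the limit where failure rate times test interval is small; it falls below 4/3 as that product grows, so the 4/3 rule is slightly conservative for long test intervals.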
TABLE 5-1. PROBABILITY OF DESTRUCTIVE OVERSPEED
(Given A Loss-of-Load Incident)
Case Description                                                   Probability
Confidence Level   Component Malfunction   Valve Testing Frequency
50 %               High                    Weekly                    3.12 X 10-8
                                           Monthly                   1.88 X 10-8
                                           Yearly                    1.56 X 10-e
50 %               Low                     Weekly                    1.53 X 10-8
                                           Monthly                   5.54 X 10-'
                                           Yearly                    8.12 X 10-7
95 %               High                    Weekly                    2.84 X 10-8
                                           Monthly                   7.81 X 10-s
                                           Yearly                    3.01 X 10-8
95 %               Low                     Weekly                    2.08 X 10-s
                                           Monthly                   4.11 X 10-8
                                           Yearly                    8.90 X 10-7
TABLE 5-2. PROBABILITY OF DESTRUCTIVE OVERSPEED: A SENSITIVITY TO VALVE INSPECTION INTERVAL
(A Parametric Study At 50% Confidence Level And For High Component Malfunctions)
Case Description                              Probability
Weekly Valve Testing Frequency                3.12 X 10-'
  Valve failure rates decreased by 20%        2.60 X 10-'
  Valve failure rates increased by 20%        3.70 X 10-'
Monthly Valve Testing Frequency               1.88 X 10-s
  Valve failure rates decreased by 20%        1.37 X 10-s
  Valve failure rates increased by 20%        2.46 X 10-8
Yearly Valve Testing Frequency                1.56 X 10-'
  Valve failure rates decreased by 20%        1.04 X 10-e
  Valve failure rates increased by 20%        2.17 X 10-e
TABLE 5-3. MAJOR CONTRIBUTORS TO THE PROBABILITY OF DESTRUCTIVE OVERSPEED
(At 50% Confidence Level And For High Component Malfunctions)
Case Description          Basic Events in Min Cut Set   % Contribution to Overall Probability
Weekly Valve Testing                                    50 %
                                                        17 %
Monthly Valve Testing                                   54 %
                                                        36 %
Yearly Valve Testing                                    95 %
                                                        5 %
a,c
Note: Basic Event No.
VI. DISCUSSION, CONCLUSIONS, AND SUMMARY TABLE
The problem of assessing the risk associated with turbine missile generation is generally broken down into three distinct parts with certain customary designations used for the probabilities associated with each part:
P1: The missile generation probability, which is the probability of turbine failure resulting in the ejection of a missile through the turbine casing;
P2: The strike probability, which is the probability of a missile perforating intervening barriers and striking a safety-related system;
P3: The damage probability, which is the probability that the system will be rendered unavailable to perform its safety function.
This report addresses the portion of P1 resulting from the destructive overspeed condition, that is, the probability of reaching destructive overspeed given a system separation during normal operation with the conservative assumption that a turbine missile is generated with certainty under destructive overspeed condition. This section contains a summary in Table 6-1 of the results obtained in Section V and remarks regarding the nature of the results. As was done in the earlier report [4], the probability values corresponding to 50% confidence level and high component malfunction are selected as representative. These values are reported in Table 6-1, although other cases are also reported in Table 5-1 for comparison.
The turbine operating data used to estimate the basic event probabilities came exclusively from experience with Westinghouse turbines. For some of the components, only the nuclear unit operating experience was used to estimate the component reliability, while for others both the nuclear and fossil operating experiences were combined whenever it was determined that there were enough similarities between the components of nuclear and fossil units.
As mentioned earlier, the results are applicable only to Westinghouse turbines with "mechanical trip system" and either AEH, DEH (MOD 1), or DEH (MOD 2) control system and with the BB 296 steam chest configuration. The numerical values of destructive overspeed probabilities presented in this report were obtained for the AEH control system. However, the DEH (MOD 1) and DEH (MOD 2) systems are very similar to the AEH system analyzed, with a minor difference being in the overspeed detection function. The DEH systems have another speed detection channel in addition to the two speed channels in AEH control system. The three speed signals are continually compared using a 2-out-of-3 check logic in the DEH control systems, while no such comparison is made in AEH control system. Hence, theoretically the destructive overspeed probability of the DEH (MOD 1) and DEH (MOD 2) systems should be smaller than that of the AEH system. However, the main contributors to destructive overspeed probability (that is, the minimal cut sets with a significant contribution to the top event probability of destructive overspeed fault tree) did not involve the basic events associated with overspeed detection, and as a result improving the reliability of overspeed detection in itself would not affect the overall destructive overspeed probability very much. Thus, the numerical results we obtained here for the AEH control system are also applicable to the DEH (MOD 1) and DEH (MOD 2) control systems.
The potential user of the results reported here is again reminded of two important characteristics of the probability values given: (1) The probability is a conditional probability in the sense that it gives the probability of a turbine unit reaching destructive overspeed given a system separation during normal operation. If one is interested in obtaining the probability of destructive overspeed per unit per year of operation, then the probability value of Table 6-1 should be multiplied by the average number of system separations per year. (2) The probability estimates given are upper bounds rather than best point estimates. The 50% upper confidence limit used for a component failure probability or failure rate estimation in itself does not lead to a conservative value. However, the high value was used for the number of component malfunctions, which is an upper bound on the number of malfunctions.
The number of service years given in Table 4-2 and the number of demands used, i.e., 6 per year for basic events 1 and 2, and 1 per year for the other basic events, are conservative.
This section is concluded with a brief discussion of the differences between the current study and the earlier study [1,4]. First, the turbine operating experience data has been updated. The earlier study was based on the turbine operating experience through the year 1972, and the current study is based on the turbine operating experience through the end of 1981. During those nine years from 1973 through 1981, a great deal of nuclear unit operating experience as well as electro-hydraulic (EH) system operating experience has been accumulated. Secondly, all the basic events of the fault tree were treated as being of the demand type in our earlier study, and it was not possible to study the effects of valve testing frequency on the probability of destructive overspeed. The current study, however, treats the valves as well as a few other components as being of the failure rate type and thus we were able to examine the effects of valve testing frequency on the probability of destructive overspeed.
In conclusion, the current study indicates that the throttle and governor valves are the two most critical components followed by the auto stop oil line. This result seems to contradict the earlier finding, in which other components were found to be most critical. This apparent discrepancy results from the two factors: (1) the operating experience of the additional nine years amounts to a large portion of the overall EH system experience and (2) both the nuclear and fossil experiences were used for the valve and many other components, and the additional nine years did not add very much to the overall operating experience of these components; however, for those few components for which only the EH system operating experience was used, the additional nine years amounted to be the major portion of the overall operating experience of these components.
TABLE 6-1. PROBABILITY OF DESTRUCTIVE OVERSPEED AND MAJOR CONTRIBUTORS TO DESTRUCTIVE OVERSPEED PROBABILITY
(At 50% Confidence Level And For High Component Malfunctions)
                                          Major Contributors
Valve Testing Frequency   Probability     Basic Events in Min Cut Set   % Contribution to Overall Probability
Weekly                    3.12 X 10-'                                   50 %
                                                                        17 %
Monthly                   1.88 X 10-s                                   54 %
                                                                        36 %
Yearly                    1.50 X 104                                    95 %
                                                                        5 %
a,c
Note: Basic Event No.
VII. APPENDICES
A: Fault Tree Diagram Symbols
B: Determining Basic Event Probabilities for Components of Failure Rate Type
C: Confidence Limits for Failure Rates and Probabilities of Failure
D: Statistical Evaluation of Valve Testing Interval and Valve Failure
E: Correction of Fault Tree Results for Dependent Basic Events
Appendix A: Fault Tree Diagram Symbols
A fault tree is a convenient and practical tool for evaluating the reliability characteristics of a system. It is a graphical representation in which all combinations of fault events or conditions that can lead to a system failure are organized deductively and systematically. The fault tree technique can be used to depict and evaluate the reliability or availability of a system or the probability of an event which is the consequence of the occurrence of other events. A fault tree begins with an identification of the "top event", an undesirable event, which in our case is the destructive overspeed (given that a loss-of-load incident has occurred). Then one identifies all possible combinations of events that would lead to the occurrence of the top event, and the combinations of events are expressed graphically in the form of a tree. Good documentation on fault tree methodology can be found in [10]. A brief description of the fault tree symbols used in this report is presented below:
[Symbol diagrams: RECTANGLE, AND GATE (output event, input events), OR GATE (output event, input events), CIRCLE, DIAMOND, TRANSFER (transfer-out, transfer-in); graphics not recoverable]
RECTANGLE: identifies an event, usually a malfunction or an undesirable event.
AND GATE: describes the logical situation whereby the output is realized if all the input events occur.
OR GATE: describes the logical situation whereby the output is realized if one of the input events occurs.
CIRCLE: designates a basic fault event that requires no further development and whose probability can be quantified.
DIAMOND: designates a fault event that is considered to be basic in a given fault tree but for which the causes have not been fully developed.
TRANSFER: the triangle is used as a transfer symbol to connect identical portions of the fault tree.
Appendix B: Determining Basic Event Probabilities for Components of Failure-Rate Type

Consider a component (a valve, for example) with an exponential failure time distribution. That is, if the component is put into operation and T is the time to failure, then T is distributed with probability density given by

f(t) = λe^(-λt) (1)

and distribution function given by

F(t) = 1 - e^(-λt) (2)

This well known and often used assumption has a number of implications. Basically, it corresponds to the component failing purely at random. A good description of this distribution and its use in reliability contexts is available in Chapter 3 of [11]. For present purposes, we need to know that λ is the failure rate for the component. (In this report, failure rates are in failures per year.)

As a simple example to help fix ideas, suppose λ = .01 for some component. The probability that such a component would fail in a given year is found from equation (2) by letting t have the value 1. By definition, F(1) is the probability that the time to failure for the component will not exceed 1 year. Thus the desired probability is 1 - e^(-.01). Using the well known approximation that e^(-x) = 1 - x for small x, the probability is very nearly .01, that is, a component with a failure rate of .01 (per year) has a probability of failing in any one year of about .01.

In the present context, the probabilities of interest are the basic event probabilities. The connection between basic events and component failures is that if a demand (that is, a system separation) occurs when a component is in the failed state then the basic event associated with that component is defined to have occurred. The connection between the probability of a basic event and component failure is this: the probability that a demand at some future random time will coincide with a component's being in a failed state is simply the long run proportion of the time that the component is in such a state. This proportion is known as the unavailability of the component. In other words, evaluating component unavailabilities yields basic event probabilities directly.

Recall that the components being discussed in this appendix (failure rate components) are assumed to be tested regularly. Their unavailability depends on their failure rate and frequency of testing. To see that testing frequency is a factor, notice that infrequent testing implies that failed components will not be discovered and repaired for a relatively long time. A well known result in reliability theory is that the long run unavailability of a component is given by the expected value of the time it spends in the failed state expressed as a proportion of the total time the system is in operation. The essential task then is to evaluate the expected "downtime" for a component given its failure rate and testing frequency.

Consider the previous example again briefly. The component had a failure rate of .01 and was tested yearly. To find its expected downtime we will make use of the following fact: given that a failure has occurred in a particular year, the distribution of its time of occurrence within the year is uniform. Thus the expected time of failure within a year in which a failure is known to have occurred is mid-year. The conditional expected downtime during such a year, then, is 0.5 years. The unconditional expected downtime (that is, the expected value for any year) is the product of this and the probability of failure in any year. Previously this probability was seen to be .01. Therefore the expected value we seek is .005. Moreover this is also the unavailability since it is the expected years of downtime in a year of operation and the divisor is therefore unity. Hence, the component is unavailable (on the average) 5 years out of a thousand, and the probability that it will be down at a random time in the future is .005.

In words, the unavailability of a component is the product of the probability of its failing in the time interval between tests and 0.5 (the ratio of the half length to the full length of the testing interval). That is,

unavailability = 0.5λt,

where λ is the failure rate in failures per year, and t is the testing interval in years.

This result involves several approximations. One, mentioned above, is that e^(-x) is approximately equal to 1 - x for small x. Considering the very small values of λ that occur in this work, the use of this approximation is entirely justified. The other approximation was used in the above derivation of the expected downtime given that a failure has occurred. There are two approaches to the exact result.

First, one can use the exponential density given in equation (1). If T is the time of failure and the interval is 1 year, we need the conditional expectation of 1 - T given that T ≤ 1. This is the ratio of two integrals involving the density in (1) and it evaluates to

1/(1 - e^(-λ)) - 1/λ.

This can be approximated very closely by 1/2 using the fact that 1 - e^(-λ) is very nearly λ - λ²/2 and λ is very small.

The other approach uses the fact that the exponential failure times can be thought of as the time between randomly arriving failure events, i.e., a Poisson process. It is this picture that leads to the result mentioned earlier that conditional on a failure arriving in an interval, its location within the interval is uniformly distributed. The approximation enters here because to get the exact expected downtime by this route it is necessary to condition not only on 1 failure but also on 2, 3, 4, and so on. When the interval has two arrivals, for example, it is the first one that represents component failure and its average location in the (1 year) interval is at the one third point, not the one half point. In this approach, the exact expected downtime is the probability of exactly one failure times the implied average downtime, 1/2, plus the probability of exactly two failures times the implied average downtime, 2/3, plus, and so on. The approximation in this approach consists of ignoring the extra "failures" because their probability of occurrence is very small.

A good reference for the uniform distribution results used above is Chapter 3 of (1',]. For availability (and hence unavailability) see Chapter 7 of [12].
Appendix C: Confidence Limits for Failure Rates and Probabilities of Failure

The basic event probabilities used in this report are based on estimated failure rates (per year) for some components and estimated probabilities of failure (per demand) for other components. The approach that was used to estimate these parameters will be described in this appendix.

The data for both types of components are presented in Table 4-2 where they are listed by basic event. For each event, Table 4-2 gives the number of component years of exposure that were accumulated by the components associated with the event, and the number of malfunctions that were experienced by those components. Let r be the number of malfunctions and N the number of component years of exposure (in calendar years).

Probabilities of failure will be discussed first. They are approached by regarding each year of experience with a component as representing a certain number of performance demands (depending on the type of component) and treating the data as resulting from Bernoulli trials with probability of failure p. Thus, for a type of component which receives m demands per year, r malfunctions in N component-years of exposure corresponds to r failures in mN Bernoulli trials; the distribution of r is binomial with parameters p and mN. The problem is to obtain 50 and 95 percent upper confidence limits on p.

This problem is classical; good discussions on confidence limits for a binomial parameter are available in many places (for example, [13], [14], [15]). Briefly, the idea is to use the data from a given type of component to find the largest value of p that is consistent with that data. The essential problems in implementing this idea involve giving meaning to the concept "consistent". It is not the purpose of this appendix to derive statistical results from first principles, but a certain amount of explanation is probably worthwhile.

Consider an example. If there were 1 failure in 10 demands then clearly 0.1 would be a consistent value for p. Just as clearly, there is nothing very unreasonable about the value p = 0.15. The question is, "for increasing p, at what point does the value become unreasonable?". The answer is taken to be that value of p for which the probability of one or fewer failures (the present result or a more extreme one) is on the threshold of being too small. The threshold is set by the choice of the confidence coefficient. A choice of 0.95, for example, means that the threshold was set at 0.05; a choice of 0.50 means that it was set at 0.50. The first of these produces a larger value of p as being consistent with a given set of data than the second one does. For future use, let p(c) be the upper 100c% confidence limit for p. We are interested in p(0.50) and p(0.95).

The references cited above show that to calculate p(c) given r (number of malfunctions) and mN (number of demands) one must find the value of p (probability of malfunction) for which the probability of r or fewer malfunctions equals 1 - c, and set p(c) equal to that value. In the case where r = 0, the result is given by a simple formula:

p(c) = 1 - (1 - c)^(1/mN). (1)

For r > 0, the simplest approach is to use the tabled values of a statistical distribution known as the F distribution. This family of distributions is indexed by two parameters, D1 and D2, known as degrees of freedom. Given r and mN, the particular distribution that applies to p(c) is given by the relations

D1 = 2(r + 1), and
D2 = 2(mN - r).

To complete the calculation it is necessary to find that value which is at the 100c percent point of the distribution. Let F(c; D1, D2) represent this value. Then, for r > 0,

p(c) = (r + 1)F(c; D1, D2) / [(mN - r) + (r + 1)F(c; D1, D2)]. (2)

Formulas (1) and (2) were used to compute the upper 50 and 95 percent confidence limits on p for those component types that are characterized by a probability of failure per demand.

For the other type of component involved in this report, it is necessary to estimate failure rates. This stems from the assumption of an exponential time to failure distribution for these components. The single parameter in this family of distributions will be denoted by λ in this appendix. As above, the estimates will be in the form of upper 50 and 95 percent confidence limits. The observational material remains the same as it was for the other components, namely, r malfunctions in N component years of exposure. Now, however, each component is viewed as being exposed to failure during the time it is in service. Since the raw data is in calendar-years of exposure, it is necessary to correct for the fact that components are not in constant operation. This is handled by multiplying N by the proportion of the time that the turbines operate. Let the reduced exposure be represented by N' = kN. In the calculations for the report, k was taken as 77.9 percent.
The theory for confidence limits on λ is more involved than that for p because there are a number of practical distinctions in how the data are collected. A good discussion of these matters is given in Chapter 3 of [11]. The present case falls into the category known as type II censoring with replacement, that is, there are a number of samples of a given component on "test", when there is a failure the unit is repaired or replaced, and the "test" is terminated after a certain amount of exposure. The theory in this case appeals to the relationship between an exponential failure time distribution and the Poisson arrival process for failure occurrences. The data consist of the number of malfunctions (r) in a fixed amount of exposure (N'), and r has a Poisson distribution with parameter N'λ. The problem is thus transformed into finding upper 50 and 95 percent confidence limits on a Poisson parameter. Let λ(c) be the upper 100c% confidence limit on λ. We want λ(0.50) and λ(0.95).

This problem is just like the corresponding problem for the binomial parameter p that was discussed above. It is discussed not only in [11] in the present context but also in [13] in a general setting. These references show that to find N'λ(c) given r and N', one must find that value of the Poisson parameter for which the probability of r or fewer malfunctions equals 1 - c, and set N'λ(c) equal to that value. One may then solve for λ(c) of course. Just as before, when r = 0 a simple formula can be given, it is

λ(c) = - . (3)

When r > 0, it is simplest to use the fact that the Chi-square distribution gives the sum of Poisson probabilities (just as before it was the F-distribution giving the sum of binomial probabilities). Let χ²(c; D1) be the 100c percent point of the Chi-square distribution with D1 degrees of freedom. For r malfunctions, the particular Chi-square distribution that applies to λ(c) is given by

D1 = 2(r + 1).

The formula is

λ(c) = . (4)
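The upper confidence limits described in this appendix can also be computed by solving the defining condition directly ("the probability of r or fewer malfunctions equals 1 - c") instead of reading F or Chi-square tables. The following Python sketch is an added example, not part of the original report; the function names and the sample counts are constructed for illustration.

```python
import math

def binomial_cdf(r, n, p):
    """P(X <= r) for X ~ Binomial(n, p): r or fewer malfunctions in n demands."""
    return sum(math.comb(n, k) * p**k * (1.0 - p)**(n - k) for k in range(r + 1))

def poisson_cdf(r, mu):
    """P(X <= r) for X ~ Poisson(mu): r or fewer malfunctions, mean count mu."""
    return sum(math.exp(-mu) * mu**k / math.factorial(k) for k in range(r + 1))

def _root_of_decreasing(cdf, target, lo, hi, iterations=200):
    """Bisection for cdf(x) = target, where cdf decreases as x grows."""
    for _ in range(iterations):
        mid = 0.5 * (lo + hi)
        if cdf(mid) > target:
            lo = mid      # data still "consistent" with mid: the limit is larger
        else:
            hi = mid
    return 0.5 * (lo + hi)

def p_upper(r, demands, c):
    """Upper 100c% confidence limit on a per-demand failure probability p,
    given r malfunctions in `demands` (= mN) Bernoulli trials."""
    if r >= demands:
        return 1.0        # every trial failed: no value of p can be excluded
    return _root_of_decreasing(lambda p: binomial_cdf(r, demands, p),
                               1.0 - c, 0.0, 1.0)

def reduced_exposure(component_years, k=0.779):
    """N' = kN, with k = 77.9 percent as stated in the appendix."""
    return k * component_years

def lambda_upper(r, exposure, c):
    """Upper 100c% confidence limit on a failure rate, given r malfunctions
    in `exposure` (= N') component-years of operation."""
    hi = 1.0
    while poisson_cdf(r, hi) > 1.0 - c:   # widen the bracket until it contains the root
        hi *= 2.0
    mu = _root_of_decreasing(lambda m: poisson_cdf(r, m), 1.0 - c, 0.0, hi)
    return mu / exposure

if __name__ == "__main__":
    # Constructed sample data (not from Table 4-2): 2 malfunctions in
    # 40 component-years, for a component that sees 52 demands per year.
    r, N, m = 2, 40, 52
    for c in (0.50, 0.95):
        print(f"c={c:.2f}  p(c)={p_upper(r, m * N, c):.3e}  "
              f"lambda(c)={lambda_upper(r, reduced_exposure(N), c):.3e} per year")
```

With r = 1 and c = 0.975 the Poisson limit evaluates to about 5.57, the upper end of the 95% interval quoted in Appendix D for one observed failure.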
Appendix D: Statistical Evaluation of Valve Testing Intervals and Valve Failure

The throttle and governor valve operating data on nuclear units can be summarized as follows:

Testing schedule | Exposure (valve-hours) | Failures |
---|---|---|
Weekly | [ ]b,c | [ ]b,c |
Monthly | [ ]b,c | [ ]b,c |
Every 2 weeks | [ ]b,c | [ ]b,c |
Not regular | [ ]b,c | [ ]b,c |

These data invite the computation of failure rates (number of failures per valve-hour) for each testing schedule followed by appropriate comparison. The question of whether the calculated rates are sufficiently different to constitute evidence of real differences among schedules naturally arises. The purpose of this appendix is to discuss this question and related issues.

The working assumption for this discussion is that within any testing schedule, failures occur randomly over time at a constant rate which is characteristic of the particular schedule. This is a very natural assumption that is used frequently in dealing with data involving the occurrence of a more or less rare event over time. Based on this assumption, the number of failures in exposure-time t while using a given testing schedule has a Poisson distribution with parameter μ = λt. The quantity λ is the failure rate mentioned above and supposed constant within any testing schedule. Using the weekly schedule as an example, there is 1 failure in about IO8 valve-hours. Denoting parameter estimates as λ̂ and μ̂ we have

λ̂ = [ ]b,c failures per valve-hour.

Once an estimate for λ, i.e., λ̂, is available, one can estimate the parameter of the Poisson distribution that would govern the number of failures under a weekly testing schedule for any number of valve-hours of exposure. For example, the number of failures in [ X 10 ] valve-hours would be estimated to have a Poisson distribution with parameter

μ̂ = λ̂t = [ ]a,c.

Notice that the monthly schedule had an exposure of about [ ]b,c valve-hours and only 1 failure was observed. Does this mean that the monthly schedule involves a lower failure rate than the weekly, or does the variability inherent in the Poisson distribution readily explain this much discrepancy? This exemplifies the kind of question to be dealt with in the remainder of this appendix.

One way to summarize the information about the underlying failure rate (λ) contained in a given set of data is to compute a confidence interval for this unknown parameter. Using classical methods one can state that if 1 failure has been observed then a 95% confidence interval for the Poisson parameter μ is

.025 ≤ μ ≤ 5.57.

Since μ = λt this means that

≤ λ ≤

with 95% confidence. For the weekly data then, since t = [ ]b,c, we find

[ ]b,c (weekly);

while for the monthly data (t = [ ]), we find

[ ] (monthly).

These intervals convey what is known about the values of λ under the two schedules in a way that reveals the uncertainty involved. Each interval gives the values of λ that are reasonably consistent with the corresponding set of data. The chosen confidence coefficient of 95% sets the standard for what is to be regarded as 'reasonable'. For given data, increasing the coefficient merely enlarges the interval. A value of 95% is more or less standard.

The confidence intervals for the failure rates under weekly and monthly testing have a considerable overlap. This says that the difference between the observed rates ([ ]b,c failures per million valve-hours for weekly and monthly testing, respectively) could easily arise from chance alone in the absence of any real difference.

While the two confidence intervals are of interest in themselves as a summary of what the data say about the individual failure rates, a more direct approach for the comparison of the two failure rates is available. Under the Poisson assumption, it is possible to calculate a confidence interval for their ratio. The ratio of the weekly to the monthly failure rate may be estimated from the data to be

ρ̂ = [ ];

the 95% confidence interval is

[ ]a,c (weekly/monthly).
For the failure rates to be judged different on the present data, this interval would have to exclude 1. This shows once again that even though the observed rates are different [ ]a,c, such a result is quite consistent with the true rates being equal (ρ = 1). Of course, the confidence interval is quite broad. This means that the amount of data is not sufficient to give a very precise comparison of the two rates. Ironically, the precision would improve if there were more failures. On the other hand, a greater exposure would not help the precision of the comparison. Greater exposure would, however, help the precision of the estimates of the individual rates. This points up the importance of considering the magnitude of the individual rates as well as their comparison. If they are both quite small, it is not possible to make a precise comparison; correspondingly, in such a case it probably does not matter which rate is larger.

The data for the other testing schedules do not add much to the above analysis. The every-other-week schedule is based on only one unit and hence does not have a sufficiently broad base to be analyzed by itself, while the non-regular testing regimen suffers from the data paucity syndrome mentioned above (i.e., o failures). For completeness the first three data sets are combined into one which represents the practice of regular testing and compared with the remaining set which represents the absence of a regular testing schedule. The data may then be represented as

Regular Testing | Exposure (valve-hours) | Failures |
---|---|---|
Yes | [ ]b,c | [ ]b,c |
No | [ ]b,c | [ ]b,c |

The 95% confidence intervals for the individual failure rates are:

[ ]a,c (regular)
[ ] (not regular).

Again there is considerable overlap between these intervals, and therefore the data fail to reject the proposition that the two testing regimens have the same underlying failure rates.

The 95% confidence interval for the ratio of the two failure rates is

[ ]a,c (regular/not regular)

with an estimated value of ρ̂ = 1.12. The interval does not exclude 1 and therefore provides no basis for concluding that the underlying rates are different. The overall failure rate estimate based on all the data (that is, assuming there is no dependence of failure rate on testing regimen) is λ̂ = [ ] failures per million valve-hours. The 95% confidence interval for this overall λ is

[ ]a,c (overall).

Based on this analysis we conclude that these data give no evidence of a dependence of failure rate on testing regimen. Moreover, under the assumption of a single failure rate these data would put that rate at between [ ]a,c failures per million valve-hours.
Appendix E: Correction of Fault Tree Results for Dependent Basic Events

The top-event probabilities given in Table 5-1 were calculated by a fault tree analysis program. In doing these calculations, whenever it is necessary to find the probability of an event which is represented in the tree as two events joined by an "and gate", the program uses the simple product rule from probability calculus; that is, the program treats the two events as (probabilistically) independent. This is not necessarily correct even though one is willing to assume that components fail independently. The difficulty is that basic-event probabilities and probabilities of component failure are the same only for what we have called demand components. For failure-rate components, as has been pointed out elsewhere in this report, basic event probabilities are component unavailabilities. It is simply not true that the joint unavailability of components which fail independently is given by the product of their separate unavailabilities. In this appendix we indicate the correct approach and describe the correction that was applied to the results of the fault tree analysis program.

In the case of two components with failure rates λ1 and λ2 and a common test interval t, their separate unavailabilities (as was seen in Appendix B) are λ1t/2 and λ2t/2 respectively. To get at their joint unavailability we return to the definition, i.e., the average fraction of t during which both are in the failed state. This, of course, is quite analogous to the situation in Appendix B where a formula for the unavailability of a single component was developed. We begin by finding the expected joint downtime in a time interval of length t given that both components have in fact failed during the interval. As was stated in Appendix B, given that a component has failed in a specified interval, the distribution of its time of failure within that interval is uniform. Since the two components being discussed here are assumed to fail independently, their two times of failure are independently, uniformly distributed within the specified interval. Now, the components are jointly down for the amount of time during which the second one to fail is down. To know the expected value of this quantity we need to know the expected value of the largest of two independent uniform observations. This well known result is 2t/3, that is, on the average the second failure will occur at the point which is one third of the length of the interval from its end. The joint unavailability of the two components in intervals of length t where they both fail is thus given by 1/3 (the time during which both are down, divided by the length of the interval). To get the joint unavailability in general (that is, not conditional on the two components failing in a specified interval) we must multiply the conditional value by the probability of the condition.

The probability of the condition is the probability of both components failing in the interval. Since they fail independently with exponentially distributed failure times, the result is the product of 1 - exp(-λ1t) and 1 - exp(-λ2t), or λ1t·λ2t using the usual approximation. Finally then, the correct joint unavailability is the product of this probability and the above factor of 1/3, that is,

(1/3)·λ1t·λ2t.

Meanwhile, for reasons explained above, the fault tree analysis program will use the result

(1/4)·λ1t·λ2t.

To correct for this, we have hand-adjusted the affected results from the program by the factor 4/3.
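The 4/3 correction can be checked without the small-λt approximations by time-averaging the probability that every component is down. The following Python sketch is an added example, not part of the original report; it assumes each component is restored to working order at the start of every test interval, and it goes beyond the two-component case in the text by accepting any number of independent components (for n components the small-λt ratio is 2^n/(n + 1)). All function names are constructed for illustration.

```python
import math

def unavailability(lam, t):
    """Exact unavailability of one component with failure rate lam, tested
    every t years: (1/t) * integral over [0, t] of F(s) = 1 - exp(-lam*s).
    For small lam*t this is very nearly lam*t/2 (Appendix B)."""
    x = lam * t
    return 1.0 + math.expm1(-x) / x

def joint_unavailability(rates, t, steps=2000):
    """Average fraction of a test interval during which ALL components are down.
    At time s into the interval, component i is down with probability
    F_i(s) = 1 - exp(-lam_i * s); independent failures give the product.
    The time average is taken with composite Simpson integration."""
    def all_down(s):
        return math.prod(-math.expm1(-lam * s) for lam in rates)
    h = t / steps                     # steps must be even for Simpson's rule
    total = all_down(0.0) + all_down(t)
    for i in range(1, steps):
        total += (4 if i % 2 else 2) * all_down(i * h)
    return total * h / 3.0 / t

def product_rule(rates, t):
    """What a fault tree program computes at an AND gate when it multiplies
    the separate unavailabilities as if they were independent events."""
    return math.prod(unavailability(lam, t) for lam in rates)

def correction_factor(rates, t):
    """Ratio of the true joint unavailability to the product-rule value."""
    return joint_unavailability(rates, t) / product_rule(rates, t)

if __name__ == "__main__":
    # Constructed rates (failures per year) with a yearly test interval.
    t = 1.0
    for rates in ([0.01, 0.01], [0.01, 0.02], [0.01, 0.01, 0.01]):
        print(rates,
              f"joint={joint_unavailability(rates, t):.4e}",
              f"product={product_rule(rates, t):.4e}",
              f"factor={correction_factor(rates, t):.4f}")
```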
VIII. REFERENCES

[1]-[3] [ ]b,c
[4] Westinghouse STDE, "Analysis of the Probability of the Generation and Strike of Missiles from a Nuclear Turbine", March 1974.
[5]-[8] [ ]b,c
[9] Westinghouse STG, "Valve Inspection for Fossil and Nuclear Units", Steam Turbine Information Manual, Section 13 CT-24038, October 1983.
[10] USNRC, Fault Tree Handbook, NUREG-0492, March 1980.
[11] Bain, Lee J., Statistical Analysis of Reliability and Life Testing Models - Theory and Methods, New York: Marcel Dekker, 1978.
[12] Barlow, Richard E., and Proschan, Frank, Statistical Theory of Reliability and Life Testing - Probability Models, New York: Holt, Rinehart, and Winston, 1975.
[13] Brownlee, K. A., Statistical Theory and Methodology in Science and Engineering, 2nd ed. New York: John Wiley and Sons, 1965.
[14] Mood, Alexander M. and Graybill, Franklin A., Introduction to the Theory of Statistics, 2nd ed. New York: McGraw-Hill, 1963.
[15] Kempthorne, Oscar and Folks, Leroy, Probability, Statistics and Data Analysis, Ames, Iowa: The Iowa State Univ. Press, 1971.
}}