ML20214R379

Review of South Texas Project Quality Data Processing Sys Reliability Study, Draft Technical Evaluation Rept

Site: South Texas (STP Nuclear Operating Company)
Issue date: 02/28/1987
From: Poloski J, EG&G Idaho, Inc., Idaho National Engineering & Environmental Laboratory
To: NRC
Shared Package: ML20214R349
References: CON-FIN-D-6019, EGG-REQ-7542, NUDOCS 8706080105


Text

EGG-REQ-7542

February 1987
INFORMAL REPORT

DRAFT TECHNICAL EVALUATION REPORT
REVIEW OF SOUTH TEXAS PROJECT QUALITY DATA PROCESSING SYSTEM RELIABILITY STUDY

John P. Poloski

Idaho National Engineering Laboratory
Managed by the U.S. Department of Energy
EG&G Idaho, Inc.
Idaho Falls, Idaho 83415

Prepared for the
U.S. Nuclear Regulatory Commission
Washington, D.C. 20555
Under DOE Contract No. DE-AC07-76ID01570
FIN No. D6019

8706080105 870309
PDR ADOCK 05000498
PDR

ABSTRACT

This report presents the results of a review of the Westinghouse Report PCA(85)-491, "South Texas Project Qualified Data Processing System Reliability Study." In addition to determining the adequacy of assumptions, models and failure data, simple fault models were developed to determine the validity of the availability estimates.


SUMMARY

A review of the South Texas Project reliability study of the Qualified Data Processing System found no major errors. The review concurs with the higher availability estimate of the implemented digital channel compared to a hypothetical analog counterpart. The models defined for the two designs appear to be reasonable and only define the dominant contributors to channel availability. Due to the lack of detailed modeling, the estimates are not intended to demonstrate availability requirements as specified in certain regulatory documents, but are only intended to be used in qualitative assessments.

The failure data, namely mean-time-to-failure, generally appear to be on the conservative side, thus yielding a conservative availability estimate. The mean-time-to-repair data appeared to be optimistic, thereby leading to a non-conservative estimate for availability. Primarily, the repair time data were based on engineering judgement. Due to insufficient information contained in the South Texas Project reliability study, the repair time data could not be fully justified for use in the reliability study. In addition, the mean-time-to-repair data did not take into account the time to detect a failure. The detection time could impact the availability estimates documented in the South Texas Project reliability study.


CONTENTS

Abstract ... ii
Summary ... iii
Introduction ... 1
QDPS Module Representation ... 2
Reliability/Availability ... 8
Failure Data ... 9
Module Modeling ... 12
Conclusions ... 20
References ... 22

FIGURES

1. QDPS System Block Diagram ... 3
2. Basic Features and I/O of a Class 1E Auxiliary Process Cabinet ... 4
3. Typical Remote Processing Unit (RPU) Architecture ... 6
4. Typical Valve Control Loop Block of the QDPS ... 7
5. Simplified Fault Tree for the Digital Process Channel of the SGWLCS ... 14
6. Simplified Fault Tree for the Hypothetical Analog Process Channel of the SGWLCS Assuming Plant Shutdown Upon Failure of One RTD ... 15
7. Simplified Fault Tree for the Hypothetical Analog Process Channel of the SGWLCS Assuming Plant Shutdown Upon Failure of Both RTDs ... 16

TABLES

1. Failure Data Utilized in SGWLCS Availability Calculations ... 11
2. SGWLCS Module Availability Estimates ... 17
3. SGWLCS Module Reliability Estimates ... 19

INTRODUCTION

A technical evaluation of a Westinghouse submittal [1] for the South Texas Project (STP) relating to the reliability of the Qualified Data Processing System (QDPS) was performed in support of the Nuclear Regulatory Commission's Office of Nuclear Reactor Regulation. The evaluation focused on determining the adequacy of the assumptions, analyses, results and conclusions presented in the submittal.

It was not the intention of the STP submittal to calculate an estimate of reliability for the entire QDPS but specifically to compare an existing digital process channel of the QDPS to a hypothetical analog counterpart. In addition to isolating on a particular process channel of the QDPS, the analog and digital channels found in the STP study were only developed to a level of detail that sufficiently differentiates the two designs. Due to this lack of complete detailed modeling, the estimates reported are only intended for use in the qualitative assessment of the two designs. The STP submittal contends that the digital channel has a higher availability than the analog counterpart. The process channel chosen for demonstrating the availability estimates is part of the Steam Generator Water Level Compensation System (SGWLCS) of the QDPS. The results presented in this report determine the validity of the availability estimates as well as whether the SGWLCS represents the QDPS as a whole.


QDPS MODEL REPRESENTATION

The QDPS is an integrated computer system designed to perform the following functions:

1) Data acquisition/qualified displays for post-accident monitoring;
2) Safety-grade control and position indication of several safety-related valves;
3) Steam generator narrow range water level compensation for the effect of reference leg temperature changes; and
4) Temperature averaging scheme for the narrow range THOT signal per loop [2].

The QDPS consists of the following major hardware: four Class 1E Auxiliary Process Cabinets (APCs), eight Class 1E plasma display units, three non-Class 1E demultiplexer units and one non-Class 1E remote processing unit (RPU).

Figure 1 represents an overall layout of the QDPS system. Figure 2 shows the basic features and I/O of an APC. The functions performed by the QDPS are accomplished within the APCs. The remote processing units (RPUs) contained in each of the APCs are data acquisition processors. The RPUs transmit data to the data processing units, which ultimately provide information to the operators via the plasma display modules. The RPUs are channelized process channels that perform engineering conversion, limit checks and isolation of the raw input data. In addition to the data acquisition, the APCs contain a set of Class 1E equipment to provide safety-grade control and position indication of safety-related valves, and microprocessor equipment for steam generator narrow range water level compensation and the THOT temperature averaging scheme used for calculating the narrow range hot leg RTD average temperature per loop. The QDPS is essentially broken down into three subsystems:

1) Control,
2) Steam Generator Water Level Compensation System (SGWLCS), and the
3) Plant Safety Monitoring System (PSMS).

[Figure 1. QDPS System Block Diagram (diagram not reproduced in this text extraction)]

[Figure 2. Basic Features and I/O of a Class 1E Auxiliary Process Cabinet (diagram not reproduced in this text extraction)]

The STP study focused on the SGWLCS as being representative of the QDPS as a whole. Functionally there is a distinction between these three subsystems. Specifically, the control and SGWLCS subsystems are each under control of their own microprocessor for each particular process variable being monitored. The PSMS subsystem is under control of a central processing unit (CPU) contained in the RPU and is totally involved in data acquisition and display of information. Figure 3 shows the RPU architecture, which is the heart of the PSMS subsystem. Figure 4 shows a typical control loop block diagram for a process variable.

Although differences exist between the three subsystems of the QDPS that are not accounted for in the STP study, a comparison of the information displayed by Figures 3 and 4 to the information provided in the STP study indicates the STP study is isolating on a particular process channel contained in the SGWLCS subsystem. From this standpoint, it appears that the digital model presented in the STP study is representative of any other process channel in the QDPS system. The discussions that follow will be in the context of a typical process channel of the SGWLCS. The availability estimates calculated pertain only to a process channel of the QDPS. The estimates cannot be considered as representative of the QDPS as depicted by the block diagram defined in Figure 1. For the remainder of this report, channel and module will be used interchangeably and represent one and the same thing.

[Figure 3. Typical Remote Processing Unit (RPU) Architecture (diagram not reproduced in this text extraction)]

[Figure 4. Typical Valve Control Loop Block of the QDPS (diagram not reproduced in this text extraction)]

RELIABILITY/AVAILABILITY ANALYSIS

The STP study reported estimates of availability for comparison of the digital and analog modules. Availability is defined herein, and also in the STP report, as the probability that the system will be able to operate within tolerances at any given instant of time. Reliability is defined as the probability of a system performing its purpose adequately for the period of time intended under the operating conditions encountered. The definition of reliability is provided to make the distinction between availability and reliability.

For non-repairable systems and a constant rate model, reliability and availability are one and the same. For the repairable case,

$$A = \frac{\text{UPTIME}}{\text{UPTIME} + \text{DOWNTIME}} = \frac{\text{MTTF}}{\text{MTTF} + \text{MTTR}}$$

where MTTF = mean time to failure and MTTR = mean time to repair.

Reliability is formally defined as

$$R = e^{-\lambda t}$$

where $\lambda$ = failure rate = $1/\text{MTTF}$ and $t$ = operating time.

The STP report provides availability estimates for a process module of the SGWLCS. The STP report makes inferences of the reliability of the QDPS based on SGWLCS availability estimates. Since the QDPS and SGWLCS are repairable systems, the usage of these two measures of system performance can result in different conclusions. The calculations that follow will show how these two measures of system performance can provide different results.


FAILURE DATA

The failure data utilized in the STP study primarily come from IEEE Standard 500 [3] and from life-testing data provided by the manufacturer. The data were verified for correctness and applicability. Table 1 presents the failure data utilized in this analysis and generally reflects the data found in the STP study. No major discrepancies were found that would significantly affect the conclusions of the STP study. The failure data selected, primarily MTTF, generally appear to be applicable to the components defined by the models and tend to be on the conservative side.

However, the MTTF for several components of the digital model appeared to be in error, resulting in a non-conservative availability estimate. The MTTF for these affected components were updated by this review to determine the impact of these errors on the digital channel availability. The affected components and updated MTTF are discussed below.

The MTTF reported in Appendix D of the STP study for the communication controller, Intel iSBC-88/45, is 11,365 hours at 55°C. Correcting this estimate for an environmental temperature of 45°C produces a MTTF for the communication controller of 16,000 hours. The final estimate reported in the STP study was computed by multiplying 16,000 hours by a factor of four. The justification for this four-fold increase in the MTTF for this component was stated as being "only one quarter of the board is being used." Review of the life test data found in Appendix E of the STP study does not provide sufficient information to warrant the increase in MTTF for this component due to only partial board utilization. Further examination of the Appendix E data reports the total board hours accumulated for the communication controller to be 56,157 hours at 55°C with no failures. A conservative 90% upper Chi-square confidence bound for the true failure rate when no failures are observed is given by the following:

$$\lambda \le \frac{\chi^2_{0.90}(2)}{2T}$$

where $\chi^2_{0.90}(2)$ represents the 90% Chi-square confidence limit with 2 degrees of freedom and $T$ is the total accumulated test time.

Since the MTTF is the reciprocal of the failure rate under the assumption of an exponential distribution, a conservative MTTF equal to 24,000 hours at 55°C for the communication controller is justified. Since no specific information is provided on the operational characteristics of this board and on the life testing of the communication controller by the manufacturer, a MTTF of 24,000 hours at 55°C was used for the communication controller. Correcting this estimate for a temperature of 45°C gives an approximate MTTF of 33,000 hours for the communication controller.

The failure data reported in Appendix D of the STP study for the digital to analog converter, DT-1742, indicate 305 boards shipped over a 12-month period with five random failures. The MTTF estimated was 58,368 hours based on 304 units operating for a 6-month period. Due to a lack of information in the STP study and for the purposes of this review, the shipment of D/A converters was assumed to be uniformly distributed over a 12-month period. Based on the five observed failures, a MTTF of 63,500 hours was estimated for the D/A converter. The value utilized in the STP study apparently used a lower 90% Chi-square confidence limit of 28,000 hours. The selection of this lower limit will produce a more conservative availability estimate but is not consistent with the MTTF calculated for the remaining components of the digital channel. For this review, a MTTF of 63,000 hours was used for the D/A converter.

The microprocessor MTTF estimate reported in Appendix D of the STP study was based on the original estimate of 8,655 hours at 55°C. This value was then adjusted for an operating temperature of 45°C to arrive at the MTTF estimate of 40,000 hours. There exists a large difference between the temperature scaling factor of the microprocessor, 4.6, as compared to the factor used for the communication controller, 1.4. The power ratings and heat dissipation of these two devices are not known, but there appears to be a large disparity between the two scaling factors. Using the same factor that was applied to the communication controller for temperature adjustment, a MTTF estimate of 12,200 hours for the microprocessor was calculated during this review. The MTTF estimate utilized in the STP study was a factor of 3.3 greater than what the failure data in Appendix D support. Further examination of the data found in Appendix E of the STP study states for the microprocessor, iSBC-88/40, a demonstrated MTTF at 55°C of 27,939. In addition to reporting a demonstrated value in Appendix E of the STP study, a calculated MTTF of 8,655 at 55°C was reported. To compute a "calculated" MTTF estimate, one typically takes the demonstrated MTTF, which is primarily the accumulated hours of life testing, and divides by the number of observed failures. No other failure data were reported for this device. Due to insufficient data, this discrepancy could not be resolved at this time. For this review, the MTTF for the microprocessor is assumed to be 12,200 hours, which corresponds to the calculated MTTF at 45°C. This estimate was chosen since it will result in a conservative availability estimate for the digital channel.

Table 1. Failure Data Utilized in SGWLCS Availability Calculations

| Component | Channel Type (a) | MTTF (hours) | Failure Rate (per hour) | Detection Interval | MTTR (hours) | Fault Duration (hours) | Unavailability |
|---|---|---|---|---|---|---|---|
| RTD | A&D | 83,000 | 1.2E-5 | 8 hours | 36 | 40 | 4.8E-4 |
| mV/I Converter | A&D | 45,000 | 2.2E-5 | 8 hours | 3 | 7 | 8.4E-4 |
| Amplifier (Auctioneer) | A | 90,000 | 1.1E-5 | 3 months | 3 | 1083 | 1.2E-2 |
| Amplifier (L/L) | A | 90,000 | 1.1E-5 | 3 months | 3 | 1083 | 1.2E-2 |
| Multifunction Generator | A | 31,000 | 3.2E-5 | 8 hours | 3 | 7 | 2.2E-4 |
| Summing Amplifier | A | 90,000 | 1.1E-5 | 8 hours | 3 | 7 | 7.7E-5 |
| Bistable | A | 336,000 | 3.0E-6 | 3 months | 3 | 1083 | 3.2E-2 |
| I/E Converter | D | 90,000 | 1.1E-5 | 8 hours | 3 | 7 | 7.7E-5 |
| R/E Converter | A&D | 45,000 | 2.2E-5 | 8 hours | 3 | 7 | 1.5E-4 |
| A/D Converter | D | 37,000 | 2.7E-5 | 8 hours | 3 | 7 | 1.9E-4 |
| Microprocessor | D | 12,200 | 8.2E-5 | 1 hour | 3 | 3.5 | 2.9E-4 |
| D/A Converter | D | 63,000 | 1.6E-5 | 8 hours | 3 | 7 | 1.1E-4 |
| E/I Converter | D | 90,000 | 1.1E-5 | 8 hours | 3 | 7 | 7.7E-5 |
| Communication Controller | D | 33,000 | 3.0E-5 | 1 hour | 3 | 3.5 | 1.1E-4 |

Note: a. A denotes analog application; D denotes digital application.

MODULE MODELING

The models presented in the STP report appear to be an accurate representation of a typical digital and analog process channel. Due to the reasonableness of the models, they were also used as the basis of this study. The failure data contained in Table 1 of this review were utilized for the purposes of calculating module availability estimates. The estimates provided by this study, as well as the STP report, are intended for comparison purposes only. Hence the models developed are not detailed models, but high level models intended to show the major active components of the digital and analog modules. Therefore the estimates are gross in nature and should not be considered as an accurate estimate of system performance. The absence of less important components in the models tends to overestimate channel availability.

Fault models were developed for this review of the digital and analog modules found in the STP study. These fault models, as well as those in the STP report, ignore faults associated with wiring, power supplies, human error, software, etc. In addition, the models assume a steam generator water level signal is present and therefore water level signal processing components are not developed as part of the fault tree logic.

Unavailability estimates presented in Table 1 were assigned to the hardware components defined in the fault models. The individual unavailability estimates were calculated by multiplying the component failure rate by the fault duration time. The fault duration time is assumed to be one-half of the test interval time plus the average time to repair the faulted component. The fault model and associated unavailabilities for the digital module are depicted in Figure 5. The fault model for the analog representation of the digital module is represented by Figure 6 and Figure 7. Two models were developed for the analog module to account for the possibility of shutting down the plant when the first RTD fails (Figure 6) or continuing to operate until a second RTD failure occurs (Figure 7). These assumptions are consistent with those stated in the STP report and are considered to be a reasonable approach for a bounding calculation. These two possibilities are provided to bound the unavailability estimates for the analog configuration. Table 2 presents the results of the quantified fault models as well as providing the availability estimates stated in the STP study. Even though the absolute values differ, the same qualitative conclusion relating to the higher availability of the digital module as compared to the analog module is supported.
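To make the arithmetic behind Table 1, the zero-failure Chi-square bound of the Failure Data section, and the availability-versus-reliability distinction concrete, here is an added Python example; it is not code from the report or from Westinghouse, it uses the report's own input values, and its helper names, the 30-day month, and the two constructed three-component chains are this example's assumptions rather than the report's fault trees.

```python
import math

# Added example, not from the EG&G report. Input values are the report's own
# numbers; the function names and the two constructed chains below are assumptions.

HOURS_PER_MONTH = 720.0  # assumption: 30-day months, so "3 months" = 2160 h


def chi2_quantile_2df(confidence):
    """Upper Chi-square quantile with 2 degrees of freedom.

    With 2 d.f. the Chi-square distribution is exponential with mean 2, so
    the quantile has the closed form -2 ln(1 - confidence); no statistics
    library is needed. For 90% this is about 4.605.
    """
    return -2.0 * math.log(1.0 - confidence)


def mttf_lower_bound_no_failures(total_test_hours, confidence=0.90):
    """Conservative MTTF when T test hours accumulate with zero failures.

    The report's bound is lambda <= chi2(2) / (2T); MTTF is its reciprocal.
    For the communication controller (T = 56,157 h) this gives ~24,400 h,
    which the report rounds down to 24,000 h.
    """
    lam_upper = chi2_quantile_2df(confidence) / (2.0 * total_test_hours)
    return 1.0 / lam_upper


def fault_duration(detection_interval_hours, mttr_hours):
    """Report's assumption: half the test interval plus the repair time."""
    return detection_interval_hours / 2.0 + mttr_hours


def unavailability(failure_rate, detection_interval_hours, mttr_hours):
    """Component unavailability q = lambda * fault duration (Table 1 column)."""
    return failure_rate * fault_duration(detection_interval_hours, mttr_hours)


def series_availability(components):
    """Availability of a series arrangement: every component must be up.

    components: iterable of (failure_rate, detection_interval_h, mttr_h).
    """
    avail = 1.0
    for rate, interval, mttr in components:
        avail *= 1.0 - unavailability(rate, interval, mttr)
    return avail


def series_failure_rate(components):
    """Failure rates of a series system are additive."""
    return sum(rate for rate, _, _ in components)


def reliability(failure_rate, mission_hours):
    """R = exp(-lambda t) for a constant failure rate."""
    return math.exp(-failure_rate * mission_hours)


# Constructed illustration: two three-component chains whose rates and MTTRs
# are borrowed from Table 1. The "analog" chain carries 3-month surveillance
# intervals, the "digital" chain the 1-hour self-diagnostic interval.
# These chains do NOT reproduce the report's Figure 5-7 fault trees.
ANALOG_STYLE = [
    (1.1e-5, 3 * HOURS_PER_MONTH, 3.0),  # auctioneer amplifier
    (3.2e-5, 8.0, 3.0),                  # multifunction generator
    (3.0e-6, 3 * HOURS_PER_MONTH, 3.0),  # bistable
]
DIGITAL_STYLE = [
    (8.2e-5, 1.0, 3.0),                  # microprocessor
    (2.7e-5, 8.0, 3.0),                  # A/D converter
    (3.0e-5, 1.0, 3.0),                  # communication controller
]


def compare_measures(mission_hours=3 * HOURS_PER_MONTH):
    """Return {name: (availability, reliability)} for both chains.

    Shows the report's point: the digital chain has the higher failure rate
    (lower reliability over a 3-month mission) yet the higher availability,
    because its faults are detected within an hour instead of sitting
    undetected until the next quarterly test.
    """
    return {
        "analog": (series_availability(ANALOG_STYLE),
                   reliability(series_failure_rate(ANALOG_STYLE), mission_hours)),
        "digital": (series_availability(DIGITAL_STYLE),
                    reliability(series_failure_rate(DIGITAL_STYLE), mission_hours)),
    }


if __name__ == "__main__":
    print("90% Chi-square(2):", round(chi2_quantile_2df(0.90), 3))
    print("comm. controller MTTF bound:", round(mttf_lower_bound_no_failures(56157)))
    print("auctioneer amplifier q:", unavailability(1.1e-5, 3 * HOURS_PER_MONTH, 3.0))
    print("microprocessor q:", unavailability(8.2e-5, 1.0, 3.0))
    for name, (a, r) in compare_measures().items():
        print(f"{name}: availability={a:.5f} reliability(3 months)={r:.4f}")
```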

[Figure 5. Simplified Fault Tree for the Digital Process Channel of the SGWLCS (diagram not reproduced in this text extraction)]

[Figure 6. Simplified fault tree for the hypothetical analog process channel of the SGWLCS assuming plant shutdown upon failure of one RTD (diagram not reproduced in this text extraction)]

[Figure 7. Simplified fault tree for the hypothetical analog process channel of the SGWLCS assuming plant shutdown upon failure of both RTDs (diagram not reproduced in this text extraction)]

TABLE 2. SGWLCS MODULE AVAILABILITY ESTIMATES

| Module | This Review | STP Results |
|---|---|---|
| Digital module | 0.9993 | 0.9996 |
| Analog module, failure of both RTDs | 0.9758 | 0.9993 |
| Analog module, failure of a single RTD | 0.9731 | 0.9983 |

One apparent reason for the difference in the availability estimates, other than the failure rate differences discussed earlier, is the repair time assigned to each of the hardware components. The STP study assigned to each component a MTTR of three hours. This estimate was based on a weighted average of time to complete various tasks necessary to do the actual repair. These tasks include such steps as assignment of repair personnel to perform the repair through replacement and testing of the component. Within each task breakdown, various scenarios were defined to account for different possibilities or conflicts that could be encountered during the course of the repair process. Times were assigned to the scenarios as well as the probability of occurrence. These estimates were based on engineering judgement and experience. No data were provided in the STP study to indicate how many people participated in this survey, the level of expertise (i.e., above average repair technician, below average, etc.), whether the times assigned were average or worst possible case, etc. Due to the above mentioned reasons, a high degree of uncertainty exists in the MTTR estimate.


In addition to the above, the MTTR estimate did not take into account the time to detect the existence of a faulted component. The method to detect a faulted component is generally through surveillance testing programs. The Westinghouse Standard Technical Specifications [4] indicate that channel checks be conducted at least once per 12 hours and an operational test be conducted every 31 days. The latter requirement has been relaxed to every three months. The testing intervals assigned to the various components based on Tech Spec requirements are reported in Table 1. These surveillance requirements are consistent with those reported in the STP study. The exclusion of the average time to detect the failed components from the MTTR estimates utilized in the STP study biases the availability estimates. This bias results in an optimistic estimate of component availability.

In addition to the availability estimates, estimates of reliability were computed in order to provide the reader with a better understanding of the difference between these two types of estimates of system performance. The STP study makes references to reliability being of prime importance. The type of system performance measure used can clearly change the conclusion regarding performance of the digital and the analog module. Even though the STP study makes use of this terminology, the appropriate measure of system performance, availability, for the SGWLCS was calculated for the comparison of digital to analog channels. The discussion that follows is intended to clarify the distinction between the two types of system performance estimates. Table 3 presents the digital and analog module failure rates and associated reliability for a one hour and three month mission time. The estimates are based on the data contained in Table 1.

As indicated by Table 3, the analog modules have a higher probability of survival than the digital. The reason for this being the case is that the analog components exhibit a lower failure rate than the digital components. Since both analog and digital are primarily series systems, the failure rates are additive. Therefore, if reliability, in the context of the module performing its stated function for a period of time, were the major consideration, the analog module would clearly be the obvious choice. Since the SGWLCS is part of the protection system, availability is the most important consideration. Because of the self-diagnostics of certain digital hardware, the detection time, and hence the down time, of the digital module is much lower than that of the analog module. The higher availability of the digital module is attributed to this feature.

TABLE 3. SGWLCS MODULE RELIABILITY ESTIMATES

| Module | Failure Rate (per hour) | Mission Reliability, 1 Hour | Mission Reliability, 3 Months |
|---|---|---|---|
| Digital module | 1.87E-4 | 0.99981 | 0.6677 |
| Analog module, failure of one RTD | 1.33E-4 | 0.99986 | 0.7503 |
| Analog module, failure of both RTDs | 1.16E-4 | 0.99988 | 0.7784 |


CONCLUSIONS

A review of the South Texas Project reliability study of the QDPS was conducted to determine if the digital implementation of a typical process channel was better than a hypothetical analog design. The method utilized in the reliability study, and in this review, to make the comparison was development of reliability models from which estimates of availability for the implemented digital and the representative analog process channels were derived. The review focused attention on the accuracy of the models developed for the analog and digital channels, assumptions associated with the models, and failure data utilized to produce the availability estimates.

Overall, the review results concur with the South Texas Project findings pertaining to the higher availability estimate for the implemented digital channel versus the hypothetical analog channel. From a channel perspective, the models represent a typical process channel of the QDPS. The estimate of availability presented for the digital model does not reflect the availability of the QDPS as a whole. Nor is it intended to be an accurate estimate of availability of the overall system. The models developed were only high level in nature, focusing only on major active components of the channel. Deficit contributions to the availability model, by such components as power supply faults, wire faults and human error, were omitted from the analysis. Given the reasonableness of the models to depict any other channel of the QDPS, the failure data assigned to the components generally appeared to be appropriate.

The mean-time-to-failure data used in the STP study generally appeared to be on the conservative side. Some discrepancies were found and noted in the main body of this report. These discrepancies were modified for the review in order to assess the impact on the availability estimates.

In addition, the mean-time-to-repair data appeared to be questionable. A repair time of three hours was assigned to each of the components depicted in the model. The assignment of a three hour repair time appears to be incorrect from an intuitive engineering perspective. Due to lack of information contained in the reliability study and for the review, these repair time estimates could not be substantiated. Because of the unresolved repair time and not having the same tool used to quantify the estimates as in the STP study, fault models of the digital and analog channels were developed in order to recompute the availability estimates. The availability estimates were derived from the fault models. A time averaged availability calculation was performed on the dominant cutsets of the fault models.

The recalculated availability estimates, even though lower than stated in the STP study, support the higher availability of the digital channel as compared to the hypothetical analog channel. The estimates provided by this review and also those reported in the STP study are intended only for purposes of comparison. Neither of these estimates should be utilized as absolute values of channel availability. Further, they are intended only to represent a typical process channel and not to be taken as an estimate of the total QDPS availability.


References

1. Westinghouse Report PCA(85)-491, South Texas Project Qualified Data Processing System Reliability Study, February 1986.
2. South Texas Project Final Safety Analysis Report.
3. IEEE Std 500-1984, IEEE Guide to the Collection and Presentation of Electrical, Electronic, Sensing Component, and Mechanical Equipment Reliability Data for Nuclear-Power Generating Stations.
4. NUREG-0452, Standard Technical Specifications for Westinghouse Pressurized Water Reactors, Fall 1981.


BIBLIOGRAPHIC DATA SHEET (NRC Form 335)

Report number: EGG-REQ-7542
Title: Technical Evaluation Report -- A Review of South Texas Project Qualified Data Processing System Reliability Study
Author: John P. Poloski
Date report completed: February 1987
Date report issued: February 1987
Performing organization: Idaho National Engineering Laboratory, EG&G Idaho, Inc., Idaho Falls, ID 83415
Sponsoring organization: Office of Nuclear Reactor Regulation, U.S. Nuclear Regulatory Commission, Washington, D.C. 20555
Type of report: Draft Technical Evaluation Report
Abstract: The findings of a review of the South Texas Project Quality Data Processing Reliability report are presented.
Availability statement: Unlimited Distribution
Security classification (this page / this report): Unclassified / Unclassified