ML20247M711

Requests Proprietary Rev 1 to WCAP-11312, Westinghouse Owners Group Tech Spec Subcommittee Reactor Trip Breaker Maint/Surveillance Optimization Program, Be Withheld (Ref 10CFR2.790(b)(4))
ML20247M711
Person / Time
Site: Vogtle, Southern Nuclear
Issue date: 05/22/1989
From: Wiesemann R
WESTINGHOUSE ELECTRIC COMPANY, DIV OF CBS CORP.
To: Murley T
Office of Nuclear Reactor Regulation
Shared Package
ML20247M701 List:
References
CAW-89-072, CAW-89-72, NUDOCS 8908020200


Text

Westinghouse Electric Corporation
Energy Systems
Nuclear and Advanced Technology Division

Box 355
Pittsburgh, Pennsylvania 15230-0355

May 22, 1989
CAW-89-072

Dr. Thomas Murley, Director
Office of Nuclear Reactor Regulation
U.S. Nuclear Regulatory Commission
Washington, D.C. 20555

APPLICATION FOR WITHHOLDING PROPRIETARY INFORMATION FROM PUBLIC DISCLOSURE

Subject: WCAP-11312, Rev. 1, "Westinghouse Owner's Group Technical Specification Subcommittee Reactor Trip Breaker Maintenance/Surveillance Optimization Program" (Proprietary)

Dear Dr. Murley:

The proprietary information for which withholding is being requested in the enclosed letter by Georgia Power Company is further identified in Affidavit CAW-88-099 signed by the owner of the proprietary information, Westinghouse Electric Corporation. The affidavit, which accompanies this letter, sets forth the basis on which the information may be withheld from public disclosure by the Commission and addresses with specificity the considerations listed in paragraph (b)(4) of 10CFR Section 2.790 of the Commission's regulations.

Accordingly, this letter authorizes the utilization of the accompanying affidavit by Georgia Power Company.

Correspondence with respect to the proprietary aspects of the application for withholding or the Westinghouse affidavit should reference this letter, CAW-89-072, and should be addressed to the undersigned.

Very truly yours,
WESTINGHOUSE ELECTRIC CORPORATION

Robert A. Wiesemann, Manager
Regulatory & Legislative Affairs

Enclosures

cc: E. C. Shomaker, Esq.
Office of the General Counsel, NRC

CAW-88-099

AFFIDAVIT

COMMONWEALTH OF PENNSYLVANIA:
ss
COUNTY OF ALLEGHENY:

Before me, the undersigned authority, personally appeared Robert A. Wiesemann, who, being by me duly sworn according to law, deposes and says that he is authorized to execute this Affidavit on behalf of Westinghouse Electric Corporation ("Westinghouse") and that the averments of fact set forth in this Affidavit are true and correct to the best of his knowledge, information, and belief:

Robert A. Wiesemann, Manager
Regulatory and Legislative Affairs

Sworn to and subscribed before me this [illegible] day of [illegible] 1988.

Notary Public

NOTARIAL SEAL: LORRAINE M. PIPLCA, NOTARY PUBLIC, MONROEVILLE BORO, ALLEGHENY COUNTY. MY COMMISSION EXPIRES DEC 14, 1991. Member, Pennsylvania Association of Notaries

(1) I am Manager, Regulatory and Legislative Affairs, in the Nuclear and Advanced Technology Division, of the Westinghouse Electric Corporation and as such, I have been specifically delegated the function of reviewing the proprietary information sought to be withheld from public disclosure in connection with nuclear power plant licensing and rulemaking proceedings, and am authorized to apply for its withholding on behalf of the Westinghouse Energy Systems, Nuclear Fuel, and Power Generation Business Units.

(2) I am making this Affidavit in conformance with the provisions of 10CFR Section 2.790 of the Commission's regulations and in conjunction with the Westinghouse application for withholding accompanying this Affidavit.

(3) I have personal knowledge of the criteria and procedures utilized by the Westinghouse Energy Systems, Nuclear Fuel, and Power Generation Business Units in designating information as a trade secret, privileged or as confidential commercial or financial information.

(4) Pursuant to the provisions of paragraph (b)(4) of Section 2.790 of the Commission's regulations, the following is furnished for consideration by the Commission in determining whether the information sought to be withheld from public disclosure should be withheld.

(i) The information sought to be withheld from public disclosure is owned and has been held in confidence by Westinghouse.

(ii) The information is of a type customarily held in confidence by Westinghouse and not customarily disclosed to the public.

Westinghouse has a rational basis for determining the types of information customarily held in confidence by it and, in that connection, utilizes a system to determine when and whether to hold certain types of information in confidence. The application of that system and the substance of that system constitutes Westinghouse policy and provides the rational basis required.

Under that system, information is held in confidence if it falls in one or more of several types, the release of which might result in the loss of an existing or potential competitive advantage, as follows:

(a) The information reveals the distinguishing aspects of a process (or component, structure, tool, method, etc.) where prevention of its use by any of Westinghouse's competitors without license from Westinghouse constitutes a competitive economic advantage over other companies.

(b) It consists of supporting data, including test data, relative to a process (or component, structure, tool, method, etc.), the application of which data secures a competitive economic advantage, e.g., by optimization or improved marketability.

(c) Its use by a competitor would reduce his expenditure of resources or improve his competitive position in the design, manufacture, shipment, installation, assurance of quality, or licensing a similar product.

(d) It reveals cost or price information, production capacities, budget levels, or commercial strategies of Westinghouse, its customers or suppliers.

(e) It reveals aspects of past, present, or future Westinghouse or customer funded development plans and programs of potential commercial value to Westinghouse.

(f) It contains patentable ideas, for which patent protection may be desirable.

(g) It is not the property of Westinghouse, but must be treated as proprietary by Westinghouse according to agreements with the owner.

There are sound policy reasons behind the Westinghouse system which include the following:

(a) The use of such information by Westinghouse gives Westinghouse a competitive advantage over its competitors.

It is, therefore, withheld from disclosure to protect the Westinghouse competitive position.

(b) It is information which is marketable in many ways. The extent to which such information is available to competitors diminishes the Westinghouse ability to sell products and services involving the use of the information.

(c) Use by our competitor would put Westinghouse at a competitive disadvantage by reducing his expenditure of resources at our expense.

(d) Each component of proprietary information pertinent to a particular competitive advantage is potentially as valuable as the total competitive advantage. If competitors acquire components of proprietary information, any one component may be the key to the entire puzzle, thereby depriving Westinghouse of a competitive advantage.

(e) Unrestricted disclosure would jeopardize the position of prominence of Westinghouse in the world market, and thereby give a market advantage to the competition of those countries.

(f) The Westinghouse capacity to invest corporate assets in research and development depends upon the success in obtaining and maintaining a competitive advantage.

(iii) The information is being transmitted to the Commission in confidence and, under the provisions of 10CFR Section 2.790, it is to be received in confidence by the Commission.

(iv) The information sought to be protected is not available in public sources or available information has not been previously employed in the same original manner or method to the best of our knowledge and belief.

(v) The proprietary information sought to be withheld in this submittal is that which is appropriately marked in "Westinghouse Owners Group Technical Specification Subcommittee Reactor Trip Breaker Maintenance/Surveillance Optimization Program," WCAP-11312, Revision 1 (Proprietary), for Diablo Canyon Power Plant Units 1 and 2, being transmitted by the Pacific Gas & Electric Company (PG&E) letter and Application for Withholding Proprietary Information from Public Disclosure, J. D. Shiffer, PG&E, to U.S. Nuclear Regulatory Commission, Attn: Document Control Desk, December, 1988. The proprietary information as submitted for use by Pacific Gas & Electric Company for the Diablo Canyon Power Plant Units 1 and 2 is expected to be applicable in other licensee submittals in response to certain NRC requirements for justification of optimum intervals for test and maintenance of reactor trip breakers such that breaker reliability is enhanced while sufficient surveillance testing is performed to confirm operability.

This information is part of that which will enable Westinghouse to:

(a) Provide documentation of the analyses and methods for reaching a conclusion relative to the optimum preventive maintenance and test intervals for reactor trip breakers.

(b) Develop a reactor trip breaker database in order to establish the parameters necessary for the evaluation of reactor trip breaker reliability.

(c) Establish the basis for a mathematical reliability model representative of the cyclic degradation process and the effects of preventive maintenance on reactor trip breakers.

(d) Assist the customer to obtain NRC approval.

Further this information has substantial commercial value as follows:

(a) Westinghouse plans to sell the use of similar information to its customers for purposes of meeting NRC requirements for licensing documentation.

(b) Westinghouse can sell support and defense of the analysis and conclusions to its customers.

Public disclosure of this proprietary information is likely to cause substantial harm to the competitive position of Westinghouse because it would enhance the ability of competitors to provide similar analytical documentation and licensing defense services for commercial power reactors without commensurate expenses. Also, public disclosure of the information would enable others to use the information to meet NRC requirements for licensing documentation without purchasing the right to use the information.

The development of the technology described in part by the information is the result of applying the results of many years of experience in an intensive Westinghouse effort and the expenditure of a considerable sum of money.

In order for competitors of Westinghouse to duplicate this information, similar technical programs would have to be performed and a significant manpower effort, having the requisite talent and experience, would have to be expended for data collection and reduction and development of analytical models.

Further the deponent sayeth not.

WESTINGHOUSE CLASS 3

WCAP-11966

Westinghouse Owners Group Technical Specification Subcommittee Reactor Trip Breaker Maintenance/Surveillance Optimization Program

October, 1988

By
D. A. McCutchan
D. R. Peffer

Approved by: A. Maguire, Manager, Reliability Engineering

Funded under the auspices of the Westinghouse Owners Group (MUHU-3032)

Westinghouse Electric Corporation
Power Systems Division
P.O. Box 355
Pittsburgh, Pennsylvania

1584v:1D/103188

LEGAL NOTICE

This report was prepared by Westinghouse Electric Corporation, as an account of work sponsored by the Westinghouse Owners Group. Neither Westinghouse nor any person acting on behalf of either: (a) makes any warranty of representation, express or implied, with respect to the accuracy, completeness, or usefulness of the information contained in this report, or that the use of any information, apparatus, method, or process disclosed in this report may not infringe privately owned rights; or (b) assumes any liabilities with respect to the use of, or for damages resulting from the use, of any information, apparatus, method, or process disclosed in this report.

EXECUTIVE SUMMARY

A study has been conducted for the Westinghouse Owner's Group of the optimum preventive maintenance and test intervals for reactor trip breakers. Since testing at Westinghouse ITTC and the expert opinion of breaker engineers indicate cycling to be the primary cause of breaker failures, there is reason to believe frequent testing may be counterproductive. Likewise preventive maintenance, as currently defined, results in added trip cycles. The objective of this study is to calculate optimum intervals for test and maintenance, such that breaker reliability is enhanced while sufficient surveillance testing is performed to confirm its operability.

The assumption underlying periodic testing of standby safety systems, as embodied in the Technical Specifications for nuclear plant operation, is that a component may fail unannounced while in standby. Accordingly, safety system operability is confirmed periodically and the plant is shut down when a malfunction is detected if it cannot be repaired within a specified time. This limits the risk that a safety system is inoperable at the time of a safety demand. Thus, when a regulation requires periodic testing of the trip breakers, the justification for the test rests on the assumption that a trip breaker may become inoperable during normal plant operation - while it is closed - such that it might later fail to open in response to a subsequent trip signal. The presumed failure cause in this concept is one whose arrival can occur randomly in time, and in the absence of a trip signal.

A database of reactor trip breaker (RTB) failures was developed by updating the data previously obtained for the earlier study of UVTA reliability (Ref. 1) and analyzed to determine failure statistics. Very few malfunctions were indicated by the report originators as being caused primarily by time related processes such as the accumulation of dust or the degradation of lubricants.

In contrast, the majority appear to be caused by repeated stresses connected with trips. It is remarkable that the fundamental assumption justifying periodic inspection - that failures to trip can originate as the result of (or are correlated with) the passage of time alone - is not supported by experience. Accordingly, it may be concluded that from a breaker performance standpoint, less frequent testing would be desirable. The results reported here show that for a rather wide range of RTB reliability parameters, the "optimum" test interval is [ ]+a,c. Here, "optimum" is defined as the interval which yields the minimum breaker unavailability for a randomly timed trip challenge. The available data do not permit an objective classification of the events as definitely due to time or cycling alone, so that the mean-time-to-failure, on which the location of the minimum depends, remains uncertain. Reasonable choices can be made subjectively; this leads to an interval of [ ]+a,c. Since the present interval is [ ]+a,c, it is recommended that no change be made.

It should be noted that the above discussion of "optimum" test intervals is directed to calculating the interval which maximizes the reliability of an isolated RTB for a safety demand. If the expected value of RTB system reliability were recalculated (by PRA methods) to take account of recent RTB modifications, most notably the automation of the Shunt Trip Attachment feature, the results would presumably indicate that a longer test interval can be tolerated, even if the resulting system reliability were less than that achievable at the "optimum" interval. Past NRC regulatory policy has, however, discounted the benefit of the STA on the grounds that it does not operate on a "de-energize-to-trip" principle. A further difficulty is that an explicit statement of the required RTB reliability would be needed; by simply testing at the interval which maximizes reliability, we avoid the need for a reliability requirement.

The situation with regard to the optimum preventive maintenance (PM) interval is clearer: for the entire range of RTB parameters considered reasonable - even by very conservative standards - it is clear that conducting PM during the operating cycle is counterproductive. (We assume that PM will be undertaken during refueling outages, as in the past). Operating intervals of up to [ ]+a,c were investigated, corresponding to an approximately [ ]+a,c fuel cycle. While this study was limited in scope to the analysis of a single RTB, this recommendation is considered to be valid for the typical, redundant RTB system also.

TABLE OF CONTENTS

Section
1.0 Introduction
2.0 Reactor Trip Breaker Data Base Development
3.0 Description of Reliability Model
4.0 Data Reduction and Analysis
5.0 Results
6.0 Summary and Conclusion
7.0 Recommendations
8.0 References

1.0 INTRODUCTION

In early 1982 the Westinghouse Owners Group undertook the Technical Specification Optimization Program (WOG-TOPS), a fault tree evaluation of the reactor protection system aimed at optimizing technical specification requirements for testing and repair time. Shortly after submittal of the initial report to the NRC (2) the Salem Generating Station experienced two reactor trip breaker (RTB) malfunctions which were widely publicized because both RTB's failed to open and because of the circumstance that the initial malfunction was not noticed and reported. As a result of those problems, it was agreed that relaxation of technical specification requirements on reactor trip breakers would not be considered as part of the WOG-TOPS submittal.

Since that time, several other programs have been performed by Westinghouse at the request of the WOG including:

1. An evaluation of breaker Undervoltage Trip Attachment (UVTA) failure experience (1)
2. Class 1E qualification and life cycle testing of the reactor trip breaker trip attachments (3, 4)
3. Development of reactor trip breaker maintenance manuals.

These programs have enhanced Westinghouse and Westinghouse Owners Group knowledge about reactor trip breakers, but were not performed with the aim of establishing a probabilistic or statistical basis for testing and maintenance practices. In fact, the test and maintenance practices specified in the maintenance manuals to date have been based primarily on engineering judgment. Realizing that a quantitative basis for reactor trip breaker testing and maintenance practices would be a significant step forward, the WOG authorized its Technical Specifications Subcommittee to proceed with the Reactor Trip Breaker Maintenance/Surveillance Optimization Program. The specific objectives of the program have been to:

1. Utilize existing data and methodologies available as a result of previous programs to the extent practicable
2. Establish optimized reactor trip breaker test and preventive maintenance (PM) practices (including trip breaker components)
3. Revise the DS-416 and DB-50 Maintenance Manuals based on reliability-centered test and maintenance intervals
4. Develop revised technical specifications for reactor trip breaker testing requirements.

This report documents the following tasks:

1. Establishment of a reactor trip breaker database.
2. Development of a reactor trip breaker reliability model.
3. Analysis of the reliability model using the database so as to provide optimized test and maintenance frequencies.

Revisions to the breaker maintenance manuals are being made in conjunction with this study and will be issued separately.

We have not proposed a revision to the Standard Technical Specification because no sufficient basis for relaxation has emerged from the present study of an isolated breaker. However, a suggested technical specification written in accordance with Generic Letter 85-09 (with the exception of the treatment therein of bypass RTB's) has been issued to the WOG in an effort to establish a standard in WOG utilities. It is not unlikely that the reliability margin for the trip system as a whole has been enhanced by design modification to the point that less frequent testing may be required. To confirm this, a PRA of the entire system would be required, as in prior evaluations (2,5,6); this lies outside the scope of this project.

This report describes the details of the work carried out in this program as well as the results.

2.0 REACTOR TRIP BREAKER DATABASE DEVELOPMENT

In order to perform a quantitative reliability analysis, a summary of Westinghouse breaker experience was required. A reactor trip breaker database was developed in order to estimate the parameters necessary for evaluation of the reactor trip breaker reliability model. The first step in establishing this database was to investigate the already available and compiled information which included:

[ ]+a,c

The life-cycle test reports contain relevant information as to component replacement intervals in order to preclude cycle wear-out. [ ]+a,c That listing provided information regarding failure modes and failure causes. The basis for the event listing was a plant survey completed by each WOG member which provided information on testing and maintenance practices as well as a list of breaker and UVTA events. Although [ ]+a,c dealt only with UVTA events, information relative to breaker malfunctions was also reported.

Although the listing of breaker events provided the bulk of information necessary for the program, data regarding test and maintenance practices in the post-July 1, 1983 period were also investigated. Technical Specifications delineate current reactor trip breaker surveillance requirements and the DB-50 and DS-416 Maintenance Manuals contain the present maintenance practices and recommendations for WOG plants.

These three sources, viz.,

1. the listing of breaker events,
2. current testing practices, and
3. current maintenance practices

provide the basis for data reduction and analysis of the trip breaker reliability model.

3.0 DESCRIPTION OF RELIABILITY MODEL

3.1 Background

An extensive literature exists on the availability of a periodically monitored safety system; see (7) through (20). The model created in this project is an extension of the [ ]+a,c model has been thoroughly reviewed in the course of its extensive use, and may be presumed to be accepted within the NRC, who continue to sponsor its development.

A plant operating cycle between refuelings is analyzed in the model. The cycle length assumed for all of the present results was [ ]+a,c operating period is then divided into a number of subperiods equal to the test interval - with a final fractional interval in most cases - and the expected unavailability of the breaker on a random challenge is calculated for each subperiod. The subperiod unavailabilities are averaged to produce the final RTB unavailability presented for that test interval. The number of failures is also calculated for comparison to historic event data. In each test interval failures on demand and unavailability at demand due to unannounced, standby failures; outages for test and PM; and outages for repair are calculated.

On-line preventive maintenance events were allowed to occur at [ ]+a,c times during the cycle; PM concurrent with one of the tests and at approximately equal intervals. In every case, a PM procedure was also assumed to occur during the refueling outage.

3.2 Standby Failure Model

Random events causing a dormant fail-to-open condition are assumed to occur between tests, while the breaker is in standby (i.e. closed and motionless; the adjective "standby" here addresses the critical mechanical components required to trip. The breaker is, however, electrically active).

The standby failure process may physically originate in such time-related degradation processes as the following:

- accumulation of dust
- deterioration or loss of lubricant due to vibration or flow
- corrosion

Randomly occurring external events may also be modeled as occurring at a constant rate over time. Degradation of the UVTA insulation with time and temperature might be added, although this does not appear relevant to the critical, fail-to-trip malfunction.

The basis of the mathematical model is the following idea of the standby failure process. The process at first causes no perceptible degradation. Eventually it proceeds to the extent that it causes the breaker to trip more slowly, but still within the required time. (This signals the need for preventive maintenance). Finally, the level of deterioration is reached at which the breaker opens erratically, it opens too slowly to meet its functional specification, or it completely fails to open. (The level of degradation required to defeat the shunt trip attachment function should be higher than for the UVTA because of its stronger impulse to the linkage).

It is reasonable to suppose that the probability of failure by these processes can, in the absence of human intervention, increase from a low initial level to the critical level. These processes are represented in either of two models.

I. Constant occurrence rate model

[ ]+a,c

II. [Weibull]+a,c occurrence rate model

[ ]+a,c

[Notation: F(t) is the cumulative distribution function, f(t) the density function and h(t) the hazard function, equivalent to the failure rate.]+a,c

The two models can be used together to represent a hazard rate which is non-zero initially and then increases with time:

[ ]+a,c

[ ]+a,c

3.2.1 Effects of Periodic Testing and Corrective Maintenance

The effects of standby system degradation depend on test policy. Without on-line testing, a standby failure may persist for long times, averaging about [ ]+a,c operating cycle. Thus, a fairly low standby failure rate multiplied by this long interval would produce a significant probability that the RTB might be unavailable at the time of a trip challenge.

The present model allows tests to be performed at a constant calendar-time interval specified as an input. Parametric values of the test interval are computed with the program and the resulting average RTB unavailability for a safety challenge is graphed as a function of test interval, allowing the minimum unavailability and associated test interval to be located by eye.

Any malfunction in standby is assumed to be detected in the next test and corrected; this choice is discussed below. No other maintenance is assumed to occur as a part of surveillance testing. Since the unit is always operable or restored to service following a test it remains "at risk" and can suffer the same malfunction again; thus the expected number of malfunctions in a periodically tested component is slightly greater than one would calculate in the absence of testing. To reiterate, without periodic inspection a standby equipment can fail only once, but with test and restoration to service it can fail more frequently, up to the number of tests. The ultimate purpose of testing of a standby safety component is not to prevent failures, but to avoid plant operation in the absence of a safety function, or with degraded redundancy in the function. In this context the occurrence of additional failures is immaterial. To illustrate this point, Table 3.1 shows the effect of periodic testing on the number of failures observed for a hypothetical component operating over a one year period.

In the example as we test more and more frequently the failure count increases toward the limit

[ ]+a,c

(The limit represents a system which is continuously monitored and repaired instantly. Although repair time removes the event from risk for, say, 10 hr, this effect is not significant, and was ignored in the development of the current model).

Table 3.2 repeats the hypothetical example but for a [ ]+a,c process with increasing failure rate. The effect of one test per operating cycle, as opposed to no testing, is in this case almost no increase in the number of failures (in the constant failure rate case there was a substantial increase). Here two processes are at work: (1) testing reveals failures, so that the unit is repaired and again put at risk and (2) the assumed failure rate is much higher in the second half year interval. In a [ ]+a,c process most failures will occur at long times. Thus the number of failures in the early intervals is small and the increase in number of failures due to restoring the units to service is very small also [ ]+a,c

Table 3.1
Effect of Periodic Testing on Number of Failures Observed in a Constant Failure Rate Process
Example data: [ ]+a,c
Calculation of number of failures: [ ]+a,c

Table 3.2
Effect of Periodic Testing on Number of Failures Observed in a [ ]+a,c Failure Process
Example data: [ ]+a,c
Calculation of number of failures in 1 year: [ ]+a,c
Notation: [ ]+a,c

3.2.2 Preventive Maintenance Effects

When a preventive maintenance act is performed, either during refueling or in an on-line PM act, we have simply assumed it to remove all degradation due to time-related failure processes. In effect, we replace the unit by brand-new equipment, as far as the time related degradation process is concerned; the long-range effects of wearout with cycling, which culminate in the eventual replacement of the RTB are assumed to be uninterrupted by an on-line PM act.

Performing PM has a beneficial effect where the time failure process is accelerating (rapid wearout), but has no effect if the failure rate is constant. In the latter case, a new unit is no better than an old one, so nothing is gained by replacement. At the expense of further model complexity and additional parameters to be estimated from test data, we could describe PM as removing some fraction less than [ ]+a,c of the accumulated degradation.

In the illustrative examples in Tables 3.1 and 3.2, the component saw only corrective maintenance, which restored it to its current working condition (i.e., not to "brand new" condition). Table 3.3 extends the example to show the effect of a single, fully effective PM act, showing a drastic reduction in the number of failures.
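The counting argument behind Tables 3.1 through 3.3, as an added example that is not part of the Westinghouse report. The report's example data and expressions are withheld, so the Weibull form used for the increasing-rate process, the parameter values and all function names below are assumptions chosen for illustration.

```python
import math


def cum_hazard(age, scale, shape):
    """Weibull cumulative hazard H(t) = (t/scale)**shape.

    shape = 1 gives a constant failure rate of 1/scale; shape > 1 gives a
    failure rate that increases with age. (Assumed form, not the report's.)
    """
    return (age / scale) ** shape


def expected_failures(period, n_intervals, scale, shape, pm_at_tests=()):
    """Expected number of standby failures found over `period`.

    The period is split into n_intervals equal test intervals. A standby
    failure stays hidden until the next test, so each interval contributes
    at most one failure. Corrective maintenance restores function but leaves
    the age unchanged; a PM act done together with test number k (k = 1 is
    the first on-line test) resets the age to zero.
    """
    dt = period / n_intervals
    age = 0.0
    total = 0.0
    for k in range(n_intervals):
        if k in pm_at_tests:
            age = 0.0  # fully effective PM: as good as new
        # Probability of failing in this interval, given operable at its start.
        dh = cum_hazard(age + dt, scale, shape) - cum_hazard(age, scale, shape)
        total += 1.0 - math.exp(-dh)
        age += dt
    return total


# Constructed example data: one-year period, time unit = years.
CONSTANT = dict(scale=1.0, shape=1.0)   # constant rate of 1 per year
WEAROUT = dict(scale=1.0, shape=4.0)    # failure rate rising with age

if __name__ == "__main__":
    for n in (1, 2, 12, 365):
        print(f"constant rate, {n:3d} interval(s): "
              f"{expected_failures(1.0, n, **CONSTANT):.3f}")
    print("wearout, no test      :",
          round(expected_failures(1.0, 1, **WEAROUT), 3))
    print("wearout, one test     :",
          round(expected_failures(1.0, 2, **WEAROUT), 3))
    print("wearout, test plus PM :",
          round(expected_failures(1.0, 2, pm_at_tests={1}, **WEAROUT), 3))
```

With these constructed values the constant-rate count rises from 0.63 with no test toward 1.0 as testing becomes more frequent, while the wearout case moves only from 0.63 to 0.67 with one test and falls to 0.12 when that test is combined with a PM act.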

1584v:1o/091388 16

WESTINGHOUSE PROPRIETARY CLASS 2

3.3 Demand Failures

The current model also permits failures to occur on demand. The probability of demand failure is assumed to depend on the cumulative cycles seen by the breaker. Again a [ ]+a,c process is assumed, with two distinct parameters (the scale and shape parameters [ ]+a,c). A range of typical shape parameters [ ]+a,c was tested, approximately typical of [ ]+a,c distributions fitted to mechanical equipment failure data.

The probability of failure on the N-th demand, given that the RTB was operable prior to the demand, is given by the expression,

[ ]+a,c

where

[ ]+a,c

The available data were considered insufficient to justify formally fitting [ ]+a,c parameters to the data; the selections used here were therefore guided by the data but were judgmental. Given a selection of the shape parameter [ ]+a,c, the scale parameter is determined by the assumed mean-cycles-to-failure, as shown above.

Table 3.3

Effects of Preventive Maintenance On Number of Failures Observed

Example Data

Same as Table 3.2.

Calculation of number of failures

[ ]+a,c

a) b) c)

Demand failure mechanisms cause failures in tests with a small probability. If it malfunctions, an RTB is out of service for a repair time, which contributes unavailability in the next test interval. Since the interval is on the order of [ ]+a,c, the unavailability (ratio of the repair time to the interval length) is small. When multiplied by the failure probability to obtain the expected unavailability per test, the contribution is relatively unimportant, as the curves in the Results section will show.

The dominant effect of a demand failure mechanism is the probability that on an actual trip challenge, the RTB may fail. The expected unavailability in this case is equal to the demand probability calculated from the above equation. As we do not scale by the ratio of repair time to test interval in this case, the demand failure probability contributes significantly to the total RTB expected unavailability.

3.4 Modeling Test-Induced Failures

In the present model, test cycles can cause failures but they are presumed to be detected immediately and repaired within a short time thereafter. The only effect of a test malfunction is thus a reasonably short outage time, say [ ]+a,c. Frequent testing tends to increase the number of these events, but the effect on breaker availability for a random safety challenge is small.

In some models, such as the [ ]+a,c, there are input options allowing a test to initiate, with specified probability, a failure which persists until it is detected at the next test. The unavailability resulting from such events would be large because the breaker is inoperative for a full test interval, say [ ]+a,c, rather than a short repair time.

The value of the test interval at which unavailability is minimized is unchanged by including the possibility of a test-induced, undetected failure*. A more important effect of test-induced failures than the location of the minimum is the higher unavailability, which, taken in combination with a target maximum value, might mandate more frequent testing. (In that event, the benefit of frequent testing would be to reduce other unavailability contributors like the standby failure mechanism, the contribution of test-induced failures being constant.)

Although it could be speculated on the basis of the above that test-caused, undetected failures might significantly affect the optimum test frequency, the events reviewed herein disclosed no data for such events. We see the breaker design as basically "fail-safe" against such human errors as, for example, failure to properly rack a breaker in to restore it to service following a test. No deterministic sequence was identified in which a breaker which had opened might then return to an inoperative condition as it was closed.

On the other hand, if a mechanical adjustment were made to the trip linkage following a test, an undetected failure could be initiated. It is crucial to the present analysis that all maintenance activities culminate in a test; this is specified by W in the RTB maintenance manuals.

* [ ]+a,c

4.0 DATA REDUCTION AND ANALYSIS

In this section we discuss the reduction of the compiled RTB data and its use to estimate the input parameters of the model.

4.1 Development of Failure Statistics

The database developed herein includes breaker malfunctions in periodic tests, actual automatic trips or maintenance/bench test cycles. Tabulations of reactor trip breaker events were made on a plant-by-plant basis. This information was developed primarily using the WOG questionnaire completed in the previous UVTA Reliability study (1). The events were classified into four categories: failure to close (FTC); failure to open (FTO); spurious opening (SO); spurious closure (SC); and basis for classification not available (N/A). (No physical basis for the SC mode is known; it was included only for completeness.)

[ ]+a,c events were recorded. Because of the trip breaker's critical function to drop the control rods on command, the failure-to-open events are the basis of the periodic test requirement and only these, which numbered [ ]+a,c, are relevant to this study. Also compiled were plant cumulative operating hours since the start of commercial operation, calendar hours since commercial, and total breaker cycles in test, maintenance or automatic trips. The cycles and hours are cumulative breaker operations and time, for all installed active breakers (normally two per plant).

A further breakdown of the FTO (fail-to-open) events was then attempted. The events are subdivided into four categories: time-related (T), demand-related (D), demand- and/or time-related (D/T), and not obviously related either to time or demand. The classification of an event as time- or demand-related was necessarily subjective in the absence of detailed descriptions of the physical basis of the degradation process. Of the [ ]+a,c FTO events, [ ]+a,c appeared to be primarily time-related. Since the presumed possibility of time-dependent breaker degradation modes is a prerequisite to obtaining any benefit from periodic testing, [ ]+a,c

Some interpretations were necessary; for example, when a UVTA was described as burning open (open-circuiting) during a test, the event was classified as a fail-to-close (FTC), since the breaker could not be returned to service by closing it. The occurrence of a UVTA open-circuit during normal operation would necessarily be revealed as a spurious trip.

No detailed investigation of root causes of failure was made, as only the time or demand dependence was relevant to this work.

4.2 Parameter Selection

The model developed for this study was purposely endowed with considerable flexibility in representing the failure process: two time-related wear processes [ ]+a,c may be used in any combination to describe failures in standby and in addition, a cyclic wear process is provided to describe the probability of failure on demand.

Since the classification of a FTO event as time- or demand-related is inevitably subjective, the approach taken here is to repeat the model calculation for a range of input parameters encompassing both extreme cases, i.e., all FTO events are caused by either cumulative time or cumulative cycles.

For either time or cycle related degradation processes one or two parameters must be specified, and in addition we specify

  no. of "on-line" PM renewals
  no. of cycles per test, per PM, and per refueling PM

Mean Cycles to Failure

The data compiled for breaker malfunctions in W-designed PWR's indicate [ ]+a,c failures to open in [ ]+a,c demands, or an apparent unavailability of

[ ]+a,c

In the calculation we lump all failure experience, which implies that the same inherent or population failure rate exists in all plants. While there is some evidence of plant-specific differences in RTB failure rate, we did not pursue the question of classifying plants according to special factors which might influence failure rate. Thus at this time the aggregation of all plant experience appears to be necessary. It is recognized that if plants with poor past experience were considered individually, relatively high failure rates might be developed, outside the parameter ranges developed here. Such experience is considered atypical, and particularly inappropriate to projections of future performance.

If the failure probability per cycle were constant, the "mean cycles to failure" (MCTF) would be

[ MCTF = ]+a,c

Most of the RTB's in the database were presumably conventionally maintained, so this is an order-of-magnitude estimate of the life of a breaker under a typical PM policy. Although the mean life would be much shorter in the absence of any PM, conceivably as low as [ ]+a,c cycles, breaker failure probabilities calculated with a MCTF this small lead to unrealistically high failure probabilities. To represent the typical plant, we adopted the value [ ]+a,c cycles, which returns a probability comparable to the [ ]+a,c cited above. We will show that the conclusions of this study are insensitive to this input value.

Mean Time to Failure

The cumulative experience in the sample was [ ]+a,c breaker calendar hours, leading to an alternative statistic when failures-to-open are postulated to occur in proportion to elapsed time between tests:

The reciprocal of this number represents the classical estimate of the mean time to failure (MTTF) under the assumption of a constant failure rate:

[ MTTF = ]+a,c

The failure count used here includes all malfunctions seen in bench testing and periodic testing as well as the very few which have occurred in non-test trip demands. Also conservatively included were [ ]+a,c events attributed by the utility as due to manufacturing design modifications have presumably addressed the causes of these events.

More importantly, the above calculation is extremely pessimistic (too low a value for MTTF) because it presumes that RTB's can fail to open as a consequence of time in standby, which is contradicted by the event descriptions, by expert opinion, and by data from breaker testing. The great majority of the failure event descriptions imply cyclic wearout as the chief cause of breaker malfunctions. Of the [ ]+a,c events in the failure-to-open category,

[ ]+a,c

Thus of the [ ]+a,c classified malfunctions, at least [ ]+a,c are of cyclic origin; if one considers events where the event characteristics are reported in detail, the causes are almost always related to wear (e.g., surface galling or abrasion). This suggests that a root cause analysis of the FTO events would support a cycle-related fraction closer to 100%; such an investigation is not within the scope of this study.

If the [ ]+a,c events tentatively assigned to the "time only" category are used to calculate the MTTF, the result is

[ MTTF = ]+a,c

While this value was used as a reference value in this study, the event classification leading to the denominator value is subjective. Accordingly, this MTTF was used only as a starting point, and a wide parametric range was investigated. The above MTTF is somewhat longer than the number used in previous risk evaluations. The point estimate failure rate used in the [ ]+a,c studies was [ ]+a,c and its reciprocal yields a MTTF of [ ]+a,c hr. The cited failure rate was described as representing all modes; since many of the events are non-relevant modes such as FTC, the rate appropriate to the FTO mode should be lower, and the higher MTTF value of [ ]+a,c hr is consistent.

Table 4.1 summarizes the parameter values used as model inputs in this investigation. The values indicated under "Reference" are merely central values chosen to produce RTB failure rates in general agreement with experience; they have no special significance: as will be shown in the next section, the principal findings of the study (namely, an optimum test interval approximating the current [ ]+a,c month interval and an optimum preventive maintenance policy of [ ]+a,c PM acts during operation) are insensitive to parameter variations within the indicated ranges.

Table 4.1

Input Data Used In This Study

Data Item                                    Reference Value    Parametric Values

                                             [ ]+a,c

Plant and RTB Data
  Calendar Time Between Refuelings
  Operating Time Between Refuelings
  Trips Per Year
  RTB Age, plant operating cycles
  RTB age, calendar years

Test Parameters
  Duration
  Breaker Cycles per Test
  Interval between Tests
  Failure Detection Probability
  Probability of Causing Undetected (i.e., persistent) Failure

Maintenance Parameters
  Preventive Maintenance On-line
  Preventive Maintenance In Refuel
  Duration
  Breaker Cycles per PM Act

Breaker Reliability Parameters
  Cyclic Failure Process
    Mean Cycles To Failure
    [ ]+a,c Parameter
  Time Failure Processes
    Constant Rate Component Mean Time To Failure
    [ ]+a,c Component Mean Time To Failure
    Shape Parameter
  Repair Time
  Repair Effectiveness

The historic average demand rate developed by information from the questionnaire completed by the WOG is [ ]+a,c cycles per year. Thus an indicated [ ]+a,c-cycle RTB design life objective would, under historic test conditions, have led to a mean time between replacements of [ ]+a,c calendar years or [ ]+a,c hours.

5.0 RESULTS

Parametric studies were made with reasonable variations about the parameter selections presented in Table 4.1. The primary quantity calculated in every instance is the probability that an isolated trip breaker will fail to trip on a random safety challenge. (The redundant system of trip breakers conventionally used would have a much lower unavailability.)

5.1 Effect Of Test Interval

Figure 5.1 shows the breaker unavailabilities obtained with test intervals ranging from [ ]+a,c mo. These correspond to a variation in the number of tests in a [ ]+a,c-mo. operating cycle (time between refuelings) of [ ]+a,c tests during operation. The figure is based on the Reference parameter selections given in Table 4.1.

The figure shows the contribution of four sources of unavailability, each curve representing the addition of its own source to that of the curves beneath it. From bottom to top, the sources and the magnitudes read off at the [ ]+a,c on the X-axis are as follows:

                                                           Incremental   Cumulative
Demand failure
Unavailability due to Test Time
Unavailability due to Unannounced Failure Between Tests
Unavailability due to Outage Time for Repairs

The first contributor represents a demand failure at the instant of a safety challenge. The remaining three are causes which disable the RTB before a safety demand occurs.

[Figure 5.1]

Note that a short test interval (frequent testing) tends to increase demand failure probability. This happens because the failure probability is modeled as increasing with accumulated cycles. With frequent testing, the RTB has a higher chance of demand failure, the impact being greater if the number of cycles per test is increased or if the RTB age is greater. (Here we assume [ ]+a,c cycles per test, and a breaker age of [ ]+a,c plant operating cycles or [ ]+a,c calendar years.) Although this is an important component numerically, it is rather insensitive to test interval and therefore does not control the location of the "optimum" test interval at which unavailability is minimized. The reason is that the cumulative number of breaker trips tends to be dominated by the [ ]+a,c trips accumulated during PM acts, which is assumed to occur in each refueling, even when no on-line PM is practiced. In addition, [ ]+a,c trips are incurred in each refueling cycle. At a [ ]+a,c test interval, each RTB sees only [ ]+a,c trips per year due to testing.

If a random safety demand occurs within the RTB test time, the consequence is a risk to the plant. The time required to perform the test ([ ]+a,c assumed typical) represents a significant unavailability cause since the RTB being tested is assumed here to be inoperable. (We do not follow the [ ]+a,c code option of permitting the RTB to return to service with some specified probability like [ ]+a,c if a trip demand originates during the test.) The test-caused unavailability is proportional to the number of tests and therefore increases significantly at short test intervals. Note that this component does not depend on breaker failure parameters at all.

Unannounced failures constitute the next failure source; these are failures occurring while the breaker is in service, but stationary. Recall that the failure mode of interest is a failure-to-open (FTO). Obviously, this event cannot be detected until a demand is made for the RTB to trip open. The actual failure initiation is, however, assumed to be a random function of time. This unavailability component is frequently calculated as a constant failure rate times one-half the test interval, yielding an unavailability proportional to the test interval duration. Although a more complicated failure process is modeled here, the basic trend is approximately a proportional increase with test interval length.

Note that the sum of all the components discussed thus far (shown as the third curve from the bottom) shows a shallow minimum at about [ ]+a,c months. Since the first curve (demand failure) was nearly flat, the location of the minimum is controlled by unavailability due to test time and by unavailability due to unannounced failure between tests. Both of these causes are relatively insensitive to the reliability parameters (MTTF's and b's). Therefore one would expect that the "optimum" test interval of about [ ]+a,c months would be relatively insensitive to the parameters. This is demonstrated below.

The final unavailability cause is repair outage time; we have assumed a constant repair time of [ ]+a,c hours for all malfunctions, whether occurring on a test demand or between tests. From the standpoint of plant protection, the plant is "at risk" for less than this time, since the Limiting Conditions for Operation may mandate a shutdown if the repair is not completed in some shorter time. The addition to the total unavailability is small and is not sensitive to the test interval.

The calculated breaker unavailabilities are not exactly comparable to the probability of finding an RTB inoperable in a test situation, since prior to the test demand, a full test interval will have elapsed, approximately doubling the unannounced failure component. If time-related failure causes are significant, one would expect that the true RTB unavailability for a random demand would be lower than the average historic test failure probability.

5.2 Effect of Preventive Maintenance

In Figure 5.2 we show the result of a similar calculation, but with a single preventive maintenance action taken midway through the [ ]+a,c operating cycle. The unavailability again attains a minimum value at a [ ]+a,c test interval, but the minimum is now [ ]+a,c. The demand failure source (lowest curve) is unchanged.

[Figure 5.2]

The next component, formerly just test time, is increased slightly to account for the extra outage time required for the PM procedure, here taken to be [ ]+a,c hr above that required for the accompanying test. This time, plus the assumed [ ]+a,c hr test time, equals [ ]+a,c hr, which is the maximum typically allowed. [ ]+a,c

Figure 5.3 shows the total unavailability calculated for [ ]+a,c PM acts per year. Note that the unavailability increases as more PM acts are performed.

[Figure 5.3]

The effects of performing a PM procedure as currently defined are threefold:

  [ ]+a,c hr outage time
  [ ]+a,c additional cycles
  restoration to new condition (reducing time-related failure rate).

Only the third effect is favorable and it is outweighed by the first two, which increase unavailability.

In this study it was assumed that the breaker was out of service without recall during a test or PM procedure. Since most W PWRs substitute bypass breakers for the tested breaker there is no system requirement that a breaker return to service upon safety challenge. (In the [ ]+a,c model a breaker can return to service during a test, but with a specified test override probability.) Thus test time has a significant effect on breaker unavailability although the RTB system is not affected substantially. (An analysis of the increased system failure probability is outside the defined scope of this work.)

The PM act is expected to include [ ]+a,c additional open/close cycles. Obviously, much of this testing could be regarded as simply additional surveillance testing.

The final effect of preventive maintenance is the intended function: to replace worn parts, clean and inspect the breaker. Since degradation is, by definition, noted and corrected, the component is restored to "good as new" condition. The restoration is here assumed to be confined to the time-related causes: dirt, accumulated test cycling wear. Long-range degradation modes, which eventually lead to replacement at [ ]+a,c cycles (equal to the plant design life objective in years) are beyond the scope of the periodic preventive maintenance procedure. Note in particular that if the time-related failure process has a constant failure rate, PM has no beneficial effect on failure rate and the associated unavailability effects driven by on-line failures (i.e., repair of time-related failures and unavailability due to unannounced, time-related failure).

A corollary to the preceding discussion is that increased RTB trip cycles during PM are detrimental. This is illustrated in Figure 5.4, which assumes one on-line PM procedure per operating/refueling cycle.
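The trade-off described in Sections 5.1 and 5.2, and the constant offset discussed in Section 5.5, as an added example that is not part of the report: it uses the constant-failure-rate approximation the text mentions (failure rate times one-half the test interval), not the report's withheld failure process. Every numeric value and every name below is a constructed placeholder.

```python
import math
from dataclasses import dataclass

HOURS_PER_MONTH = 730.0  # constructed conversion (8760 h / 12)


@dataclass(frozen=True)
class BreakerParams:
    """Inputs for one breaker. Every default is a constructed placeholder;
    the report's own inputs are withheld."""
    mttf_hours: float = 2.0e5            # standby mean time to failure (constant rate)
    test_hours: float = 2.0              # breaker treated as inoperable during a test
    repair_hours: float = 8.0            # constant repair time per malfunction
    demand_failure_prob: float = 1.0e-4  # held flat with respect to test interval
    pm_extra_hours: float = 4.0          # outage per on-line PM act beyond the test
    cycle_hours: float = 18 * HOURS_PER_MONTH  # operating time between refuelings
    undetected_prob: float = 0.0         # constant human-error term (Section 5.5)


def components(p, interval_hours, pm_acts=0):
    """Unavailability contributions at a given test interval (hours)."""
    if interval_hours <= p.test_hours:
        raise ValueError("test interval must exceed the test duration")
    lam = 1.0 / p.mttf_hours
    return {
        # Demand failure at the instant of the challenge (flat in this sketch).
        "demand": p.demand_failure_prob,
        # Proportional to the number of tests, plus outage for on-line PM acts.
        "test_time": p.test_hours / interval_hours
                     + pm_acts * p.pm_extra_hours / p.cycle_hours,
        # Constant failure rate times one-half the test interval.
        "unannounced": lam * interval_hours / 2.0,
        # Outage for repairing time-related failures.
        "repair": lam * p.repair_hours,
        # Failures found but not acted upon: independent of the interval.
        "undetected": p.undetected_prob,
    }


def total_unavailability(p, interval_hours, pm_acts=0):
    return sum(components(p, interval_hours, pm_acts).values())


def optimum_interval_hours(p):
    """Minimum of test_hours/T + T/(2*MTTF): T* = sqrt(2 * test_hours * MTTF).
    Only the two interval-dependent terms appear in the result."""
    return math.sqrt(2.0 * p.test_hours * p.mttf_hours)


def scan_optimum_hours(p, lo=100, hi=5000, pm_acts=0):
    """Brute-force check of the closed form on a one-hour grid."""
    return min(range(lo, hi + 1),
               key=lambda t: total_unavailability(p, t, pm_acts))


if __name__ == "__main__":
    base = BreakerParams()
    t_star = optimum_interval_hours(base)
    print(f"optimum interval: {t_star:.0f} h ({t_star / HOURS_PER_MONTH:.2f} mo)")
    for months in (0.5, 1, 2, 3, 6):
        t = months * HOURS_PER_MONTH
        parts = components(base, t)
        row = "  ".join(f"{k}={v:.2e}" for k, v in parts.items())
        print(f"{months:>4} mo  total={sum(parts.values()):.2e}  {row}")
```

With a constant failure rate, each on-line PM act only adds outage time in this sketch, which is the case the report describes as PM having no beneficial effect.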

5.3 Effect of Varying Time-Related Failure Parameters

Figure 5.5 shows the various computed effects for a time-related failure process with MTTF = [ ]+a,c. For a short MTTF (top curve) failures in standby are an important source of unavailability. Frequent testing detects these events before much time has elapsed, so that the curve increases with test interval. Longer MTTF's diminish the importance of unannounced failures and cause the minimum of the curve to move toward longer test intervals. The shape parameter used here [ ]+a,c tends to increase the importance of on-line PM, which is a conservative choice with respect to evaluating the need for on-line PM. If the factor were made equal to [ ]+a,c on-line PM would, by definition, have no effect and if it were [ ]+a,c on-line PM would degrade RTB availability. (In the latter case, "old" is better than "new".)

[Figure 5.4]

5.4 Effects of Cyclic Failure Parameters

The demand failure process is characterized by two parameters, MCTF and b_d. Figures 5.6 and 5.7 show the effect of variations in these parameters. Although the unavailability is increased if the RTB has a shorter life in cycles, the shape is unchanged and the minimum is primarily established by the time-related failure parameters. (Here, a MTTF of [ ]+a,c was used, which as shown in Figure 5.5, forces the minimum to occur at about [ ]+a,c.)

5.5 Effect of Imperfect Failure Detection

We have assumed that all malfunctions are detected in the present model. It is usually conceived that arrival of a causal factor is random in time, and upon arrival, renders the breaker unable to open on any subsequent trip demand. As a physical example, friction due to dirt or corrosion might accumulate to some level in the trip mechanism, such that the trip force is greater than the UVTA can provide. If we accept this model, which might be labeled "deterministic", we can identify no chain of events through which a breaker which has once entered the degraded state could pass the trip test. This is true because the actuation sequence from voltage reduction on the trip bus through opening the main contacts is the same for the test as for an actual challenge.

In [ ]+a,c human error is proposed as a cause of non-detection. Thus a failure-to-trip event might occur but not be acted upon, leaving the breaker failed until the next test. If, for example, we assign this human error a probability of [ ]+a,c the breaker would have an added unavailability of [ ]+a,c throughout the year, regardless of test interval.

While the inclusion of an arbitrary human error probability in the present model would not be difficult, its effect would only be to superimpose a constant additional standby unavailability component independent of test frequency (the test frequency and interval compensate as far as unannounced failures are concerned, as indicated in the footnote in Section 3.5).

[Figure: plot with axis label "Unavailability (for Random Demand)"; caption and plotted data not recoverable.]

[Figure: plot with axis label "Unavailability (for Random Demand)"; caption and plotted data not recoverable.]


5.6 Effect of Imperfect Maintenance

There is probably more chance for human errors of omission and commission in performing both repair and preventive maintenance than in a failure to detect and correct a problem. The impact of imperfect repair is similar in effect to increasing repair time. Thus if [ ]+a,c of corrective repairs following tests were hypothesized to leave the breaker inoperable, the breaker downtime for [ ]+a,c of the repairs will be [ ]+a,c hr, using the repair time selected for the present study. For the remaining [ ]+a,c of repairs, the downtime would extend to the next test. If, for example, the test interval were [ ]+a,c hr, the average downtime per failure would be

[ ]+a,c

Because there are few RTB malfunctions in tests, the contribution of the repair errors of omission to expected breaker unavailability is small (see difference of top two curves in Fig 5.1), even with the factor of [ ]+a,c increase in availability in this illustration. Thus, imperfect maintenance is a second-order effect.

The reason that imperfect maintenance causes little unavailability is that the breaker problem would normally be discovered by the next test. The review of events showed a very few instances where a failure to trip occurred, no cause was discovered, and a second failure occurred soon afterward. Here one is compelled to classify the event as an incomplete repair. Conceivably, the response of the trip mechanism may have a slightly random character. It is obviously good practice to continue a repair effort and testing until either a plausible cause is found or the breaker has operated reliably on UVTA actuation in repeated cycling. Again it is worth noting that the reliability of the RTB trip linkage under the relatively forceful STA actuation is probably much higher. As a consequence, neither imperfect repairs nor imperfect failure detection should be significant.

Since corrective maintenance is not applied after a successful test, we need not consider the possibility that a good unit might through human error be left inoperable. But what about preventive maintenance, both of the minor sort which might be done during a test, and the "on-line" and refueling maintenance acts which we have modeled explicitly? Now the breaker is (at least in theory) susceptible to degradation as the maintenance person cleans and adjusts it. Suppose, for example, that one "on-line" PM act were done per operating cycle, the operating part of the cycle is [ ]+a,c months, and breakers are left failed after PM at a frequency of [ ]+a,c. The result would be an expected downtime every cycle of

[ ]+a,c

where we assume a [2-mo = 1460]+a,c hr test interval. This sequence creates a small additional unannounced-failure downtime, which corresponds in unavailability terms to

[ ]+a,c

[ ]+a,c. The refueling PM might be equally error prone, doubling this small amount.

Although these unavailability quantities are not strictly negligible, the reason for not including maintenance-induced downtime in the analysis is simply that every corrective or preventive maintenance act is defined by procedures to end with a test, so that an error is discovered at once. (It is important that maintenance procedures emphasize that this be the invariable rule.) Since testing is performed periodically to minimize the impact of unannounced failures, there is no problem in scheduling each PM act prior to a test. On the basis of this reasoning, no test-induced failure probability was included in the present model.

6.0 SUMMARY AND CONCLUSIONS

6.1 Conclusions Regarding Test Frequency

A wide range of data interpretations tend to support the current practice of testing RTB's at [ ]+a,c month intervals. Simply stated, the event descriptions compiled herein do not support a time failure rate high enough to justify more frequent testing. At intervals shorter than [ ]+a,c months, breaker degradation due to excessive trip cycles and the test time unacceptably reduce breaker availability.

The concept of periodic testing of a standby equipment rests on the fundamental assumption that the equipment may malfunction (transition to a dormant inoperative state) while in standby as a result of some time-dependent cause. If this occurred, the equipment might remain inoperative for the entire [ ]+a,c-mo operating cycle if periodic testing were not exercised; the NRC regulatory position is that frequent testing must be done to minimize this possibility. The best information available presently suggests that the [ ]+a,c-month interval currently required in Technical Specifications is close to the optimum as calculated in this study.

The review of actual failure-to-open events conducted as part of this study shows very few which are plausibly classifiable as having originated due to the mere passage of time. (Even these few are, philosophically speaking, conjectural because the fact of a breaker's inoperability cannot be determined until the instant of a test demand.) Moreover, on physical grounds one expects any effect of standby time to be manifested jointly with the effects of cyclic wear mechanisms. If the [ ]+a,c events tentatively assigned to the time-related condition are used to calculate mean-time-to-failure, the result is [ ]+a,c hr. Model predictions with this MTTF indicate that periodic testing should be done at intervals of [ ]+a,c months, as noted above.

The unavailability of an isolated trip breaker (UVTA included), based on aggregate historical failure experience, is estimated here as [ ]+a,c/demand, if all failures to trip are presumed to be of cyclic origin. If all malfunctions were related to time, the failure rate is [ ]+a,c/hr. These are aggregate statistics, derived by combining all plant experience; individual plants may exhibit higher or lower failure probabilities. In addition, the trend has been to increasing reliability with service years, so the future RTB reliability should be higher than these numbers indicate.

The discussion above focussed on the test interval which minimizes unavailability. More precisely stated, the reliability objective ought to be to satisfy the required breaker availability. Changes in the breaker hardware, particularly the automation of the Shunt Trip Attachment, and improvements in UVTA design, test and maintenance procedures are being implemented which tend to increase RTB system availability. All other factors being equal, the required test interval could relax (increase) if the original reliability were regarded as adequate.

We advocate a reduction in the RTB cycles imposed during surveillance testing. Where the breaker cycles are a byproduct of sensor or logic testing, a search for alternative test strategies is an attractive area for industry consideration.

6.2 Conclusions Regarding Maintenance Practice

The practice of performing preventive maintenance while the plant is on-line is undesirable. If, as we assume and recommend, PM is also done during refueling, the additional on-line PM events (which are required following maintenance) increase total cycles and may aggravate RTB wear substantially, increasing the probability of malfunction on a safety demand. For operating cycles as long as [ ]+a,c months, our model suggests that nothing is gained by doing an on-line PM procedure as currently defined: that is, one entailing on the order of [ ]+a,c trip cycles. A corollary conclusion is that fewer RTB cycles should be a goal of utility maintenance procedures development.

7.0 RECOMMENDATIONS

(1) The present study generally confirms the practice of testing at a [ ]+a,c-month interval as maximizing RTB reliability for tripping upon safety demand. No relaxation to the Technical Specifications regarding test frequency can be justified on the basis of this study.

The appropriate test interval, as derived from the location of the minimum RTB unavailability, depends strongly on the assumed frequency of failure-to-open events caused by the passage of time (as opposed to demand stresses). Further study of the physical causes of RTB failure to trip may support longer intervals, but it is inherently difficult to distinguish whether a historic failure was time- or demand-related, so the relevant failure rate remains difficult to specify. While better understanding of the causes of RTB failure is obviously desirable as a general objective, no specific recommendation for further study is made here.

Note also that this study specifically considered an isolated breaker, rather than the redundant RTB system used in W NSSS designs. Reactor Protection Systems fault tree analysis, not included in the present work, might be employed as in the [ ]+a,c studies to demonstrate that a relaxation in testing (i.e., longer intervals between tests) taken in combination with the modification of the shunt trip attachment to act automatically would not increase risk. Likewise, it might be shown that the required unavailability can be met by testing at a longer interval than the interval corresponding to the minimum unavailability. A separate evaluation would be required to confirm that such relaxation is possible.

(2) Performance of Preventive Maintenance procedures other than in refueling is not conducive to high RTB availability. This conclusion is based on the PM act as currently defined: that is, one which entails many post-maintenance trip cycles.

It is recommended that the W RTB Maintenance Manuals specify that PM procedures, as currently defined, be limited to [ ]+a,c per refueling cycle, done during refueling.

(3) RTB trip cycles during PM procedures should be limited to the minimum number required.

(4) A corollary recommendation is that means of achieving RPS operability without requiring the currently high number of RTB trips [ ]+a,c should be explored. Many of these trips occur as a byproduct of sensor and logic testing; research into alternative ways of confirming the reliability of these components may be attractive as an industry goal.

(5) This investigation confirms the importance of concluding all PM work with at least one UVTA trip, as previously recommended.

8.0 REFERENCES

(1) Roberts, G. K., "Reliability Estimates of the UVTA's in RPS Trip Breakers", WCAP-10426 (January 1984)

(2) Jansen, R. L., L. M. Lijewski and R. J. Masarik, "Evaluation of Surveillance Frequencies and Out-of-Service Times for the Reactor Protection Information System", WCAP-10271 (January 1983)

(3) Chizmar, J. P. and D. N. Katz, "Report of the DB-50 RTB Shunt and Undervoltage Trip Attachments - Life Cycle Tests", WCAP-10852 (May 1985)

(4) Chizmar, J. P. and J. B. Reid, "Report of the DS-416 RTB Undervoltage and Shunt Trip Attachments - Life Cycle Tests", WCAP-10835 (May 1985)

(5) Jansen, R. L. et al, "Evaluation ... System - Supplement 1", WCAP-10271 Supplement 1 (July 1983)

(6) Andre, G. R. et al, "Evaluation ... System - Supplement 2", WCAP-10271, Supplement 2 (February 1986)

(7) Coleman, J. and J. Abrams, "Mathematical Model for Operation Readiness", J. Oper. Res. Soc. 10, p. 10 (1962)

(8) Jacobs, I. M., "Reliability of Engineering Safety Features as a Function of Testing Frequency", Nuclear Safety Vol. 9 (1968)

(9) Hirsch, H. M., "Methods for Calculating Safe Test Intervals and Allowable Repair Times for Engineered Safeguards Systems", G.E. Report NEDO-10739, Jan. 1973

(10) Chay, S. C. and M. Mazumdar, "Determination of Test Intervals in Certain Repairable Standby Systems", IEEE Trans. Reli. 3, pp. 201-205 (1975)

(11) Apostolakis, G. E. and P. P. Bansal, "Effect of Human Error on Availability of Periodically Inspected Redundant Systems", IEEE Trans. Reli. Vol. R-26, No. 3, August 1977

(12) Vesely, W. E. and F. F. Goldberg, "FRANTIC - A Computer Code for Time-Dependent Unavailability Analysis", NUREG-0193 (1977)

(13) Karimi, R., et al, "Nuclear Plant Reliability Analysis - Optimization of Test Intervals for Standby Systems in Nuclear Power Plants", MIT Energy Laboratory Report, MIT-EL 78-027, Nov. 1978

(14) Apostolakis, G. E. and T. L. Chu, "The Unavailability of Systems Under Periodic Test and Maintenance", Nuclear Tech. 50, pp. 5-15 (1980)

(15) McWilliams, T. P. and H. F. Martz, "Human Error Considerations and Annunciator Effects in Determining Optimal Test Intervals for Periodically Inspected Standby Systems", 1981 Proceedings Annual Reliability and Maintainability Symposium

(16) Vesely, W. E., et al, "FRANTIC II - A Computer Code for Time-Dependent Unavailability Analysis", NUREG/CR-1924, April 1981

(17) Ginzburg, T., J. M. Dickey and R. E. Hall, "Sensitivity Study Using the FRANTIC Code...", NUREG/CR-2542, Feb. 1982

(18) Vaurio, J. K., "Practical Availability Analysis of Standby Systems", pp. 125-131, 1982 Proceedings Annual Reliability and Maintainability Symposium

(19) Ginzburg, T., et al, "FRANTIC II Applications to Standby Safety Systems", NUREG/CR-3627, October 1982

(20) Enzinna, R. S., "Optimization of Reactor Trip System Intervals", Paper presented to the 1984 Reliability Conference for the Electric Power Industry