Nuclear Power Plant I

Type of neutron detector: Fission counter

Type of signal cable: Single and double shielded coaxial

Location of pulse preamplifier: At top of detector instrument well

Location of pulse amplifier: In amplifier cabinet at control room

Distance between pulse amplifier and preamplifier: 90 ft

Distance between neutron detector and preamplifier: 24 ft

Method of grounding: Multiple-point grounding system. Both the preamplifier and the amplifier are grounded to the building ground at the point of their installation. The signal-cable shield is grounded at the preamplifier and the amplifier. The neutron detector is grounded through the signal-cable shield back at the preamplifier.

Operating problems and modifications: During the initial installation period and preoperational testing of the neutron-monitoring system, noise in the start-up channels was prohibitive. Noise was reduced by replacing the RG-8/U single-shield coaxial cable with RG-71/U double-shield coaxial cable. Other noise problems caused by the operation of relays, motor starters, and switches were eliminated at the source. The switches and motor starters for the fission-chamber carts were a source of noise causing large transients in the start-up channels. Some problems were eliminated by installing filter capacitors across switches.

3. Preselection of a Basic System Configuration

The most effective reliability efforts are those expended during the preliminary design phase while the system configuration is being determined. During this period the reliability considerations can influence design decisions and ensure that the chosen configuration is one that can be developed to meet the reliability requirements. The process is an iterative one, with the designer continually looping back and trying different system configurations until all constraints are satisfied. At this time the principal effort is being expended at the drawing board. Errors of judgment may be corrected with an eraser instead of a jackhammer. Reliability considerations are not the only constraints imposed on the design. Other constraints include capability, size, shape, weight, cost, schedule, and customer preference, all of which must be adequately satisfied. Reliability analysis provides a disciplined framework within which the interplay of these constraints can be viewed with sharper perspective. Frequently the result is not only a more reliable system but also a better system as judged by all other applicable criteria.

In the preselection of a basic system configuration, the designer should (1) define success for the system, (2) establish adequate reliability goals, (3) propose alternate designs, and (4) evaluate the reliability potential for each design. These four tasks are discussed in the following sections.

(a) Defining “Success” for the System. The designer must know exactly what his system is expected to do. This may sound trite, but many a design has been impaired because the designer either did not fully know or perhaps had lost track of the real reason for having the system. The definition of success should include the environmental constraints in force and the length of time or the number of cycles the system is expected to endure. There may be two or more valid success definitions for the same system, each requiring a separate analysis.

For example, assume an instrumentation system associated with a set of isolation valves. There may be two definitions of success imposed, one for safety reasons and the other for operational or economic reasons.

Success #1: Given that the pipeline downstream of the isolation valve is broken (complete severance), the instrumentation system shall detect the resultant leak within 10 sec and signal the isolation valve to close.

Success #2: Given that the pipeline downstream of the isolation valve is not broken, the instrumentation shall not signal the isolation valve to close.

Operating conditions: The cable and detector environment is 120°F and 50% relative humidity prior to the break and 212°F and 100% relative humidity following the break. The instrumentation system is tested every 3 months and calibrated annually.

In every case the boundaries of the system under consideration must be explicitly defined. In the above example, it is intended that the valve itself be excluded. For this reason a transition point from the instrumentation system to the valve must be chosen so that every component or potential point of failure is certain to be included within one system or the other, but never both.

(b) Establishing Goals. The designer must have some measure of achievement for the reliability of his system. One simple and effective goal that has been used on critical systems for many years is the so-called “single-failure” criterion, namely, that the system shall fulfill its success definition in the event of failure of a single active component. Basically, this criterion has served the nuclear industry rather well in spite of some limitations. One limitation is that it is not readily adjustable to match the whole range of consequences of system failure. If the single-failure criterion were universally applied, a high-level warning instrument on a waste-water sump would need to be just as reliable as the reactor protection system, even though the consequences of failure are vastly different. In addition, the single-failure criterion does not adequately protect against multiple independent failures that are more probable than should be allowed. Despite its shortcomings, the single-failure criterion for all active components should be imposed as the minimum goal on all reactor instrumentation systems where safety and the potential for economic loss are important considerations.

The techniques of reliability analysis, properly applied, yield a numerical measure of the expected system reliability or availability. For this reason a numerical goal serves an especially useful purpose. Although such numerical goals are commonplace in the aerospace industry, they are only recently coming into use in the nuclear industry. A numerical goal can be established in any one of a number of ways.

1. Risk acceptance. Ideally the goal should be a function of the highest risk the public will accept in return for the benefits derived from nuclear power. Risk is defined as the product of the probability of failure and the consequences of that failure. The consequences may be measured on any convenient scale, such as dollars, curies of ¹³¹I, and injuries. Unfortunately this concept is not very far advanced and not universally accepted. However, an examination of some of its precepts does yield some insight into the relative reliability required for various systems.

2. Grandfather systems. Even though the nuclear industry is relatively young, there are some instrumentation systems that have gained wide acceptance for a given application and enjoy a reputation for being adequately reliable. A reliability analysis of one or more of these systems will yield a numerical result that should prove useful in establishing a realistic numerical goal for new systems.

3. Industry standard goals. Industry committees concerned with the safety of nuclear plants (see Chap. 12) are beginning to address themselves to the matter of goals. On the international scene, a goal of 10⁻⁵ probability of failure has been proposed for the reactor-protection-system scram function. The IEEE Nuclear Science Group Technical Committee on Standards (see Vol. 2, Chap. 14) has considered goals, but it is currently recommending that each designer set a goal to meet the particular need.4

(c) Proposing Alternate Designs. Before any attempt is made at a detailed design, a wide range of design alternates should be blocked out for evaluation. The instrumentation system must be considered as an integral and essential part of the overall functional system. In other words, instrumentation systems perform an essential service for the functional systems in the plant; instrumentation does not exist for its own sake.

For example, assume that the functional system is an emergency cooling loop. The engineer designing the functional system and the instrumentation engineer must work together to propose alternates, such as the following:

1. One loop, two 100% capacity pumps per loop.

2. One loop, three 50% capacity pumps per loop.

3. Two loops, one 100% capacity pump per loop.

4. Two loops, one 100% capacity pump per loop with a crosstie.

5. Two loops, one 50% capacity pump per loop plus one 50% capacity pump shared by both loops.

The list should be made as inclusive as possible so that no worthy configuration is omitted. All proposed alternate designs should pass the capability test before being evaluated for reliability or availability. Obviously the probability for system success can vary widely, depending on the system configuration. The instrumentation systems to start and stop the pumps and open and close valves are very different for the relatively few configurations cited.

(d) Evaluating the Reliability Potential for Each Design. It is not practical to perform a detailed design on each proposed system before making a selection that is based on, among other considerations, a detailed reliability analysis. Therefore it is particularly important that the proposed designs be carefully screened to eliminate those which do not have the potential for development into a system with adequate reliability.

The foregoing may be accomplished by adhering to the following discipline:

1. Construct a simple reliability model for each proposed design. The blocks from which the models are constructed should encompass as much of the system’s equipment as is reasonably possible. For example, a block called “pump” could effectively include the pump, its driving motor, coupling, and circuit breaker.

2. Use a consistent set of failure data throughout the comparative evaluations. Where failure-rate data have been reported, use them as a base, but do not hesitate to adjust them upward or downward to reflect best judgment, duty factors, or environmental conditions. Where failure-rate data do not exist, choose a value that reflects the best judgment of knowledgeable people in the field but use the same assumption consistently throughout the evaluation.

3. Reflect the expected operating conditions. If in one design certain components are exposed to environmental conditions more severe than normal, that design should be properly penalized by adjusting the failure rates upward by an appropriate K factor to reflect the higher level of imposed stress.

4. Allow each system proper credit for its compatibility with testing. In general, the unreliability of a component increases almost linearly with the interval between thorough tests. (See Fig. 11.4.) Therefore a component that is physically inaccessible for test except during a refueling shutdown should be penalized in comparison to one that is readily accessible and frequently tested.

5. Solve the models for a numerical index of reliability. If the model is really kept at its simplest level, the probabilistic solution should not be difficult. If the solution is difficult, concentrate first on simplifying the model to get an approximate solution rather than straining at the mathematics for these preliminary design evaluations.

6. Conduct sensitivity studies to identify the dominant components contributing to the unreliability of each system. This may be done by making a significant change in the assumed failure rate of a particular component and noting the change in the overall probability of system failure. Figure 11.2 shows a plot on a log-log scale of component unreliability vs. system unreliability. The reference or expected failure probability for component 1 is indicated by an arrow. Note that the arrow falls on the flat portion of the curve, indicating that this particular component does not contribute significantly to system unreliability. The reference value for component 2 is on the steep part of the curve, indicating that a change in failure rate here will have a dominant effect on system unreliability. Good safety design dictates that the overall system have a sufficiently low value of unreliability. Good economic design dictates that, in general, the least expensive components should not be dominant contributors to unreliability.

7. Redesign the proposed systems, as appropriate, to minimize the areas of apparent weakness revealed by the sensitivity analysis. This becomes an iterative process, but this is where the big payoff comes, in being able to bring quickly into focus the systems with the greatest potential for detailed design consideration.

8. Reexamine the final proposals to be sure that they satisfy all other operational and physical constraints that may be appropriate.

9. Select the one or two exploratory designs that show the greatest potential for maturing through a detailed design process and for adequately satisfying all constraints, including reliability.

Fig. 11.2—Sensitivity study of system failure vs. component failure.
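Steps 1 to 6 of the screening discipline above, applied to the five emergency-cooling alternates listed earlier, as an added example that is not part of the original text. The failure rates, the 3-month test interval, the K·λ·T/2 unavailability approximation, a crosstie that never fails, and loops that can each carry full flow are all assumptions made for illustration.

```python
"""Screening model for the five emergency-cooling alternates (added example)."""
from itertools import product
from math import log10

HOURS_PER_TEST = 2190.0   # assumed: thorough test every 3 months

# Constructed failure data (per hour), used consistently for every design.
FAILURE_RATE = {"pump": 1.0e-5,   # block = pump + motor + coupling + breaker
                "loop": 1.0e-7}   # block = piping and valves of one loop


def block_unavailability(rate, test_interval=HOURS_PER_TEST, k_factor=1.0):
    """Mean unavailability of a periodically tested block, K * rate * T / 2.

    Linear in the test interval; valid only while rate * T << 1 (assumption).
    """
    return min(1.0, k_factor * rate * test_interval / 2.0)


def at_least(n, *conditions):
    """True when at least n of the given conditions hold."""
    return sum(bool(c) for c in conditions) >= n


# Each design: ({block name: block type}, success(up) -> bool), where `up`
# maps block name -> True if that block works on demand. Success means
# 100% of the required flow is delivered.
DESIGNS = {
    "1: one loop, two 100% pumps": (
        {"L": "loop", "P1": "pump", "P2": "pump"},
        lambda up: up["L"] and (up["P1"] or up["P2"])),
    "2: one loop, three 50% pumps": (
        {"L": "loop", "P1": "pump", "P2": "pump", "P3": "pump"},
        lambda up: up["L"] and at_least(2, up["P1"], up["P2"], up["P3"])),
    "3: two loops, one 100% pump each": (
        {"LA": "loop", "LB": "loop", "PA": "pump", "PB": "pump"},
        lambda up: (up["LA"] and up["PA"]) or (up["LB"] and up["PB"])),
    "4: as 3, with crosstie": (
        {"LA": "loop", "LB": "loop", "PA": "pump", "PB": "pump"},
        lambda up: (up["LA"] or up["LB"]) and (up["PA"] or up["PB"])),
    "5: two loops, 50% pump each + shared 50% pump": (
        {"LA": "loop", "LB": "loop", "PA": "pump", "PB": "pump", "PS": "pump"},
        lambda up: at_least(2, up["LA"] and up["PA"], up["LB"] and up["PB"],
                            up["PS"] and (up["LA"] or up["LB"]))),
}


def system_unreliability(design, rates=FAILURE_RATE, k_factors=None):
    """Probability that the design fails its success definition on demand.

    Enumerates every up/down combination of the blocks, which are assumed
    statistically independent. k_factors maps block name -> stress penalty.
    """
    blocks, success = DESIGNS[design]
    k_factors = k_factors or {}
    q = {name: block_unavailability(rates[kind],
                                    k_factor=k_factors.get(name, 1.0))
         for name, kind in blocks.items()}
    total = 0.0
    for states in product((True, False), repeat=len(blocks)):
        up = dict(zip(blocks, states))
        if success(up):
            continue
        p = 1.0
        for name, works in up.items():
            p *= (1.0 - q[name]) if works else q[name]
        total += p
    return total


def sensitivity_slope(design, kind, factor=10.0):
    """Log-log slope of system unreliability vs. one block type's failure rate.

    Near 0: flat part of the curve (block is not dominant).
    Near 1 or above: steep part (block dominates system unreliability).
    """
    changed = dict(FAILURE_RATE, **{kind: FAILURE_RATE[kind] * factor})
    base = system_unreliability(design)
    return log10(system_unreliability(design, changed) / base) / log10(factor)


if __name__ == "__main__":
    for name in DESIGNS:
        print(f"{name:48s} Q={system_unreliability(name):.2e} "
              f"pump slope={sensitivity_slope(name, 'pump'):.2f} "
              f"loop slope={sensitivity_slope(name, 'loop'):.2f}")
```

With these constructed numbers the single shared loop dominates alternates 1 and 2, while in the crosstied alternate 4 the loop block sits on the flat part of the curve and the pump block on the steep part.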

11-3.3 Detailed System Design for Reliability

The proposed design or designs selected from the evaluations of reliability potential are subjected to detailed design. Components of known quality are selected and applied well within their rating for the expected environment. If a new component of unknown quality is to be applied, it may be appropriate to subject it to test, particularly if the assumed best judgment failure rate indicates (through the sensitivity study) that the component has a dominant influence on reliability.

In every possible way the designer must endeavor to emulate the model and to be certain that the boundary assumptions are satisfied. If the model assumes that the failure of one component or group of components is statistically independent of other failures, the designer should try to ensure that this is true. For example, if two channels of instrumentation are assumed to be independent, they should be so located that only a highly improbable event could disable both. The routing of signal cables and the location of power sources must be carefully considered. Historically, localized overheating and fire have been the two most common single-event failures that can cause other failures to be interdependent. Careful judgment is required to develop a design that gives a reasonable assurance that a fire can be controlled without transgressing the independence of channels.

The designer should also recognize that interdependence can creep in by inconspicuous routes. If the required level of reliability is such that redundancy is necessary, it may be appropriate to make the redundant channel different just to increase the likelihood that an unknown deficiency or inadequacy in one channel will not be repeated in the other. Frequently this can be accomplished by functional diversity; for example, one channel can monitor temperature and another pressure, either signal containing the desired information. Where functional diversity is not possible, equipment diversity may be used to good advantage. For example, pressure can be monitored by two sets of equipment that operate on two entirely different principles. Functional diversity is to be preferred because it almost automatically includes equipment diversity.

If the model assumes that the component failure rates are constant, the designer should be sure that the maintenance and replacement practices will not allow worn-out components to remain in the system. If the model assumes that some of the components are to be tested while the plant is in operation, the designer should be sure that adequate testing facilities are provided. If the system or portions of the system perform functions in addition to a safety-related task, the designer must ensure that these additional functions do not interfere with the model of the safety-related function.

Simple straightforward systems are easy to understand, easy to model, and tend to have high reliability. If a system is allowed to develop without the benefit of a model to emulate, the system can become complex and interwoven in such a way that modeling is extremely difficult and, intuitively, the whole system is suspect. A safe rule, then, is never design a system that cannot be reduced to a tractable reliability model.

Of course, the instrumentation system must still meet all its normal objectives of performance. The reliability discipline is simply superimposed on the usual detail design procedure. The concepts of reliable system design are not difficult nor are the associated mathematical relations. For this reason it is preferable that a designer with a good reputation for instrumentation design take on the disciplines of reliability engineering rather than interpose a reliability engineer as a series element in the design chain. A reliability engineer serves the highest purpose when used as a consultant and when he and the designer approach a problem with open minds and an honest desire to understand the system.


10-7.1 Reliability and Maintainability

The value of any instrumentation system is largely determined by its use factor, i.e., the amount of operating time compared to the amount of downtime attributable to instrument or component failure during normal operation of the system. The use factor is a function of both the reliability and maintainability of the instrumentation system. Reliability is concerned with the frequency of failure, whereas maintainability is concerned with the duration of failure (see Chap. 11).

Although in recent years gains have been made in component reliability, they have almost always been exceeded by increases in system complexity. With the certain evolution of MSI and LSI (medium-scale and large-scale integrated circuits), which will increase complexity on a component level without reducing reliability, systems reliability in the areas of total plant control and monitoring will begin to improve. Presently, the day of totally reliable, maintenance-free systems appears to be still in the future. This condition has forced the electronics industry to develop the technology of instrument and system maintainability. Although instrument manufacturers have always considered easy maintenance as a desirable feature, the complexities of today’s systems have dictated renewed interest and analysis. Achieving the shortest possible problem analysis and repair time (maintainability) should be considered one of the most important goals in equipment design and installation.

10-7.2 Reliability

Reliability is primarily a function of instrument and system design. However, two aspects of installation can affect reliability: the quality of materials and of workmanship (particularly in system and component interfacing and interconnection) and the operating environment.

Problems in the quality of installation can be minimized by the employment of highly qualified, competent labor and the use of highly reliable installation hardware. Using crimp-type terminals and connectors with the proper tooling greatly reduces termination problems. Installation plans with step checkoff sheets or diagrams can improve installation efficiency and accuracy.

Many reliability problems associated with installation are created by unsuitable environmental conditions. In determining how instruments, components, and systems are to be applied, the environmental parameters must be carefully considered during installation. The manufacturer’s recommendations concerning installation and operating conditions, such as temperature, humidity, cleanliness, electrostatic and magnetic fields, vibration, and nuclear radiation fields, must be given close attention. Where conditions exist that are contrary to those recommended, special packaging, cooling, etc., should be provided as required.

10-7.3 Installation for Maintainability

Assuming that all the equipment in the system is installed in accordance with the manufacturer’s recommendations, system performance now becomes a function of system maintainability.

(a) Unit Design and Equipment Spacing. Several factors must be considered in the design of the system installation. The type and location of the plant determines the availability of maintenance personnel. Space and access considerations for the physical layout of the plant are influenced by the number and type of operating personnel on site during operation and also the type of test equipment required for maintenance. Unit design is also affected by the general maintenance philosophy for each instrument or system, such as repair vs. replacement, components vs. modules, and on-line vs. off-line maintenance. This, in turn, is governed to a large extent by the availability of replacement parts.

(b) Cables and Connectors. When maintenance requires removal of the equipment from its operating configuration, the ease with which the removal is accomplished is a prime factor in successful maintenance. All cables and connectors should be installed for easy removal without the use of special tools. It should always be possible to remove equipment without disturbing the operation of adjacent equipment. Likewise, cables and connectors of the operating equipment should not interfere with the removal of the defective equipment. Connectors should be indexed and coded so that incorrect interconnection is virtually impossible.

(c) Displays for Maintenance. One of the quickest ways to determine maintenance requirements is through the use of a self-annunciating or display system. Where practical, this type of failure alarm system should be used. In instrumentation systems where self-checking is used, the installation of the display unit should blend as far as possible with the operational configuration of the system and should become conspicuous only when an alarm is actuated.

Nuclear Power Plant J

Type of neutron detector: BF3

Type of signal cable: Triaxial

Location of pulse preamplifier: In amplifier cabinet at control room

Location of pulse amplifier: In amplifier cabinet at control room

Distance between pulse amplifier and preamplifier: 2 ft

Distance between neutron detector and preamplifier: 225 ft

Method of grounding: A single-point grounding system is used. System ground is made at the amplifier cabinet. The signal cabling and neutron detector are insulated and floated above ground, being grounded at the amplifier cabinet. The inner shield of the triaxial cable is connected to one electrode of the neutron detector. The outer shield is connected to the case of the neutron detector. The two shields are grounded at the amplifier cabinet. The signal grounds in the preamplifier and amplifier are grounded at the amplifier cabinet. The amplifier cabinet is grounded to building ground through grounding cable and buses.

Operating problems and modifications: During the initial installation, it was discovered that the start-up channels were subject to transient noise problems from several systems throughout the reactor plant. The starting and stopping of cranes were a major source of noise. The noise problems were eliminated by installing capacitor filters across motor starters, relays, and switches. Some noise still remains in the system, but the level is not great enough to affect operation of the system.

Evaluation of the Design

(a) The Failure Modes and Effects Analysis (FMEA). The detailed design is followed by a detailed reliability evaluation. As a minimum the system must be subjected to an FMEA. This is a subjective and nonnumerical analysis that exposes potential failure points. The FMEA identifies every component in the system by component number and name. It lists the various modes in which the particular component would fail (open, short, closed, stuck, etc.) and lists the failure mechanisms that can induce a particular failure mode. It further identifies the relation a failed component has to system failure and to the failure of other systems.

A sample page of an FMEA is shown in Fig. 11.3. There are many variations of this form, and there should be no hesitation in adapting the form to suit each analysis. The primary function of the FMEA is to provide an understanding in depth of how the system reacts to all modes of component failure. It is particularly valuable in serving as evidence of conformity with the single-failure criterion. If only a minimum effort can be budgeted on reliability analysis, it is generally best spent on an FMEA.

The FMEA form also has space to develop information on failure rates, application factors, test intervals, and repair times in preparation for the more rigorous mathematical model of reliability or availability.

(b) Detailed Reliability Model. The designer now has the information at hand to conduct a more detailed reliability or availability analysis of the system. If the designer adheres closely to the framework of the original simple reliability model, the detailed model should generally be satisfied by the same skeletal block diagram, the exception being only in the number of blocks represented. Thus the final model should be just as tractable mathematically as the exploratory model on which the design is based. If it is not, the designer should examine the original assumptions, particularly the one on component or channel independence, to see if they have been violated.

The main value in performing the detailed reliability analysis is in making certain that some trivial component does not make an unexpected and unwarranted contribution to unreliability. If such a discovery is made, the problem can usually be rectified by the choice of a better component, more frequent and more thorough testing, or by the judicious use of redundant components.

When it has been determined that the contribution of a given component to unreliability is trivial, it may be eliminated from the model or lumped with associated components to simplify the computation.


Table 10.10 has been prepared as a summary of the material presented in this chapter. It is intended to furnish the reader with an easy reference on sound installation practices and problem areas in the installation of reactor instrumentation systems. Opinions on sound installation practices are diverse in the nuclear industry; however, the opinions expressed in Table 10.10 are shared by a majority of the people operating and maintaining nuclear power plants.

Table 10.10—Installation Practices for Reactor Instrumentation Systems









Use triaxial cables with a floating shield operated at a fixed potential

Use triaxial cable for low-level signals, such as from neutron detectors and ionization chambers

Provide easy access to the back of instruments behind the instrument panels

Mount all visually monitored instruments at or near eye level

Protect critical controls from accidental actuation

Ground all conduits to the main building ground bus

Drill drain holes in conduits at low points to allow water condensing inside to escape

Use covered wiring trays for power leads, and band all tray sections together

Provide adequate temperature-sensitive circuitry

Be sure that radiation detectors are not overheated by neutron heating, etc.

Pull cables by hand when possible to ensure that no problems exist which will cause the cable to stick

Terminate high-frequency cables properly to avoid end reflections and standing waves

Shield all noise-sensitive circuits from electrostatic as well as magnetic fields if magnetic fields are a problem

Use differential amplifiers to eliminate common-mode voltages and ground-loop problems

Use a sensor with a center tap where possible

Use a balanced-line shielded twisted pair of conductors for low-level signal transmission

Use high-impedance measuring circuits

Make certain the insulation is thoroughly stripped off wire before crimping on lug

Give installed connector a resistance and voltage test to assure proper operation

Reserve one side of terminal blocks for terminating field wiring

Use large-enough conductor to ensure proper grounding

Bond all racks and chassis together and to ground

Support cables and wires at several points

Install coaxial and triaxial signal cables in metal conduits

Keep switching command cables, such as those for relays, etc., isolated from low-level signals for detectors

Carefully inspect coaxial and triaxial cable installations and procedures to ensure work is properly done

Allow extra conductors in cables wherever practical for future expansion (10 to 15%)

Single-end ground spare shielded signal leads in a cable with the shield grounded at the opposite end

Provide terminal blocks with terminals adequately sized to handle the physical as well as the electrical requirements of both the interior and field wiring

Keep signal lead as short as possible

Use line filters and shielded transformers wherever necessary

Segregate loads on power lines so that motors, welders, and other machinery are not on the same line as instrumentation

Consider radiation environment as well as temperature, moisture, etc., when choosing cables

Don’t leave wire strands out of lug when crimping

Don’t use panel structural member as a ground conductor

Don’t use a common ground return wire for several relays

Don’t support cables and wires by terminations

Don’t install power cables in the same conduit as signal cables

Don’t think that all signal levels in instrumentation are the same and lump all the cables together

Don’t make coaxial cable out of triaxial cable by connecting both shields together

Don’t let cable “fill” in a conduit exceed 40% in initial installations

Don’t ground circuits at random places or allow them to become grounded unless a ground is called for

Don’t forget to mark each wire and cable with appropriate identification to assist in circuit tracing

Don’t use splices in signal leads

Don’t think interference won’t occur; it will

Don’t neglect to put interference suppressors on any sort of device that may generate interference, i.e., relays, motors, fluorescent lights, welders, and heaters

Don’t apply higher than rated voltages to coaxial and triaxial connectors



Quality Assurance and Reliability

Leland G. Marquis and Ivan M. Jacobs

11-1.1 Definition of Terms

Quality assurance comprises all those planned and systematic actions necessary to provide adequate confidence that a structure, system, or component will perform satisfactorily in service. Quality assurance includes quality control, which comprises those quality assurance actions related to the physical characteristics of materials, structures, or systems which provide a means to control their quality to predetermined requirements.

Reliability is the probability that a system, channel, or component will perform a specified function under given conditions for a specified period of time without failure. For instrument channels this probability is normally a function of time because few one-shot measurements are considered in nuclear power plants.

A product may meet all design specifications when first tested, but, if components of the product are overstressed, they will fail sooner than expected. As a result, a product that passes stringent quality-control requirements may not necessarily be reliable. This relation between the two terms should be kept in mind even though they are treated separately here.

10-1.2 Quality and Reliability Requirements in Reactor Instrumentation

In the past few years a great deal of effort has gone into the generation of definitive specifications, standards, and regulatory requirements concerning all aspects of quality for the purpose of establishing universal guidelines for all nuclear-reactor systems and components manufacturers and their vendors, as well as nuclear-reactor architect-engineers and owner/operators.

Those organizations and personnel concerned with design, construction, and operation of systems and components for domestic power plants are bound by the 18 quality-assurance criteria in Appendix B of Title 10, Part 50, in the Code of Federal Regulations. This document, which was promulgated by the AEC, has created an atmosphere within the nuclear energy industry of extreme concern for the quality of systems and components that are important to safety.

Another document, also issued by the AEC, but much more comprehensive, is the standard used by organizations and personnel concerned with reactor development and test facility projects. The objective of this document, RDT-F2 2T, Quality Assurance Program Requirements, “is to assure that structures, components, systems, and facilities are designed, developed, manufactured, constructed, operated, and maintained in compliance with established engineering criteria.”

Certain instrumentation devices, such as in-core detec­tors and penetration seals, which when placed into service become an integral part of a pressure boundary, are required to meet Sec III of the ASME Boiler and Pressure

Vessel Code, which addresses itself to Nuclear Power Plant Components Article NA-4000 of this section, titled Qual­ity Assurance, “sets forth the requirements for planning, managing, and conducting quality-assurance programs for controlling the quality of work performed under this section of the Code ”

In addition to the above-mentioned documents, the American National Standard Institute (ANSI), under the sponsorship of the ASME, is issuing a whole series of standards (N45 2 series) for the purpose of guiding organi­zations and personnel involved in design, construction, and operation of nuclear-power-plant systems and components in proper performance of the quality-related aspects of each phase of the total scope of activities

There has never been any question about the need for a high level of quality and reliability in nuclear instrumenta­tion, especially since it represents such a visible segment of the nuclear safety system These documents attempt to describe the contents of an acceptable quality-assurance program, and it is up to the industry to develop such a program and still remain competitive The remainder of this chapter endeavors to deal with this theme

Testing for Reliability

Instrumentation systems are characterized by two kinds of signals, analog and bistable. The analog portion of the system can usually be depended on to annunciate its faults by causing either a zero output or an off-scale reading. With the proper alarms, gross failures in the analog circuit can usually be detected immediately. The bistable portion of the circuit can usually be designed so that the most probable modes of failure are to the “safe” state. However, “fail-to-safe state” design is more of a design objective than an accomplished reality, and the only way one can be sure that a bistable device will successfully change state is to test it. Accordingly the designer should address himself faithfully to the special problems of testing.

(a) Thoroughness of Testing. The test should be thorough. The objective of the test is to ensure that the system still retains its original properties. The test must reflect the conditions that will exist when the instrumentation system is called on to function. For example, a bistable trip circuit should be tested by running the analog signal up to the trip level rather than dropping the trip level down to the normal operating point. The former proves that the analog signal will not saturate before it reaches the trip level.

If possible, a complete channel should be tested end to end with the real input parameter as the variable. For example, some designers arrange to squirt hot water on a temperature sensor to drive it past the alarm point, or, in other cases, there is a provision for removing a neutron shield from a neutron sensor to give it an up-scale signal. If it is not possible, for safety or practical reasons, to vary the real input parameter, then a substitute should be used which bridges the gap. For example, if it is not safe to reduce the flow down to the trip level, then a differential pressure signal may be substituted.

Instrumentation systems that must function while the reactor is operating should be tested while the reactor is operating. If a system is repaired or maintained while the reactor is shut down, it should be tested using substitute inputs before start-up and retested after start-up in its operational mode.

(b) Testing Redundant Systems. Redundancy in a system presents special problems for testing. The objective of redundancy is to provide a system that will continue to work in spite of the failure of a component. The redundancy tends to hide the failure, and, unless the test finds the first failure, the redundant system is not appreciably better than a nonredundant system.

The maximum benefit of redundancy is realized when the product of the failure rate λ and the test interval τ is kept small compared to unity. This principle is illustrated in Fig. 11.4, where the probability of failure is plotted as a function of λτ for a single and a dual (redundant) device. Note that if λτ is allowed to get too large, there is little advantage in redundancy.

Fig. 11.4—Probability of failure of single and dual (redundant) devices as a function of λτ. [From I. M. Jacobs, Safety-System Design Technology, Nucl. Safety, 6(9) 235 (Spring 1965).]

The ability to test should influence system design. In Fig. 11.5(a) redundancy is applied on the component level, i.e., each component is paralleled with a like component. If there is no opportunity to test or repair (e.g., in an unmanned satellite), component redundancy may have some advantages in higher reliability. However, component redundancy is difficult to test because the function is performed if either of the parallel components performs. Also, few components work compatibly in parallel without some special provisions to get them to share the load, and there are likely to be single-failure modes that fail both components.

The system redundancy shown in Fig. 11.5(b) is amenable to test because each channel can be tested independently and the first failure can be found on test. In addition, the two channels can be physically and electrically isolated from each other, and single-failure modes are minimized. System redundancy is the preferred design mode. Component redundancy should be used sparingly and only to bolster the reliability of one component in an otherwise strong chain.

Fig. 11.5—Component (a) vs. system (b) redundancy.

(c) Staggered Tests. If there are multiple channels of instrumentation performing the same function in a redundant manner, there is an advantage to be gained in staggering the tests. For example, in a three-channel system scheduled for quarterly test, one channel should be tested each month. If the three channels comprise a one-out-of-three system, staggering the tests reduces the predicted unavailability to one-third that which would accrue for simultaneous testing. The higher the level of redundancy, the greater the benefits of staggered tests.

Table 11.6 shows the unannounced unavailability of various logic configurations for three different schedules of testing. Note that random testing [calculated by the methods of Sec. 11-3.6(f)] yields a result that is intermediate between simultaneous and perfectly staggered testing.

Table 11.6—Unavailability as a Function of Logic Configuration and Testing Schedule

[Table 11.6 body not recoverable: unannounced unavailability, in terms of λ and τ, for each logic configuration under simultaneous, perfectly staggered,* and random† testing.]

*Derived from A. E. Green and A. J. Bourne, Safety Assessment with Reference to Automatic Protective Systems for Nuclear Reactors, British Report AHSB(S)R-117(Pt. 2).

†Derived from Sec. 11-3.6(f) of this chapter.

Another more subtle benefit of staggered testing should be noted. If all tests are run simultaneously, i.e., one test immediately following another, there is increased opportunity for human error. Suppose, for example, that the technician systematically reads the wrong scale on the calibration instrument and sets all channels to a low gain, rendering them unsafe. If he proceeds directly from one test to the next, he is much more likely to repeat such an error on all channels than if the tests are spaced days apart.
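The effect of λτ on redundancy in (b) and the one-third figure for staggered testing in (c) can be checked numerically. The following is an added example, not taken from the handbook: it averages the unavailability of k-out-of-n trip logic over one test interval, assuming a constant unsafe-failure rate λ per channel, independent channels, and tests that are instantaneous and perfect. The function names are hypothetical.

```python
import math

def failed_fraction(lam, age):
    """Probability that a channel has failed unsafe `age` hours after its last test
    (assumed model: constant failure rate lam, test restores the channel fully)."""
    return 1.0 - math.exp(-lam * age)

def logic_unavailable(q, k):
    """Probability that k-out-of-n trip logic cannot trip.

    q[i] is the probability that channel i is failed; channels are independent.
    The logic needs k working channels, so it is lost once more than n - k failed.
    """
    n = len(q)
    dist = [1.0] + [0.0] * n              # dist[j] = P(exactly j channels failed)
    for qi in q:
        for j in range(n, 0, -1):         # update high to low so dist[j-1] is still old
            dist[j] = dist[j] * (1.0 - qi) + dist[j - 1] * qi
        dist[0] *= (1.0 - qi)
    return sum(dist[n - k + 1:])

def mean_unavailability(lam, tau, n, k, staggered, steps_per_channel=1200):
    """Unavailability of k-out-of-n logic averaged over one test interval tau.

    staggered=False: all n channels are tested together every tau.
    staggered=True:  channel i is tested at offset i*tau/n (perfectly staggered).
    """
    offsets = [i * tau / n if staggered else 0.0 for i in range(n)]
    steps = steps_per_channel * n          # grid lines fall exactly on the test times
    dt = tau / steps
    total = 0.0
    for s in range(steps):
        now = (s + 0.5) * dt               # midpoint rule
        ages = [(now - off) % tau for off in offsets]
        total += logic_unavailable([failed_fraction(lam, a) for a in ages], k)
    return total / steps

if __name__ == "__main__":
    lam, tau = 1.0e-6, 2190.0              # constructed values: per-hour rate, quarterly test
    x = lam * tau
    print(f"lambda*tau = {x:.5f}")
    for n, k in [(1, 1), (2, 1), (3, 1), (3, 2)]:
        sim = mean_unavailability(lam, tau, n, k, staggered=False)
        stag = mean_unavailability(lam, tau, n, k, staggered=True)
        print(f"{k}-out-of-{n}: simultaneous {sim:.3e}  staggered {stag:.3e}  "
              f"ratio {stag / sim:.3f}")
    # Redundancy pays only while lambda*tau is small compared to unity.
    for lam_tau in (0.01, 0.1, 1.0, 5.0):
        single = mean_unavailability(lam_tau, 1.0, 1, 1, False)
        dual = mean_unavailability(lam_tau, 1.0, 2, 1, False)
        print(f"lambda*tau = {lam_tau:<4}: dual/single unavailability = {dual / single:.3f}")
```

For small λτ the printed ratios approach 1/3 for one-out-of-three logic, and the dual/single ratio climbs toward 1 as λτ grows.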

(d) Provisions for Testing. The designer should anticipate the needs for testing and make appropriate provisions. If the test must be performed frequently, some built-in arrangements may be in order. If the test is simple and is performed infrequently, it may be more appropriate for the one performing the test to implement the test provisions. In any event the designer must be certain that the test can be run and that the test gear does not interfere with the ability of the system to perform its intended function.

If standard test-signal emitters are built into a channel, procedures should call for a regular cross calibration with another standard to ensure that the built-in standard remains within tolerance. If switches are built in to facilitate testing, an alarm should be initiated if the switches are not restored to “normal” before returning the channel to operation.

Observing the response of the channel to normal process variability and cross comparing with other channels monitoring the same variable is a very convincing test for the analog portions of an instrumentation channel.

Automatic testing provisions are sometimes used in reactor protection systems. These have two primary advantages:

1. The interval between tests can be reduced considerably with a corresponding reduction in system unavailability.

2. The automatic testing system can be designed to be a diagnostic help in troubleshooting.

These benefits should be balanced carefully against the disadvantages:

1. Extreme care must be exercised to ensure that a common-failure mode is not introduced in otherwise independent channels.

2. It must be demonstrated conclusively that the automatic test signal (frequently a pulse train) has the same effect on the circuit output device as a bona fide trip signal, which may build up slowly and sustain itself much longer.

3. The automatic test must encompass the whole channel, from sensor to channel output, and be thorough in discovering failures. This presents some difficulty for the tester, especially if a portion of the channel is analog in nature.

(e) Setting the Test Interval. Several factors must be considered in setting the time interval between tests. Tests spaced too far apart may allow unsafe failures to accumulate. On the other hand, tests conducted too frequently can become a burden on the plant operator if they do not truly enhance safety. The designer should consider the following factors in making the test interval a viable part of his design:

1. The tests should be made frequently enough so that the system will meet its design goal. In fact, one way to increase or decrease the availability of a system is to alter the test interval.

2. The tests should not be scheduled as “busy” work at an unrealistically short interval lest the tester lose his respect for the test and become negligent.

3. Only failure modes that are primarily time dependent need be considered in setting the test interval. For example, it is futile to test for a failure that occurs only as a result of the stress of initiating the test.

4. Wear-out due to testing should be a consideration, and, if it is necessary for the sake of safety to test so often that wear-out could be a problem, provisions must be made to monitor the component failure rates carefully and renew the components before they deteriorate to too low a level.

5. If a channel must be bypassed while it undergoes test, then the interval between tests (τ) should not be so short that the unavailability due to being bypassed is higher than the expected unavailability due to unsafe failures. For a single channel there is an optimum test interval. If the expected channel unsafe failure rate is λ and the time required to perform the test is t, the optimum test interval for highest availability is given by the expression⁵


In no case is it of benefit to test more often. The preceding expression does not hold for a redundant or majority logic system, there being no true optimum. However, negligible benefits are derived from testing the individual channels of a redundant system more often than is indicated by Eq. 11.2.

Nuclear Power Plant A

Type of neutron detector Fission counter

Type of signal cable RG-71/U double shielded

Location of pulse preamplifier Near loading-face shield at top of detector wells

Location of pulse amplifier In amplifier cabinet at control room

Distance between pulse amplifier and preamplifier Approximately 120 ft

Distance between neutron detector and preamplifier Approximately 28 ft

Method of grounding Multiple-point grounding system. Both the preamplifier and amplifier are grounded to the building ground at the point of their installation. The signal-cable shield is grounded at the preamplifier and the amplifier. The neutron detector is grounded through the signal-cable shield back at the preamplifier.

Operating problems and modifications During the first year of operation, it was noted that the excessive noise was eliminated by adjustment of the discriminator threshold bias control on the pulse amplifier. Toward the end of the first year of operation, the noise became so excessive that other methods were required to correct the problem. Examination disclosed that a No. 8 conductor was installed between the preamplifier and amplifier cabinets to establish building grounds between these units. The conductor resistance measured greater than 3 ohms. Ground circulation currents caused by an excessive pickup of r-f noise from a-c and d-c machinery throughout the reactor building produced an emf across the grounding conductor. The emf modulated the signal to the amplifier cabinet, causing excessive noise in the neutron-monitoring channels. This source of noise was eliminated by removing the No. 8 conductor and installing two No. 2/0 grounding conductors in its place.

Other shielding problems Noise showed up in the automatic servo-control system during the first year of operation. Examination disclosed that a shield on a multiconductor shielded cable had not been terminated to ground by the construction contractor. The problem was corrected by properly terminating the shield to the reactor building ground.


11-2.1 Fundamentals of Quality Assurance

Industrial quality assurance has evolved from a policing function, consisting of final inspection and test, to a defect-prevention system that begins with product conception and ends only when that product has satisfactorily fulfilled its intended function.

At some quality level the balance between cost of failure and the cost of prevention and appraisal will be at a minimum. A successful quality system operates at or near that level. In the nuclear industry the quality level must be higher than in most industries; this tends to result in higher costs for quality assurance.

In specialized industries, such as those producing manned space vehicles and nuclear reactors, the level of quality has been set more by reliability requirements than by cost considerations. However, as competition in the nuclear industry increases and as competition between nuclear energy and other energy sources increases, quality systems in the nuclear industry will have to meet plant safety and performance requirements at reasonable cost.

(a) Modern Quality Systems. Modern quality systems prevent defects and substandard workmanship by exercising controls over design, materials, processes, and products at the appropriate place in the product cycle. All modern quality systems contain three basic elements: design control, materials control, and process and product control.

Design control consists in the preproduction efforts of Design Engineering, Manufacturing Engineering, and Quality-Control Engineering* in developing a design and production and test methods that will ensure with a high degree of confidence that a quality product can be built and sold for reasonable profit to a customer who will accept the product and remain satisfied over its expected life. Design control must be a joint effort of the three groups. Properly conducted design reviews are essential during this phase.

Materials control consists in the preproduction efforts of Quality Assurance, Materials, and Purchasing. Quality Assurance must evaluate the vendor’s capability to perform and must ensure that quality requirements are included with purchase orders. In addition, incoming material must be tested or inspected on a statistically valid basis. An objective in materials control is to establish a certification program that puts the burden of quality control on the vendor rather than on Receiving Inspection. This is essential for products that will be shipped directly to a site. Materials control becomes extremely important whenever Boiler Code materials are involved. Such materials must be traceable to their original heat number regardless of the state of manufacture. This is accomplished by such techniques as color coding, electroetching, and tagging or by the use of move tickets, depending on the state of completion of the part. All materials, whether raw stock or finished goods, must be controlled by Materials, and these controls should be audited periodically to ensure that they are being followed.

Process and product control consists in the evaluation and control of manufacturing facilities (whether skilled workers or production machines) and the inspection and test of the product to ensure that the product meets all engineering specifications and quality standards. Once control of manufacturing facilities has been accomplished through planning and the development of manufacturing and inspection or test equipment, training of operators, etc., process and product control must be maintained by implementing the quality plan. This plan may require audits, automatic test, continuous sampling, or roving inspection. It will specify the points in the manufacturing cycle where certain inspection or tests, or both, are necessary, the records to be kept, control charts, calibration and maintenance schedules of critical equipment, special handling techniques, etc. Finally, there will be final inspection or tests, or both, to be performed and possible special packaging instructions and inspections to be performed at the site in many cases.

(b) Justification of the Quality System. Since about 1950 most companies have incorporated a quality system containing the basic elements. Given the talent, quality costs have been significantly reduced following the initial costs of putting the system in operation. Costs have been reduced because the production lines have produced less scrap and customers have returned fewer goods or demanded less service. The savings have more than paid for increased staff. Savings have also been realized by reducing the number of policing inspectors and testers. This reduction has been made possible by detailed planning of inspection and testing and by using automated test equipment. Cost savings have been experienced by large and small concerns, whether production-line or job-shop oriented.

*Initial capitals are used in referring to groups in the industrial organization that is designing and manufacturing the product.

Positive side effects have been experienced following the institution of a well-planned quality system: improved product design, better processes, and the development of quality mindedness in the production and engineering forces. It is especially important that such systems be set up in the nuclear instrumentation industry and that the industry be organized in such a way as to foster the philosophy of total quality control. The difficult, but not impossible, goal of increasing quality levels while reducing quality costs can be achieved when this happens.

(c) Organization of the Quality System. The staffing of an organization to implement and operate a modern quality system depends on the size and resources of the company. The number of engineers and test and inspection supervisors depends on three factors: volume, variety, and complexity of product. In brief, one or more quality control engineers, process-control engineers, test-equipment engineers, foremen, planners, inspectors, and testers are necessary. In a small organization the process-control engineer can double as foreman, the quality-control engineer can do planning and specify commercially available test equipment, and inspector-testers can combine those two functions. The quality-control engineer participates in design control, writes quality plans, including inspection and test instructions for a given product, evaluates vendor’s performance data, analyzes process and product measurements and product service reports, and applies the results to prevent poor-quality material and products in future purchases and production. The process-control engineer is responsible for implementing the quality-control engineer’s quality plan (including control of incoming materials, processing equipment, and inspection or test equipment). He should be the leader in solving technical quality problems in the manufacturing area.

Since this chapter is intended to detail quality assurance of nuclear instrumentation systems, the foregoing summary of a quality system and its staffing must suffice. For additional information the reader is referred to Refs. 1 to 3.

(d) Special Aspects of Reactor Instrumentation Quality Control. Nuclear sensors are used to detect the presence and amount (intensity and energy) of neutrons and gammas (see Chaps. 2 and 3). Sensors that are located in the nuclear-reactor core are considered an integral part of the pressure vessel and therefore fall within the scope of the ASME Boiler and Pressure Vessel Code. As a consequence, manufacturing procedures and quality control of these sensors are stringent. Many of the processes used in the manufacture of in-core sensors are peculiar to that product (e.g., uranium and boron coating of electrodes, casting metal to ceramics, outgassing and backfilling with special mixtures, and pressures and purities of fill gases). In-process quality control procedures rely heavily on mechanical inspection techniques, especially where mechanical tolerances are critical. Helium mass-spectrometer leak testing is important after enclosure welds are made, and insulation-resistance checks are very important wherever parts are mechanically and electrically isolated from each other. Final test and inspection depends on the end use. Actual end-use operating conditions should be simulated as closely as is economically feasible.

Nuclear-reactor readout instruments can be classified as any electronic system that accepts a signal from a nuclear sensor and converts it to usable information. Formerly, this category was normally typified by rack-mounted equipment. However, recently the trend has been to integrate various instrumentation functions directly into panels and consoles; this has necessitated drastic changes in the in-process quality control. With rack-mounted instruments, there are usually printed wire boards to be checked out either as boards or as a part of a system. Obviously the quality of work by personnel who solder components or attach leads to the boards or to instrument chassis must be very high and should be monitored at carefully chosen points in the manufacturing cycle. Quality-control problems are different from those involved in sensor manufacturing.

Nuclear instrumentation systems can be classified as a group of instruments, including sensors, that together perform a specific function, such as the reactor protection system, the neutron monitoring system, the off-gas monitoring system, the rod control system, or the area monitoring system. Usually such systems are housed in one or two panels or a panel and a console so that systems check-out can be made without having to interconnect more than two panels. These panels may house a multitude of instruments, or they may house switches, relays, and meters. The degree to which in-process check-out (continuity, insulation, etc.) can be effected is determined by the configuration of the panel.

Peripheral equipment is a catch-all term for the essential equipment involved in interfacing sensors and reactors or instruments. It includes drive mechanisms, penetration seals, etc., and must be treated individually since each piece of equipment has its own peculiar problems.