Testing for Reliability

Instrumentation systems are characterized by two kinds of signals, analog and bistable. The analog portion of the system can usually be depended on to annunciate its faults by causing either a zero output or an off-scale reading. With the proper alarms, gross failures in the analog circuit can usually be detected immediately. The bistable portion of the circuit can usually be designed so that the most probable modes of failure are to the “safe” state. However, “fail-to-safe state” design is more of a design objective than an accomplished reality, and the only way one can be sure that a bistable device will successfully change state is to test it. Accordingly the designer should address himself faithfully to the special problems of testing.

(a) Thoroughness of Testing. The test should be thorough. The objective of the test is to ensure that the system still retains its original properties. The test must reflect the conditions that will exist when the instrumentation system is called on to function. For example, a bistable trip circuit should be tested by running the analog signal up to the trip level rather than dropping the trip level down to the normal operating point. The former proves that the analog signal will not saturate before it reaches the trip level.

If possible, a complete channel should be tested end to end with the real input parameter as the variable. For example, some designers arrange to squirt hot water on a temperature sensor to drive it past the alarm point, or, in other cases, there is a provision for removing a neutron shield from a neutron sensor to give it an up-scale signal. If it is not possible, for safety or practical reasons, to vary the real input parameter, then a substitute should be used which bridges the gap. For example, if it is not safe to reduce the flow down to the trip level, then a differential pressure signal may be substituted.

Instrumentation systems that must function while the reactor is operating should be tested while the reactor is operating. If a system is repaired or maintained while the reactor is shut down, it should be tested using substitute inputs before start-up and retested after start-up in its operational mode.

(b) Testing Redundant Systems. Redundancy in a system presents special problems for testing. The objective of redundancy is to provide a system that will continue to work in spite of the failure of a component. The redundancy tends to hide the failure, and, unless the test finds the first failure, the redundant system is not appreciably better than a nonredundant system.

The maximum benefit of redundancy is realized when the product of the failure rate λ and the test interval τ is kept small compared to unity. This principle is illustrated in Fig. 11.4, where the probability of failure is plotted as a function of λτ for a single and a dual (redundant) device. Note that if λτ is allowed to get too large, there is little advantage in redundancy.

Fig. 11.4—Probability of failure of single and dual (redundant) devices as a function of λτ. [From I. M. Jacobs, Safety-System Design Technology, Nucl. Safety, 6(9): 235 (Spring 1965).]

The ability to test should influence system design. In Fig. 11.5(a) redundancy is applied on the component level, i.e., each component is paralleled with a like component. If there is no opportunity to test or repair (e.g., in an unmanned satellite), component redundancy may have some advantages in higher reliability. However, component redundancy is difficult to test because the function is performed if either of the parallel components performs. Also, few components work compatibly in parallel without some special provisions to get them to share the load, and there are likely to be single-failure modes that fail both components.

The system redundancy shown in Fig. 11.5(b) is amenable to test because each channel can be tested independently and the first failure can be found on test. In addition, the two channels can be physically and electrically isolated from each other, and single-failure modes are minimized. System redundancy is the preferred design mode. Component redundancy should be used sparingly and only to bolster the reliability of one component in an otherwise strong chain.

Fig. 11.5—Component (a) vs. system (b) redundancy

(c) Staggered Tests. If there are multiple channels of instrumentation performing the same function in a redundant manner, there is an advantage to be gained in staggering the tests. For example, in a three-channel system scheduled for quarterly test, one channel should be tested each month. If the three channels comprise a one-out-of-three system, staggering the tests reduces the predicted unavailability to one-third that which would accrue for simultaneous testing. The higher the level of redundancy, the greater the benefits of staggered tests.

Table 11.6 shows the unannounced unavailability of various logic configurations for three different schedules of testing. Note that random testing [calculated by the methods of Sec. 11-3.6(f)] yields a result that is intermediate between simultaneous and perfectly staggered testing.

Table 11.6—Unavailability as a Function of Logic Configuration and Testing Schedule

                          Unannounced unavailability
Logic    Simultaneous testing*    Random testing†    Perfectly staggered testing*
1/2      (1/3)λ²τ²                (1/4)λ²τ²          (5/24)λ²τ²
2/2      λτ                       λτ                 λτ
1/3      (1/4)λ³τ³                (1/8)λ³τ³          (1/12)λ³τ³
2/3      λ²τ²                     (3/4)λ²τ²          (2/3)λ²τ²
3/3      (3/2)λτ                  (3/2)λτ            (3/2)λτ
1/4      (1/5)λ⁴τ⁴                (1/16)λ⁴τ⁴         (251/7680)λ⁴τ⁴
2/4      λ³τ³                     (1/2)λ³τ³          (3/8)λ³τ³
3/4      2λ²τ²                    (3/2)λ²τ²          (11/8)λ²τ²

*Derived from A. E. Green and A. J. Bourne, Safety Assessment with Reference to Automatic Protective Systems for Nuclear Reactors, British Report AHSB(S)R-117 (Pt. 2).
†Derived from Sec. 11-3.6(f) of this chapter.
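As an added example (not from the handbook), the script below reproduces the Table 11.6 coefficients by time-averaging the leading-order unavailability of an m-out-of-n trip logic over one test cycle for each schedule. It assumes a channel's unsafe-failure probability grows linearly as λ·(time since its last test), that "random" testing lets each channel contribute its mean λτ/2 independently, and with λ = τ = 1 the returned fractions are the table's numerical coefficients.

```python
from fractions import Fraction

# A polynomial in the test-cycle phase s is a list of Fraction coefficients [c0, c1, ...].
def poly_mul(a, b):
    out = [Fraction(0)] * (len(a) + len(b) - 1)
    for i, ca in enumerate(a):
        for j, cb in enumerate(b):
            out[i + j] += ca * cb
    return out

def poly_add(a, b):
    n = max(len(a), len(b))
    a, b = a + [Fraction(0)] * (n - len(a)), b + [Fraction(0)] * (n - len(b))
    return [x + y for x, y in zip(a, b)]

def poly_mean(p, upper):
    """Time average of polynomial p over s in [0, upper]."""
    return sum(c * upper ** (i + 1) / (i + 1) for i, c in enumerate(p)) / upper

def esym(polys, k):
    """k-th elementary symmetric polynomial of the channel unavailabilities:
    to leading order, the probability that some k channels are failed at once."""
    e = [[Fraction(1)]] + [[Fraction(0)] for _ in range(k)]
    for p in polys:
        for j in range(k, 0, -1):
            e[j] = poly_add(e[j], poly_mul(e[j - 1], p))
    return e[k]

def unavailability(m, n, schedule, lam=Fraction(1), tau=Fraction(1)):
    """Mean unannounced unavailability of m-out-of-n trip logic: m tripped
    channels cause a trip, so the system is dead once k = n - m + 1 channels
    have failed.  Assumed model: a channel's unsafe-failure probability grows
    as lam * (time since its last test), valid while lam*tau << 1."""
    k = n - m + 1
    if schedule == "simultaneous":          # all channels tested together
        polys = [[Fraction(0), lam]] * n    # each channel: lam*s, s in [0, tau]
        return poly_mean(esym(polys, k), tau)
    if schedule == "staggered":             # tests equally spaced tau/n apart
        u = tau / n
        polys = [[lam * i * u, lam] for i in range(n)]   # lam*(s + i*u), s in [0, u]
        return poly_mean(esym(polys, k), u)
    if schedule == "random":                # unrelated test times: each channel
        polys = [[lam * tau / 2]] * n       # contributes its mean lam*tau/2
        return esym(polys, k)[0]
    raise ValueError(f"unknown schedule {schedule!r}")

if __name__ == "__main__":
    for m, n in [(1, 2), (2, 2), (1, 3), (2, 3), (3, 3), (1, 4), (2, 4), (3, 4)]:
        print(f"{m}/{n}", *(unavailability(m, n, s) for s in ("simultaneous", "random", "staggered")))
```

Passing actual values for `lam` and `tau` (as `Fraction`s) returns the unavailability itself rather than the coefficient; the leading-order model is only trustworthy while λτ is small, which is the regime the text recommends anyway.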

Another more subtle benefit of staggered testing should be noted. If all tests are run simultaneously, i.e., one test immediately following another, there is increased opportunity for human error. Suppose, for example, that the technician systematically reads the wrong scale on the calibration instrument and sets all channels to a low gain, rendering them unsafe. If he proceeds directly from one test to the next, he is much more likely to repeat such an error on all channels than if the tests are spaced days apart.

(d) Provisions for Testing. The designer should anticipate the needs for testing and make appropriate provisions. If the test must be performed frequently, some built-in arrangements may be in order. If the test is simple and is performed infrequently, it may be more appropriate for the one performing the test to implement the test provisions. In any event the designer must be certain that the test can be run and that the test gear does not interfere with the ability of the system to perform its intended function.

If standard test-signal emitters are built into a channel, procedure should call for a regular cross calibration with another standard to ensure that the built-in standard remains within tolerance. If switches are built in to facilitate testing, an alarm should be initiated if the switches are not restored to “normal” before returning the channel to operation.

Observing the response of the channel to normal process variability and cross comparing with other channels monitoring the same variable is a very convincing test for the analog portions of an instrumentation channel.

Automatic testing provisions are sometimes used in reactor protection systems. These have two primary advantages:

1. The interval between tests can be reduced considerably with a corresponding reduction in system unavailability.

2. The automatic testing system can be designed to be a diagnostic help in troubleshooting.

These benefits should be balanced carefully against the disadvantages:

1. Extreme care must be exercised to ensure that a common-failure mode is not introduced in otherwise independent channels.

2. It must be demonstrated conclusively that the automatic test signal (frequently a pulse train) has the same effect on the circuit output device as a bona fide trip signal, which may build up slowly and sustain itself much longer.

3. The automatic test must encompass the whole channel, from sensor to channel output, and be thorough in discovering failures. This presents some difficulty for the tester, especially if a portion of the channel is analog in nature.

(e) Setting the Test Interval. Several factors must be considered in setting the time interval between tests. Tests spaced too far apart may allow unsafe failures to accumulate. On the other hand, tests conducted too frequently can become a burden on the plant operator if they do not truly enhance safety. The designer should consider the following factors in making the test interval a viable part of his design:

1. The tests should be made frequently enough so that the system will meet its design goal. In fact, one way to increase or decrease the availability of a system is to alter the test interval.

2. The tests should not be scheduled as “busy” work at an unrealistically short interval lest the tester lose his respect for the test and become negligent.

3. Only failure modes that are primarily time dependent need be considered in setting the test interval. For example, it is futile to test for a failure that occurs only as a result of the stress of initiating the test.

4. Wear-out due to testing should be a consideration, and, if it is necessary for the sake of safety to test so often that wear-out could be a problem, provisions must be made to monitor the component failure rates carefully and renew the components before they deteriorate to too low a level.

5. If a channel must be bypassed while it undergoes test, then the interval between tests (τ) should not be so short that the unavailability due to being bypassed is higher than the expected unavailability due to unsafe failures. For a single channel there is an optimum test interval. If the expected channel unsafe failure rate is λ and the time required to perform the test is t, the optimum test interval for highest availability is given by the expression⁵

<->

In no case is it of benefit to test more often. The preceding expression does not hold for a redundant or majority logic system, there being no true optimum. However, negligible benefits are derived from testing the individual channels of a redundant system more often than is indicated by Eq. 11.2.
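As an added illustration of item 5 (not part of the handbook, and not a reproduction of Eq. 11.2): assuming the single-channel model in which unsafe failures contribute a mean unavailability λτ/2 and bypassing the channel for t hours per test contributes t/τ, the script below locates numerically the test interval at which total unavailability is least. The failure rate and test duration are constructed values.

```python
import math

def channel_unavailability(tau, lam, t_test):
    """Mean unavailability of one channel tested every tau hours.
    Assumed model: unsafe failures accumulate at rate lam between tests
    (mean unavailability lam*tau/2), and the channel is bypassed for
    t_test hours during each test (bypass fraction t_test/tau).
    Valid while lam*tau << 1 and t_test << tau."""
    return lam * tau / 2.0 + t_test / tau

def optimum_test_interval(lam, t_test, lo=1.0, hi=1.0e5, tol=1e-6):
    """Golden-section search for the tau in [lo, hi] that minimises
    channel_unavailability; the sum of a rising and a falling term has a
    single minimum, so the bracket shrinks onto it."""
    g = (math.sqrt(5.0) - 1.0) / 2.0
    a, b = lo, hi
    c, d = b - g * (b - a), a + g * (b - a)
    while b - a > tol:
        if channel_unavailability(c, lam, t_test) < channel_unavailability(d, lam, t_test):
            b, d = d, c                 # minimum lies in [a, d]
            c = b - g * (b - a)
        else:
            a, c = c, d                 # minimum lies in [c, b]
            d = a + g * (b - a)
    return (a + b) / 2.0

if __name__ == "__main__":
    lam, t_test = 1.0e-4, 2.0           # constructed: unsafe failures per hour, hours per test
    tau = optimum_test_interval(lam, t_test)
    print(f"optimum tau = {tau:.1f} h: unsafe part {lam * tau / 2:.4f}, "
          f"bypass part {t_test / tau:.4f}; a monthly (720 h) interval gives "
          f"{channel_unavailability(720.0, lam, t_test):.4f}")
```

At the optimum the two contributions are equal, which is the balance item 5 describes; shortening the interval further only adds bypass time faster than it removes unsafe-failure exposure.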