Westinghouse Reactor Protection System Unavailability, 1984-1995 Page: 3 of 9
This article is part of the collection entitled: Office of Scientific & Technical Information Technical Reports and was provided to Digital Library by the UNT Libraries Government Documents Department.
trip breakers given appropriate combinations of signals
from the channels. For the RPS to fail, both of the trains
(or their associated reactor trip breaker) must fail, a
sufficient number of channel failures must occur, or a
sufficient number of RCCAs must fail to insert. Since
only two diverse trip signals were modeled, 3 of 4
channels for each of the two trip signals must fail. It was
assumed that 10 or more of the 40 to 60 RCCAs must fail
to fully insert (in a random pattern). A sensitivity study
was conducted to determine the impact on RPS
unavailability from this assumption.
Testing of the Westinghouse RPS can be summarized
by RPS segment (Figure 1). Generally, the RPS channels
are tested every three months, with the channel being
placed in a bypass condition during the test. The trains
and reactor trip breakers are tested on a staggered
monthly basis. This means that each train (and associated
breaker) is tested every two months. Finally, the RCCAs
and associated CRDMs are tested every refueling or 18
II. SYSTEM FAULT TREE
System fault trees were constructed for each of the
two Westinghouse RPS designs analyzed: Analog Series
7300 and Eagle-21. The level of detail in the fault tree
includes RCCA/CRDMs, reactor trip breakers and bypass
trip breakers (broken down into mechanical/electrical,
undervoltage device, and shunt trip device contributions),
undervoltage driver and universal cards in the SSPS,
selected relays, temperature and pressure
sensor/transmitters, Eagle-21 and analog process logic
modules, and bistables. As noted previously, two trip
signals were included in the fault tree, even though at
least three signals are typically generated for plant upset
conditions. A sensitivity study was conducted to
determine the impact on RPS unavailability if three trip
signals had been modeled.
Common-cause failures (CCFs) across similar
components were explicitly modeled in the RPS fault tree.
In general, CCF events were defined to involve sufficient
failures of the component type to fail the RPS. Lower-
order CCF events, which must be combined with random
component failures to cause an RPS failure, were not
included in the fault tree. Results of the fault tree
quantification were reviewed to ensure that the exclusion
of lower-order CCF events did not significantly impact
Test and maintenance outages and associated RPS
configurations were modeled for the SSPS (and
associated reactor trip breaker) and channel outages. For
channel outages, the channel was assumed to be placed
into a bypass condition, rather than a tripped mode. For
SSPS train outages, only the other train is available to
respond to plant upset conditions.
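The train and channel failure logic described above can be enumerated directly as minimal cut sets. The sketch below is an added example, not part of the original report or of the SAPHIRE model. The event names, the probabilities, the single CCF event per trip signal and the treatment of a bypassed channel as already failed are all assumptions of this example, and RCCA failures are left out.

```python
from itertools import combinations, product
from math import prod

# Constructed per-demand failure probabilities (illustrative, NOT from the study).
P_TRAIN, P_CHANNEL, P_CCF_CHANNELS = 1e-3, 5e-3, 1e-5

def k_of_n(k, events):
    """Cut sets of a gate that fails when any k of its inputs fail."""
    return [frozenset(c) for c in combinations(events, k)]

def and_gate(*gates):
    """AND: merge one cut set from each input gate, then drop non-minimal sets."""
    merged = {frozenset().union(*pick) for pick in product(*gates)}
    return [s for s in merged if not any(other < s for other in merged)]

def rps_cut_sets(bypassed=()):
    """Minimal cut sets for: both trains fail, OR 3 of 4 channels fail on
    each of the two modeled trip signals.

    bypassed: channel events under test. A bypassed channel cannot vote, so
    it is treated as already failed (assumption of this example).
    """
    probs = {"TRAIN-A": P_TRAIN, "TRAIN-B": P_TRAIN}
    signal_gates = []
    for sig in ("SIG1", "SIG2"):
        chans = [f"{sig}-CH{i}" for i in range(1, 5)]
        probs.update({c: P_CHANNEL for c in chans})
        ccf = f"{sig}-CCF"  # hypothetical CCF event that alone fails 3 of 4 channels
        probs[ccf] = P_CCF_CHANNELS
        signal_gates.append(k_of_n(3, chans) + [frozenset([ccf])])
    cuts = [frozenset(["TRAIN-A", "TRAIN-B"])] + and_gate(*signal_gates)
    # A bypassed channel has probability 1: remove it, then re-minimise.
    cuts = {cs - frozenset(bypassed) for cs in cuts}
    return [cs for cs in cuts if not any(o < cs for o in cuts)], probs

def unavailability(cuts, probs):
    """Rare-event approximation: sum of the minimal cut set probabilities."""
    return sum(prod(probs[e] for e in cs) for cs in cuts)

if __name__ == "__main__":
    for label, byp in (("no outage", ()), ("CH1 bypassed", ("SIG1-CH1", "SIG2-CH1"))):
        cuts, probs = rps_cut_sets(byp)
        print(f"{label}: {len(cuts)} cut sets, Q = {unavailability(cuts, probs):.6e}")
```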
The Analog Series 7300 RPS fault tree model
included approximately 120 basic events, of which
approximately 40 were CCF events. Approximately
25,000 cut sets were generated when the fault tree model
was solved using the SAPHIRE computer code [2]. The
Eagle-21 fault tree model had a similar level of
III. DATA REVIEW AND ANALYSIS
U.S. Westinghouse RPS performance during the
period 1984 through 1995 was assessed by reviewing
Licensee Event Reports and the Nuclear Plant Reliability
Data System reports. Fifty-three U.S. Westinghouse
nuclear power plants were covered in the study.
Approximately 15,000 reports were identified. Of these
15,000, approximately 1,000 involved actual component
failures (independent or CCF) applicable to this study.
The data review process involved at least two
independent reviews of each event report by
knowledgeable engineers. Each event was characterized
by safety function impact (fail-safe, non-fail-safe, or
unknown) and degree of failure (complete failure, no
failure, or unknown). This resulted in a three-by-three
matrix, with nine different bins into which an event could
be placed, as indicated in Figure 2. This classification
scheme resulted in one bin with non-fail-safe, complete
failures of components. Three other bins may also
contain such events, but limited information from the
event report did not allow the analysts to determine
whether the events were non-fail-safe, complete failures.
                              Safety Function Impact

Non-fail-safe,                Unknown safety function       Fail-safe,
complete failure              impact, complete failure      complete failure

Non-fail-safe,                Unknown safety function       Fail-safe,
unknown completeness [b]      impact, unknown               unknown completeness
                              completeness [b]

Non-fail-safe,                Unknown safety function       Fail-safe,
no failure [c]                impact, no failure            no failure

a. Events in this bin receive weights of 1.0.
b. Events in these bins receive weights of <1.0.
c. Events in these bins are not applicable.
Figure 2. Data classification scheme.
Gentillon, C. D.; Marksberry, D.; Rasmuson, D.; Calley, M. B.; Eide, S. A. & Wierman, T. Westinghouse Reactor Protection System Unavailability, 1984-1995, article, August 1, 1999; Idaho Falls, Idaho. (https://digital.library.unt.edu/ark:/67531/metadc620476/m1/3/: accessed March 21, 2019), University of North Texas Libraries, Digital Library, https://digital.library.unt.edu; crediting UNT Libraries Government Documents Department.