Improving the performance of important SSCs

The D-RAP team must make use of the programmatic tools described in detail elsewhere in this guidebook, but to recapitulate the possible options, the D-RAP team should:

- Use the D-RAP RAM modeling and analysis process to produce the categorized and ranked list of SSCs which are important to plant reliability and economic performance, - Use the categorization process to focus their attention on the issues which are important

to the improvement process and have a realistic potential for gain, or offer a positive return on the invested resources,

- Define the issues of importance to the D-RAP improvement or enhancement process for each important SSC:

(i) Failure modes of importance,

(ii) Whether failure mode importance is a result of reliability (failure rate) or maintainability (time down for test, repair, inspection or overhaul),

- Assess the potential for enhancement of reliability and or maintainability, by comparison with historical experience for similar SSCs operating under similar conditions,

- Define a D-RAP strategy for the reliability, availability or maintainability enhancement process for each important SSC.

5.16.1. Reliability enhancement

To enhance the reliability of individual SSCs and minimize the number of unplanned functional failures, the cognizant designer should:

- Use a combination of historical records from past failures and a focused reliability assessment for the SSC, e.g. goal tree or equivalent, to identify:

(a) Dominant functional SSC failure modes,

(b) SSC flaw initiating mechanisms and likely initiating sites,

(c ) Intermediate SSC damage states and failure propagation paths which, without (d) intervention, culminate in the functional failure of the SSC,

(e) Environmental and process conditions which influence the rates of flaw initiation and progression, and an estimate of the relative progression rates for each important failure mode,

(f) Information which is potentially available to diagnose SSC damage state and infer SSC internal condition,

- Use information from the SSC reliability assessment to guide the specification of materials of construction and manufacturing methods to minimize the probability of flaw initiation and propagation for important failure modes,

- Use information from the SSC reliability assessment to develop an effective protective actions strategy which not only prevents catastrophic failure (long down time) but also does not result in premature or spurious shutdowns (high shutdown rate):

(i) Define information which can be feasibly collected and analyzed to infer internal SSC condition, or, severe external threats to its condition from the process, and construct an intervention strategy which can be used to initiate automatic or manual protective action,

(ii) Develop a highly reliable automatic strategy (highly redundant) which will ensure immediate cessation of damage state progression and prevent consequential damages for important failure modes, yet minimize vulnerability to spurious shutdowns caused by false inputs or failed actuation devices in any one of the redundant paths, i.e. develop an M-out-of N logic which achieves both highly reliable operation without susceptibility to spurious actuation,

(iii) Develop an effective diagnostic and monitoring package which will guide the operator’s decisions about SSC shutdown in the presence of deteriorating internal conditions or severe external threats to its integrity.

General philosophy for protective systems

SSC shutdown systems either initiate an automatic trip or annunciate a warning whenever the protective system detects unacceptable internal hardware conditions or the presence of potentially damaging external threats. In principle, an equipment protective trip contributes to SSC availability by preventing the occurrence of severe failures and their attendant demands for long down times to effect repair, at the expense of more frequent shutdowns when the SSC remains in a relatively benign, or less severe, damage state.

A protective system provides higher SSC availability by providing a large decrease in average down time at the expense of a small increase in effective failure rate.

The need for protective systems is generally driven by the cost and complexity of the protected equipment, i.e. protective trips are standard on turbines, generators, reactors, large pumps, fans, motors and electrical equipment.

Where standby safety related equipment must operate on demand during an accident, and repairability is not of value nor concern, equipment protective systems may not be installed because there is little opportunity for a positive return yet there may exist the potential for a large negative return if a spurious or inadvertent SSC trip were to occur.

5.16.2. Maintainability enhancement

To enhance the maintainability of individual SSCs and minimize the average down time following unplanned failures, or, to minimize the contributions to unavailability from test and

preventive maintenance activities, the cognizant designer should follow the general precepts described in section 2 and summarized below.

When the SSC categorization process indicates that maintainability of normally operating components is important to plant forced or planned outage rates, the cognizant designer should first separate the contributions to SSC unavailability from preventive maintenance and testing from the contributions associated with corrective maintenance and planned overhauls because they require different treatment.

5.16.3. SSC unavailability from required tests, inspections and PMs

The primary goals of the designer when designing, specifying and selecting SSCs whose down time from required tests and inspections makes important contributions to SSC unavailability, are to:

- Minimize the need to interfere with normal operation by providing effective on-line diagnostics which allow the maintenance staff to use condition directed maintenance, in lieu of periodic tests and inspections.

The SSC reliability analysis can provide the insights about hardware failure characteristics which are needed to guide development of a programme of this type.

- Perform a formal assessment of the risks which are accepted if the plant elects not to comply with equipment manufacturers recommendations for on-line testing of critical equipment, and confirm that the testing is, or is not, cost effective. This type of assessment may be important when determining how often to test turbine stop valves.

This type of assessment should consider each of the following contributors when assessing cost benefit ratios for a specific testing activity:

Costs of test:

- Loss of generation per test, if load reduction is needed

Loss of generation = tests/a * reduction in MW/test * duration of test

- Expected loss of generation per test if a load change or other associated activities have the potential to cause a SCRAM

Expected loss = tests/a * P[SCRAM | test] * generation lost/SCRAM Benefit from test

Reduced economic risk attributable to the test

$risk = {failure rate/a | no test — failure rate/a | test} * $consequences of failure

A difficulty may arise when trying to assess the effects of testing on reliability, because there is seldom a clear-cut quantitative relationship between them. In this case, the designer should use judgement and experience to bound the issue and make the necessary decisions.

- Maximize the testability of the SSC, i.e. make sure that where feasible and justified:

(a) Connections needed to either test the SSC, or to monitor its performance during the test, are provided. By minimizing the number of required temporary connections the error rate associated with configuration induced system transients should be minimized,

(b) The system is designed to accommodate testing, to the maximum extent possible by providing adequate permanently installed test instrumentation.

- Minimize the down time required for preventive maintenance activities:

(a) Review the preventive maintenance requirements provided by the equipment vendor and compare them with the insights and results from the reliability assessments performed for the SSC,

(b) Determine the value of the suggested PM activities in preventing the occurrence of important failure modes and identify those which can be expected to be effective,

(c) Review the design of the SSC and identify any feasible changes which will enhance the performance of the proposed preventive maintenance activities,

(d) Based on the results from the above, define the requirements for on-line PM, both in terms of applicable maintenance actions, their periodicity and if possible, modify the specifications or design to minimize the time required to effect the required maintenance actions.

5.16.4. SSC unavailability from required corrective maintenance

To minimize the down time required to repair, replace or refurbish a failed SSC, the designer must optimize the design to cost effectively reduce each individual contribution to down time by minimizing the design contribution to:

- Pre-repair delays,

- Delays and inefficiencies incurred during performance of the repair task, - Post-repair delays.

5.16.4.1. Pre-repair delays and inefficiencies

To minimize the pre-repair delays the SSC designer should review the design to confirm that it meets all of the maintainability criteria which should be considered for all plant hardware, namely that:

- The area surrounding the SSC is laid out in a manner which facilitates radiation surveys which may be needed prior to initiating the repair process,

- Tag-out, drain and de-energization boundaries are reviewed to confirm that requisite connections are provided in locations which are both accessible and functionally viable, e.g. pipe vents which must be opened to drain system piping are both accessible, and at high points in the pipe, and that drain are at the low points and close to a plant drains so that long lengths of temporary hoses are not needed. Where systems may contain contaminated or radioactive fluids, confirm that there is ready access to the plant liquid waste systems,

- Chain or reach-rod operators are installed on inaccessible manual valves and they are oriented so that they can be easily operated from the compartment deck or access ways, - Clearly visible, standard nomenclature, equipment tag identifiers are provided with each

isolation boundary component to speed their unambiguous identification,

- Equipment or plant instrumentation provides enough information to allow effective diagnosis of the failed SSC damage state to facilitate maintenance repair pre-planning and staging activities,

- The areas surrounding the SSC contain no interferences from other systems which must be removed before repairs on the SSC can be initiated. This includes confirmation that there is adequate clearance for removal of rotating machinery internals, and that piping or cable runs from other systems do not interfere with SSC disassembly or removal, - Special rigging points, anchorages or monorails needed to disassemble or remove the

SSC are pre-installed and that interferences, e.g. cable trays or small bore and field run piping, do not interfere with the ability to use them,

- Rails or rollers are permanently installed for heavy equipment which must be moved out of place for repair or overhaul,

- SSCs installed in a high radiation area are shielded to preclude the need to install it prior to initiating a repair,

- Any needed support systems, such as breathing air, plant air (for tools), and welding and power receptacles are provided in the vicinity of important SSCs to minimize delays because of the need to set up temporary wiring connections and hoses before the repair process can be initiated,

- Evaluate the feasibility of installing catwalks or permanent scaffolds where they may be needed to gain access to the equipment during disassembly or repair.

5.16.4.2. Repair delays and inefficiencies

The designer should review the design and proposed installation to confirm that:

- The equipment is installed in an area which has adequate lay down space and sufficient available access for both the maintainers and their equipment,

- The SSC diagnostics are sufficient to allow effective staging for the repair of the dominant functional failure modes. “Staging” includes preparation of procedures, collection of needed tools, parts and special equipment and the definition of any needed personal protective equipment, e.g. anti-contamination suits, respirators, plastics or air-hoods,

- A reasonable work environment is provided, i.e. ventilation, light, heat, radiation protection in each area which is likely to be an important source of maintenance activities. Inadequate environmental controls either result in worker inefficiencies, either because they must wear excessive amounts of personal protective equipment or initiate delays while temporary utility services, e.g. portable fans and temporary lights are established,

- Provide elevators and open walkways wherever possible to provide maintainer access to and from the job site with needed tools and equipment, and minimize delays incurred when traveling to and from the workshop to get additional tools, parts, etc.

- SSC protective instrumentation and actuation systems are designed to detect, diagnose and actuate shutdown, or warn the operators, before important failure modes can progress to the point where consequential internal damage results, i.e. control the damage to minimize the scope of required repairs,

- The equipment is inherently maintainable, i.e. can be disassembled and repaired in the field. This is particularly important for hardware which may become irradiated or contaminated to a level which precludes its being shipped off-site or even to the main plant repair facility,

- Exploit the results from the reliability and maintainability analyses to define an adequate, yet cost effective, set of equipment spare parts and replacement assemblies which can be provided as part of the initial SSC purchase, and prevent delays when needed spares are not available on-site.

5.16.4.3. Post-repair delays and inefficiencies

Many of the hardware characteristics associated with minimization of post-repair delays are similar to those suggested above to minimize pre-repair delays, i.e. access to the SSC boundary isolation devices, primarily valves, which must be manipulated to reestablish equipment operability. However, following repairs, there are often requirements to perform a functional test before the SSC is returned to service. The ease with which this test can be performed can have an important effect on the time required to complete it. The designer should try to minimize the time required to perform post-maintenance tests and:

- Use the insights from the SSC reliability analysis to guide development of a pre-test examination which will identify potential problems which may follow improper maintenance, or the installation of inadequate, defective or incorrect parts. Having an effective tool of this type will:

(i) minimize the probability that an improperly performed maintenance activity will remain undetected until the functional test,

(ii) reduce the probability of a functional test failure which requires repetition of the isolation, repair and de-isolation process.

- Design the installation to allow complete “off-line” functional operation of the SSC, e.g.

ensure that there are adequately sized recirculation lines for a standby pump so that it can be operated and tested without having to inject flow into the normal process and without having to establish a temporary alignment, which itself must be restored at the completion of the test.