NUCLEAR ENGINEERING AND DESIGN 28 (1974) 239-251. © NORTH-HOLLAND PUBLISHING COMPANY
THE PROBABILITY OF CATASTROPHIC FAILURE OF REACTOR PRIMARY SYSTEM COMPONENTS*
A.B. HOLT, Søndre Huseby, Oslo 3, Norway
Received 22 October 1973
Using recent information about failures in nuclear plants, the author has derived the following estimates of the probability of failure events in prime piping systems of carbon and low-alloy steel: severance prior to service: 5.7 x 10^-2 events/plant, and severance during service: 5 x 10^-3 events/plant yr. These numbers are higher, by one to two orders of magnitude, than the corresponding numbers used in calculations pertaining to nuclear safety. To estimate the probability of severance of a reactor vessel (which here includes the large nozzles), the author uses the logic of the Warner diagram. In the case of piping, it is noted that the ratio: probability of severance prior to service to probability of severance during ten years of service = 1 (approximately). Over the last ten years there have been at least four failures of heavy section steel vessels (UK and US). Although there are good reasons to assert that vessels are much less prone to severance than piping, the Warner diagram speaks its logic. Statistics gathered from hardware populations in existing plants will never be directly applicable to hardware populations in future plants because we are continuously introducing changes in the main parameters: design, materials, manufacture and operation. Wilson, of General Electric, has developed methods for a priori calculations of the probability of failure events in piping systems, based on first principles, as he sees it. He considers that failures are due to fatigue, and bases his method on the Paris formula: $da/dn = A K^B$, with the stress parameter $K = \sigma a^{1/2} \times \text{constant}$. In Wilson's scheme, each component slides down its path to failure, passing a specified series of stages where the parameters of his formulae are subject to random variations. The result is that a crack of initial size $a_i$ (random) under the influence of stress $\sigma$ (random) may grow to a depth exceeding the wall thickness, resulting in a leak. Or the crack may grow to critical size, and result in a severance triggered by a high stress (random). Wilson's results compare favorably with the observed probabilities of leaks and severances during service, but they are too low, by an order of magnitude, for the probability of severance prior to service.
* Invited paper M6/3 presented at the Second International Conference on Structural Mechanics in Reactor Technology, Berlin, Germany, 10-14 September, 1973.

1. Introduction
In 1812, Pierre de Laplace offered publicly to bet anyone 1 826 214 to 1 that the sun would rise the next day [1]. When calculating the probability of a solar disaster, Laplace displayed an admirable scientific objectivity not readily seen among his later pupils working with atomic power reactors. Thus a recent report issued by the School of Engineering and Applied Sciences, University of California, concludes that the worst hypothetical accident associated with an atomic power reactor has a probability of occurring once in 100 million years [2]. Intuitively, one would assume the sun to be the more reliable of the two machines. Hence, it may be very fortunate for our peace of mind that Laplace is not around to calculate the risk associated with watercooled power reactors. It may be excusable to express the degree of one's belief using astronomical numbers, but realistic sounding estimates carry the higher credibility [3]. The generally accepted interpretation of probability is founded on the observed frequency of the event in the population we consider. The event of interest is failure by severance, the population is nuclear hardware used in boiling water and pressurized water reactors. Sometimes the failure of a piece of hardware will trigger a chain of events terminating
in a disaster [4]. Atomic power plants are designed with engineered safeguards which will, we believe, stop the chain of events from developing into a public disaster. Expressing the above considerations in probabilistic terms, we get

$$p(e) = p(1) \times p(2) \times p(3), \qquad (1)$$

where p(e) is the probability of disaster caused by a particular trigger event under consideration; p(1) is the probability of the trigger event, i.e. a particular component suffering a severance bearing on the safety of the reactor plant; p(2) is the conditional probability that the primary failure shall trigger a domino reaction wrecking the primary loop; and p(3) is the conditional probability that the containment structure shall fail to perform its intended function under the above circumstances. The actual disaster probability is the sum of the partial probabilities described by eq. (1):

$$P(e) = \sum p(e). \qquad (2)$$
Before we endeavor to develop numerical values for the trigger events p(1) and the conditional probabilities p(2) and p(3), we will compare the disaster probabilities P(e), which we associate with the types of plants of interest, i.e. type A - conventional utility plant, used for comparison; type B - commercial water-cooled atomic power reactors, land based; type C - marine atomic power plants, military and commercial.
In table 1, I have ranked the probabilities within the same category as minimal, small, moderate, and high. This gives the relative ranking of the probabilities appearing in the same row, but should not be used for comparing probabilities in the same column. We have sufficient data enabling us to predict the probability of occurrence of a primary event, i.e. leak or severance. The conditional probabilities (domino event, broken confines) remain largely conjectural, but for one important case.

2. Actual failure statistics
Table 2 gives a summary of failure rates of pressure vessels, mostly boilers. Table 3 gives a summary of failure rates experienced in steam piping. In table 3 we have added failure rates calculated from the probabilities which Wilson has derived by means of methods developed under a USAEC sponsored research and development program [5-7]. In addition, we have some field data which we have used for deriving statistics of interest to atomic power plant operation. Table 4, taken from Scott [8], gives failure data encompassing 13 classes of components used in atomic power plants. By my reckoning, these data have been collected from 24 atomic power reactors, and represent approximately 75 yr of actual operation. Table 5 gives additional data, taken from my personal notes, about severances which have occurred in the primary steam piping of atomic power plants in the US, during hot testing (pre-operational) and actual service.
Table 1. Comparison of risks associated with three types of power plants, USA.

| Category of event | Type A, conventional utility plants | Type B, commercial watercooled atomic power reactors | Type C, marine atomic power plants, military and commercial |
|---|---|---|---|
| (1) trigger event | p(1, A) = small | p(1, B) = moderate | p(1, C) = small |
| (2) domino event | p(2, A) = minimal | p(2, B) = small | p(2, C) = moderate |
| (3) confines broken | p(3, A) = not applicable | p(3, B) = moderate | p(3, C) = high, approx. = 1 |
| Disaster event p(e) | not applicable | p(1, B) x p(2, B) x p(3, B) | p(1, C) x p(2, C) x 1 |
| Damage potential | limited | unlimited | limited to plant and complement |
| Recent experiences | 1 boiler drum fractured during pre-operational testing. One 24 in. steampipe severed catastrophically during service. | no serious mishap during approx. 200 reactor yr of operation. One 4 in. steam line severed during operation. | two total losses during approx. 1000 reactor yr of operation. Causes not disclosed, if adequately known. |
Table 2. Summary of surveys of pressure vessel failures, UK and Germany.

| Source | Size of population, no. of failure events | Failure rate (events/vessel yr) |
|---|---|---|
| Survey by UKAEA: British built pressure vessels, Class I req.: Phillips and Warwick [5] | 12 700 vessels totalling 100 300 vessel yr of operation | |
| | 60 potentially dangerous failures (req. remedial action) | 6 x 10^-4 |
| | 2 catastrophic failures (minor) | 2 x 10^-5 |
| Survey by TÜV: German built pressure vessels: Kellermann et al. [6] | 241 boiler drums, 2500 vessel yr of operation (assumed by me), 33 failures | 1.32 x 10^-2 |
Table 3. Experience, steam plant piping failure rate summary, US surveys.

| Source | Size of population, no. of events | Failure rate (events/plant yr) |
|---|---|---|
| National Bureau of Casualty Underwriters, 4~ yr of records to 06/1961. Steam, feedwater and blowoff piping on water boilers | not reported | 1.67 x 10^-3 |
| Survey of piping failures for the 'Reactor primary coolant pipe rupture study', GEAP-4574, May (1964) | approx. 9000 plant yr of operation, 399 failures of which four excessively severe service failures (17 severance cases) | general failure: 44.3 x 10^-3; failure by severance: 1.9 x 10^-3; severe failure: 0.44 x 10^-3 |
| 'Reactor primary coolant system rupture study', GEAP-10207-23, USAEC Research and Development Report; Quarterly No. 23 (1970) | the numbers have been calculated from the probabilities given for the first 5 yr of reactor service period. Probabilities from computational methods using 17 basic fault causes with weighted degrees of probability | without UT: leaks 264 x 10^-3, severance 4 x 10^-3; with UT: leaks 125 x 10^-3, severance 1.5 x 10^-3 |
Table 6 gives a comparison between some failure frequencies observed in the piping of conventional utility plants and the frequencies observed in the corresponding piping of commercial atomic power plants. Note that the latter frequencies are higher by one to two orders of magnitude. In looking for a plausible explanation of this strange fact, we may point to the stricter reporting requirements exercised by the USAEC for plants under its jurisdiction. However, a more sinister cause has been operative, which is seemingly responsible for the larger share of the blame: the prevalence of human error as one of the basic causes of the high rate of failures experienced in atomic power plants gives ample reason for concern (see table 7).
The surveys of pressure vessel failures reported in table 2 indicate strongly that well designed and correctly operated vessels do not fail in a catastrophic manner. This conclusion is markedly at odds with my recollections from simply reading the newspapers [9]. Preparing a correct and informative survey is a very difficult task. Raw data are hard to come by, and the compiler is usually under pressure to prove a point. Table 8 is a compilation of catastrophic severances of pressure vessels based on sporadic notes and bits of information which I have gathered over the last 32 years. Events like the boiler explosion at Sparrows Point in 1968, and others about which I have completely ignored the details have been omitted from the list.
Table 4. Components most frequently identified in nuclear facility incidents [8].

| Component | Total no. of incidents |
|---|---|
| Control rod system (stuck rods) | 75 (23) |
| Valves (leaks) | 73 (34) |
| Instrumentation | 46 |
| Heat exchangers (tube leaks) | 34 (24) |
| Pipe (leaks) | 30 (17) |
| Pumps | 24 |
| Welds | 17 |
| Fuel | 17 |
| Power supplies | 15 |
| Diesel generators | 11 |
| Sensitized material | 6 |
| Nozzle safe ends | 6 |
| Turbine | 5 |

Table 5. Failure frequencies observed in commercial atomic power plants, USA.

| Item | Value |
|---|---|
| No. of power reactors in the statistics | 35 |
| Total no. of reactor yr accumulated (approx.) | 200 |
| Piping severances during hot testing before service | 2 |
| Piping severances during service | 1 |
| Severance rate, prior to service | 2/35 = 57 x 10^-3/plant |
| Severance rate, in service | 1/200 = 5 x 10^-3/plant yr |

Table 6. Comparison of failure frequencies in prime piping, events/plant yr.

| Type of failure | Conventional utility (source: GEAP-4574) | Commercial atomic power plant (sources: Scott/Holt) |
|---|---|---|
| Leak | 399/9000 = 44.3 x 10^-3 | (34 + 17)/75 = 680 x 10^-3 |
| Severance | 17/9000 = 1.9 x 10^-3 | (2* + 1)/200 = 15 x 10^-3 |

* Two excessively severe failures occurred during hot functional testing. In the Wilson study they are counted as service failures since they occurred during the hot functional testing. The rate over first 5 yr is given as 19.95 x 10^-3 or 4 x 10^-3/yr.

Table 7. Causes most frequently identified in nuclear facility incidents [8].

| Cause | Frequency | Human error (*) |
|---|---|---|
| *Design error | 38 | *38 |
| *Operator error | 31 | *31 |
| Debris in core or system | 31 | |
| *Maintenance error | 28 | *28 |
| Corrosion | 16 | |
| *Administrative error | 13 | *13 |
| Crud (film deposits) | 12 | |
| Vibration | 10 | |
| Act of God | 4 | |
| Grand total | 193 | *110 |

Percentage human error = 110/193 x 100 = 57%

Table 8. Catastrophic pressure vessel failures known to the author.

| Identification of pressure vessel | Approximate wall thickness | Circumstances of failure |
|---|---|---|
| Tank car (chlorine gas) | 43 in. | during service (discharging), 1940 |
| Mountain Top vessel | 7-8 in. | preservice proof testing, 1964* |
| Sizewell vessel | 2.25 in. | preservice proof testing, 1964 |
| John Thompson vessel | 5.875 in. | preservice proof testing, 1965 |
| Cockenzie vessel | 5.562 in. | preservice proof testing, 1966 |
| GKW Mannheim vessel | 78 mm | proof testing following repair, 1961 [10] |
| Ensidesa vessel | 28 mm | during service, 1971 |
| Madrid vessel | 38 mm | preservice proof testing, 1972 |
| Roxboro vessel | 7.50 in. | preservice proof testing, 1972† |
| Three rocket casings | 3 in. | preservice proof testing [15-18] |

* The Mountain Top vessel was a shell and tube heat exchanger that failed under proof testing in 1964. The end (tube plate) was fabricated from forging material ASTM SA 266 Grade II, Y = 35 000 psi and UTS = 70 000 psi. The failure started at the transition between the tube plate and the head wall where the transition radius was very small. The internal diameter was 6.5 ft, the wall thickness between 6 and 7 in. The design pressure was 3750 psi. The test pressure at the time of rupture was 5300 psi, or approximately 1.4 x design pressure. The temperature was 14°F above NDT (determined by the Pellini method after the accident).

† The Roxboro vessel was a boiler drum that failed during the pre-operational hydrostatic test. The drum was 60 ft long x 6 ft i.d., and its nominal wall thickness was 7½ in. It had been designed and manufactured under the rules of ASME Section I, from SA 515 Grade 70 plate. The design pressure was 2900 psi; the proof test pressure required was 2900 x 1.5 = 4350 psi. The boiler failed brittly at 3800 psi, and a temperature of 64°F. The failure seems to have originated in the area of two 14 in. downcomer nozzles, and propagated in both directions, axially.

Notice the high frequency of failures which have occurred under proof testing. This fact, strange to say, has induced many engineers to advise against proof testing. Their reasoning runs as follows. The stress pattern induced by overloading the vessel in the temperature range 70-150°F is different from the stress pattern the vessel sees at full operating pressure and temperature and during the transient periods. Approximately eight years ago the author proposed that reactor vessels be proof-tested at design pressure at a temperature of 40°F (fill the vessel with ice water). This test would be very informative since the vessel would crack if it contained flaws of the size which cannot escape detection by radiography (and UT). However, the test is seemingly too cruel on the RPV. I have personal experience of the fact that a well made steel pressure vessel may be fully pressurized, even at temperatures below -100°F, without any danger*.

* In 1937 when the author was superintendent of a Linde unit of a great ammonia producing plant, he conceived the idea of bottling oxygen (a byproduct from the Linde unit) by the simple expedient of filling liquid oxygen in a pressure resisting container, and allowing it to evaporate until it had built up the necessary pressure needed for bottling it commercially. Liquid nitrogen has a boiling point of -196°C. As container I used a slender steel forging of the type used in the ammonia synthesis. While I took care that the liquid nitrogen did not come into contact with the steel walls, the evaporated cold gas did. The temperature of the walls could have been -50 to -100°C. The pressure was around 200 atm. We repeated the cycle hundreds of times. The steel forging must have been free from cracks, not unlike the reactor vessel which had been manufactured under a quality control program. Hence, I see no reason why the latter could not be pressurized to operating pressure at a temperature of 5-10°C, since this test would give us complete assurance that no flaws above a certain size exist in the vessel.

Failure statistics are usually presented under ground rules that automatically exclude vessels which fail under proof testing, prior to service and following major repair work [10]. After eliminating such events from table 8 only two cases remain: the tank car and the Ensidesa vessel. The tank car was an old vessel of the riveted type, hardly representative of today's manufacture, and it should be eliminated from our considerations. The Ensidesa vessel was designed under a code different from the ASME Boiler and Pressure Vessel Codes, and ought not be considered for this reason. Table 8 is by now eliminated, and we start out with a clean slate. This position may easily be defended since the two catastrophic failures reported by Phillips and Warwick could not have occurred under the construction rules imposed by Section III of the ASME Code. Unfortunately, a realistic appraisal of the situation regarding large size nuclear reactor vessels does not warrant such comfortable conclusions as those of ref. [2], or even those of ref. [11]. In this connection it seems appropriate to make the following remark. A conceivable event of technological nature which has never been observed must not be dismissed from our
considerations for that reason. The numbers game we play using probabilities of once in a million plant years and similar are largely opiates [12].
3. The probability of severance of reactor pressure vessels
Reactor pressure vessels are large size constructions having wall thicknesses in the order of 6-12 in. They are in several respects unique among pressure vessels. For this reason one must be very careful in classifying them with other pressure vessels such as boilers, and drawing conclusions based on statistics gathered from pressure vessels in general. Nuclear safety experts reason as follows:
(a) Reactor pressure vessels (RPVs) and boiler drums are subclasses of the pressure vessel in general.
(b) Statistics encompassing 12 700 vessels with an accumulated service life of 100 300 vessel yr, according to UK statistics, have proven that the failure rate is 2 x 10^-5 catastrophic events/vessel yr.
(c) Since RPVs are manufactured and operated in such a way that similar catastrophic failures cannot occur, their failure rate becomes virtually zero, say 10^-6 to 10^-7 catastrophic events/vessel yr.

Let us first look at the assumption of the infallibility of pressure vessels as demonstrated by their service record. When we look at tables 8 and 9 we are struck by the number of heavy-walled pressure vessels that ruptured during proof testing. Four out of the six vessels that failed had wall thicknesses in excess of 5 in. Considering that thin-walled pressure vessels are ten times more numerous than heavy-walled ones, we have reason to believe that heavy-walled vessels might be set apart as a special subgroup within the class of pressure vessels. If we do, the number of vessels and their accumulated service time decrease sharply, and the rate of 2 x 10^-5 catastrophic events/vessel yr is no longer applicable.

The second question we ask may be formulated as follows. Does the pre-operational proof test constitute a foolproof warranty that, once the vessel has passed that hurdle, it will not fail during service? Tiffany and Masters have shown that this line of reasoning may be used in cases where the materials obey the rules of linear elastic fracture mechanics. They use it to good effect in their surveillance program for landing gear cylinders [13]. It might be used for pressure vessels in critical service if one cools the vessel to a temperature range where it exhibits brittle behavior. The usual proof test at temperatures where the vessel behaves in a ductile fashion is of limited value. Our experience with boiler drums seems to indicate that we might rely on the proof test to eliminate the defective drums, and that the rate of metallurgical regression exhibited by the drums is too slow to threaten their mechanical resistance over their service life. The boiler drum has one weak point, the downcomer, accounting for the bulk of observed failures. The reactor vessel has a still weaker point, the nozzle. As soon as we focus on the nozzle, we realize that we may treat it as statistically independent of the reactor vessel. From the Scott statistics (table 4) we know that there have been six failures of nozzle safe ends in 75 yr of reactor service. Since one case only has relevance to reactor vessel nozzles of the kind we are worried about, we retain this event, and put:

$$p(\text{trigger, nozzle}) = 1/75\ \text{event/reactor yr}.$$

Table 9. Data pertaining to pressure vessels that failed during proof testing, 1963-1973.

| Vessel | Design pressure | Nominal test pressure | Pressure at failure | Temperature at failure |
|---|---|---|---|---|
| Mountain | 3750 | 5525 | 5300 | 70°F |
| Sizewell | 300 | 450 | 440 | 13°C |
| Thompson | 5100 | 6950 | 5000 | 10°C |
| Cockenzie | 2775 | 4163 | 3980 | 50°F |
| Roxboro | 2900 | 4350 | 3800 | 64°F |
| GKM | | | 128 atü | 70°C |

| Vessel | Vessel diameter | Wall thickness | UTS | Y | Failure stress (% of Y) |
|---|---|---|---|---|---|
| Mountain | 78 in. | 7.5 in. | 70 000 | 35 000 | 66 |
| Sizewell | 270 in. | 2.25 in. | 39 t/in.^2 | 32.5 t | 41 |
| Thompson | 67 in. | 5.88 in. | 36 t/in.^2 | 24 t/in.^2 | 60 |
| Cockenzie | 66 in. | 5.6 in. | 39 t/in.^2 | 28 t/in.^2 | 42 |
| Roxboro | 72 in. | 7.5 in. | 70 000 | 38 000 | 48 |
| GKM | 1700 mm | 78 mm | 52 | 27 | 50 |

Note: The Madrid vessel has been omitted since this vessel is not considered a member of the same statistical population due to its shape and manufacture (field welded). The GKM vessel was made of Cu. Ni 52 special which contains 0.6% Ni and 1% Cu. The stress is nominally calculated as S = pD/2t. The UTS and Y are nominal.

4. Application of the Warner diagram
The conditions which will assure that a structure does not fail may be expressed in symbolic terms as

$$R - L \geq 0. \qquad (3)$$

Eq. (3) merely states the fact that if the load L exceeds the resistance capacity R of the material something will break, or yield. Yielding means a redistribution of the forces until the equation becomes satisfied. When yielding is infeasible, separation occurs. A refinement of eq. (3) leads to the Warner diagram [19]. R and L are considered as random variables having probability distributions f(R), and f(L). The difference of the two variates will be given the symbol Z, thus

$$Z = R - L. \qquad (4)$$

In most cases, we ignore the distributions f(R) and f(L), but let us assume that R and L are normally distributed around their mean values, with variances var(R), and var(L). Then the difference becomes normally distributed about its mean:

$$Z(\mathrm{mean}) = R(\mathrm{mean}) - L(\mathrm{mean}). \qquad (5)$$

Its variance becomes

$$\mathrm{var}(Z) = \mathrm{var}(R) + \mathrm{var}(L). \qquad (6)$$

The failure probability is given by the negative area under the distribution curve, f(Z). The dividing point between negative and positive Z values is given by the 'coupling formula' which may be written

$$k = \frac{R(\mathrm{mean}) - L(\mathrm{mean})}{(\mathrm{var}(R) + \mathrm{var}(L))^{1/2}}. \qquad (7)$$

Table 10. Data pertaining to some model vessels with nozzles tested in fatigue, Wylie [14].

| Test run | Yield | Peak§ stress | Stress (% of Y) | Cycles (theor. failure, failure) | Type of failure |
|---|---|---|---|---|---|
| 1 | 46.2 | 41 600 | 90 | 20 000, 5174 | leaker |
| 2 | 46.2 | 41 600 | 90 | 20 000, 6845 | leaker |
| 3 | 46.2 | 41 600 | 90 | 20 000, 7223 | leaker |
| 4 | 46.2 | 41 600 | 90 | 20 000, 7516 | catastrophic* |
| 5 | 46.0 | 25 500 | 55 | 100 000, 123 618 | leaker |
| 6 | 65.8 | 42 000 | 64 | 20 000, 8990 | leaker |
| 7 | 65.8 | 32 450 | 50 | 100 000, 40 041 | leaker |
| 8 | 65.8 | 32 450 | 50 | 100 000, 48 437 | leaker |
| 9 | 65.8 | 32 450 | 50 | 100 000, 67 636 | leaker |
| 10 | 46.0 | 25 180 | 64 | 100 000, 23 908 | major repair |
| 11 | 46.0 | 25 180 | 64 | 100 000, 63 000 | major repair |
| 12 | 59.4 | 25 180 | 50 | 100 000, 227 685 | leaker |
| 13 | 57.0 | 56 650‡ | 100 | 20 000, 82 614 | cracking |
| 14 | 44.0 | 55 200‡ | 125 | 20 000, 19 666 | leaking |
| 15 | 46.0 | 33 250 | 72 | 20 000, 11 707 | catastrophic† |
| 16 | 46.0 | 55 500‡ | 120 | 95 000 | leaker |
| 17 | (60.0) | 40 300 | 67 | 95 172 | leaker |
| 18 | (60.0) | 40 300 | 67 | 48 146 | leaker |

Material: A 201B, A 201B, A 201B, A 201B, A 201B, A 302B, A 302B, A 302B, A 302B, A 201B, A 201B, A 212B; A 212B, A 212B
UTS: 68.8, 68.8, 68.8, 68.8, 68.0, 87.0, 87.0, 87.0, 87.0, 68.0, 68.0, 85.7, 84.0, 68.0, 70.0, 70.0

mean stress = 75% of yield
* Crack initiated at nozzle 6 and prop. in base metal remote from long. w. seam.
† UT prior to fatigue test revealed no unacct. defects. Inspection at 5000 cycles and at 10 000 cycles showed no growth of ext. incl. or formation of defects.
‡ Nozzles tested in bending.
§ Stresses by cycling pressure, pD/2t stress.
We will apply this method for analyzing the result reported by Wylie [14]. The test program used vessels of 3 ft i.d. with 2 in. wall thickness, having numerous nozzles. The nozzle to shell diameter ratios (d/D) were large enough to simulate the proportions found in reactor vessels. This fact makes the test series so interesting for our calculations. Although the tests were primarily designed to study fatigue, two of them resulted, unintentionally, in brittle fracture. The test consisted of subjecting a pressure vessel to stress cycling until it either leaked or broke catastrophically. The first event we consider as 'win', the latter as 'lose' (leak before break). Break happens when the load L exceeds the resistance R and the material consequently flies apart due to mechanical imbalance. In our mathematical model this happens at point k. In table 10 we have summarized the data pertinent to our analysis. We note that R(mean) = 1.45 Y, and L(mean) = 0.75 Y. We further simply guess that var(R) = (0.4 Y)^2, and var(L) = (0.4 Y)^2. In writing the above equations, we have glibly identified R with UTS, and L with the applied stress. Both assumptions are open to criticism. Substituting the numerical values given above into eq. (7), we get

$$k = \frac{1.45 - 0.75}{(0.16 + 0.16)^{1/2}} = \frac{0.7}{0.56} = 1.25. \qquad (8)$$

The cumulative relative frequency of catastrophic failures in the test series is 2/18 = 0.11. Looking up the tabulation of the normal probability function, we find that the value of 0.11 corresponds to a k value of 1.2. This means that the coupling formula yielded the right result when we used the value of (0.4 Y)^2 for var(R) and var(L), i.e. when we made the right guesses. The L(mean) used in the tests is too high. What happens when we lower it and put L(mean) = 0.45 Y, which is much closer to actuality? Eq. (7) yields

$$k = \frac{1.45 - 0.45}{(0.16 + 0.16)^{1/2}} = \frac{1}{0.56} = 1.78.$$

With this value the negative area becomes 0.04 (approximately), i.e. at working stress levels, a developing crack in a pressure vessel nozzle has a 0.96 probability of becoming a large leak, and 0.04 probability of becoming a catastrophic failure of the pressure vessel.

5. Probability of a reactor vessel failing catastrophically through failure of a nozzle having a large d/D ratio
The nozzle failures in the Scott statistics were not of the 'win or lose' type which terminated the Wylie experiments. Hence, we need a reduction factor which will bring us from a situation of mere failure to a situation of serious failure. To this purpose I shall use the Phillips and Warwick statistics reported in table 2. They give the probability of potential failure as 6 x 10^-4, and the probability of catastrophic failure as 2 x 10^-5. Hence, the ratio is 1:30. With this ratio, the probability that a reactor vessel suffers catastrophic failure triggered by a failure of a nozzle becomes

$$p(e) = \frac{1}{75} \times \frac{1}{30} \times \frac{4}{100} = 2 \times 10^{-5}\ \text{(approx.) events/reactor yr}.$$

This is the type of failure which O'Neil and Jordan designate 'category A catastrophic failure of the main pressure vessel with fragmentation and capable of compromising the structural integrity of the containment'.
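The coupling-formula calculation of section 4 and the chained estimate of section 5 can be reproduced numerically. The following is an added example, not code from the paper: it evaluates eq. (7) and the negative area under f(Z) for normally distributed R and L, checks the area by sampling, and goes one step beyond the text by solving for the common standard deviation that reproduces the observed 2/18 break fraction. Function names are hypothetical and stresses are expressed in units of Y.

```python
"""Added illustration (not from the paper): the coupling formula, eq. (7).

Stresses are in units of the yield stress Y (Y = 1). All function names
are hypothetical; the bisection fit is an addition to the paper's argument.
"""
import math
import random


def coupling_k(r_mean, l_mean, var_r, var_l):
    """Eq. (7): k = (R(mean) - L(mean)) / (var(R) + var(L))^(1/2)."""
    return (r_mean - l_mean) / math.sqrt(var_r + var_l)


def normal_cdf(x):
    """Standard normal cumulative distribution function."""
    return 0.5 * math.erfc(-x / math.sqrt(2.0))


def failure_probability(r_mean, l_mean, var_r, var_l):
    """Negative area under f(Z), Z = R - L, for independent normal R and L."""
    return normal_cdf(-coupling_k(r_mean, l_mean, var_r, var_l))


def monte_carlo_failure(r_mean, l_mean, var_r, var_l, n=100_000, seed=1974):
    """Sampling check of the same area: fraction of draws with R - L < 0."""
    rng = random.Random(seed)
    sd_r, sd_l = math.sqrt(var_r), math.sqrt(var_l)
    breaks = sum(
        1 for _ in range(n)
        if rng.gauss(r_mean, sd_r) - rng.gauss(l_mean, sd_l) < 0.0
    )
    return breaks / n


def sigma_matching_frequency(r_mean, l_mean, observed, lo=0.01, hi=5.0):
    """Common standard deviation s (var(R) = var(L) = s^2) whose failure
    probability equals an observed break fraction, found by bisection.
    Valid for r_mean > l_mean and observed < 0.5, where the probability
    rises monotonically with s."""
    for _ in range(80):
        mid = 0.5 * (lo + hi)
        if failure_probability(r_mean, l_mean, mid ** 2, mid ** 2) < observed:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


def chained_estimate(p_trigger, severity_ratio, p_break):
    """Section 5 product: trigger rate x reduction factor x P(break | crack)."""
    return p_trigger * severity_ratio * p_break


if __name__ == "__main__":
    var = 0.4 ** 2  # the paper's guess, (0.4 Y)^2 for both R and L
    for l_mean in (0.75, 0.45):  # test-series load, then working-stress load
        k = coupling_k(1.45, l_mean, var, var)
        p = failure_probability(1.45, l_mean, var, var)
        mc = monte_carlo_failure(1.45, l_mean, var, var)
        print(f"L(mean)={l_mean:.2f}Y  k={k:.2f}  P(break)={p:.3f}  MC={mc:.3f}")
    s = sigma_matching_frequency(1.45, 0.75, 2 / 18)
    print(f"sigma reproducing 2/18 breaks: {s:.3f} Y")
    print(f"chained estimate: {chained_estimate(1 / 75, 1 / 30, 0.04):.1e} per reactor yr")
```

With the denominator left unrounded, k comes out as 1.24 and 1.77 rather than the 1.25 and 1.78 obtained with 0.56, and the areas still round to 0.11 and 0.04. The fitted standard deviation is about 0.41 Y, close to the guessed 0.4 Y.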
6. The probability of a heavy walled vessel failing catastrophically
Nuclear safety engineers have put great emphasis on the Phillips and Warwick statistics encompassing 12 700 pressure vessels with an accumulated service life of 100 300 vessel yr. They have chosen to overlook the very obvious fact that the statistics have been gathered from a mixed population in the sense that thin-walled and heavy-walled vessels are lumped together. One would expect heavy-walled vessels of large diameter to have a markedly more pronounced tendency to fail catastrophically since, by analogy, tug boats never break while big ships sometimes do. The Phillips and Warwick statistics actually bear out this fact. Of the three catastrophic failures experienced during proof testing, two occurred in vessels having wall thickness in excess of 5 in., and only one occurred in vessels below that wall thickness. If we now make the assumption that 90% of the vessels belong in the latter category, and 10% in the former, the probabilities of catastrophic failure during proof testing become

$$p(\text{thin wall}) = \frac{1}{12\,700 \times 0.9} = 10^{-4}\ \text{events/test (approx.)},$$

$$p(\text{heavy wall}) = \frac{2}{12\,700 \times 0.1} = 2 \times 10^{-3}\ \text{events/test (approx.)}.$$

These numbers are cause for reflection. They may explain the great reluctance of vessel manufacturers and owners to perform proof testing of their vessels during service life. When we focus on the pressure vessel subclass which we have called heavy-walled pressure vessels, we realize that we do not have 100 300 service yr in our statistics. We may only have 1/10 or 10^4 service yr. While we have no breaks in this subclass (in the Phillips and Warwick statistics), it seems entirely unwarranted to make extrapolations of the order of 10^-5 to 10^-6 events/vessel yr on a background of 10 000 service yr. Is there a correlation between the probability of catastrophic failure during proof testing and the probability of the same event during service? In other words, may we write

$$p(\text{cat, service life}) = F \times p(\text{cat, proof test}), \qquad (9)$$

where F is a factor? If we use the value of 10^-5 to 10^-6 events/vessel yr, the value of p(catastrophic service life) becomes approximately 10^-4 events/vessel over 30 yr of service. We note that the two events have approximately the same probability. Does this reasoning also apply to heavy-walled vessels where the p(catastrophic proof test) = 2 x 10^-3 events/test (approximately)? Even if we put the factor F = 0.1, the probability of catastrophic failure during service life becomes 2 x 10^-4 (approximately).
7. The value of nondestructive examination
The vessel manufacturer will always assure us that he knows the properties of his materials including the
welds and the vessel designer that he knows everything worth knowing about the loads and the stresses. Hence we ought to rest assured that eq. (3) will remain satisfied over the lifetime of the vessel. How certain can we be about this? We have listed in table 8 three vessels which do not belong among commercial pressure vessels. They belong to a population of 1000 (approximately) Minuteman first stage casings, and are made of special, high strength materials. The properties of the material are such that, at proof pressure levels, a long, sharp flaw of depth at least ~ in. can be tolerated. Needless to say, each casing had been subjected to the most careful inspection by every available means, by the most competent NDT experts. In other words, the manufacturers were sure that they had delivered flawless materials. But out of 1000 proof-tested vessels, three failed catastrophically due to previously undetected flaws in the welds of the cylindrical walls [15, 17]. This very best inspection technique (described as 400% inspection) afforded no better than 0.997 probability of detecting flaws in excess of ~ in. depth (we are not concerned with the length of the flaw) in a 3 in. thick wall (approximately). How great then is the probability that an inspector on the manufacturer's payroll will miss, or misjudge the size of, a flaw?
The author once attended a meeting where the manufacturer and the owner appeared with a bevy of NDT experts who all insisted that the indications they had detected on the UT screen were due to flaws absolutely not larger than ~ in. The structure in question was a nozzle of very large dimensions welded into a reactor vessel. An autopsy which was performed at the insistence of the USAEC showed that the flaws were closer to ] in.
8. GE-USAEC: Reactor Primary Coolant System Rupture Study [7]
Task A of this program started out under the heading 'Reliability Engineering', but was later changed to 'Probability Study'. Part of the work performed under Task A has been condensed and appears as a topical report (see ref. [7]). In his probability studies, Wilson uses very involved statistical methods such as Monte Carlo using importance sampling. The purpose, as expressed in Wilson's
report, is to estimate the probability of pipe leakage in a 40 yr service period due to low cycle fatigue. Wilson's second major undertaking involved the probability of severance (and incidentally of leak), using the basic approach expressed in eq. (3), and the reasoning I have outlined. Piping severance may be due to a host of causes, and Wilson is concentrating on failure due to low cycle fatigue. The starting point is the Paris formula [20]:

$$\frac{\mathrm{d}a}{\mathrm{d}n} = A K^{B},$$

where K is the stress intensity factor of fracture mechanics. The crack, of initial size $a_i$, grows a little bit in each cycle, depending on the stress level and its actual size. This process will terminate in one of the three possible events:
(i) The material will be returned from service before the crack has grown through the wall or initiated gross failure.
(ii) The crack grows through the wall and becomes a leaker before the load L overpowers the resistance R.
(iii) The crack grows to a size where its associated stress intensity factor K exceeds the resistance capacity of the material, resulting in disaster.

According to Wilson's method, the probability of severance is estimated considering the multitudinous fault causes and fault conditions which could conceivably cause the simultaneous presence of large flaws and high stresses in piping systems. Table 11 lists the fault causes which, according to Wilson, will affect the stress level. Table 12 lists the fault causes which affect the initial crack size. Table 13 lists six secondary fault conditions. In quarterly report No. 23 (see ref. [7]) Wilson lists the probability of severance by separate estimate categories. The probabilities are given as averages per component, and as a total for the system. Wilson's system is composed of 300 pieces, as follows: 150 spools (Wilson calls them straights), 100 ells and bends, and 50 tees.

Table 11. Fault causes which affect the stress level

Fault cause                                               Probability
Being oval (straight sections)                            0.03
Being oval (elbows)                                       0.03
Having uneven wall thickness                              0.03
Incorrect installation (rerouting)                        0.03
Unplanned installation and hanger location                0.03
Late design changes with unreconciled discrepancy         0.03
Mislocated restraints on pipe whip                        0.01
Equipment or structures impair flexibility                0.003
In-service modification                                   0.03
Frequent local thermal stressing                          0.01
High load non-operating conditions (water slugs, etc.)    0.003
Use in non-flow legs                                      0.2

Table 12. Fault causes which affect the initial crack size

Fault cause                                               Probability
Purchased from a marginal raw material manufacturer       0.2
Purchased from a marginal piping manufacturer             0.2
Purchased from a marginal assembly manufacturer           0.2
Difficult installation (faulty welding)                   0.01
In-service modification                                   0.03

Table 13. Six secondary fault conditions.

Transition temperature
Sensitization by welding
Surface cold work
Exposure to elements in transit
Reactor environment
Cyclic frequency

Table 14. Probability of leaks and severances by the method of GEAP-10207.

Type of failure and years of service      Total probability for system
                                          with UT      without UT
Leaks:
  prior to service                        0.06600      0.12700
  first 5 yr                              0.62800      1.32600
  last 35 yr                              0.83700      2.07800
  total over 40 yr                        1.53100      3.53100
Severances:
  prior to service                        0.00002      0.00205
  first 5 yr                              0.00764      0.01995
  last 35 yr                              0.01147      0.03130
  total over 40 yr                        0.01913      0.05330
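The terminal events (i) to (iii) of the crack-growth process described in this section can be made concrete with a small Monte Carlo calculation, added here as an illustration and not taken from Wilson's reports: the Paris formula is integrated in closed form with K = σ(πa)^{1/2}, the initial crack depth and the stress are drawn at random, and each component is classified as retired, leak or severance. All distributions, material constants and the treatment of ultrasonic testing (a flaw deeper than a threshold is found with probability 0.997, the figure of section 7, and repaired) are constructed assumptions.

```python
import math
import random

def cycles_to_grow(a0, a1, stress, A, B, Y=1.0):
    """Cycles for a crack to deepen from a0 to a1 under da/dn = A*K**B,
    with K = Y*stress*sqrt(pi*a) (closed-form integral of the Paris formula)."""
    if a1 <= a0:
        return 0.0
    c = A * (Y * stress * math.sqrt(math.pi)) ** B
    if abs(B - 2.0) < 1e-12:
        return math.log(a1 / a0) / c
    e = 1.0 - B / 2.0
    return (a1 ** e - a0 ** e) / (c * e)

def outcome(a_i, stress, wall, K_c, service_cycles, A, B, Y=1.0):
    """Return which of the three terminal events ends the crack's history."""
    a_crit = (K_c / (Y * stress)) ** 2 / math.pi  # depth at which K reaches K_c
    if a_crit <= wall:
        # K exceeds the resistance of the material before the wall is penetrated.
        n = cycles_to_grow(a_i, a_crit, stress, A, B, Y)
        return "severance" if n <= service_cycles else "retired"
    # The crack reaches the outer surface first: leak before break.
    n = cycles_to_grow(a_i, wall, stress, A, B, Y)
    return "leak" if n <= service_cycles else "retired"

# Constructed parameters (assumptions, not Wilson's values):
# lengths in m, stress in MPa, K_c in MPa*sqrt(m), A in m/cycle per (MPa*sqrt(m))**B.
PARAMS = dict(wall=0.03, K_c=100.0, service_cycles=20000, A=1e-11, B=3.0)

def simulate(n_trials, ut=False, ut_depth=0.005, pod=0.997, seed=1):
    """Monte Carlo over random initial crack depth and random stress.

    With ut=True a flaw deeper than ut_depth is found with probability pod
    and repaired, leaving only a shallow residual flaw.
    """
    rng = random.Random(seed)
    counts = {"retired": 0, "leak": 0, "severance": 0}
    for _ in range(n_trials):
        a_i = rng.lognormvariate(math.log(0.002), 1.0)   # initial depth, m
        stress = max(20.0, rng.gauss(180.0, 80.0))       # MPa, floored at 20
        found = rng.random() < pod    # drawn every trial so both runs share a stream
        if ut and a_i > ut_depth and found:
            a_i = 0.0005              # repaired down to a shallow residual flaw
        counts[outcome(a_i, stress, **PARAMS)] += 1
    return counts

if __name__ == "__main__":
    n = 100000
    for label, flag in (("without UT", False), ("with UT", True)):
        c = simulate(n, ut=flag)
        print(f"{label}: leak {c['leak'] / n:.4f}, severance {c['severance'] / n:.4f}")
```

Because both runs draw the same random stream and a repair only ever reduces the initial depth, the counts with UT can never exceed those without UT for a given seed.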
Wilson uses two classes of size: 100 pieces larger than 16 in. dia., and 200 pieces 16 in. dia. or smaller. Wilson also considers two classes of material: 100 pieces of stainless steel, and 200 pieces of carbon steel. Finally, Wilson has subdivided the reactor service period (his own words) into three subperiods: prior to service, the first five years, and the last 35 years. The concept of 'first five years' also includes the hot functional testing. Wilson makes a definite distinction between components which have been ultrasonically tested, and those which have not.
When we check Wilson's probabilities against the statistics given by Scott encompassing 24 nuclear reactors over 75 yr, we find good agreement (see table 6).
The 300-piece system of Quarterly Report No. 23 [7] does not take in the nozzles, hence we look in vain for the probability of severance of this component type. However, in Quarterly Report No. 3, Jaech [21] has tabulated some probabilities of failures, see his table 3-3. We notice that the total probability of failure, in the case of a nozzle, is given as $3.2 \times 10^{-4}$ events/nozzle yr. Since Jaech's nozzle has not been ultrasonically inspected, we will take the reduction factor used by Wilson, when he compares U-tested components with not U-tested, and write the probability

$$p(\text{nozzle fracture}) = 1 \times 10^{-4}\ \text{events/nozzle yr}.$$

If we now consider that a reactor vessel has six large nozzles, the probability becomes

$$p(\text{vessel, nozzle fracture}) = 6 \times 10^{-4}\ \text{events/vessel yr}.$$

The failure rate thus derived is consistent with the failure rate which we have derived previously, using the Scott statistics, i.e. 1
1
p(vessel, nozzle fracture) = ~-~ x ~-~ 2 -
events/vessel yr.
1000
However, we are duty bound to signal a slight inconsistency. The probabilities of severance of U-tested ells and bends are given as approximately $10^{-5}$ events/comp. yr by Wilson for the first 5 yr of reactor service. (This number is not given directly; we started with the number of $12.8 \times 10^{-5}$ given over 40 yr, and compensated for the higher probability for the first 5 yr.) Since Jaech [21] considers that a nozzle has a three times higher probability of fracture than an ell, p(nozzle fracture) = $3 \times 10^{-5}$ events/nozzle yr, instead of $1 \times 10^{-4}$ used earlier.
Wilson's severance probabilities are even consistent with the Thresher disaster. If we assume that his 300-piece model reflects the nuclear plant of a submarine, we notice that the total probability rate is

$$p(\text{U-tested components}) = \frac{764 \times 10^{-5}}{5} = 1.53 \times 10^{-3}\ \text{events/yr},$$

$$p(\text{not U-tested comp.}) = \frac{1995 \times 10^{-5}}{5} = 4 \times 10^{-3}\ \text{events/yr}.$$

It has been stated that military reactors have accumulated 1000 reactor yr of experience. Accordingly, we figure that there have been 1.5-4 severances. Indications are that Thresher went down because of the severance of its primary system piping. A similar event took place aboard the US Nautilus [4]. Hence, we know about two instances of sudden severances. There might have been more.
9. Conclusions
We have considered two separate sets of probabilities: (i) the probability of severance of the reactor pressure vessel and (ii) the probability of severance of a primary system piping component. To estimate the first probability, nuclear safety engineers have used statistics gathered from pressure vessels in general. In so doing they have forgotten that thick-walled pressure vessels form a subclass of pressure vessels. This fact we have brought out by focusing on the very high rate of catastrophic failure during proof testing of thick-walled pressure vessels. One might expect that this ten-fold higher propensity will show up during the service life of these vessels. In addition, we consider that the RPVs form a subclass of the heavy walled pressure vessels, because of many nozzles with high d/D ratios. We have considered that the break of a nozzle, an event with an assigned probability of 1/2000, may trigger a catastrophic breakage of the reactor vessel proper. The combined
probability of the two events has been assigned a probability of $2 \times 10^{-5}$ events/vessel yr. Over the service life of a water-cooled and moderated atomic power plant, the probability of a catastrophic event might be as high as $10^{-3}$ to $10^{-4}$ disaster events/plant life.
Regarding the severance of piping, we have sufficient information to compute some preliminary severance rates. They are much higher than one would have expected, based on statistics gathered from conventional utility plants. It is of interest that they correspond reasonably well with the rates published in the Reactor Primary Coolant Rupture Study. One thing we have to bear in mind is that a rupture in the piping may trigger a much more serious event, such as the metal/water reaction.
Based on present reactor technology and experience, one has no right to use the range of $10^{-5}$ to $10^{-6}$ events/plant yr as the probability of a plant disaster, the probability is at least one, if not two, decades higher.
Scientific and technical progress is chiefly due to the optimism and fortitude of innovators and promoters. Due to their efforts we got the water-cooled and moderated reactor used in the atomic power plants. Prudence can never become part of their mental make-up for obvious psychological reasons. It is unfortunate that they did not pause to fit the mechanical elements to match the safety requirements of their nuclear systems.
A welded pressure vessel of moderate dimensions fits the safety requirements of a conventional boiler installation. A giant pressure vessel of welded steel plates does not fit the safety requirements of a nuclear installation. Instead of playing numbers games trying to prove what cannot be proven, safety engineers ought to consider if this steel vessel can be replaced with another type of vessel which will reduce or eliminate the catastrophic event.
Annotated references
[1] L.G. Parratt, Probability and Experimental Errors in Science. The equation (n + 1)/(n + 2) expressing the probability of success when we have observed n successful events in a row is called the Laplace law of succession. When Laplace reckoned with 5000 years of solar regularity, he based it on the complete absence of any written record or statement to the contrary. Historically, there has once been a slight irregularity in the behavior of the sun: 'And the sun stood still, and the moon stayed' (Joshua 10:13), which may explain Laplace's reservations about the sun rising the next day.
[2] C. Starr, M.A. Greenfield and D.F. Hausknecht, Public Health Risks of Thermal Power Plants (A report prepared for the Resources Agency of California, Sacramento, California), School of Engineering and Applied Science, University of California. See p. 3 of the report, also p. 42. 'In the nuclear case, a probability can be assigned to a maximum impact of about 500 cancer deaths per million population (about one-third of the normal annual cancer rate) - estimated to occur less than once in 100 million years. Because most of the fatalities resulting from such radiation exposure would be spread over very many years, the public impact of such nuclear plant accident is unlikely to have much general visibility.' I consider that following a major nuclear accident, the panic alone may cause 500 violent deaths.
[3] The Institute for the Future of the Next Decade, International Herald Tribune, 28 Sept. (1973): by two mathematicians, Norman Dalkey and Olaf Helmer. The name derives from the Grecian oracle at Adelphi. The institute's Project Aware was commissioned by E.I. DuPont de Nemours & Co., Lever Brothers Co., the Monsanto Co., and the Scott Paper Co . . . . "One difficulty is separating what the expert thinks will happen from what he wants to happen", he said. Another difficulty is finding the experts. Mr. Amara says such authorities are not as confident as they used to be. They know that what will happen in their field depends to a great extent on what will happen in the adjoining fields in which they are not experts, he said . . . . The project said that workers would become more unhappy with their jobs, and citizens would experience an increasing "sense of powerlessness" to affect their lives. "Government incompetence, corruption and disregard for the laws are judged to be largely permanent features of the political system," Project Aware's report said. It singled out what it called "the government's increasing ability to hide its acts under various guises or secrecy". The above has been taken verbatim from the International Herald Tribune, the paragraphs have, however, been slightly jumbled. I take it that the term 'Government' encompasses its agencies, such as the USAEC. It is by now plain that our universities cannot be considered different from any public agency.
[4] Thresher Disaster Warning, The Washington Daily News, Thursday, 14 Jan. (1965): 'A freshman congressman who was a skipper of the first U.S. nuclear submarine says the Congressional Report on the Thresher tragedy should teach naval shipbuilders to "do things right to start with". Rep. William Anderson (D., Tenn.) said the submarine Nautilus, under his command in 1959, experienced piping trouble similar to (that which) may have caused the Thresher sinking four years later . . . . Rep. Anderson shares the view of a Naval Court of Inquiry which determined the probable cause of the sinking as rapid flooding caused by faulty piping in the engineering section. He said the Nautilus had similar trouble off New England when a four-inch pipe burst and caused flooding while the sub was at test depth, more than 400 feet. He said that quick action by the crew averted disaster.'
[5] C.A.G. Phillips and R.G. Warwick, A survey of defects in pressure vessels built to high standards of construction and its relevance to nuclear primary circuit envelopes, UKAEA. The survey also contains a 'Comparative survey of service failures in reactor primary circuit envelopes' which takes in 260 yr of UK reactors, and 1092 yr of US reactors. The reactor population in the statistics consists of a mixture of research reactors and power reactors, and production reactors. They are also widely different in design (Dresden, Chapelcross, Dounreay, NRU, etc.). I have, for this reason, not included the results in table 2. Actually, 17 events are listed, and the calculated failure rate becomes: 17/1352 = $12.6 \times 10^{-3}$ events/reactor yr.
[6] O.A. Kellermann, G. Mieze, G. Slopianka and A. Tietze, Progress and results of the reliability study of pressure vessels, IAEA-SM-127/24. See also: O. Kellermann, Unfallanalyse in der Kerntechnik, TÜ Bd. 13 (11) (1972) S.330/335.
[7] W.S. Gibbons and B.D. Hackney, Survey of piping failures for the reactor primary coolant pipe rupture study, GEAP-4574. The survey was made in preparation for 'Reactor primary coolant system rupture study' by GEAP under Project Agreement 37 with the USAEC, Contract AT(04-3)-IK.9, 1964. At the time of writing, 26 quarterlies have appeared. A topical report, GEAP-10452, 'Estimating pipe reliability by the distribution of time to damage method' by S.A. Wilson. Wilson has also developed a somewhat more pragmatic method for estimating the probability of severance in a piping system, see GEAP-10207, quarterlies nos. 21, 22, and 23. Wilson has made very extensive numerical calculations based on a model piping consisting of 300 pieces (spools, tees and ells) of various sizes. One-third are of stainless steel, two-thirds carbon steel. The collection seems representative of the piping used in water-cooled and moderated power reactors, but Wilson has made a disclaimer reminiscent of what is customary for authors writing un roman à clef. However, his numerical results are very close to the true life history of commercial power reactors.
[8] R.L. Scott, Jr, A review of safety related occurrences in nuclear power reactors from 1967-1970, ORNL-TM-3435.
[9] Associated Press, Baltimore, 3 May (1968): 'Two men were killed and 23 persons were injured today as a boiler exploded in the steam generating plant of a Bethlehem Steel Co. plant . . . . ' Herald Tribune, Friday, 23 Mar. (1973): '200 foot high tower of steam engulfs large New York apartment house complex on Wednesday across the street from a Consolidated Edison plant (foreground), after a 24 inch steam pipe blew a 25 by 25 foot hole in the street . . . . '
[10] W. Schoch, Bericht über die aufgetretenen Schäden an Kesseltrommeln, Mitteilungen der VGB, 101, Apr. (1966): 'This work was carried out by the drum manufacturer, who, on the basis of existing experience, considered the build-up welds to be harmless. During the subsequent pressure test (temperature of the boiler drum 70°C), the boiler drum, on reaching the operating pressure (128 atü), tore open without deformation from a nozzle neck to the manhole.'
[11] R. O'Neil and G.M. Jordan, Safety and reliability requirements for periodic inspection of pressure vessels in the nuclear industry.
[12] Availability analysis - a useful tool for improving systems design, APED-5496. Under the heading 'Time To Restore Incoming Power' we read: 'Data from TVA indicates that they have had four station power blackouts in 112 station years. The blackout lasted for 61, 40, 5, and 1 minutes. On distribution networks the repair time distributions are, to a reasonable approximation, exponential in nature. Assuming that an exponential distribution applies also to transmission systems, the best curve fitting the meagre data is described approximately by the equation $P_1 = e^{-3T}$, where $P_1$ is the probability that the repair time exceeds T hours, and T is the repair time in hours.' Or, during the unexpected blackout on the East Coast of 9 November, 1965, one nuclear power station lost all external power for 18 hr. The calculated probability of this event is $P_1 = e^{-3 \times 18} = e^{-54}$ = approximately $10^{-23}$.
[13] C.F. Tiffany and J.N. Masters, Applied Fracture Mechanics, Fracture Toughness Testing and Its Applications, ASTM STP 381, Apr. (1965).
[14] R.D. Wylie, Summary of pressure vessel test program at Southwest Research Institute, SwRI Project, No. 07-1348, 21 Apr. (1965).
[15] J.E. Srawley and J.B. Esgar, Investigation of hydrotest failure of 260-inch motor case, National Aeronautics and Space Administration, Washington, DC, TM-X-1194, Jan. (1966).
[16] W.F. Brown Jr and J.E. Srawley, Plane Strain Crack Toughness Testing of High Strength Metallic Materials, ASTM STP 410, Dec. (1966).
[17] V. Singer, Application of fracture mechanics in design and analysis of pressure vessels, Thiokol Chemical Corporation, Private communication (1967).
[18] F.J. Loss, Engineering significance of statistical and temperature-induced fracture mechanics toughness variations on fracture-safe assurance, NRL Report, 7353.
[19] E.B. Haugen, Probabilistic Approaches to Design, John Wiley & Sons, Inc. (1968).
[20] P.C. Paris, Notes from Fracture Mechanics Workshop held at the University of Denver (1964). See also E.T. Wessel, W.G. Clark and W.K. Wilson, Engineering methods for the design and selection of materials against fracture, US Army Tank-Automotive Center Warren, Michigan 48090, Westinghouse Research Laboratories, Pittsburgh (1966).
[21] J.L. Jaech, Reactor primary coolant system rupture study, GEAP-5082.