Reliability Engineering 9 (1984) 33-47
The Reliability of Controlled Safety Valves in Conventional Power Plants
W. Oberender, Department for Large-scale Power Plants, TÜV Rheinland, Cologne, West Germany
and W. Bung, Department for Large-scale Power Plants, RWTÜV, Essen, West Germany
(Received: 28 October 1983)
ABSTRACT
This paper gives results of the statistical analysis of 1378 function tests of controlled safety devices to prevent excess pressure. The probabilities deduced from these results for failure in opening direction are compared with the non-availabilities of such devices, as calculated in reliability analyses. The results show that the outside medium-controlled safety valves are more reliable than the intrinsic medium-controlled safety valves. The positive development of the test results gained for intrinsic medium-controlled safety valves from 1970 to 1980 is explained by the successful introduction of modern techniques applied in component tests, including reliability analyses, and in function tests. From the technical results requirements are derived for design and construction and for type approval and function tests of controlled safety devices.
A version of this paper was presented at the 4th National Reliability Engineering Conference--Reliability '83, 6-8 July 1983, Birmingham, UK, and is reproduced by kind permission of the organisers.
Reliability Engineering 0143-8174/84/$03.00 © Elsevier Applied Science Publishers Ltd, England, 1984. Printed in Great Britain.
1. PROBLEMS AND FUNDAMENTALS
The purpose of safety valves is to protect components subject to internal pressure in industrial plants from becoming overloaded or even destroyed, and hence to protect the surrounding area and the environment from possible damage. They are the final links of a safety chain which is becoming ever more complex as technology progresses. This chain helps to ensure the safe and reliable operation of many different installations in a wide range of industrial sectors, and especially of modern power plants.
The investigations, the results of which will be detailed later, were concerned with demonstrating the functioning of controlled safety devices used to prevent excess pressure in conventional power plants. The purpose of these investigations was to arrive at some recommendations and requirements for controlled safety devices of similar type, as used in nuclear power plants. The work here was performed as part of a research project supported by the Federal Ministry of the Interior.¹ The Technischer Überwachungs-Verein Rheinland e.V. (TÜV Rheinland), Cologne, was mainly responsible for the project, working together with the Rheinisch-Westfälischer Technischer Überwachungs-Verein e.V. (RWTÜV), Essen, and the Gesellschaft für Reaktorsicherheit (Association for Reactor Safety--GRS), Cologne.
Over the last 20 years the development of power plant engineering has been determined largely by two tendencies. The first of these is the steady increase in the capacities of the power plant boilers, and the second is the increasing exploitation of nuclear power for the generation of electricity. The demand for higher availability and safety in power plants in operation has steadily increased in importance, not least because of the need to use primary energy sources economically.
In conjunction with the growing awareness in the fields of safety and the environment, these developments have also resulted in qualitatively different and quantitatively higher requirements for safety valves today. This applies not only with regard to the technical conception and design, but also to the requirements regarding the functional safety and reliability of modern safety devices used to prevent excess pressure. In the field of nuclear power plants, besides the requirement for reliable opening on demand, the requirements for reliable closing and for reliable non-opening or non-closing when no demand is made have increased in importance.
Even though safety valves are the final link in a safety chain, as has already been mentioned, requirements with regard to performance and reliability must already be laid down for controlled safety devices, especially at the design stage of a power plant. This is because the performance and reliability of such devices are limited for technical and economic reasons. Under certain circumstances this can mean that other components in the safety chain will be designed differently or other safety systems will have to be developed. In nuclear power plant technology, in particular, safety systems have prevailed which require reliable fulfilment of precisely defined quantitative specifications by a wide range of components. For this reason it is important, even at the design stage, to have the most precise data possible on the reliability of controlled safety devices.
Figure 1 shows the principal sequence for a reliability analysis² which offers the possibility of establishing such data. As a rule, the components and elements of the system under consideration are first subjected to a failure mode and effects analysis. The result of this analysis is the determination of failure rates for the most important system components. It should be said that the failure rates for the individual elements in the components are known either from the literature or from failure tests, or plausible failure rates have to be assumed. The whole system is finally subjected to a fault tree analysis with the undesirable event, for example, 'safety valve does not open', placed at the top. The fault tree analysis includes the failure rates for the individual components. The fault tree itself is mostly not calculated analytically but in many cases using simulation methods, e.g. the Monte Carlo simulation with reduction in variance. Here both the component failure rates, assumed to be not time-related, and the failure and problem times are included in the calculation.
The mean non-availabilities finally obtained, e.g. for various design and arrangement variants, help to select the optimum system or result in improvements to design.³ Initially, the failure rates for the individual components were taken from the relevant literature. Because of their wide scatter, obscurities with respect to the parameters considered and hence their doubtful transferability, the tendency is increasingly to go over to the determination of failure rates empirically under defined conditions. Another possibility is the statistical analysis of function tests for a large number of controlled safety valves. This analysis was used in investigations described here.
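An added example, not taken from the paper: a plain Monte Carlo estimate (without the variance reduction mentioned above) of the mean non-availability for the top event 'safety valve does not open', checked against the time-averaged formula NA = (1/T)∫(1 - e^(-λt))dt ≈ λT/2. The failure rates, the problem time T, the structure of one main valve with three redundant control lines, and the independence and as-good-as-new assumptions are illustrative assumptions, not data from the study.

```python
import math
import random

# Constructed illustration values (assumptions, not figures from the paper).
LAMBDA_MAIN = 1e-5      # failure rate of the main valve, per hour
LAMBDA_CTRL = 1e-4      # failure rate of one control line, per hour
N_CTRL = 3              # redundant control lines (one working line suffices)
PROBLEM_TIME = 4000.0   # T: hours during which a failure stays undetected


def mean_unavailability(lam, T):
    """Exact NA = (1/T) * integral_0^T (1 - exp(-lam*t)) dt for one component."""
    x = lam * T
    return 1.0 - (1.0 - math.exp(-x)) / x


def top_event_probability(t, lam_main, lam_ctrl, n_ctrl):
    """P('safety valve does not open') for a demand at time t after renewal.

    Fault tree: main valve failed OR all redundant control lines failed.
    """
    q_main = 1.0 - math.exp(-lam_main * t)
    q_ctrl = 1.0 - math.exp(-lam_ctrl * t)
    return 1.0 - (1.0 - q_main) * (1.0 - q_ctrl ** n_ctrl)


def system_na_numeric(lam_main, lam_ctrl, n_ctrl, T, steps=20000):
    """Mean non-availability of the whole unit by midpoint-rule integration."""
    h = T / steps
    total = sum(top_event_probability((i + 0.5) * h, lam_main, lam_ctrl, n_ctrl)
                for i in range(steps))
    return total * h / T


def system_na_monte_carlo(lam_main, lam_ctrl, n_ctrl, T, trials, seed):
    """Plain Monte Carlo: random demand time, random component lifetimes."""
    rng = random.Random(seed)
    failures = 0
    for _ in range(trials):
        t_demand = rng.uniform(0.0, T)
        main_failed = rng.expovariate(lam_main) < t_demand
        all_ctrl_failed = all(rng.expovariate(lam_ctrl) < t_demand
                              for _ in range(n_ctrl))
        if main_failed or all_ctrl_failed:
            failures += 1
    return failures / trials


if __name__ == "__main__":
    exact = mean_unavailability(LAMBDA_MAIN, PROBLEM_TIME)
    print(f"main valve alone: exact NA = {exact:.5f}, "
          f"lambda*T/2 = {LAMBDA_MAIN * PROBLEM_TIME / 2:.5f}")
    numeric = system_na_numeric(LAMBDA_MAIN, LAMBDA_CTRL, N_CTRL, PROBLEM_TIME)
    simulated = system_na_monte_carlo(LAMBDA_MAIN, LAMBDA_CTRL, N_CTRL,
                                      PROBLEM_TIME, trials=200_000, seed=1)
    print(f"whole unit: numeric NA = {numeric:.5f}, Monte Carlo NA = {simulated:.5f}")
```
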
Fig. 1. Basic course of a reliability analysis. (Flow chart; boxes: design drawings and data; failure rates of elements; failure mode and effects analysis; failure rates of components; times to failure; fault tree analysis; Monte Carlo simulation; mean non-availability; modifications to design.)

$$NA = \frac{1}{T}\int_0^T \left(1 - e^{-\lambda t}\right)\,dt \approx \frac{1}{2}\lambda T$$

λ = failure rate; NA = non-availability; T = problem time.

2. INVESTIGATIONS CARRIED OUT
In the research project³ the results of 1378 performance tests, which had been performed on 538 controlled safety valves between 1970 and 1980, were analysed. The controlled safety valves in question are installed in steam boiler installations belonging to conventional thermal power plants in the areas covered by RWTÜV and TÜV Rheinland, i.e. in North Rhine-Westphalia and Rhineland-Palatinate. The basic structure and function of controlled safety devices to prevent excess pressure are given in the figures below. For reasons of clarity, those redundant components which are in fact present have only been shown once in the figure.
Generally speaking, each controlled safety device consists of one or several main valves and the ever-present, redundant control lines. The controlled safety devices examined by us were, on average, equipped with three control lines and one main valve. Every third safety device was fitted with two main valves. Figure 2 shows the main arrangements for an outside medium-controlled safety device working on the relief principle. Air and oil are the outside media which can be considered. Here a pressure is built up and maintained above the working piston of the main valve by means of the outside medium, and this pressure counteracts the force of the piston pressure acting in the opening direction. By increasing the pressure of the outside medium any required sealing force can be achieved at the valve seat. If the response pressure is exceeded the solenoid receives a signal from the pulse transmitter and opens the control valve, which has remained closed up to this point. The pressure of the control medium in the chamber above the working piston is reduced and the main valve opens as soon as the force of the system pressure acting in the opening direction exceeds the closing force caused by the pressure of the control medium.
Fig. 2. Outside medium-controlled safety device--relief principle. (Schematic; labelled parts: solenoid control valve, impulse generator, check valve, pressure sensing pipe, exhaust pipe, control pipe with stop valve, stop valve, medium.)
The controlled safety device shown in Fig. 3 works according to the load principle with intrinsic medium control. The solenoid spring control valve is arranged according to the rest principle, i.e. it opens when the power supply fails. If the control and main valves are closed, then the chambers above and below the working piston of the main valve are not under pressure. The closing force of the main valve is a product of the area at the valve seat and the pressure in the system to be protected. When the release pressure is reached a pulse interrupts the power supply to the solenoid, which has held the control valve closed up to that point. The control valve opens and an equalizing pressure fills up in the chamber above the working piston. Because of the different flow losses in the system this pressure is lower than the system pressure. In order to ensure a reliable opening of the main valve, this equalizing pressure must be sufficiently above the equilibrium pressure, at which the force acting on the working piston in the opening direction is just equal to the force acting on the valve seat. The main valve opens if this equalizing pressure has risen to a sufficiently high level. When the system pressure returns to below the set closing pressure, the solenoid is excited by the pulse transmitter and the control valve closes. The pressure in the chamber above the working piston is reduced by the throttle and by leaks at the working piston, and the spring and system pressure close the main valve.
Fig. 3. Intrinsic medium-controlled safety device--load principle. (Schematic; labelled parts: solenoid control valve, impulse generator, pressure sensing pipe, control pipe with stop valve, stop valve, medium.)
Although Figs 2 and 3 are considerably simplified, they can nevertheless be taken as typical examples of the great variety of controlled safety devices. Accordingly a distinction was also made in the evaluations regarding the criteria intrinsic medium/outside medium, and load or relief principle.
Simple motion tests cannot yield adequate information on the serviceability of controlled safety valves. Thus TRD 421⁴ requires that, during a function test, both the functioning of the main valve and the serviceability of the individual control lines must be tested and assessed. In order to facilitate such information, therefore, the chronological course of those parameters which describe the dynamic behaviour of a controlled safety device where a demand arises must be measured and recorded.⁷,⁸ These parameters are, for example, the quantities system pressure and control pressure shown in Fig. 4 for a safety valve working on the load principle, as well as the lifts of the main valves and perhaps also of the control valves. This method first proved itself when the cause of an accident which occurred in a 180 MW power plant unit in 1970 was determined.⁵
Fig. 4. Operation characteristic of an intrinsic medium-controlled safety valve working on the load principle. (Plot against time; labels: set pressure, system pressure, pilot valve, main valve.)
Between 1970 and 1980 1378 such function tests were carried out with recording instruments in the RWTÜV and TÜV Rheinland areas.¹,⁶ As Fig. 5 shows, 577 tests were concerned with intrinsic medium-controlled safety valves and 801 with outside medium-controlled safety valves. Of the last group, 540 tests were concerned with pneumatically controlled and 261 with hydraulically controlled safety valves. 582 of the tests were initial and 796 were periodic, with recording instruments.
Fig. 5. Number of evaluated function tests--types of test and controlling medium. (Chart labels: 582 initial, 796 periodic.)
In order to be able to analyse the findings and results obtained in a flexible way and differentiated according to a wide range of aspects, not only were the basic technical data of the controlled safety valves examined, but also the results of the tests were logged in coded form in a data bank with a hierarchical structure. This offers the possibility of direct access via inverted data sets. Some of the results obtained during the analysis are shown below.
3. RESULTS AND CONCLUSIONS
From the large quantity of results obtained only some of particular importance can be given here. We confine ourselves to a description of two basic types of event observed during the tests, the 'faultless functioning' and the 'not opening' on demand. The latter failure in the opening direction is further differentiated according to whether the failure was caused by a defect in the main valve or by a defect in the control system. Figure 6 shows the results obtained with respect to these events for intrinsic medium-controlled safety valves, differentiated according to the load and relief principles, as well as for outside medium-controlled safety valves, differentiated according to pneumatically and hydraulically operated safety valves. Here it should be noted that the great majority of outside medium-controlled safety valves operate on the relief principle. Before the other results are presented, something should be said about the type of representation chosen here. Each of the bars shown in Fig. 6 indicates the observed frequency of the event (%) and the calculated upper and lower limit values for the confidence level of 95%. This method of presentation has the advantage that it prevents false conclusions as, for example, in the case where apparently serious differences occur between the frequencies observed, but these differences do not yield any definite information because their scatter band is too wide.
Fig. 6. Percentage of faultless functioning and failure for intrinsic and outside medium-controlled safety valves. (Bar chart by control medium: intrinsic, load principle and relief principle; outside, pneumatic and hydraulic. Number of tests: 263, 314, 540, 261. Panels: 'Faultless functioning', scale 0-100%; 'Did not open on demand', 'caused by defects in the main valve' and 'caused by defects in the pilot system', scale 0-10%.)
As is evident from the upper part of Fig. 6, the outside medium-controlled safety valves are clearly superior to the intrinsic medium-controlled safety valves in that they have a success frequency of approximately 80% as opposed to 40%. In the case of the intrinsic medium-controlled valves, no significant difference was established between the load and relief principles. With the outside medium-controlled safety valves as well there were at least no serious differences between the valves with different types of control medium: pneumatic or hydraulic. The tendency shown in the case of faultless functioning is verified by the results shown in the lower part of Fig. 6 for failure in the opening direction. With frequencies below 3%, the outside medium-controlled safety valves were again superior to the intrinsic medium-controlled safety valves, but not with the same statistical significance as for faultless functioning. If one considers the failure cases differentiated according to whether they were caused by a defect in the main valve or a defect in the control system, it becomes evident that no definite information is obtained with respect to the cause of the defect in the main valve, because the scatter bands for all the differentiations considered here overlap. On the other hand it can clearly be seen that, in the case of failures caused by defects in the control system, the outside medium-controlled safety valves are definitely superior to those which are intrinsic medium-controlled.
Figure 7 shows the chronological development of faultless functioning and of failure of intrinsic medium-controlled valves. Differentiation according to load or relief principle is dispensed with here, because no significant differences became evident. The frequency of faultless functioning improved between 1970-74 and 1979-80 from approximately 20% to approximately 55%.
Accordingly, the frequency of failure in the opening direction fell over this period from approximately 10% to less than 1%. A comparison of the causes for the faults shows that the greatest improvements were made in the area of control. In 1979-80 the number of failure cases caused by faults in the main valve dropped to zero. All in all these results show that the performance tests carried out using modern methods play an important part in improving the reliability of controlled safety valves. This is so because it was only possible to give operators and manufacturers clear indications of weak spots and necessary technical improvements on the basis of function tests in which the chronological course of the main readings was registered. But the fact that, in this period, an increasing number of the safety valves put into use had been subjected beforehand to a component test and, in conjunction with this, a reliability analysis, certainly played an appreciable part in this welcome development.
Fig. 7. Percentage of faultless functioning and failure for intrinsic medium-controlled safety valves versus time. (Bar chart for the periods 1979-1980, 1977-1978, 1975-1976 and 1970-1974. Number of tests: 233, 149, 99, 109. Panels: 'Faultless functioning', scale 0-100%; 'Did not open on demand', 'caused by defects in the main valve' and 'caused by defects in the pilot system', scale 0-20%.)
This conclusion is confirmed by the results shown in Fig. 8. Here the results shown in Fig. 7 for failure in the opening direction, as caused by defects in the main valve or in the control, are differentiated according to whether the failure cases were observed at the initial function test or at the periodic function test using recording instruments. Here it can be clearly seen that the improvements in the area of control have made a greater contribution than improvements in the area of the main valves. With failure cases caused by defects in the main valve, it can be seen that the failure frequency during the initial tests fell from approximately 4% for the years up to 1974 to zero in 1979-80. During the periodic tests no cases of failure in the opening direction caused by defects in the main valve were observed. This applies to the whole period. The increasing number of tests carried out results in a reduction of the scatter band regarding the upper limit value for a confidence level of 95%. This means that for 1979-80 it can be reckoned with a statistical certainty of 95% that such failure cases occur with a frequency of between zero and 3% maximum, while the corresponding limit values for the period up to 1974 were still between zero and 16%. Even with cases of failure in the opening direction caused by defects in the control, a corresponding tendency can be observed. Even here it can be said that in the period 1979-80 no further failure cases of this kind have been observed in the function tests under examination.
Fig. 8. Percentage of failure for initial and for periodic tests versus time. (Bar charts for initial function tests and periodic function tests in the periods 1979-1980, 1977-1978, 1975-1976 and 1970-1974, with the number of tests in parentheses; number of periodic tests, in the same order: 130, 102, 42, 20. Panels: 'Did not open on demand, caused by defects in the main valve', scale 0-20%; 'Did not open on demand, caused by defects in the pilot system', scale 0-40%.)
In Fig. 9 a comparison is made between the mean non-availabilities calculated in reliability analyses and the mean failure probabilities per demand derived from the analysis of the function tests. With the mean non-availabilities here the span is given in each case, that is the smallest and the largest calculated value and the relevant mean value. With the mean failure probabilities per demand, the mean failure probabilities derived from failure rates observed are given, together with the lower and upper limit values for a confidence level of 95%, as in the previous figures. These values are given in each case for the whole unit, for the main valves and for the control, including intrinsic medium-controlled and outside medium, pneumatically or hydraulically controlled safety valves.
Fig. 9. Non-availability as calculated by reliability analysis and average failure probability as evaluated from the results of function tests. (Bars 'as calculated' and 'as observed' for whole unit, main valve and pilot system of intrinsic medium-controlled, outside medium pneumatically controlled and outside medium hydraulically controlled safety valves; scale 0-30 × 10⁻³.)
The results shown indicate the following: with intrinsic medium-controlled safety valves the mean failure probabilities derived from the function tests are significantly greater than the mean non-availabilities determined in the reliability analyses. As the corresponding results for the main valve and for the control show, these differences are caused, with clear statistical significance, by correspondingly strong differences in the values for the control system. This means that the failure rates put into the reliability analyses for the components of the control system have been taken as too favourable, or that causes for systematic faults were not adequately covered. With the outside medium-controlled pneumatic safety valves there is a clear counter-tendency. Here the mean failure probabilities per demand, as established on the basis of the function tests, are better, for the whole unit, in terms of statistical significance than the mean non-availabilities established in reliability analyses. This improvement is brought about here mainly by the corresponding values for the main valves, while the values for the control system show a higher level of agreement. The conclusion may be drawn then that the failure rates for the components of the main valves, as assumed in the reliability analyses, are too high compared with practical experience. A similar tendency can be observed with outside medium-controlled, hydraulic safety valves. Here, however, the statistical significance is not so marked, and so conclusions should only be drawn with caution.
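An added example, not from the paper, of how 95% scatter bands of the kind used in Figs 6 to 9 can be computed, assuming exact two-sided binomial (Clopper-Pearson) limits, a method the paper does not name. With zero failures in the 130 and 20 periodic tests listed in Fig. 8 it gives upper limits of 2.8% and 16.8%, close to the 3% and 16% quoted above; the 231/577 and 641/801 counts are constructed from the approximate 40% and 80% success frequencies, and the 2/40 versus 1/60 pair is constructed.

```python
import math


def binom_pmf(i, n, p):
    """P(X = i) for X ~ Binomial(n, p), evaluated in log space (0 < p < 1)."""
    log_c = math.lgamma(n + 1) - math.lgamma(i + 1) - math.lgamma(n - i + 1)
    return math.exp(log_c + i * math.log(p) + (n - i) * math.log1p(-p))


def binom_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p)."""
    return sum(binom_pmf(i, n, p) for i in range(k + 1))


def bisect(f, increasing, iters=60):
    """Root of a monotone function f on the open interval (0, 1)."""
    lo, hi = 0.0, 1.0
    for _ in range(iters):
        mid = (lo + hi) / 2.0
        if (f(mid) < 0.0) == increasing:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2.0


def clopper_pearson(k, n, conf=0.95):
    """Exact two-sided limits for k observed events in n tests."""
    alpha = 1.0 - conf
    if k == 0:
        lower = 0.0
    else:  # lower limit: P(X >= k | p) = alpha/2, increasing in p
        lower = bisect(lambda p: (1.0 - binom_cdf(k - 1, n, p)) - alpha / 2, True)
    if k == n:
        upper = 1.0
    else:  # upper limit: P(X <= k | p) = alpha/2, decreasing in p
        upper = bisect(lambda p: binom_cdf(k, n, p) - alpha / 2, False)
    return lower, upper


def bands_overlap(a, b):
    """True if two (lower, upper) scatter bands share any value."""
    return a[0] <= b[1] and b[0] <= a[1]


if __name__ == "__main__":
    # Zero observed failures; test counts as listed for periodic tests in Fig. 8.
    for period, n in (("1979-1980", 130), ("1970-1974", 20)):
        lo, hi = clopper_pearson(0, n)
        print(f"{period}: 0/{n} failures, 95% band {lo:.1%} to {hi:.1%}")

    # Constructed counts matching the approximate success frequencies.
    intrinsic = clopper_pearson(231, 577)   # about 40% faultless
    outside = clopper_pearson(641, 801)     # about 80% faultless
    print("faultless functioning bands overlap:", bands_overlap(intrinsic, outside))

    # Constructed small samples: 5.0% vs 1.7% looks different but is not resolved.
    a, b = clopper_pearson(2, 40), clopper_pearson(1, 60)
    print("small-sample failure bands overlap:", bands_overlap(a, b))
```
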
4. CONCLUSIONS AND PERSPECTIVES
The results show that function tests should be carried out on controlled safety devices to prevent excess pressure, using continuously recording instruments. Only in this way will it be possible to assess the reliability and serviceability of the controlled safety devices with adequate certainty, to detect weak spots and to draw up suggestions for improvement. The tests must include measurement of the chronological progress for the system pressure ahead of the armature and of the control pressures, measurement of the lifts for the pulse, control and main valves, together with measurement of the dead and delay times. It may be necessary or useful to measure and record further characteristics, particularly in the initial function tests.
When analysing and assessing the results, care must be taken to ensure adequate regulating power reserves at the main and control valves. With regard to the regulating power reserves, special attention should be paid to combinations of materials because of possible variations in heat expansion coefficients, and in general attention should be paid to the compatibility of the various materials. Only in this way will it be possible to prevent the seats jamming, a build-up of magnetite and ageing of oil collars and sealing material. In addition, the entry and exit cross sections for the load and relief chambers must be taken into account for the purposes of adequate regulating power reserves.
An important point for the serviceability of controlled safety valves is the purity of the control medium. With oil and air controlled safety valves this can be achieved relatively easily by installing filters. With intrinsic medium-controlled safety valves this requirement is more difficult to satisfy. Since failure of control elements caused by dirt particles was established when the function tests were analysed, this problem should be given consideration accordingly. As regards the design and configuration of controlled safety devices, special attention should be paid to testability and ease of testing.
To summarize, it can be said that the way taken, i.e. the performance and evaluation of function tests on controlled safety valves using modern methods, is correct and gives valuable indications of how to increase the reliability of controlled safety devices to prevent excess pressure. Accordingly, further statistical analyses are being carried out at present on the results of further function tests.
It is expected that these investigations will lead to further concrete indications on the improvement of the reliability and serviceability of controlled safety devices to prevent excess pressure.
REFERENCES
1. Mai, E. et al. Untersuchung der Zuverlässigkeit von Druckabsicherungen in Kernkraftwerken, Abschlußbericht zum BNI-Forschungsvorhaben, RS 1 1 510 321/245 SR 214, TÜV Rheinland, Cologne, Report No. 911-258/81, 1981.
2. Mai, E. Sicherheitsarmaturen, zuverlässigkeitstechnische Analyse, Rohrleitungen in Kraftwerken, Verlag TÜV Rheinland, Cologne, 1978.
3. Drucks, G. K. Improving reliability of controlled safety valves of modern power station units, J. I. Mech.E., 35 (1979).
4. TRD 421, Ausrüstung. Sicherheitseinrichtungen gegen Drucküberschreitung, Vereinigung der Technischen Überwachungs-Vereine e.V., Essen, May 1982.
5. Krüger, W. VGB-Kraftwerkstechnik, 52 (1972), pp. 57-68.
6. Arens-Fischer, F. and Bung, W. TÜ, 23 (1982), p. 383.
7. Arens-Fischer, F. VGB Kraftwerkstechnik, 56 (1976), p. 766.
8. Bung, W. Sicherheitsarmaturen, praktische Zuverlässigkeit, Rohrleitungen in Kraftwerken, Verlag TÜV Rheinland, Cologne, 1978.