Study on Safety Analysis of Large Angle Rolling Test Facility for Motion Conditions

The large angle rolling test device for motion conditions is an electromechanical-hydraulic integrated test facility that provides a laboratory simulation environment for nuclear-safety-related verification tests and basic technical research. The test device is complex in composition. Risk factors are found by identifying hazards from two sides: physical hazards and human behavioral hazards. Therefore, the test device has guiding significance for the safety and reliability design of nuclear power plant systems, as well as for the personal security of operators, the configuration of the test site, and the formulation of safety plans.


Introduction
The large angle rolling test device for motion conditions is an electromechanical-hydraulic integrated test device that simulates, under laboratory conditions, the effect of waves on a large simulated ship at sea. Because the device is complex in composition, the coordination, timeliness, synchronization, correctness, safety and reliability of the interaction between its components bring uncertainty and danger to the test process and test results, a threat to the safety of test objects, equipment and personnel that cannot be ignored. Therefore, it is necessary to find potential sources of danger in the system, analyze the sources of failures that may cause danger, and propose corresponding protective measures to ensure the safety of test personnel, work sites, test objects and structures.

Device Introduction
The composition of the test device is shown in Figure 1. The hydraulic traction device is a power source, which can apply a rolling moment to the cabin section through a steel wire rope to provide a simulated movement environment of the cabin section rolling.

System Danger Source Identification
Danger sources in the system were identified in accordance with GB/T13861-1992 "Classification and Code of Dangerous and Harmful Factors in the Production Process" (hereinafter referred to as "Classification") and analyzed from two aspects: physical dangers and factitious dangers. Factitious dangers include command errors, operational errors, monitoring errors, etc. Physical danger factors are shown in Table 1.

Response to equipment and facility defect
A strength check of the mechanical, piping and other components in the swing drive system was performed. The safety factor of the steel wire rope was larger than the allowable safety factor; the bearing device was designed for not only static load but also dynamic load, and had undergone a mechanical check to ensure sufficient strength [1].
To cope with equipment overload, the drive system was equipped with double protection measures. The wire rope tensioning device was equipped with a safety valve to prevent the rope tension from exceeding the maximum working force. The hydraulic motor drive system was designed with a safety valve to limit the maximum output of the rope.
When the device fails, fault analysis and treatment are conducted as shown in Table 3. In addition, because the drive system adopts torque control, when one of the hydraulic drive devices fails, the failed device cannot output drive torque, which applies uneven drive torque to the cabin section and places the supporting rollers at the bottom of the cabin under uneven stress. For this reason, on the one hand, the most severe working condition of unilateral force is considered in the design of the load bearing device. On the other hand, the monitoring system is equipped with an alarm system and an emergency stop device. Therefore, for the safety of the swing drive system equipment, not only should the safety factor be considered in the design, but the monitoring instruments need to be complete, and various fault monitoring and indicating devices should be provided.

Response to protection defects, electrical hazards, vibration and noise hazards
The electrical components and electrical control cabinets were designed, processed and installed in accordance with national standards so that they are dustproof, waterproof and protected against leakage. The main control operation cabinet was placed in the operation room, and the operation room was set up to give a clear view of the section under test, which is convenient for operation. Protective measures were designed for exposed moving parts: the motor's high-speed rotating shaft was equipped with a protective cover, and a protective fence and warning signs were placed around the driving equipment to prevent people from approaching while the system is running.
Electrical components such as motors, power distribution cabinets, control cabinets, and electrical control cabinet wiring were implemented in accordance with national industry standards. When power is off, the swing drive system will be connected with the solenoid valve in the hydraulic circuit driven by the motor, so that the two cavities of the hydraulic motor can be connected. Under the action of viscous damping, friction damping and other external damping, the swing angle of the cabin will gradually attenuate, and the cabin will finally stop safely.
The control system used mature industrialized products, and bit errors in real-time network data transmission can be detected by an effective 32-bit CRC check code. Apart from break detection and location, the system protocol, transmission physical layer and topology make high-quality monitoring of each independent transmission segment possible. By automatically analysing the relevant error counters, critical network sections can be pinpointed. Changing sources of error such as EMC interference, defective connectors and damaged cables can be detected and located, even if they have not yet had an undue impact on the network's ability to self-heal.
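The CRC check and per-segment error counters described above can be sketched as follows. This is an added example, not code from the paper or from the control system vendor; the frame layout, segment names, threshold and sample traffic are constructed assumptions.

```python
import struct
import zlib
from collections import Counter

def build_frame(seq: int, payload: bytes) -> bytes:
    """Sequence number + payload, followed by a CRC-32 over both."""
    body = struct.pack("<H", seq) + payload
    return body + struct.pack("<I", zlib.crc32(body))

def frame_ok(frame: bytes) -> bool:
    """Recompute the CRC-32 and compare it with the trailing check code."""
    if len(frame) < 6:                      # 2-byte header + 4-byte CRC
        return False
    (crc,) = struct.unpack("<I", frame[-4:])
    return zlib.crc32(frame[:-4]) == crc

def flip_bit(frame: bytes, bit: int) -> bytes:
    """Model a single bit error picked up on the wire."""
    data = bytearray(frame)
    data[(bit // 8) % len(data)] ^= 1 << (bit % 8)
    return bytes(data)

def suspect_segments(received, threshold=0.02, min_frames=50):
    """Per-segment CRC error counters -> {segment: error rate} above threshold.

    Errors are attributed to the receiving port, never to a field inside the
    frame, because a corrupted frame cannot be trusted to identify itself.
    """
    total, bad = Counter(), Counter()
    for segment, frame in received:
        total[segment] += 1
        if not frame_ok(frame):
            bad[segment] += 1
    return {s: bad[s] / total[s] for s in sorted(total)
            if total[s] >= min_frames and bad[s] / total[s] > threshold}

def constructed_traffic():
    """Constructed sample: 200 frames on each of three segments."""
    traffic = []
    for seq in range(200):
        frame = build_frame(seq, b"roll=12.5;torque=830")
        traffic.append(("seg-A", frame))                      # clean link
        # seg-B: one corrupted frame in 200 (0.5 %), below the threshold
        traffic.append(("seg-B", flip_bit(frame, 13) if seq == 77 else frame))
        # seg-C: every 20th frame corrupted (5 %), e.g. a failing connector
        traffic.append(("seg-C", flip_bit(frame, seq * 7) if seq % 20 == 0 else frame))
    return traffic

if __name__ == "__main__":
    print(suspect_segments(constructed_traffic()))  # {'seg-C': 0.05}
```

CRC-32 detects accidental corruption such as EMC-induced bit errors; it is not keyed, so it does not authenticate frames.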
In the design of the control system, the situation of communication interruption was considered. When a communication failure is detected, the lower unit will automatically enable the stop procedure, stop the section swing, and shut off the hydraulic oil source. The swing drive system can be safely stopped by emergency stop and other methods.
In the hydraulic drive system, measures such as installing vibration damping pads for electric motors and low-pressure accumulators in hydraulic piping systems were adopted to reduce mechanical and fluid noise generated by shock vibration. The hydraulic drive system was placed in the basement, which was away from operators, and had a small noise impact.
For the steel wire rope, a tensioning device was designed to provide tension and reduce the shock and vibration of the rope during reversing. The contact surface between the cabin section and the supporting roller is required to meet mechanical level 8 processing to reduce deformation and vibration. For the high-speed rotating drum, a speedometer was installed to monitor the drum vibration in real time. Once a trend of increasing vibration is found, the machine is stopped in time and maintained.

Response to wire rope fracture
In order to prevent the rope from breaking due to system overload and self-aging, the drive system was designed with double protection measures. The steel wire rope tensioning device was equipped with a safety valve to prevent the rope tension from exceeding the maximum working force. The hydraulic motor drive system was also designed with a safety valve to limit the maximum output force of the rope. In addition, the minimum breaking force of the surface contact steel wire rope used was much larger than the maximum working tensile force, so the steel wire rope had a large overload safety factor.
Steel wire ropes will inevitably break, so regular inspection and replacement are necessary. Defects in the wire rope were detected by a non-destructive wire rope testing device, and the loss of bearing capacity was calculated to judge whether the wire rope should be scrapped. Tensile and fatigue tests were performed on steel wire rope samples to check the ability of the entire rope to deal with damage, and some preliminary estimates of the life of the steel wire rope were made. In this way, the service life of the wire rope can be obtained. The wire rope has to be replaced after reaching its service life, so as to avoid the damage caused by aging and breaking of the wire rope.

Response to rollers, falling objects, missing signals, sign defects, etc.
During the operation of the system, the drum rotated at high speed and retracted the steel wire rope, so protective fences and warning signs were set up around the driving equipment to prevent personnel from approaching when the system is running. Installers receive safety training: equipment hoisting needs to be dispatched uniformly, the command must be obeyed, and nobody should stand under heavy objects during the hoisting process. There should be a warning signal before the system starts and stops to remind personnel to leave the test site; a warning signal should also be used to remind personnel to stay away when dragging the section or lifting heavy objects. Warning signs were set on the guardrail of the driving equipment to indicate that entry is prohibited; the electrical control cabinet was marked with warning signs to remind non-workers not to approach; test fires and equipment installation rooms were given warning signs prohibiting open flames; warning signs were placed on the operation room to prompt the operator to confirm that staff had evacuated from the pool.
In view of human behavioral risk factors, technical training is required for test personnel. The swing driving system was operated by a special person to reduce the harm caused by misoperation.

Major failure
By analyzing the danger sources of the system, it can be known that the failures of the steel wire rope, the sudden power failure of the system, and the interruption of communication signals can seriously affect the safety of the system test.
In order to improve the safety and reliability of the system, the failure phenomena of the designed swing drive system were analyzed, and corresponding measures and countermeasures after a failure were taken in the design to avoid failures and improve system safety and reliability. See Table 2 for the main fault causes and troubleshooting methods in the system.

Reliability calculation
As described in the previous section, each part of the system was analyzed for faults, and redundant configuration was carried out for the key components in the system. The specific redundant configuration is as follows: 1) In the hydraulic motor drive system, the communication solenoid valve was a redundant configuration of the safety valve; 2) In the mechanical device, the bearings that have a greater impact on the reliability of the system were redundantly configured, and 4 support rollers were designed on each group of supports; 3) In the control system, the gyroscope, which had a greater impact on system reliability, was redundantly configured. A gyroscope was installed at each of the front, middle and rear of the device, and the collected signals were processed according to the principle of "selected two in three" (two-out-of-three voting).
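A two-out-of-three vote over the front, middle and rear gyroscope signals could look like the following. This is an added example, not the facility's control code; the agreement tolerance, the `Vote` record and the rule that a lost majority requests a stop are assumptions, and the readings are constructed.

```python
from dataclasses import dataclass
from statistics import median
from typing import Optional, Sequence, Tuple

@dataclass(frozen=True)
class Vote:
    angle: Optional[float]    # voted roll angle in degrees, None without a majority
    faulty: Tuple[int, ...]   # channels that were outvoted or delivered no signal
    trip: bool                # True: no majority, request the stop procedure

def vote_2oo3(readings: Sequence[Optional[float]], tol: float = 0.5) -> Vote:
    """Vote over the front, middle and rear gyroscope (None = signal lost).

    Two channels "agree" when their angles differ by at most tol degrees;
    tol is an assumed value, not one taken from the paper.
    """
    if len(readings) != 3:
        raise ValueError("exactly three channels are required")
    live = [(i, r) for i, r in enumerate(readings) if r is not None]
    agreeing = set()
    for k, (i, a) in enumerate(live):
        for j, b in live[k + 1:]:
            if abs(a - b) <= tol:          # a NaN reading never agrees
                agreeing.update((i, j))
    if not agreeing:
        # Fewer than two channels agree: no channel can be trusted.
        return Vote(None, (0, 1, 2), True)
    angle = median(readings[i] for i in agreeing)
    faulty = tuple(i for i in range(3) if i not in agreeing)
    return Vote(angle, faulty, False)

# Constructed sample readings (degrees): healthy, one drifting, one lost, split.
SAMPLES = [
    (10.0, 10.25, 10.5),
    (10.0, 10.25, 25.0),
    (10.0, None, 10.25),
    (10.0, None, 14.0),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, vote_2oo3(sample))
```

Reporting the outvoted channel matters as much as the voted value: once one gyroscope is marked faulty, the remaining pair has no tolerance for a second fault.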
The system was optimized and designed in accordance with the above principles, the overall safety of the system was guaranteed, and the reliability was greatly improved. The reliability analysis of the swing drive system was performed. The fault tree is shown in the figure.
In the system failure analysis software Relex Architect, a fault tree of the sway drive system was established, and the failure rate or mean time between failures (MTBF) was set for each base event. The fault tree model and the base event failure rates were calculated for each base event with 1500 h of work per year. The analysis shows that the reliability of the system after redundancy optimization was 93%, which was 13% higher than before optimization. The system after redundancy configuration had higher security. It was also found that, as the working time increases, the unreliability of the system gradually increases. Within 500 hours of cumulative system operation, the system reliability was larger than 97%; after 1500 hours of continuous system operation, the system reliability was reduced to 93%. Therefore, after 500 hours of cumulative work, the key components affecting system reliability need to be repaired and maintained, so that the system reliability can be maintained at above 97%.
The importance analysis of the base events shows that failure of the seal ring, fatigue fracture of the wire rope, and bearing failure have a greater impact on the system reliability and are the main causes of the decrease in system reliability. Therefore, during system operation, wearing parts such as seals, bearings and wire rope should be maintained or replaced according to their life requirements. Determining the proper inspection time helps to improve the system security, and the system security after the inspection can be guaranteed at above 97%.
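The effect of the redundant configuration on reliability over operating time can be reproduced in miniature with a small fault tree evaluation. This is an added example, not the paper's Relex model: it assumes constant failure rates, the rates are constructed because the paper does not publish its values, and modelling the bearings as a one-out-of-two group is a simplification.

```python
import math

def r_exp(rate_per_h: float, hours: float) -> float:
    """Reliability of one base event with a constant failure rate."""
    return math.exp(-rate_per_h * hours)

def r_series(*parts: float) -> float:
    """OR gate on failures: every part must survive."""
    return math.prod(parts)

def r_parallel(*parts: float) -> float:
    """AND gate on failures: the group fails only if every part fails."""
    return 1.0 - math.prod(1.0 - p for p in parts)

def r_2oo3(r: float) -> float:
    """Two-out-of-three vote over three identical channels."""
    return 3 * r**2 - 2 * r**3

# Constructed failure rates (per hour); not values from the paper.
RATES = {"seal": 2.0e-5, "rope": 1.5e-5, "bearing": 4.0e-5,
         "safety_valve": 3.0e-5, "solenoid_valve": 3.0e-5, "gyro": 5.0e-5}

def system_reliability(hours: float, redundant: bool) -> float:
    """Top-event reliability with or without the redundant configuration."""
    r = {name: r_exp(rate, hours) for name, rate in RATES.items()}
    if not redundant:
        return r_series(r["seal"], r["rope"], r["bearing"],
                        r["safety_valve"], r["gyro"])
    return r_series(
        r["seal"], r["rope"],
        r_parallel(r["bearing"], r["bearing"]),              # assumed 1-out-of-2
        r_parallel(r["safety_valve"], r["solenoid_valve"]),  # valve backup
        r_2oo3(r["gyro"]),                                   # gyroscope vote
    )

def implied_rate(reliability: float, hours: float) -> float:
    """Constant system failure rate that gives `reliability` after `hours`."""
    return -math.log(reliability) / hours

if __name__ == "__main__":
    for t in (500, 1000, 1500):
        print(t, round(system_reliability(t, False), 4),
              round(system_reliability(t, True), 4))
    lam = implied_rate(0.93, 1500)       # from the reported 93 % at 1500 h
    print(round(r_exp(lam, 500), 4))     # reliability that rate gives at 500 h
```

Under the constant-rate assumption, the reported 93% at 1500 h corresponds to a reliability above 97% at 500 h, which agrees with the maintenance interval stated in the text.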

Conclusion
This article collects and analyses the danger sources of the large-angle roll test device in marine conditions, classifies the failures that affect device operation and provides countermeasures, and also gives suggestions and treatment plans for events that have an important impact on reliability during operation, which can provide useful guidance for the safety design and reliability design of the entire device.