App III IV safety.pdf
170
7- ýv-' 4., WASH-10 Reactor a fety Study An Asses sment of Accident Risks. in U.S. Commercial Nuclear Power Plants United States Nuclear Regulatory Commission October 1975
-
Upload
justin-j-fu -
Category
Documents
-
view
60 -
download
24
Transcript of App III IV safety.pdf
7- ýv-'
4.,
WASH-10
Reactor a fety Study
An Asses sment ofAccident Risks. in U.S. Commercial
Nuclear Power Plants
United States Nuclear Regulatory Commission
October 1975
NOTICE
This report was prepaied as an account of work sponsored bvthe United States Government Neither the United States northe United States Nuclear Regulatory Commission, nor any of"their employees, noi any of their contractors. subcontractois,or their employees, makes any warranty, express ot implied,norassumes any legal liability or responsibility for the accuracy,completeness or usefulness of any information, apparatus, pro-duct or process disclosed, nor represents that its use wouldnot infringe privately owned tight,.
Available fromNational Technical Information Service
Springfield, Virginia 22161Price- Printed Copy $6 00 .Microfiche $2 25 Second printing
WASH- 1400INUREG-75/014)
FAILURE DATA
APPENDIX III
to
REACTOR SAFETY STUDY
U.S. NUCLEAR REGULATORY COMMISSION
OCTOBER 1975
Appendix m
Table of Contents
Section Page No.
1. FAILURE DATA ....................................................... III-1
1.1 Discussion of Contents ........................................ III-i1.2 Definition and Explanation of Terms ........................... III-i1.3 General Data Considerations .................................. 111-2
2. DATA BASE ASSESSMENTS ......... ; .................................... 111-5
2.1 Overall Data Tabulation ....................................... 111-52.2 Data Assessment Comparison ................................... 111-5
3. CURRENT NUCLEAR EXPERIENCE ........................................ 111-15
3.1 Introduction ................................................. 111-153.2 Nuclear Experience Statistics ................................ III-153.3 Operating Incidents Used for Statistical Analyses and
Individual Failure Analysis .................................. 111-193.4 Individual Failure Analysis Listing .......................... 111-25
REFERENCES ............................................................... 111-33
4. EXPANDED FINAL DATA ASSESSMENT .................................... 111-39
4.1 Introduction ................................................. 111-39
4.1.1 Notes on Pumps ......................................... 111-394.1.2 Notes on Valves ...................................... 111-404.1.3 Notes on Pipe - Testing .............................. 111-414.1.4 Notes on Motors ...................................... 111-414.1.5 Notes on Relays - Failure Modes ...................... 111-414.1.6 Notes on Switches - Failure Modes..... .................. 111-414.1.7 Notes on Batteries - Failure Modes ................... 111-414.1.8 Notes on Solid State Devices ......................... 111-414.1.9 Notes on Diesels ..................................... 111-424.1.10 Notes on Instrumentation - Failure Modes ............. 111-424.1.11 Notes on Wires and Terminal Boards - Failure
Modes................................................ 111-42
4.2 Summary of Post Accident Assessments ......................... 111-42
4.2.1 Notes on Containment Hardware - Test ................. 111-424.2.2 General Data Behavior .................................. 111-42
REFERENCES ............................................................... 111-43
5. TEST AND MAINTENANCE DATA AND APPLICATIONS ................... ..... 111-53
5.1 Introduction ............................................ .1..... 11I-535.2 Corroboration of the Model Results............................ 111-54
6. SPECIAL TOPICS .................................................... 111-59
6.1 Human Reliability Analysis ................................... 111-59
6.1.1 Introduction ......................................... 111-596.1.2 Human Performance Data ............................... 111-596.1.3 Performdnce-Shaping Factors .......................... 111-62
III-i
Table of Contents (Continued)
Section Page No.
6.1.3.1 Level of Presumed PsychologicalStress ...................................... 111-63
6.1.3.2 Quality of Human Engineering of Controlsand Displays ................................ 111-63
6.1.3.3 Quality of Training and Practice ................ 111-646.1.3.4 Presence and Quality of Written
Instructions and Method of Use ................. 111-646.1.3.5 Coupling of Human Actions ...... . ................ 111-656.1.3.6 Type of Display Feedback ........................ 111-666.1.3.7 Personnel Redundancy ............................ 111-66
6.1.4 A Sample Hunan Reliability Analysis ...................... 111-67
6.2 Aircraft Crash Probabilities ................................. 111-69
6.2.1 Number and Nature of Aircraft Movements ................. 111-706.2.2 Determination of Plant Vulnerable Area .................. 111-706.2.3 Damage Potential ..................................... 111-706.2.4 Typical Damage Calculation (Surry 3 and 4) .............. 111-70
6.2.4.1 Source ...................................... 111-706.2.4.2 Source ...................................... 111-70
6.3 Total Loss of Electric Power ................................. 111-71
6.3.1 Total Loss of Electric Power at LOCA ..................... 111-716.3.2 Total Loss of Electric Power During a LOCA ............... 111-726.3.3 Summary .............................................. 111-73
6.4 Pipe Failure Data ............................................ 111-74
6.4.1 Plant Parameters ..................................... 111-756.4.2 Nuclear and Nuclear-Related Experience .................. 111-756.4.3 U.S. Non-Nuclear Utility Experience ...................... 111-766.4.4 United Kingdom Data .................................. 111-776.4.5 Other Reported Pipe Failure Rates ........................ 111-78
6.5 Failure Rates Compared With Log Normal ........................... 111-78
REFERENCES ............................................................... 111-78
7. REFERENCES ........................................................ 111-91
7.1 Discussion of References ..................................... 111-917.2 General Sources .............................................. 111-917.3 Special Sources .............................................. 111-91
III-ii
List of Tables
Table
III 2-1 Data Assessment Tabulation .......................................
III 2-2 Comparison of Assessments with Nuclear Experience ................
III 2-3 Comparison of Assessments with Industrial Experience .............
III 3-1 Number of Failures by Plant Showing Failures During Standbyand Operations ...................................................
III 3-2 Number of Failures by Plant Component/System .....................
III 3-3 Averaged Failure Rate Estimates (Rounded to Nearest HalfExponent) ........................................................
III 3-4 Averaged Demand Probability Estimates (Rounded to NearestHalf Exponent) ...................................................
III 3-5 1972 Failure Categorization Into Random Versus Common Mode .....
III 3-6 Common Mode Effects and Causes ...................................
III 4-1 Summary of Assessments for Mechanical Hardware ...................
III 4-2 Summary of Assessments for Electrical Equipment ..................
III 4-3 Summary of Post Accident Assessments .............................
III 5-1 Summary of Test Act Duration .....................................
III 5-2 Summary of Major Maintenance Act Duration (Raw Data)....-.......
III 5-3 Log-Normal Modeled Maintenance Act Duration ......................
III 6-1 General Error Rate Estimates .....................................
III 6-2 Aircraft Crash Probabilities .....................................
III 6-3 Comparison of Probability of an Aircraft Crash for VariousTypes of Aircraft ................................................
III 6-4 Crash Probabilities at Various Sites .............................
III 6-5 Summary of Transmission Line Outages (Based on BonnevillePower Administration Data--1970 Statistics) .....................
III 6-6 Summary of Transmission Line Outages (Based on BonnevillePower Administration Data--1971 Statistics) ......................
III 6-7 Summary of Transmission Line Outages (Based on BonnevillePower Administration Data--1972 Statistics) ......................
III 6-8 Probability of Total Loss of Electric Power After A LOCA .........
III 6-9 Pipe Failure Assessed Values ....................................
III 6-10 Reported Pipe Failure Rates ......................................
Page No.
111-7/8
111-11/12
111-13/14
111-35/36
111-35/36
111-35/36
111-35/36
111-37/3.8
111-37/38
111-45/46
111-47/48
111-49/50
111-55/56
111-55/56
111-55/56
111-81/82
111-81/82
111-81/82
111-81/82
111-83/84
111-83/84
111-83/84
111-83/84
111-83/84
111-85/86
III-iii
List of Figures
Figure
III 4-1 Relative Failure Rate Assessments - Switches .......................
III 4-2 Relative Failure Rate Assessments - Valves ........................
111 4-3 Relative Failure Rate Assessments - Pumps..........................
III 4-4 Demand Probabilities of Classes of Hardware ......................
III 4-5 Leak and Rupture Assessments for Passive Hardware ................
III 5-1 Observed Repair Times and Theoretical Distribution - Pumps .......
III 5-2 Observed Repair Times and Theoretical Distribution - Valves ......
III 5-3 Observed Repair Times and Theoretical Distribution -Diesels ..........................................................
III 5-4 Observed Repair Times and Theoretical Distribution -
Instrumentation ..................................................
III 6-1 Hypothetical Relationship Between Performance and Stress .........
III 6-2 Motor Operated Valve (MOV) Switches on Control Panel .............
III 6-3 Probability Tree Diagram for Step 4.8.1 ..........................
III 6-4 Cumulative Outage Duration Distribution Curve ....................
III 6-5 Histogram - Restoration of Transmission Line Outages .............
III 6-6 Log-Normal Distribution - Pumps ..................................
III 6-7 Log-Normal Distribution - Valves .................................
III 6-8 Log-Normal Distribution - Clutch - Electrical ....................
III 6-9 Log-Normal Distribution - Diesels ................................
Page No.
IEI-51/52
111-51/52
111-51/52
111-51/52
111-51/52
111-57/58
111-57/58
111-57/58
111-57/58
111-87/88
111-87/88
111-87/88
111-87/88
111-87/88
111-89/90
111-89/90
111-89/90
111-89/90
III-iv
Section 1
Failure Data
In the quantitative system probabilityestimates performed in this study,component behavior data in the form offailure rates and repair times arerequired as inputs to the system models.Since the goal of this study is riskassessment, as opposed to reliabilityanalysis, larger errors (e.g. order ofmagnitude type accuracy) can betolerated in the quantified results.This has important implications on thetreatment of available data. Instandard reliability analysis, pointvalues (i.e., "best-estimates") are gen-erally used for both data and results inquantifying the system model.
in risk assessment, since resultsaccurate to about an order of magnitudeare sufficient, data and results usingrandom variable and probabilisticapproaches, can be usefully employed.The base of applicable failure rate datais thus significantly broadened sincedata with large error spreads anduncertainties can now be utilized. Thedata and associated material that wereassembled for use in this study and thatare presented here are to be used in therandom variable framework (which will bedescribed). The data and the accompany-ing framework are deemed sufficient forthe study's needs. Care must be taken,however, since this data may not be suf-ficiently detailed, or accurate enoughfor use in general quantitatige relia-bility models.
1.1 DISCUSSION OF CONTENTS
The items listed below summarize thedetail sections which follow.
1. A listing of definitions and adiscussion of the general treatmentof data within the random variableapproach as utilized by the study.(section 1)
2. A tabulation of the assessed database containing failure classifica-tions, final assessed ranges utiliz-ed in quantification and referencesource values considered in deter-mining the ranges. Additionaltables, extracted from the maintable, are also given showing theassessed ranges and comparing themwith industrial and nuclear experi-ence. (section 2)
3. A discussion of nuclear power plantexperience that was used to validatethe data assessment by testing itsapplicability as well as to check onthe adequacy of the model to incor-porate typical real incidents.(section 3)
4. An expanded presentation of the dataassessment giving information on ap-plicability considerations. Detail-ed characteristics are also givenfor utilization of the data in therandom variable approach. Graphsare finally presented showing trendsand class behaviors. (section 4)
5. A discussion of test and maintenancedata including comparisons of modelswith experience data. (section 5)
6. Special topics, including assess-ments required for the initiatingevent probabilities and human errordata and modeling. (section 6)
1.2 DEFINITION AND EXPLANATIONOF TERMS
Listed below are definitions of termswhich will be employed in the discus-sions. Certain of these definitions arelisted elsewhere, but have been restatedhere since they have pertinence withregard to data assessment.
Failure Probabilitx: the probabilitythat a system, subsystem, or componentwill suffer a defined failure in aspecified period of time. In context ofthe defined failure, the failureprobability is equivalent to theunreliability.
Unavailability: the probability that asystem, sustem, or component will notbe capable of operating at a particulartime, i.e,, will be in a failed state.Availability is the complement ofunavailability. Point unavailabilityand interval unavailability are treatedas being equivalent here (see the faulttree quantification discussion forfurther details).
Active Devices:such as pumps,
those operating devicesvalves, relays, etc.,
III-1
that run, transfer, or change state toperform their intended function.
Passive Devices: those inert devicessuch as pipes, vessels, welds, etc.that are generally inactive but whoselfailure will affect system behavior.
Test Time: the total on-line timerequired to test a system, subsystem, orcomponent. This total includes theactive test time plus the on-line timerequired to reconfigure before and aftertesting.
Maintenance Time: the total on-linetime required to maintain a systemsubsystem, or device. Analogous to theprevious test definition, the on-linemaintenance period includes actualmaintenance time plus any adjustment orcheck-out time associated with themaintenance.1~
Test Interval: the length of timebe-tween tests of systems, subsystems,and components. For the applicationshere, this interval is often 720 hours,(".1l month), although there areexceptions, and relevant test intervalsmust be obtained for each component. Aswill be further discussed, test inter-vals are treated as being periodic.
Maintenance Interval: the length oftime between maintenance on systems,subsystems, or components. The intervaldepends upon whether the maintenance isof periodic, non-periodic, scheduled ornon-scheduled nature. For the applica-tions here, the maintenance interval isgenerally treated as being non-scheduledand hence non-periodic.
Demand Probabilities: the probabilitythat the device -will fail to operateupon demand for those components thatare required to start, change state, orfunction at the time of the accident.The demand probabilities, denoted by 0d,incorporate contributions from failureat demand, failure before demand, aswell as failure to continue operationfor a sufficient period of time forsuccessful response to the need. When
Th term "on-line", as standardly used,denotes the time actually impacting thesystem unavailability or failureprobability. The "on-line" phrase isoften deleted with the understandingthat only test or maintenance tineactually affecting the system isincluded.
pertinent, the demand data Qa can beassociated with standard cyclic data orcan be interpreted as a general unavail-ability. Human error data can also beassociated 'with demand probabilities(i.e. per action) as discussed in thehuman evaluation section.
Operatingl Failure Rates: for those com-ponents required to operate or functionfor a period of time, the probability(per hour) of failure is denoted by Xc,.For those components affected by acci-dent environments, additional failurerates applicable to the pertinentaccident environment are given.
Standby 'Failure Rates: for thosepassive-type devices such as pipes,wires, etc., which are normally dormantor in standby until tested or anaccident occurs, the probability (perhour) of failure is denoted by Xs.
The above definitions involve thestandard terminologies and conceptsemployed in reliability theory. Testand maintenance data in general consistsof the test and maintenance times andthe test and maintenance intervals.Component failure data in generalconsists of the demand probabilities,operating failure rates, and standbyfailure rates. The characteristicswhich have been described are by nomeans exhaustive. Also, many equivalentbases can be constructed. The charac-teristics as defined here, however, aresufficient for the applications in thestudy.
1.3 GENERAL DATA CONSIDERATIONS
This section describes certain basicconcepts involving the probabilistic, orrandom variable approach used in thestudy and its implications with regardto the establishment of a data base.
The quantitative evaluation of a systemcan involve one of two types ofcalculations: a point calculation, or arandom variable evaluation. The pointand random variable types of evaluationdiffer with regard to basic goals andapproaches and how to input data must beprepared. With point value calculationsthe general goal is to derive a bestvalue for the system parameter ofinterest, usually the system unavaila-bility or failure probability (unrelia-bility). In point calculations oneattempts to obtain the input data withgreat accuracy since, the computedresults are to represent an exact typeof value. In reality, of course, pointvalues are never exact but are computedas precisely as possible.
111-2
Because of the need for highly accuratecomponent assessment, point calculationsgenerally require extensive input datawhich classify each component accordingto particular characteristics,' known asthe "pedigree" of the component.Examples of these characteristics are:
a. Generic type of component (relay,
motor, etc.)
b. Component manufacturer
c. Component failure mode (i.e., opens,closes, ruptures, etc.)
d. Component specificationsvoltage, flow rate, etc.)
(i.e.,
e. Component environment (i.e., temper-ature, humidity, etc.)
In point calculations, a single valuefor each component failure rate or de-mand probability is obtained. Onceobtained, these values are then substi-tuted into the reliability equations tothen obtain the point value for the sys-tem result. In practice, to obtain asingle failure rate or demand probabili-ty value for a particular component, newfailure data is collected in the form ofsamples, and statistical point estima-tion techniques are used.
In practice, an exact match of thepedigree characteristics is not alwayspossible, and a failure rate is derivedfrom data which matches, as closely aspossible, the important characteristicsof the problem. Engineering judgment isused to determine the applicability ofthe various data. The source data usedin point evaluations may be obtainedfrom handbooks, field experience, orfrom specially designed samplingexperiments.
The second approach, the random variabletechnique, is not commonly discussed andtreated in reliability texts but is astandard general technique in statisti-cal and probabilistic modeling. in therandom variable approach, one point val-ue for an input data parameter is seenas being insufficient to describe theapplicable situation. Instead a rangeof values is determined which describesthe variability and randomness associ-ated with the parameter. The data pa-
1tndr approaches involve parametricestimation techniques, such as maximumlikelihood,
rameter which is input to a calculation,such as a failure rate, is thus nowtreated as being a random variable andthe range of values gives the variouspossibilities for the random variable.As a last step, probability distributionis associated with the random variableto describe the probability associatedwith various possible values.
one of the simplest ways to obtainnecessary data for the random variableapproach is to estimate ranges for eachpiece of data which is to be used. Inreliability applications of the randomvariable approach, failure data istreated as being a random variable andhence estimation involves obtainingranges for each component failure rateand each demand probability.
The random variable approach was chosenin the study for several reasons. Thereliability results which were computedwere to apply to a population of reactorplants (100) and hence it was desired tomodel the component failure variabilityfrom plant to plant. Also, data whichdoes exist is not precise but showslarge uncertainty and variability and itwas desired to incorporate thisuncertainty and variability.
treating data as random variables issometimes associated with the Bayesianapproach where the data distributionsare treated as priors. The system fail-ure probability and its unavailabilityare subsequently treated as conditionalprobabilities and the overall marginaldistribution is obtained by integrationover the data priors. Because the datadistributions were associated with apopulation (the 100 reactor plants) thedata and system characteristics weretreated by the study as being simplyrandom variables, however the Bayesianinterpretation can also be used wherethe data distributions are treated asgiven Bayesian priors.
The failure rates and demand probabili-ties used in the study were derived fromhandbooks, reports, operating experi-ence, and nuclear power plant experi-ence. The data sources involvedDepartment of Defense data (Navy, AirForce, etc.), NASA data and generalindustrial operating experience as wellas nuclear power plant data. The as-sessment process entailed an amalgama-tion of this information to obtain finalranges which described regions in whichthe data had a high probability oflying.
Examination of the various sources ofcomponent data showed that, in assess-
111-3
ment of the final data base, only orderof magnitude accuracy would be generallyfeasible. However, these accuracieswere sufficient for the risk calcula-tions since only order of magnituderesults are required. In arriving atthe final data assessment, the fact thatranges were assigned to each data vari-able gave latitude for the incorporationof differing data source values. Aheuristic illustration is shown below ofthe range type of assessment. The rangetype of assessment has the advantage ofrendering the calculations and resultsto be insensitive to fine distinctionsof the applicability of any particularbit of data.
x x x i Data Source Values
-*-Data Range-.P- Range Assessment
As discussed in Appendix II, the lognormal distribution was used to describethe data variability. Since the lognormal has two parameters (the mean andstandard deviation, say);, the two endpoints of a s'uitably defined rangedetermine the unique, applicable lognormal. A 90% range was selected forthe assessments with the lower range endpoint being the 5% bound and the upperend point the 95% bound. The rangewhich was assessed for each failure rateand demand probability thus coincidedwith this 90% definition (there was thusa 90% probability that the data valuewould be in this range).
Even though the data sources used, rep-resented diverse conditions and applica-tions, with some sources apparently moreapplicable than others, the data sourceswere in general agreement within one totwo orders of magnitude accuracy. Thefinal assessed ranges were thus general-ly one to two orders of magnitude inwidth to represent this degree of dataconsistency. Because of the order ofmagnitude accuracies, range end pointswere determined to the nearest half in-teger on the exponent scale, i.e. afailure rate end point being 10-1 or10-1-5, etc. This half integer exponentscale coincided with the assignment of a3 or 1 for the significant number, i.e.1 x 10-1 or 3 x 10-2, etc.
since diverse data sources were used andsince a large number of components wereinvolved in the assessment, a number ofiterations were involved in obtainingthe actual assessed ranges. Inassessing the ranges, data points wereselected from the various sources,including nuclear experience, and arange was then overlayed to coverapproximately 90% of the points. Asdescribed in Appendix II, the calcula-tions are not sensitive to the precise90% definition, for example littledifferences were obtained if the rangewas actually 85% or 95%. The rangedeterminations involved data plottingwith decisions made on the weight ofeach source data point. The assessmentdecisions were based upon the experienceof individuals involved in reliabilityand nuclear power plant operation.
Because of the order of magnitude rangesand accuracies, components were general-ly classified only to generic type.When extreme behaviors existed, compo-nent failure definitions were furtherdetailed. When available, actual nucle-ar plant experience was used as theprincipal basis in determining andchecking the final assessed ranges.Nuclear component variability from plantto plant that was observable was notinconsistent with the final rangewidths. (This variability was also notinconsistent with the random variableapproach utilized.)
The tables and discussions which follow,present the basic data, assessed ranges,and comparisons involving the assessedranges. This hopefully will aid thereader in determining for himself thevalidity of the data ranges that wereemployed.
In the tables and discussions, the ex-tractable failure modes are given foreach component classification. Failurerates are in units of per hour HR-1 anddemand probabilities (unavailabi.lities)are in units of per demand D'- .Thelower and upper bounds which are givencoincide with the approximate 5% and 95%range end points (to half integerscale). The ranges and upper and lowerbounds can be interpreted as a confi-dence on the data, however, this must bedone so within the random variable (orBayesian) framework in which the data isto be applied.
111-4
Section 2
Data Base Assessments
2.1 OVERALL DATA TABULATION
Table III 2-1 shows the final assessedranges employed by the study and theprincipal, raw input values that formedthe bases for the assessed ranges.
2.2 DATA ASSESSMENT COMPARISON
ranges as compared to obtainable nuclearexperience values and extreme valuesfrom industrial experience. The nuclearvalues were computed from current nu-clear experience as discussed in thesubsequent section. The industrialbounds represent the extreme minimum andmaximum values obtained from the raw in-dustrial source inputs (which are deter-ministic type bounds) and are comparedwith the assessed ranges (which aredefined at 90% probability).
Tables III 2-2 and IIItractions from Table IIImore explicitly the
2-3 contain ex-2-1 and show
final assessed
111-5
YAIA112-1 Uata AssO103.iteiL .
P.*Tft1 U.*"10 .3 .i I1040M %w3 IW0.4 3,ll3 3w.1&3 1.i04 N1&@ 4 3 1 04 @Wl.- NA NA NA NA NA 010 NA- NA NA NA NA NA NA NA
_N i N .1041 1 l 3. 3.1044.. INl was .43.140 4 *.,1 i11.N NA N- ).0 NA I A 60 N A NA N N NA M .04
F-h-i T. 2.a .03 A I N
gm .y T 3.I3II1•0.3mm ,10"+m10.I Il~fOI0 3.I44 1.10".3 x0" NA NA•' NA1• NA1• NA1 NA NA ~r NA NA1• NA NA NA0. ~l- NA NA NA NA NA NA NAl• NA0" *.i0.
-1 z I" - - N& To 300 -0.3 3.1003.14.03 W03 . .0sl0 N .3 • 3.10N3 .Ol
3.10N 3 - N043 NA ... 03 NA N& NA %A 1.1*- NA NA NA NA NA NA 1.0 30" 314
0 44.V1./ 3.10-3. 1004 |S,.l-1.
NA 3.NA NA- N A NA N N NA NA NA NA N %. NA A NA NA N NA N hI.N
00340To SL&. 3lRI04M II .1o 3.304 NA NA 1.10A NA NA NA NA NA NA NNA A 2A NA NA N"A NA NA NA NA - N0 13410
/50? * 3.030 313104 NA 0" l0" NA] NA1• NA0. NA NA NA N NANA A N. NA A N NA NA NA NA NA A A 10"
A .'I'PAA TON.N.l 3i .1 i 04/0 3110IN l.iNrl I .1 0 41o~ 4.1, ii 0" NA N.t 334 NA 4030 3.I NA NA NA NA NA .,A NA *.A NA NA NA NA NA NA NA NA m1"
14001 Te ONN 1.1 01/0 3I.3I0.I 304 3 0 NAf 1 3 .1 4• N A NA0us NA NA N NA NA NA NA N N NAt % NA NA NA NA NA NA NA,, N 3.s
0.U-N. L I .I4hi 0l Il0". 01.10.1 3.0 NA 0 NA NA,0 NA NA NA N A NA NA N A NA *IA NA S. NA NA NA NA NA NA NA 34
O-04II .0I.. 111"~lO 11 0 N0 I .l I NA 11101 NA 3A NA NA NA NA NA A A A NA A NA M
0I I I NA.I..
.A.I.
A NA 1A NA %. NA NA NA NA NA NA NA NA
F*. t 0o L N 1.10110 .14.N..10? 3. 10 N 1 1 .10 NA 1.100 NA NA NA NA N NA N NA 54 NA ". NA NNA A NA A A i i A i..04
IV- $1toAHo l.10.I0 .l 0|OI N A NA NA NA NA N . 04 N A N A NA NA A NA NA 3 NA 1A10A
• lli01l. t 0.10"1.10.' NA NA 1.l04 NA NA NA NA NA NA NA NA NA NA -A" NA NA NA NA NA NA N" NA
0.-II
NA N
PO. ..0 .W
1 /1.NA 01 NA NA NA WA NA NA Ne NA NA NA NA NA NA NA NA AA NA NA NA
303.0NA 1.14410
NA113.10' 1.1.0 3
*4.1
N
.N 4.3A5N3,N
4P i0 1 4 5 IZ 0. ION A .10"-
. I0
1 0N. 1.04 I 4.4.4 3410N
i10.0
iN NIN Im ]U•NM " .0 '.iS .16.4 2. 0 140NA Ni0 NA" NA. N NA NAMA NA NA NA .3 NA NA NA NA NA NA NA NA N A A1Q104
0 0 1.,14144 3.1013.1100 3 NA .101M. 1 0 ,&NA
NA1 NA NA' NA NAO NA NA NA NA NA N104 NA NA NA NA NA NA NA NA 111C_~4- L-k - -YR & .,Sw -8 PIA -A NA- - - - -
0 • L 4 3 10.4l13N ,.. * l ,.,I , I m"mk g..0 4 3.10 4 N"0~ 1.1 NA N A 0 00 N A N4A N A N A NA N A N A N A U3 NA N A N A NA NA N A N A N A OK
CNN 1.-i./N.4 I3 0410, 1A1011.10.0 1 1111 NA 3,304 1.10 3.10 NA N NA kA NAM NA N i 0 43 NANA MA NA A NA NM NA -N.A 1%
' w&3 NA NA NA NA NA NA NA NA AA NA A NA NA NA N A A NA N.. A
S-oS 310 Memo 1,1 110 0' 04s 3.0 1.- -.
0 - - - - - - - -
A- A M A k ý
4 . .104M/ we 3. ,04 NAtw 4.&3 .104 NACp NA N A N.N A N A 100 N N A N A A N A NA N .0
3fA~V .4434 3344.34 3~93 A A 130. NA NA A A NA NA N N A NA N A NA NA- A A NA kA0 1.10
Table IlI 2-1 (Sheet 1 of 2)
111-7/B
TA1LE II124 (Continued)
.. ] ,."I, 101 31 11 1~ . 1 A 1 1 42 4 4.441 14 41,
04.7
3.104M9 1 g4l. ,&3A-I 3.W 1~9
Z.,941 4..,3 .... 1 1 -a' N NA I-e, 3 NA NA I N. .A NA I NA 1 lw3 NA NA NA NA .A "A
- I - -i-I-I- I- - - t - - P- I-i- - I - - - -4-4-- - - - - + - 4- + - + -1-4-- .I.-4- -
-1.14414 i .1 0
7l-we'0
N I NA I l '13-04 1 j 2.104 1N 10 1 A.. I . NA A NIA NA NA "A NA I A NA .. I NA N*A "A NA INA NA NA NA
0* 1 o4w 3. 14,1" W S.204-.;0 2.,&00 j 2-03 0 NA NA INA NA NA NA N NA N NA NA NAN NA NA NA NA NA NA A
CLUTCH _____ _____
1.10C.1 - - - -0 -o -0 NA I- - - -- NA A A -A NA NA N - - -
N o..s..1owo. .i, . no 2.3A104 .Inl4 *.103 .1.o2 m..04 NA NA NA flA NA NA NA NA NA NA NA NA NA NA N N NA NA NA NA NA
NOO[ 10440 1 h lll 10"10 311 0-- '4 21I0s- NA NA N ., N. NA N NA NA NA NA NA A NNA NA A NA 1A NA NA NA NNA NAANA NAROD@ 'N togwlwl Ai; IA NA •A
IA NA P
mm 3. 1 041 I WII-- •• 2.104,0 .0 wv$ .. 0, Il'04 1.i04 NA 21.10"4 1.104 .104
1.10 A.1SA NA NA NA NA 1.10 NA 2.10' NA NA NA NA NA NA 7NI0" 3,104 2014
'01o01 pmA.MR. mI.IO fl 3i.10
O--3.10 1.104)"R 2.106 2,10 1.1014 l. 106 &.0.0 NA 6.104 2..o4 i.106 3,144 1.104 NA NA NA NNA N.101
NA NA NA NA NA NA NA NA & 1.0 1,04
NANA NA - MA N
F -••..mn -. iN2 l.0 .5 h.1a2 NA ,10. 1-0. 02 3l0,1 NA NA NA Iu A A NA NA Nw NA NA NA NA - NA N A A .10N A 4 NA NA1NA
:;C P. 0N 1.10"0 -.. .-O1104 1. 10-400 1.107 1.. .1'a, I I0"4 NA WOi0 U10, NtA NA NA ? N"A 1., 3.w?4 ,A w NA NA NA NA A 3.A NA NA NA 3*74"
- - - - - - - - - - - - - - - - - - - -- - -I - - - - - -
0le ,.m1
3,o- ,o,.0 .A NA NA 2.10' A A N A .NANA 1il 2.10 A . .NA NAw NA NA NA NA NA 6.10'
NOI NCCO..S ... A040 3.104-.1.10' " 104 I.104 .0 NA NA 1.A %A0 NA NA NA NA NA NA NA N. NA A NA NA NA NA NA NA I NA 1.10
- Fa.Ol iCCN, 1W4/0 3 10 wa-- 310,0 l. 4NN NA A NA NA . IA. NA NA NA NA 7I NA NA NA -04 NA NA NA NA NA NA NA NA twe0l
.TNA : 07 106Arn I.10',0 3.I A I0-] l .I0'l l 2.i0 1 .10' N.A NAl04 11. NA NA NA N N NA NA NA 2I,7A
NA NA NA NA NA NA1 NA NAA A .10,
M.2 Y4IftT NS M• .l00 2.IOS-2.I0' 3110' .010" N0,; NA NA '.00 N NA NA NA NA NA NA NA NA A NA NA NA NA N., NA NA NA2.'0
C-IP4IOl 8 .10, 3.1.02 0' -100 -.O ~4~N A1.1 00 NA Nt2 ANA NA NA 1.0, .0 A NA NA NA NA NA NA NA NA NA 3.1042 NA A.0
Clam" 3.0-.10-3 1-103M 1.10 3- I:0 ly. "A '.103 3-10- l-- -4 .- 0-- - -..- , N- -- - - - - - -. 10- A A NA - A NA A I - . l - s-
S N IA K 0 NS AJ l 1'. 1 6 . 80 2.,0, .1 1 1 . I IA 21100 N A 2 .1A ' 3 .0 6 N0 3 A NA NA N N A N AA N A N A N A N - N A N A . A N A NAAU
-• g 10 Gm.I 3. 10,7- )..04 NA 5.10, 1.10, way" HA 3.u10' 51041 NA NA NA MA NA "A llA 2.10 & NA NA MA NA 10A. NA I ~ NA NA • 410-11
fwlilo ýb l •/ wo--s1m -06O,0 w11s 10 m NA H NA A NA NA M NA We 70" NA N& NA m A WA "A NA NA
Cil,0,N Ili0..I1t. I2.107. Nl0Q, 10, NA N A NA NA NA NA NA NA A NA NA NA NA NA NA NA .0 NA NA NA
t% l I.0"-A 1 I00.1001 -. 1 , . 10 .1a, 2.0 A.NA NA 1.103 NA h.t 7 A NO NA NA NA 1A NA NA NA NA MA NA NA NA NA -IA NA .170,0
01NOV1 -,0M 3.03.0 -.0 -0 -0 A 1A NA -A -.0 A-A - MA -W NA -A -A w9 -.
lNAEN .'04'". 2.l.-2.104 1.10410 .0 110 1,0 0A .l0l NA NA NA NA NA NA NA NAO NA NA N.104 NA 'A N NA NA NA NA NA NtA NA '.0
F OFMnClK O I .010, 2.&l0"-321&14 -A1,0, 7' .'10Q4 .10 N NA 2A" 4A N& NA NAMA NA NNA 2.10" NA NA NA NA NA NA MA104 NA NA NA 4,104
SOFLO A..0 00 .0"I0 3i104,.i100 l.10' O10 . NA NA NNA ANNA A "N NA NA NA NA NA NA NA NA A NA N NA NA NA NA
S I'm ll 14¢_
06¢ I~q 310106111 l.10;. l. 100s I , +,04,N 1.1041 NA .0 14 NA NA NA NA NA NA N A 1410' NA N A NA NA N NA • NA NA NA NA 7.0
mqn1"1 .404044m 1.10i-1110' 1.101 N I.I NA NA NA NA NA N"NNA NA NA NA NA "A NA NA NA NA NApq i10,;4•o 31I0'•-1104 .,0 1.104I 1.1' N NA NA NA NA NA NA 3.10 NA NiA I..0 NA NA NA NA NA NA4 1.104• NA NA N .0
1. ~rp104,06 .10
4..0 .7.70 ..0A NA NA NA NtA NA .A NA NA "A N A NA A - NA A NA NA NA NA NAA
Table 1II 2-1 (Sheet 2 of 2)
111-9/10
TABLE Ill 2-2 COMPARISON OF ASSESSMENTS WITH NUCLEAR EXPERIENCE
Component/Primary Assessed Values Nuclear(aFailure Modes Lower Bound Upper Bound Experience
Mechanical Hardware
PumpsFailure to start, Qd:
Failure to run, X :0
(Normal Environments)
Valves
Motor Operated
Failure to operate, Qd:
Plug, Qd:
Solenoid Operated
Failure to operate, Qd:
Plug, Qd:
Air Operated
Failure to operate, Qd:
Plug, Qd:
CheckFailure to open, Qd:
Relief
Failure to open, Qd:
Manuhl
Plug, Qd:
Pipe
Plug/rupture
£ 3" diameter, X :
> 3" diameter, X 0:
Clutches
Mechanical
Failure to engage/disengage
3 x 10-4/d
3 x 10-6/hr
3 x 10-4/d
3 x 10- 5 /d
3 x 10-4 /d
3 x 10-5 /d
1 x 10- 4 /d
3 x 10- 5 /d
3 x 10- 5/d
3 x 10-6 /d
3 x 10- 5 /d
3 x 10-11/hr
3 x 10- 12/hr
3 x 10- 3/d
3 x 10- 4/hr
3 x 10-3/d3 x 10- 4/d
3 .x 0- 3 /d3 x l0-4 /d
1 x 10- 3/d
3 x 10-4/d
3 x 10- 4/d
3 x 10-5 /d
3 x 10-4 /d
3 x 10- 8/r
3 x 10- 9/hr
1 x 10- 3 /d
3 x 10- 6/hr(b)
1 x 10- 3 /d
3 x 10- 5 /d(c)
1 x l0-3
3 x 10- 5 /d(c)
1 x 10 4 /d
3 x 10 5 /d(c)
1 x 10-4 /d
1 x 10~ 5 /d
3 x 10-5/d
1 x 10- 9/hr
1 x 10- 1 0 /hr
1 x 10-4/d i x 10- 3/d 3 x 10- 4 /d
Electrical Hardware
Electrical Clutches
Failure to operate, Qd: 1 x 10- 4 /d 1 x 10-3/d 3 x i0-4/d
TABLE 111 2-2 (Continued)
Component/Primary Assessed Values Nuclear
Failure Modes Lower Bound Upper Bound Experience (a)
Motors
Failure to start, Qd:
Failure to run
(Normal Environments),A :0
Transformers
Open/shorts, A 00
Relays
Failure to energize, Qd:
Circuit Breaker
Failure to transfer, Qd:
Limit Switches
Failure to operate, Qd:
Torque Switches
Failure to operate, Qd:
Pressure Switches
Failure to operate, Qd:
Manual Switches
Failure to operate, Qd:
Battery Power Supplies
Failure to provideproper output, As
Solid State Devices
Fails to function, A 00
Diesels (complete plant)
Failure to start, Qd:
Failure to run, A 00
Instrumentation
Failure to operate Xo0
1 x 10- 4/d
3 x 10-6/hr
3 x 10- 7/hr
3 x 10- 5/d
3 x 10 -4/d
Sx 10-4 /d
3 x 10-5/d
3 x 10- 5/d
3 x 10- 6/d
1 x 10- 3/d
3 x 10- 5/hr
3 x 10- 6/hr
3 x 10-4/d
3 x 10- 3/d
1 X 10-3/d
3 x 10- 4/d
3 x 10- 4/d
3 x 10- 5/d
3 x 10- 4 /d
1 X 10-6 /hr(d)
1 x 10- 6/hr
3 x 1-5/hr-5
3 x 10 /d
-31 x 10 /d
-41 x 10 /d
1 x 10-4/d
1 x 10-4/d
3 x 10- 5/d
3 x 10- 7/hr(e)
1 x lo- 6/hr
3 x 10-2 /d
1 x 10- 3/hr
1 x 10- 6/hr
1 x 10- 6/hr 1-x 10- 5/hr
3 x 10- 7/hr
1 x 10- 2/d
3 x 10- 4 /hr
1 x 10- 7/hr
3 x 10 5 /hr
1 x 10- 1 /d-2
3 x 10 /hr
1 x 10- 5 /hr
(a)
(b)
(c)
(d)
(e)
All values are rounded to the
Derived from averaged data on
nearest half order of magnitude on the exponent.
pumps, combining standby and operate time.
Approximated from plugging that was detected.
Derived from combined standby and operate data.
Derived from standby test on batteries, which does not include load.
Table III 2-2
111-11/12
TABLE III 2-3 COMPARISON OF ASSESSMErNTS I'ITH INDUSTRIAL FXPERIENCE
Active Mechanical Hardwarc
Component/Primary Lower Bounds ()Upper Bounds
Failure Modes Assessed Industrial(a) Assessed Industrial~a)
Pumps
Failure to start, Od
Failure to run, Y
(Normal Environments)
Failure to run, X.:o
(Extreme Environment)
Valves
Motor Operated
Failure to operate, Qd:
Plugs, Qd:
Solenoid Operated
Failure to operate, Qd:
Air Operated
Failure to Operate, Qd:
Check
Failure to open, Od
Reverse leak, X.:
Vacuum
Failure to operate, Qd:
Relief
Failure to open, Qd:
Manual
Plug, Qd
Pipe
Plug/rupture, ).o:3"1 diameter
3" diameter
Clutches
Mechanical
Failure to engage/disengage, Od:
3 x 10- 4 /d
3 x 10- 6 /hr
I x 10-4/hr
3 x 10-4/d
3 x 10- 5 /d
3 x 10- 4/d
1 x 10- 4 /d
3 x 10" 5 /d
1 X 10- 7 /hr
5 x 10- 5 /d
1 x 10- 7/hr
i x 10- 4/hr
2 x 10-4 /d
6 x 10-5/d (a)
2 x L0- 5 /d
1 x 10-6/d
2 x 10- 5 /d
1 x 10- 7 /hr
3 x 10- 3 /d 5 x 10- 3 /d
3 x 10-4/hr 1 x 10- 4/hr
1 x 10- 2/hr 1 x 10- 3/hr
3 x 10-3/d3 x 10- 4/d 7 x 10-2 /d(b)
3 x 10-4/d (a)
1 x lo- 5 /d 1 x lO- 5/d
3 x 10- 6 /d 1.4 x 10- 5 /d
x lo-5 /d 3 x lO-4/d(d)
3 x 10 -1 1
/hr 2 x 10-9/hr
3 x 10- 1 2
/hr 1 x 10-1 0
/hr
1 : 10- 4 /d I x 10- 4/,d
3 x 10 3 /d 6 x 10-3/d
1 x 10- 3 /d 2 x 10-2/d(c)
3 x 10-4/d 3 x 10- 4 /d
1 x 10- 6 /hr 1 x 10-6/hr
Sx lO- 4/d 1 x 10- 4 /d
3 x 10- 5 /d 3.6x lO- 5 /d
3 x 10-4/d 3 x lo-4/d(d)
3 x lo-8 /hr 5 x 10-6/hr(e)
3 x 10- 9 /hr 5 x 10-6 /hr (e)
1 x 10- 3 /d 4 x 10-3/d
TABLE 111 2-3 (Conti-nued)
Component/Primary Lower Bounds Upper BoundsFailure Modes Assessed Industrial? Assessed Industrial(a)
Clutches, electric
Failure to cperate, Q8 :
Motors, electric
Failure to start, Q
Failure to run, givenstart
(Normal environments),0
Failure to run, givenstart
(Extreme Environments),A:
0
Transformers
Open/shorts, ý 00
Relays
Failure to energize, QG:
Circuit Breakers
Failure to transfer, QG:
Limit Switches
Failure to operate, G :
Torque Switches
Failure to operateQd:
Pressure Switches
Failure to operate, Qd:
Manual Switches
Failure to transfer, Q.:
Battery Power Suppl:es
Failure to provideproper output, A Ss
Solid State Devices
Fails to function,0
(Hi power applicat-on)
Fails to function, X :(Low power applizatiSn)
I
I
x
S
10- 4/d
10- 4/d
1-
7
10 /d
10- 5 /d
!
!
x
X
10- 3/d
10-3/d
4
3
X
X
!0-3/d
10-3/d )
1 10 5/hr 5 x 10- 7 /hr 3 x 10- 5/hr
* 104 /hr
* 10- 7/hr
x 10-5/d
x 10-4/a
x 10-4/d
10- 4/hr
10- 7/hr
lo-5/d
10- 5/d
10-5 /d
3
3
3
3
3
3
3
10-2/hr
10- 6/hr
10-4/d
10- 3/d
10-3/d
10- 4/d
10-4/d
10- 5/d
I x 10-4/hr
3 x 10- 2 !hr
I x 10-6/hr
10 x /dg)
3 X o-3 /d
7 x 10- 4/d
Ix lo- 4 /d
I x 10- 3/d
.7 x 10-4/d(h)
6 X lo-6/hr
I x 0-4 /hr(i)
X
x
S
10 /d
10-5
10- /d
2 x 10- 5/d
5 ×In-5/a
3 10- /a
1 x l0-'/hr
2 x 10- 6/hr
i x 10- 6 /hr
3 x 10-'/hr
1 x 10- 5/hr
3 x 10- /hr
I x 10-7 /hr 2 x 10-7/hr Ix 10- 5 /hr 2 x 10-6/hr
TABLE III 2-3 (Continued)
Component/Primary Lower Bounds ()Upper BoundsFailure Modes Assessed Industrial(a) Assessed Industrial(a)
DieselsFailure to start, Qd: 1 x 102/d 1 x 10-3/d 1 x 10-1/d I x 10-1/d
-alr osat d 04 -4 -2 -3Failure to run, AO: 3 x 10 /hr I x 10 /hr 3 x 10 /hr 1 x 10 /hr(emergency loads) 0
Instrumentation
Failure to operate, Ao: 1 x 10-7/hr 3 x 10- 7/hr 1 x 10- 5 /hr 6 x 10-5/hr(j)
(a) Some demand values derived from data on continuously operating systems.
(b) Derived for values in high temperature sodium environment.
(c) Includes failures due to improper air supplies.
(d) These values derived from data on continuously operating system; only oneindustrial source listed this mode.
(e) Due to the varying unit of pipe lengths in the different sources (per foot, persection, per plant, etc.), the failure rates from the industrial sources haveextremely wide ranges. For detailed comparison of pipe failure rates see thespecial assessment section of this appendix.
(f) This value obtained from high temperature liquid metal test reactor applications.
(g) Data from average of all modes of relay failures.
(h) Data from average of all modes of switch failures.
Wi) This value derived from experimental reactor experience.
(j) Data from chemical industry.
Table III 2-3
111-13/14
Section 3
Current Nuclear Experience
3.1 INTRODUCTION
As an input t6 the range assessments,current, commercial, reactor experiencewas examined for component data. Therewas a definite problem in obtaining us-able data since reactor history has beenrecorded with little view towardquantitative evaluations. Sufficientquantitative characteristics are notgenerally recorded for the failure oc-currences,, there is little categoriza-tion and classification for statistical.and behavioral (trend) evaluations, andthere is little systematic storage ofthe data for quantitative evaluation andretrieval.
Ha4 more accurate nuclear data beenavailable, the ranges that were assessedin the data base could-have had narrowervalues. Precise detailed component 'in-formation was not obtainable; insteadgross, averaged statistics were esti-mated. Because of the random variableapproach, however, the averaged nuclearstatistics could be incorporated as im-portant data for the assessed dataranges.
In the assessment proce 'dure, involvingthe study's data base, the assessedranges were compared with the nucleardata values to ensure that the nucleardata were consistent with the definedranges and that the nuclear values didnot contradict the range assessments,
The averaged nuclear data values wereobtained by examining operating historyof nuclear power plants and manually ex-tracting data estimates, i.e., failurerates and demand probabilities, usingstandard reliability evaluation tech-niques. Comparisons of the nuclear datawith the assessed ranges have been givenin the previous tables. The evaluationsperformed to obtain the nuclear datavalues are reviewed in this section.Sunmmarized listings also are provided ofthe raw data employed in the evalua-tions. Also given are certain addition-al trend analyses which were performedin conjunction with the data estimationand which were considered in the. rangeassessments. In addition to the aver-aged estimations that were performed,which served as the basic data, otherinvestigations were performed in orderto check model and data adequacy. Thesewere done on an individual failure
level, where actual f ailure incidentswere examined. With regard to the f aulttree and event tree models, the inci-dents were examined to determine if thegeneral failure definitions in themodels included such particular occur-rences. With regard to the data base,the incidents were examined to see ifsuch mechanisms and causes were givencoverage by the total f ailure rate anddemand probabilities and their associa-ted ranges.
The experience examined in these failureinvestigations included 1971-1973 reac-tor incident f iles and operating occur-rence reports (including certain perti-nent earlier failures), Nuclear SafetyInformation Center files, environmentalreports, National Technical InformationServices files, RESPONSA information,individual published reports, and otherpertinent sources. These sources areincluded in the reference and bibliogra-phy listings given in this appendix,with brief sumiriaries of their use. Atabulated listing is given at the end ofthis section to show the nature of theinvestigations performed and thecons iderat ions undertaken.
3.2 NUCLEAR EXPERIENCE STATISTICS
Since experience history tended to bemore quantitatively deficient the earli-er it was recorded, recent 1972-73 ex-perience was examined for the sampleestimates of averaged statistics. Inparticular, the one year period fromJan. 1, 1972 through December 31, 1972was used to evaluate the summarized andaveraged nuclear data statistics, whichin turn were used in the rangecomparisons and consistency checks.Preliminary analysis of the experience,consisting of the period in 1973 todate, gave no gross differences comparedto the one year period sample.
In addition to the averaged statisticalevaluation, detailed nuclear history,including experience earlier than 1972,was examined on an individual failurelevel. As stated, the failure analysisserved as a check on the fault treemodels and event tree models which hadbeen constructed. Analysis of thefailure modes also served to check theadequacy of the failure rates and demand
111-15
probabilities which had been definite.At the end of this section, a tabulatedlisting is given summarizing the inves-tigations which were done.
The tables which follow are self-explanatory. The 1972 experience, usedfor the statistical analyses, was ob-tained from the listings which have beenrecently assembled by the Directorate ofRegulatory Operations, Office ofOperations Evaluation. The data listedare those reported by the utilities inaccordance with Regulatory Guide 1.6 andthe Technical Specifications in the AEClicense for the applicable reactors.
For the 19/2 time period, a total ofapproximately 700 failures and anomalieswere reported. Because of the constantfailure rate assumption, considerationwas restricted to those plants which hadoperated for the entire one year period.Also, only those failures which wererelevant to the data base categoriza-tions were considered (i.e. safety rela-ted failures). The total number offailures and anomalies evaluated wasthen reduced to 303.
Table 111 3-1 lists the 17 plants whichwere operational for the 1972 one yearperiod and which formed the data basefor the evaluations. of the 17 plants,8 were pressurized water reactors (PWR)and 9 were boiling water reactors (BWR).The table lists the number of failuresoccurring, subcategorized into thoseoccurring while the plant was in standbystatus and in operation status. The op-erating times have been rounded to oneyear, which is sufficient for the accu-racies being considered.
Table 111 3-2 categorizes the 303 fail-ures into generic component classes andexemplifies the type of categorizatonthat was performed to obtain statisticalestimates of averaged failure rates anddemand probabilities. For these stati*s-tical estimates, further detailed sub-classifications were not performed sincethe accompanying details were masked bythe basic data uncertainties and werecovered in the assessed ranges.
The averaged (standby) failure rateestimates were obtained by using thestandard equation, in applicable formhere:
n f
5 NP N cT
where
nf = number of failures observed
Np=number of plants (17)Nc average number of components
per plantT = observed (standby) time period
(8760 hr)
Since safety systems were examined, Ncis thus in general the average number ofcomponents associated with the safetysystems in an individual plant. Foreach class of failure, Nc was estimatedbased on average plant statistics whichconstituted sufficient accuracy withregard to data resolution and assessedrange widths.
Instead of failure rates, the failurestatistics can also be expressed interms of failure upon demand probabil-ities (or simply demand probabilities),Qd, which were obtained by using thestandard binomial estimate,
d N pN cNT
where N and Nc are as defined previous-ly and 9, is the average number of tests(demands) performed per component peryear. (The averaged demand probabilityhas an additional factor of 0.5.Because of the half-exponent roundingprocedure, this was not included.)
Tables 111 3-3 and 111 3-4 give thefailure rates and demand probabilitiesfor pumps, piping, control rods, die-sels, and valves, using the above formu-las and the summarized failure statis-tics in Table 111 3-2. Standard proce-dures, such as chi-square evaluations,can be used to obtain approximate confi-dence bounds on the component estimates.Such bounds at 90% were in general ofthe order of a factor of 3 to 10 inwidth. These bounds are not particular-ly pertinent nor applicable since theyrepresent the spread on the averagedestimate and do not account for theerrors due to the averaging processitself (i.e., lumping failures ofdifferent modes different componentpedigrees, etc.) .1
1 tshould be noted that these boundsare classical, confidence bounds andare not random variable related (i.e.for the classical bounds, the data aretreated as parameters and not randomvariables).
111-16
The estimates in Tables III 3-3 andIII 3-4 have been rounded to the nearesthalf exponent to conform with theassessment scale used in the study(i.e., 10-1.5 or 10-1, etc. giving 1 or3 as a significant figure for the fail-ure rates and demand probabilities). Atthe end of this section is a tabulatedlisting of the failures used to obtainthe various averaged nuclear estimateswhich served as input to the assessedranges. (The failures were also part ofthose examined on an individual levelfor model checking).
In addition to the averaged estimates,nuclear operating experience was used tocheck relative orderings of the assessedranges (highest failure rate, secondhighest, etc.). This ordering checkaided in determining whether the compo-nent failure rates were properly as-sessed on a relative scale.
The relative ordering investigations en-tailed an ordering of nuclear estimatesand then comparing this ordering withthe ordering of the study's assessedranges. The data used were those inTable III 3-2 and those listed at theend of this section. Checks were madeon recent 1973 experience, revealing nosignificant changes from the data al-ready used. With regard to absolutefailure occurrences from the nuclearhistory, valves dominated, contributing34% of the failures followed by instru-mentation 16%, pumps 8%, control rods(all failures) 8% and diesel generators7%. Miscellaneous and human failuresformed the remaining contribution.These statistics were in general agree-ment with those obtained from theassessed ranges and fault treeresults. 1
Finally, with regard to nuclear experi-ence statistics, common mode surveyswere performed to investigate componentfailure and dependencies in order togain additional perspective on the ade-quacy of the models and coverages givento common mode effects. The surveysperformed here served as checks on thecommon mode treatments of componentfailures including the quantitativecoverages given. (More details on themodel treatments are given in AppendixIV.)
IMore formally, from a statistical pointof view and when statistical tests wereperformed, the nuclear data did notcontradict (reject) the model resultsand data assessment values.
Common mode failures, which involvecommon causes, can be categorized in anumber of ways. One such categorizationwas given by Williams (Ref. 1) and withcertain modifications is used here.Four classes can be definedwith regardto gross system and component hardwareeffects:
a. Component Effect - A single failurewhich causes a group of redundant orsimilar components to fail.
b. System Effect - A single failure,which can be a Single componenthardware failure, that causes adefined system or combination ofsystems to fail (entailing loss of adefined function).
c. Interaction Effect - A single commonmode failure or single hardwarefailure, which causes a protectionfunction to be required and at thesame time renders that protectionunavailable.
d. Questionable Effect - As in generalwith data analyses, there is also afourth class which contains thosefailures with too little informationfor specific categorization.
In addition to effects, common modefailures involving common causes canalso be categorized with regard to theirbasic origin.
a. Design and Manufacturing Cause -Failures which are due to defectsand errors in design, manufacturing,quality control, etc.
b. Human Cause -to operatormaintenanceprocedure.
Failureserrors,errors
which are duetesting, andand lack of
c. Environment Cause - Failures whichresult from conditions and causeswhich are environmentally related,such as those beyond designenvironments.
d. Hardware Cause - Failures which aredue to inrierent component failures,which may include "infant mortali-ties" (burn-in failures).
e. Questionable Cause - Failures forwhich there is insufficientinformation.
The aforementioned four group and fivegroup categorizations are still somewhatgeneral, and overlappings can thereforeexist, perhaps causing problems with
111-17
regard to uniquely classifying thefailure. However, the categorization isuseful in general behavior and trendanalyses and when overlapping questionsarose, judgement was made on the domi-nant failure characteristic and thefailure was accordingly classified. Theclassifications and indentifications ofcommon modes have further imprecisenessdue to data deficiencies; however, theresults were deemed sufficient for thegeneral, overview purpose used.
Table III 3-5 shows a breakdown of the1972 experience into common mode andnon-common mode ("random failure")contributions by reactor. In general,of the PWR failures 10.5% were classedas common mode failures and of the totalBWR failures, 11.1% were assessed ascommon mode. Thus approximately 10% ofthe occurring failures were classifiedas common mode, and though this numberis not precise it indicates an order ofmagnitude type of contribution.
The breakdown of the common modefailures into the effect and causecategories is given in Table III 3-6.The tabulation of the common modefailures, is provided in the followingpages. The code in parentheses besideeach failure refers to the assessedeffect class (the alphabetic character)and the assessed cause class (the numer-ical character), where these charactersrefer to those previously used in thedefined classifications.
e All main steam line high-flowswitches failed due to the use oflead-base sealant in switch assembly.(B-5)
e Four flow switches failed because ofa jeweled bearing, which supports thetorque tube in each, became contami-nated; the bearing housing wasredesigned. (D-5)
* During the start-up from cold shut-down, fuses in power supplies for IRMchannels BD & F were blown; no causegiven. (D-5)
o Three LPCIS delta pressure switchesdrifted out of technical specifica-tion requirements (reactor at 100%power). (D-5)
e With reactor at 85% power low-lowreactor pressure switches driftedbelow technical specification limits.(D-5)
e Water hammer in a cross-over linecaused tack welds in 11 hangers tobreak; heavier tack welds wererequired to correct problem. (D-5)
o Suction .and discharge valves to off-gas samples were left closed; theprocedure was changed and the valveswere altered to make them "locked-open" valves. (D-2)
Thewerehavemode
following are reported events whichassessed to be common mode or tohigh potential for causing common
effects.
* Breaker interlock prevented onefrom starting on signal whenother pump breaker is racked(A-2)
pumpthe
out.
" The high flow isolation switches forthe high pressure coolant injectionsystem (HPCIS) drifted above thetechnical specification limits.These switches were not of the lock-ing type. Installation of lockingswitches corrected the problem.(A-1)
" All low pressure permissive switcheshad drifted above technical specifi-cation limits. Switches were changedto locking type. (A-l)
" Trip setting for emergency corecooling system (ECCS) was found to betoo low because of absence of anytype of a locking device. (A-l)
e Ten valves failed to close followingtest due to weak "torque switch tor-sion springs"; the weak springs, pre-vented the contacts to return to aclosed position. (D-l)
e Indicating lamps shorted out andactuated circuit breaker in powerline to motor and controller; used24v in lieu of 120v lamps to solveproblem. (D-5)
o Two reactor core isolation coolingsystem (RCICS) valves failed to opendue to inability of the 250v dcbreaker to pull in. (D-5)
* During testing all four low-low reac-tor water level sensors were found tobe out of adjustment. All had beencalibrated by the same person. (C-2)
* During testing of main steam line lowpressure switches, all 4 were found
a Flow switches oncoolant injectionpumps failed duepaddles; heavierinstalled. (A-5)
two low pressuresystem (LPCIS)to breakage ofduty switches
111-18
set (and locked) below technicalspecification limits of 850 psig.(D-2)
" The magnetic mercoid switches for themain condenser vacuum sensorb wereset too high. Sensing lines andvacuum header piping contained en-trapped condensate. (D-5)
* All low pressure switches on mainsteam line found set below technicalspecification limits after recentcalibration. (D-2)
" Two solenoid operated isolationvalves in torus sampling systemfailed to close on signal. Dust ac-cumulation on valve intervals hadcaused valve pistons to bind. (D-3)
" The 2" check valves on HPCIS turbineexhaust drain line let water into thedrain trap. Loose rust particlescaused valve plugs to bind. (D-3)
" The pump start permissive relayfailed to energize because the relaysused were not designed for 125 dcoperation, and the air gap on bothrelays was too large, requiring ex-cessive pull in voltage to energizerelay. (D-5)
" Water dripped into rod controlcabinets from main steam generatorfeedwater flow lines and groundedcontrol power to stationary grippercoil causing rods to drop into core.(A-l)
* With plant at 90% power 3 controlrods dropped into core due to failureof a multiplexing thyristor in themovable gripper coil circuit. (D-l)
" Feedwater control valve (valve forloop "C") failed, introducing feed-water transients into primary systemwhich resulted in a low pressuretransient, a reactor shut down, andinitiation of safety injection systemoperation. (B-5)
" During pre-operational testing ofTurkey Point Unit #4 a design errorin Unit #3 caused a simultaneous ac-tuation of Emergency Core CoolingSystem for both units. (D-1)
" In the emergency core cooling system,a leak in the upper diaphragm of apilot valve on the nitrogen pressureregulator caused the regulator toclose and the redundant regulatorcould not maintain the overpressure.(C-5)
* Failure of an overpower rod stop anda reactor trip bistable resulted froman incorrectly sized zener diode inthe regulated power supply. (D-5)
" Pressurizer level instrumentation;three narrow range level transmitterswere incorrectly calibrated. (D-2)
" Six steam generator (SG) blow downisolation valves failed to respond tosafety injection system signals.Temporary jumpers had been installedand technician failed to remove them.(D-2)
* Linkages on six solenoid valves thatcontrol main steam stop valves weresticking because of dirt accumulationin the area of the plunger on thesolenoid. (D-3)
* Zero settings for all narrow gaugepressurizer level transmitters werefound 5% below indicated value; thecause not determined, it could bedrift or incorrect calibration.(D-5)
" Cracks were found in welded joints ofboth feedwater lines for steamgenerators A and B; the investigationis continuing. (B-5)
3.3 1972 OPERATING INCIDENTS USEDFOR'STATISTICAL ANALYSES ANDINDIVIDUAL FAILURE ANALYSIS
Listed on the following pages are one-line summaries of the failures incorpor-ated in the statistical analyses. Thefigures cover a spectrum of severities;however, all were of sufficient magni-tude to warrant reporting as incidents.
a. Control Rods
Control rod (CR) No. 19 failed tofall into crie during startup.
CR No. 19 failed to drop fully andCR No. 18 dropped slowly.
CR No. 19 failed to insert fully andsubsequent slow insertion time.
CR No. 19 fell from 90" to 24" fol-lowing plant trip.
CR inspection showed several missingbolts and locking cups.
CR No. 19 hung up at 36" withdrawndue to embrittled spiral pin.
CR No. 20 hung up at 36.5" withdrawnduring scram time measurements.
111-19
Four CR's dropped 150 steps intocore and initiated load runback.
Four CR drives latched at 6" with-drawn due to dirt, broken carbonseals.
Three CR's dropped into core due tomultiplexing thyristor.
Three CR's dropped into core due tomultiplexing thyristor.
CR drive stopped to 02 position dur-ing scram, had to be manually drivenin.
CR failed to fully insert due to ex-cessive leakage across stop-pistonseals.
CR drive 22-31 automatically scram-med to the 02 position.
CR drive 22-31 seated at 02 positionduring scram due to excessive leak-age across stop-piston seals.
CR drive 22-31 seated at 02 positionduring scram.
CR drive malfunctioned due to failedseat on stationary face.
CR drive No. 19 malfunctioned due toprimary coolant leakage.
CR drive after scram following manu-al scram apparently due to scoredguide tube during CRDM repairs.
CR No. 26 failed to be withdrawn dueto open circuit on motor brakewires.
CR failed to stop; replaced 3 CRDMmotors and retested fourth.
CR failed to withdraw due to brakedragging.
CR failed to withdraw due to defec-
tive brake operation.
b. Diesels
DG No. 3 failed to start on remotesignal.
DG failed to start during test.
DG radiator coolant hose tore loosefrom recirculating heater outlet.
Propane engine-drive generator mal-functioned twice due to dirt incoil.
DG failed to start due to oil ondistributor points.
DG failed to start due to oil lubepressure switch setting drift.
DG failed to come up to voltage dueto failed exciter armature.
DG malfunctioned due to improperlyconnected plug at one of the termi-nals.
DG failed to start twice due to de-fective air start motors.
DG failed to start due to defectiveair start motors.
DG startup terminated due to highcrankcase pressure.
DG shut down due to high crankcasepressure. DG spurious trip due tohigh crankcase pressure.
DG spurious trip due to high crank-case pressure.
DG spurious trip due to high crank-case pressure.
DG failed to start due to rust par-ticles restricting bleed orifice inair relay.
DG failed to start due to dirt inpilot valve in the governor assem-bly.
Output fluctuations of DG due todirty contacts in droop relay.
DG tripped during hot standby due toloss of fuel supply.
DG failed to take additional loaddue to mechanical blockage.
DG malfunctioned due to high temper-ature of engine cooling water.
DG malfunctioned due to failure ofthe cooling radiator shutters.
c. Instrumentation
Low-flow scram signal failed to tripturbine.
Low-trip settings for condenser vac-uum below spec. due to water insensing line.
Radiation monitor alarm due to un-known causes.
111-20
Both neutron-monitoring startupchannels failed due to faulty triaxcable.
Low-low reactor water level sensorswere out of technical specifications(TS).
Line-break sensors hooked up back-wards valving "B" isolation conden-ser into service.
"A" and "B" isolation condensersfailed to be activated due to gaugecaught up scale.
Air pressure in scram valve pilotheader lost due to de-energizedbackup scram solenoid.
High flow differential pressureswitch failed.
Scram-dump-volume level switch fail-ed to actuate high level alarm.
Pressure bistable failed to de-energize due to bad soldered joint.
Two pressure switches for spray in-jection system (SIS) drifted aboveTS limit of 350 psig.
Low pressure scram switches in tur-bine EHC control system driftedbelow TS limits.
Low pressure switches on mainstreamline (MSL) found below TSlimits.
MSL low pressure switches driftedbelow TS limits.
MSL low pressure switches trip set-tings found below TS limits.
Switch in MSIV "hi-flo" circuitrusted shut due to water drainagefrom room cooler.
Two high pressure scram switch set-points drifted above TS limits.
Refueling interlock failure due tolimit switch failure as a result ofmisalignment.
RPS relay for No. 2 turbine stopvalve failed to de-energize.
Instrumentation for initiation ofcore spray and LPCIS - admissionvalves found out of TS limits.
Turbine control valve closure failedto initiate scram for generator-
turbine load mismatch due to brokenwire at connector to solenoid.
Isolation condenser flow switch outof 7specification due to drifted setpoints.
Reactor pressure switches trippedabove TS limits.
Reactor-level switch tripped out ofTS limits.
High-flux trip from pressure tran-sient caused by plugged filter inthe pilot valve.
LPCI low pressure switch switchfailed to signal injection permis-sive.
Water level trip point drifted belowTS minimum.
DP switch for high-flow steam supplyto isolation condenser failed.
Reactor vessel high-pressure-scrampressure switch tripped above TSlimits.
Time-delays in APRM logic trippedabove TS limits.
Level trip switch found out of TSlimits.
Turbine lockout occurred due to in-stabilities in the pressure regula-tor.
Position switch out of adjustmentfor the clean-up system aux-pumpsuction valve.
Sensor relay to the logic cabinet ofCRD system found inoperable.
High temperature isolation set pointdrift.
Flow switch torus-to-drywell vacuumbreaker failed in untripped condi-tion.
High-flow isolationsteam line failed.
sensor in main
APRM channels indicated lower thanactual core thermal power.
High-flow switch on isolation con-denser found over TS limits.
Low-pressure permissive switch setpoints drifted above TS limits.
111-21
High steam-flow switch on isolationcondenser above TS limits.
Reactor pressure scram setpointfound drifted out of specifications.
Low-pressure switch for ECCS foundgreater than TS limits.
Pressure switch on MSLOB below TSlimits.
Off-gas monitor set point found inexcess of T.S. limits.
Startup pressure channel failed.
d. Valves
Core spray valve CS-lI failed toopen due to improper limit switchsetting.
Emergency condenser system valvesMO-101 and 102 failed to open due tohigh torque switch settings.
ECCS, SIS nitrogen pressure regula-tor upper diaphram pilot valve leak.
Air-operated containment isolationvalve failed to operate due to theSOV-432 solenoid pilot valve fail-ure.
Emergency condenser condensate re-turn valve motor power supply break-er tripped.
Condensate return valve on emergencycondenser failed to operate.
Emergency condenser Limitorque con-densate return valve failed to oper-ate.
Containment isolation valve failedto close due to defective solenoidvalve SV-4876 in the controller.
Loop "C" feedwater valve faulty.
Discharge valve to the refueling-water storage tank failed due toexcessive binding of packing andstem.
Containment isolation valve in fuelpool/reactor drain line to radwastefailed to close due to defectivesolenoid valve SV-4876.
Recirculation isolation valve failedto open due to over-torquing ofclutch shaft.
Containment isolation valve failedto close due to solenoid valve airleakage.
Containment purge exhaust bypassisolation valve air leakage due tocracked yoke.
Containment purge exhaust bypassisolation valve air leakage due tocracked yoke.
Main steam isolation valve (MSIV)leakage due to pilot valve stemmisalignment.
Condensate return valve failed toopen due to burned out motor.
Main steam isolation valve failuredue to AC control unit.
Main steam isolation valve leakagedue to pilot valve stem misalign-ment.
Main steam isolation valve failed toclose due to sticking pilot valve.
Electromatic relief valve failed toreset due to foreign material invalve seat.
Main steam isolation valve leaked.
Main steam isolation valve leaked.
Suction recirculation pump valvefailed due to inoperable valve oper-ator.
Recirculation system valve leakagedue to packing leakage.
Suction recirculation pump valvefailed due to damaged valve opera-tor.
MSIV closure due to pressure vesseloverfill and relief valve failure.
Safety relief valve relieved belowdesign pressure.
Retainer valve leakage due to dam-aged disc-retainer and valve-bodythreads.
Feedwater check valve and air-operated butterfly valve leaked dueto worn rubber seats.
HPCI inboard steam isolation valvefailed to open.
Air-operated primary containmentsample return isolation valve failedto close due to physical bindinq.
111-22
HPCI motor-operated valve failed toopen due to valve jamming afainstseat.
Turbineoperaterelay.
control valve failed todue to faulty load-mismatch
HPCI motor-operated valve failedopen due to burned relay coil.
to
LPCI valve failed to close due todisconnected wiring.
LPCI valve failed to operate due totripped thermal valve motor overloadbreaker.
Main stop valve/control valve slowclosure due to broken wire.
Primary containment rubber-seatedvent valve leaked due to crackedseat.
Primary containment rubber-seatedvent valve leaked due to crackedseat.
Containment sump isolation valvefailed to operate due to incorrectmounting.
HPCI valve failed to operate due tobroken disk.
MSIV failed to close due to bindingin latching mechanism.
Air-operatedsample returnto close duethe valves.
primary containmentisolation valve failedto physical binding on
No. I turbine control valve fast-acting solenoid failed to actuatedue to contamination.
Containment isolation valve leaked.
MSIV slow operation due to stickingpilot valve.
Safety valve leakage.
No. 4 turbine control valve fast-acting solenoid failed to actuate.
Inboard isolation valve failed toclose due to tripped motor overloadbreaker.
HPCI electromatic relief valve fail-ed to open.
HPCI steam valve in drywell failedto open during reactor startup.
Isolation condenser valve failed toopen due to faulty valve operator.
MSIV in "BI steam line failed due tooil leak in fitting.
Inboard steam-isolation valve failedto close due to tripped breaker.
HPCI electromatic relief valve fail-ed to open due to scored disc.
Vacuum pump suction valve failed toclose fully.
No. 4 turbine control valve failed.
LPCI torus spray isolation valvefailed to operate due to galling.
Containment sump isolationfailed to operate.
Containment sump isolationfailed to operate.
valve
valve
Containment sump isolation valvefailed to operate due to air leakagepast regulator.
Feedwater control valve erratic op-eration due to dirt in air supply.
LPCI valve failed to open due toimproperly adjusted position switch.
MSL stop control solenoidlinkages fouled due to dirt.
valve
Power-operated relief valve stuckopen.
Diesel generator solenoid pilotvalve failed to open due to dirtparticles.
MSIV closed completelysheared pin in the linkage.
du e
MSIV closed completely duesheared pin in the linkage.
MSIV closed completely duesheared pin in the linkage.
Power operated relief valve fjto close due to scored guide.
to
to
to
aiied
Stop valve failed due to limitswitch setting.
HPIC valve malfunction caused byplastic pipe cap oil hydraulic con-trol system.
111-23
HPIC turbine control valve malfunc-tion due to plastic pieces in pilot-valve oil inlet.
HPCI turbine exhaust check valveleaked.
ECCS outboard head spray-isolationvalve failed to close due to adjust-ment.
Stop-check valve failure due to discrupture.
Containment isolation valve seatleakage.
HPCI outboard steam isolation valvefailed to close due to motor fail-ure.
Low-flow feedwater containment iso-lation valve leak due to cut seatsurface.
Main steam stop valve on SG failedto close due to faulty, motor opera-tor.
Main steamfailed todrive-motor
isolationopen duewindings.
valve on SGto short of
'e failed toMain steam stop valvclose due to worn gear.
HPCI exhaust check valve discseparated from valve hinge.
found
MSIV inoperable due to broken drumon limit switch.
Limitorque valve inoperable due tobroken support bearing for gearshaft.
Pump emergency primary makeup systemsteam-admission valve failure due tolinkage.
Relief valve failure in primary makeup system.
e. Pipes
Desuperheating water line of thesecondary steam system failed due toa crack.
HPCI steam-supply isolation valvefailed to close due to packing leak-age.
HPCI exhaust check valve disc rup-
ture.
Group I relief valve malfunction.
Outboard main steam drain isolationvalve failed to close due to loosemounting screws.
Recirculation pump discharge valvestuck due to damaged threads.
Relief valve "A" failed to reseatdue to rust particles lodged acrossvalve orifice.
Relief valve failed to close due todeposits on second-stage piston ori-fice.
Primary system relief valves re-placed due to spring problems.
Safety relief valve failed to oper-ate due to drift in setpoints.
Safety relief valve malfunction.
Reactor vent line failure dueleaky fitting of reducer nipple.
to
Drain line from coil of second stagereheater failed due to cracks atweld edge.
Bent line to MSIV weld failure dueto cracks as a result of excessiveline motion.
Discharge line of the emergencyservice water pump failed due to arubber expansion joint rupture.
Recycle line to the floor drainsystem leakage due to erosion of thecarbon steel elbow.
Small indentations on piping.
Defective fittings on the feedwaterflow DP cell.
Hanger tack welds failed as a resultof water hammer in the cross-overline.
Atmospheric control system 18"header cracked.
Carbon steel elbow leaked downstreamof steam-trap.
Torus-to-drywellvalve problems duevalve operators.
vacuum-breakerto binding in
Air-operated vacuum-breaker valveboot seals found depressurized.
Air-operated vacuum-breaker bootseals found depressurized due toexcessive clearance between actuat-ing arm and pilot valve.
111-24
f.. Pumps
Shaft thread wear on the feedwateroil pump.
Excessive steam leakage past thecontrol slide valve.
Primary coolant leakage due to pumpseal leakages.
ECCS core spray pump failed due tocircuit breaker binding and burnedout check switch contacts.
Fire in oil supply line to turbinedriven feedwater pump.
ECCS core spray pump failed due tocircuit breaker misalignment andburned out latch-check switch con-tacts.
ECCS containment-spray pump startfailure as a result of corrodedbreaker contacts.
Pump failed to operate due to faultyinterlock.
Pump in SIS loop failed to start dueto improper wiring.
LPCI pump failed to start due tointermittent breaker contacts.
Standby sampling pump inoperative
due to fouled oil lubricator.
Sample pump tripped prematurely.
Excessive leakage to primary con-tainment due to recirculation pump"A" seal leakage.
Containment spray pump failed torotate freely due to galled impellerring.
ECCS pump failure due to faultypump-start permissive relay.
Standby liquid control pump failedto develop sufficient head.
Residual heat removal system (RHR)pump failure due to ground fault byair deflector.
RHR pump failure due to upper glandseal overtightness.
Standby liquid control pump failedto develop sufficient head.
Sample pump tripped due to personnelerror.
Feedwater pump failure due to over-heating of hydrostatic bearings.
Charging pump secured due to crackin sbcket weld.
Recirculation pump failed due toseal leak.
Sample pump "A" removed from servicedue to faulty motor leads.
3A INDIVIDUAL FAILURE ANALYSIS LISTING
Listed here are investigations and con-siderations that were given to incidentsthat have occurred in nuclear operatingexperience. The tabulations are a sam-ple and serve to illustrate the type ofanalyses that were performed in checkingthe fault trees and calculations againstactual, individual failure experience.In contrast to the previous statisticalanalysis of the incidents, the incidentsin this phase of the analysis were exam-ined in a more individual engineeringmanner for model checking purposes.
1. Connecticut Yankee Atomic Power Co.(Connecticut Yankee) #96
a. Problem. During a routine op-eration inspection severalseismic support hold-down boltson the sliding supports for thesteam generators were. loose.Subsequent investigation foundeight bolts broken and fifteenothers suspected of beingbroken. There are a total of256 hold-down bolts on the foursteam generators.
As noted by the incident reportthis is the second instance ofsignificant bolt failure rela-tive to seismic supports.
b. Reactor Safety Study (RSS)Action. Questions related to
re-'-dequacy of the seismicdesign for Category 1 structuresystems and components wereinvestigated by the study on asample basis. The results ofthis work are reported in Ap-pendix X.
2. Consolidated Edison Co. (IndianPoint 2) #49
a. Problem. Eight anchor boltsfailed in tension and 1200 ofthe weld which joins the roofdome to the tank wall of thecondensate storage tank failed.This tank provides the source
111-25
of make up water to the secon-dary system. At the time offailure the tank contained morethan 31,000 gallons but lessthan 80,000 gallons of water.(Design capacity is 600,000gallons). Ambient temperaturewas 200 to 25OF and the windwas from the east to southeastwith heavy gusts up to 35 MPH.
b. RSS Action. Consideration ofpassive failures of the conden-sate tank and supply lines tothe auxiliary feed system hasbeen given in fault tree analy-sis of the auxiliary feed sys-tem.
3. Duke Power Co. (Oconee) #51
a. Problem. Twenty-one of thefifty-two inconel in-core in-strument stub tubes (0.75 inch-ID schedule 160) that penetratethe bottom of the reactor ves-sel broke off inside the ves-sel. The break occurred in thevicinity of the weld that joinsthe stub tube to the bottom ofthe vessel. One additionalstub tube had failed at thesame location but was not com-pletely sheared. Five addi-tional tubes had failed in thevicinity of the flow distribu-tor plate and several otherswere bent at a point 2-3 inchesabove the seal weld. In addi-tion a thermocouple guide ex-tending from the top vesselhead had failed and one accel-erometer used in measuring vi-bration had become detached.
Pieces of the failed stub tubeswere found throughout the reac-tor coolant system, ranging insize from small buckshot topieces approximately 2" in di-ameter. This caused extensivedamage to the tube sheet andtubes in steam generator "A"and lesser damage to the tubesprojecting above the tube sheetin generator "B".
b. RSS Action. Failure of the in-core tubes caused loose partsto occur within the reactorcoolant system (RCS). In thisparticular case, which involvedthe first of a line of vendorplants, the hydraulic designdeficiencies were found in ini-tial plant operations and cor-rected. The occurrence ofloose parts within the RCScould potentially result in
some flow blockage within thecore and cause fuels to over-heat. As noted in Appendix I,the study gave consideration topotential consequences result-ing from flow blockage.
4. Rochester Gas & Electric Co.(Ginna) #53
a. Problem. Dynamic stress analy-ses of the pressurizer safetyvalve installation in the pri-mary system indicate higherreaction forces during safetyvalve discharge than originallyconsidered, preventing isola-tion in the event of a failure.The analyses also indicate thatan overstressed condition wouldexist on virtually all of the3" and 4" pipe and fittingsbetween the pressurizer nozzlesand the safety valves.
b. RSS Action. The PWRtrees for small LOCA:
event
" Specifically recognize thefailure possibility of safe-ty valve headers, inadver-tently stuck open safetyvalves and relief valves.
" Specifically define combina-tions of safety features(ECCS) that would be re-quired to operate in case ofthe pressurizer vapor spaceLOCA.
" Have numerical estimates onthe failure probability forsuch ECCS combinations aswould be required for thevapor space LOCA, since sucha LOCA could cause uniqueECCS actuation characteris-tics which are also recog-nized and considered in theRSS event trees.
5. Consumer Power Co. (Palisades) #55
a. Problem. During inspection ofthe primary side of SteamGenerator "B" a foreign objectbelieved to be the head and
"shoulder of one of the boltswhich lock the ring shim in theupper guide structure assemblywas found. The bolts were 304SS 2 1/4" long with a nominal1/2" thread and a 3/4" x 1"shoulder. Preliminary metal-lurgical examination indicatesthe failure mechanism as fa-tigue.
111-26
b. RSS Action. Refer to previouscomment on item 3 (incident51).
6. Consolidated Edison Co. (IndianPoint 2) #57 and #59
a. Problem. Mechanical binding ofthree control rods during test-ing at operating temperatureconditions were experienced.Apparent cause of this incidentis attributed to a guide sheathundersized condition. Boro-scopic examination revealedevidence of scratching, metalgalling and conditions thathave the appearance of weldsplatter.
b. RSS Action. This type of fail-ure contributed to the database for control rod failures.The fault trees also identifymechanical binding as a possi-ble failure mode for componentswhere appropriate.
7. Virginia Electric Power Co. (Surry-1) 163
a. Problem. While attempting tocontrol the reactor primarycoolant temperature by ventingsteam from the secondary sideof the steam generators to theatmosphere, the operator at-tempted to open the three atmo-sphere steam power reliefvalves; however these valvesfailed to open. An attempt wasthen made to initiate ventingthrough the back up decay heatrelease system. When the decayheat relief control valve wasopened, the valve dischargenozzle (4 1/2" OD) disengagedfrom the exhaust vent as aresult of the initiating reac-tion force permitting the re-lease of secondary steam to asmall room of the turbinebuilding.
b. RSS Action. This condition wasconsidered as a contributor tothe failure of the auxiliaryfeedwater system since the pos-sibility of steam dischargeinto the room where the secon-dary safety/relief valves arelocated, could interact withthe auxiliary feedwater systemwhich could be needed to con-trol plant heat removal follow-ing such high energy linebreaks.
8. Consolidated Edison Co. (IndianPoint) #65
a. Problem. Removal of the entireunirradiated core from thereactor vessel. The core con-sists of pressurized fuel rodswhich have experienced claddingcollapse during long term irra-diation. The collapse of thecladding has been attributed todensification of the pelletsafter prolonged service.
b. RSS Action. The impact of fueldensification as it concernsfuel cladding temperature mar-gins during plant accidents andtransients is covered in theAEC's licensing process and bythe AEC's acceptance criteriafor the design and performanceof emergency core cooling sys-tems. These analyses establishconservative thermal marginsfor full performance where den-sification is significant.
9. Georgia Power Co. (Hatch #1) #52
a. Problem. Flaws discovered attwo recirculation inlet nozzlesof the Reactor Pressure Vessel.On one nozzle a crack having anapproximate dimension of 0.6inches in the through-wall di-rection, located in the heataffected zone between the weldmetal and vessel plate materi-al.
b. RSS Action. This particulartype of incident is accountedfor predicting the probabilityof pressure vessel failure.
10. Commonwealth Edison Co. (QuadCities 2) #56
a. Problem. Failure of four pipehangers that support the 24Nring suction header locatedoutside of the pressure sup-pression pool (Torus).
b. RSS Action. Failures of thistype were examined to assesstheir contribution to pipefailure data. Failure of theheader appeared as a potentialfailure mode of the vapor sup-pression system.
11. Commonwealth Edison Co. (QuadCities 1) #58
a. Problem. The rapid closing oftwo-circulating water system
111-27
reverse flow valves caused therupture of an 8 foot diameterrubber expansion joint in thedischarge line. As a result ofthe failure approximately600,000 gallons of river waterentered the turbine building.The flooding of the turbinebuilding resulted in the lossof safety related equipment,i.e., cooling water pumps fortwo of the three station emer-gency diesel generators, allfour service water pumps forunit 1 residual heat removalsystem and the station seismo-graph.
b. RSS Action. Pumps, valves andother equipment associated withEngineered Safety Systems havebeen examined as to their ele-vations and physical locationsrelative to important sourcesof water and included in faulttrees where appropriate.
12. Northern States Power Co. (Monti-cello) #61
a. Problem. Loss of generatorexcitation caused a turbinetrip and reactor scram. Agroup 1 isolation signal ofundetermined cause was re-ceived, resulting in the clos-ing of the main steam isolationvalves. During the ensuingpressure transient the reactorreached a maximum pressurelevel of 1140 psig. Reliefvalves A, B, and C operated butrelief valve "D" failed tooperate. The "A" safety valveoperated (1220 psig setpoint)and the thermocouple for the"D" safety valve showed a tem-perature increase indicatingthat it may have leaked a smallamount of steam. A high dry-well pressure alarm was alsoreceived. The Emergency CoreCooling systems, with the ex-ception of the High PressureCoolant Injection system (HPCI)which was isolated for surveil-lance testing started automati-cally.
b. RSS Action. Relief valve fail-ures have been identified as afailure event on the automaticdepressurization system (ADS)tree and failure of the HPCIsystem to operate due to isola-tion for surveillance testinghas been identified on the HPCIfault tree.
13. Commonwealth Edison Co. (Quad Cit-ies 2) #62
a. Problem. A fire in a cabletray resulted in the loss of"B" recirculation pump anderratic indication on some ofthe control room process in-strumentation and damage to 24electric cables. A controlledreactor shutdown was initiated.
b. RSS Action. The routing andseparation of safety system ca-bles in trays has been coveredin the common mode failureanalyses.
14. Commonwealth Edison Co. (Quad Cit-ies 2) #64
a. Problem. The "B" recirculationpump tripped due to a problemin the speed control unit.
b. RSS Action. This type oftransient is within the normalplant operating capability.However, this transient couldresult in a demand for reactorshutdown and is included in thedata for initiating events forthe transient event trees.
15. Commonwealth Edison Co. (Dresden 2)#66
a. Problem. In service inspection(Radiography) of "B" main steampiping showed the main steamflow restrictor to have failedat the weld securing the down-stream cone. The loose conelodged immediately upstream ofthe inboard MSIV.
b. RSS Action. This weld failureresulted in a loose part withinthe reactor coolant system.Loose parts that might inter-fere with the operability ofsystems and components, e.g.,valves, were considered in thefault tree analyses.
16. Commonwealth Edison Co. (Dresden,1, 2, and 3) #69
a. Problem. Failure of 40-50 feetof the dike for the 1275 acrecooling lake. Condenser cool-ing water supply was transfer-red to the Illinois river.
b. RSS Action. Loss of pump basinwater as been identified as afailure event on the high pres-sure service water (HPSW) and
111-28
emergency service water (ESW)fault trees.
17. Millstone Point Company (Millstonei) #70
a. Problem. Two of the four feed-water spargers contained cir-cumferential cracks in thevicinity of their attachmentwelds. One sparger crack ap-peared to penetrate the fullwall thickness and was, atleast, one-half of the spargercircumference in length.
b. RSS Action. Cracks such asthese could potentially lead tofailure of the spargers. Thesparger failur'e could lead toloss of the feedwater system.Failure of the feedwater systemis included in the 'transientevent trees. Operating datawere used to estimate transientevents with loss of feedwater.
18. Boston Edison Co. (Pilgrim 1) #71
a. Problem. After experiencing aflow-biased flux scram theoperator manually opened onerelief valve to reduce systempressure, the, valve failed toreseat. Approximately 10,000gallons of water (primary) wasdischarged to the torus.
b. RSS Action. Operation of arelief valve and subsequentfailure of the valve to closerepresent a small LOCA if thefeedwater system fails to make-up the coolant inventory. Thetransient event tree analysisincluded stuck-open reliefvalves for both success andfailure of the feedwater systemto supply make-up inventory.
19. Vermont Yankee Nuclear Power Corp.(Vermont xankee) 172
a. Problem. An increase in stackrelease rate was experiencedwhile operating at 100% power(1593 MWT). Maximum releaserate reached was 20,000 UCi/sec. Reactor power was reducedto 70% and release rate reducedto 18,000 uCi/sec.
b. RSS Action. This type ofincident pertains to routineeffluent releases and is notrelevant to the RSS study ofreactor accidents.
20. Vermont Yankee Nuclear Power Corp.(Vermont Yankee) #73
a. Problem. A fire occurred inthe' station unit auxiliarytransformer following a turbinetrip and subsequent motoring ofthe main generator. Cause ofthe fire was apparent failureof mal-operation of protectivebreakers for the generator andturbine.
b. RSS Action. Failure of majorelectric components that canresult in failure of the elec-tric power system to engineeredsafety features is • identifiedon the fault trees and in com-mon mode analyses.
21. Niagara Mohawk Power Corp. (NineRile Point 1) #75
a. Problem. Premature actuationof a-safety valve resulted inrelease of primary steam to thecontainment drywell. A turbinetrip also occurred.
b. RSS Action. Turbine trips orinadvertent safety valve actua-tions have been covered by thetransient event tree analysis.
22. Vermont Yankee Nuclear Power Co.(Vermont Yankee) #76
a. Problem. Turbine gland sealfailure while turbine was onthe turning gear caused a smallquantity of primary steam toleak from the turbine sealsinto the turbine building.
b. RSS Action. This type of fail-ure could potentially result ina reactor shutdown which isaccounted for in the transientevent tree analysis.
23. Vermont Yankee Nuclear Power Corp.(Vermont Yankee) #77
a. Problem. Failure of a start uptransformer caused the loss ofstation electric power and aresultant scram. During theensuing primary system tran-sient three of four reliefvalves actuated but one couldnot be verified to have openeddue to a thermocouple malfunc-tion.
b. RSS Action. See comment foritem 14.
111-29
24. Vermont Yankee Nuclear Power Corp.(Vermont Yankee) #79
a. Problem. While calibrating thepump speed control system anincrease in speed of one recir-culation pump occurred. Theensuing transient resulted in aprimary system pressure in-crease and an increase in thestack release rate from 0.05Ci/Sec to 2.5 Ci/Sec.
b. RSS Action. See comment foritem 19.
28. Boston Eidson Co. (Pilgrim 1) #87
a. Problem. Strike against BostonEdison Co. by the UtilityWorkers of America (UWUA Local387).
b. RSS Action. Not applicablethe considerations definedthe Reactor Safety Study.
toin
25. Millstone Point Co.Point 1) #80
(Millstone
29. Vermont Yankee Nuclear Power Corp.(Vermont Yankee) #89
a. Problem. Lightning struck thetop of the ventilation stackdisabling one of the two stackgas monitoring systems and thearea gamma radiation monitor.The lightning also caused anexplosion in the off-gas holdupsystem.
b. RSS Action. See comment foritem 19.
30. Commonwealth Edison Co. (Quad Cit-ies 2) #82
a. Problem. A manufacturing errorto provide a specified chamberat the junction weld betweenthe control rod blade sheathand the control rod blade lim-iter casting could result in aledge that would interfere withfuel assemblies when the bladeis within one inch of the fullyinserted position.
b. RSS Action. This anomaly doesnot appear as a fault conditionon the fault trees because in-sertion to one inch of fullinsertion is deemed adequate.
26. Jersey Central Power & Light Co.(-Oyster Creek) #78
a. Problem. A malfunction reliefvalve caused a blowdown of theprimary system following a re-actor scram. During the ensu-ing transient one relief valvefailed to reseat discharging50,000 gallons of primarycoolant to the torus.
b. RSS Action. See comment foritem 18.
27. Millstone Point Co. (Millstone 1)#85
a. Problem. During inspection ofthe reactor internals, crackswere discovered in the NE andNW feedwater spargers. Themaximum crack was estimated tobe 4 inches long and 1/32inches wide.
b. RSS Action. See comment foritem 17.
a. Problem. A lightningcaused failure of adisc in the off-gassystem.
strikeruptureholdup
b. RSS Action. See comment foritem 19.
31. Commonwealth Edison Co. (Dresden 2)#83
a. Problem. Explosion in the off-gas system while making modifi-cations.
b. RSS Action. See comment foritem 19.
32. Vermont Yankee Nuclear Power Corp.(Vermont Yankee) #93
a. Problem. Lightning struck theventilation stack disablingboth stack gas monitors and thearea gamma radiation moni'oralso causing an explosion inthe off-gas holdup system.
b. RSS Action. See comment foritem 19.
33. Iowa Electric Light & Power Co.(Duane Arnold) #92
a. Problem. Possibility that thefuel bundles have a manufactur-ing defect in the lower tieplate castings.
111-30
b. RSS Action. Defects oftype potentially involvesiderations pertinent toblockage and emergencycooling functionability.Appendices I and V.
thiscon-flowcoreSee
34. Vermont Yankee Nuclear Power Corp.(Vermont Yankee) 497
a. Problem. Inspection of fuelbundles revealed cracks in 5 ofthe fuel bundle channels.
b. RSS Action. See comment foritem 33.
35. Millstone Point Co.Point 1) #90
(Millstone
a. Problem.led totion ofblades.
Assembly errors whichthe inverted installa-
some control rod
b. RSS Action. Analysis indicatesthat the fission process can beadequately controlled eventwith blades installed in thisfashion.
36. Boston Edison Co. (Pilgrim 1) #94
a. Problem. Inadvertent openingof the "D" target relief valveand failure to reseat.
b. RSS Action. See comment foritem 18.
37. Jersey Central Power and Light Co.(Oyster Creek) #95
a. Problem. During routineswitching of electric loads tothe startup transformer result-ed in temporary loss of elec-trical power to essentialequipment due to an improperlyset tap on a differential cur-rent relay.
b. RSS Action. The fault tree forthe electrical power systemidentifies faults which couldcause an outage of power tosafety system equipment includ-ing operator error for wrongset points.
38. Vermont Yankee Nuclear Power Corp.(Vermont Yankee) #100
a. Problem. During control rodfriction drive tests on onecontrol rod with the reactorvessel head removed, a scramoccurred from high flux levels.
Investigation revealed that anadjacent control rod was in thefully withdrawn position.
b. RSS Analysis. Events such asthis one are not significant inthe overall accident analysis.
39. Baltimore Gas and Electric Co.(Calvert Cliffs) #67
a. Problem. A concrete void inthe-area of the containmentvertical tendon bearing plateson the inside rings was detect-ed. One void has a depth of 12inches encompassing a surfacearea of 15 square inches ex-tending to the proximity of anadjoining bearing plate. In asecond bearing plate a concretevoid 6 inches deep over asurface area of 10 squareinches with a crack at thebottom of the void.
b. RSS Action. Lack of concreteconsolidation and voids wereconstruction deficiencies iden-tified during plant construc-tion and prior to plant opera-tion. This detection andcontrol is indicative of imple-mentation of a program of qual-ity assurance during the con-struction phase. If this typeof deficiency had remainedundetected in contruction, itcould have affected thestrength of the containmentbarrier if the containment weresubjected to high overpressuresafter a loss of coolant acci-dent. Consideration was givento the possible existence ofsuch containment deficienciesin the study's estimation ofpredictable containment failurepressures. See Appendix VIII.
40. Virginia Electric and Power Co.ASurry 1) #68
a. Problem. A bonnet gasket on aT14inch main feedwater linecheck valve failed releasingapproximately 1000 gallons ofsecondary system water into thecontainment building.
b. RSS Action. Data on gasketfailure and valve externalleakage are a part of the database where calculations havebeen performed to predictfailure rates.
111-31
41. Yankee Atomic Electric Co. (Yankee)#74
a. Problem. Indications of bind-ing uring operations of thecruciform control rods promptedvisual inspections which re-vealed two control rods hadbeen displaced and that tiedown bolts for the shrouds hadseparated and were located onthe vessel lower core supportplate.
b. RSS Action. See comments underitem 6 regarding control rodbinding and under item 3 re-garding loose parts.
42. Southern California Edison Co. (SanOnofre 1) #81
a. Problem. An earthquakemagnitude of 5.2 on'thescale was detected bydetectors. No damageported.
with aRichterseismicwas re-
b. RSS Action. The Design Ade-quacy portion of the ReactorSafety Study checked the capa-bility of a plant to carry thedesign stresses produced by anearthquake. See Appendix X.
43. Florida Power and Light Co. (TurkeyPoint 3) #84
a. Problem. Loss of power from anExide inverter while instrumen-tation was in a 1 out of 2scram logic condition causingreactor shutdown and loss ofoffsite power.
b. RSS Action. Analysis of thistype of incident is covered inthe electrical power systemfault trees because the failurecauses reactor shutdown. Tur-bine trip has been evaluatedfor its contribution to loss ofoffsite power to the plant.Its contribution to transientinitiating events is covered bythe transient event tree.
44. Southern California Edison Co. (SanOnofre 1) #88
a. Problem. While the reactor wasshWutdown and maintenance wasbeing performed on one of theoffsite electrical sources forthe plant, the alternate off-site electrical feed to theplant was interrupted by theinadvertent actuation of a dif-
ferential current protectionrelay. This resulted to a lossof all offsite power into theplant, and the contributingfault was attributed to improp-er grounding of protection sys-tems for the main stationgenerator. The emergency on-site power source (provided bytwo diesel generators) startedand operated the necessaryplant heat removal equipment.After about 3/4 of an houroperation, a malfunction involtage regulator for onediesel generator resulted in anoverload trip of both theemergency onsite power sources.A momentary (about 1 minute)interruption of the emergencypower source occurred as aresult of this common fault.
b. RSS Action. Considerations(through fault trees, eventtrees and data application)were given to such types offaults that could result in aninterruption and loss of boththe offsite and onsite sourcesof electrical power for theplant. Assessment of the prob-ability and consequences fromsuch an event as loss of allelectric power to a plant wasan important part of this studyeffort.
45. Consumers Power Company (Palisades)#98 and ROE 74-3
a. Problem. Mechanical Vibrationsof Reactor Internals. Inspec-tion revealed the following:
1. All expansion-compensatingring bolts were found bro-ken.
2. Measurements in the proxim-ity of the upper guidestructure reveal that thecore support barrel isnominally 1/4" lower thanas-built drawings specify.
3. The core support barrelflange has worn a ledge inthe vessel flange permit-ting the core supportbarrel flange to be verti-cally displaced.
4. A groove approximately1/16" deep and 1/4" widewas worn into the reactorvessel head flange when the
111-32
compensating ring madecontact with the vesselhead.
b. RSS Action. Analysis indicatesthis relates to ECCS functiona-bility questions which arecovered in Appendix V.
46. ýFlorida Power and Light Co. (TurkeyPoint 3 & 4) #99
a. Problem.- Utility workers onstrike with threats of sabotageof a main generator at theplant.
b. RSS Action. Potential acci-dents due to sabotage have notbeen an explicit part of theReactor Safety Study.
47. Consumers Power Co. (Milford 1 & 2)
a. Problem. Deficiencies inCadweld splicing of concretereinforcing bars.
b. RSS Action. See comment foritem 39.
48. Consolidated Edison Co. (IndianPoint 2) #102
a. Problem. A crack in the 18inch feedwater line to steamgenerator #2 resulted in thedischarge of water and steam tothe containment vessel. Thecrack was not isolatable fromthe steam generator. The crackis located several inchesinside the containment vessel,is circumferential, extends ap-proximately one half the cir-cumference of the pipe, and
appears to be associated with afillet weld, joining the endplate of the containment pene-tration bellows assembly to thefeedwater line.
b. RSS Action. Pipe ruptures forall systems show on individualsystem fault trees. Pipe leaksand ruptures are also coveredby the data base.
49. Virginia Electric Power Co. (Surry1) #103
a. Problem. Loss of flow in the
UXAImain coolant loop due to a
broken pump shaft in ReactorCoolant Pump (RCP) "A". Thebreak was 15 inches above theimpeller, between the thermalbarrier and the lower pumpbearing.
b. RSS Action. This event result-ed in a loss of flow in one RCSloop. Such transients areaccounted for in the plantdesign. Potential shutdowns ofthe reactor are covered by thetransient event tree.
50. Duke Power Co. (Oconee 2) #106
a. Problem. The failure of a re-actor coolant pump seal causedleakage of primary water to thefloor of the containment build-ing.
b. RSS Action. Leakage due to thefailure of a coolant pump sealis within the capability ofnormal RCS inventory make-upsystems. The event trees con-sider small LOCA conditionsmore severe than this event.
Reference
1. Williams, HAL., "Reliability Evaluation of the Human Component in Man-MachineSystems", Electrical Manufacturing, 1958, 4, 78-82.
111-33
TABLE 111 3-i NUMBER OF FAILURES BY PLANT SHOWING FAILURES DURING STANDBY A•;DOPERATIONS
1972DATA
Months roursPlant Oper. Oper. %
Reactor Type Standby Oper. Time Time Standby Oper.
Dresden 1 BWP. 1 2 12 8760 33.4 66.6
Yankee PWR 8 5 12 8760 61.5 38.5
Indian Point 1 PWR 7 12 12 8760 36.8 63.2
Humboldt Bay 3 BWR 5 7 12 8760 41.7 58.3
Big Rock Point BWR 4 3 12 8760 57.1 42.9
San Onofre I PWr 3 7 12 8760 30.0 70.0
Haddam Neck PWR 0 3 12 8760 100.0
Nine Mile Point 1 BWR 7 13 12 8760 35.0 65.0
Oyster Creek BWR 10 19 12 8760 34.5 65.5
Ginna PWR 1 5 12 8760 16.7 83.3
Dresden 2 BWR 8 20 12 8760 28.6 71.4
Point Beach 1 PWR 2 4 12 8760 33.3 66.7
Millstone 1 BWR 7 22 12 8760 24.1 75.9
Robinson 2 PWR 3 17 12 8760 15.0 85.0
Monticello BWR 10 34 12 8760 22.7 77.3
Dresden 3 BWR 4 22 12 8760 15.4 84.6
Palisades PWR 6 22 12 8760 21.4 78.6
86 217 204 148,920 xxxx xxxx
TABLE Il 3-2 NUMBER OF FAILURES BY PLANT COMPONENT/SYSTEM"
VR w i 1 14 00 P oin4 r-' 0 2 0 . 1=4 U C 3 0 c U~ C E
Humbold U) 3 1 524 1 w 12
Bg0o o' 214 * =.1 244 r 0to nor 12 X 4j $4 C 14 w M 1 -M4 t 0
4' 0 4' 4' to U to 0 4j 4' C 0 w I . A >. M. U '
41e C C C wie 3 3 14 =Reactor M 0 0 0 w C 1 -4 0 044 W 0 4 20
m0 U in 0 w v3 w 0 H~ C A. a. 0. 0 E- E- : N. v
Dresden 1 1 2 3
Yankee Rowe 5 3 1 1 2 13
IndianPoint1 2 2 0 2 1 2 1 8 1 19
Humboldt Bay 3 1 2 1 1 1 3 3 12
Big RockhPoint 2 2 1 2 7
SanM nofre 1 1 2 2 3 1 1 10
Connecticut Yankee 3 3
NineMilePoints 2 1 1 1 8 4 3 20
Oyster Creek 1 1 2 5 4 3 1 6 3 3 29
Ginna 1 1 1 1 2 6
Dresden 2 3 11 10 4 28
Point Beach 1 1 1 2 1. 1 6
Millstonel1 1 12 2 2 1 3 1 6 29
Robinson 2 2 3 1, 1 1 7 1 4 20
Monticello 5 2 1 1 5 1 21 6 2 44
Dresden 3 7 1 115s 226
Palisades 7 3 1 3 1 9 3 1 28
TOTALS 2 0 23 1 21 3 4 4 7 48 14 11 2 7 1 3 102 24 26 303
TABLE III 3-3 NVERAGED FAILURE RATE ESTIMATES
(Rounded to nearest half exponent)
PWR FR COHtEINED
NN n. N N nf Xs/hr T K 1 n Xs/hrComponent T pc - ks/hr T pcc P f
Pumps 8760 400 6 1 x 10-6 8760 450 18 3 x 10- 6 8760 850 24 3 x 10-6
Piping(a) 8760 280k 3 1 x 10 9 8760 315k 8 3 x 10 9 8760 595k 11 1 x 10-9
Control rods(b) 8760 400 4 1 x 10-6 8760 1350 2 1 x 10-7 8760 1700 6 3 x 10-7
-55Diesels 8760 24 9 3 x 10- 8760 27 12 3 x 10 8760 51 21 3 x 10-
Valves 8760 2312 32 1 x 10-6 8760 1467 70 3 x 10-6 8760 3842 102 3 x 10-6
Instruments 8760 2560 6 3 x 10-7 8760 3042 44 1 x 10-6 8760 5613 50 1 x lo-6
(a) Failure rate given in units of per hour per foot, where 280k denotes approximately 280,000 ft.
(b) Failure rate per hour per rod, for failure to enter.
TABLE III 3-4 AVERAGED DEMAND PROBABILITY ESTIMATES
(Rounded to nearest half exponent)
PWR BWR COMEINED
Component nf NpNc T Q d nf p c T Qd nf P T
Pumps 6 400 12 1 x 10-3 18 450 12 3 x 10-3 24 850 12 1 x 10-
Control Rods 4 400 12 1 x 10 2 1350 12 1 x 10 6 1700 12 3 x 10-
Diesels 9 24 12 3 x 10-2 12 27 12 3 x 10-2 21 51 12 3 x 10-2
Valves 32 2312 12 1 x 10-3 70 1467 12 3 x 10-3 102 3842 12 1 x I0-3
Instruments(a) 6 2560 1.5 1 n 10-3 44 3042 1.5 1 x 10-2 50 5610 1.5 3 x 10-3
(a) Average number of instrumentation testsinstrumentation.
obtained from histogram of test distributions for safeguard
Table III 3-1 - Table III 3-
111-35/36
TABLE III 3-5 1972 FAILURE CATEGORIZATION INTO RANDOM VERSUS COMMON MODE
PWR BWR
Random Comnmon Mode Random Common Mode
Reactor Number Percent Number Percent Number Percent Number Percent
Dresden 1 3 100.0
Yankee Row 12 92.3 1 7.7
Indian Point 1 19 100.0
Humboldt Bay 3 10 83.3 2 1E.7
Big Rock Point 5 71.4 2 28.6
San Onofre 1 9 90.0 1. 10.0
Haddam Neck 3 100.0
Nine Mile Point 1 17 E5.0 3 15.0
Oyster Creek 27 93.1 2 6.9
Ginna 4 66.7 2 33.3
Dresden 2 24 85.7 4 14.3
Point Beach 1 4 66.7 2 33.3
Millstone 1 28 96.6 1 3.4
Robinson 2 18 90.0 2 10.0
Monticello 37 84.1 7 15.9
Dresden 3 25 96.2 1 3.8
Palisades 25 89.3 3 10.7
TOTAL 94 11 176 22
TABLE III 3-6 COMMON MODE EFFECTS AND CAUSES
PWF. BWR
(percent) (percent)
A. Component Effect 9.1 22.7
B. System Effect 18.1 4.5
C. Interaction Effect 9.1 4.5
1. Design, etc. Cause 27.3 13.6
2. Human Cause 18.2 18.3
3. Environment Cause 9.1 13.6
4. Hardware Cause ---- 6.3
(OTHERS QUESTIONABLE)
Table III 3-5 - Table III 3-6
111-37/38
Section 4
Expanded Final Data Assessment
4.1 JINTRODUCTION
Tables 111 4-1 and 111 4-2 in this sec-tion present as a separate tabulationthe final assessed data base utilized inthe study. The information is extractedfrom the tables in section 2 and in-cludes further elaboration on applica-bility considerations for safeguardrelated components. Except for pumps,the applicable environment for thesetables consists of standard operationalnuclear power plant conditions (as char-acterized in the model descriptions).The assessed ranges cover variationswhich can occur in these environments.Pump failure to 'run, given successfulstart, was also assessed for extremetemperature and pressure conditionscharacterizing a severe accident. Table111 4-3 gives additional data assess-ments for post-accident conditions forcertain other components relevant to thestudy. A discussion is provided for acomponent when further relevant detailsare applicable.
The tables contain the assessed rangesfor the data, the median value of therange and the error factor. The rangerepresents a 90% probability, or ("con-fidence level"), associated with therandom variable approach. The median isa reference value for the range; thereis a 50-50 chance that the data value iseither higher or lower than the medianvalue. The error factor is the upperlimit of the range divided by the medianvalue. Since the median is the geomet-ric midpoint, the error factor is alsothe median divided by the lower limit.The values given in the tables arerounded to the nearest half exponentvalue (i.e., 1 or 3 appearing as thesignificant figure). Units for the dataare probability per demand, "d", or perhour, "hr".
4.1.1 NOTES ON PUMPS
a. Test and Maintenance.
Generally, those test and mainte-nance situations where an overridefeature can automatically return thepump (or other devices) to opera-tional status, given demand willhave no test and maintenance contri-bution to unavailability. Distribu-tions on test and maintenance actdurations are used to account for
variations in the times required tocomplete the act from plant to plantor situation to situation. Testingtimes include the time required tomake the minor repairs incidental tothe tests.
Testing the pumps within the safetysystems requires isolation of thepump under test in the majority ofcases. This results in a contribu-tion to unavailability due to pumpdowntime. In general, the probabi-listic contribution is derived fromthe test act duration time whichranges (90%) from 15 minutes to 4hoursi under a log-normal distribu-tion.' From this range, the meantest duration time (downtime) isthus 1.4 hours (tD =1.4 hours fortest).
Maintenance on the pumps ranges induration from 30 minutes to severaldays. From this range the meanmaintenance act duration tD is 37hours. maximum outage during pow-ered operation may be limited to 24hours on pumps other than thoselocated inside containment. Use ofthe 24 hour limit as an upper boundgives a mean maintenance act dura-tion, (tD), of 7 hours. Pumps lo-cated inside the containment vesselare permitted by specification to bedown singly for a maximum of 72hours during plant operation. Theassociated mean duration time forthese particular pumps is tD = 19hours.
In general, the test period forsafety system pumps is fixed by thespecification at monthly intervals.The test frequency is theref'ore ap-proximately constant at 1 'act permonth. The nominal test contribu-tion to unavailability, OT, is theratio of mean test act duration time(tD), to test interval.
t DQT= _#Hr~s7Month
1See section on test and maintenancedata.
111-39
Non-routine maintenance ranges frommonthly to yearly with a mean pumpmaintenance interval of 4.5 montht/act or a mean frequency of mainte-nance of 0.22 acts/month. The main-tenance contribution to unaVailabil-ity QM is a function of themaintenance frequency (f), meanmaintenance act duration (tD), andmaintenance interval. The equationfor QM is given by the equation
tDoM - f x D/
when tD is now the average mainte-nance downtime. Substituting valuesinto the above equations will givenumerical values for QM.
b. Environments.
The safety pumps located outsidecontainment are not likely to besubjected to abnormal environmentalconditions in the event of theassumed loss of coolant accidentwith the exception of a temporarychange in temperature and radiationlevel of the pumped fluid. Sincethese pumps are designed for suchconditions, the assessments foroutside pumps are based on perform-ance data from similar pumps opera-ting under design-conditions.
The pumps located inside containmentmay be subjected to a much moresevere environment during the periodfrom the accident to the time thatthe safety system can reduce thetemperature, pressure, humidity, andradiation levels to near normal.This extreme environmental conditionhas a chance of subsiding within 24hours.
The levels of the immediate post-accident environment cannot be de-termined exactly, but conditionsgenerally representative of the ac-cident were used in a series of pumpqualification tests for the insidepumps. These tests were non-exhaustive. The results. of thesetests and experience data from pumpperformance in test re.actors oper-ating at extremely high temperatureswere considered in making the as-sessments for pumps inside contain-ment. Recovery to near normal envi-ronmental conditions is likely toincrease the probability of contin-ued pump operation. Experience andtesting (Ref. 1, 2, 3, 4) have re-vealed, however, some degradation inlubricants, bearings, and motor in-
sulation after exposure, possiblydegrading pump performance givensurvival of the initial 24-hour per-iod. To account for the potentialdegradation, a failure probabilitybetween normal and abnormal condi-tions is assigned with sufficientassociated uncertainties to accountfor the possibility of deviations.
4.1.2 NOTES ON VALVES
a. Failure Modes.
Failure of a valve to operateincludes changing state from closedto open or open to closed. Failureto remain open (plug) refers toreduction of flow to an unusablelevel due to foreign material orgate failure, etc. Not included inthe data is the contribution for aninadvertent or false signal drivingvalves closed. Instances of valvegates separating from drive stemsand lodging in a closed position(while the valve monitors continuedto indicate open) have been reportedin nuclear operating experience.
b. Test and Maintenance.
Motor operated valve test act dura-tion times range from 15 minutes to2 hours (90% range) with a mean testtime tD of 0.86 hours (log-normal).No downtime test contribution isobtained if the valve has a testoverride feature which automaticallyreturns the valve to an operationalstatus given demand. The positionmonitors used on automatic valvesdetect the position of valve drive;they do not determine flow or posi-tion of valve gate. Hence monitor-ing does not influence fault dura-tion time for failure to remain open(plug) failure modes.
Valve outages for maintenance rangefrom 30 minutes to several days witha mean maintenance duration tD of 24hours. Maintenance acts on certainvalves may be limited to 24 hoursduring powered operations by speci-fication. Under these conditionsthe mean act duration time tD is 7hours. The mean maintenance actfrequency f is 0.22 acts per month.Thus,
tD fQT - M.' QM " M ,
where tD in the first equation isthe test downtime and in the second
111-40
equation maintenance downtime. Sub-stituting will yield the applicablenumerical values for QT and QM.
c. Environments.
In general, valves withinsystem operate on demandfew minutes after theHence degradation dueaccident environments issignificant within theuncertainties.
the safetywithin aaccident.
to post-deemed notassociated
4.1.3 NOTES ON PIPE - TESTING
Certain safety piping is tested monthlyduring the tests on pumps within thesafety system. Certain portions of thepiping however are incapable of beingperiodically tested except during theinitial tests prior to final licensingof the plant.
Therefore the failure rate assessmentswere applied to both standby pipes(safety) and active pipes (process) withlarge uncertainties to account for thepossibility of either extreme. Thesafety assessments are given in units ofper section per hour with a sectiondefined as an average length betweenmajor discontinuities such as valves,pumps, etc. (approximately 10 to 100feet). Each section can include severalwelds, elbows and flanges. See specialassessment section of this appendix formore details.
4.1.4 NOTES ON MOTORS
In many instances, pumps and valveswithin the safety system are driven byelectric motors. Available experiencedata do not permit separation of motorfailure from pump failure. Therefore,separate motor failure rates for pumpand valve drive motors should not beincluded. The assessments above applyto those electric motors that functionindependently of the pump and valves.
4.1.5 NOTES ON RELAYS - FAILURE MODES
The available data do not completelyisolate separate causes of failure;hence the above failure modes are notnecessarily independent. For example,failure rates for failure to energizeincludes failure of the normally opencontacts to close. Hence relay andcontact failure rates in general shouldnot be combined together to determineoverall relay failure rates. Individualcontributions, however, can be employedwhere there are individual, separateeffects on the system. Examples arefailure of contact of a multiple contact
relay, or shorts to power (which couldeffect power circuit) if these modeshave a unique, individual effect on thesystem.
4.1.6 NOTES ON SWITCHES - FAILURE MODES
The data do not uniquely separate thecauses of failure; hence the abovefailure modes are not necessarily inde-pendent. Failure to operate includesfailure of contacts. In general, thecontact contribution should not be addedto the switch contribution to determineoverall switch failure rate. As withrelays, when separate, individual ef-fects occur, individual contact contri-butions can be computed (such as formultiple contact switches).
4.1.7 NOTES ON BATTERIES - FAILUREMODES
The emergency dc power system involves58-60 series connected lead cadmium orlead calcium battery cells to form a 125volt supply. Two 125 volt systems areseries connected to obtain 250 volts.These batteries are constantly chargedby chargers and the open circuit outputvoltage monitored at regular intervals.The significant failure mode in thisarrangement involves failure to provideadequate output voltage under emergencyload conditions. Failures by shorts toground or internal shorts within cellsare likely to be detected quickly withnegligible resulting fault durationtime.
4.1.8 NOTES ON SOLID STATE DEVICES
a. Environments. High power applica-tion is defined as application incircuits involving currents of 1ampere or above and/or voltages - 28volts and above.
b. Failure Modes. The available datadonot permit separation of the
causes of failure in all cases;hence the above failure modes arenot independent. Failure rates forshorts should not be added to ratesfor failure to function unlessspecial consideration of shortfailures is necessary due to uniqueeffects on the system.
The relatively large error factorson solid state device assessmentsreflect the potential variation fromapplication to application. Forparticular situations, a detailedanalysis could yield narrowerbounds.
111-41
4.1.9 NOTES ON DIESELS
a. Test and Maintenance. Certain spe-cific tests on emergency dieselgenerators render the power plantunavailable for use in the event ofa demand on the equipment. Theduration of these tests ranges from15 minutes to 4 hours with a meantest act duration time tD, of 1.4hours.
Maintenance acts on diesels range induration from 2 hours to 160 hours.The mean maintenance act duration is21 hours. If specifications limitthe maximum diesel outage duringplant operation to 24 hours theassociated mean is then 13 hours.
b. Failure Modes. The demand probabil-ities on failure to start involvesthe complete plant including start-ers, pumps and fueling systems.Because of possible variance in theredundancy of auxiliary equipment,the operational failure rate for theengine is separated from theoperational failure rate for thecomplete power generator system.
c. Environments. These above dataapply to diesel operation in normalenvironments. Diesels operating inextreme weather conditions or withexhaust outlets near the intake airvents, etc., may have significantlyhigher operational failure rates dueto the sensitivity of the system tointake air quality. These should beassessed on an individual basis.
4.1.10 NOTES ON INSTRUMENTATION -FAILURE MODES
The data for shift in calibration incor-porate a variation of drift magnitude.These data may be pessimistic if usedfor instrumentation with wide'opera-tional tolerance bands. In these casesindividual assessment should beperformed.
The relatively large error factors asso-ciated with instrumentation assessmentsreflect the wide variation in configura-tion from application to application.For any particular instrumentation sys-tem, a detailed analysis may be done toobtain narrower bounds.
4.1.11 NOTES ON WIRES AND TERMINALBOARDS - FAILURE MODES
The failure rates for wires are based ona typical control circuit wire sectionwith soldered and lug connections tocomponents and terminal boards. The
circuit consistsconnections withthese connectionsminals on terminal
of approximately 30approximately 20 ofcomprised of lug ter-boards.
The data do not permit a unique separa-tion of failure modes in all cases;hence the failure modes listed for wiresand terminals are not necessarily inde-pendent. Probabilities for defectiveterminations should not in general beadded to wire probabilities to obtainoverall circuit probabilities. Separateterminal board data are provided forthose cases in which unique systemeffects exist.
4.2 SUMMARY OF POST ACCIDENTASSESSMENTS
Table III 4-3 summarizes the assessmentspertaining to leak failures of the con-tainment system, and the associatedhardware in the post-accident situation.At the time of a severe loss-of-coolantaccident the pressure within the con-tainment system may rise to 40-45 psigfrom normal operating pressures. Thispressure rise is expected to be rapid,but should subside in a few minutes ifthe safety system performs as intended.In the event of safety system failure,the conditions may exceed the designlimits of the system. Those assessmentsderived from data from hardware oper-ating within design limits apply only toconditions given safeguard system opera-tion.
4.2.1 NOTES ON CONTAINMENT HARDWARE -TEST
Normally the containment system is at orslightly below atmospheric pressure withcontinuous monitoring of the internalcontainment environment; hence signifi-cant leaks occurring prior to an acci-dent should be quickly detected. Thecapability of the system to withstandhigh pressure is verified at three yearintervals by pressurizing the system tothe design levels.
4.2.2 GENERAL DATA BEHAVIOR
The assessments used in the study aregrouped and plotted in the followingfigures to show trend and class behav-ior. In the assessment process, thesetypes of plots were also used to helpcheck the overall consistency of thefinal data base.
Figure III 4-1 is a summary of therelative failure assessments for seven
III-42
classes of switching components. 1 Theassessments are plotted as demandfailure probabilities, and are shown indescending order of magnitude.
Figure III 4-2 is a summary of therelative failure assessments for fiveclasses of valves. The assessments areplotted as demand failure probabilities,and are shown in descending order ofmagnitude.
Figure III 4-3 is a summary of theassessments for the operational failurerate of pumps, given proper start forthree different environmental levels.
1 The figures are at the end of the text.
The plots are in operational failurerates per hour and are shown in decreas-ing severity of the environment.
Figure III 4-4 is a summary of thedemand failure probabilities for fourgeneral classes of hardware. Class 1contains heavy mechanical equipment suchas diesel generators; Class 2 electro-mechanical devices such as motors,clutches, etc.; Class 3 includes mechan-ical devices such as pumps and valves;and Class 4 electrical equipment such ascircuit breakers, relays, etc.
Figure III 4-5 is a summary of the grossleak and rupture assessments for thepassive safeguard and containment asso-ciated hardware.
References
1. WCAP-7744, "Environmental Safety Features Related Equipment, Volumes 1 and 2
(NSSS Standard and Nonstandard Scope)," December 1971, J. Locante, E. G. Igne.
Non-Proprietary Class 3.
2. WCAP-7829, "Fan Cooler Motor Unit Test," April 1972, C. V. Fields. Non-Proprietary Class 3.
3. WCAP-7343-L, "Topical Report - Reactor Containment Fan Cooler Motor Insulation
Irradiation Testing", July 1969, J. Locante (Westinghouse NES Proprietary Class
2).
4. WCAP-7396-L, "Safety Related Research and DevelopmentPressurized Water Reactors - A Program Outline, SpringR. M. Hunt (editor). (Westinghouse NES Proprietary Class 2)
for Westinghouse1969," April 1969,
111-43
TABLE 111 4-1 SUMMARY OF ASSESSMENTS FOR MECHANICAL HARDWARE
Computational ErrorComponents Failure Mode Assessed Range Median Factor
Pumps
(includes
driver)- Failure to start
on Demand , Qd
Failure to run,
given start, AO
(normal environ-
ments)-
Failure to run,
given start, A0
(extreme, post
accident environ-
ments inside
containment):
Failure to run,
given start, a
(post accident,
after environ-
mental recovery].
Failure to operate,
Qd (includesdriver) (b):
Failure to remain
open, Qd (plug) (c).
X .s
Rupture, A .5
3x10-4 _ 3x10 3/d
3x10-6 _ 3xl-4 /hr
l0- lxl 0-2
/hr
3x10-5 - 3xl0 3/hr
ixl0-3/d
3xl0 -5 /hr
ix10- 3/hr
3x10 4/hr
ix1O-3/d
xO-4/>X10- /d
3x10 7 /hr
ixl0- 8/hr
3
10
10
3
3
3
10
Valves
Motor
Operated:
-43x10
3x10-5
lxl0-7
lxl0-9
- 3xl0- 3/d
- 3xl04 /d
- xl0- 6/hr
- x10- 7/hr
TABLE III 4-1 (Continued)
Components Failure Mode Assessed Range Computational ErrorMedian Factor
Solenoid
Operated:
Air-Fluid
Operated:
Check
Valves:
Vacuum
Valve:
Manual
Valve:
Relief
Valves:
Failure to operate.,(d) :
Failure to remain
open, Qd(plug):
Rupture, As:
Failure to operate,
Od (a):
Failure to remain
open, 0 d (plug):
A :
Rupture, AS:
Failure to open,Od:
Internal leak, Ao
(severe):
Rupture, AS:
Failure to operate,Od:
Failure to remain
open, 0 d (plug):
Rupture, AS:
Failure to open,
Qd:
Premature open,
A :0
3xl0_ 4- 3xl0 3/d
3xl0 5
1x10_9
- 3x10_ 4 /d
- 1x10 7 /hr
lxlO _ 1x10 3 /d
3xl10
1x10 7
1x10 9
- 3x10 4/
- 1x10_6 /hr
- 1x10 7 /hr
ix10-3 /d
lxl0 4/d
lxl0 8/hr
3x10- 4/d
I0-4/
3xlO-7 /hr
ixl0- 8/hr
lxl -4/d
3xl0 7/hr
lxl0-8/hr
3xl.0-5/d
lxlO 4/d
lxl0- 8 /hr
3xlO-5 _ 3xlO-4/d
1x10 7
lx0 1 9
- 1x10_6 /hr
- 1X10 7 /hr
1x10_5 _ 1X10 4 /d
3xl0 5
1x10 9
- 3x10-4/d
- lxl0- /hr
3X10-6 _ 3X10- /d
3x10 6_ 3x10 5 /hr
ixl0- 5 /d
lxl1 5/hr 3
TABLE III 4-1 (Continued)
Components Failure Mode Assessed Raroe Computational ErrorC Median Factor
Test Valves,
Flow Meters,
Orifices: Failure to remain
open, Qd (plug). Ixl -_ l10- 3/d 3x10-4 /d 3
Rupture, X.: lX0- 9 - lxl0-I/hr Ix0-8 /hr 10s
Pipes
Pipe 4 3"
dia per
section Rupture/Plug,
3xlG - 3xl0- /hr ixl0-9 /hr 30
Pipe 1 3"
dia per
section. Rupture/Plug.
s, X : 3x10 -12 3xlO-9/hr Ix10- 10 /r 30
Clutch,
mechanical: Failure to operate,
Qd(d) IxlO-4 -xl- 3/d 3xlO-4 /d 3
Scram Rods
(Single): Failure to insert, 3x10- - 3x10-4 /d xl0- 4/d 3
(a) Demand probabilities are based on the presence of proper input control signals.For turbine driven pumps the effect of failures of valves, se.asors and otherauxiliary hardware may result in significantly higher overall failure ratesfor turbine driven pump systems.
(b) Demand probabilities are based on presence of proper input control signals.
(c) Plug probabilities are given in demand probability, and per hour rates, sincephenomena are generally time dependent, but plugged condition may only bedetected upon a demand of the system
(d) Demand probabilities are based on presence of procer input control signals.
Table III 4-1
111-45/46
TABLE Ill 4-2 SUMMARY OF ASSESSMENTS FOR ELECTRICAL EQUIPMENT
Computational ErrorComponents Failure Mode Assessed Range Median Factor
Clutch,
Electrical:
Motors,
Electric,
Failure to operate,(a):
Premature dis-
engagement, Xo"
Failure to start,
Qd (a):
Failure to run,
given start, X0(normal environ-
ment) :
Failure to run,
given start, X0(extreme environ-
ment):
Failure to(a).
energize, Qd
Failure of NO
contacts to close,
given energized,
X:0
Failure of NC
contacts by
Opening, given
not energized,
A:0
Short across NO/NC
contact, X.:
Coil open, A0:
Coil Short to
power, A0 :
Ixl0-4 - ixI0-3/d
-xl0-7 _ lXl0-5/hr
ix10 -4 _ lxl0- 3/d
3x10 -6 _ 3xl0 -5 /hr
lxl0 -4 1 xl0 2/hr
3klO -5 3xlO -4/d
xl0 -7 1x10 -6/hr
3xlO -8 3xlO -7/hr
3x10-4/d
lxl0 6/hr
3x10 4/d
3
10
3
ixl0- 5
/hr
Relays:
lxl0 3/hr
-4lxlO /d
3xl0 7/hr
lxl0 7/hr
lxl0- /hr
lxl0 7/hr
10
3
3
3
10
10
1x10 9
1x108
- lxl0 7/hr
- xl0-6
ixl0-9 - lxl0 7/hr ixl0-8 /hr 10
TABLE III 4-2 (Continued)
Computational ErrorComponents Failure Mode Assessed Range Median Factor
Circuit
Breakers: Failure to transfer,
Qd (a):
Premature transfer,
X:0
3xl0 4
3xl0 7
3x10 3/d
3x10- 6/hr
lxl0 3/d
lxlO 6 /hr
3
3
Switches
Limit:
Torque:
Pressure:
Manual:
Switch
Contacts:
Failure to operate,
Qd:
Failure to operate,Od:
Failure to operate,
Qd:
Failure to transfer,
Od:
-Failure of NO
contacts to close
given switch
operation, Ao0
Failure of NC by
opening, given
no switch
operation, A.:
Short across NO/NC
contact, A :o
1x10 4
3x10 5
3xl0 5
3xl0 6
_ ixl0-3
/d
_ 3x10 4/d
_ 3x10- 4 /d
- 3xl0-5
/d
3x10-4 /d
Ixl0-4 /d
lxl0 4/d
Ixl0- 5 /d
lxl0 7/hr
3xl0 8/hr
lxl0 8/hr
3
3
3
3
10
10
10
lxl0-8 - lxl0 6/hr
3xlO09
1X10 9
3xl0 7/hr
ixl0 /hr
Battery
Power
Systems
(wet cell): Failure to provide
proper output, As: lxl0-6 _ 1xl0- 5 /hr 3xl0 6/hr 3
TABLE III 4-2 (Continued)
Computational Error
Components Failure Mode Assessed Range Median Factor
Transfcrrers: Open Circuit
primary or
secondary, )0*
Short primary to
secondary, X :0
3x10 - 3xl0 6/hr
3x10 -7 3xl0 6/hr
Ixl0-6 /hr
Ixl0- 6/hr 3
Solid State
Devices, Hi
power Appli-
cations (diodes,
transistors,
etc.): Fails0
to function,
Fails shorted,
x:o
3x10-7 _ 3xl0-5/hr
-xl0-7 _ xl0-5/hr
3xl0 6/hr
lx10-6/hr
10
10
Solid State
Devices,
Low power
Applications: Fails to function,
a:
Fails shorted:
ixl0-7 _ ix10-5 /hr
-xl0-8 - ixl0-6/hr
i!-6/hlxl0-6/hr
lxlO_ /hr
10
10
Diesels
(Complete
plant): Failure to start,
Qd:
Failure to
run, emergency
conditions,
given start,A:
0
Failure to run,
emergency con-
ditions, given
9tart, X.:o
Ixl0-2 _ lxlD 1/d
3x10-4 _ 3xl0 2/hr
3x10 2/d
3xl0 3/hr
3
10
Diesels
(Engine
only):
3x10-5 - 3xl0 3/hr 3xl0 4 /hr 10
TABLE III 4-2 (continued)
C Computational ErrorComponents Failure mode Assessed Range Median Factor
Instrumenta-
tion - General
(Includes
transmitter,
amplifier and
output
device): Failure to operate,
xo: lxlO-7 _ lxlO-5/hr x10- 6/hr 10
Shift in calibra-tion, Ao: 3xl0- 6
- 3xl0- 4 /hr 3xl0- 5 /hr 10
Fuses: Failure to open,
Qd: 3xi0- 6 - 3x10- 5 /d lx10- 5 /d 3
Premature open,Ao: 3x10- 7 _ 3xl0- 6 /hr lxl0- 6 /hr
Wires
(Typical
circuits,
severaljoints): Open circuit, A 0: lxl0- - lxl0- 5 3xl0 6/hr 3
Short to ground,
Ao: 3x10- 8 - 3xl0-6/hr 3xl0-6/hr 10
Short to power,
Ao: lx10-9 - xl0- /hr xl0-8 /hr 10
Terminal
Boards: Open connection,
xo: lxi0-8 - lxl0-6/hr ixl0- /hr 10
Short to adjacent
circuit, Ao: lxl09 - lxl0- 7 xl0-8/hr 10
(a) Demand probabilities are based on presence of proper input control signals.
Table III 4-2
111-47/48
TABLE III 4-3 SUMMARY OF POST ACCIDENT ASSESSMENTS
ode (a) As d Ra Computational ErrorComponent Failure Median Factor
Welds
(containment
quality): Leak, Xo(post
accident, serious): lxl00
- lxl0 /hr 3xl0 9/hr 30
Elbows,
Flanges,
Expansion
3oints
(containment
Cuallty): Leak, A0 (post
accident, serious): lxlO-8 - lxlO /hr 3xl- /hr 30
Gaskets
(containment
quality): Leak, X0 (post
accident, serious): lxl0 - ixl0- /hr 3xl0- /hr 30
(a) For assessments of containment system rupture probabilities, see the special
assessment section of this appendix.
Table III 4-3
111-49/50
o 10.2
I x10,3.
J 'l
-,•0--_ I-' I-I xi"
6 g -
FIGURE III 4-1 Relative Failure RateAssessments - Switches
I x IOr3= | I I
..... I-i 1 x '.4 __
1x 10-4
I 10
1I~i0-r
lxlO5
0"
FIGURE 111 4-2 Relative Failure RateAssessments - Valves
(1) Failure to Run Given Steels
(Extreme Post Acvident Envirornments)(2) Failure to Run Givers Stant
iPost Accident Afte, EnvronentalReco-eyl
(3) Failure to RUtn Given Start(Normal Eniron-ment)
'5o
I t105
1 lo16
FIGURE III 4-3 Relative Failure RateAssessments - Pumps
Crt Ci 2 Cias 3 Clas 4S ! i I
t. sot
CI... t Maloi MrMava.10.lOr CG.. ri
0la. 2 Eievrro MriiuW.-vr Civiris ct
C'..s 3 Mctavl
Ctas 4 ElI-¢ctl(Re.. a .i.. -.S.stces. r I
i
I1
I . 0to -
1. tO0
FIGURE Il1 4-4 Demand Probabilities ofClasses of Hardware
ul 12
I I
FIGURE III 4-5 Leak and RuptureAssessments forPassive Hardware
Fig. III 4-1 - Fig. III 4-5
111-51/52
Section 5
Test and Maintenance Dataand Applications
5.1 INTRODUCTION
Certain test and maintenance acts causeeffective removal of a component fromthe system, rendering it unavailable forsome period of time. This unavailabili-ty due to test or maintenance is a func-tion of the test or maintenance actduration time and the frequency of theacts. The contribution to the unavaila-bility can be written as:
Q= f(avg acts/month) x tD (avg hrs/act)
720 (hrs/montlh)
where f is the frequency and tD is theduration time (downtime).
The duration time tD depends on severalfactors including the component in-volved, the complexity of the test ormaintenance, the magnitude of repair,contingencies which arise, etc. Whenmaintenance is performed non periodical-ly, f is likewise dependent on similarfactors. The log-normal distributionwas used to describe the variable natureof these parameters, for the followingreasons (in addition to the general con-siderations discussed in Appendix II):
a. The general agreement found betweenthe log-normal model, and the avail-able test and maintenance data. SeeFigs. 111 5-1 thru 111 5-4.
b. The positive skewed nature of thelog-normal distribution, which is inaccord with the experience that themajority of acts are completed Inrelatively short times, but thatoccasionally circumstances requiresignificantly longer times.
c. The capability of defining the dis-tribution and its various parametersfrom a knowledge of only the as-sessed ranges. The mean value ispertinent for quantification of theunavailability, and can be obtainedfrom whatever range is assessed, byidentifying the limit values withthe 5% (Xmin) and 95% (XSirax) per-centile values and using. therelationships given in Appendix II.
Estimates of the maximum and minimumvalues for the test act and maintenanceact durations and frequencies werederived from: 1) discussions with plant
test and maintenance teams; 2) analysisof technical specifications (whichdictate the maximum allowable outagesduring powered operation) and; 3) reviewof maintenance summary reports for fouroperating plants.
The contributions to unavailability wereseparated into test contributions andmaintenance contributions for four majorclasses of components: pumps, valves,diesels, and instrumentation.
The bounds which were used to derivemean test durations for the quantifica-tion formulas are given in Table III5-1.. The test act includes the minorrepair, calibration and reconfigurationtime that normally occurs as part of theperiodic testing during normal plantpowered operation. Those tests thatoccur during refueling (and other plantoutages) do not affect system availabil-ity. In general, testing of most safetyhardware occurs at monthly intervals;i.e.e, f (the test frequency) = 1 and theaverage unavailability due to testingis:
=tD
where
tD, average (mean) duration time
Maintenance summary reports from mill-stone 1 and Dresden 1, 2, and 3 for 1972provided the data listed on Table III5-2 for act duration ranges and meanvalues observed for major corrective andpreventative maintenance programs..
The data from which these values werederived are shown plotted in Figs. III5-1 to 111 5-4, along with the theoreti-cal cumulative log-normal distributionderived from the sample mean and vari-ance. The agreement between the modeland the data supports use of this dis-tribution as an adequate approximation.(Log-normal probability plots showedsimilar adequacy in the log-normal fit).
From discussions with plant personnel,it was learned that minor maintenanceand repair can occur quite frequently,
111-53
and involves short periods of timecompared to the more major acts. Fur-thermore, the plant Technical Specifica-tions restrict in many cases, the dura-tion time that a component within thesafeguard system can be wout" for main-tenance while the plant is in operation.Certain pumps are limited to 24 houroutages, while others are limited to 72hours. If the repairs cannot be com-pleted within the allowed interval theplant is placed in a "shutdown" config-uration until they are completed. Themaximum unavailability of certaincomponents in the event of an accidentis thus limited by these restrictions.The maintenance act duration data formost restricted components were there-fore derived using 30 minutes and 24 or72 hour limits. For diesels, because ofgenerally longer maintenance and looserrestrictions, bounds of 2 hours and 72hours were used. These limits and theircalculated log-normal means are shown onTable III 5-3.1
Finally, frequency of the maintenanceact varies from monthly to yearly asindicated by the summary reports;therefore, bounds of 1 month and 12months were used as the 5 and 95 per-centile points on a log-normal distribu-tion to derive the maintenance actfrequency values. The mean interval is4.6 months per act with a range of 1 to12 months per act. The mean frequencyis 0.22 acts per month with a range of1.0 to 0.083 acts per month.
5.2 CORROBORATION OF THE MODELRESULTS
To determine the capability of themodels to predict unavailability values,
1 Because of the specifications, thedistributions are actually truncatedand maintenance times greater than thelimit should be set equal to the limit.The log-normal averages account forthese truncations.
the model results were corroborated withthe data. The average unavailabilityfrom maintenance data was calculatedfrom the individual act duration timeslisted in the maintenance summary, whichwere summed over all the components ofthat class for the year. This value wasdivided by the number of components ofthat class in the summary plants todetermine an average maintenance actduration per year, and then this valuewas normalized by the number of hoursper year to determine average unavaila-bility, i.e.,
Duration of observed actsQ (hrs/yr)
Qavg /Number of .Number i 'hr'r[components) -(plants in) • (hs/yr\per plant \ summary /
The model results were determined usingthe equation discussed earlier, i.e.,
f tD
Q ' 2
where tD and f are the log-normal mod-eled values previously given.
UNAVAILABILITY
Component
Pumps
Valves
Diesels
Instrumen-tation
Model Results
2 x 10-3
2 x 10-3
6 x 10-3
2 x 10-3
Data Results
2.5 x 10-3
3 x 10-3
1 x 10-2
8 x 10-4
As observed, there is adequate agreementbetween the theoretical and raw dataresults.
111-54
TABLE 111 5-1 SUMMARY OF TEST ACT DURATION
CalculatedRange on Test Mean Test Act
Component Act Duration Time, Hr Duration Time, tD, Hr
Pumps 0.25 - 4 1.4
Valves 0.25 - 2 0.86
Diesels 0.25 - 4 1.4
Instrumentation 0.25 - 4 1.4
TABLE III 5-2 SUMMARY OF MAJOR MAINTENANCE ACT DURATION (RAW DATA)
Range on Maintenance Mean Maintenance Act
Component Act Duration Time, Hr Duration Time, tD, Hr
Pumps 2 - 400 37
Valves 1 - 350 24
Diesels 2 - 300 21
Instrumentation 1/4 - 72 7
TABLE I11 5-3 LOG-NORMAL MODELED MAINTENANCE ACT DURATION
Range On Mean Act
Component Duration Time, Hr Duration Time, Hr
Pumps 1/2 - 24 7
1/2 - 72 19
Valves 1/2 - 24 7
Diesels 2 - 72 21
Instrumentation 1/4 - 24 6
Table III 5-1 - Table III 5-3
111-55/56
1.0 F
0.a
I
x 1
xx
x U P
K I
0.6 8
0.4-
0.21-
0
S I I i I , 11.1#0
FIGURE III 5-1 0,D
Hours to Rfpwir
I I I T e til
and Theoreticalbserved Repair Timesistribution - Pumps
VALVES
x
I
xVx
xX
0
10 100Hours To M"ir
Observed Repair Times and TheoreticalDistribution - Valves
FIGURE III 5-2
x[
0808
I
zI
04 - xX II
1 10 100 1~00How, To Roo...
FIGURE 111 5-3 Observed Repair Times and Theoretical
Distribution -Diesels
0
x IIB I
x[
0&4 X X
I I
0 IIII I~0 x
w 10 10 1000HOurs To Rp-,
FIGURE III 5-4 Observed Repair Times and TheoreticalDistribution - Instrumentation
Fig. 111 5-1 - Fig. 111 5-4
111-57/58
Section 6Special Topics
6.1 HUMAN RELIABILITY ANALYSIS
6.1.1 INTRODUCTION
The Safety Systems provided in nuclearpower plantq to prevent and mitigateaccidents are generally designed tooperate automatically during the initialstates of accident sequences. Informa-tion on the conditions in the reactorand on the operation of the SafetySystems during an accident would bedisplayed at the control room and theoperator would be able to follow thesequence of events but no direct humanaction would be required until theaccident is brought automatically undercontrol. There is, however, human in-teraction with the system in routineplant operation, testing and main-tenance. Furthermore human interventionwould be required in case of malfunctionof automatic systems. Hence, humanreliability needs to be considered insafety system analysis.
As an extensive actuarial-type data basedoes not exist for human reliability,the analysis involves a -significanteffort in estimation of the reliabilityof human responses under emergency andnormal conditions, and the influence ofstress, routine and, other factors onerror rates for various tasks.
Whenever possible, data were obtainedfor human reliability in industriesinvolving tasks comparable to thosefound in nuclear power plants. For somecases data were obtained from militaryexperience, with less similarity tonuclear plant tasks. Because the totalavailable data on the whole are somewhatmeager, human reliability analysis asapplied to nuclear power plants is stillsomewhat subjective. Nonetheless, thederived numbers are considered to besufficiently accurate for risk analysispurposes, with the error bands tendingto cover the associated uncertainties.
The human reliability analysis wasperformed to estimate the influence ofhuman errors on the unavailability ofvarious safety systems and components.Several equally valid approaches can beused to quantify human reliability, andthe approach in the study utilized thegeneral features of the THERP Techniquefor Human Error Rate Prediction, a modeldeveloped at Sandia Laboratories (Refs.1, 2). The model uses conventionalreliability technology, describing
events in terms of what it calls prob-ability tree diagraming. Probabilitytree diagraming is simply a form ofdecision tree or event tree where eachstep or branch indicates different humanactions possible, different environmentspossible, etc.
In the present study, the system faulttrees in Appendix II were analyzed as tothe human errors which were combined inthe trees. In a number of cases, thehuman errors were relatively straight-forward, and values were directlyassigned from basic data considerations.
In other cases, when the human errorswere more involved, probability treediagraming was used to decompose thehuman error into constituent acts forwhich basic data existed or for whichvalues could be assigned from extra-polations of basic data. Details of theprobability tree diagraming are notgiven for all the cases analyzed;instead, sufficient information and ex-amiples will be given to describe thegeneral technique with data values usedand results obtained.
6.1.2 HUMAN PERFORMANCE DATA
An actuarial data base for human errorrates in nuclear power plants does notexist. Although the AEC does collectinformation on human errors associatedwith abnormal power plant incidents, thedata are not generally in a form usablefor human reliability analysis. There-fore, in this study, substitutes had tobe found for actuarial data. A firstdata source consisted of human perform-ance data on tasks with similarity tonuclear plant operation, test, mainte-nance, and calibration tasks. Such datahave been compiled for European nuclearreactor operator tasks and also for theprocess tasks found in petrochemicaloperations. The sources were the UnitedKingdom Atomic Energy Authority (UKAEA),the Danish AEC, and the ImperialChemical Industries, Ltd. (ICI) of GreatBritain.
The above sources, though relevant,suffer from lack of actual recordeddata. Most of the numbers representestimates of human error rates based onthe judgment of technical personnel inthe organizations mentioned. Some datafrom controlled studies have also beenobtained from the UKAEA (Refs. 3, 4) andthe ICI (Ref. 5).
111-59
A second data source consists of humanerror rate data from weapons production,maintenance, and testing tasks with lesssimilarity to nuclear plant tasks *thanthe above. These data have been col-lected by human reliability analysts atSandia Laboratories. In using thesedata, the analysts had to judge theirapplicability to nuclear plant tasks.This judgment accounted for similarityin perceptual, cognitive, and motoraspects of the tasks. It is possiblefor the equipment involved in theperformance of two different tasks to bephysically different, and yet for thepsychological (behavioral) aspects ofthe tasks to be similar.
A particular lack of data for thepresent study concerns the reliabilityof nuclear power plant personnel after alarge loss of coolant accident (LOCA)has occurred. Since there is no histor-ical precedent for this event, there hasbeen no opportunity to see how thesepersonnel would react in the presumedlyhighly stressful situation created bysuch an occurrence. In the absence ofsuch experience, the best data availablecome from studies of man's behavior inother emergency conditions.
Two studies that merit mention here areboth considered classics in the area ofhuman factors. In one study by theAmerican Institutes for Research (Ref.6) critical incidents were collectedfrom Strategic Air Command aircrewsafter they survived in-flight emer-gencies (such as loss of engine ontakeoff, cabin fire, tire blowout onlanding, etc.). The critical incidentaverage error rate was 0.16; that is,16% of the time the critical actions ofthe aircrews; in such stress situationseither made the situation worse or didnot provide relief.
In the second study, conducted by theHuman Resources Research organization(Ref. 7) Army recruits were subjected tosimulated emergencies such as theincreasing- proximity of falling mortarshells to' their command posts. Therecruits were exposed to these simulatedemergencies in such a way that theybelieved the situations to be real. Asmany as one third of new recruits fledin panic, rather than perform theassigned task that would have resultedin a cessation of the mortar attack.These studies have yielded indicationsof the devastating effects that veryhigh stress levels can have on theperformance of even thoroughly trained,reliable personnel.
In this study, based on the most rele-
vant available data an estimate of 0.2to 0.3 is assumed as the average errorrate for nuclear power plant personnelin a high-stress situation such as aLOCA. -Thi's estimate is based on theassumption that the perceived stress ina LOCA situation is comparable to theperceived stress in the two casesstudied, whereas it might, in fact, belower. The human-reliability analystsmaking this study have judged that theperceived stress would not be higher, sothe range of 0.2-0.3 is to be consideredconservative.
The average failure rate of 0.2 to 0.3can thus be used as a rough gauge foraverage performance of nuclear plantpersonnel under extreme accident condi-tions. The value, of course, is simplya rough average value, and, to obtainmore accurate evaluations, each particu-lar situation must be individuallyanalyzed to assess the specific humanfailure rate which is applicable.
Other reported data on stress and humanbehavior (Ref. 8) indicate that theerror rate for a task bears a curvi-linear relationship to perceived stresslevel (see Fig. 111 6-1). That is, withvery low stress levels, a task is sodull and unchallenging that most opera-tors would not perform at their optimallevel. Passive-type inspection tasksare often of this type and can beassociated with error rates of 0.5 orhigher (Ref. 9). The average errorrate of 10-1 assigned for less passivemonitoring tasks is based on data fromthe above reference and from reference10.
When the stress level of a job is some-what higher (high enough to keep theoperator alert) optimum performancelevels are reached. But when stresslevels are still higher, performancebegins to decline again, this time dueto the deleterious effects of worry,fear or psychological responses tostress. At the highest level of stress,human reliablity would be at its lowestlevel, as shown .in Fig. 111 6-1.
The curve form1 shown in Fig. 111 6-1has been applied to various tasks innuclear power plants in determining someof the values in the human error ratedata base presented later in *thisreport. For example, the error rate ina typical walk-around inspection of afacility after maintenance is presumedto correspond to an inspector error rate
1 Alfigures appear at the end of text.
111-60
of 0.5 for a passive inspection taskrepresented on the curve as performanceunder a "very low" stress level. on theother hand, it is judged that the normalcontrol room situation is sufficientlydemanding that performance should beoptimal, considering only the effects ofstress. Performance after a large LOCAis presumed to correspond to the higherror rate (low performance) end of thecurve, due to the effects of high stresslevels.
Following a LOCA, human reliabilitywould be low, not only because of thestress involved, but also because of aprobable incredulity response. Amongthe operating personnel the probabilityof occurrence of a large LOCA is be-lieved to be low so that, for somemoments, a potential response wouldlikely be to disbelieve panel indica-tions. Under such conditions it isestimated that no action at all might betaken for at least one minute and thatif any action is taken it would likelybe inappropriate.
With regard to the performance curve, inthe study the general error rate wasassessed to be 0.9 (9 x 10-1) 5 minutesafter a large LOCA, to 0.1 (10-1) after30 minutes, and to 0.01 (10-2) afterseveral hours. It is estimated that by7 days after a large LOCA there would hea complete recovery to a normal, steady-state condition and that normal errorrates for individual behavior wouldapply.
There is an important exception to theshape of the performance curve de-scribed. This exception would occur ifthe operators are called on to take somecorrective action after a LOCA and thetime available to take this correctiveaction is severely restricted. Onetheory of human behavior under time-stress (Ref s. 2, 11) holds that thenormal error rate for each succeedingcorrective action doubles when an errorhas been made in the precedingcorrective attempt or when the precedingaction did not have its intendedcorrective effect. Thus, if one startsout with an error rate of 0.2,theoretically it takes only three moreattempts at corrective action to reach alimiting case of an error rate of 1.0.This limiting condition corresponds toan individual's becoming completely dis-organized. Extensive clinical experi-ence exists in the literature on humanperformance to support the theory thatlarge numbers of individuals will failto perform assigned tasks under severestress and may become completelydisorganized (Refs. 8, 12).
Sufficient data do not exist todetermine empirically the exact shapeand spread of the distributions of humanerrors which are directly applicable fornuclear power plant tasks. Therefore,estimates of the human error distribu-tion have been formed with the use ofdata from other sources.
For the particular shape, a log-normalcurve was used in the study, based inpart on a Monte Carlo analysis of humanperformance data (analysis byL. W. Rook, in Ref. 13) and on the timetaken to respond to a simulated alarmsignal superimposed on normal tasks in anuclear power plant (Ref. 4). In thesestudies the human performance curve wasfound to be skewed, with more perform-ance scores tending towards the lowerror rates and low response times.
Other studies have yielded curves withshapes that differ in details, but ingeneral the performance curve is skewedtoward the higher error rates or re-sponse times. In view of the accuraciesrequired for the purposes of the studyand the general insensitivity of theoverall results to the particular shapeused, it is reasonable to assume thelog-normal distribution. Therefore, thelog-normal distribution which was em-ployed in other areas of study was usedfor the human error distributions, i.e.,the distribution associated with theerror ranges and spreads.
Table 111 6-1 presents general humanerror rate estimates derived fromexisting data (as described above), asmodified by the independent judgments oftwo human-reliability analysts. Thesejudgments were made after reviewinginformation on nuclear power plant per-sonnel skill levels, previous jobs heldby these personnel, operating proce-dures, and the design of the controls,displays, and other equipment read ormanipulated by the operating personnel.The information was obtained in inter-views with operating personnel, supervi-sor, and engineering personnel atnuclear power plants, by observation ofcontrol room, test, maintenance, andcalibration tasks at several plants, andby a study of written materials andphotographs.
As noted in the table, modification ofthese underlying (basic) probabilitieswas made as necessary when incorporatedinto the fault trees. The modificationsconsidered the exact nature of the humanengineering, e.g., the close similarityof labeling of different switches, withthe attendant higher probability ofgrasping and manipulating the wrong
111-61
switch. A later section describes theapplication and modification of thebasic error rate estimates to a samplehuman-reliability analysis problem.
In general, human error ratds for taskshave been estimated to the nearest orderof magnitude, with two analysts makingindependent estimates based on a de-tailed description of the task require-ments (including written instructionsand photographs of controls, displays,valves and other items to be read ormanipulated by operating personnel). Inall cases, the independent estimatesagreed to the nearest order of magni-tude. The associated assessed errorfactors (probability ranges) covered thepossible variations and uncertaintiesassociated with the final estimates.
The two specialists attempted to avoidoverestimating human reliability, thatis, underestimating error rates. Con-currently, they tried to avoid deliber-ately overestimating error rates toprovide only conservative estimates.However, in post-accident situations,e.g., after a LOCA, it was deemed properto avoid overly optimistic assessmentsof human reliability.
Some of the estimates were based direct-ly on data collected on tasks identicalor highly similar to nuclear reactortasks. For example, UKAEA experience isthat large manual valves that have noreadout of their position except thevalve itself are left in the incorrectposition after non-routine operationsapproximately once in 100 times (10-2occurrence). Such information was ap-plied in the present study withoutmodification. (This is the case when nospecial precautions are taken, such asuse of padlocks with administrativelycontrolled keys.)
In other cases an analytical. approachwas necessary to apply existing data onhuman error rates. In these cases, anuclear power plant task was broken downinto individual steps involving percep-tual, conceptual/emotional, and motoraspects of behavior. In more commonterms, this means taking a particularstep in a task and considering thefollowing three aspects:
1. The inputs to the operator, as pro-vided by such things as displays oncontrol panels, labels, configura-tion of manual valves (includingpresence or absence of padlocks),written instructions, and othersignals.
2. The thinking and decision making
done by the operator is influencedby the interaction of his emotionalstate (e.g., fear and worry inmuedi-ately after a large LOCAd.
3. The responses the operator makes bymeans of switches, large valves,oral orders, writing down infor-mation etc.
The above analytical approach was usedto break down the tasks into smallerbits of behavior that could more readilybe combined with existing data or withthe experience of the analysts.
Finally, the estimates of error ratesfor the individual behavioral units werecombined into estimates of error ratesfor larger units of behavior, cor-responding to nuclear power plant tasksor groups of tasks. In this recombina-tion operation, the estimated errorrates for smaller behavioral units wereat times modified in consideration oftheir interdependencies to avoid thederivation of unrealistically low esti-mates of task error rates. In thepresent study, the task error rateestimates so derived were combined withconsensus-estimated error rates to en-hance the stability of the estimates.
The estimated task error rates weremodified, where appropriate, by theeffects of available personnel redundan-cy, that is, the checking of a man'sperformance by another man. In somecases, the total estimated failure rateof a task, including recovery from anoriginal error made possible by usingpersonnel redundancy, was equal to orless than 10-6. However, experiencewith human reliability analysis and theobservation of "the impossible" have ledmost specialists in this field to viewwith skepticism any task error rate lessthan 10-5 for any but the very simplesthuman acts. Consequently, in the pres-ent analysis, estimates of human errorrates smaller than 10-5 were not used.
The estimatesincorporated intree analysts,were treated infailure events:
of task error rates werefault trees by the faultand human failure eventsthe same manner as other
6.1.3 PERFOPRMANCE-SHAPING FACTORS
Several factors had to be considered inderiving estimated error rates fornuclear power plants. Following are themore important of these factors, each ofwhich is discussed under the topicheadings which follow.
*Level of presumed psychologicalstress
111-62
e Quality of human engineering of
controls and displays
* Quality of training and practice
e Presence and quality of written
instructions and method of use
e Coupling of human actions
e Type of display feedback
e Personnel redundancy
6.1.3.1 Level of Presumed PsychologicalStress.
As discussed earlier, the highest errorrates were assigned to the time periodimmediately after a large LOCA, withrecovery to normal levels of human reli-ability occurring as a function of time.Implicit with this assumption that errorrates decrease with time is the underly-ing assumption that things do getbetter. That is, the nuclear powerplant is brought under control withappropriate automatic and manualresponses to the emergency.
Normal error rate values have beenassigned to routine control roomoperations and to maintenance and cal-ibration tasks, as it is assumed thatthe normal stress level has a facilita-tive effect. In the interviewing andobservation of control room operators,maintenance personnel, and calibrationtechnicians, it appeared that .the jobswere sufficiently challenging to main-tain facilitative levels of motivation.No one seemed bored or "just putting intime". (This is a clinical judgmentbased on the independent observations oftwo psychologists trained in clinicalevaluations.)
6.1.3.2 Quality of Human Engineering ofControls and Displays.
The basic error rates in Table 111 6-1were modified by assigned higher ratesto situations where the arrangement andlabeling of controls to be manipulatedwere potentially confusing. For exam-ple, motor operated valves MOV-1860A andMOV-1860B are to be opened at the RWSTlow level set point (14.5% full). Imme-diately adjacent to these switches areMO0V-1863A and MOV-1863B. The two setsof switch numbers are similar, and theyhave similar functional labels:
LO HEAD S.I. PP A SUMP SUCT VV
and
LO HEAD S.1. PP A DISC ISO VV
Furthermore, at the low level set point,both sets of valves would normally beclosed and the green indicator lampsabove them would be illuminated. Asample human reliability analysis usingthese switches is described in a latersection to illustrate how the potentialconfusion in using these switches canresult in human errors.
Fairly high rates were assigned to theprobability of manipulating the wrongswitch in cases where similar appearingcontrols and displays were close to-gether without separation by functionalf low lines on the panels or some othermeans to show normal process flow, adesign characteristic of operating pan-els on some research reactors (Ref. 14).In general, the design of controls anddisplays and their arrangements onoperator panels in the nuclear plantsstudied in this analysis deviate fromhuman engineering standards specifiedfor the design of man-machine systemsand accepted as standard practice formilitary systems (See Ref s. 15 through19). Whether such standards arenecessary and would result in a netbenefit is outside the goal of thisanalysis.
It was appropriate to assign fairly lowerror rates to tasks where the qualityof human engineering is such that thecues given for task initiation andcorrect task completion are difficult toignore. For example, lower error rateshave been assigned to cases where thetask initiation cue is an annunciatoralarm than where the cue is merely thedeviation of a meter on a panel in thecontrol room. Also, for some largemanual valves, the use of a specialpadlock and chain with administrativelycontrolled keys and associated paperwork reduces the probability of for-getting to return the valve to thenormal condition after maintenance. Inthe latter case the primary cause ofleaving such a valve in the wrongcondition after maintenance would befailure to use the required procedures.An estimated 10-4 error rate peropportunity was assigned to suchfailure.
In certain cases, a high recovery factorwas assigned to the error of manipulat-ing an incorrect MOV or pair of MOV's.An example of a recovery f actor is asfollows. Assume an operator is supposedto open a pair of MOV's to increase theflow rate as displayed on a meter. Thenormal procedure would be for theoperator to make the switch manipulationand then observe the flow meter for theproper rate of flow. If the proper rate
111-63
of flow fails to materialize, the opera-tor would have a high probability ofrealizing something was wrong and wouldlikely take corrective aCtion. Theexample in a later section illustratessome recovery factors.
In general, it was found that mosterrors in maintenance and calibrationtasks either had immediate and com-pelling feedback of their correctness orincorrectness or that subsequent recov-ery factors made it highly improbablethat errors would remain undetected forlong.
6.1.3.3 Quality of Training andPractice.
On the basis of interview, observation,a visit to a training center, and reviewof training materials, the level oftraining of nuclear power plant per-sonnel was judged to be outstanding.For example, interviews with controlroom operators revealed a clear under-standing of normal reactor operation.They can readily describe the eventsoccurring in normal on-line operationand have a clear conceptual picture ofthe processes involved. (In one inter-view an operator who was considered byhis supervisor to be "below average" for.operators at the site demonstrated theabove thorough understanding.) There-fore, for routine maintenance, calibra-tion, and control room operations, ahigh degree of trained-in excellence hasbeen assumed with associated highestimates of human reliability.
Although original training includesresponses to emergencies, there is noprovision for frequent on-site practicein responding to simulated emergencies(such as a large LOCA) at the sitesvisited. In the absence of appropriatesimulation equipment, such on-site prac-tice could be simulated by frequent.atalk-through" of responses to emergen-cies. This type of informal test wasmade in the course of the present study.It was found that the operators inter-viewed could explain in general termswhat they should do in. postulated emer-gency situations, but they did notalways appear to be sure of thelocations of switches and readings ondisplays relevant to manual backupactions required in the event of failureof automatic safeguards systems. Thisdoes not imply that, based on such alimited "test" of operator ability inemergencies (i.e., a discussion of ahypothetical situation), operators wouldnot be able to carry out emergencytasks. Nevertheless, the lack of abili-ty to "talk through" appropriate proce-
dures without hesitation or indecisionpotentially indicates lack of a clearplan of action should such emergencysituation6 occur. Based on the abovefindings, relatively high error rateswere consequently assigned to operatoractions required soon after the onset ofa major emergency such as a large LOCA.
6.1.3.4 Presence and Quality of WrittenInstructions and Method of Use.
Generally, a lower error rate was as-signed to procedures for which writteninstructions are available. It wasnecessary to make an estimate of thelikelihood that written instructionswould be used by the operator, main-tenance technician, or calibration tech-nician, rather than trusting his memoryof the procedures. For example, in oneof the cases analyzed, even with appro-priate use of calibration procedures, itwas observed that a technician anticipa-ted what approximate instrument readingshould appear for each step in theprocedure. He had performed thislengthy calibration procedure so oftenthat he 'knew what to expect. Thisknowledge coupled with a very lowfrequency of finding an out-of-toleranceindication sets up a very strongexpectancy that each reading will be intolerance. Under these circumstancesthere is some likelihood (estimated as10-2) that the technician will "see" anout-of-tolerance indication as being intolerance. (In this particular in-stance, however, there were so manyrecovery factors that even with theassumption of a 10-4 error rate, theprobability of an uncaught and uncor-rected calibration error was negligi-ble.)
In estimating error rates, the qualityof the written instructions was evalu-ated. Of concern were such factors asthe easewith which an operator couldfind a written emergency procedure, theextent to which the format would aid theoperator, the likely ease of under-standing non-routine instructions, andso on. The style of written instruc-tions contributed materially to theestimated error rates. The written in-structions do not conform to establishedprinciples of good writing; they aremore typical of military maintenanceprocedures of approximately 20 years'ago. Other deficiencies which contribu-ted to relatively high error rate esti-mates were poor printing quality, nodistinctive binder or location foremergency procedures, lack of tabs andinappropriate indexing which made itdifficult to find specific procedures,and poor format for each procedure.
111-64
The observed method of use also contri-buted to relatively high estimated errorrates. Men were observed performingseveral tasks and then checking them offon the check list. The correct and morereliable procedure would be to perform alisted task, check it off, and then moveon to the next item in the check list.Lower error rates were assigned to caseswhere information from a meter or a dialhad to be recorded on the check listrather than merely checking off that anitem had been completed. Such a proce-dure markedly reduces the probability offorgetting to perform a step in thecheck list.
6.1.3.5 Coupling of Human Actions.
Another important factor is related tothe type of grouping of switches ormanual valves plus the effects ofwritten instructions. This factor isthe amount of coupling of human actions,that is, the relative lack of independ-ence of such actions. Four levels ofcoupling were used in the analysis: nocoupling (i.e., complete independence),loose coupling, tight coupling, andcomplete coupling (complete dependence).The degree of coupling is assigned on anindividual failure basis but some gener-al guidelines were used as illustratedbelow.
An example of no coupling between taskswould be where the probability of errorin one task is independent of theprobability of error in another task.Tasks which are dissimilar or which aregreatly separated in space and time tendto be independent. However, such tasksmight be affected by the same conditions(e.g., the stress after a large LOCA)and the estimates of their error rateswere influenced by this consideration.
Loose coupling can be illustrated by twotest valves in the PWR containment sprayinjection system located in a buildingnext to the RWST. Both these largemanually operated valves are chained andpadlocked in the normally closed posi-tion. Periodically they must be un-locked and opened for test purposes. Theprocedures call for one valve to beopened and that part of the systemtested, and then for the valve to beclosed, chained, and padlocked beforeproceeding to open the other valve totest the other part of the system. Itwas judged there was a small probabilitythat, for convenience, an operator wouldregard both valves as a unit and notfollow the prescribed procedures. Thatis, he would open both valves prior toany testing and after all testingreclose both valves. Therefore, the
probability of forgetting to reclose onevalve would not be independent of theprobability of forgetting to reclose theother valve. Since most operators wouldbe likely to follow the prescribedprocedure, loose coupling best expressedthe relationship errors of forgettingfor the two valves.
For the valves in question, the impor-tant error was forgetting to recloseboth valves. The probability of thiserror was calculated as follows: Gener-ally, loose coupling was taken to be thelog-normal median value between theupper and lower bounds. The upper boundon coupling is defined by the assumptionof complete coupling between the two acts(i.e. reclosing of the two valves). Thelower bound is obtained from theassumption of complete independencebetween the two acts. Given an estimateof 10-2 for the error of forgetting toreclose a sIngle valve, the upper boundbecomes 10- and the lower bound10-2 x 10-2 = 10-4. The log normalmedian is the square root of the productof the lower and upper bounds, or,
._10-2 x-10-4 = IX 10-3
Thus, the probability of forgetting toreclose each valve is estimated as 10-2and the probability of forgetiting toreclose both valves (the only error ofimportanc-i-n the analysis) is estimatedas 1 x 10-3.
Tight coupling can be illustrated by therequirement to calibrate three bistableamplifiers in the reactor protectionsystem (SCRAM). One calibrationtechnician performed the calibration inthe instrument room while communicatingwith an operator in the control room. A10-2 probability was assessed for theerror of the technician's miscalibratingthe first bistable amplifier, as byusing an incorrect set level. Theincorrect set level, for example, couldbe due to a simple misreading error.Given that the calibration technicianhas miscalibrated the first amplifier,there is a substantial probability ofcarrying over the incorrect set level tothe second bistable amplifier. It wasestimated that the conditionalprobability of miscalibrating the secondamplifier, given miscalibration of thefirst, would be 10-1, or a jointprobability of 10-3 of miscalibratingboth amplifiers. It was estimated thatthe conditional probability of miscali-brating the third amplifier, given
111-65
miscalibration of the first and secondamplifiers, would be 1.0, or a jointprobability of 10-3 of miscalibratingall three bistable amplifiers. In otherwords, a tightly coupled sequence ofevents was assumed. In this particularoperation, there were several recoveryfactors, so that the final estimatedinfluence of human errors on the reactorprotectiog system was smaller than theabove 10- estimate for the basic act.
An example of complete coupling is foundwhen one basic act results in severalfailures. For example, one step in thewritten procedure calls for the operatorto open two valves. The two valves areregarded as one unit by the operator.In estimating the probability of hisomitting to open these valves, the sameestimated error rate was given for oneor both valves. That is, it was consid-ered that if he would open one valve, hewould open the other. Likewise, if hefailed to open one valve, he would failto open the other. This analysis is anapproximation, of course. Absolutelycomplete coupling can be very unlikely--yet, in this particular example, it wasassessed that human behavior wouldexhibit high dependency, and completecoupling was assumed as a reasonableapproximation.
As a contrast to the above discussions,the following example. shows how an ap-parent common mode error due to apparentcoupling was estimated to have noresulting net effect on safety systemavailability. At one site two possiblecommon mode errors for comparator cali-bration in the reactor containmentpressure consequence limiting systemwere:
a. using the wrong decade resistancefor all channels, and
b. using the wrong scale on the digitalvoltmeter for all channels.
Once either error is made, the calibra-tion technician might indeed recalibratean entire rack. The estimated error ratefor either comnon mode error was 10-2.However, when the technician went to thesecond rack, he would discover that thecomparators in that rack, too,. needed agross recalibration, and he should sus-pect that something was wrong with thetest procedure rather than merely pro-ceed to recalibrate the second rack.The estimated failure rate of the recov-ery factor for the second rack was 10-2.(This estimate was deliberately madeconservative.) Since the techniciantypically calibrates all four racks inone shift, it can be seen that the
overall rate of making one of the abovetwo calibration errors and then failingto catch this error and incorrectlyrecalibrating all four racks isapproximately 10-2 (the initial error) x10-2 (second rack) x 10-2 (third rack) x10-2 (fourth rack), or much less than10-5. (Recall that we do not use anyestimates smaller than 10-5.)
6.1.3.6 Type of Display Feedback.
One of the most important recovery fac-tors to mitigate the effects of an erroris the type of display feedback. If anerror resulted in an immediate annuncia-tor warning, a relatively low failurerate was assigned to the recovery fac-tors. The total task failure rate wouldbe the product of the initial error rateand the low failure rate of the recoveryfactor. But if the feedback consistedof a slow rise in pressure, for example,as displayed on a meter on the verticalwall underneath the annunciator panels,a higher failure rate was assigned, incertain instances 0.5.
6.1.3.7 Personnel Redundancy.
Another important recovery factor is theuse of personnel redundancy (or, as itis sometimes called, human redundancy)which refers to the use of a secondperson to verify that the performance ofa first person was correct. Personnelredundancy can vary from completeredundancy (i.e., complete independenceof the initial act and the checking act)to very low degrees of redundancy (i.e.,high degrees of dependency between theinitial act and the checking act).Lower recovery factor failure rates arerelated to higher degrees of personnelredundancy.
Beneficial use of a high degree ofpersonnel redundancy is illustrated bythe calibration of the water levelsensors and drywell sensors at one site.A two-man team performs the calibrationwith one man reading and recording thereadings on the check list while theother man does the calibration. Afterthe calibration has been completed thetwo men reverse roles and perform afunctional check. With this extensiveuse of personnel redundancy, an estimateof 10- was assigned to the joint proba-bility of a miscalibration being madeand the functional check failing tocatch the miscalibration.
A low degree of personnel redundancy isillustrated by the use of a singleperson to perform critical actions,followed by an informal type ofchecking. For example, in the case of
111-66
one critical manual valve located at theRWST, one man is responsible for reopen-ing this valve after maintenance.Should he forget to open the valve, theRWST would not be available in the eventof a large LOCA. At certain times awalkaround inspection is performed, but(as already noted) the estimated errorrate for this type of passive monitoringtask is high (0.5).
It is sometimes thought that requiring aperson to sign a statement that he hasaccomplished a task will ensure that hereally performed the task. For tasksthat are frequently performed, thesigning of one's name tends to become aperfunctory activity with no moremeaning than checking off an item on achecklist. In general, very littlereliability credit was allowed for therequirement to sign off that a procedurehad been completed.
In general, the degree of personnelredundancy was high for calibrationoperations, lower for certain operatortasks such as manipulating MOV's, andlowest for maintenance tasks. However,in the case of the latter, a highlyreliable recovery factor was the testingof maintained system components beforethe system was put back on line.
6.1.4 A SAMPLE HUMAN RELIABILITYANALYSIS
To illustrate how a typical human relia-bility analysis was performed, thissection outlines a sample analysis basedon paragraphs 4.8 and 4.9 of theprocedure entitled "Loss of ReactorCoolant," provided by the utility thatruns the subject PWR. The two para-graphs are:
4.8 When the RWST reaches the low levelsetpoint (14.5%) and CLS [Conse-quence Limiting System] initiationhas been reset (RESET PERMISSIVE <0.5 psig) complete the followingactions:
4.9 When the RWST reacheslevel setpoint (7%)following actions:
the low-lowcomplete the
4.9.1 Close *MOV-862, suction tothe low head safety injec-tion pumps from the RWST
4.9.2 Open the charging pump suc-tions from the discharge ofthe low head pumps byopening MOV-863A and B.
This sample analysis is restricted tosteps 4.8.1, 4.9.1 and 4.9.2. The MOVswitches inovlved are MOV-1860A and B,MOV-1862, and MOV 1863A and B. [NOTE:the procedures drop the initial digitsince it is understood, for example,that MOV-860A could refer to this switchfor either the number 1 reactor (i.e.,MOV-1860A) or the number 2 reactor (MOV-2860A).] These switches are shown inthe bottom row of the sketch in Fig. III8-2. The two rows of switches shown inthe sketch are the bottom two rows ofseven rows on the left most panel offour segemnts in a large switch board(one plane). There are other safetypanels in other planes.
In the sketch the switches are associ-ated with indicator lamps: G stands forgreen (closed condition of motoroperated valve) and R stands for red(open condition of MOV). The linesradiating from some of the indicatorlamps indicate the normal "on" conditionof these lamps prior to the low levelsetpoint.
Not shown in the sketch, but of impor-tance to the analysis, is the third rowfrom the bottom of MOV switches. Therow consists of 5 switches identical inshape and size to the bottom row. The 5switches are physically arranged fromleft to right and are labeled asfollows:
LO HEAD S.I. PP A DISC ISO VVMOV-1864A
ISO DISC FROM COLD LEGS
4.8.1 Open MOV-860A andto the low headInjection] pumpscontainment sump.
B, suctionSI [Safety
from the
LO HEAD S.I. PP A RECIRC ISO WVMOV-1885A I
LO HEAD S.I. PP A&B RECIRC ISO WVMOV-1885C
4.8.2 Stop the containment spraypump motors and close spraypump turbine steam supplyvalves MS-103A, B, C and D
LO HEAD S.I. PP B RECIRC ISO VVMOV-1885B ~1
4.8.3 Close Spraydischarge100A, 100B,D.
pump suction andvalves MOV-CS-101A, B, C and
LO HEAD S.I. PP B DISC ISO WVMOV-1864B
ISO DISC FROM COLD LEGS
(Normally open-red lamp)
111-67
The procedures in paragraph 4.8 are tobe performed about 20-30 minutes after aLOCA, and the procedures in 4.9 shouldbe pqrformed about 2 minutes after thosein 4.8. The 14.5% low level setpoint isindicated by a meter that shows droppingwater level in the RWST, and also by anannurwiator. The 7% low-low level set-poipt is similarly indicated.
,Reference to Table I11 6-1 indicatesthat the basic operator error rate atthe end of 30 minutes after a LOCA isapproximately 10-1. This basic errorrate was used for certain of the activi-ties as described below.
The first question to be asked in theanalysis was: what is the probabilitythat no action would be taken at the lowlevel setpoint condition? The secondquestion was: what is the probabilitythat some pair of switches, other thanMOV-1860A and B would be manipulated?
In answering the first question thebasic error rate of 10-1 was used.However, it was assumed that by 20-30minutes after a LOCA at least threepeople would be present in the controlroom, and that each of these peoplewould have to fail to notice the needfor taking action indicated in step4.8.1. Furthermore, it. was estimatedthat the presence of the meter indi-cation of falling RWST level should adda probability of 0.9 that someonepresent would be cued to perform step4.8.1. (This estimate is based on anassumed probability of 0.5 that anindividual will fail to notice a changein a meter indication under the circum-stances. For three people the jointprobability that the change will beunnoticed is 0.53 = .125, yielding aprobability of 0.875 that it will benoticed. For convenience, this wasrounded to 0.9.) The probability thatstep 4.8.1 would not be executed is thusestimated as about 10-4 prior to theauditory alarm, which would provideanother cue for action. This estimateof 10-4 is shown in the first branchingof the probability tree diagram shown inFig. III 6-3.
Once the alarm has sounded, the opera-tors have 2 minutes in which to performstep 4.8.1. It was reasoned that if noaction has been planned until the alarmsounds, some degree of disorganizationis indicated and the basic error rate of10-1 is applicable for each of the threeoperators. Thus a probability of 10-3was estimated for the failure to takeaction by any of the three operatorswithin 2 mintues after the first audito-ry alarm at the 14.5% low level set-
point. This 10-3 estimate is shown inFig. III 6-3 as the second branchleading to failure event F1 . Thus, thetotal estimated failure rate F1 (failingto perform step 4.8.1 in time) is 10-4 x10- = 10-7. Although as stated previ-ously an estimated failure rate of lessthan 10-5 should be viewed with skepti-cism, it can be concluded that theprobability of failure to perform step4.8.1 is relatively small, and thispotential failure was therefore droppedfrom further consideration.
It was estimated that if step 4.8.1 wereperformed, the probability of selectingsome pair of switches other than MOV-1860A and B would be of the order of10-2. The reliability of this task isestimated at this value because it wasassessed to be highly probable thatresponsibility for operating the valveswould be assigned to one person, thatis, no personnel redundancy would beused. This judgment was based onobservation of operators at work. Mis-selection of switches is the type oferror that operators tend to disregardas a credible error. Therefore, it wasdeemed unlikely that anyone would checkthe operator who actually manipulatedthe MOV's. The basic error rate of10-1 was assessed to be too large forthis type of action, and 10-2 was ac-cordingly selected as the nearest orderof magnitude estimate.
Reference to Fig. III 6-3 indicates thatthere are two paths leading to misselec-tion of the pair of switches. The path
A-F2 (10-4 x .999 X 10- 2 V 10-6)
has a small probability and hence can berejected. The only remaining failurepath of consequence is thus
A-F 3 (.999 x 10-2)
which reduces to 10-2.
Given that the operator selects a wrongpair of switches at the low levelsetpoint there now arise the possiblecandidates of incorrect pairs he willselect. It was assessed that the mostprobable candidates are MOV-1863A and Bsince they are on the same row ofswitches, are adjacent to the desiredswitches, and have similar MOV numbersand labels. The probability of select-ing a pair of switches from the secondrow from the bottom is lower in valuebecause of the dissimilarity of switchnomenclature and the different appear-ance of the switches themselves (they
111-68
have an AUTO position). The switches inthe third row from the bottom havelabels similar to the desired switches,but the outboard switches (the mostlikely candidates for mis-selection) arenormally open. Their red-indicatorlamps would furnish a cue that they arenot the correct switches to be manipula-ted. In addition, this third row isspatially somewhat remote from thedesired switches.
Given the initial error of selectingsome pair of switches other than May-1860A and B, it is therefore estimatedthat there is a probability of .75 thatthe operator would select MOV-1863A andB and a probability of .25 that someother pair of switches would be selec-ted. The error of mis-selection of MOV-1863A and B has a recovery factor whichenters at the 7% (low-low) levelsetpoint. That is, in step 4.9.2 theoperator is supposed to close MOV-1863Aand B. If the error of mis-selectionhad already been committed, the operatorwould find these M'OV's already closed.This situation will likely cue him thatsomething is wrong. A 0.9 probabilityis therefore used for his noting anerror, and hence the total estimatedfailure rate for step 4.8.1, includingfailure of the recovery factor, is 10-zx 0.75 x 10-1 = 0.00075 which is roundedto approximately 10-3.
A similar analysis was performed forsteps 4.9.1 and 4.9.2. The detailedanalytical approach described aboveinvolves a degree of subjectivity. Forthe study this subjectivity was notparticularly crucial because what isimportant and affects the overall re-sults is the order of magnitude of thehuman error failure rate and not itsexact value. The error bounds attachedto the final estimate also gave coverageto uncertainties and errors which mightexist. As a tool in itself, the de-tailed analytical approach is valuablefor the following reasons:
a. The exercise of outlining all plau-sible modes of operator actiondecreases the probability that someimportant failure path will beoverlooked.
b. Due to the lack of error rate datafor nuclear power plant tasks, it isnecessary to break down operatoractions to a level where existingdata can be used.
c. The detailed approach makes iteasier for analysts making independ-
ent estimates to check on the sourceof any disagreement and to resolveit.
6.2 AIRCRAFT CRASH PROBABILITIES
The AEC Regulatory Staff has compileddata (Ref s. 20, 21, 22) on aircraf tmovements and calculated crash probabil-ities as a function of distance from anairport and orientation with respect torunway flight paths. The probabilitiesare computed per square miles per air-craft movement so that the individualplant sites can be evaluated by deter-mining the plant vulnerable area, dis-tance from the airport and the number ofaircraft movements involved. Table III6-2 which was taken from Reference 23 isbased on general aviation aircraftmovements for the years 1964 through1968 and includes 3993 fatal crashes asa result of 320,000,000 aircraft move-ments. Only crashes resulting in afatality were considered. It is reason-able to assume that accidents severeenough to create significant damage to anuclear plant would generally involvefatal injuries, however.
Table 111 6-3 presents fatal crashhistories of air carrier and militaryaircraft. Crashes within ten miles ofan airport runway and within a 60 degreereference flight path symmetric aboutthe extended center line of the runwayare considered.
Although the number of aircraft move-ments per year may increase significant-ly in the uiext_ four decades, the fatalcrash probability per aircraft movementper square mile is expected to stayrelatively constant and will probablydecrease as safety technology developsin future years. The updating of thecrash probabilities to account forfuture growth can then be accomplishedby estimating the increase in aircraftmovements for the period of concern. Astudy conducted by Sandia Laboratoriesindicates that the accident rate permile for all U.S. air carriers steadilydecreased over the period of 1968through 1971 even though the number ofmiles flown increased significantly.
It is reasonable to expect this trend tocontinue so that extrapolation of crashprobabilities based solely on the ex-pected increase in aircraft movementswill result in conservative answers.
Based on the reference data on the prob-ability of aircraft crashes as a func-tion of number of aircraft movements and
111-69
vulnerable area, the analysis ofspecific plants is dependent on (1) thenumber and nature of aircraft movementsin the vicinity of the plant, (2) thevulnerable area of the plant arid (3) thedamage potential of aircraft crashesinto the vulnerable area.
6.2.1 NUMBER AND NATURE OF AIRCRAFTMOVEMENTS
Aircraft movements considered have gen-erally been limited by size or weightrestrictions. The assumption commonlymade is that aircraft having a weight of12,500 lbs. or greater will cause seri-ous damage to a reactor plant. It isassumed that some portion (25% forSurry) of the smaller aircraft is largeenough to cause damage. Judgements onsize and speed considerations are madefor individual airport-plant interac-tions based on the type of aircraftinvolved.
6.2.2 DETERMINATION OF PLANT VULNERABLEAREA
The plant vulnerable area is calculatedas the "shadow" area in square miles ofvulnerable plant structures based on adefined impact angle. The angle isgenerally assumed to be 200 although itmay vary from 100 to 300. It should benoted that the effective area will varydepending on the direction of approach,terrain features, and type of damage.
6.2.3 DAMAGE POTENTIAL
Two types of damage are generally con-sidered, (1) fire damage either from theaircraft exploding and burning or fromsprayed fuel igniting, and (2) structur-al damage due to impact of the aircraftframe and engines.
Table 1II 6-4 was taken from Reference23 and shows the calculatedprobabilities for three plants. Thetable has been expanded to include theSurry plant Units 3 and 4. Theinformation for Surry was taken from theSafety Analysis Report and from the AECRegulatory Staff evaluation.
6.2.4 TYPICAL DAMAGE CALCULATIONS
(SURRY 3 and 4)
6.2.4.1 Source.
a. Felker AAF Field
Five miles SE of the site.
Maximum gross weight of aircraft47,000 lb.
1972 number of operations = 81,500.
b. Assumed Conditions:
1. Only 1/2 of the 81,500 opera-tions fly over the site. (Since1/2 are landings and 1/2 aretakeoffs, it is likely that onlyone or the other and not bothtypes of operation would beinvolved.)
2. Half of the operations are bylarge aircraft and half bysmaller aircraft (less than12,500 lb.).
3. Of the smaller aircraft, only1/4 are large enough to causedamage.
4. Vulnerable areas of 2 each unitari less than 0.01 mi and 0.005mi for large and small aircraftrespectively.
5. Probability of fatal crash isless than 0.3 x 10- 8/mi 2 peroperation. (Military aviationhas a better safety record thangeneral aviation.) Accordingly,the probability of an aircraftaccident resulting in structuraldamage is:
P <811500 1 00S,A , x½x 0.01
x 3 x 0 81,5000
x I x 0.005 x 3 x 10.9T 0
P. <-7 x 10-7 /year
6.2.4.2 Source.
a. Williamsburg - Jamestown Airport
Five miles N-NW of the site.
Maximum gross weight of aircraft12,000 pounds.
1972 number of operations - 45,000.
b. Assumed Conditions:
Using I probability of crash of I x10 8 /mi' and assuming that only 1/4of aircraft are large enough tocause damage since this is a rela-tively small airport with predomi-nately light aircraft traffic.
45,000 005PS, < •M X 0.005
SB 2
x x1 O 10- 8 x 14
111-70
PS,B < 3 x 10- 7/year .
To determine the likelihood of an impactof the containment vessel the ratio ofthe containment vessel area to the over-all target area was estimated at 0.5,which results in a probability of 5 x10-7 for impact on the containmentstructures.
Further, in Reference 23, it wasconcluded the likelihood of apenetration (given impact) resulting indamage to a critical element within thecontainment vessels (such as thereactor, the primary piping, etc.) wasreduced at least a factor of 100.Therefore, the estimate of criticaldamage due to an aircraft accident isconservatively established at:
P < 5 x 10- 9/plant year .
6.3 TOTAL LOSS OF ELECTRIC POWER
An event of major concern in the reactorsafety study is total loss of electricalpower at LOCA or during the course of aLOCA. Accordingly, the statistics andmethodology used to quantify the likeli-hood of such an event are reportedherein.
This event requires the failure of twoessentially independent systems, theoffsite power system and the onsitepower system. Further, because theelectrical requirements are reduced astime progresses subsequent to a LOCA,the event was evaluated for two discretetime periods: (1) at the instant of aLOCA; (2) at time periods up to ninemonths after a LOCA, provided that theelectrical system operated properly atLOCA.
Because time is not a factor for loss ofelectric power at LOCA, cyclic or perdemand statistics were used to computethe probability of such a loss in lieuof the more standard failure rate data.Conversely, because time is a factor forloss of electric power during the courseof a LOCA, applicable failure rates wereused to compute the probability of sucha loss.
6.3.1 TOTAL LOSS OF ELECTRIC POWERAT LOCA
The sequence that leads to this event isloss of the offsite power sources atLOCA, and the subsequent failure of thediesel generators to start or to pick upload. The Technical Specifications do
not permit operation of the reactorwithout offsite power. Therefore, off-site power is assumed to be availableimmediately prior to a LOCA. Since thetime frame of interest for this event isin the order of one minute, the likeli-hood of losing offsite power by a fail-ure which is not causally related to theLOCA is negligible. Likewise, becauseof the short time span, credit cannot betaken for corrective actions during thisevent.
A LOCA will cause a generator trip,resulting in a sudden loss of genera-tion. If this sudden loss of generationexceeds the transient stability limit ofthe power system, then offsite powerwill be lost. The Federal Power Commis-sion has provided transient stabilityinformation for power plants east of theRockies. Based on this information, theprobability is assumed to be 10-3 thatoffsite power would be lost as a resultof the generator trip that would arisefrom a LOCA. This is the value used inthis study, although for the particularplant considered in this study, thisnumber might be lower (i.e., thetransmission system of the plant review-ed has a high transient stability limitdue to high installed capacity, the ex-tensive grid interconnections with otherlarge utilities, and the number of 500and 230 kV transmission lines connectingthe plant to the grid). Conversely,this number would be higher for otherareas, e.g., Florida, where the tran-sient stability limit is relatively low.The associated error spreads serve tocover such possible deviations.
If offsite power is lost at LOCA, thenthe subsequent loss of two dieselgenerators results in total loss ofelectric power at LOCA. Both dieselscould either fail to start, or bothgenerators could trip due to the suddenapplication of load. Either case,failing to start or tripping, wouldresult in total loss of power. Thefailure of both diesels to start isconsidered to be a random event due totwo independent failures. Nuclear oper-ating experiences (the data tables)indicate that the failing to start prob-ability is 3 x 10-2 per demand. Sincetwo diesel generators are involved, theprobability that both fail to start is9 x 10-4, or approximately 10-3. Ifboth diesels start, the subsequenttripping of both generators would resultin total loss of power at LOCA. Sinceboth generators must pick up allemergency loads upon loss of offsitepower, this is a single event that couldtrip both units. Based on analyses andsparse engineering data, the probability
111-71
of such an event is assessed to be 10-2,compared to 10-3 for independent failurecalculation (Ref. 24 through 27). Theerror spreads again serve to cover theassociated variabilities of thisestimate.
The loss of offsite power at LOCA,(qnet), was estimated to be 10-3, andthe loss of both diesel generators,(q2DG) was governed by the trippingsequence and estimated to be 10-2.Since offsite power and onsite powermust be lost to cause total loss ofpower at LOCA, the point probability ofsuch an event, (qAC) can be computed asfollows:
qAC-- net (q2DG)" 10- 3x 10- 2
=10-5 .
Because the 9SP requirements are moststringent immediately after a LOCA(e.g., the core would be uncovered in amatter of minutes without electricpower), no credit is taken for remedialactions such as restoration of offsitepower or manual start or repair ofdiesel generators.
6.3.2 TOTAL LOSS OF ELECTRIC POWERDURING A LOCA
A premise for this event is that powerwas available at LOCA and that thesubsequent total loss of power was dueto random uncorrelated events. As inthe case of total loss of electric powerat LOCA, this event requires the loss ofoffsite and onsite power. In contrastto the case of total loss of electricpower at LOCA, this event allows creditto be taken for corrective actions.Credit for corrective action is allowedbecause the requirements of the ESF sys-tems, primarily the heat removal system,become progressively less stringent astime passes after the LOCA.
The probability of this event thereforeinvolves two aspects: (1) reliability,(2) maintainability. The reliabilityaspect is the probability that the totalelectric power system will fail at sometime, T, after the LOCA; the maintaina-bility aspect is the probability thatpower cannot be restored before themaximum allowable outage time (i.e., thetime required to uncover the core).Thus, the relevant probability for thisevent is the joint probability that allpower is lost and that it is notrestored before the maximum allowableoutage time.
Vendor data indicate that the timerequired to uncover the core upon lossof all electric power, Tmax, can beapproximated by a linear functionwhenever the time t after LOCA exceed144 hours;
Tmax Wt)- 0 ; t < 144 hr
tTmax Mt) 1+ - ; t > 144 hr
Thus, all electric power may safely belost for approximately two hours in theperiod starting one month after a LOCAoccurrence. As a result, the repairmodels used for restoration of electricpower allow a maximum repair time whichcoincides with the above equations.
The computed maximum allowable outagetimes were subsequently coupled withapplicable repair data, and the proba-bility of not restoring power within themaximum allowed outage time was deter-mined. The cumulative probability oflosing all power increases directly withtime; however, because the time allowedto repair such outages also increaseswith time, the cumulative probability ofmeaningful failures increases less rap-idly than would otherwise be the case.
The data on which the probabilitycalculations are based include nuclearoperating experience for loss of offsitepower and diesel failure and repair, andutility operating experience for resto-ration of offsite power. Nuclear oper-ating experience for 1972 includes threeevents where offsite power was lost.
These events occurred in about 150,000operating hours, giving a point estimateof the failure rate for offsite power,X(net), of 2 x 10-5 failures per hour.This data was not inconsistent with theother experiences.
The repair model for restoration ofoffsite power was based on outage dataof the Bonneville Power Administrationfor the years 1970, 1971 and 1972. Thestatistics represent the operatingexperience of more than 11,000 miles oftransmission lines rated at 500, 345,287, 230, 138 and 115 kV, and includemore than 1500 outages. These statis-tics are summarized in Tables I11 6-5,6-6, 6-7. These data represent singlefailures, andnot necessarily the lossof offsite power; however, the repairdata are applicable because the- repairof a single line would constituterestoration of offsite power. For theoutages reported, the restoration time
111-72
ranged from more than 150 hours toessentially zero time. A cumulativedistribution curve of these outages wasplotted (Fig. III 6-4), and the meanrepair time was found to be less than0.25 hour. For the post-accidentenvironment, a conservative, constantmean repair time (Tnet) of 1 hour wasused. Thus, the probability thatoffsite power is not returned to serviceby time t after failure is approximatedby exp (-t/Tnet). As shown in thetables, the outages are caused by suchfactors as trees in line, lightning,storm, fire, malicious damage,accidental damage and fire. The majorcontributor to the total number ofoutages is lightning, and the outageswhich require the longest time to repairare generally those associated withfire, ice or line material failures. Tobetter depict the distribution of theseoutages, a histogram was plotted onsemi-log paper, Fig. III 6-5.
The data were in the form of numbers ofincidents and total outage times withineach cause category. Although this pre-averaging may distort details of thedistribution (i.e., all incidents of agiven type are assigned the same averageoutage time) the conclusions are notsensitive to it. The distribution inFig. III 6-4 bears a reasonable resem-blance to a log-normal curve, and themean repair time used in further calcu-lations was assessed to be adequate forthe purposes of the study.
As previously stated, the probabilitythat both diesels fail to startindependently is approximately 10-3.However, if the diesels are required topick up a significant load immediatelyafter start, as is the case, the proba-bility that both generators will tripout, q(2DG), is 10-2. Data for repairof diesel generator sets were not verydetailed. For the study's purposes,however, the 1972 nuclear operatingexperience data were able to be used toestimate the mean repair time, TDG, ofthe diesel generators, which was twenty-one hours.
Total loss of electric power during thecourse of a LOCA involves the loss ofoffsite power with both diesels failingto pick up load, and neither the offsitepower source nor any diesel being re-paired before the maximum allowed outagetime, Tmax, has elapsed. The cumulativeprobability for this combined event canbe given by the following equation:
otpt) W f (net) dt'
0
q (2 DG) exp
S- /max (t_xp net /
( 2
= X(net) q (2 DG)
= A(net) q (2 DG)
TmaxtWD
T DG)
t, t<tO
+t +0 T 1
ex (-T' t~ + 1
- exp
where
t0
= 144 hrs
i/ = i/Thnet + 2/TDG = 1.095
T max(t) = 't + 1
T' = 1/720
X(net) = 2.0 x 10-5
q (2 DG) = 10-2
6.3.3 SUMMARY
The probability of total losstric power was computed for twotime periods: (1) at LOCA anding the course of a LOCA. Theare tabulated as follows:
of elec-discrete(2) dur-results
a. Total loss of electric power atLOCA, Qmed = 10-5 per demand. The90 percent probability bounds(range) on this median estimate are:
Qlower = 10-6 per demand;
Qupper = 10-4 per demand.
b. The point estimates of total loss ofelectric power during a LOCA, given
111-73
success at LOCA, and the associated90 percent probability bounds forvarious times after a LOCA (seeTable III 6-8) were computed byusing the aforementioned equationand by including the relativelysmall contributions from other faulttree analyses. (The point estimateswere taken as median values withregard to the probability bounds.)
6.4 PIPE FAILURE DATA.
The probabilities of pipe failure as aninitiating event for loss of coolantaccidents are listed in Table III 6-9.
The pipe rupture assessments noted inTable III 6-9 were obtained from exami-nation of nuclear data sources, indus-trial data sources, and a number ofother data sources. The same type ofrange approach as used for the componentdata base was used for the pipe ruptureassessments. Each of the various datasources was individually evaluated toobtain pipe rupture assessments. Ranges(i.e., error spreads) were then deter-mined which covered and were notinconsistent with the individual esti-mates yielded by the various sources.
In general, the pipe data from thevarious sources were quite rough andgave much freedom of interpretation. Toincorporate the resulting uncertaintyand possible variations that could existin the assessments, the ranges (errorspreads) were required to be large insize. As with the other data, theassociated median values represent thegeometric midpoint of the ranges; theassociated error factor from median torange endpoint is thus 10. The range,or error spread, and median values areagain rounded to the nearest half valueon the exponent scale. For error deter-mination, a log normal was assigned tothe above ranges and the ranges wereinterpreted at 90% probability.
Various pipe sizes were included in theevaluations and the rupture data werecategorized into different sizes. Ingeneral, the basic pipe data, as givenin the data sources, could be brokeninto two general categories, rupturesoccurring in pipes less than roughly 4"in diameter and ruptures occurring inpipes having diameters greater than 4".In the summaries of the individual datasources which will be presented, thedata are broken into these two categor-ies for analyses where the less than 4"diameter pipes are simply termed "smallpipes" and the greater diameter ones,"large pipes".
For the final assessments, the rupturedata were extended and interpolated intothree categories as shown above. Thisfiner categorization was done principal-ly for modeling considerations and issomewhat subjective, based on judgementand on extrapolation of general trendsobserved in the basic data. The finerstructure is not inconsistent with thebasic data and the two group classifica-tions, the highest and lowest bounds(10-2 and 10-3) agree with the twogroups and the total range which isobtained from the basic data. The largeranges stemming from basic data whichare associated with each category tendto cover any categorization errors madeand any categorization variation whichcan occur, with the range sizes causingall the categories to overlap heavilyone another.
In addition to the pipe sizes, therupture size and severity varied over aspectrum, which contributed to theuncertainty. In general, ruptures werecategorized as those breaks of major,severance-type size. Minor leaks werenot counted in the rupture assessments.When there were questions concerningparticular failures, evaluations wereperformed both including and excludingthese failures which served in determin-ing the ranges for the assessments.
The assessments made in the study applyto those types of pipe ruptures whichwould cause LOCA's. When data sourceswere in the form of total, per plantprobabilities that were applicable to arupture occurring in systems anywhere inthe plant, these total probabilitieswere normalized by the ratio of LOCAsensitive piping to the total piping inwhich failures were reported. Averageplant characteristics were used todetermine the fraction of piping in thedata base associated with possible LOCAinitiation; the characteristic valuesused are shown below, followed by theevaluation of the individual datasources. The variation in these charac-teristic values from plant to plant wasjudged to be negligible compared to theassessed ranges associated with thebasic data variability.
Finally, event trees were constructed toanalyze additional, plant-peculiarcauses of rupture which were not includ-ed in the data histories which wereexamined. These additional causes werethen incorporated along with the dataassessment values in the final riskevaluations.
111-74
6.4.1 PLANT PARAMETERS
Average characteristics are listed asfollows:
a. LOCA Sensitive Piping - 10% of totalpiping in the reported data base.
b. LOCA Sensitive Small Piping - 4.7%of total piping in the reported database, 10% of small piping.
c. LOCA Sensitive Large Piping - 5.3%of total piping in the reported database, 10% of large piping.
From the average plant characteristics,approximate relations are obtainablebetween total plant failure rates andfailure rates for the LOCA sensitivepiping. If failures are recorded forthe total plant, then:
Large Pipe LOCA'Rupture RateA
Small Pipe LOCA)Rupture Rate /
If the failuresoccurring in largpiping, then thmultiplied by 0.1rates:
( Large Pipe LOCAtLRupture Rate
= (Rupture RateTotal Plant
x 0.047
= (Rupture Rate
Total Plant
x 0.053
for)
f or)
X(LPB) will be used to represent thelarge pipe LOCA rupture rate (Z 4") andA(SPB) will be used to represent thesmall pipe LOCA rupture rate (:. 4").
6.4.2 NUCLEAR AND NUCLEAR-RELATEDEXPERIENCE
In approximately 150 reactor years ofcommercial nuclear power plant experi-ence to date, there have been no cata-strophic failures of the primary coolantloop. A crack in the secondary loop wasrecorded, believed due to a water hammereffect; however, complete severance didnot occur. Using 1 failure as an upperbound, therefore,
1 10-3/plantX(LPB) < 150 /plant year
Essentially the same result is obtainedif zero (0) failures are used and a 95%chi square (or Poisson) confidence boundis taken (X(LPB) 9 5 % < 3/150). The boundis high, not particularly due to theactual failure rate being high but tolack of sufficient data.
If one interprets the above values asapplying to the large piping of theentire plant, then the 7 x 10- 3 valuecan be multiplied by the LOCA sensitivi-ty factor (susceptibility) of 0.10 toobtain another bound for X(LPB).
X(LPB) < 7 x 10-3 x 0.10
< 7 x 10- 4/plant year
With regard to small pipe ruptures, thesame type values as above are also ob-tained. Several failures have occurred,none of which were complete ruptures,ahd there is freedom as to preciseapplicability and failure counts. Using1 failure as an order of magnitude typevalue,
X(SPB) < 7 x 10- 3 /plant year
Extrapolation to the small piping of theentire plant as before will yield anadditional factor of 10 reduction.
The above values represent gross orderof magnitude type bounds, which aredominated by lack of sufficient andprecise data. Because of the associateduncertainties, attempts to categorizethe history in more detail, by subjec-tive judgement, will yieid no furthersignificant information with regard tothe overall statistical assessments.
are broken into thosepiping and in smallrespective rates are
to obtain the LOCA
(RuptureLarge
x 0.10
Rate for\Piping )
Small Pipe LOCA) = (Rupture Rate for
Rupture Rate /\ Small Piping )
x 0.10
The aforementioned relationships assumea uniform occurrence of failure withregard to pipe location. For order ofmagnitude calculations the relationshipis reasonable if the error spreads arelarge enough to incorporate any errorsmade in this extrapolation. For thetotal plant rate relationships, eachfactor (i.e., 0.047 and 0.053) is ap-proximately 0.05, which is a factor oftwo different from the large and smallbreakdown fractions of 0.10. For orderof magnitude calculations, this differ-ence is generally not significant. Inthe following data source summaries,
111-75
If the experimental reactor experienceand military applications experience(naval) are added to the commercialnuclear experience, then additional val-ues can be obtained. There are approxi-mately 40 odd years of experimentalreactor experience and on the order of1200 reactor years of military experi-ence. Including this experience withthe approximately 150 years of commer-cial experience gives on the order of1400 years of combined nuclear experi-ence.
In the 1400 years of total experiencethere have been no reported large piperuptures occurring in the primary loops.Using 1 failure as an upper bound, whichwithin the accuracies being computedagrees with the 95% zero failure bound,one obtains
)X(LPB) < • = 7 x 10-4 /plant year
In the above calculation, a plant yearis taken to be synonymous with a reactoryear. The 10% LOCA sensitivity factorcan be applied to obtain another orderof magnitude reduction; however, sincethe data are not directly correlatedwith plant characteristics, the 10% fac-tor adds extra uncertainty. Precisesmall pipe rupture data were not availa-ble; however, the same order of magni-tude value as above, i.e., 10-3, wouldbe roughly applicable, the value beingless conservative with several failuresbeing counted for the bound.
In addition to the bounds obtained fromcommercial experience and combined nu-clear experience, rough bounds can alsobe obtained from non-rupture failuredata on process piping. Rupture proba-bilities are obtained (extrapolated)from the non-rupture statistics by ap-plying non-rupture to rupture detection(severity) factors. Process piping doesnot necessarily have the same failurecharacteristics as the better qualitycoolant piping, the LOCA related piping,which causes additional possible con-servatism and uncertainty to be includ-ed. Since the bounds are to be inter-preted as rough indicators, the effectswill not impact the bound applications.
Using the 1972 nuclear history examinedfor the general data base, the processpiping failures can be grossly categor-ized as follows:
a. Process Piping Failures (17 plants)
4 Breaks (severity lying betweenminor leakage and major rupture)
4 Minor leaks
b. Other failure related occurrences
1 Pipe dented - no break
1 Pipe hanger failure - no resultingdamage
The pipe sizes are not separated sincethe detection, or severity factor, willserve to differentiate large and smallrupture probabilities. The above dataare taken from the more detailed tabula-tions given in the general data basediscussion.
Rate of breakage in large LOCA-sensitivepiping (per plant per year):
4 x 0.047 = 1.0 x 10-2
Since the amount of small piping isapproximately equal to the amount oflarge piping,the rate of breakage forsmall LOCA sensitive piping will also beapproximately 1.0 x i0-Z. This breakagerate can then be taken as an upper boundfor the small pipe LOCA rupture rate:
X(SPE) < 1.0 x 10-2
If a fraction of the breakage rate istaken as advancing to large ruptures,then the upper bound will be reduced bythis fraction to obtain the large piperupture rate. In terms of experiencedata, this severity fraction is theratio of large ruptures occurring to thenumber of breakages occurring. The se-verity fraction represents a detectioninefficiency and can be taken as incor-porating the probability that a rupturewill occur without intermediate leakageor breakage.
Using the average empirical value of0.05 from the G.E. and English data(given in their associated data assess-
ments), which represents a 95% detectionefficiency.
A(LPB) < 1.0 x 10-2 x 0.05
< 5 x 10-4
6.4.3 U.S. NON-NUCLEAR UTILITYEXPERIENCE
One of the more complete analyses avail-able is the General Electric study ofnon-nuclear power utility experience(GEAP-574). The amount of experience
was one of the largest analyzed and was
111-76
sufficient to obtain statistically sig-nificant results. The data base doeshave the weakness that is non-nuclear.Because of the applicable general utili-ty environment and the general agree-ments between nuclear and industrialdata observed in the other componentassessments, the G.E. results can beinterpreted as being of more significantapplicability. To account for the ex-trapolation uncertainties for nuclearapplications, the results must, however,be interpreted as having large errorspreads.
The G.E. basic data are summarized as
follows:
Plant years of experience = 9 x 103*
Total number of failures = 399
Number of severances (ruptures) = 19
19Severity fraction T =3 0.05
Percentage of failures occurring withleakage - 94%
Percentage of failures occurring withoutleakage - 6%
The 399 failures covered the range ofmore minor breaks to more severe rup-tures. There were 19 failures of thelarge rupture type, which were charac-terized as being more complete typeseverances. The severity fraction wasdiscussed earlier, and empirically isthe ratio of severances to total numberof failures. The percentage of failuresoccurring without leakage is in generalagreement with the severity fraction.
The failure rate evaluations of the G.E.data are:
Total Failure Rate(Per plant year)
_ 3993 = 4 x 10-29 x 103
Non-Severance Failure Rate(Per plant year)
- (399-19) 4 x 10-2
9 x 103
Since the above rates are interpretableas applying to those reported for theentire plant, the large pipe rupturerate can be evaluated as:
X(LPB) = 2 x 10-3 x .047
= 9 x 10- 5/plant year
The 399 failures included minimum breaksizes comparable to the small rupturesizes defined in the study, and hence acorresponding small pipe rupture ratecan be obtained by using the non-sever-ance failure rate, which is essentiallythe total failure rate:
X(SPB) = 4 x 10-2 x .053 = 2 x 10-3
6.4.4 UNITED KINGDOM DATA
The Phillips and Warwick report (AHSB(S)R162) principally analyzed pressure ves-sel failures; however, some piping datawere included. Non-nuclear history wasevaluated which covered the period from1962 to 1967 and was comprised of atotal of 132 failures occurring inroughly 100,300 plant years of experi-ence. To better correlate with nuclearapplications, system ages were restrict-ed to be less than 30 years, had associ-ated working pressures above 150 psi,and were built to the English Class 1standards. Because the pipe failuresreported on were not as detailed as thevessel failures and because of the ex-trapolation uncertainties, the resultsmust be interpreted as having largerassociated error spreads. The evalua-tions of the Primary Circuit PipingFailure Rate (per plant year) are:
Severance Failure Rate(Per plant year)
- 19 =2 x 10-3
9 x 10
PotentiallyDangerous
5 x 10-4
Catastrophic
2 x 10-5
The potentially dangerous rate corre-sponds approximately to a range greaterthan minor leaks but less than completeseverance. The value can thus be takenas roughly comparable to the small pipeLOCA rate. The catastrophic rate can betaken as being roughly comparable to thelarge LOCA rate.
*The plant years have been obtained fromdata and some analyses, where the plantyears can be taken to be roughly equiv-alent to nuclear plant years.
111-77
As one other data source, the UK SystemsReliability Service, in its data evalua-tions, reports a rate of pipe defects tobe approximately 3 in 107 feet of pipingper year. The defect severities coverthe spectrum from smaller breaks tolarger ruptures. This rate is based onexperience with approximately 70 conven-tional boiler plants operating in the100 to 500 MW range.
If this total plant failure rate isapplied as an upper bound to the largeLOCA sensitive piping, then a value isobtained of:
A < 3 x 10-3 /plant year
Because of the defect definition, the3 x 10-3 value can also be taken as anupper bound for the small LOCA failurerate. Since the defects cover aspectrum of severities, this bound canoverestimate the true LOCA failure rateby an order of magnitude. Using thesame factors as previously, theassociated large pipe LOCA rate or smallLOCA rate can be obtained by applyingthe 0.05 approximate severity factorobtaining the value of:
A(LPB) t- 3 x 10-3 x 0.05
- 1.5 x 10-4 /plant year
The factor and its uncertainty can can-cel any conservatism in this large pipevalue.
6.4.5 OTHER REPORTED PIPE FAILURE RATES
Listed on Table III 6-10 are pipe fail-ure rates which have been given invarious published reports. The refer-ences are with regard to those given inthe bibliography found in section 7 andare associated with the study's database. The reported values are taken atface value since insufficient documenta-tion was provided in the reports to beable to assess the relative validity ofthe numbers. The values are in generalsimilar, with a few having higherdeviations.
6.5 FAILURE RATES COMPARED WITHLOG NORMAL
Figures III 6-6 through III 6-9 illus-trate the log-normal model distributionsversus experience failure data. Thelog-normal distributions are those util-ized in the study to predict variationsin component failure data. The experi-ence failure data consist of the rawdata which were obtained from the vari-ous sources employed in the data assess-ments. Since the log-normal distribu-tions utilized in the study are based ondata assessment and not on simple empir-ical fitting, the distributions will notnecessarily "best fit" the experiencedata (in the data assessments performed,for example, greater importance is givento nuclear and nuclear related data thanto data which are not as directlyapplicable).
References
1. Rook, L. W., Reduction of Human Error in Industrial Production, SCTM-93-62(14),Sandia Laboratories, Albuquerque, New Mexico, 1962.
2. Swain, A. D., A Method -for Performing a Human Factors Reliabiliy Analysis,Monograph SCR-685, Sandia Laboratories, Albuquerque, New Mexico, 1963.
3. Ablitt, J. F., A Quantitative Approach to the Evaluation of the Safety Functionof Operators of Nuclear Reactors, AHSB(S)R-160. Authority Health and SafetyBranch, United Kingdom Atomic Energy Authority, Risley, England, 1969.
4. Green, A. E., Safety Assessment of Automatic and Manual Protective Systems forReactors, AHSB(S)R-172, Authority Health and Safety Branch, United KingdomAtomic Energy Authority, Risley, England, 1969.
5. Kletz, T. A. and Whitaker, G. D., Human Error and Plant Operation, EDN 4099,Safety and Loss Prevention Group, Petrochemicals Division, Imperial ChemicalIndustries, Ltd., Billingham, England, 1973.
6. Ronan, W. W., Training for Emergency Procedures in Multiengine Aircraft, AIR-153-53-FR-44, American Institutes for Research, Pittsburgh, Penna., 1953.
7. Berkun, M. M., "Performance Decrement Under Psychological Stress", Human.Factors, 1964, 6, 21-30.
III-78
8. Appley, M. H. and Trumbull, R. (eds.), Psychological Stress, Appleton-Century-Crofts, New York, 1967.
9. Harris, D. H. and Chaney, F. B., Human Factors in Quality Assurance, John Wiley
and Sons, New York, 1969.
10. McCornack, R. L., Inspector Adequacy: A Study of the Literature, SCTM-53-61(14), Sandia Laboratories, Albuquerque, New Mexico, 1961.
11. Siegel, A. I. and Wolf, J. A., Man-Machine Simulation Models, John Wiley and
Sons, New York, 1969.
12. Grinker, R. R. and Spiegel, J. P., Men Under Stress, McGraw Hill Book Co., 1963
(reprinted from 1945).
13. , Some Limitations in Using the Simple Multiplicative Model in Behavior
Quantification", W. B. Askren (ed.), Symposium on Reliability of HumanPerformance in Work, AMRL-TR-67-88, Wright-Patterson Air Force Base, Ohio, 1967.
14. Raudenbush, M. H., "Human Engineering Factors in Control Board Design for
Nuclear Power Plants", Nuclear Safety, 1973, 14, 21-26
15. MIL-H-46855A, Military Specification, Human Engineering Requirements forMilitary Systems, Equipment and Facilities, U.S. Dept. of Defense, Wash., D.C.,
2 May 1972.
16. MIL-STD-1472A, Military Standard, Human Engineering Design Criteria for MilitarySystems, Equipment and Facilities, U.S. Dept. of Defense, Wash., D.C., 15 May
1970.
17. Morgan, C. T., Cook, J. S. III, Chapanis, A. and Lund, M. W. (eds.), HumanEngineering Guide to Equipment Design, McGraw Hill Book Co., New York, 1963.
18. Van Cott, H. P. and Kincade, R. G. (eds.), Human Engineering Guide to EquipmentDesign, (Rev. Ed.), U.S. Govt. Printing Office, Wash., D.C., 1972.
19. Woodson, W. E., and Conover, D. W., Human Engineering Guide for EquipmentDesigners, Univ. of California Press, Berkeley, Cal., 1964 (2nd ed.)
20. Insurance Facts (1972), (Disaster Impact Data) Insurance Information Institute,
New York, New York.
21. Docket 50-289 (Aircraft Impact Data) Files, Bethesda, Maryland.
22. FAA (Air Traffic Data) Federal Aviation Administration (FAA), Dept. of
Transportation, Washington, D.C.
23. D. G. Eisenhut, "General Aviation Fatal Crash Probability Distribution for Use
in Nuclear Reactor Sitings", August 1972.
24. Reactor Incident File (1972) (Component Failure Data) Office or OperationsEvaluation (OOE) of Regulatory Operations (RO), Atomic Energy Commission (AEC),Bethesda, Maryland.
25. Reactor Incident File (1971) (Component Failure Data) Data control of RSS,Bethesda, Maryland.
26. EEI Availability Report (Component Failure Data) Edison Electric Institute
(EEI), New York, New York.
27. Systems Reliability Service, UKAEA, Office of Operations Evaluation (OOE) ofRegulatory Operations (RO) are Members of Service.
28. Insurance Facts (1972), (Disaster Impact Data) Insurance Information Institute,New York, New York.
29. Docket 50-289 (Aircraft Impact Data) Files, Bethesda, Maryland.
111-79
TABLE III 6-1. GF•Jt'RAL ERROR PATF ESTIMAtTES(a'b)
Estimated
Rates Activity
10-4 Selection of a key-operated switch rather than a non-key switch (thisvalue does not include the error of decision where the operator misin-terprets situation and believes key switch is correct choice).
10-3 Selection of a switch (or pair of switches) dissimilar in shape orlocation to the desired switch (or pair of switches), assuming nodecision error. For example, operator actuates large handled switchrather than small switch.
3 x 10-3 General human error of commission, e.g., misreading label and thereforeselecting wrong switch.
10-2 General human error of omission where there is no display in thecontrol room of the status of the item omitted, e.g., failure toreturn manually operated test valve to proper configuration aftermaintenance.
3 x 10-3 Errors of omission, where the items being omitted are embedded in aprocedure rather than at the end as above.
3 x 10-2 Simple arithmetic errors witn self-checking but without repeatingthe calculation by re-doing it on another piece of paper.
i/x Given that an operator is reaching for an incorrect switch (or pair ofswitches), he selects a particular similar appearing switch (or pairof switches), where x = the number of incorrect switches (or pair ofswitches) adjacent to the desired switch (or pair of switches). Thel/x applies up to 5 or 6 items. After that point the error rate wouldbe lower because the operator would take more time to search. With upto 5 or 6 items he doesn't expect to be wrong and therefore is morelikely to do less deliberate searching.
10-1 Given that an operator is reaching for a wrong motor operated valve MOVswitch (or pair of switches), he fails to note from the inditatorlamps that the MOV(s) is (are) already in the desired state and merelychanges the status of the MOV(s) without recognizing he had selectedthe wrong switch(es).
-1.0 Same as above, except that the state(s) of the incorrect switch(es) is
(are) not the desired state.
-1.0 If an operator fails to operate correctly one of two closely coupledvalves or switches in a procedural step, he also fails to correctlyoperate the other valve.
10-1 Monitor or inspector fails to recognize initial error by operator.Note* With continuing feedback of the error on the annunciator panel,this high error rate would not apply.
10-1 Personnel on different work shift fail to check condition of hardwareunless required by check list or written directive.
5 x 10-1 Monitor fails to detect undesired position of valves, etc., duringqeneral walk-around inspections, assuming no check list is used.
.2 - 3 General error rate given very high stress levels where dangerousactivities are occurring rapidly.
TABLE 111 6-1 .(Continued)
EstimatedRates Activity
-1.0
9 x 10-1
10x1
10-2
Given severe time stress, as in trying to compensate for an error madein an emergency situation, the initial error rate, x, for an activitydoubles for each attempt, n, after a previous incorrect attempt, untilthe limiting condition of an error rate of 1.0 is reached or until timeruns out. This limiting condition corresponds to an individual'sbecoming completely disorganized or ineffective.
Operator fails to act correctly in the first 60 seconds after the onsetof an extremely high stress condition, e.g., a large LOCA.
Operator fails to act correctly after the first 5 minutes after theonset of an extremely high stress condition.
Operator fails to act correctly after the first 30 minutes in anextreme stress condition.
Operator fails to act correctly after the first several, hours in a highstress condition.
After 7 days after a large LOCA, there is a complete recovery to thenormal error rate, x, for any task.
(a) Modification of these underlying (basic) probabilities were made on the basis ofindividual factors pertaining to the tasks evaluated.
(b) Unless otherwise indicated, estimates of error rates assume no undue timepressures or stresses related to accidents.
TABLE III 6-2 AIRCRAFT CRASH PROBABILITIES
Probability of a FatalDistance From Airport, miles Crash per Mile 2 Per
Aircraft Movement
0 - 1 84 x 10-8
1- 2 15 x 10 8
2 - 3 6.2 x 10-
3 - 4 3.8 x 10-
4 - 5 1.2 x 10-8
TABLE Il 6-3 COMPARISON OF PROBABILITY OF All AIRCRAFT CRASH FOR VARIOUS TYPES OFAIRCRAFT
Distance Probability (xlO 8) of a Fatal Crash
From End Per Square Mile per Aircraft Movement
Of Runway,(mile) U.S. Air Carrier USN/USMC USAF
0- 1 16.7 8.3 5.7
1 - 2 4.0 1.1 2.3
2 - 3 0.96 0.33 1.1
3 - 4 0.68 0.31 0 42
4 - 5 0.27 0.20 0.40
5 - 6 0 0 (a) NA(b) NA(b)
6 - 7 0.0 NA UA
7 - 8 0.0 NA NA
8 - 9 0.14 NA -'A
9 - 10 0.12 '!A NA
(a) No crashes occurred at these distances witlin a 600 flight path.
(b) Data not available.
TABLE III 6-4 CRASH PROBABILITIES AT VARIOUS SITES
ThreeMile Shoreham, Rome Surry
Island (1 Unit) Point Units 3-4
(2 Units) (2 Units) (2 Units)
Usage (movements year)
Air Carriers 8 0 , 0 0 0 (a) -- 3,000 dO,000
Navy -- 8,000 9 7 , 0 00(c) 40,000
Miscellaneous -- 3 , 0 0 0 (b).
Location (plant-airport
distance in miles) 2.5 4.5 3.5 5
Target Area (used in (d)2 2 2 2 d
probability analysis) 0.02 mi 0 01 mi 0.02 mi .01 ml
Probability of a
potentially damaging
crash (per year) 5 x 10-7 2 x 10-7 4 x 10-7 1 x 10-6
(a) The facility is designed to withstand the crash of all but 2,400 of these
movements.
(b) Air-carrier statistics were used for these movements.
(c) The facility is designed to withstand the crash of all of these 97,000 movements.
2(d) For small aircraft, area used was 0.005 ml
Table III 6-1 - Table III 6-4
111-81/82
TABLE 11 6-5 SUMMARY OF TRANSMISSION LINE OUTAGES (BASED ON BONNEVILLE POWER ADMINISTRATION DATA--
1970 STATISTICS)
Transmission Line Outages & Durations (a)
Cause 500 kV 345 & 287 kV 230 kV 138 & 115 kV Total
No Hr Min No Hr Min No Hr Mn "ao Hr Min No Hr Min
1. Tree in line 0 0 0 0 0 0 2 7 9 7 25 27 9 32 36
2. Lightning 9 1 28 4 0 38 87 27 8 71 71 46 171 101 0
3. Storm 0 0 0 0 0 0 0 0 0 4 209 57 4 209 57
4. Snow, Frost or Ice 1 0 8 0 0 0 10 29 58 23 192 23 34 222 29
5. Living Creature 0 0 0 0 0 0 0 0 0 3 0 6 3 0 6
6. Contamination 0 0 0 0 0 0 0 0 0 3 0 28 3 0 28
7. Fire 0 0 0 0 0 0 2 23 24 1 1 7 3 24 31
8. Line Material Failure 1 0 18 1 53 25 1 152 26 4 64 33 7 270 42
9. Terminal Equipment Failure 6 52 2 2 5 7 7 5 19 12 a 23 27 70 51
10. Overload 3 0 33 0 0 0 2 0 4 0 0 0 5 0 37
11. Improper Relaying 6 0 40 0 0 0 2 4 6 1 0 0 9 4 46
12. Accidental Tripping 8 9 43 5 0 14 14 3 28 4 0 25 31 13 50
13. Improper Switching 1 0 18 1 0 0 4 0 11 5 0 41 11 1 10
14. Malicious Damage 1 0 7 0 0 0 1 6 19 12 75 35 14 82 1
15. Accidental Damage 0 0 0 1 0 1 3 0 11 2 0 0 6 0 12
16 Supervisory Misoperation 0 0 0 0 0 0 0 0 0 a 0 49 1 0 49
17. Unknown 26 5 40 3 0 1 30 10 46 35 10 42 94 27 9
TOTAL 62 70 57 17 59 26 165 270 29 188 662 22 432 1063 14
MILES OF LINF 1707 797 4685 3836 11,025
(a) In each case, the number of incidents is given together with the total time for all of those incidents.
TABLE 111 6-6 SUMMARY OF TRANSMISSION LINE OUTAGES (BASED ON BONNEVILLE POWER ADMINISTRATION DATA--
1971 STATISTICS)
Transmission Line Outages & Durations
Cause 500 kV 345 & 287 kV 230 kV 138 & 115 kV Total
No Hr Min No Hr Min No Hr Min No Hr Min No Hr Min
1. Tree in line 0 0 0 0 0 0 0 0 0 16 176 13 16 176 13
2. Lightning 11 0 56 7 0 8 83 12 13 69 30 13 170 43 30
3. Storm 0 0 0 0 0 0 4 11 29 12 41 6 16 52 35
4. Snow, Frost or Ice 0 0 0 1 140 55 1 0 0 19 0 16 21 141 11
5. Living Creature 1 0 0 0 0 0 0 0 0 0 0 0 1 0 0
6. Contamination 5 0 20 0 0 0 4 2 10 0 0 0 9 2 30
7. Fire 0 0 0 0 0 0 3 122 57 3 28 22 6 151 19
8. Line Material Failure 1 7 2 0 0 0 2 18 26 10 32 30 13 57 58
9. Terminal Equipment Failure 6 78 56 1 0 22 15 7 11 4 2 19 26 88 48
10. Overload 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
11. Improper Relaying 2 1 25 0 0 0 2 0 4 0 0 0 4 1 29
12. Accidental Tripping 9 1 14 0 0 0 10 1 11 8 1 33 27 - 3 58
13. Improper Switching 0 0 0 0 0 0 2 0 0 2 0 2 4 0 2
14. Malicious Damage 0 0 0 0 0 0 1 5 59 3 19 44 4 25 43
15. Accidental Damage 2 0 44 3 9 18 1 0 0 4 9 4 10 19 06
16. Supervisory Misoperatmon 0 0 0 0 0 0 1 0 10 3 13 47 4 13 57
17. Unknown 21 3 15 2 5 36 26 21 32 35 0 45 84 31 8
TOTAL 58 93 52 14 156 19 155 203 22 188 355 54 415 809 27
MILES OF LINE 1810 797 4836 3669 11,112
II
TABLE III 6-7 SUMMARY OF TRANSMISSION LINE OUTAGES (BASED ON BONNEVILLE POWER ADMINISTRATION DATA--1972 STATISTICS)
Transmission Line Outages & Durations
Cause 560 kV 345 & 287 kv 230 kV 138 & 115 kV Total
No Hr Min No Hr Min No Hr Min No Hr Min No Hr Min
1. Tree in line 0 0 4 6 10 18 145 16 22 151 26
2. Lightning 49 2 29 22 25 194 22 8 98 3 37 363 28 39
3. Storm 17 2 13 5 10 25 13 0 13 27 44 53 62 57 44
4. Snow, Frost or ice 5 5 22 1 3 9 1 0 0 7 6 52 14 15 23
5. Living Creature 0 0 0 0 0 0 0 0 0 2 1 58 2 1 58
6. Contamination 0 0 0 0 0 0 0 0 0 1 0 0 1 0 0
7. Fire 0 0 0 0 0 0 1 5 49 0 0 0 1 5 49
8. Line Material Failure 4 22 11 0 0 0 0 0 0 3 40 28 7 62 39
9. Terminal Equipment Failure 11 64 45 0 0 0 17 328 42 10 1 46 38 395 13
10. Overload 4 1 14 0 0 0 0 0 0 1 1 15 5 2 29
11. Improper Relaying 6 1 46 1 0 0 8 0 57 6 0 26 21 3 9
12. Accidental Tripping 11 2 8 1 0 0 18 1 30 7 0 35 37 4 13
13. Improper Switching 2 0 16 0 0 0 3 0 14 3 0 7 8 0 37
14. Malicious Damage 0 8 0 0 0 0 2 15 33 9 76 11 11 91 44
15. Accidental Damage 0 0 0 0 0 0 2 12 26 38 16 23 40 28 49
16. Supervisory Misoperation 0 0 0 0 0 0 2 0 51 2 1 4 4 1 55
17. Unknown 35 45 8 5 0 15 19 2 2 44 2 16 103 49 41
TOTAL 144 147 32 35 14 14 284 396 35 276 343 7 739 901 28
MILES OF LINE 1931 797 4601 3676 11,005
TABLE 1I1 6-8 PROBABILITY OF TOTAL LOSS OF ELECTRIC POWER AFTER A LOCA
Time after Q - 90 percent Probability Bounds (a)
LOCA med Upper Lower
I hour 2.0 x l0-7 2.0 x 10-6 2.0 x 10-8
24 hours 5.2 x 10-6 5.0 x 10-5 5.0 x lo-7
4 months 7.5 x 10-5 7.0 x 10-4 7.0 x 10-6
9 months 7.6 x 10-5 8.0 x 10-4 8.0 x 10-6
(a) Assessed range.
TABLE III 6-9 PIPE FAILURE ASSESSED VALUES
Pipe Rupture Size LOCA Initiating Rupture Rates
(Inches) (Per Plant Per Year)
90% Range Median
1/2 - 2 ix10-4 - ixl0-2 1xl0-3
2 - 6 3x10-5 - 3xlO-3 3x10A
> 6 ixl0-5 -ixl0-3 ixl0-4
Table III 6-5 - Table III 6-9
111-83/84
TABLE 1l1 6-10 REPORTED PIPE FAILURE RATES
1. Green and Bourne:
"Probability of Large Scale Rupture of Primary Coolant System"
(1968) X = 2 x 10-3 to 3 x 10-6/plant year
2. Salvatory:
"Catastrophic Rupture of Primary System Pipes"
(1970) X = 1 x 10- 4/plant year
3. Erdmann:
"Pipe Rupture"
(1973) X = 1.5 x 10- 6/section year
(corresponding to roughly A = 10-4 to 10-2 per plant year)
4. Otway:
"Pessimistic Probability for Catastrophic Failure of Primary System of PWR"
A = 1.7 x 10 -7/plant year
5. General Electric Report:
"Total Probability of Severance Anywhere in Primary System Piping"
(1970)without ultrasonic testing: X= 1 x 10-3/plant yearwith ultrasonic testing: A = 5 x 10- 4/plant year
6. Wells-Knecht:
"Failure Rate for Rupture
(1965) A = I x 10- 7/plant
of Primary Coolant System Piping"
year
Table III 6-10
111-85/86
ii
High
W)IA
C
0
C
0
CL
Low
Very Low ModerateStress Level Very High
FIGURE III 6-1 Hypothetical Relationship between Performanceand Stress
Circles we IndhAtOý r lihnO-Ge1.. AR".d
0 0 00_0 0_ 0 _0 0r AUTO0-- AUTO r-AU-TO--
ICLOSSE 0" ILOSt OE N CLOSE SPi de0SAUTO IALTO~J
: Van T.
P. T
I• N O~~uilat RF•C1RC O.lIW RECIAC 0.1-1 RIEICIFIRC ISo,-4.s ~t1*1.5 A Top-INJI TK-llsA lT 14-SI.I
150.WS 160 ISO IAOWCI II
TV18A A
CLOSE I IOPEN f 'L 0- V0PV-I AC --. 7VS -SC t-0IS-VVI
FI a I I.-S, I-*. II
FIGURE III 6-2 Motor Operated Valve (MOV) Switches on ControlPanel
A
10-4
No action until.1.,r (3 people)
0 0999
Take action0 999 to Failure to
2 minutes afteralarm (3 oeopl.)
itl2
Swrong palr of
Correct 9.1, switches
of switches FI
Step 4 8 1 not0 99 done 4. time.
Correct painof switch•e$
SL F Wrong pasrof CitcheS
s5 F,
FIGURE III 6-3 Probability Tree Diagram for Step 4.8.1
9--- ]
go - ----
* / Ate~tm mo S*%OAO.tCha, SI AkntCCC TutpN..
0. . o 0.-. C.. .. 12 . . ,. .
0
-- - Crmat I-O-- - - --n - -b~l~
5 - -- ~ ~ ~ ~ T. ------1-- 0.I.OfI..I.I.vs
0 R 0 'O
FIGURE 111 6-4 Cumulative Outage Duration Distribution Curve
I I
HISTOGRAM - RESTORATION OF TRANSMAISSION tllt OUTAGES
37.9% Owtg.Rewrt.d in0.1 TO 0.32 Hoon.
2 0.0 -I00
UAWConýWiud:
:57%O.,ugn.Anon In0.0.12 To 0.1wHouw.HowConwt.n-..
Ligh-Kn AndAnnid.,IoITrippingft-Nd. In
0.010 To 0.W
Cnon*lon,1.1% 0.-g Lndinn., AndR-Wsd,61 OWm M~jonn.7%, 0.01 Mon. Owo
Mowft
12.8%'~ '.4%w 10.2.0..03To10 1.0 To3.2" R.,.nnOI.
Moian N-., 3.2 To 10.0
MM-nm MConýý M
Tnn-En., S~w-n. And Tm. In Lim.Tn Eod'- 5no. F-nn. Sno. P.... 0n
Or I. 1..And".iono.
.400
48
- 0
II I I I [III ' I I I I I III I I I I I lI1.0
I 1 11I1111120.00.0O 0.1
O.Uag. Ow--o4 T.-e IHon)
FIGURE III 6-5 Histogram - Restoration of Transmission LineOutages
Fig. III 6-1 - Fig. III 6-5
111-87/88
II I
10 I II I
I I PUMPS
7 I Ix7--
5--
4-I
5 I I
4 - I
I I
3-x2
NDx1I
1 0- 1 103 1 x 102 1 x 101
Failure Rate
FIGURE III 6-6 Log-Normal Distribution - Pumps
10I I
I I
a-
6--
I I
3-
1- I
1 105 1 x 1a 4 1 x 10.3 t x 102 I a 101
Failure Rate
FIGURE III 6-7 Log-Normal Distribution - Valves
HI
1.0
.9 -
,8 -
.7
.6
.5
.4
.3
.2
.1
0
1 . I10
I II I
I II II I
I I
I I
I I
I IcI I
xx
I II I
NO I
I II I
I I
ICLUTCH-EIectrical
I I I II ll I I I I III I I 1 1 1 11 1 I I II x 105 1 x 104 1 x 10.3
Failure Rate
RE III 6-8 Log-Normal Distribution - Clutch -
I . 102 I I I
FIGUF Electrical
1.0
.9
.8
.7
.6
.5
.4
.3
.2
.1
DIESELSDIESELS
x
!-p
II a 10-4
I I I I 1ll1l1 x 1(4
FIGURE 111 6-9
Illll1l I I 1 11111111I x 1I-2 1 10"1l
Failure Rate
Log-Normal Distribution - Diesels
Fig. III 6-6 - Fig. III 6-9
111-89/90
Section 7
References
7.1 DISCUSSION OF REFERENCES
In addition to the Nuclear Operatingexperiences (Refs. 1, 2 and 3,) approxi-mately 50 other sources of failure ratesand failure data were reviewed in sup-port of the estimates used in this anal-ysis. These sources can be broadlygrouped into two categories: (1) gener-al reliability data sources and (2) spe-cial sources.
7.2 GENERAL SOURCES
The general sources consist primarily ofthe United Kingdom Systems ReliabilityService, FARADA, AVCO, LMEC, Collins andPomeroy and Holmes and Narver. Thesesources provide failure data on aspectrum of hardware and failure modesfrom a variety of applications includingnuclear and non-nuclear utilities, testand research reactors and military andNASA components.
7.3 SPECIAL SOURCES
The other sources are described as spe-cial in that they generally containinformation on particular hardwarefailure modes or operating conditions.For example, References 10, 12, 13, 14,15, 16, 17, 18 and 20 involve pipe andpipe hardware failures. References 23,24, 25, 26 and 27 refer to aircraft ac-cidents, earthquakes and otherbackground phenomena. References 34through 52 contain analyses ofparticular hardware and systems innuclear and non-nuclear utilities andchemical industry applications.
It should be noted that these referencesdo not represent 50 independent sources.Some refer to and use data from otherreferences by updating, the data to re-flect current experiences and interests.The references, therefore, represent abroadly based amalgamation of experi-ence, operation conditions, and useapplications.
ReferenceContact, Service
Office or OriginatorContact, Reportor Source Date
Report, ListingSource or Content
1. Reactor IncidentFile (1972) (Com-ponent FailureData)
2. Reactor IncidentFile (1971) (Com-ponent FailureData)
3. EEI AvailabilityReport (ComponentFailure Data)
Office or OperationsEvaluation (OOE) ofRegulatory Operations(RO), Atomic EnergyCommission (AEC),Bethesda, Maryland.
Data control of RSS,Bethesda, Maryland.
Edison ElectricInstitute (EEI), NewYork, New York.
1/1/72to
12/31/72
9/4/73
8/16/73&
10/12/73
Contains approximately 30%unusual occurrences atnuclear facilities and 90%of reportable abnormaloccurrences observed inthe year of 1972.
Contains approximately onequarter of 1971 unusualand abnormal occurrencesobserved from the files ofOOE.
Contains 66 unit years offossil and nuclear powerplants component availa-bility and outagestatistics of contributingfacilities.
Contains Failure RateAssessments derived. UKand other availableEuropean sources.
4. SystemsReliabilityService, UKAEA
Office of OperationsEvaluation (OOE) ofRegulatory Opera-tions (RO) areMembers of Service.
All Service Pub-lications plusSpecial Requests
9/12/73.
111-91
11
Reference Contact, ServiceOffice or Originator
Contact, Reportor Source Date
Report, ListingSource or Content
5. FARADA
6. AVCO
7. LMEC
8. Collins &Pomeroy
9. Holmes & Narver
10. ChemicalAbstracts(Piping FailureData)
11. The ChemicalEngineer
12. NASA LiteratureSearch (PipingFailure Data)
13. AEC RECON(Piping FailureData)
14. DOT PipelineSafety (PipelineLeak Summary)
Converged FailureRate Data Handbooks,published by FleetMissile SystemsAnalysis and Evalua-tion Group Annex,NWS, Sea Beach,Corona, Calif.
Reliability Engineer-ing Data ServicesFailure Rates. AVCOCorp.
Failure Data Hand-book For NuclearPower Facilities,Liquid MetalEngineering Center.
EnvironmentalReports, Directorateof Licensing,Division of Compli-ance, Regulatory,AEC.
Collection of relia-bility data atnuclear power plants,Holmes & Narver, Inc.
AEC HeadquartersLibrary, Germantown,Maryland.
The Institution ofChemical Engineers,16 Redgrave, LondonS.W.I
Information TiscoInc., NASA Scientificand Technical Infor-mation Facility,College Park,Maryland.
AEC HeadquartersLibrary, Germantown,Maryland.
Office of PipelineSafety, Department ofTransportation (DOT),Office of the Secre-tary, Washington,D.C.
1962
1969
11/1/71
1968
9/24/73
1971
9/12/73
9/10/73
10/10/73
All currentissues.
Contains Failure RateAssessments derived fromArmy, Navy, Air Force, andNASA sources.
Contains Failure RateAssessments for primarilymilitary quality hardware.
Compilation of failurerates derived from testand research reactoroperating experiences.
Operating experience andrelated data from litera-ture in support of occur-rence rates to be assumedfor further interimguidance on accident eval-uations.
Contains failure rate datagathered from operatingexperience, one plant--4 months.
Bibliography listing ofmetallurgical and pipinganalysis reports (65j ofindustrial conduitsystems.
Contains data on reliabi-lity of instruments in thechemical plant environment.
Listing of steam pipefailure reports (393) fornormal and limited distri-bution of industrial steamsystems.
Listing of Nuclear ScienceAbstracts search on piperupture and pressurevessel analysis of primarysteam systems.
1971 and 1972 gas pipeline leak and rupturehistory of transmissionand distribution systemsthroughout the UnitedStates.
111-92
ReferenceContact, Service
Office or OriginatorContact, Reportor Source Date
Report, ListingSource or Content
15. NSIC LiteratureSearch (PipingFailures)
16. GIDEP "ALERT"(ManufacturingDefects)
17. NAVSHIPS Report(Main SteamPiping Data)
18. DDC LiteratureSearch (Steam &Water PipeFailures)
19. DDC LiteratureSearch (Manu-facturingDefects)
20. GEAP (PipingFailure Data)
21. Nuclear ScienceAbstracts(ContainmentBreaches)
22. NSIC LiteratureSearch (SpecialCommon ModeFailures)
23. EngineeringIndex (Environ-mental Factors)
24. Geologic Litera-ture Search(Disaster Im-pact Data)
Nuclear Safety Infor-mation Center (NSIC)of the AEC, OakRidge, Tennessee.
National TechnicalInformation Service(NTIS) U.S. Departmentof Commerce, Spring-field, Virginia.
Maintenance SupportOffice, Naval ShipSystems Command,Department of theNavy, Arlington,Virginia.
Defense DocumentationCenter (DDC), DefenseSupply Agency, Alex-andria, Virginia.
Defense DocumentationCenter (DDC), DefenseSupply Agency, Alex-andria, Virginia.
9/13/73
9/3/73
10/3/73
9/12/73
8/23/73
Listing of references ofpiping failures (317) inindustrial uses of atomicpower.
Parts, materials, andprocesses experiencesummary of NASA and Govern-ment-Industry DataExchange Program (GIDEP)reports.
Printouts contain mainten-ance data covering mainsteam piping on nuclearsubmarines and surfaceships for a three yearperiod ('70, '71, and '72).
Bibliography of pipingproblems and simulatedfailures throughout themilitary and industrialworld. (53 itemizeddescriptions).
Bibliography on probabi-lities of manufacturingerrors from the stand-point of design evalua-tions (147 items).
Periodic reports (series10207 of the ReactorPrimary Coolant SystemPipe Rupture Studysummarizing failure mech-anisims and probabilities.
Subject index for nuclearscientific reports over asix year period.Reference book.
A ten year literaturesearch for five categor-ies of qualitativereports and bibliogra-phies.
A search for quantitativereports on the earth-quakes electrical firesand airplane crashes.
A listing of topics (220)associated with earth-quake predictions fromthe standpoint ofgeologic effects.
General ElectricCompany, AtomicPower Department,San Jose, Califor-nia.
Technical Informa-tion Center (TIC)of the U.S. AtomicEnergy Commission,Oak Ridge,Tennessee.
Nuclear SafetyInformation Center(NSIC) of the U.S.Atomic EnergyCommission, OakRidge, Tennessee.
AEC HeadquartersLibrary, Germantown,Maryland.
American GeologicInstitute,Washington, D.C.
1964 thru 1972
1967 thru 1972
8/2/72
8/17/73
8/17/73
111-93
iI
Reference Contact, ServiceOffice or Originator
Contact Reportor Source Date
8/21/7325. DDC LiteratureSearch(DisasterImpact Data)
Defense Documentation\Center (DDC), Defense.Supply Agency, Alex-andria, Virginia.
26. Insurance Facts(1972) (DisasterImpact Data)
27. RESPONSA(Seismic Effect
Data)
28. RESPONSA (ECCSAnalysis Data)
29. RESPONSA (Parts& MaterialsData)
30. NASA LiteratureSearch(Disaster)
31. NASA LiteratureSearch (Manu-facturingDefects)
32. Docket 50-289(Aircraft ImpactData)
33. FAA (AirTraffic Data)
Insurance InformationInstitute, New York,New York.
Selected NuclearScience Abstracts(RESPONSA), AECHeadquarters Library,Germantown, Maryland.
Selected NuclearScience Abstracts(RESPONSA), AEC Head-quarters Library,Germantown, Maryland.
Selected NuclearScience Abstracts(RESPONSA), ABC Head-quarters Library,Germantown, Maryland.
Information TiscoInc., Scientific andTechnical InformationFacility, CollegePark, Maryland.
Information TiscoInc., NASA Scientificand Technical Informa-tion Facility, CollegePark, Maryland.
Files, Bethesda,Maryland.
8/20/73
8/15/73
8/1/73
8/24/73
8/17/73
Report, ListingSource or Content
Bibliography on unusualnatural occurrences(192).
A yearbook of propertyand liability insurancefacts of losses asreported by U.S.companies.
Listing of seismictopics (245) for reactorsiting and nuclearapplication: includesdocket material.
Listing of Emergency CoreCooling System (ECCS)topics (approx. 928) andassociated analysis.
Listing of topics (approx.936) on fractures ofreactor parts and mater-ials with emphasis onsteel and alloys.
Listing of disaster pre-diction or forecastingreports (608) on-meteoro-logical and climatologicalmeasurements.
8/23/73 Quality control in manu-facture of machinery orpower generating equip-ment a brief survey.
8/28/73 Three Mile Island Unit 1(Metropolitan Edison Co.of Pennsylvania) report,Summary of AircraftImpact Design.
Federal AviationAdministration (FAA),Dept. of Transporta-tion, Washington, D.C.
March 1972 En Route IFR Air TrafficSurvey Peak-Day FY 1971,authored by the FAAStatistical Division.
34. Letter from W. F. Shopsky to D. F. Paddleford dated October 20, 1972.
35. A. J. Bourne, "Reliability Assessment of Technological Systems," Report, SystemsReliability Service, UKAEA, October 1971.
36. K. H. Lindackers, W. Stoebel, Part I, 0. A. Kellerman, W. Ullrich, Part II:Probability Analysis Applied to LWR's, Institute of Reactor Safety, W. Germany,Paper 9.
111-94
37. F. M. Davies, "A Worked Example on the Use of Reliability Analysis Techniques -
Decay Heat Removal", Lecture No. 58 Reactor Assessment, Section I, Safety and
Reliability Directorate, Risley, U.K.
38. "Meeting of Specialists on the Reliability of Electrical Supply Systems and
Related Electric-Mechanical Components for Nuclear Reactor Safety", European
Nuclear Energy Agency Committee on Reactor Safety Technology, Session I, Ispra,
Italy, (June 27-28, 1968).
39. M. C. Pugh, "Probability Approach to Safety Analysis", United Kingdom Atomic
Energy Authority, 1969.
40. R. M. Stewart, G. Hensley, "High Integrity Protective Systems on Hazardous Chem-
ical Plants", European Nuclear Energy Agency Committee on Reactor Safety Tech-
nology, Munich (May 26-28, 1971).
41. J. C. Moore, "Research Reactor Fault Analysis", Parts I and II, Nuclear Engi-
neering (March, June 1966).
42. "IEEE Transactions on Nuclear Science", Volume NS-18, February 1971.
a. B. M. Tashjian, "Sensitivity Analysis of a Two-out-of-Four Coincident Logic
Reactor Protective System" pg. 455.
b. R. Salvatori, "Systematic Approach to Safety Design and Evaluation, pg. 495.
43. A. J. Bourne, G. Hensley, A. R. Eames, A. Aitken, "Reliability Assessment of the
S.G.H.W.R. Liquid Shutdown System", AHSB(S)R 144 (March 1968).
44. H. J. Otway, R. K. Lohrding, M. E. Battat, "A Risk Estimate for an Urban-Sited
Reactor", Nuclear Technology, Vol. 12 October 1971.
45. F. R. Farmer, "Siting Criteria - A New Approach", United Kingdom Atmoic Energy
Authority, Risley, Warrington, Lancs, U.K.
46. J. R. Beattie, G. D. Bell, J. E. Edwards, "Methods for the Evaluation of Risk",
AHSB(S)R 159 UKAEA, (1968).
47. G. D. Bell, "Risk Evaluation for Any Curie Release Spectrum and Any Dose Rise
Relationship", AHSB(S)R 192, UKAEA, (1971).
48. "Fault Tree Analysis, SPERT IV Scram System" INC Work Request No. N-42128.
49. W. L. Headington, M. E. Stewart, J. 0. Zane, "Fault Tree Analysis of the PBF
Transient Rod Drive System", IDO-17272 (November 1968).
50. Gulf Electronics Systems, Nuclear Instrumentation Specifications.
51. "Proceedings of the Meeting of Specialists on the Reliability of Mechanical
Components and Systems for Nuclear Reactor Safety," RISO Report No. 214,
Establishment (February 1970).
a. S. Antocisco, G. Tenoglia, A. Valeri, "A Theoretical Reliability Assessment
of a Fire Protection System", pg. 22.
b. W. Bastl, H. Gieseler, H. A. Maurer, U. Hennings, "The Reliability of Emer-
gency Core Cooling Systems of Light Water Nuclear Plants", pg. 91.
c. H. Huppman, "Frequency and Causes of Failure to Components of Large Steam
Turbines", pg. 171.
d. U. Hennings, "Auslegung and Anordnung Einer Reaktor-Beschickungsan-lageAuggrund von Zwerlassigngeitsbetrachtungen" pg. 213.
e. G. Mieze, "Analysis of a German Pressure Vessel and Boiler Drum Statistics",
pg. 301.
111-95
!I
f. G. A. G. Phillips, R. G. Warwick, "A Survey of Pressure Vessels Built to aHigh Standard of Construction", pg. 323.
g. J. Ehrentreich, H. Maurer, "Reliability Considerations for Mechanical Compo-nents of Control Rod Drive Systems of Gas Cooled Power Reactors Operated inthe European Community", pg. 481.
52. NRTS National Reactor Testing Station, Ihaho: Failure History 1968-1972,B. A. Thomas ETAL.
53. D. G. Eisenhut, "General Avaiation Fatal Crash Probability Distribution for Usein Nuclear Reactor Sitings", August 1972.
54. Ablitt, J. F., A Quantitative Approach to the Evaluation of the Safety Functionof Operators of Nuclear Reactors, AHSB(S)R-160, Authority Health and Safety
,Branch, United Kingdom Atomic Energy Authority, Risley, England, 1969.
55. Appley, M. H. and Trumbull, R. (eds.), Psychological Stress, Appleton-Century-Crofts, New York, 1967.
56. Berkun, M. M., "Performance Decrement Under Psychological Stress", Human Fac-tors, 1964, 6, 21-30.
57. Green, A. E., Safety Assessment of Automatic and Manual Protective Systems forReactors, AHSB(S)R-172, Authority Health and Safety Branch, United KingdomAtomic Energy Authority, Risley, England, 1969.
58. Grinker, R. R. and Spiegel, J. P., Men Under Stress, McGraw Hill Book Co., 1963(reprinted from 1945).
59. Harris, D. H. and Chaney, F. B., Human Factors in Quality Assurance, John Wileyand Sons, New York, 1969.
60. Kletz, T. A. and Whitaker, G. D., Human Error and Plant Operation, EDN 4099,Safety and Loss'Prevention Group, Petrochemicals Division, Imperial ChemicalIndustries, Ltd., Billingham, England, 1973.
61. McCornack, R. L., Inspector Adequacy: A Study of the Literature, SCTM-53-61(14), Sandia Laboratories, Albuquerque, New Mexico, 1961.
62. Meister, D., Human Factors: Theory and Practice, John Wiley and Sons, New York,1971.
63. MIL-H-46855A, Military Specification, Human Engineering Requirements forMilitary Systems, Equipment and Facilities, U.S. Dept. of Defense, Wash., D.C.,2 May 1972.
64. MIL-STD-1472A, MilitaZy Standard, Human Engineering Design Criteria for MilitarySystems, Equipment and Facilities, U.S. Dept. of Defense, Wash., D.C., 15 May1970.
65. Morgan, C. T., Cook, J. S. III, Chapanis, A. and Lund, M. W. (eds), Human Engi-neering Guide to Equipment Design, McGraw Hill Book Co., New York, 1963.
66. Rasmussen, J., "Man-Machine Communication in the Light of Accident Records",Proceedings of the International Symposium on Man-Machine Systems, Cambridge,England, 1969.
67. Raudenbush, M. H., "Human Engineering Factors in Control Board Design for Nu-clear Power Plants", Nuclear Safety, 1973, 14, 21-26.
68. Ronan, W. W., Training for Emergency Procedures in Multiengine Aircraft, AIR-153-53-FR-44, American Institutes for Research, Pittsburgh, Penna., 1953.
69. Rook, L. W., Reduction of Human Error in Industrial Production, SCTM-93-62(14),Sandia Laboratories, Albuquerque, New Mexico, 1962.
111-96
70. Shapero, A., Cooper, J. E., Rappaport, M., Schaeffer, K. H. and Bates, C. J.,Human Engineering Testing and Malfunction Data Collection in Weapon SystemPrograms, WADD TR 60-36, Wright-Patterson Air Force Base, Ohio, 1960.
71. Siegel, A. I. and Wolf, J. A., Man-Machine Simulation Models, John Wiley andSons, New York, 1969.
72. Swain, A.D., A Method for Performing a Human Factors Reliability Analysis,Monograph SCR-685, Sandia Laboratories, Albuquerque, New Mexico, 1963.
73. , Some Problems in the Measurement of Human Performance in Man-Machine
Systems", Human Factors, 1964, 6, 687-700.
74. , "Some Limitations in Using the Simple Multiplicative Model in
Behavior Quantification", W. B. Askren (ed.), Symposium on Reliability of HumanPerformance in Work, AMRL-TR-67-88, Wright-Patterson Air Force Base, Ohio, 1967.
75. Van Cott, H. P. and Kincade, R. G. (eds.), Human Engineering Guide to EquipmentDesign (Rev. Ed.), U.S. Govt. Printing Office, Wash., D.C., 1972.
76. Williams, H. L., "Reliability Evaluation of the Human Component in Man-MachineSystems", Electrical Manufacturing, 1958, 4, 78-82.
77. Woodson, W. E. and Conover, D. W., Human Engineering Guide for Equipment Design-ers, Univ. of California Press, Berkeley, Cal., 1964 (2nd ed.).
111-97
!I
WASH- 1400(NUREG-75/014)
COMMON MODE FAILURES
Bounding Techniques
and
Special Techniques
APPENDIX IV
to
REACTOR SAFETY STUDY
U.S. NUCLEAR REGULATORY COMMISSION
OCTOBER 1975
11
Appendix IVTable of Contents
Section Page No.
1. INTRODUCTION AND OVERVIEW ......................................... IV-l
2. COMMON MODES IN EVENT TREES AND FAULT TREES ........................... IV-7
2.1 Introduction ................................................. IV-72.2 Contribution of Event Trees to the Study of Common Mode
Failures ..................................................... IV-7
2.3 Common Mode Failures ......................................... IV-8
REFERENCES ............................................................... IV-9
3. BOUNDING AND QUANTIFICATION TECHNIQUES FOR COMMON MODEFAILURES .......................................................... IV-l1
3.1 Introduction ................................................. IV-ll3.2 Bounding by Smaller Combinations ............................. IV-12
3.2.1 Basic Considerations ................................. IV-123.2.2 Bounding Combinations of Two Failures .................... IV-13
3.2.3 Bounding Combinations of Three or More Failures ...... IV-16
3.3 Analyses and Quantifications Applied in the Study ............... IV-173.4 More Detailed Quantification Approaches ........................... IV-19
4. FAILURE COUPLING .................................................. IV-27
5. SPECIAL ENGINEERING STUDIES TO IDENTIFY POTENTIAL COMMON
MODES IN ACCIDENT SEQUENCES ....................................... IV-35
5.1 Summary of Results ........................................... IV-35
5.1.1 Large LOCA Sequences ................................. IV-35
5.1.2 Small LOCA Sequences ................................. IV-36
5.2 Summary of Secondary Failure Methods .............................. IV-375.3 PWR LOCA Sequence Common Mode Failure Evaluations ............... IV-37
5.3.1 Sequence CD (Given A or S) ............................... IV-37
5.3.2 Sequence CDI (Given A or S) .............................. IV-37
5.3.3 Sequence HF (Given A or S) ........................... IV-38
5.3.4 Sequence G (Given A or S) ............................ IV-385.3.5 Sequence AD (Given A) ................................ IV-385.3.6 Sequence CF (Given A or S) ............................... IV-395.3.7 Sequence B (Given A or S) ................................ IV-395.3.8 Sequence F (Given A or S) ................................ IV-405.3.9 Sequence HI, FI, or HFI (Given A or S) .................. IV-4Q5.3.10 Sequence HG (Given S) ................................ IV-405.3.11 Sequence D (Given S) ................................. IV-40
5.4 Supporting Material .......................................... IV-41
5.4.1 Summary of the Results of Examining Inter-SystemInterfaces for Sequence Failure Possibilities ........ IV-41
5.4.2 Summary of Plant Layout Examination for SequenceSecondary Common Mode Failures ........................... IV-41
5.4.3 Systems Which Can be Failed by Common ModeFailure of Similar Component ............................ .V-42
IV-i
II
Table of Contents (Continued)
Section Page No.
6. SPECIAL ENGINEERING STUDIES TO IDENTIFY POTENTIAL COMMONMODES IN ACCIDENT SEQUENCES ....................................... IV-45
6.1 Summary of Results ........................................... IV-45
6.1.1 Large LOCA Sequences .............................. IV-456.1.2 Small (1) and Small (2) LOCA Sequences............... .. IV-456.1.3 Transient Sequences .................................. IV-46
6.2 Summary of Methods............................................ IV-466.3 Consideration of Common Mode Effects in Particular
Sequences .................................................... IV-47
6.3.1 Large LOCA ........................................... IV-47
6.3.1.1 Sequence AE - LLOCA/ECI ...................... IV-476.3.1.2 Sequence AI - LLOCA/LPCRS .................... IV-476.3.1.3 Sequence AJ - LLOCA/HPSW .................... IV-47
.6.3.2 Small LOCA's ......................................... IV-476.3.3 Transients ........................................... IV-47
List of Tables
Table Page No.
IV 1-1 Common Mode Treatment in the Various Analysis Stages .............. IV-5/6
IV 3-1 Classes of Potential Common Mode Mechanisms ....................... IV-25/26
IV 3-2 Combination Properties Indicating Potential Common CauseSusceptibility............. .... ..................... IV-25/26
IV 4-1 PWR Coupling - BWR Coupling ................................... .... IV-31/32
IV 5-1 Similar Component Failures and Significant Affected Sequences(Large LOCA) ........ .... . .............. .. ....... 0 IV-43/44
IV 5-2 Interface Examination Results ............ ............. ..... IV-43/44
IV 5-3 Electrical Power Interfaces ......................................... IV-43/44
IV 6-1 Sequence AE-LLOCA/ECI, Principal Common Mode Possibilitiesand Effects......... *.......................................... IV-49/56
IV 6-2 Sequence AI-LLOCA/LPCRS, Principal Common Mode Possibilitiesand Effects .............. .......*............................... IV-49/50
IV 6-3 Sequence AJ-LLOCA/HPSW, Principal Common Mode Possibilitiesand Effects ..... o....... ................................... IV-51/52
IV 6-4 Sequence SiE-Small LOCA (1)/ECI, Principal Common ModePossibilities and Effects ........ .......... . .......... IV-51/52
IV-ii
List of Figures
Figure Page No.
IV 4-1 Independent Versus Coupled Failure Rate Distributions[Frequency on Vertical Axis (Ordinate), Failure Rate onHorizontal (Abscissal)] ........................................... IV-33/34
IV 4-2 Increased System Uncertainties Due to Coupling Effects(Vertical Axis - Frequency; Horizontal - System Probability) ...... IV-33/34
IV-iii
Section 1
Introduction and Overview
With regard to the analyses performed inthis study, potential common mode fail-ures can be defined as multiple failureswhich are dependent, thereby causing thejoint failure probability to increase.The multiple failures are common mode ordependent because they result from asingle initiating cause, where "cause"is used in its broadest context.
The single initiating cause can be anyone of a number of possibilities: acommon property, a common process, acommon environment, or a common externalevent. Multiple failures which are de-pendent can likewise encompass a spec-trum of possibilities such as multiplesystem failures caused by a commoncomponent failure, system failurescaused by a common external event,multiple component failures caused by acommon defective manufacturing process,a sequence of failures caused by acommon human operator, etc.
Because potential common mode failuresentail a wide spectrum of possibilitiesand enter into all areas of modeling andanalysis, common mode failures cannot beisolated as one separate analysis, butinstead must be considered throughoutall the modeling and quantificationsteps involved in the risk assessments.In the study, common mode considerationswere incorporated in every stage of theanalyses. Table IV 1-1 gives a generalbreakdown of common mode treatments thatwere performed as an integral part ineach of the analysis steps.
This appendix will describ~e in detailonly those aspects of the common modefailure methodology which are not dis-cussed in other portions of the report.Bounding and coupling techniques, inparticular, will be described (pertain-ing to Table items 111-2, 111-3, IV-2,and IV-3 of Table IV 1-1) and specialengineering investigations conducted toidentify additional potential commonmode failures are discussed in section5-1 of this appendix. Specific examplesand applications pertaining to all theabove items are also described through-out the fault tree and event treeappendices.
odology will be given here to place thematerial of this appendix in bettercontext. A fuller discussion of theoverall common mode methodology is foundin Appendix XI and the Main Report.
Following the outline of the table, theevent tree constructions first treatedcommon mode failures in their detailedmodeling of system to system functionalinteractions. If failure of one systemcaused other systems to fail or be inef-fective, then this was explicitlymodeled in the event trees by drawingstraight lines through the other systemcolumns.1 These straight lines had nosteps for the affected systems and hencedid not require consideration of possi-ble interaction with these eliminatedsystems.
The systems rendered failed or ineffec-tive by the single system failure weretreated in the subsequent analysis asbeing essentially non-existent, and theanalysis then concerned itself only withthe critical single system failure. Byconsidering these functional interac-tions, multiple system possibilitieswere thus changed to single system fail-ure analyses. From a common modeviewpoint, the affected systems consti-tute common mode events which arecoupled to the single system failure.Incorporation of this coupling in theevent trees was most significant sinceit in essence changed a product ofsystem probabilities into one, singlesystem probability. The imrpact of theevent trees on this type of common modedependency can be gauged by the numbersgiven in section 2 of Appendix I whichshow the reduction in size for the eventtrees constructed in the study, whichincorporated dependencies, as comparedto the unconstrained size obtained whendependencies are not considered.
In addition to incorporation of systeminterdependencies, the event trees alsodefined the context for which the indi-vidual fault trees were to be construct-ed. Particular system failures, i.e.,the top events of the fault trees, weredefined within the context of other
1See Appendix I for event tree descrip-tions.
Beforen ique 5review
discussing the bounding tech-and special investigations, aof the overall common mode meth-
IV- 1
11
particular systems having alreadyfailed. The fault trees in an accidentsequence were coupled by the systemfailure definitions and by the commonaccident conditions (the faUlt treeswere thus conditional fault trees). 1
The construction of the fault treesincluded common mode considerations indetermining the level to which failuresshould be analyzed and the failurecauses and interfaces which should bemodeled. The fault trees were con-structed to a level of detail such thatall relevant common hardware in thesystems would be identified. Because ofthis depth of analysis, single failureswere identified that would cause multi-ple effects. These included potentialsingle failures that could cause severalsystems to fail or be degraded and thatcould cause redundancies to fail or benegated. Had the fault trees stopped ata less detailed level, these singlefailures would have had to be treated ascommon mode causes and given specialcommon mode treatments since they wouldnot have been explicitly shown in thefault trees.
The failure causes modeled in the faulttrees included not only hardware failurebut also failures caused by human inter-vention, test and maintenance acts, andenvironmental effects, which enabled po-tential dependencies to be investigatedand incorporated in the quantification.To illustrate the effects of this morecomplete failure cause identification,in a number of the fault trees con-structed, a valve being in a closedposition was determined to be a failure.The failure could be caused by the valveitself failing closed, i.e., a hardwarefailure, and this cause is the causeusually included in the fault treemodel. In addition to the valve hard-ware failure, however, the valve couldalso be in a closed position due to itsbeing purposely closed for testing ormaintenance and it could also be in aclosed position due to the operator'sforgetting to open it after the-previoustest or maintenance act. These othercauses are often ignored in fault treemodeling; however, they have the sameeffect on the system as the hardwarefailure. These other causes were in-
1 The definition and probability quanti-fication of the containment failuremodes, incorporating accident dependen-cy considerations, are given in Appen-dices V and VIII.
.cluded in the analysis of the faulttrees for the study, and in certaincases they had much higher probabilitycontributions to system failure than thehardware bauses. In a number of casesthese non-hardware contributions gavesignificantly high system failure proba-bilities (essentially single failureprobabilities) such that all other con-tributions had minor impact on thesystem number.
In addition to their individual impacts,the non-hardware contributions were ex-amined in the quantification stage forpossible interdependencies. Multiplefailures caused by human errors weredependent if the same operator couldperform all the acts. Testing or main-tenance caused failures to be dependentif several components could simultane-ously be brought down for testing ormaintenance. Accident environmentscaused multiple failures to be dependentif the failures could be due to the sameenvironment. Identification of non-hardware causes laid the basis forindividual and dependent event calcula-tions which were performed in the quan-tification stage, and the resultingsignificance can be seen by the largecontributions predicted for non-hardwarecauses.
The fault tree quantification stage,also tended to implicitly cover depend-ency and common mode considerationswithin the basic calculations. Thecomponent data which were input to .thecalculations were total failure data andhad error spreads (probable ranges) toaccount for uncertainties and varia-tions. The failure rate for a particu-lar component included not only contri-butions from hardware failure (sometimescalled the random failure rate), butalso contributions due to testing ormaintenance, human causes, environmentcauses, etc. The error spreads aided incovering uncertainties not only fromstatistical estimation but also frompossible defects in the component, pos-sible failure mechanisms not included inthe data sources, and from other physi-cal causes of possible variations. Tkisrealistic treatment of data gave highersystem failure probabilities, which of-ten proved to be insensitive to commonmode effects when sensitivity studieswere performed.
The quantification formulas treated bothhardware and non-hardware contributionswith their relevant dependencies. Thehuman errors and test and maintenancedowntime contributions identified in thefault trees were quantified to obtain
IV-2
their probability contribution. Errorspreads were used for human probabili-ties to account for individual varia-tions and posqible inefficiencies(tiredness, possible confusion, etc.).
A log-normal distribution was used toobtain test and maintenance downtimes,where the distribution is positivelyskewed (having a tail for longer down-times) to account for test and mainte-nance problems, possible laxities, andother test and maintenance associateddeviations. When human or test andmaintenance contributions had additionalinterdependencies, coupling formulas us-ing the log-normal median approach wereemployed. Accident environment effectson both components and human responseswere treated by using higher failurerates when appropriate and couplingindividual failures when the same envi-ronment affected the failures.
1
In the fault tree quantification stage,error spreads were propagated throughthe calculations to determine the re-sulting error spreads on the computedsystem probabilities. The system errorspreads thus included the possible devi-ations in test and maintenance, humanerrors, and failure rates which therebycaused other potential common mode ef-fects not explicitly included to haveless impact since they now needed to lieoutside the error spreads. Bounding andcoupling calculations were also per-formed throughout the quantification todetermine maximum possible impacts fromcommon mode failures which might existand were not previously included. Thebounding and coupling studies served asan additional check on the calculationsand identified areas that needed furtherinvestigation because of their largerpossible impact. Failure rates werealso coupled to determine the potentialeffects of several components all havinga high failure rate due to a bad manu-facturing batch, quality control error,etc. Since the bounding and couplingtechniques were not described in detailin the modeling and analyses appendices(Appendices I, II, III, and V), they aretreated in this appendix.
After the fault trees were quantified,the event tree quantification stagecombined the individual fault tree prob-abilities to obtain sequence probabili-ties. To obtain the sequence probabili-ties, Boolean techniques were used onthe fault trees to extract any compo-
1See Appendix II for detailed applica-tions and discussions.
nents which were common to severalsystems in the sequence. Single fail-ures that could fail multiple systemswere thus identified and quantified, andas a result independent system failuresbecame dependent failures.
Since an accident sequence in the eventtrees can be viewed in terms of faulttree logic, the same quantificationtechniques were used on the individualfault trees. (In terms of fault treerepresentation, the individual systemsin a sequence are viewed as being inputsto an AND gate to form the accidentsequence.) Human errors, test and main-tenance, and accident environment wereevaluated for their contributions to thesequence, and the contributions werecoupled when they were dependent. Sincemultiple systems were analyzed, thecouplings now included dependenciesacross systems.
For the consequence calculations, theaccident sequences were partitioned intorelease categories. 1 The probabilitiesfor sequences assigned to the Samecategory were then summed to obtain thetotal release category probability whichwas used as the input for the f inal con-sequence calculations. The groupingtended to cover effects of dependenciesand common modes since single systemfailures often existed in each releasecategory. Multiple failure accident se-quences thus became negligible, evenwith possible common modes, when theywere added to the single failureaccident sequences to obtain the totalrelease category probability. Boundingand error propagation techniques wereused on the multiple failure accidentsequences to investigate maximum commonmode effects. The bounding techniquesencompassed those used for the faulttrees, which are described in thisappendix.
As a final check on possible dependen-cies and common mode effects, specialengineering investigations were per-formed to complement the modeling andmathematical techniques which had beenused throughout the study. The eventtree accident sequences which werejudged to be possible susceptible tocommon mode impacts which had not beenidentified were reexamined for anyextraneous dependencies which may havebeen previously overlooked. These se-quences were also examined to determine
I Appendix V.
IV- 3
i I
potentials for interdependencies betweeninitiating events and system failures.As part of the common mode investiga-tions, a design adequacy task investi-gated the effects of earthquakes andexternal events. The fafil2t tree andevent tree models were also reviewed,and checks were made comparing modelpredictions versus available past histo-ry experiences. The comparisons withpast history are contained in the dataand fault tree appendices. As stated,since they are not contained in theother appendices, the accident sequencespecial investigations are described inthis appendix.
With regard to the impact of common modefailures on the spectrum of individualresults computed in the study, in manyareas common mode contributions hadsignificant effects and in some areasthey did not. This conclusion may notseem simple, however, many differentdetailed results were computed in thestudy to arrive at the final risk as-sessments. 1
In the accident sequence definitions andin the containment failure, mode analy-ses, common mode considerations had asignificant impact. Common mode consid-erations of functional interdependenciessignificantly modified the event treesequences and hence the resulting proba-bilities. Consideration of containmentfailure mode dependencies gave signifi-cantly modified probability values to beused for the accident sequences.
1 fone looks specifically at the finalrisk assessment numbers then commonmodes in general had a very significanteffect as discussed in Aippendix XI andthe main report. (In .Large part, thiswas due to the event tree effects.)
In the fault tree and event tree quanti-fications, common mode failures in manycases did not have as significant aneffect. Single system failure probabil-ities dominated the accident sequenceswhich determined the release categoryprobabilities, and single componentfailures, in turn, dominated the singlesystem failure probability. Commnon modefailures between components thus hadlittle impact since at most they couldchange multiple. component failures intosingle component failures and thesealready existed for the system.
Human errors, because of their largerbasic probabilities as compared to com-ponent failure rate data, in a number ofcases dominated the system again causingcommon modes between components to havea small effect.
.In certain systems, however, common modecontributions did significantly enter,for example, in cases when "severalfailures were coupled to a common humancause. There were other cases in whichcommon modes did impact, either throughthe fault tree development and faultdefinition or through the quantifica-tion. These specific cases, along withthe specific event tree findings, arediscussed in their appropriate sections(Appendices 1, 11, and V).
The outcomes of the varying significanceof common mode failure which were foundin the study further reinforce the re-quirement that common modes and generaldependency considerations should not be-isolated and treated separately, butshould be incorporated throughout allstages of the analysis. However, thisalong with all the other modeling con-siderations, is what should be automati-cally done in any thorough and completeanalysis.
IV- 4
TABLE IV 1-1 COMMON MODE TREATMENT IN THE VARIOUS ANALYSIS STAGES
I. EVENT TREE CONSTRUCTION
1. Incorporation of functional dependencies between systems in the sequence
constructions.
2. Establishment of accident sequences including containment failure mode
definitions which incorporate system and accident interdependencies.
II. FAULT TREE CONSTRUCTION
1. Resolution of failures to a level such that common system hardware will
be identified.
2. Fault tree construction which identify human interfaces, test and
maintenance interfaces, and other interfaces of potential dependency.
III. FAULT TREE QUANTIFICATION
1. Practical data utilization, which incorporates uncertainties and
variations.
2. Quantification formulas which incorporate dependencies and contributions
due to human error, test and maintenance, and accident related
environments.
3. Mathematical techniques involving bounding calculations and error propa-
gation calculations, which serve to determine the significance of possible
dependencies and serve to incorporate resulting uncertainties.
IV. EVENT TREE QUANTIFICATION
1. System fault trees combined and analyzed by Boolean techniques to extract
common components between systems.
2. Quantification formulas which incorporate couplings and dependencies
across systems due to human error, test and maintenance, and accident
environments.
3. Grouping of accident sequences of similar outcome and identification of
the dominant accident sequences using discrimination and bounding
techniques.
V. SPECIAL ENGINEERING INVESTIGATIONS
1. Investigation of special, susceptible accident sequences to determine any
remaining possible common modes including those due to external events and
common component sensitivities.
2. A special design adequacy task to investigate common mode failures result-
ing from earthquakes, other external forces, and post accident
environments.
3. Final checks on the fault tree and event tree models for model accuracy
and consistency.
Table IV 1-1
IV-5/6
11
Section 2
Connmon Modes in Event Trees and Fault Trees
2.1 INTRODUCTION
For the convenience of the reader,excerpts of the common mode discussionsin Appendices I and Ii are reproducedhere. (The bounding techniques andspecial engineering investigations aregiven in the following sections.) Forfurther specific details, the fault treeand event tree quantification sectionsinclude discussions and considerationsapplicable to common mode failures whenthey were significant contributors.
2.2 CONTRIBUTION OF EVENT TREES TOTHE STUDY OF COMMON MODEFAILURES
The potential effects of common modefailures (CMFs) on the safety of nuclearpower plants have been increasinglydiscussed in recent years. Currentdesign requirements related to safetyaddress this matter in certain areas,principally with regard to possibleexternal forces due to natural phenomenaand airplane crashes. This is because alarge external force such as an earth-quake might not only initiate an acci-dent but also result in failures ofengineered safety features provided tomitigate the accident. Therefore, allthe systems that contribute to assuringthe safety of the plant (e.g, the reac-tor coolant system and all the ESFs) aredesigned to withstand substantial earth-quakes without failure (Ref. 1). In ad-dition to the above, LOCAs can imposelarge reaction forces and cause missileswhich have the potential to damagecomponents whose failure can interferewith the performance of ECCs and otherESFs. This has led to the use of piperestraints, missile shields and othersuch design requirements to preventdamage by the LOCA. Beyond this,limited analysis has been done toquantify the effects of potential commonmode failures on reactor accidents.
An important objective of this study hasbeen to develop methodologies suitablefor quantifying the contribution of com-mon mode failures to reactor accidentrisks. Event trees play a role in CMFstudies because they eliminate illogicaland meaningless accident sequences.Evaluation of potential CMF contribu-tions requires examination of the poten-tial CMF interrelationships of thevarious events in each accident se-
quence; any sequences that can beeliminated need not be examined. Thedisciplined examination of the function-to-function, function-to-system, andsystem-to-system interrelationships inthe specific context defined by theaccident sequences has made a keycontribution in limiting the magnitudeof the CMF effort needed in this study.
A measure of this contribution is com-parison of the number of interactionspossible with the number actually in-volved. This can be done, for instance,by examining the large LOCA and contain-ment event trees described above for thePWR and BWR. The PWR trees have 8 and 5headings, respectively; the BWR, 9 and7. Use of 2n- tree with all possiblepermutations and combinations of choicesincluded would give roughly 4000 acci-dent sequences for the PWR and 32,000for the BWR. Since each sequence wouldhave 12 and 15 elements, respectively,the number of potential CMF interactionsto be investigated would be about 48,000for the PWR and about 480,000 for theBWR. However, the PWR and BWR largeLOCA and containment event trees involveonly about 150 sequences each, with anaverage of about 10 potential interac-tions per sequence. Thus the totalnumber of potential interactions for thePWR and BWR would be about 1500 each, ora reduction from the 2 n-± approach ofabout a factor of 32 for the PWR and 320for the BWR.
Thus, for the large LOCA, the use ofevent trees has eliminated illogical andmeaningless combinations of events andthus reduced the areas requiring exami-nation for CMFs by about three orders ofmagnitude. This approach contributesenormously to making the analysis ofpotential CMFs tractable.
In considering the total number of eventtrees involved in the overall study (seesections 4 and 5 of this Appendix), itcan be seen that many thousands of po-tential accident sequences involvinghundreds of thousands of potentialinteractions were screened in this studyto arrive at a relatively small numberof potential CMF interactions. As willbe shown in later Appendices (IV and V),further screening involving theidentification of those particularsequences which were the dominant
IV-7
ii
contributors to risk reduced the numberof potential interactions of interest byadditional very large factors.
In addition to the above, it should benoted that the containment trees dis-cussed in Appendix II represent an ex-tensive common mode failure investiga-tion of the relationship between coremelting and containment integrity.While it has long been known that amolten core would almost surely resultin loss of containment integrity, thisstudy has shown that there are widelydifferent consequences having widelydifferent probabilities for the variousmodes of containment failures. 1
2.3 COMMON MODE FAILURES
Hardware failures, human errors, andtest or maintenance outage all have adirect effect on the probability ofsystem failure (i.e. the unavailabilityor unreliability). System failure prob-abilities can also be affected by moresubtle factors such as common environ-ment, common design, common manufactur-ing processes, or common human interven-tion with the system (includingoperation, maintenance, and their asso-ciated test procedures). All of thesecommon links represent potential depen-dencies which can compromise anyassumptions of independence of failures.Events related to common hardware andother single events having direct inputto a system are identifiable in theprocess of constructing the fault treeas described in Appendix II. The compo-nent failure event RWST lCS-TK-l"Rupture" (common hardware) and faultevent "RWST Vent Plugged" (direct inputevent) as shown in the Containment SprayInjection System (CSIS) example (SeeAppendix II section 5.4) are events thatlead to multiple system and subsystemfailure. The PWR refueling water stor-age tank (RWST) is common to both CSISsubsystems and also to the emergencycore cooling injection systems. Ruptureof the RWST or plugging of the RWST ventwould fail the two CSIS subsystems andthe low pressure injection system (LPIS)of the emergency core cooling systems.
Other types of events identified on the'detailed fault trees may have commonmode failure implications but requirefurther investigation to determine ifthey are probable. For example, thethird level event on the CSIS detailedtree "Containment Pressure Sufficiently
ISee Appendices V, VI, VII, and VIII.
High to Reduce Spray Effectiveness" is acommon mode suspect since the eventappears as an input to both redundantsubtree branches. If upon furtherinvestigation (relating CSIS designoutput pressure with the maximumpressure which might be attained in thecontainment) the event is determined tobe probable, then the event is a commonmode contributor since it is a singleevent thaf can fail both spray subsys-tems. Further investigation of thisevent, however, indicated that it wouldbe unlikely to occur; that is, thecontainment pressure will not reach alevel sufficiently high to reduce CSISeffectiveness. The event was, there-fore, not shown on the reduced treewhich was quantified.
Some human interactions with a system,whether for operation, test, mainte-nance, or calibration are potentiallyimportant common mode events. In con-structing the detailed fault treesoperational errors which can causecomponents not to be in their properoperational state when required areshown as individual events on the tree(e.g., "Operational Error - Switch S8
Not Closed," "Operational Error - Valve506 Closed,".etc.).
In the process of evaluating the faulttrees, functionally related human errorevents were examined to determine theirpotential for common mode failure. Forexample, four human error events, eachrelated to failure to start one of fourredundant BWR high pressure servicewater pumps, were examined to determinewhether those errors were likely to becommitted independently or as a singleact. The major contributor to BWR highpressure service water system failure asdetermined in the analysis was failureof the operator to turn on one or moreof the four redundant pumps when thesystem is needed. If the operator doesnot start one pump, there is a highprobability that he will not start theother pumps as well.
Human errors related to the testing andmaintenance of components can also beimportant common mode contributors. Forexample, instruments can be "valved-out"for calibration purposes and not re-stored to their operational state whenthe calibrations are complete, valvescan be aligned to divert pump flowduring a test and not realigned follow-ing the test, reset switches may not bedepressed following logic test, etc.
All components in a system can be poten-tially coupled to common environmental
IV-8
causes for failure by' expanding thefault tree analysis into secondarycauses, i.e., by postulating possiblecauses for component failures whichexceed the design ratings of the compo-nents and then developing the fault treeto identify possible causes for thosesecondary events occurring. For exam-ple, the analyst, knowing that a relayis rated for 1800F, would show an eventon the fault tree which states, inessence, that "relay fails due totemperature >1800F. The fault treewould be developed, then, to identifypossible causes for the temperatureexceeding 1800F. The fault tree wouldbe similarly developed about other envi-ronmental conditions which would causethe relay to fail. Some of the eventscould be common to other componentfailures and, therefore, would be commonmode events.
To develop a fault tree indiscriminatelyinto common mode or secondary causeswithout regard to the likelihood ofoccurrence results in a large number ofevents that must be subsequently dis-carded because of their insignificance,thus causing a considerable waste oftime and effort. In order to assurethat adequate consideration was given tocommon mode causes of system or subsys'-tem failure an initial screening ofcomponent failure events was made, andthose events which have potential forcontributing significantly to commonmode system failure were examined andanalyzed further. The approach used forthis initial screening of events insearch of common mode contributors is asfollows:
System fault trees and drawingswere reviewed to identify multiplecomponents and their respectivefailure modes that would be mostlikely to contribute to system andmultiple system failures. Ingeneral those components selectedfor further consideration wereredundant operating partners (com-ponents of the same type operatingin parallel whose failure couldfail the system). Components ofthe same type and manufacture wereretained for further considerationon the basis that those componentscould potentially be more likelyto have common latent defects.Also, like components would morelikely be subjected to common op-
erational, maintenance, and test-ing procedures, etc., that couldcontribute to common mode failures.
Components that could potentiallybe affected by a common operatingenvironment were examined relativeto their proximity to one anotherand to energy releasing sources(rotating machinery, flammablefluids, steam lines, etc.) withinthe plant. A determination wasmade as to whether energy waslikely to become released or notand, if released, whether or notmultiple components would likelybe affected. Among the itemsconsidered were the amount ofenergy which could be released,physical barriers between compo-nents and the energy sources, thevulnerability of components to theforms of energy that could bereleased, the modes in which thecomponents would need to fail inorder to fail systems, and themanner and time in which correc-tive action would or could betaken.
The event coding scheme described inAppendix II facilitates the sorting ofevents having a common property. Forexample, human error events related tomanual valves in a system can be re-trieved by sorting for valve type MX andfault mode designator X. In some casesthe fault tree analyst may decide thattwo or more components may be subject tocommon events due to their proximity toan energy source, or their being subjec-ted to the same maintenance procedure,etc. Because of location in a largefault tree, it is not immediately clearwhether the potential dependency isimportant or not. In the process ofanalysis the analyst will give thecomponents the same name. Later, whenthe fault tree is processed for evalua-tion, it can then be determined whetherthe common mode is potentially signifi-cant.
In addition to the fault trees them-selves, common mode failures within asystem are accounted for in the methodsof quantification used for the tree;common failures which affect multiplesystems are accounted for in the eventtree quantifications. These quantifica-tions are discussed in Appendix IV andin the individual fault tree quantifica-tions.
lReferences
1. AEC General Design Criteria, Appendix A, Title 10, Code of Federal Regulations,
Part 50, Criterion No. 2.
IV- 9
I1
Section 3
Bounding and Quantification Techniquesfor Common Mode Failures
a.1 INTRODUCTION
As stated previously, common mode fail-ures can be defined to be multiplefailures which occur because of a singleinitiating or influencing cause. Thesingle cause or mechanism serves as acommon input to the failures affected.If this mechanism or cause occurs, allthe failures are triggered and a commonmode failure occurs. The componentsaffected by the common mechanism orcause may constitute hardware, systems,subsystems, or particular events. 1
Examples of common mode failures arenumerous. Two spring loaded relays inparallel fail because of a common designdefect. The defect causes both relaysto simultaneously fail and is the commoncause. Because of an error of incor-rectly disengaging the clutches, threemotor valves are placed in a failedstate after maintenance. The commoncause for the valve failures is thecommon maintenance error. A steam lineruptures causing multiple circuit boardfailures. The common mode failures arethe circuit board failures and thecommon cause is the steam line rupture.
Instead of triggering simultaneous fail-ures, which is the extreme case, thecommon cause may produce a less severe,but common, degradation of the compo-nents. The components do not simul-taneously fail together; however, theirjoint probability of failure can begreatly increased. In this degradationsituation, the second component, forexample, may fail at a time later thanthe first component failure. Because ofthe common impressed cause, however, thesecond component failure is dependent'and coupled to the first failure. Thejoint probability of failure of the twocomponents can consequently be muchhigher than the product of the individu-al component probabilities (the inde-pendent failure situation).
IThe term "component" may therefore, beinterpreted in the general sense, re-ferring to any basic failure beingconsidered.
Numerous examples can again be given foroccurrences of degradation common modefailures. Because of harsh accidentenvironment, two pumps become degradedin performance. Given one pump hasfailed due to this environment, there isa high probability that the second pumpwill also fail. The second pump may notfail immediately when the first pumpfails. However, the probability for thesecond pump's failing is now higher thanits unconditional failure probability.The second pump, for example, may notfail at the same time, but there may bea high probability it will fail near thefirst pump's failure time.
In the above example, the common mode ordependent failure is the failure of thetwo pumps and the common cause is theharsh environment. Another example inthe same general category is a failureinduced by a test or maintenance error.Because of improper maintenance andcalibration, three motor valves becomedegraded in performance.
Depending upon the extent of the test ormaintenance error, the valves may sufferminor degradation to complete inopera-bility. Even if the degradation is notsevere, their joint failure probabilitywill increase. In conjunction with thisincrease in probability, the failuredependence of the valves will be in-creased due to the common test ormaintenance.
Another example of common mode failuresof the degradation type is the loadingor dragging effect caused by anotherfailure. Three pumps are operating andone fails. Because of this failure, theother two pumps suffer a degradation dueto the extra load placed upon them.Their failure probability will then behigher than their joint unconditionalprobability of failing.
For this pump loading example, the com-mon mode failures are the failures ofthe second and third pumps. The commoncause is the failure of the first pump.The common causes may be compounded, forexample, if, in addition, the threepumps are located in a harsh accidentenvironment. An additional common causeis then the environment imposing its owndegradation.
IV-11
If a common cause occurs, the failuresof the affected components must betreated as dependent events and not asindependent events. In conjunction withthe dependency of the events, the timesof failure of the affected componentsare also coupled to one another. Toquantify common mode failures, statisti-cal and reliability methods must there-fore be employed which treat dependen-cies in failure occurrences. Inparticular, conditional probabilitiesand conditional failure distributionsmust be analyzed and be combined. Anumber of techniques can be used,certain of these which are considered tobe the most straightforward and whichwere applied in the study.
It should be noted that common modefailures do not encompass all thedegradation phenomena or all the depend-ency phenomena which exist in any reallife situation. For those types ofdegradation and dependency which are notmodeled explicitly as common modes, thetechniques to be described may not beapplicable. Even for common mode typefailures, other techniques may be usedwhich better model a particularphenomenon.
A technique, for example, is describedin a later section where a particulartype of degradation is modeled by simul-taneously increasing all affected compo-nent failure rates. The components nowall fail with a greater failure rate.The effect of this degradation isincorporated in the error bounds of thesystem failure probability. That modelis useful for incorporating and investi-gating manufacturing defects, certainmaintenance errors, and certain environ-mental effects.
Other types of degradations, which maynot be common mode associated, includecertain types of wear-out phenomena anddrifting phenomena. If these phenomenaare judged pertinent to the problem,then other approaches may need to beused.
The techniques in the next sectionsdescribe methods by which a maximumbound can be placed on the. contributionfrom common mode failures. These boundshave importance, for example, in deter-mining the adequacy and believability ofother contributions which have beencomputed in a quantification analysis(such as the independent failurecontributions). If data are available,more exact calculations of common modecontributions can be performed. Thesecalculations are also discussed.
3.2 BOUNDING BY SMALLER COMBINA-TIONS
3.2.1 BASIC CONSIDERATIONS
One of the first questions to be askedis whether common mode failures can havean impact on a particular quantitativeevaluation. A general technique isfirst described by which an upper bound,or maximum value, can be obtained forthe common mode failure contribution.The upper bound technique, which will becalled'"combination bounding", has theadvantage of being relatively simple toapply. It can therefore be used as apreliminary check to determine possibleimpacts. If the upper bound, whichrepresents a maximum possible effect,does not significantly change a predict-ed system failure probability, then thenumber is insensitive to conmnon modecontributions. If the upper bound doeschange and increase the result, thenmore detailed analyses need to be per-formed to determine the actual effect ofcommon mode failures.
As is true in any bounding approach,instead of serving as a check, the upperbound itself can be used as a result.For example, if the upper bound satis-fies specification requirements, then nofurther analysis need perhaps beperformed. Alternatively, if error barsor uncertainties are given for a systemresult, these error bars can beincreased to account for 1a maximumpossible common mode effect. If theincreased uncertainties still satisfyaccuracy requirements, then furtheranalysis may not be needed.
The -upper bounds can finally be used tohelp direct and scope general commonmode failure investigations. The upperbounds represent a maximum effect andhence a list of candidate common modefailures can be ordered with regard totheir respective upper bounds. Thecommon mode failures having the largestupper bounds can have the maximum effectand hence these are analyzed andinvestigated first.
Although the combination bounding tech-nique is simple in principle, it doeshave the disadvantage in a number ofsituations of giving too conservative aresult (i.e., too large of an upper
fIn a statistical sense, the error barsand uncertainties would thus accountfor systematic-type errors as well asrandom-type errors.
IV-12
bound). Other sections will discusstechniques by which better and hencetighter bounds are obtainable for commonmode failure contributions. If the dataare available, techniques are alsodiscussed for computing exact commonmode contribution.
3.2.2 BOUNDING COMBINATIONS OF TWOFAILURES
Since common mode approaches are notnormally found in the literature, thisdiscussion will be somewhat basic. Thereader with a background in probabilitycan skim over this section, referringprincipally to the result obtained[Equations (IV 3-6) and (IV 3-20)through (IV 3-22)]. Section 3.3 treatsapplications in the study and section3.4 deals with more involved modeling.
The bounding technique is given the namecombination bounding because smallervalued combinations or redundancies areused for establishing the bounds. Con-sider the event of both A and B failingand denote this joint failure occurrenceby AB. The expression AB thus repre-sents the combination of A and B bothfailing. The symbol A and the symbol Bmay for example represent failures ofparticular components and the expressionAB then represents both of thesecomponents failing.
Let the probability of A failing bedenoted by P(A) and the probability of Bfailing be denoted by P(B). For thecombination AB, denote its probabilityby P(AB);
the product of the individual probabili-ties.
P(AB) ý P(A)P(B), A and B dependent
(IV 3-3)
However, even in the dependent case, inorder for AB to fail, A must individual-ly fail and B must individually fail.Therefore, in all cases, both independ-ent and dependent;
and
P(AB) < P(A)
P(AB) < P(B)
(IV 3-4)
(IV 3-5)
Since both inequalities are true, theminimum of either P(A) or P(B) may betaken as the best upper bound; 1
P(AB) < MIN[P(A) , P(B)] (IV 3-6)
Therefore, MIN[P(A), P(B)] denotes theminimum, or smallest value, of P(A) orP(B). Equation (IV 3-6) thus gives theupper bound obtained by the combinationbounding technique. This equation isapplicable to the spectrum of commonmode failures, from simultaneous trig-gerings to minor degradations.
In Equation (IV 3-6), P(AB) can repre-sent the total probability of A and Bfailing from all mechanisms, both randomand common mode. The equation thereforegives an upper bound and conservativeestimate on the total, true probabilityof the combination failing. SinceEquation (IV 3-6) applies when P(AB)represents the total probability for AB,it therefore also applies when P(AB)represents the probability of a partic-ular common mode failure of AB.
The probabilities and failure events aregeneral representations and can be par-ticularly interpreted and applied to anyspecific calculation. If A and B areunavailability related failures thenP(A), P(B), and P(AB) are availabilities
P (AB) = the probability of both A andB failing.
(IV 3-1)
The -probability expression P(AB), whichwill be called the combination probabil-ity,. is completely general and as suchimplies nothing about the independenceor dependence of A and B.
If A and B are independent, the combina-tion probability, P(AB), can beexpressed as the product of the individ-ual probabilities P(A) and P(B);
P(AB) = P(A)P(B), A and B independent
(IV 3-2)
If the events are not independent andcan be due to a common cause, then ingeneral the above equation is not trueand the combination probability is not
lIn terms of Boolean theory, AB is asubset of A and is also a subset of B.Therefore, Equations (IV 3-4) and(IV 3-5) follow. The results can alsobe obtained using conditional probabil-ities, e.g., for Equation (IV 3-4),P(AB) = P(A)P(B/A) and sinceP(B/A) < 1, therefore P(AB) < P(A).The quantity P(B/A) is the probabilityof B, given A has occurred.
IV-13
11
(denoted by Q's in the earlierappendices). If A and B are operation-ally related failures then the probabil-ities can be interpreted as beingfailure probabilities or cumulativeprobabilities, which may be timedependent.
As an example of the use of Equation (IV3-6), assume a system has been analyzedand evaluated to obtain a system proba-bility number. Among the contributionsthat cause system failure is the failureof two pumps to start when demanded.There is concern because the investiga-tion has shown that the two pumps may besusceptible to common mode failure.(Possibilities of common causes include,for example, design defects andenvironmental degradation). For thisproblem, the possible impact of thecommon mode contribution is desired inorder to compare with the system numberwhich has been obtained.
With regard to the two pumps let A nowbe the failure of one pump and B be thefailure of another pump. From the database (Appendix III), the probability ofone pump failing to start when demanded-is 10-3.
insensitive to this common mode contri-bution, even at its maximum value. Ifthe system probability is significantlysmaller than 10-3, additional analyseswould need to be performed to verifyindependence or to better define thedegree of possible common causedependency.
Instead of serving as a check, the upperbound of 10-3 may itself be used in theevaluations. This bound, for example,can be used in the system quantificationto determine whether the system failureprobability will contribute to theoverall risk, even with this maximumcommon cause contribution. Alternative-ly, if extreme accuracy is not requiredand error bars or probability ranges,are associated with the system result,they can be increased to account for thepossible maximum 10-3 contribution.
As a further example of this boundingtechnique consider two failures A and B,where now P(A) = 10-5 and P(B) - 10-2.In the independent case
P(AB) = 10-5 x 10-2independent
(IV 3-11)Thus,
P (A) = 10-3
and
(IV 3-7)
(IV 3-8)
If common causes are determined to be apossible significant failure mechanism,then Equation (IV 3-6) can be used togive,
P (B) = 10-3
If the pump failures are independent,the probability of both failing tostart, P(AB), is simply the product ofthe individual pump probabilities; i.e.,p(AB) - 10-3 x 10- - 10-6. However, ifthe pump failures are due to commoncauses, Equation (IV 3-6) can be appliedand hence,
or
P(AB) < MIN(10-5, 10-2)
(PAB) < 10-5; dependent
(IV 3-12)
(IV 3-13)
P(AB) < MIN[10-3, 10-3]
or •
P (AB) < 10-3
(IV 3-9)
(IV 3-10)
since 10-3 is the minimum individualpump probability (both individual pumpprobabilities being equal). Therefore,using combination bounding, an upperbound of 10-J is obtained for thecombination probability P(AB).
Having obtained an upper bound of 10-3this number can then be compared to thetotal system failure probability. Ifthe %ystem probability is of the orderof 10- or larger, then the system is
since 10-5 is the minimum individualprobability. Whereas assuming independ-ence, the probability of A and B failingis 10-7; even if common causes aresignificant, the probability is stillless than or equal to 10-5.
In Equation (IV 3-6) and the aforemen-tioned examples, point values are usedfor the probabilities and the upperbound obtained is a point value upperbound. If error spreads or probabilityranges are used in the calculations,then these can be incorporated in theupper bound by using the error spreadsor probability ranges in Equation (IV3-6). If, for example, the upper valuesof the error spreads are used for theindividual probabilities in Equation (IV3-6), then an upper bound on thecombination probability will be obtainedwhich now incorporates the uncertaintiesin the individual probabilities.
IV-14
In the preceding example, if factors of10 error spread are associated with P (A)and P(B), an upper bound on P(AB) can beobtained which now incorporates the un-certainties on P (A) and P (B) if conser-vative values (upper error spread val-ues) are used in Equation_ IV 3-6). ForP(A) = 0- and P(B) = 10 4 with factorsof 10 error, the conservative values forP(A) and P(B) are 10-5 x 10 =i1-4 and10-2 x 10 = 10-1, respectively. There-fore P(AB) < MIN[l0-4, 10-1] =- 0-which now inc~orporates the uncertaintiesand variabilities on P(A) and P(B).This use of error spreads and conserva-tive values accounts for the possibleomission of specifically defined failuremechanisms in individual estimatedprobabilities as well as uncertaintiesdue to statistical estimation.
In the following discussions, pointvalue calculations will be described.It will be understood, however., thaterror spreads or probability ranges canbe incorporated by using them in placeof the point values. In particular,combination upper bounds which incorpo-rate uncertainties can be obtained byusing conservative values for theindividual probabilities in all theformulas.
For the upper bound in Equation (IV 23-6)the minimum individual component proba-bility is used, and 'not the maximum,since the combination probability isless than all of the individual compo-nent probabilities. Since the combina-tion probability is less than every oneof the component probabilities, it istherefore less than the minimum of theseprobabilities.
The mathematics used in obtaining theupper bound is quite general and dependsonly upon basic Boolean and set opera-tion properties. Since the same eventspace is tacitly assumed in thesemathematical operations, one must onlytake care that the individual componentprobability is applicable with regard tothe combination probability. Thisapplicability property is important andneeds some elaboration.
The individual component probability,e.g., [P(A)], gives the probability ofthe component failing by various mecha-nisms. Likewise the combination proba-bility (P(.AB)] gives the probability ofthe combination failing by its variousmechanisms. The dominant componentfailure mechanisms need not necessarilycoincide with the dominant combinationfailure mechanisms ("dominant" meaninghere those that contribute most to the
probability). For example, randomfailures may dominate and contributemost to the individual component proba-bility, while common mode failures maydominate and contribute most to thecombination probability.
For the individual component probabilityto be applicable, i.e., to be able to beused as in Equation (IV 3-6), either oftw9 conditions must be satisfied:
a. The dominant combination mechanismsshould be contained in the individu-al component failure mechanismswhich are thereby included in theindividual component probability, or
b. The dominant combination mechanismsshould cause an insignificant changein the individual component proba-bility if they were included as partof the individual component failuremechanisms.
In the first of the above conditions thecombination mechanisms are includedamong the individual component f ailuremechanisms. The combination mechanismsmay or may not be dominant with regardto the component failures. In thesecond of the alternative conditions,the combination mechanisms are notincluded among the individual failuremechanisms; however, if they were, theywould cause negligible effect on theoverall component probability.
The above two conditions are obtainedfrom standard reliability considerationsand can also easily be derived mathemat-ically by decomposing the probabilityinto constituent mechanisms contribu-tions. In practice, the conditions canbe checked before the upper bounds arecomputed. For example, if common modefailures due to design defects are beinginvestigated, then the component failureprobability should contain designdefects in its contributions. If thecomponent probability does not coverfailures from design defects, then,alternatively, design defect failuresshould be insignificant with regard toother types of failures affecting theindividual component which are coveredby the component probability.
As another example, if common modefailures due to environmental degrada-tion are being analyzed and bounded,then the individual component probabili-ty should apply to this environment orshould be negligibly affected by it. Inthis example and the previous one, onlyone mechanism is of interest. The sameapplicability checks are used when a
IV-15
series of mechanisms can enter into anumber of possible common mode failures.
To bound a number of common-mode failurecontributions due to a possible group ofmechanisms, the component' Orobabilityshould contain and cover this group ofmechanisms as they affect the individualcomponent. Alternatively, with regardto the individual component, these mech-anisms should have negligible effect ascompared to other types of failures theindividual component may suffer. Forthis alternative condition, it is againimportant to note that the mechanismsare assessed with regard to theiraffect, not on the combination, but onthe individual component.
The above applicability conditions canbe rephrased with regard to Equation (IV3-6) giving the upper bound on P(AB).If P(AB) represents a particular commonmode probability, then the individualprobabilities P(A) and P(B) shouldtherefore contain or be negligibly af-fected by the particular common modemechanism. If P(AB) represents thetotal combination probability, includingvarious common mode mechanisms, then theindividual probabilities should containor be negligibly affected by thesemechanisms.
If error spreads or probability rangesare incorporated in the calculations,then the above applicability conditionsand discussions apply to the errorspreads or ranges. The individual errorspreads or ranges should incorporate theuncertainties and variabilities from themechanisms which affect the combinationor should be negligibly affected bythese uncertainties and variabilities.
3.2.3 BOUNDING COMBINATIONS OF THREE ORMORE FAILURES
The combination bounding technique hasbeen applied in the previous discussionsto combinations consisting of two fail-ures. The technique can be simply ex-tended to combinations consisting of anynumber of failures. Consider first acombination of three components failingand let this combination failure be re-presented by the expression ABC. Theexpression ABC thus represents the fail-ure of A and the failure of B and thefailure of C. Let the probability ofthis combination failure be denoted byP(ABC);
P(ABC) = the probability of A,B, and C failing.
(VI 3-14)
Since the combination consists now ofthree failures, an upper bound can beobtained by considering either singlefailure or two failure combinations.Using the same Boolean and conditionalprobability methods as in the previoussection, one obtains for the singlefailure bound.
Single Failure Bound:
P(ABC) < MIN [P(A), P(B), P(C)]
(IV 3-15)
In the above equation, the symbol MINagain denotes that the minimum, orsmallest value, of either P(A) or P(B)or P(C) is used as the upper bound. Toobtain an upper bound for a triple com-bination probability, one therefore sim-ply uses the smallest individual compo-nent probability.
Equation (IV 3-15) is the result yieldedby the combination bounding technique,which is mathematically simple. To beable to use this result, the same appli-cability conditions must be satisifed asfor the two combination casel i.e., thecombination mechanisms should be con-tained in the component probability usedas the upper bound or should have negli-gible effect with regard to its othercontributions.
In addition to the single bound, P(ABC)can also be bounded by considering com-binations of two failures. Treating aparticular double combination as an in-dividual failure event, one obtains, us-ing the same appraoches as before,
P(ABC) < P(AB)P(ABC) • P(BC)P(ABC) • P(AC)
(IV 3-16)(IV 3-17)(IV 3-18)
or
Double Failure Bound:
P(ABC) < MIN [P(AB), P(BC), P(AC)]
(IV 3-19)
By combination bounding therefore, an-other upper bound for a triple combina-tion is obtained by taking the minimumof all possible double combination prob-abilities. This compares with the pre-vious, alternative upper bound which isobtained by taking the minimum of theindividual component probabilities. Forthe double bound, i.e., Equation (IV 3-19), the same applicability conditionshold, where the double combinations arenow the individual failure events
IV-16
("double combination" is substituted for"component" in the applicability condi-tions).
Either the single failure bound or thedouble failure bound can be used for thetriple combination. The double failurebound will in general give a smaller andhence better value. However, combina-tion probabilities must be computed forthis bound, i.e., P(AB), P(BC), orP(AC); and, if common modes dominatethese doubles, then the computation maybe infeasible.
The minimum probability does not need tobe used, since by Equations (IV 3-16)through (IV 3-18), the triple combina-tion is bounded by any double combina-tion probability. The double bound istherefore useful when two of the compo-nents are determined to be reasonablyindependent. For example, if A and Bare independent and the common modesinvolve only C, then Equation (IV 3-16)may be used to obtain
P(ABC) < P(AB) =P(A)P(B)(A and B independent) (IV 3-20)
In general, for this type of bounding,the upper bound always used is the dou-ble combination that can be justified tobe reasonably independent.
Using the same approaches as for thedouble and triple combinations, the com-bination bounding technique can be ap-plied to a general combination consist-ing of n failures:
the smaller combination which is used inthe equation.
3.3 ANALYSES AND QUANTIFICATIONSAPPLIED IN THE STUDY
Because the combination bounding tech-nique is uncomplicated in its mathemat-ics, it can be easily and simplyapplied. In the Reactor Safety Study,the technique helped to serve as a checkand an analysis tool. In its use as acheck, upper bounds were computed forcombinations of failures where engineer-ing principles and experience suggestedthat they could be possible common modefailure candidates. These bounds werethen compared to the predicted systemfailure probability to determine itssensitivity to possible common modecontributions. If the bounds had animpact, further investigation was per-formed and more detailed analyses wereundertaken. As will be described, in anumber of cases the bounds were alsoincorporated as part of the uncertaintyand variability.
In checking for common mode impacts, oneof the first steps was to identify po-tential common mode mechanisms. Thesemechanisms can be categorized into vari-ous classes, and one such breakdown usedin the study is listed on Table IV 3-1.
In the breakdown, on Table IV 3-1, envi-ronmental variations include both acci-dent and non-accident environments.Failure or degradation due to an ini-tiating failure includes, for example,an extra load placed on the second pumpdue to the first failing. It alsoincludes the cases of missile generationand piping ruptures affecting nearbycomponents. Other forces that couldpotentially cause failure, include suchphenomena as fire, floods, tornadoes,etc.
A number of the mechanisms in Table IV3-1 were also investigated in otheraspects of the study. As an example,certain areas relating to design defects(E, G) were analyzed as part of thedesign adequacy task in Appendix X.Also, functional dependencies were in-corporated in the event trees. Theseother coimnon mode related studies aredescribed in their respective appen-dices.
For the particular studies undertakenhere, in which combination boundingserved as one of the tools, the commonmode mechanisms in Table IV 3-1 werethose not directly covered by the eventtree and fault tree efforts. The common
Single Failur3 BoundP(Al A2 ... An) < MIN[P (Al) , P (AD), ... P(An)];
Double Failure BoundP(Al A2 ... An) < MIN[Probabilities of all doublecombinations]
Triple Failure BoundP(AlI A2 ... An) < MIN[Probabilities of all triplecombinations]
(IV 3-21)
(IV 3-2 2)
(IV 3-23)
etc
The various upper bounds are thereforeobtained by computing the probabilitiesof smaller combinations contained in theoriginal, large combination. The upperbounds are obtained, not only for theminimum, but for any smaller combinationprobability which is computed. For anyof these upper bounds, the applicabilityconditions must again be satisfied by
IV- 17
mode mechanisms were analyzed with re-gard to their effect on the individualsystem fault trees and their effect onthe combined fault trees which the eventtrees required. II
After identification of potential commoncause mechanisms, the component combina-tions were then examined for their sus-ceptibility to these mechanisms. Thecomponent combinations which were exam-ined were the critical paths, or minimalcut sets, i.e., those failure combina-tions that would cause system failure orcombined system failures.
A listing of properties indicating po-tential susceptibility that was used inthe examination is given in TableIV 3-2. The letter or letters inparenthesis beside each property referto the possible common mode mechanismswhich can be associated with property(the letters refer to those used inTable IV 3-1).
in examining for susceptibility proper-ties, all components in the combination(i.e., on the critical path) must havebeen susceptible to the same potentialfailure mechanism, Conversely, the com-ponents having a common potential mecha-nism must have constituted a failurecombination (critical path).
When the susceptible combinations wereidentified in the examination process,upper bounds were then taken to deter-mine their maximum impact. In the com-bination bounding process, single fail-ure bounds were principally used. Sincethe bounding determination was quitesimple (using the minimum componentprobability), the checking was performedin conjuction with the basic analysisand quantification of the fault tree.
In a number of cases, the bounds showedlittle potential impact, either indivi-dually or collectively, on the predictedsystem failure probability and its asso-ciated error bars that had already beenobtained. This was attributed to twoprincipal factors: one, the larger mag-nitude which had already been obtainedfor the system probabilities, and two,the lesser precision required for theoverall risk analysis along with therelatively large widths of the systemerror spreads.
The magnitude factor can be seen heuris-tically. For the system and combinedfault trees, the pertinent componentprobabilities were component unavaila-bilities and component failure probabil-ities. From the data base, the highestunavailability for a. single active
component is of the order of 10-3.Analogously, the highest unavailabilityfor a Single passive component iLs of theorder of 10-4. Using the single failurebound, the maximum effect from commoncauses is thus 10-3 or 10-4, whicheveris pertinent (i.e., MI1N [P(A), P(B)Jequals 10-3 or 10-4) . As seen from thefault tree and event tree report~s, for anumber of systems the relevant: systemvalues are not impacted by even thesehighest potential effects of 10-3 or10-4.1
With regard to the precision of thepredicted values of system failure prob-abilities, system values are required toonly .one or two orders of magnitude inaccuracy for the overall risk analysis.Common mode contributions that were ofthe same order as the system value wouldtherefore at maximum change the value bya factor of two or so, which was -withinthe accuracy requirements. Furt~hermore,the system values already had largererror spreads due to data and modelinguncertainties. The addition of commonmode contributions did not thereforeimpact these existing larger spreads.
There were of course exceptions. in whichcommon mode failures did impact the sys-tem values and the pertinent contribu-tions are discussed in the fault treereports in Appendix II.
The cases of large potential common modeimpact consisted principally of failuresinvolving human errors, environmental.variations, and particular externalevents and failures causing or acceler-*ating additional failures. The combina-tion bounding technique was used inthese cases to quantify a range for theprobability contribution. If f urtherinvestigation and analysis did not pro-duce any more accurate information orresults, the range was used as thecontribution to the system failureprobability.
In determining a range for the commonmode probability, an upper bound and alower bound are required to define therange. The upper bound is given by thecombination bounding technique and was
1 The insensitivity to common modes wasalso due to the fact that the systemfault trees already contained singlecomponent failures. Common modes atthe extreme could change multiple com-ponent failures to single componentfailures which already existed.
IV- 18
that value used in the checking. Repre-senting an opposite end point, the lowerbound gives a minimum value for thecombination probability; i.e., the truecombination probability is greater thanthe lower bound value. Where commonmode failures can prevail, a lower boundon the combination probability cantherefore simply be taken as the inde-pendent failure situation in whichindividual probabilities are simply mul-tipled. When information existed, abetter lower bound value was insteadused.
With the upper and lower bound, therange is determined and can be used inthe quantification analyses. The mid-point of the range, for example, can beused as a best estimate of the trueprobability value. Instead, the boundsthemselves can be used in conservativeor optimistic calculations.
In the study, since a probabilisticapproach was being used, a probabilitydistribution was associated with therange. As for the other parts of thestudy, a log-normal was used with itsmedian (50% value) positioned at thecenter (geometric midpoint) of the rangeand its 90% bounds lying within therange.
In the actual determination of the log-normal distribution which was to beassociated with the original range,Monte Carlo simulation was employedusing the SAMPLE CODE. The reader isreferred to Appendix II for details onthis methodology. When there was knowl-edge that the true probability would liein a particular portion of the range(for example, in the high value region),then the bounds were adjusted to incor-porate this knowledge. When there wasno such knowledge, then the bounds werekept as originally determined. 1
As an example of the application of thebounding and range approach that wasperformed in the study, consider themiscalibration of two sets of bistableamplifiers discussed in earlier appendi-ces. If both sets of amplifiers aremiscalibrated then system failure willresult. The probability for any partic-
'With regard to the log-normal, themedian was thus centered at thegeometric midpoint of the originalrange, or on geometrically subdividedregions, depending upon the relevantinformation.
ular set being unsafely miscalibrated is1 x l0-3.
Using the combination bounding tech-nique, the upper bound for the combina-tion failure of two sets being miscali-brated is 10-3 (i.e. MIN [10-3, 10-3]).This represents the completely dependentsituation (given the first is miscali-brated, the probability is then one forthe second miscalibration). The otherside of the range, the lower bound, isobtained from the independent calcula-tion, 10-3 x 10-3 = 10-6. This repre-sents the situation of the two miscali-bration being completely independent.
When the probabilistic approach was usedto incorporate the possible contribu-tions, then the log-normal technique wasused. Since there was neither strongdependence nor strong independence, themidpoint of the range was used, which isapproximately
3 x 10-5 (i.e., 10-6 x l0-3).
To cover the possible variations, theindividual probabilities were treated asrandom variables and Monte Carlo simula-tion was employed for the final systemquantification (section 3.6.2 of Appen-dix II).
3.4 MORE DETAILED QUANTIFICATIONAPPROACHES
This section discusses certain of theconcepts and techniques which can beapplied if more detailed quantificationof common mode failures is necessary.In the Study, because of the resultsobtained, these more detailed quantifi-cations had a minor role. An approachwill be discussed here which was used asa supplemental technique for common modequantification. It will also serve toillustrate the types of considerationswhich can be included in general depend-ency modeling.
The approach presented deals with dis-crete failure events, which can then beextended to the continuous time domain(incorporating time dependencies of theprobabilities). Consider again the com-bination AB, which represents the fail-ure of both A and B. Various mechanismscan cause AB to fail, and hence theprobability of AB, P(AB), can be brokeninto various mechanistic contributions.
Let M denote a particular mechanismwhich if it were to occur could cause
IV-19
both A and B to fail. The total proba-bility, P(AB), can then be expressed as
N
P(AB) = EP(M) P(AB/M) (IV 3-24)
M=l
where
P(M) = the probability of mechanism Moccurring
(IV 3-25)
and
P(AB/M) = the probability of AB fail-ing when mechanism M exists
(IV 3-26)
In equation (IV 3-24), the summationN
symbol F denotes summation over allM=1
pertinent mechanisms (say, a total of Nof them). Equation (IV 3-24) is thestandard decomposition of a probabilityinto its elemental contributions (termeda mixture decomposition in probabilitymethodology).
It is important to note in Equation (IV3-24) that the likelihood of M, P(M),and its effect on AB, P(AB/M), enter inthe form of a product, i.e., P(M)P(AB/M). Therefore, if the effect of M
on AB is large but its likelihood issmall then the resulting product contri-bution could be small. However, if thelikelihood of occurrence of mechanism Mis small but is of sufficient size tocause the product term to dominate, thecontribution would then be significant.The summation in Equation (IV 3-24) cantherefore be considered to be over thosemechanisms for which the product termsdominate.
The mechanisms defined in Equation (IV3-24) are general and incorporate thespectrum of component properties andenvironments which can exist. Since thesummation is over all mechanisms whetherthey are common cause related or not,the independent, non-common cause situa-tion can be treated as one "mechanism".This non-common mode mechanism, or envi-ronment, is within the design environ-ment under which components fail inde-pendent. This environment will betermed the independent environment.
If the independent environment is denot-ed by Mo, then Equation (IV 3-24) can be
broken into an independent contributionand a common cause contribution:
P(AB) = (PMo)P(AB/Mo)
+ EP(M)P(AB/M)
M (common cause) (IV 3-27)
The last term in Equation (IV 3-27) is asummation over all mechanisms which donot lead to independence, i.e, over allcommon cause mechanisms.
By the definition of the independentenvironment Mo, the components fail in-dependently of one another. Hence,
P (AB/Mo) = P (A) P (B) (IV 3-28)
Consider now the occurrence probabilityfor Mo, i.e., P(Mo). Under efficientdesign, manufacturing and quality con-trol, and testing and maintenance, alarger portion of potential common modesare eliminated or are detected andcorrected. Hence, for these cases,which are characteristic of present-day,efficient procedures, P(Mo) u 1.
The above equality, P(Mo) = 1, simplysays that *for a larger portion of thetime and cases, say at least 50%, anapproximately independent environmentexists. This does not say that commoncause mechanisms do not dominate thecombination failures since their rela-tive effects can be large. In fact, allcombination failures which occur can bedue to common causes. This is arelative effect, where the combinationfailures constitute the base of compari-son. The equation P(Mo) 1 1, concernsan absolute frequency, for exampleimplying that the combination failuredoes not occur daily.
For normal environments the approxima-tion P (Mo) = 1 is thus reasonably ac-curate, yielding results with reasonableaccuracy.l (For peculiar situationswhere non-normal deviations are morelikely, the assumption will be slightlyconservative and yield conservativeresults.) Using P(Mo) 1 and the
1 The accuracy for example, is withinseveral significant figures for failuredetection efficiencies of greater than90%, where the efficiency incorporatesthe efficiencies of all stages, design,manufacturing, testing, etc.
IV-20
independence of A and B underEquation (IV 3-27) then becomes:
Mo,
P(AB) = P(A)P(B)
+ ZP(M)P(AB/M)
M (common causes) (IV 3-29)
The above equation is the final formthus obtained, in which failures aredecomposed into independent and commonmode contributions.
Equations (IV 3-24) or (IV 3-29) can beused to quantify the total combinationprobability or a particular common causecontribution. The occurrence probabili-ties P(M) are obtained from examinationof quality control processes, testing,etc., to determine their relative effi-ciencies. Processes can be grouped intoclasses for greater information utiliza-tion, thus giving larger populationbases. The probabilities P(M) can bedetermined directly from experience datausing standard estimation techniques orcan be modeled using such techniques asstochastic process theory.l
The probabilities P(AB/M) representfailure behavior under various givenenvironment and situations. These prob-abilities can be modeled using standardreliability techniques, taking intoaccount the particular sensitivities andproperties of the components involved.
If the mechanisms are extreme, then theapproximation can be used that P(AB/M)= 1 (the mechanism is certain to causefailure). Degradation models can beemployed where the mechanisms imposestress-type conditions (k factors andArrhenius modeling are examples of suchapproaches).
Instead of being obtained by modeling,the probabilities P(AB/M) can also bedirectly obtained from experience data.This is particularly so when the mecha-nism causes a higher failure probabili-ty, thereby yielding some data. Even ifthe mechanism is corrected, the data canstill be utilized for estimation, withchecking and correction then separatelyincorporated in the model (analogous toincorporating repair in standard relia-
1 For this estimation and modeling, theformulas are generally utilized intheir time dependent form, as discussedlater.
bility modeling). Empirical data fit-ting and controlled designs can also beemployed (use of the Weibull distribu-tion is an example of the former andenvironmental testing of the latter).
In the quantification of Equation (IV3-24) or (IV 3-29), the amount of detailcan be adapted to the problem needs anddata available. For those calculationsin which order of magnitude accuracyonly is desired, the analysis and re-quired information will be greatly sim-plified. In certain cases, one mecha-nism can be isolated as yielding thedominant contribution (for example,considering the one mechanism for whichthe components are most failure-sensi-tive). Bounding and range calculationscan also be performed. Flexibilitytherefore exists in the utilization ofthese equations, as will be illustratedin the application discussions of thissection.
Equations (IV 3-24) and (IV 3-29) canstraightforwardly be transformed to in-corporate time dependencies. These timedependent forms are often the onesutilized in quantification and modeling.If the mechanism can exist at the timeof component installation, i.e., att = 0, then P(M) is a constant, ini-tial-condition probability P(M) = P.This is applicable to design, manufac-turing, and quality control defects, andalso other phenomena which are inherent-ly associated with the component.
If the mechanism is not directly tied toa component property, but instead canoccur over some exposure time, then P(M)is a cumulative time-dependent distribu-tion, or equivalently a time dependentdensity function. This form is appli-cable to testing and maintenance errors,environmental degradation, and otherphenomena which occur during operationand use of the component. Applicableforms for P(M) are those associated withrenewal theory or stochastic processtheory for example. A common model is aPoisson process, with either time inde-pendent or time dependent occurrencerate; i.e.,
P(M) = I - e- Xt or P(M) = I - e-A(t)
where A and A(t) are the associatedparameter rates.
In time dependent analyses, failureprobability P(AB/M) is treated by stand-ard reliability techniques, with the
IV-21
condition that mechanism M has occurred.The probability is thus conditional,analyzed under the environment or char-acteristics of the mechanism M, and theprobability is in general dependent (abivariate for example). The definitionsof P(AB/M) are similar to those normallyemployed; for operating or standby fail-ures, P(AB/M) is a cumulative failureprobability or an unavailability, re-spectively. For cyclic failures,P(AB/M) can be treated as a demandprobability.
The functional forms for P(AB/M) arethose used in reliability and statistic-al theory with, for example, parametervalues chosen to correspond with thegiven condition of M having occurred.Exponentials, for example, can be usedwith modified failure rates (such as inthe k-factor approaches).
The standard bivariate exponential canbe used for correlated failure modeling,where the bivariate form is given by,
P (AB/M - exp[-A1 tl-A 2 t 2 -A3 max (tl,it2)]
(IV 3-30)
where tI and t2 are the failure times ofA and B. The probability is for failuretimes being greater than tI and t2. Theparameters A1 and A2 relate to the indi-vidual failures and A3 to the coupled ordependent contribution. 1
Instead of dealing directly with thecombination probability P(AB/M), the in-dividual contributions (marginal distri-butions) can also be analyzed. In termsof the individual probabilities, P(AB/M)= P(A)P(B/A), where the given conditionof M is implicit in each probability onthe right hand side. A straightforwardapproach is, for example, to use anexponential distribution for P(A) withan appropriate failure rate and a trun-cated normal or exponential for P(B/A)located at the failure time of A. Aheuristic diagram of this model is shownbelow. 1<00 Distribution of B
tt - Failure Time of A
1 If the failures were independent, thenA3 = 0, giving simply a product ofexponentials as in the random failureapproach. For )3 9' 0, the failuretimes are coupled.
As illustrated, given A has failed, B isno longer independent but has a highprobability of failing at or near thetime of the A failure. In the extremecase, the distribution of B becomes adelta function. The equations for thismodel and other coupled, conditionalmodels are obtained from conditionalprobabilistic theory.
The techniques that have been brieflyoutlined above are by no means exhaus-tive, but they help in circumscribingthe various possible approaches. Sincethe approaches are varied, each indivi-dual problem must be evaluated todetermine the specific approach which isapplicable, and also compatible with theavailable data. The approaches are allstraightforward and involve standardstatistical and reliability techniques,utilizing either gross data or detaileddata.
Upper bounds can be obtained fromEquations (IV 3-24) and (IV 3-29) byusing conservative values for P (M) andP (AB/M). Lower bounds can be obtainedby using associated lower bounds forthese terms or by neglecting contribu-tions in the summation [for example,using only the independent contributionin Equation (IV 3-29)].
The above bounding approaches can, forexample, be applied to common modefailures that can be due to externalevents or previous failures havingoccurred. As a specific illustrationconsider the common mode failure due toa steam line rupture .which was investi-gated in the study.
For the steam line rupture mechanism,using Equation (IV 3-29), P(M) is thenthe probability that the steam linerutpures, and P(AB/M) is the probabilitythat the nearby components (controlcircuits, etc.) are failed by this oc-currence. An upper bound for this con-tribution can be obtained by using aconservative estimate for the steam linerupture P(M) and a conservative estimatefor the affected failure probabilityP(AB/M).
A straightforward approach for P (AB/M)is to use the fraction of solid anglesubtended by the pertinent components(i.e., fraction of area exposed) or toassume P (AB/M) = 1. For the steamline rupture P (AB/M) - 1 was used andthe solid angle approach was used forthose cases involving missile-typegeneration, e.g., turbine runaways [forthe missile investigations P(N) Wprobability of turbine runaway, P (AB/M)= critical fractional solid angle].
IV-22
using P(AB/M)rupture case,becomes,
= 1 for the steam lineEquation (IV 3-29)
P(AB) < P(A) P(B) + P(M) (IV 3-31)
From the .Study's data base an upperbound for P(M) is 10-7, when a conserva-tive, leak type failure rate is used anda 1 hour window exists about the acci-dent time. Hence, to order of magnitude
bility is less than 10-7, then 10-7 canbe used as the upper bound, for example,in assigning the log-normal probabilityrange for P(AB) (the lower bound of therange consisting of the independentcontribution). Equation (IV 3-32) andthe bounds are applicable to any combi-nation AB which were encountered in thefault trees (constituting a criticalpath) and which were located adjacent toa steam line. 1
iFurther detailed descriptions of thistype of analyses are given in thespecial engineering investigations tobe discussed.
P(AB) < P(A)P(B) + 10-7 (IV 3-32)
For these cases then, if the independentprobability P(A)P(B) is greater than10-7, the common mode contribution isnegligible. If the independent proba-
IV-23
TABLE IV 3-1 CLASSES OF POTENTIAL COMMON MODE MECHANISMS
A.
B.
C.
D.
E.
F.
G.
Design Defects
Fabrication, Manufacturing, and Quality Control Variations
Test, Maintenance, and Repair Errors
Human Errors
Environmental Variations (Contamination, Temperature, etc.)
Failure or Degradation Due to an Initiating Failure
External Initiations of Failure
TABLE IV 3-2 COMBINATION PROPERTIES INDICATING POTENTIAL COMMON CAUSE SUSCEPTIBILITY
1.
2.
3.
4.
5.
6.
7.
All Components Identical in Type and Specification (A,B)
Components All Under the Same Maintenance or Test (C)
All Components Having Similar Failure Sensitivity (E,G)
Components All in the Same Locations (E,F,G)
Components All Exposed to a Possible Accident Environment (E)
All Components Loaded or Degraded by a Previous Failure (F)
All Component Failures Human Initiated (D)
Table IV 3-1 - Table IV 3-2
IV-25/26
Section 4
Failure Coupling
Because of common quality control, com-mon manufacturing processes, common de-sign, or common influencing environment,components can be coupled in a differenttype of common mode manner. One form ofthis coupling manifests itself in thefailure rates of the components. Thespecific result is that affected compo-nents will all have higher failure ratesthan normal. In certain beneficialsituations, the affected components canalso all have lower failure rates ascompared to the normal values for thosecomponents.
A particular example of failure ratecoupling is the existence of a manu-facturing/manufacturing defect in agroup of relays. Because of the defectall relays in the produced batch willthus be affected. This effect willmanifest itself in all the failure ratesbeing higher than the average failurerate for that type of relay.
Instead of a detrimental effect, thefailure rates may all be lower thantheir standard value. Such an effectwill occur, for example, if better thanaverage maintenance is being performedon a set of components. -Whether theeffect is detrimental or beneficial, acoupling occurs in the affected compo-nents thus causing a certain loss ofindependence.
As a numerical illustration of the fail-ure rate coupling effect, assume twolatching relays are in parallel (i.e., adouble failure is needed for systemfailure). For this type of relay1assume the normal failure rate is 10-Oper demand. If normal situationsexisted, the probability for both inde-pendently failing is then 10-3 x10-3 = 10-6. For the two particularrelays, however, because of a couplingdefect assume that both failure ratesare now 10-2. The joint probabilitygiven this defect, is therefore10-2 x 10-2 = 10-4. The failure ratecoupling consequently yields two ordersof magnitude increase in the joint prob-ability of failure.
The above example yields a two order ofmagnitude effect given that the defectdoes indeed exist. A quantitativetreatment must also incorporate theprobability of the defect first exist-
ing. In the Study, to investigate theeffects of failure rate coupling in aprobabilistic manner, the failure ratedistributions were coupled in a one toone correspondence.
In the normal calculations (representingno failure rate coupling), each compo-nent failure rate in the Study wasassigned a distribution to account forindividual variations and uncertain-ties. 1 The distributions were thenpropagated to obtain the possible varia-tion on the resultant system failureprobability. The possible system varia-tion is represented by confidencespreads (probability ranges) on thesystem probability. In the normal cal-culations, all component failure ratedistributions were treated as beingindependent of one another.
In the failure-rate coupling analyses,the same failure rate distributions wereused for the normal calculations. Com-ponents were however, now categorizedinto characteristic classes where thecharacteristic classes were defined suchthat all components in a particularclass had a potential common couplingcause. A characteristic class thusrepresented a potentially coupled set.
In the Monte Carlo simulation, compo-nents of one characteristic class werecoupled by equating the component fail-ure rates to a common single failurerate. An example of the failure ratecoupled model used in the study is shownin Fig. IV 4-1. .The components are ofthe same characteristic class, forexample two similar relays. Each of thecurves in Fig. IV 4-1 represents thedistribution of the individual failurerate (i.e., its density function). Inthe independent case, when one failurerate is low (the above figure), theother failure rate can be high (lowerfigure). This independent behaviorrepresents the independent individualcomponent variations which can occur.
In the coupled case, when one failurerate is high, the other failure rate inthe same coupled class is also high. In
iSee Appendix II.
IV-27
complete coupling, as is shown, all com-ponents have the same failure rate (oneto one correlation).' In this coupledtreatment, the probability of the cou-pled variation existing is in6orporatedby the individual component failure ratedistribution (the upper curve in thecoupled case). (Given a particularfailure rate value (the Ox"~ sampled on acurve) the coupling is then establishedby assigning the same failure rate valueto all the other components of the samecharacteristic class.)
In the Study, the characteristic classesof components coupled were defined to be_components of the same basic functionaltype. All relays constituted one class,all pumps another, motor valves, wires,etc., other classes. This categoriza-tion corresponded to the general cate-gorization breakdown in the failure ratedata base (Appendix III). The estab-lishment of these characteristic classesenabled the examination of a very broadrange of potential couplings to be made.in general, many people have thought of
Such potential couplings as includingonly components that were quite specifi-cally related such as relays, pumps,valves, etc. of a given manufacturer.Since the classes used herein were muchbroader, the coupling studies performedincluded all generally similar compo-nents such -as all relays, all pumps etc.within a particular system.
Since the test and maintenance downtimerepresents a unique, non-component con-tribution to the system probability, no6oupling was assigned to it. The testand maintenance downtime was thustreated as in the independent case.Common mode human errors are explicitlyincorporated as separate contributionsto the system probability. Therefore,the human contributions were also notfailure rate coupled (human contribu-tions were thus also treated as in thestandard independent case).* The coupledclasses were consequently those composedonly'of hardware failures.
In the study, the coupled variation wasevaluated by Monte Carlo sampling usingthe SAMPLE program (described in Appen-dix 11). Sampling a failure rate valuefrom an individual distribution gave allthe failure rates for that class. The
I1n a statistical methodology the one toone correlation is represented byequating the random variable failurerates, X1 - A2 - 13, etc.,
coupling was repeated in this samplingmanner to obtain the resultant variationin the system probability. (A moredetailed description of the actualsampling procedure is given in section3.6.2 of Appendix II.)
The coupled modeling which was used hadthe effect of increasing the errorspread of the system probability. Thedistribution and associated errorspreads on the system probability thenrepresented the possible variationsincluding 'the common mode couplingeffects. The system error spreads thusbecame larger, as compared to the normalindependent calculations, accounting forthe coupling effects. The amount ofwidening, as compared to the independentcase, represents one measure of theeffect of coupling existing in the sys-tem. The coupling effect is illustratedin Fig. IV 4-2.
It should be -noted that the model de-scribed is simply one method of coupledtreatment. It is applicable when coup-ling effects are incorporated into thesystem distribution. More detailedmodels can be employed by which thecoupling effects are incorporated intothe actual system probability value.This requires a more detailed type ofdata, but is useful when, for example,higher accuracy is required.
Table IV 4-1 shows the results of stud-ies that were performed to determine theeffect of common mode coupling on thePWR and BWR system probability bounds,using the modeling techniques previouslydiscussed. The independent 90% boundswere those obtained by the standard,independent treatment. The coupled 90%bounds were those obtained by completelycoupling all the generic classes. ingeneral the error bands became largerfor the dependent case and the median,only slightly changing. The resultslisted in the table are those for whichthe coupling had some observable ef-fects. Even for these cases, thecoupling effect is not an order ofmagnitude significance and does not havea very large impact.1 As extra error
1 n general, the coupling has greatereffect in systems having dominant fail-ure contributions from single charac-teristic classes. The coupling effect
. is therefore useful for general inves-tigations of -component diversity withinsystems. The smaller effect in thestudy's results was due to the systemsbeing dominated by single failure andnon-hardware contributions (test andmaintenance, human).
IV- 28
coverage, however, the coupled valueswere used in the fault tree reports forthose systems where the relative effectwas larger and could impact further
evaluations. (This also gave added pro-tection against biases and correlationsresulting from non-independent estima-tion of the component data.)
IV-29
TABLE IV 4-1 PWR COUPLING - BWR COUPLING
System Case Lower Bound Median Upper Bound
PWR COUPLING
RPS
LPRS
HPRS
HPIS
Independent
Dependent
Independent
Dependent
Independent
Dependent
Independent
Dependent
Independent
Dependent
1.3 x 10-5
8.4
4.4
2.1
4.3
2.1
4.4
2.4
7.0
4.2
x
x
x
x
x
x
x
x
x
10-6
10-3
10-6
10 6
3.6
3.0
1.3
9.6
9.0
9.0
8.6
1.8
3.7
x
x
x
x
x
x
x
x
x
10o3
103
10-
10-2
1.0
4.3
3.1
6.5
2.2
4.0
2.7
5.0
3.0
x
x
x
x
x
x
x
x
x
10-
10-
10-2
102AFWS
SPB(Start & 8 Hrs.)3.2 x 10-5 6.0 x 10-4
BWR COUPLING
ECI - I
ECI - II
ECI - III
RPS
CSIS(Both Legs)
Independent
Dependent
Independent
Dependent
Independent
Dependent
Independent
Dependent
Independent
Dependent
1.0
9.4
1.0
8.2
8.4
6.3
4.3
2.3
6.7
4.5
x
x
x
x
x
x
x
x
x
x
10-4
10-4
10-
10-6
10-
10-
1.5
1.5
2.0
2.0
9.3
8.6
1.3
1.3
9.5
9.5
x
x
x
x
x
x
x
x
x
x
103
10-
10-7
10-7
10- 5
2.1
3.6
3.0
5.0
1.0
4.2
4.8
8,9
1.4
2.6
x
x
x
x
x
x
x
x
x
x
10- 3
10- 4
10- 4
10-
10-
10-
Table IV 4-1
IV-31/32
lx"'
I
II
11*
Independent Case Coupled Case
FIGURE IV 4-1 Independent Versus Coupled Failure Rate Distribu-tions [Frequency on Vertical Axis (Ordinate),Failure Rate on Horizontal (Abscissa)]
Independent System Distribution
/Z Coupled System Distribution
FIGURE IV 4-2 Increased System Uncertainties Due to CouplingEffects (Vertical Axis - Frequency; Horizontal -System Probability)
Fig. IV 4-1 - Fig. IV 4-2
IV- 33/3 4
Section 5
Special Engineering Studies to IdentifyPotential Conunon Modes in
Accident Sequences
5.1 SUMMARY OF RESULTS
In this special engineering study, com-mon mode failures are again examined fortheir possible contribution to PWR acci-dent sequence failure probabilities.From these engineering studies, it wasfound that the common mode failureprobabilities in general did notsignificantly impact these failureprobabilities.
Many of the accident sequence failureprobabilities are dominated by componentfailures in subsystems that have inter-faces with more than one system in asequence or by common human errors thataffected redundant systems. These arefailures, however, which were identifiedand evaluated in the individual systemfault analyses, 1 and were previouslytaken into account when the systems wereconsidered together in the evaluation ofthe accident sequence probabilities. 2
This common mode failure study thereforedid not include the already consideredmulti-system sequence failures due toindividual component failures in inter-facing subsystems, or the human inter-face, acting through a common humanerror, failing redundant legs of asystem.
Two types of common mode failures wereexamined in this special study:
a. Common mode failures from secondaryfailure sources, are componentfailures resulting from phenomena,such as flooding or fire, which
.exceed component design limits.This type of common mode includesfailures in one system which canindirectly fail the other systems inthe sequence. In some cases, thesecondary failure sources may causemultiple system failures through acommon interface.
1 See Appendix II for system fault analy-sis descriptions.
b. Common mode failures in similar com-ponents are failures involvingseveral similar components (such asmotor-operated valves or motorstarter breakers) used in more thanone system where the components canall fail within a critical timeframe due to some common cause (suchas a manufacturing error).
5.1.1 LARGE LOCA SEQUENCES
In addition to the above, the potentialfor common mode caused damage to safetysystems and to the containment structuredue to whipping motions of ruptures RCSpiping was considered. ("Pipe whip" isa term commonly given to this typedamage potential.) In this considera-tion, the layouts of the reactor coolantsystem (RCS) and other high energy pip-ing relating to the preservation ofcontainment integrity and the safetysystems piping runs were examined. Re-straints to prevent potential pipe whipwere found to be applied where thepossibility of interaction between aruptured pipe and containment might po-tentially occuj (e.g. main steam andfeedwater lines ). No pipe whip damagemechanisms were identified in the caseof safety systems since, in all areasconsidered, the presence of the cranewall and operating decks provided ade-quate protection. In these cases whereindividual legs of emergency cooling(ECCS) piping ran from the crane wall tothe RCS connections, the loss of func-tion for that ECCS leg was assumed tooccur whenever that part of the RCS loopruptured. This common mode failure ofthe ECCS connection to a single RCS loopwas incorporated in the analysis of ECCSoverall failure probability as stated inAppendix I, section 2.4 and in AppendixII, section 5.6.
The accident sequences in the Large LOCAevent tree which were investigated forthese types of failures were chosenbecause they had some potential suscep-tibility for common modes and theirprobability could have been affected if
ISee Appendix X, subappendix A, sectionA6.3.2.
2 See Appendix I for eventsions, and Appendix Vevaluations.
tree discus-for sequence
IV-35
such common modes existed. The symbolsused in the subsequent discussions areas follows:
A = Large LOCA (loss-of-coolantaccident);
B = EP (Electric Power);
C = CSIS (Containment Spray Injec-tion System fails);
D - ECI (Emergency Cooling Injec-tion failure, which is. essen-tially the failure of the LPIS,or Low Pressure InjectionSystem, for a large LOCA);
F = CSRS (Containment Spray Recir-culation Systems fails);
G = CHRS (Containment Heat RemovalSystem failure);
H = ECRS (Emergency Cooling Recir-culation System failure, thefailure of the LPRS, or LowPressure Recirculation System,for a large LOCA);
I = SHAS (Sodium Hydroxide AdditionSystem failure, the system tosupply NaOH to the, containmentand the containment sump byinjection into the RWST).
The sequences for which the common modefailures were evaluated, and the resultsof the evaluation, are as follows:
The' HF (given A) sequence has as acontributor the common mode failure ofthe containment sump. The blowdownduring a LOCA causes an accumulation ofdebris in the containment which in turnplugs the sump, with a value on theprobability of plugging the sump of10-610o].*1
The D (given 'A) sequence had as acontributor a common mode failure inwhich a LOCA on the discharge side ofthe primary coolant pump causes pumpoverspeed and flywheel fracture. Apiece of the fractured flywheel pene-trates the cubicle wall in the vicinityof a single pipe for low pressureinjection to the cold legs, therebystriking and failing this line (there-fore failing D). This event sequencehad a probability of approximately:
QCM - 1.3 x 10-6
5.1.2 SMALL LOCA SEQUENCES
Small LOCA event sequences involve mostof the same systems and event codes asthe large LOCA events, except for thefollowing:
S = Small LOCA;
D = ECI (essentially the failure ofthe HPIS, or High Pressure In-jection System);
H = ECR (the failure of the HPRS,or High Pressure RecirculationSystem);Sequence
CDCDIHF
DCFBFHFI, HI, FI
Common Mode Impact
InsignificantInsignificantMinor ImpactInsignificantWithin Error SpreadsInsignificantInsignificantInsignificantInsignificant
K = RPS (failure of theProtection System);
Reactor
The sequences HF (given A) and D (givenA) were identified as having some poten-tial for non-negligible effects, buteven for these cases the impact on theprobability of the release category wasassessed to be small and within theerror spreads.
1 See the PWR event tree discussion inAppendix I for discussion of the de-tailed meaning of these sequences.
L = AFWS and SSR (failure of theAuxiliary Feedwater System andSecondary Steam Relief valves).
The results of the evaluation for thecontribution of common mode failures tosmall LOCA event sequences are in gener-al the same as for the large LOCA eventsequences; that is, the common modecontributors have probabilities which lonot significantly impact the sequencefailure probability or the release cate-gory probability.
The D (given S) sequence does notinclude the common mode contributor of
iQuantity within the brackets is theerror factor which applies.
IV-36
the flywheel failure (pump B flywheelfailure), because the relatively slowdepressurization of the reactor coolantsystem (RCS) will not cause pump over-speed. Other sequence common modefailures (primarily a RCS stop valvefailing closed causing a severe waterhammer and a LOCA) have probabilitiesthat are orders of magnitude less thanthe independent unavailability of D (theHPIS).
The small LOCA sequences involving the Kand L systems are not among the impor-tant contributing sequences for smallLOCA events. Since no significant com-mon mode failures were determined for Kor L that affect other systems in thesequences (common mode failures involv-ing only K or L systems were developedand evaluated as a part of the analysisfor those systems1 ), common mode fail-ures for those small LOCA sequencesinvolving K and L systems will not bediscussed further.
The C (given S) sequence is an importantsmall LOCA sequence for the S2 LOCA (asmall LOCA due to a break in the RCSequivalent to a hole with a 1/2 to 2inch diameter). However, no significantcommon mode failures could be found forthe CSIS, other than common human errorsalready considered as a part of the CSISfault analysis.
2
These considerations leave the HF (givenS) sequence as the important small LOCAsequence with a common mode failurebetween systems of the containment sumpplugging failure. Even though the prob-ability of the sequence is affected, theimpact on the release category is,however, insignificant and within theerror spreads of the release categoryprobability.
5.2 SUVMMARY OF SECONDARY FAILUREMETHODS
Secondary failure sources were identi-fied in studies of plant layout, and ofpotential interactions between systemcomponents and between energy sourcesand system components. Plant drawingsand visits to the plant were used forthis study. A summary of the influence
1 See Appendix II, section 5.2 for the
RPS, section 5.3 for the AFWS.
2 See the CSIS analysis in section 5.4 ofAppendix II.
of the secondary failure sources on thesequences being evaluated is in subsec-tion 5.4.2. A summary of common facesthrough which common mode failures mayfail PWR LOCA sequences is in subsection5.4.1.
A list was compiled from the systemfault trees, system drawings, componentspecifications, and other plant designinformation listing similar componentsused in the PWR Safety Systems which canfail a system or multiple systems by thefailure of several similar components ina given failure mode within a criticaltime frame. The listing, and the PWRLOCA sequences which can be affected bymultiple failures of similar componentsare presented in Table IV 5-1.
5.3 PWR LOCA SEQUENCE COMMON MODE
FAILURE EVALUATIONS
The more detailed evaluation of the po-tential common mode failures for the PWRLOCA sequences summarized earlier isgiven below. The single letter codesused to identify PWR systems are listedin the preceeding section 5.1. Theevaluation discussion below does notinclude those common mode failurecontributors which were found to have anegligible influence on the total commonmode failure contribution.
5.3.1 SEQUENCE CD (GIVEN A OR S)
Common mode contributors are not signif-icant contributors to the CD sequencefailure probability, since their proba-bility was one to two orders of magni-tude less than for the CD sequence asdetermined from the basic fault trees.A common mode contributor for the CDsequence is the event of four or more480 V motor starter breakers for thesystem pumps could all trip due to acommon cause. The probability for thiscommon mode contribution was assessed tobe much less than the CD sequence fail-ure probability already evaluated.
5.3.2 SEQUENCE CDI (GIVEN A OR S)
The CDI sequence failure probability hasas a contribution failure of the RWSTcommon interface, primarily by pluggingof the 8 inch RWST vent. This probabil-ity was assessed to be comparable tothat of passiye component failures forthe LPIS systemy.
1 See section 5.6.3 in Appendixthe LPIS analysis.
II for
IV-37
! I
CDI sequence common mode contributors(interacting with the sequence by fail-ing the RWST) do not significantly addto the CDI sequence failure probability,as follows:
a. Rupture of the RWST by an explodinghigh pressure gas bottle in the ad-jacent bottle farm.
b. Rupture of the RWST by a vehiclecrashing into the RWST. This wasthe dominant common mode failure.The probability of this event, how-ever, was insignificant comparedwith the CDI sequence failureprobability.
Common mode failure of the SafetyInjection Control System (which fails D)coupled with failures of the CI sequencealso can contribute to common modefailures for the CDI sequence. Thesefailure combinations are again assessednot to be significant contributors.
5.3.3 SEQUENCE HF (GIVEN A OR S)
The possible common mode contributor forthe HF sequence is:
Plugging of the containment sump after aLOCA is assessed as 10- 6 [10]. Thiscontribution is included in the eventsequence probability; however, the ef-fect on the total release categoryprobability is small. 1
5.3.4 SEQUENCE G (GIVEN A OR S)
The G(CHRS) sequence failure probabilityfor the first day of recirculation hasas a contribution the drainage of theintake canal, an interfacing system. Ahuman interface common mode failure,previously developed and evaluated inthe CHRS fault tree analysis, 2 is the
1 Consideration of the overall probabili-ty results for core melt (see TableV 3-14, Appendix V) also indicates thatthe results are not particularly sensi-tive to large variations in the proba-bility estimates for containment sumpplugging. For example, an increase oftwo orders of magnitude in the HF se-quence due to the sump plugging contri-bution still has small effect.
2 See section 5.6.3 in Appendix II forthe LPIS analysis.
failure of operators to open thecontainment heat exchanger vent valves,which leads to air entrapment in heatexchangers when flow is initiated andfailure of the heat exchanger function.
Other identified common mode contribu-tors which were assessed to have insig-nificant contribution to the G sequencefailure probability are:
a. A rupture of the turbine oil condi-tioner spilling oil into the adja-cent service water valve pit. Ifthis oil is ignited, the normallyclosed motor operated valves (MOV's)in the valve pit for service waterto the containment heat exchangersmay be failed.
b. Two check valvesdemand due to acause.
fail to open oncommon failure
c. Rupture of a service water line inthe service water valve pit floodscontainment heat exchanger MOV's,preventing their opening for a LOCA.
d. Four MOV's inadvertentlywithin 24 hours.
closed
e. Two bellows joints rupture within 24hours.
5.3.5 SEQUENCE AD (GIVEN A)
Identifiedcould affectprobabilitylstill within
common mode contributorsthe AD sequence failurehowever, the impact is
the error spread.
A possible common mode contributor forthe AD sequence has a probability whichcould at most double the probability forindependent A and D events. This commonmode failure is a rupture (LOCA) in theRCS piping at the discharge side of RCSpump B which would cause the pump tooverspeed and potentially result in aflywheel fracture. A piece of thefractured flywheel penetrates the loop Bcubicle wall near the single line forlow pressure injection to the cold legs,and ruptures this line thus failing theLPIS (D). The common mode failure wasconservatively evaluated as follows:
OC•4 - OLOCA OBD/L QPF/Bb QTA
QLOCA - The probability of a largeLOCA - 1 x 10- /yr.
IV-38
QBD/L
QPF/BD
OTA
QCM
= The probability of arupture in the pump B dis-charge line Z .13(l)
= The probability of fly-wheel fracture : 1.0(2)
The fraction of the sus-ceptible circumferentialarea around pump B z .1
(.1) = 1.3 x 6, whichwould be approximatelydouble the probability forindependent A and Devents. The value is,however, within the errorspreads.
and evaluated in the CLCS fault treeanalysis.1
The CLCS, and the CSIS and CSRS mayalso be failed due to common mode fail-ures of similar components. An evalua-tion for these failures found them notto impact the CF sequence failure proba-bility. These similar component commonmode failures (not including human cali-bration errors) are:
a. Three CLCS Hi-Hi relays fail toenergize.
b. Three containment pressure trans-ducers fail to respond to lowpressure.
Regarding the AD sequence, another iden-tified potential common mode failureresults if one of the six RCS stopvalves fails, allowing the valve disc todrop and suddenly stop loop flow. Thesudden flow stoppage could cause anexcessive water hammer which rupturesseveral emergency core-cooling system(ECCS) piping connections to the RCS inmore than one of the loops, resulting ina LOCA and failure of several ECCSsystems. Essential ECCS piping would belost if 2 out of 3 accumulator lineswere ruptured, or if 3 out of 3 LPISlines to the cold legs were ruptured.This common mode failure was assessed tohave a probability less than the pumpflywheel failure.
5.3.6 SEQUENCE CF (GIVEN A OR S)
The CF sequence failure probability isdominated by failure of the consequencelimiting system (CLCS), a common inter-facing system with the CSIS and CSRS.Failure of the CLCS is in turn dominatedby a human common mode failure,miscalibration of CLCS instrumentation.This common mode failure was developed
140% of the RCS loop piping is on the
discharge side of the pumps and thereare 3 loops; so QBD/L = .4/3 = .13.
2 The value used for QPF/Bp is consideredsomewhat conservative since the pumpoverspeeds attained may not be greatenough to cause flywheel missiles to begenerated. As can be inferred fromTable V 3-14, Appendix V and from theabove result, use of this potentialconservatism still had no significanteffect on the resulting overall proba-bilities of a core melt.
c. Three power supplies havevoltage.
low
d. Three signal comparators drift up.
e. Six 480 V motor-starter breakersfail to close.
f. A fire in the instrument room failsboth trains of the CLCS.
g. Four MOV's inadvertently closed.
h. Six 480 V motor-starter breakerstrip.
5.3.7 SEQUENCE B (GIVEN A OR S)
Possible common mode contributors for EPfailure are determined not to impact theEP failure probability.
These common mode contributors, for theB sequence are:
a. The electrical switchgear overheatsand fails when switchgear room airconditioning is lost due to an ex-plosive failure of one of the threeair conditioning chiller air com-pressors which fails adjacent chill-ers, or fails the service watersupply to the chillers, or fails thepower to the chillers.
b. The switchgear overheats and failswhen air conditioning is lost due toexplosions of high pressure airbottles in Mechanical Equipment RoomNo. 3 failing the service watersupply to the air conditioningchillers or severing the powercables for the chillers.
1 See section 5.5 of Appendix II for the
CLCS analysis.
IV-39
nl
c. The electrical switchgear is floodedwhen one of 8 condenser inlet linesruptures and quickly floods the tur-bine rooms and the adjacent switch-gear room.
The aforementioned three common modefailure sequences require a lower proba-bility passive failure as an initiatingevent. The probability of the initiat-ing event in combination with the shorttime window for the failure sequences tocause significant problems in respondingto an accident (about 24 hours) resultsin probabilities for the common modefailures that are less than the EPfailure probability determined from thefault tree analyses.1
Other common mode failures were evalu-ated but were also found to be insignif-icant. These were common mode failuresof similar components in switchgear andmotor control centers which could failelectrical power, by failing thosecombinations qf buses defined in theelectrical power failure analysis.
5.3.8 SEQUENCE F (GIVEN A OR S)
The identified common mode contributorsare assessed not to be a significantcontributor to the F sequence failureprobability as evaluated in the CSRSfailure analysis given in the fault treereports. 2 The identified common modecontributors for the F (CSRS) sequenceare common mode failures of similarcomponents. These failures are:
a. Two MOV's inadvertently closed.
b. Four 480 V Motor-starter fail tostart. This is the dominant commonmode failure of these threefailures.
c. Four 480 V Motor-starter breakerstrip.
5.3.9 SEQUENCE HI, FI, OR HFI (GIVEN AOR S)
Since the injection of NaOH (I) into theRCS is not a critical requirement forsafety system operations after a LOCAwithin the first days of opezation, andsince NaOH can be delivered via theCSIS, LPIS, or HPIS, no significant and
ISee section 5.1 of Appendix II for thePWR electrical power failure analysis.
See section 5.7 of Appendix 11.
impacting commonfound to exist for(HI, FI, or HFI)recirculation.
mode failures werethese 3 sequences
for the first day of
Long terni failure of I(NaOH) or I andF(CSRS) has also been previously assess-ed as having a negligible probabilitybecause of the several possibilities foroperator action to deliver NaOH to theRCS after a LOCA. But, if NaOH is notdelivered to the RCS, and if theoperators are aware that NaOH is notdelivered to the RCS, then the long termfailure of NaOH can lead to stresscorrosion in the ECR and CSR systems,due to an expected buildup of chloridesin the containment sump water followinga large LOCA. Therefore, the long termfailure probabilities for the HI, FI,and HFI sequences all have a common modecontributor equivalent to the long termfailure probability of NaOH (I), throughthe above common mode failure interac-tion. This failure sequence requiresundetected NaOH delivery failures [con-tributed by failure of an operator toopen chemical addition tank (SHAS) blockvalves after a CSIS flow test], andfailure of the chemical addition tanklevel instrumentation or failure of theoperators to detect the lack of lowlevel in the chemical addition tank,therefore, failing to detect that NaOHwas not delivered to the RCS.
This common mode event is assessed notto be an impacting contributor to longterm recirculation failure probabilitiesfor the HI, FI, or HFI sequences becauseof the dominance of system componentfailures (primarily pumps).l
5.3.10 SEQUENCE HG (GIVEN S)
This sequence, like the G sequence, hasas a contribution the drainage of theintake canal, since successful operationof both the CHRS and HPRS requires ser-vice water for cooling.
Other identified common mode contribu-tors do not significantly contribute tothe GH (given S) sequence failureprobability.
5.3.11 SEQUENCE D (GIVEN S)
This sequence can occur due to failureof an RCS stop-valve disk, which is acommon mode failure as described for theAD sequence. The probability of this
1 See Appendix II.
IV-40
event is evaluated to be lessprobability determined fromfault trees.
than thethe basic
A number of possible common mode fail-ures were identified for the HPIS(D),but they required a low probabilitypassive failure as an initiating event(such as a high energy pipe rupture oran explosive pump failure). Therefore,these common mode failures did notresult in an impact of the HPIS(D)unavailability.
This conclusionHPRS (H), sinceused in aconfiguration.
also applies to thethe same components are
slightly different
c. Sequences - CD or CDISecondary Failure: LPIS pump B hasa catastropic failure in which ahigh energy missile punches throughthe pump B cubicle wall failing thepower cables to LPIS pump A and theCSIS motor operated valves (MOV's).Power to LPRS suction MOV's couldalso be failed. This would have tooccur within roughly a minute tofail the CSIS (by not allowing CSISMOV's to open).
d. Sequence - ADSecondary Failure: A LOCA at thedischarge of RCS pump B causes pumpoverspeed and a fracture of the pumpflywheel. A fractured flywheelmissile punches through the loop Bcubicle wall and fails the singlepipe or LPI to the cold legs.
e. Sequence - AD or ADHSecondary Failure: An RCS loop stopvalve disk falls into the closedposition. The sudden flow stoppagecauses a large water hammer whichfails several ECCS piping connec-tions to the RCS in more than 1loop. Failure of the ECCS pipingconnections is also a LOCA.
5.4 SUPPORTING MATERIAL
5.4.1 SUMMARY OF THE RESULTS OFEXAMINING INTER-SYSTEM INTERFACESFOR SEQUENCE FAILUREPOSSIBILITIES
Interfaces, such as common systems,common components, or the human opera-tion interface, were examined to deter-mine the combinations of systems andcorresponding sequences which would beaffected by the interface failure. TheTable IV 5-2 list summarizes the resultsof this interface examination.
The electrical interfaces were found tonot fail any of the sequences other thanB (electrical power failure) since anyof the combinations of the redundantemergency buses fails systems which aregiven to have succeeded in the sequences.
An exception is failure of the motorcontrol centers IHI-I and iJl-l, whichwould only fail the HPIS and HPRS.These systems, however, are not requiredfor a large LOCA. The electrical businterfaces for the PWR systems are shownin the Table IV 5-3.
5.4.2 SUMMARY OF PLANT LAYOUTEXAMINATION FOR SEQUENCESECONDARY COMMON MODE FAILURES
a. Sequence - FSecondary Failure: Containment sumpplugs.
b. Sequence - F (CSRS only)Secondary Failure: If a high proba-bility exists for inside CSRS pumpfailures in a steam environment,then only one CSRS system need befailed for system failure in thefirst day after a LOCA, or 2 CSRSsystems after that. This hasalready been included in the CSRSanalysis.
f. Sequence - B (EP)Secondary Failure: Switchgearair conditioning is failed by:
room
1. Catastropic failure of chillerair compressor which fails anadjacent unit, or service watersupply lines, or power cables.
2. Catastropic failure of highpressure dry air bottles inMechanical Equipment Room No. 3fails the service water supplyor chiller power cables.
g. Sequence -Secondaryswitchgear
B (EP)Failure:
room by:Flood the
1. The service water supply intoMechanical Equipment Room No. 3ruptures and floods switchgearin the adjacent switchgear room.
2. Rupture of a condenser inletline, floods the turbine roomand the adjacent switchgearroom.
h. Sequence - GSecondary Failure: A pipe rupturesin the service water valve pit andfails CHRS MOV's before they haveopened.
IV-41
i. Sequence - GSecondary Failure: Spilled oil froma rupture of the turbine lubricatingoil conditioner, next to the servicewater valve pit, is ignited causingburning oil to spill into the ser-vice water valve pit and fail CHRSMOV's before they have opened.
j. Sequence - GSecondary Failure: A small rupturein a condenser inlet line, or arupture that id quickly stopped,floods the service water valve pit,nearby, before CHRS MOV's haveopened.
A high energy missile from a failedCSIS or AFWS pump could penetratethe concrete floor and fail HPISand/or HPRS suction piping below thefloor. Missiles from one failedcharging pump could fail HPISsuction.
Rupture of a steam generator blow-down line can fail HPIS dischargeMOV's at the boron injection tank,or a whipping blowdown line can failthe normal charging line to contain-ment and fail the HPIS isolationMOV's for this line. Continuedsteam discharge through the rupturedblowdown line can result in an envi-ronmental failure of the chargingpumps, thus failing the HPIS orHPRS.
A rupture of one charging pump ser-vice water pipe in MechanicalEquipment Room 3 can flood and failthe pump in the redundant chargingpump service water pipe, below.This failure would fail the HPIS orthe HPRS.
k. Sequence - CDISecondary Failure:ruptured by:
1. High pressure gasbottle farm nextexplode.
The RWST is
bottles in theto the RWST
2. A vehicle crashes into the RWST,which is near the parking lotand the truck gate.
1. Sequence - CDI or CF(G,I)Secondary Failure: A fire in theinstrument room fails the safetyinjection control system (SICS) orthe consequence limiting controlsystem (CLCS) (SICS cabinets arenext to each other, as are the CLCScabinets).
m. Sequence - HFISecondary Failure: Failure to getNaOH into the RCS causes chloridestress corrosion in ECR & CSRsystems, failing the piping.
n. Sequence - D (given S) or H (givenS)Many common mode failures which canfail the HPIS or HPRS were identi-fied. These failures, requiringpassive initiating events, are notlikely to be significant contribu-tors to HPIS or HPRS unavailabil-ity.
Secondary failure numberwill also fail the HPIS orfailing the service waterthe charging pumps.
6, above,HPRS *by
supply to
5.4.3 SYSTEMS WHICH CAN BE FAILED BYCOMMON MODE FAILURE OF SIMILARCOMPONENT
Table IV 5-1 shows the results of anexamination of PWR safety systems forsimilar components which can fail asystem or several systems if they failby a given failure mode within a criti-cal time frame by some common modefailure. This type of failure would bemost likely due to manufacturing,design, or installation errors. Thenumbers in the table under the sequencecodes designate the minimum number ofthe similar components which must failto cause the sequence failure. Theeffects of these failures were evaluatedto not impact the previously obtainedprobability.
IV-4 2
TABLE IV 5-1 SIMILAR COMPONENT FAILURES AND SIGNIFICANT AFFECTEDSEQUENCES (LARGE LOCA)
Component FailureType Modes Affected Sequences
MOV Fails to CH CHI CG CHG CGI CHGI CD (b) CDI (b)
open 6 8 8 10 10 12 6 8
Closes H HI G HG GI HGI F HF2 4 4 6 6 8 2 4FI HFI D DI DG DGI DF DFI4 6 1 3 5 7 3 5CH CHI CG CHG CGI CHGI CF CHF4 6 6 8 8 10 4 6CD CDI CDG CDGI CDF3 5 7 9 5
480 V Pump Fail to D DF CF CD CDF FMotor-starter start 2 6 6 4 8 4
Trips H F HF D DF CH CF CHFpump 2 4 6 2 6 4 6 8
CD CDF4 8
Manual Valve Closes H HI D DI CH CHI CD CDI2" or greater 2 4 (a) 1 3(a) 4(a) 6 (a) 3(a) 5 (a)
Check Valve Fails to H G HG D DG CH CG CHG2" or greater open 2 2 4 (a) 1 3(a) 4(a) 4 (a) 6(a)
CD CDG3 (a) 5 (a)
SIS Relays Fail to CDIenergize 2
CLS Relays Fail to CFenergize 3
Pressure Fail to CDITransducers low 2
pressure
Fail to CFshow high 3pressure
Power Hi CDISupplies voltage 2
Low CFvoltage 3
Signal Drift CDIComparators down 2
Drift CFup 3
Level Fail to CDITransmitters show low 2
level
Bellows Rupture GJoints 2
(a) Valves used in C, F,in D and H systems.
(b) For small LOCA where
G, and I systems have manufacturers different from those used
D includes the HPIS.
TABLE IV 5-2 INTERFACE EXAMINATION RESULTS
AffectedSequence
HF
F
Interface
Containment Suinp
Containment Environment
None
RWST
SICS
Operator
Discussion
CD
CDI
D
CI
Both inside CSRS pumps couldbe failed by post-LOCA envir-onment. But, 2 outside CSRSpumps would remain.
Interfaces are ruled out sincethey fail systems assumed tosucceed.
Valve positioning failuresafter a CSIS flow test.
Draining the intake canal failsthe service water supply forthe CHRS. This failure alsofails the HPRS, which is notrequired for a large LOCA.
CF(G,I)
G'HG(given S)
CLCS
Intake canal
TABLE IV 5-3 ELECTRICAL POWER INTERFACES
Systems Affected
Bus C F I D H D(b) H(b) G CLCS CLCS
Identifiers CSIS* CSRS NaOH LPI LPR HPI HPR CSHX SICS Hi Hi-Hi
JAGO 4160-iJ X X
JB00 4160-1H X X
JCOO 480-lJ X X X X X
JDOO 480-1H X X X X X
JFOO lHl-l X X X(a)
JGOO lJl-2 X X X x x x
JHOO lHl-2 X X X X X X
JJOO DC-lB X X X X X X X X X X
JKOO DC-lA X X X X X X X X X X
VBI-I X X X X
VBl-II X X
VB1I-III X X X X
VBl-IV X X X X
(a) With loss of station power
(b) For small LOCA
Table IV 5-1 - Table IV 5-3
IV-43/44
TABLE IV 6-1 SEQUENCE AE-LLOCA/ECI, PRINCIPAL COMMON MODE POSSIBILITIES AND EFFECTS
Common Mode Failure
1. LLOCA in one CSIS injection line.
2. Similar power relays fail on
safety buses.
3. Pipe or valve rupture on one CSIS
subsystem causes rupture of pipe
or valve on adjacent selected LPCIS
line or vice versa.
4. Damage to sensing switches in racks
25-5 and 25-6 caused by secondary
failure (fire, explosion, pipe
burst) preventing the generation of
initiating signals to CSIS and LPCIS
valves and motors.
5. Damage to relays located on the 9-32
and 9-33 panels in the cable spreading
room caused by secondary failures
(fire, explosion, pipe burst) pre-
venting the generation of initiation
signals to CSIS and LPCIS valves and
motors.
Effect
1. Failure probability of ECI increases
however, failure probability of
LLOCA decreases because of specific
location, with net effects leading
to cancellation.
2. Already covered on fault tree and
not dominant failure.
3. Probability of ruptures is small
compared to other contributors, and
commom mode combination would have
no impacting contribution to ECI
failure probability.
4. Probability of secondary environment
at the time of, and independent of,
the LOCA is more remote than the
failure probability for ECI. The
overall probability is further re-
duced by structural protection such
as the barrier between racks 25-5
and 25-6.
5. Not impacting due to same reasons
indicated in 4.
TABLE IV 6-2 SEQUENCE AI-LLOCA/LPCRS, PRINCIPAL COMMON MODE POSSIBILITIES AND EFFECTS
Common Mode Failure Effect
1. Loss of emergency service water to
all four pump room coolers.
2. Damage to both LPCIS injection linesin drywell by LOCA.
3. Failure of both LPCIS injectionvalves to open due to common compo-
nent fault.
4. Failure of LPCIS contribution to ECIsuccess (success mode which requiresall CSIS contribution, no LPCIS).
5. Failure of all 4 LPCIS pumps or fail-
ure of 4 valves of the same type orfailure of all four heat exchangersbecause of similar component commonmode.
6. Rupture of ESW supply in torus com-partment by LOCA in HPCI or RCICsteam supply line and resultant fail-
ure of LPCIS pumps by loss of roomcoolers.
1. This already is included as the dom-inant contribution to LPCRS failure.
2. Only plugging of both lines would be
significant since break in drywell
would permit flow to torus while
CSCRS provided the continuous core
flooding. Physical arrangement of
LPCIS lines makes plugging of both
caused by LOCA an extremely remote
possibility.
3. This effect can be negated by switch-
ing flow to torus through the test
lines, bypassing the problem.
4. Those failures which could cause loss
of all LPCIS (instead of 2/4 pumps)
where considered when LPCRS was eval-
uated.
5. Not impacting because of the low pro-
bability of all foUr components of a
type failing in the same time frame.
6. Close proximity of HPCI or RCIC sup-ply and ESW lines has been compensatedfor to some extent by restraints inthe supply lines. Also, RCS rupture
in these supply lines can be isolatedand the core water loss stopped. Theresultant special sequence of requiredfailures does not dominate the conseq-uence probability results.
Table IV 6-1.- Table IV 6-2
IV-49/50
TABLE IV 6-3 SEQUENCE AJ-LLOCA/HPSW, PRINCIPAL COMMON MODE POSSIBILITIES AND EFFECTS
Common Mode Failure Effect
1. Rupture of HPSW line in torus com-
partment by LOCA in HPCI or RCIC
steam supply line.
2. Failure of all 4 HPSW pumps or fail-
ure of 4 valves of the same. type or
failure of HPSW side of all four heat
e~changers because of similar compo-
nent common mode.
1. A HPSW line passes within about 6
feet of the HPCI supply line in the
torus compartment. The HPCI line is
restrained at expected break points
and the surmised HPSW line break does
not itself cause loss of HPSW. It
reduces the available pumps from 4 to
2 and requires continued closure of
the normally closed HPSW cross over
valve at the pump building. The net
effect of this common mode failure is
assessed to not influence the release
probability.
2. Not significant because of the rela-
tively lower probability of all four
components of a type failing in the
same time frame.
TABLE IV 6-4 SEQUENCE S IE-SMALL LOCA (1)/ECI, PRINCIPAL COMMON MODE POSSIBILITIES ANDEFFECTS
Common Mode Failure Effect
1. HPCIS supply line is the LOCA site 1. HPCIS is lost raising failure prob-
inside drywell between steam header ability. Failure probability de-
and first isolation valve, creases however because of specific
location. Net effect is judged to be
within error spread of failure seq-
uence.
2. HPCIS supply line is the LOCA site 2. Same as 1, plus ADS would fail.
inside drywell between steam header Chance of common mode effects is re-
and first isolation valve and effects latively small because a severed HPCI
of LOCA fail ADS operate air supply pipe which might move around would be
lines or electrical signal lines to a large LOCA and ADS would not be
valve air operators. needed. Effects of small LOCA would
be small missiles and jet forces only.
3. SLOCA in one CSIS injection line. 3. Same as large LOCA, effects tending
to cancel.
Table IV 6-3 - Table IV 6-4
IV-51/52
0
Printed/on recyclledk>
S paper.:::::: . ... .......... Me
... .'-••: :•:•:-•• :•..•......... •iii:i!:
