ML20024E726

From kanterella
Rev 2 to Interim Reliability Evaluation Program,Browns Ferry Team Fault Tree Guide.
ML20024E726
Person / Time
Site: Browns Ferry  Tennessee Valley Authority icon.png
Issue date: 01/26/1981
From: Stewart M
EG&G, INC.
To:
References
PROC-810126, NUDOCS 8309060609
Download: ML20024E726 (54)


Text

Revision 2

INTERIM RELIABILITY EVALUATION PROGRAM
BROWNS FERRY TEAM FAULT TREE GUIDE

Milan E. Stewart
January 23, 1981

Reliability and Statistics Branch
Engineering Analysis Division
EG&G Idaho, Inc.

CONTENTS

1.  INTRODUCTION ........................................... 1
2.  SYSTEM FAILURE DEFINITION AND UNDESIRED EVENT ......... 3
3.  FAULT TREE CONSTRUCTION ................................ 5
    3.1 Conventional Fault Tree Construction ............... 5
    3.2 Abbreviated Fault Tree Construction ................ 13
4.  COMPONENT FAULT STATES ................................. 17
5.  GATE TYPES ............................................. 18
6.  TRANSFERS .............................................. 20
7.  EVENT NAMING ........................................... 21
    7.1 House Events ...................................... 21
    7.2 Fault Events ...................................... 21
    7.3 Secondary Events .................................. 28
8.  REQUIRED CONDITIONS .................................... 30
9.  BOOLEAN SIMPLIFICATION ................................. 35
10. COMMON CAUSE FAILURES .................................. 37
11. HUMAN ERRORS ........................................... 41
12. TEST AND MAINTENANCE ................................... 42
13. ANALYSIS STAGING ....................................... 43
14. SYSTEMS FAILURE ANALYSIS ............................... 44
15. DEFINITIONS ............................................ 44
16. REFERENCES ............................................. 46

FIGURES

1.  Simplified schematic PWR high pressure injection system ........ 6
2.  Top two fault tree tiers ....................................... 7
3.  Translation of system event into subsystem events .............. 9
4.  Translation of system event into path events ................... 10
5.  Enumerating component fault modes and interfacing events on
    conventional fault tree ........................................ 12
6.  Basic fault events shown by code name only ..................... 15
7.  Abbreviated fault tree logic gates ............................. 19
8.  Required conditions incorporated as inverted inputs to AND gate  31
9.  Mutually exclusive conditions .................................. 33
10. Classifying faults using the house ............................. 34
11. System boundaries .............................................. 45
12. Typical two-train safety system ................................ 46
13. Two-train system fault tree .................................... 47

TABLES

1.  Fault Summary .................................................. 14
2.  System Code .................................................... 22
3.  Component Code ................................................. 23
4.  Subsystem Code ................................................. 26
5.  Failure Mode Code .............................................. 27
6.  Secondary Event Type Code ...................................... 29
7.  Common Mode Events on Fault Summary ............................ 38


INTERIM RELIABILITY EVALUATION PROGRAM

BROWNS FERRY TEAM FAULT TREE GUIDE

1. INTRODUCTION

Fault trees will be used to fault model systems in the Interim Reliability Evaluation Program (IREP). A modified and abbreviated version of the fault tree method is used to determine system failure probabilities where the system, in turn, is related to the overall public risks associated with the nuclear plant. Fault tree analysis is a systematic procedure used to identify and record the various combinations of component fault states that can result in a predefined, undesired state of a system. Unlike the familiar inductive method of first postulating a component failure mode and then determining its effect on the system, fault tree analysis is an opposite deductive approach whereby the analyst first defines an undesired system effect and then identifies all the component failure modes that can, by themselves or in combination with other component failure modes, produce that predefined system effect. A fault tree, as opposed to fault tree analysis, is a result of the fault tree analysis and is a graphic display of all the component fault modes and the combinatorial AND and OR logic that relates those fault modes to the predefined, undesired state of the system. It is a fault model of the system which, when expressed in its non-redundant Boolean form, can be used as a probabilistic model to determine a probability of the system failing in that predefined state, based on known, or easily computed, probability values for individual events shown on the tree. A complete treatise on fault trees is contained in the fault tree handbook (Reference 1).

This guide describes the abbreviated fault tree method to be used by the Browns Ferry team in IREP. To facilitate description and understanding of the abbreviated methodology, it is first necessary that the conventional approach be described briefly. Essentially, the abbreviated method is the same as the conventional method except that basic fault events are shown on the tree by code name only, and the basic event statements are shown in a fault summary table. A few rules are presented for handling other kinds of events, such as interfacing system events and common cause events, human error events, and test and maintenance events. Required conditions, logic gates to be used, transfers, and the naming of events are also discussed. The guide also contains a general discussion of systems failure analyses and staging of failure analyses using the abbreviated method.

2. SYSTEM FAILURE DEFINITION AND UNDESIRED EVENT

Fault tree analysis begins with a statement of the undesired event. Embodied in that statement must be the conditions which constitute failure of the system. For example, the undesired event, "insufficient coolant flow through the reactor core when the reactor is generating heat," is considered. This event statement is a complete logic statement specifying the requirements for reactor coolant. If a fault tree were to be developed about the undesired event, the analyst would examine all systems, normal operating and emergency systems, which deliver coolant to the reactor vessel. The analyst may define a more restrictive undesired event, for example, "insufficient emergency coolant flow when normal flow is lost," for which a fault tree is developed for the auxiliary coolant systems only. In any case, the top event, including conditions, must be compatible with the event tree sequence to which it pertains.

The undesired event examples previously presented are stated rather generally which, in most cases, is perfectly acceptable. For example, the word "insufficient" implies that below some flow value, the system will have failed. Where redundancy has been provided, however, the generalized statement must be translated into a statement more specific in order to account for the redundant capabilities of the system. For example, the statement, "insufficient coolant flow . . . ," might be translated into the more specific statement, "less than two-pump coolant flow . . . ," where more than two pumps have been provided.

The fault tree will be developed about the selected undesired event, and only events which relate logically to the occurrence of that undesired event will be identified. Component failures that produce other undesired events (for example, inadvertent operation of the system) when loss of flow is of concern will not be identified unless the particular component failures relate to the occurrence of both undesired events.

The undesired event and all subsequent events shown on the fault tree are binary. That is, if the event, as stated, occurs, the system (or component, in more detailed parts of the tree) has failed; if the event does not occur, the system has not failed. Ambiguous or "maybe" statements are not allowed on the tree. The statement is either true if the event exists or false if the event does not exist.

3. FAULT TREE CONSTRUCTION

Once an undesired event has been defined, a fault tree can be constructed about that undesired event. To illustrate the procedure, a PWR high pressure injection system will be used as an example. First, the top tiers of the fault tree will be constructed using the conventional method; then, the tree will be restructured using an abbreviated approach.

Figure 1 is a simplified schematic of the high pressure injection system (HPIS). It is used to provide emergency coolant to the reactor vessel in the event of a small loss of coolant accident where the reactor coolant system (RCS) is not depressurized sufficiently for core flood or for low pressure coolant injection. The HPIS is initiated automatically by an engineered safeguards actuation system (ESAS) upon 1500 psig decreasing RCS pressure or 4 psig increasing containment pressure. Upon receipt of an ESAS signal, the three pumps start, refueling water storage tank (RWST) valve 6 opens (RWST valve 5 is normally open), and injection valves 1, 2, 3, and 4 open. All valves (not shown) in connecting piping are assumed to be closed for this example.

[Figure 1. Simplified Schematic PWR High Pressure Injection System. The schematic shows injection valves 1 through 4, RWST valves 5 and 6, the three pumps, the inside/outside containment boundary, suction from the RWST and from the RHR system, and the support interfaces of each component: 460VAC-A/B, 4160V-A/B, 125VDC-A/B, 250VDC-A/B, ESAS-A/B, and CCW-A/B. All valves are shown in the normal plant operation state.]

3.1 Conventional Fault Tree Construction

The undesired event selected for the HPIS must be compatible with the event tree sequence for which it applies. Suppose, for example, that a relief valve sticks open, heat removal through the power conversion system is lost, and it is incumbent upon the HPIS to provide emergency coolant to the reactor vessel. Suppose too, that one-pump HPIS flow through any path shown will suffice. An undesired, or top, event selected for the fault tree might be "less than one-pump HPIS flow to the reactor coolant system (RCS) given a stuck-open relief valve, no heat removal through the power conversion system." Other top events would have been selected for other accident initiators and sequences, but this will be the top event used to illustrate the method. Since the "given" part of the undesired event statement specifies the conditions under which the fault events to be defined by the fault tree produce system failure (see Section 8), the top undesired event, as shown in the top rectangle, Figure 2, is translated into the two logic statements: (a) "stuck-open relief valve, no heat removal through power conversion system," shown within a house symbol and (b) "less than one-pump flow to the RCS," shown within a rectangle. The house indicates the conditions upon which "less than one-pump HPIS flow to the RCS" is a fault. The rectangle symbolizes a fault event which is developed further. Although not shown in this example, other conditions about the known state of the plant or system that are pertinent to the evaluation of HPIS should also be specified (for example, no offsite power) in the top event statement and in the house statement. As a typical analysis progresses, other house events are shown on subsequent tiers of the fault tree which indicate the normal operational state of components from which they transfer to a faulted state, unless these conditions are obvious.

[Figure 2. Top Two Fault Tree Tiers. Top rectangle: "Less than one-pump HPIS flow to RCS given stuck open relief valve, and no heat removal from power conversion system." Its two inputs: a house, "Stuck open relief valve, and no heat removal from power conversion system," and a rectangle, "Less than one pump HPIS flow to RCS."]

The next step in the analysis will be to translate the system event, "less than one-pump HPIS flow to the RCS," into subsystem fault statements. There are several ways this can be done, all of which, in the end result, should be logically equivalent. Examination of Figure 1 shows that there are four redundant injection paths (a) (since the initiating event is a stuck-open relief valve, all paths are available), three redundant pump paths, two redundant pump suction paths, and a single refueling water storage tank (RWST). Thus, the above event can be translated into the subsystem events shown in Figure 3. All the subsystem events relate to the system event by OR-logic since any one or more of the subsystem events, as stated, will produce the system event. The subsystem events are further translated into individual path events. Figure 4 is an example of one subsystem event and the path events that cause it. The individual path fault events are input to an AND gate since adequate flow can be achieved through any one path; that is, the paths are redundant. The event "insufficient water in the RWST" shown in Figure 3 will not be expanded into its respective causes; so, the event is shown within a diamond.

a. In some cases, the injection lines are designed for high impedance (small size) such that more than one line is required to produce sufficient flow. In such cases, the logic would change because of less redundancy.

[Figure 3. Translation of System Event Into Subsystem Events. Top: "Less than one pump HPIS flow to the RCS." OR gate with inputs: "Less than one pump flow through the injection paths," "Less than one pump flow through the pump paths," "Less than one pump flow through the pump suction paths," and "Insufficient water in the RWST" (diamond).]

[Figure 4. Translation of System Event Into Path Events. Top: "Less than one pump flow through injection paths." AND gate with inputs: "Less than one pump flow through injection path #1," "... injection path #2," "... injection path #3," and "... injection path #4."]

The development of the fault tree, thus far, has been a restatement of each event to increasing levels of resolution: from system, to subsystems, and to paths. The top logic for the fault tree has been established, and the next step is to enumerate all the component fault modes, as well as the fault modes of support systems which may interface with those individual path components. The top logic and the interfacing system events generally determine the degree of redundancy inherent in a particular safety system function. This is not always true, however, and the fault tree should be developed into the interfacing systems and into the control and power circuits to identify the more subtle, but important, contributions to risk. Also, some component fault modes will appear in more than one path, thus reducing redundancy for that particular fault mode. For example, rupture of any pipe downstream of the pumps and upstream of the injection valves (shown in Figure 1) will appear as faults in the fault tree development for each path. This is to say that when the fault tree is converted to its simplest Boolean form (see Section 9 below), the pipe rupture event will be a single fault. Knowing this is the case, the top fault tree logic could be changed to reflect pipe rupture as a single event.

Figure 5 shows the conventional method for enumerating component fault modes and interfacing events. Each of the events shown within a circle is a basic component failure for which failure rate data are expected to be available. The events shown within diamonds are basic events that are not expanded either because the event is judged not to be important, insufficient information is available, or the analyst merely wishes to postpone development. In any case, the event is given a name (see Section 7 below) and is accountable in the Boolean expression for the fault tree. The events shown within rectangles are interface events that will be expanded during the course of evaluating the interfacing systems (not evaluated herein).

The fault tree is developed in the preceding manner until all components of the system are identified in their basic fault states. The result is a binary model of the system which can be reduced to its simplest Boolean form. Failure rates, human error rates, and appropriate time intervals can be assigned to determine probability values for the components, subsystems, and the system. The quantification process involves the naming of events and the transferring of all the information contained on the fault tree to event tables and coding sheets for ease in the assignment of data to events and for computer processing.

[Figure 5. Enumerating Component Fault Modes and Interfacing Events on Conventional Fault Tree. Top: "Less than one pump flow through injection path #1." OR gate with inputs: "Piping downstream of pumps rupture," "Check valve 7 doesn't open," "Motor operated valve 1 doesn't open," "No opening power applied to valve 1," and "Pipe 1 plugged." "No opening power applied to valve 1" is developed further into: "Faults in control circuit for valve 1," "No ESAS signal to open valve 1," "No 125VDC power to valve 1 control circuit," and "No 480V power to valve 1 MCC." Each event carries its code name beneath its symbol.]

3.2 Abbreviated Fault Tree Construction

Since all basic fault event statements on the conventional fault tree are subsequently transferred to tables, one way to reduce the fault tree analysis effort is to not put those statements on the fault tree in the first place. The first step in the abbreviated method, then, is to enter all basic fault statements directly into fault summary tables (a portion of a fault summary table is shown in Table 1). Only the event code name, described in Section 7, is shown on the fault tree.

The second step in the procedure is to define a new logic gate, the tabulation OR gate (described in Section 5), to facilitate the listing of event names on the tree rather than to show named individual event statements within event type symbols as is conventionally done. Typically, systems which are evaluated contain a large number of events that are logically in series when reduced. For example, the fault tree development for the two injection path components connected in series (shown in Figure 5) is considered. This development can be restructured as shown in Figure 6, where the code names for basic input events are listed under a tabulation OR gate. Inputs to a component can be shown under the tabulation OR as shown; otherwise, they can be expanded into their respective causes. The same treatment can be applied to any number of components logically in series. A completed fault tree for a system would be typically depicted by a top undesired event, basic fault events listed by code name under one or more tabulation OR gates, a few input events identified within rectangles which are inputs to chains of components and inputs to the system, a few house events, and the logic AND and OR gates used to relate the events. All the other information is contained in the fault summary table.

TABLE 1. FAULT SUMMARY

Event Name   Event/Component                   Primary Failure Mode   Failure Rate   Failure Duration   Error Factor   Location
PIP000RU     Pipe downstream of pumps          Rupture
PIP011PL     Pipe 1                            Plugged
VCK071N9     Check Valve 7                     Does Not Open
VM9011NG     Motor-Operated Valve 1            Does Not Open
VM9011NG     Control Circuit Valve 1           Does Not Open Valve
ESA          ESAS-A to Valve 1                 Does not open valve
DCA          125VDC control power to Valve 1   Does not open valve
ACA          480VAC power to Valve 1           Does not open valve

(The failure rate, failure duration, error factor and location columns are not filled in this excerpt.)

The abbreviated fault tree procedure has several distinct advantages over the conventional approach, all of which ultimately reduce the time and effort required to evaluate a system. Some of the more important of those advantages can be summarized as follows:

1. Fault trees are readily restructured for each new accident situation. Events can be expeditiously added or crossed off, and blocks of events can be moved if the logic changes.

2. Component fault modes and their logical relationship to system failure are more visible on the abbreviated fault tree. A typical system fault tree developed according to the conventional procedure usually requires 20 to 30 large sheets of paper in order to show all the component fault statements. These same component faults usually can be shown on two or three 8 1/2 x 11-inch sheets when presented in the abbreviated form. Because of their reduced size and because of the improved fault mode visibility of the system, the fault trees are much easier to check.

3. A system evaluation is easier to stage using the abbreviated method. Analysis staging is discussed more fully in Section 13.

4. The abbreviated procedure is more amenable to the treatment of common cause failures. This procedure is discussed in Section 10.

5. Where formalized reports are required, most diagrams are superseded by tables which require less publication effort.

[Figure 6. Basic Fault Events Shown by Code Name Only. Top: "Less Than One Pump Flow Through Injection Path #1." OR gate with two inputs: "Injection Path #1 Faults," a tabulation OR listing the code names of Table 1 (PIP000RU, PIP011PL, and the check valve, motor-operated valve and control circuit codes), and "Injection Path #1 Interface Faults," whose inputs are the rectangles "No ESAS-A Signal to Valve 1," "No 125VDC Power to Valve 1 Control Circuit," and "No 480V Power to Valve 1 MCC."]

4. COMPONENT FAULT STATES

A component can transfer to a fault state due to any one of three categories of causes: primary failure, secondary failure, and command transition. A primary failure is the so-called "random" failure found in the reliability literature and refers to failure from no known external causes. A secondary fault results when a component is exposed to an operational or environmental condition which exceeds the design rating of that component. A command transition does not involve actual component failure. It simply means that the component is in the wrong state at the time of interest because it was commanded to that faulted state by another faulted component, a human error, or, in some cases, by an environmental condition.

Most of the data available on nuclear components embody both primary and secondary causes for failure; therefore, the distinction between the two types of failure is not made on the fault tree except for the case in which a secondary cause results in multiple component failures, and the distinction is made in code only. A procedure for screening secondary failures for common cause failures is discussed in Section 10.

5. GATE TYPES

The basic logic gates used in fault tree work are the AND and OR gates. A number of variations of these basic gate types have been introduced in the literature from time to time which are used to handle special situations. Shown in Figure 7 are the standard AND and OR gates as well as two other gates to be used in IREP. The tabulation OR gate is used to enumerate a set of fault events which are associated with a series arrangement of components. Safety systems are typically comprised of redundant subsystems, each having numerous components connected in series. A fault tree construction for one of these systems will have, then, a large number of OR gates each with several inputs. The advantage of the tabulation OR gate is that it permits all the fault events within a series arrangement of components to be tabulated rather than being spread out, sometimes over several pages, within individual fault symbols connected together by OR gates.

The combination gate is used to simplify the task of showing several combinations of subsystem events, each containing the same elements (faults). For example, the high pressure injection system shown in Figure 1 may require that two of the three pumps operate for a particular reactor coolant system break size. Also, numerous control systems incorporate coincident logic such as two-of-four taken twice or two-of-three. In evaluating these systems, it is necessary that the combinatorial fault logic be reflected on the tree.

Figure 7. Abbreviated Fault Tree Logic Gates

AND GATE: The output event A occurs when input events X1 and X2 and ... Xn coexist.
    A = X1 X2 ... Xn (all input events independent)

OR GATE: The output event A occurs when any one or more input events X1, X2, ... Xn exist.
    A = X1 + X2 + ... + Xn (all input events independent)

TABULATION OR GATE: The output event A occurs when any one or more input events X1, X2, ... Xn exist.
    A = X1 + X2 + ... + Xn (all input events independent)

COMBINATION GATE n/N: The output event A occurs when any subset of n of the N input events coexist. For example, if n = 2 and N = 3:
    A = X1 X2 + X1 X3 + X2 X3
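As an added example that is not part of the guide, the following Python builds the HPIS top logic of Figures 3 and 4 from the four gate types of Figure 7, reduces it to minimal cut sets (the non-redundant Boolean form of Section 1), and shows the Section 3 point that the pipe rupture shared by all four injection paths survives as a single fault while the pump paths use the two-of-three combination gate. Only PIP000RU and PIP011PL are code names taken from Table 1; every other code name and every probability is constructed for illustration.

```python
"""Minimal cut sets and a rare-event point estimate for a small
abbreviated fault tree built from the Figure 7 gate types.

Added example, not from the guide.  Only PIP000RU and PIP011PL are the
guide's own code names; all other names and probabilities are constructed.
"""
from itertools import combinations, product


class Event:
    """Basic fault event, shown on the abbreviated tree by code name only."""

    def __init__(self, name):
        self.name = name

    def cut_sets(self):
        return {frozenset([self.name])}


class Gate:
    """AND, OR, TOR (tabulation OR) or COMB (n-of-N combination) gate."""

    def __init__(self, kind, inputs, n=None):
        if kind not in ("AND", "OR", "TOR", "COMB"):
            raise ValueError("unknown gate type: %s" % kind)
        if kind == "COMB" and not (n and 1 <= n <= len(inputs)):
            raise ValueError("COMB gate needs 1 <= n <= N")
        self.kind, self.inputs, self.n = kind, inputs, n

    def cut_sets(self):
        child = [x.cut_sets() for x in self.inputs]
        if self.kind in ("OR", "TOR"):          # A = X1 + X2 + ... + Xn
            sets = set().union(*child)
        elif self.kind == "AND":                # A = X1 X2 ... Xn
            sets = _and(child)
        else:                                   # COMB: OR over every n-subset
            sets = set()
            for subset in combinations(child, self.n):
                sets |= _and(subset)
        return minimize(sets)


def _and(child_sets):
    """Cross product of the inputs' cut sets (inputs assumed independent)."""
    return {frozenset().union(*combo) for combo in product(*child_sets)}


def minimize(sets):
    """Boolean absorption: drop any cut set that contains another cut set."""
    return {s for s in sets if not any(o < s for o in sets)}


def rare_event_prob(cut_sets, probs):
    """Sum of cut-set probabilities (rare-event approximation); this is an
    upper bound on the exact probability of the top event."""
    total = 0.0
    for cs in cut_sets:
        p = 1.0
        for name in cs:
            p *= probs[name]
        total += p
    return total


def single_faults(cut_sets):
    """Events that alone produce the top event (the Section 3 pipe rupture case)."""
    return {next(iter(cs)) for cs in cut_sets if len(cs) == 1}


def hpis_example():
    """Top logic of Figures 3 and 4 with constructed basic events."""
    probs = {}

    def ev(name, p):
        probs[name] = p
        return Event(name)

    # Pipe rupture downstream of the pumps appears in all four injection
    # paths (guide's code PIP000RU); each path also has its own plugged pipe
    # (PIP011PL is the guide's code for path 1; paths 2 to 4 are constructed).
    rupture = ev("PIP000RU", 1e-7)
    paths = [Gate("TOR", [rupture, ev("PIP0%d1PL" % i, 1e-4)])
             for i in (1, 2, 3, 4)]
    # Constructed codes in the Section 7 layout: pump i does not start,
    # suction valves 5 and 6 do not open, RWST loses function (diamond event).
    pumps = [ev("MPM00%dUR" % i, 3e-3) for i in (1, 2, 3)]
    suction = [ev("MVM005UP", 1e-3), ev("MVM006UP", 1e-3)]
    rwst = ev("MTK001UW", 1e-5)

    top = Gate("OR", [
        Gate("AND", paths),          # four redundant injection paths
        Gate("COMB", pumps, n=2),    # two of three pumps required (Section 5)
        Gate("AND", suction),        # two redundant suction paths
        rwst,                        # not expanded further
    ])
    cut_sets = top.cut_sets()
    return cut_sets, rare_event_prob(cut_sets, probs)


if __name__ == "__main__":
    cut_sets, p = hpis_example()
    for cs in sorted(cut_sets, key=lambda s: (len(s), sorted(s))):
        print(" * ".join(sorted(cs)))
    print("single faults:", sorted(single_faults(cut_sets)))
    print("P(top) ~ %.3e" % p)
```

Running it lists seven minimal cut sets, two of them single events (the shared pipe rupture and the RWST), which is what the Section 3 remark about changing the top logic to show pipe rupture once is pointing at.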

6. TRANSFERS

Most system fault trees, even the abbreviated form discussed herein, may extend to more than one sheet of paper. To facilitate the extension of a fault tree branch from one sheet to another, transfers are used as follows:

[Figure: the two transfer symbols, "Transfer Into" and "Transfer From," each attached to a fault event X.]

The transfers are arbitrarily lettered or numbered to facilitate cross reference.

7. EVENT NAMING

In order to facilitate the computer handling of events, and as discussed earlier, to simplify fault tree construction, each non-expanded event on the tree is given a code name. This includes "house" events, interfacing systems events, basic component events, and secondary events having common cause failure potential. These event naming codes are described as follows:

7.1 House Events

    X   H   XX
    |   |   |
    |   |   Sequentially numbered 01-99
    |   Distinguishes house
    System (Table 2)

7.2 Fault Events

    X   XX   XXX   X   X
    |   |    |     |   |
    |   |    |     |   Fault mode (Table 5)
    |   |    |     Subsystem code (Table 4)
    |   |    Component identifier
    |   Component type (Table 3)
    System (Table 2)

The component identifier in the code is identifiable (where practicable) with the name given the component in the facility identification.

TABLE 2. SYSTEM CODE

Code   System Name
A      AC Power
B      Automatic Depressurization System
C      Containment Atmosphere Dilution System
D      Condenser Circulating Water
E      Containment Isolation System
F      Control Air System
G      Control Rod Drive Hydraulics
H      Condensate Transfer and Storage System
I      DC Power
J      Equipment Area Cooling
K      Emergency Equipment Cooling Water
L      Engineered Safety Features Actuation System
M      High Pressure Coolant Injection
N      Keep Fill System
O      Low Pressure Core Spray
P      Power Conversion System
Q      Reactor Core Isolation Cooling
R      Residual Heat Removal
S      Residual Heat Removal Service Water
T      Reactor Protection System
U      Raw Cooling Water System
V      Reactor Recirculation System
W      Reactor Water Clean-Up
X      Standby Coolant Supply System
Y      Standby Gas Treatment
Z      Vapor Suppression

TABLE 3. COMPONENT CODE

Code   Mechanical Components
AC     Accumulator
CD     Control Rod Drive Unit
CH     Chiller
CL     Clutch
CM     Compressor
CN     Condenser
DL     Diesel
FE     Flow Element
FL     Filter or Strainer
FN     Fan
GB     Gas Bottle
HX     Heat Exchanger
NZ     Nozzle
OO     Conditional Event
OR     Orifice
PD     Pipe Device
PM     Pump (Motor-driven)
PP     Pipe
PT     Pump (Turbine-driven)
PV     Pressure Vessel
RD     Rupture Disc
SD     Steam Drum
SL     Seals
SP     Sparger
TB     Turbine
TK     Tank
VA     Valve (Pneumatic)
VC     Valve (Control)
VE     Valve (Solenoid-operated)
VH     Valve (Manual)
VK     Valve (Check)
VM     Valve (Motor-operated)
VO     Valve (Hydraulic-operated)
VR     Valve (Relief)
VS     Valve (Stop check)

Code   Electrical Components
AM     Amplifier
AN     Annunciator
AT     Switch (Automatic Transfer)
BC     Battery Charger
BS     Bus
BY     Battery
CA     Cable
CB     Circuit Breaker
CC     Capacitor
CO     Connector
CT     Transformer (Current)
DC     DC Power Supply
DE     Diode or Rectifier
DP     Distribution Panel
FU     Fuse
GE     Generator
GS     Ground Switch
HR     Heater
HT     Heat Tracing
IN     Instrumentation
IV     Inverter (Solid State)
KS     Switch (Lock-out)
LA     Lightning Arrestor
LS     Limit Switch
LT     Light
ME     Meter
MO     Motor
MS     Motor Starter
ND     Neutron Detector
OO     Conditional Event
OT     Transformer (Potential or Control)
PI     Process Indicator
PS     Switch (Process)
RC     Recorder
RE     Relay
RG     Voltage Regulator
RS     Resistor
RT     Resistor (Temperature Device)
SC     Speed Controllers
ST     Solid State Device
SW     Switch (Manual)
SZ     Position Sensor
TE     Temperature Element
TI     Timer
TP     Process Transmitter
TR     Transformer (Power)
TZ     Position Transmitter
WR     Wire
XT     Transformer (Voltage)

TABLE 4. SUBSYSTEM CODE

Alphanumeric: Use "A" or "B" for Train A or B, or use "1" or "2" for Loop 1 or 2. For non-redundant trains or components, use "U".

TABLE 5. FAILURE MODE CODE

Code   Failure Mode

Passive
A      Short to Power
B      Open Circuit
C      Short to Ground
D
E      Plugged
F      Leakage/Rupture
G      No Input
H      Wrong Input
I      Erroneous Output
J      Unavailable Due to Test or Maintenance

Active
K      Does Not Reclose
L      Conditional Event Occurs
M      Calibration Shift
N      Does Not Close
O      Does Not Remain Closed
P      Does Not Open
Q      Does Not Remain Open (Plugged)
R      Does Not Start
S      Does Not Continue to Run
T      Does Not Operate
U      Does Not Insert
V      Does Not Energize
W      Loss of Function
X      Operational or Maintenance Fault
Y      Disengaged/Does Not Engage
Z      Engaged

7.3 Secondary Events

Secondary events which are expected to have a significant effect on component failure and are suspected of affecting multiple components (common cause) are given a different eight-character name from that described previously. This secondary event code is characterized by the type of secondary event and its location:

X XXXXXXX
| |
| Location
Secondary Type (Table 6)

The potential secondary event location is best identified by building, room number within the facility, and cabinet number, if applicable. If all rooms within the facility are uniquely numbered, the building number is not needed.

All events which are unique in the system must be given a unique name. An event may appear in more than one place on the model or on multiple models, but, if it is the same event, it must be given the same name.


TABLE 6. SECONDARY EVENT TYPE CODE

Code  Event
C     Freezing
D     Dust
E     Earthquake
F     Fire
G     Wind
H     Humidity
K     Corrosion
M     Missile
P     High pressure
R     Radiation
S     Steam
T     High temperature
W     Flood
X     Pipe whip or hammer
Z     Proximity (a)

a. Z is a code used to indicate that redundant components, because of their close proximity, are subject to a large number of unknown secondary events not readily classified.

8. REQUIRED CONDITIONS

A system can assume a variety of possible off, standby, or normal operational states depending on plant conditions and operational requirements. For example, a water pump may be off if the water level in a tank is high but on if the water level is low, a diesel generator may be required to start if the offsite power fails, or a valve may be required to close if a fault has occurred in a downstream component. In fault modeling, inclusion by the analyst of the conditions under which a system or component is required is an important part of the analysis. A system fault is not considered a fault unless the system is required. For example, failure of a diesel to start at any time other than when the diesel is needed is not a fault insofar as the analysis is concerned.

Required conditions in a fault tree analysis can take the form of explicit assumptions, with the fault tree constructed accordingly, or the required conditions can be incorporated directly in the fault model. The latter is preferred because it provides versatility in the use of the model. When incorporated into the model, required conditions are shown within the "house" symbol. The "house" serves as a switch to turn on those events which are faults when the required conditions exist and off when the required conditions do not exist. The "house" is connected to one input of an AND gate, and the subtree of faults is connected to the other inputs of the AND gate, as shown in Figure 2.

In some situations it is desirable to turn subtrees on or off by connecting the "house" to the input of an OR gate before going to an AND gate, as shown in Figure 8. In this case, the required condition is inverted (stated negatively) such that when the "house" statement is true, the AND gate is enabled; when the "house" statement is false, only the existence of faults described by the associated subtree enables the gate. Typically, this inverted-logic arrangement is used in fault modeling of standby redundancy.


Figure 8. Required Conditions Incorporated as Inverted Inputs to AND Gate

[Figure: the top event "No Input to Scram Bus from Scram Channels" is an AND gate with inputs "No Scram Input from High Pressure Channel When Required" and "No Scram Input from Low Flow Channel When Required". Each of these is an OR gate whose inputs are a house event stating, in inverted form, that the channel is not applicable, and the fault event "No Scram Input from High Pressure Channel" or "No Scram Input from Low Flow Channel".]

The house is also used to describe mutually exclusive faults, in which case two "houses," as shown in Figure 9, are used; one or the other house can be on but not both at the same time.

The house is also frequently used to classify faults for which each fault classification results in a different consequence. For example, in the evaluation of a reactor containment, classification of breach areas (faults) according to size may be desirable, as shown in Figure 10. In the computer evaluation of this fault tree, either or both houses may be turned on depending on whether the analyst is interested in faults < 2 in.², faults > 2 in.², or all faults, respectively, where the faults in each category are listed under the tabulation OR gate.

Any other conditions which are pertinent to the analysis and which should affect the analyst's thinking about the evaluation should also be specified. For example, knowing that a large LOCA has occurred and that suddenly large loads are to be placed on the electrical system should guide the analysis of the electrical system. That is, the analyst should concentrate his evaluation on those components (e.g., overload trips) which are vulnerable to transient loading. Turbine trip also occurs, and those components most likely to be affected by turbine trip should be examined.
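The three house arrangements described in this section can be checked mechanically. The following is an added example, not a model from this guide: a small gate evaluator in which house events are ordinary inputs that are switched on or off. The event names and the three constructed trees follow Figure 2 (house directly into the AND gate), Figure 8 (inverted house into an OR gate ahead of the AND gate, using the scram-channel events of that figure) and Figure 9 (mutually exclusive compressor-on/compressor-off houses); the gate shapes are assumptions made for the example.

```python
# Added example (not from the guide): evaluating a fault tree whose required
# conditions are modeled as "house" events, in the three arrangements the
# text describes.  Gate names, event names and tree shapes are constructed
# to follow Figures 2, 8 and 9; they are not the guide's own models.

def evaluate(name, tree, state):
    """Return True if event `name` is occurring, given the state of the basic
    events and house events in `state` (True = occurring / house on)."""
    if name not in tree:                      # basic event or house
        return state[name]
    kind, inputs = tree[name]
    values = [evaluate(child, tree, state) for child in inputs]
    if kind == "AND":
        return all(values)
    if kind == "OR":
        return any(values)
    raise ValueError(f"unknown gate type {kind!r}")

# Figure 2 arrangement: the house feeds the AND gate directly, so the diesel
# fault counts only while the diesel is required.
DIESEL = {
    "Diesel fails when required": ("AND", ["House: diesel required",
                                           "Diesel does not start"]),
}

# Figure 8 arrangement: the required condition is stated negatively as a house
# ("channel not applicable") feeding an OR gate ahead of the AND gate.  When the
# house is on, that AND input is satisfied unconditionally; when it is off, only
# the channel's own fault can satisfy it.
SCRAM = {
    "No input to scram bus": ("AND", ["No high pressure input when required",
                                      "No low flow input when required"]),
    "No high pressure input when required": ("OR", [
        "House: high pressure channel not applicable",
        "No scram input from high pressure channel"]),
    "No low flow input when required": ("OR", [
        "House: low flow channel not applicable",
        "No scram input from low flow channel"]),
}

# Figure 9 arrangement: two mutually exclusive houses (compressor on / off);
# exactly one must be on, which check_mutually_exclusive() enforces.
N2_TANK = {
    "No N2 in storage tank": ("OR", ["No N2 with compressor on",
                                     "No N2 with compressor off"]),
    "No N2 with compressor on": ("AND", ["House: compressor on",
                                         "No N2 in tank, compressor on"]),
    "No N2 with compressor off": ("AND", ["House: compressor off",
                                          "No N2 in tank, compressor off"]),
}

def check_mutually_exclusive(state, houses):
    """Raise unless exactly one of the mutually exclusive houses is on."""
    if sum(bool(state[h]) for h in houses) != 1:
        raise ValueError("exactly one of %s must be on" % ", ".join(houses))

def diesel_fault(required, does_not_start):
    state = {"House: diesel required": required, "Diesel does not start": does_not_start}
    return evaluate("Diesel fails when required", DIESEL, state)

def scram_bus_fails(high_fault, low_fault, high_applicable=True, low_applicable=True):
    state = {
        "House: high pressure channel not applicable": not high_applicable,
        "House: low flow channel not applicable": not low_applicable,
        "No scram input from high pressure channel": high_fault,
        "No scram input from low flow channel": low_fault,
    }
    return evaluate("No input to scram bus", SCRAM, state)

def n2_tank_empty(compressor_on, fault_when_on, fault_when_off):
    state = {
        "House: compressor on": compressor_on,
        "House: compressor off": not compressor_on,
        "No N2 in tank, compressor on": fault_when_on,
        "No N2 in tank, compressor off": fault_when_off,
    }
    check_mutually_exclusive(state, ["House: compressor on", "House: compressor off"])
    return evaluate("No N2 in storage tank", N2_TANK, state)

if __name__ == "__main__":
    print(diesel_fault(required=False, does_not_start=True))                       # False
    print(scram_bus_fails(high_fault=True, low_fault=False))                        # False
    print(scram_bus_fails(high_fault=True, low_fault=False, low_applicable=False))  # True
    print(n2_tank_empty(compressor_on=True, fault_when_on=True, fault_when_off=False))  # True
```

The second scram call shows the point of the inverted house: with the low flow channel marked not applicable, a fault in the high pressure channel alone is enough to fail the scram bus, whereas with both channels applicable both must fault.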


Figure 9. Mutually Exclusive Conditions

[Figure: the top event "No N2 in Storage Tank" is an OR gate with inputs "No N2 in Storage Tank with Compressor On" and "No N2 in Storage Tank with Compressor Off". Each of these is an AND gate with a house event ("Compressor On" or "Compressor Off") and the corresponding fault event "No N2 in Storage Tank, Compressor On" or "No N2 in Storage Tank, Compressor Off".]

Figure 10. Classifying Faults Using the House

[Figure: the top event "Loss of Containment Integrity" is an OR gate with inputs "Loss of Containment Integrity Due to < 2 in.² Faults" and "Loss of Containment Integrity Due to > 2 in.² Faults". Each of these is an AND gate with a house event ("< 2 in.²" or "> 2 in.²") and a tabulation OR gate listing the faults in that size category.]

9. BOOLEAN SIMPLIFICATION

The final process in developing a fault model of a system to which probabilistic values can be assigned involves removing redundancies from the Boolean expression of the model, usually by using computer codes. The analyst can, however, often save considerable time by applying the same process while developing the fault model in the first place. The analyst should not necessarily try to reduce the model to its simplest Boolean form as it is being constructed, but knowledge of how the model is simplified will sometimes allow the analyst to construct the model more efficiently.

The process of reducing a fault model to its nonredundant Boolean form requires first that the fault model be transformed into an algebraic expression, as illustrated by the following example:

[Fault tree: the top event A is an AND gate with inputs A2 and A3; A2 is an OR gate with inputs A1 and X1; A3 is an OR gate with inputs X1 and X3; A1 is an AND gate with inputs X1 and X2.]

A = A2 A3
  = (A1 + X1) (X1 + X3)
  = (X1 X2 + X1) (X1 + X3)
  = X1 X1 X2 + X1 X1 + X1 X2 X3 + X1 X3                     (1)

The preceding algebraic expression contains "AND" and "OR" redundancies which can be removed by using the following idempotent relations:

A A = A                                                     (2)
A + A = A                                                   (3)
A + AB = A                                                  (4)

By application of these relations to algebraic Expression (1), the model reduces to A = X1. In this example, the analyst would not expand X2 and X3 into their respective causes of failure because the models represented by those variables would disappear in the end result.


10. COMMON CAUSE FAILURES

Single events that fail components in two or more redundant systems or subsystems are common cause events. They are events which violate any assumptions of independence of redundant systems. Common cause events can take the form of design or manufacturing defects which emerge as component failures in a common time frame; systematic human errors in the maintenance, testing, or operation of systems; or unexpected environmental or operational transients which result in multiple component failures.

Common cause failures due to operational and environmental variables are usually identified in fault tree analysis by expanding component failure events into secondary causes for failure. That is, component failure events are expanded to show the potential failure mechanisms which exceed the design ratings of the components. For example, the event "Pipe 1 plugged" in Figure 5 might be expanded into possible causes for failure such as "Pipe 1A plugged due to freezing" or any number of other possible causes, depending on the imagination of the analyst. If, in this example, freezing can plug Pipe 1 and components in the redundant subsystem, freezing would be a potential common cause failure event. To expand the fault tree indiscriminately into secondary events without some real basis for doing so, however, can be extremely time consuming and costly.

The method proposed herein for treating single environmental causes of multiple component failures requires, first, that the analyst determine the location of each component identified by the fault tree analysis. The location is recorded in the column provided in the fault summary of Table 7. Next he examines each component in its operating location to determine: first, whether any of the secondary events listed as column headings can occur in the component location; and, second, whether, if a secondary event can occur in that location, the secondary event will cause failure of the component. An estimate of the secondary event occurrence likelihood is shown in the upper half of the space provided in the fault summary, and an estimate of the likelihood of the secondary event producing component failure is shown in the lower half of the space provided. These

TABLE 7. FAULT SUMMARY

[Rotated table: for each component it records the component, its location, and, under one column heading per secondary event type, an order-of-magnitude estimate of the secondary event's likelihood of occurrence (upper half of the cell) and of its causing component failure (lower half). The entries discussed in the text are those for Pipe 1A (pipe tunnel) and Relay 26A (Room 211).]

need only be order-of-magnitude probability estimates and are usually written -1, -2, -3, . . . , corresponding to probability values of 10^-1, 10^-2, 10^-3, . . . , respectively. The list of secondary events shown in the fault summary column headings is certainly not complete and should be expanded where appropriate.

Finally, if there are secondary events that have a relatively high likelihood of occurring and causing component failure, they should be named and treated as additional component failure events on the fault tree and on the fault summary. The product of these two probabilities, likelihood of occurrence and likelihood of causing failure, should be large compared with other secondary events treated in the same manner. Typically, these events do not take on much significance unless the product is of the order of 10^-6 or greater. The procedure for treating common modes can be illustrated by examining Table 7 (a). Pipe 1A might rupture due to an earthquake (probability of 10^-3), high pressure (10^-2), freezing (10^-1), missiles (10^-2), or pipe whip (10^-1). The likelihoods of these events occurring in the pipe tunnel are 10^-8, 10^-8, 10^-9, 10^-8, and 10^-7, respectively. The products of these probabilities are relatively low (10^-11, 10^-10, 10^-10, 10^-10, and 10^-8); therefore, they are relatively insignificant contributors. Relay 26A is subject to failure by fire (10^-2), dust (10^-2), or corrosion (10^-3). The likelihoods of fire, dust, and corrosion in Room 211 are 10^-6, 10^-3, and 10^-5, respectively. Dust, which has a combined likelihood of occurrence and causing failure of 10^-5, is potentially an important contributor to relay failure; therefore, a new event, "dust," with the code name D0000211, is entered in the fault summary. The code name is also listed on the fault tree under the tabulation OR gate where the failure modes of Relay 26A are shown. D0000211 is a unique identifier for "dust in Room 211." If, in the process of applying this procedure to other components, the event name D0000211 appears in other trees or subtrees representing redundant systems or subsystems, respectively, the event is a common cause event. That is, the event D0000211 would appropriately affect the nonredundant form of the Boolean expression resulting from one or more trees containing the event.

a. The values shown are for illustration purposes only and are not intended to be characteristic of any plant.
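The screening procedure above, together with the eight-character secondary event naming of Section 7.3, can be written down as a short routine. The following is an added example and not a procedure from this guide. The type codes are those of Table 6; the exposure figures are the illustrative values quoted in the text for Pipe 1A and Relay 26A (not plant data); the location code "PT01" for the pipe tunnel is a constructed placeholder; and left-padding the location with zeros to seven characters is an assumption inferred from the name D0000211. Likelihoods are kept as exponents of ten, the way the fault summary records them, so multiplying two likelihoods is adding two exponents.

```python
# Added example (not from the guide): secondary-event naming (Section 7.3) and
# the order-of-magnitude screening of Section 10.  Exposure values are the
# illustrative ones quoted in the text, not data for any plant; the pipe
# tunnel location code "PT01" is a constructed placeholder.

SECONDARY_TYPES = {                      # Table 6
    "C": "Freezing", "D": "Dust", "E": "Earthquake", "F": "Fire", "G": "Wind",
    "H": "Humidity", "K": "Corrosion", "M": "Missile", "P": "High pressure",
    "R": "Radiation", "S": "Steam", "T": "High temperature", "W": "Flood",
    "X": "Pipe whip or hammer", "Z": "Proximity",
}

def secondary_event_name(type_code, location):
    """Eight-character name: one Table 6 type code + seven-character location
    (assumption: shorter locations are left-padded with zeros, as D0000211)."""
    if type_code not in SECONDARY_TYPES:
        raise ValueError(f"unknown secondary event type {type_code!r}")
    loc = str(location)
    if not loc or len(loc) > 7:
        raise ValueError("location must be 1 to 7 characters")
    return type_code + loc.rjust(7, "0")

# Each component: (name, location code, [(type code, occurrence exponent,
# failure exponent)]) where -3 stands for a likelihood of 10^-3.
PIPE_1A = ("Pipe 1A", "PT01", [
    ("E", -8, -3), ("P", -8, -2), ("C", -9, -1), ("M", -8, -2), ("X", -7, -1),
])
RELAY_26A = ("Relay 26A", "211", [
    ("F", -6, -2), ("D", -3, -2), ("K", -5, -3),
])

def screen(component, threshold_exp=-6):
    """Return [(type code, event name, product exponent)] for every secondary
    event whose combined likelihood (occurrence x causing failure) is at
    least 10^threshold_exp.  Those are the ones to be named and added to
    the fault tree and the fault summary."""
    _name, location, exposures = component
    significant = []
    for code, occur_exp, fail_exp in exposures:
        product_exp = occur_exp + fail_exp        # product of powers of ten
        if product_exp >= threshold_exp:
            significant.append((code, secondary_event_name(code, location), product_exp))
    return significant

def common_cause_events(trees):
    """Given {tree name: set of event names}, return the event names that
    appear in more than one tree.  The same secondary event name on trees of
    redundant trains is a common cause event: one event defeats the redundancy."""
    seen = {}
    for tree, events in trees.items():
        for event in events:
            seen.setdefault(event, set()).add(tree)
    return {event for event, where in seen.items() if len(where) > 1}

if __name__ == "__main__":
    print(screen(PIPE_1A))     # []  (products 10^-11 .. 10^-8, all below 10^-6)
    print(screen(RELAY_26A))   # [('D', 'D0000211', -5)]
    # Constructed trees for two redundant relays in the same room:
    print(common_cause_events({"Relay 26A": {"D0000211", "RE26A-B"},
                               "Relay 26B": {"D0000211", "RE26B-B"}}))  # {'D0000211'}
```

Keeping the likelihoods as exponents matches the -1, -2, -3 notation of the fault summary and avoids floating-point rounding when comparing products against the 10^-6 threshold.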


11. HUMAN ERRORS

Human errors are relatively high probability events; therefore, human intervention or human inputs to components are important contributors to the probability of system failure. Switches, valves, adjustment pots, and test plugs are only a few of the many components which are subject to normal human input. All potential human errors should be identified on the fault tree at the component where the human intervention takes place. For example, if the only place a valve can be operated is from a switch in the control room, the human error event would be associated with the switch in the control room and not the valve. If the valve can be operated remotely and locally, then the human error fault events should appear in both places.

Human errors are shown on the tree and in the fault summary as a mode of failure for the particular component subject to the human error.

Human errors are generally classified as errors of commission and errors of omission [2]. Errors of commission are those in which an operator or maintenance man acts inadvertently on a component of the system (for example, an operator throws the wrong switch or a maintenance man misadjusts a limit switch). Errors of omission are those in which the operator forgets to perform a required act (for example, fails to start a pump). The type of human error should be clear in the fault statement. For example, the fault statement in the fault summary might read "operator forgets to start Pump 1B" for an act of omission, or "valve inadvertently closed" for an act of commission.


12. TEST AND MAINTENANCE

System outages due to tests and maintenance, and the human errors which can accompany test and maintenance activities, can be important contributors to the risks of nuclear plants. Some systems and components associated with nuclear plants are tested and maintained when the reactor is shut down; therefore, test and maintenance outage, as such, is not an important risk factor. However, where on-line testing and maintenance has been provided in the design, a system which is redundant can change to a nonredundant system during the time tests and maintenance are performed, unless override features have also been provided in the design.

Outage due to test or maintenance is treated on the abbreviated fault model by showing an additional component-fault event on the fault tree and on the fault summary for any subsystem or portion thereof which is unavailable during test and maintenance. Although not a failure in the strict sense of the word, outage is treated as a basic component fault with a mode designation "test" or "maintenance" and a fault mode code designation "T." Unless each component is tested or maintained separately and at different times, only the component requiring the longest outage time is shown as a fault. If each component is tested or maintained separately and at different times, each component should be treated as a test and maintenance fault.

If a valve or other component can be left in the wrong state as a result of a test or maintenance error, the fault is also shown on the fault tree and is treated as a human error as discussed in Section 11.


13. ANALYSIS STAGING

The abbreviated fault tree analysis described in a preceding section helps the analyst to stage the analysis effort. That is, he can determine the overall logic structure of complex systems and multiple systems first, before performing a detailed examination of components within the system. Thus, staging allows the analyst to identify the more important, or critical, paths of the system without wasting time on details which may, in the end result, be unimportant. To stage the analysis, the analyst constructs the abbreviated fault tree without identifying the individual events normally listed under the tabulation OR gate. Instead, each tabulation OR is treated as a single component until the fault tree is reduced to its nonredundant Boolean form. Then, only those tabulation OR gates which appear in critical cut sets in the nonredundant Boolean form are expanded to include individual component events.

Caution should be exercised regarding the analysis staging just discussed: first, the tabulation OR gates must be independent of other tabulation OR gates (they should not contain common elements if expanded), and, second, reliance on the importance of tabulation OR gates resulting from staging can ignore potentially significant common cause events among those individual component fault modes not included, particularly if the staging effort does not produce single component events that can result in system or multiple system failure.

The IREP analyses will be staged according to the "parent tree-daughter tree" concept, where the daughter tree describes the enumerated individual component faults under tabulation OR gates and the parent tree describes everything else, i.e., the top fault events, the interface events, the tabulation OR outputs as individual events, and the logic gates which relate those events. The parent tree is constructed first; the daughter tree construction is deferred until some assessment is made of the need to do so. This, of course, is compatible with the discussion in the first paragraph above. The caveats of the second paragraph are also applicable.


14. SYSTEMS FAILURE ANALYSIS

The reliability of a typical nuclear safety system is dependent on the degree of redundancy in the system and its support systems and on the reliability of individual components in those systems. The redundant elements in those systems must be independent, and the individual components must be reliably mature for the expected operational and environmental demands on them. The failure analysis of a safety system, for the most part, requires that the analyst determine the degree of redundancy based on system requirements, that he verify the independence of those redundant elements by examination of individual component fault modes, and that he verify that components have been properly selected for the expected operation and environment. Fault tree analysis permits this failure evaluation of a system to take place systematically.

The failure evaluation of any system requires first that the analyst establish the physical boundaries of the system to be analyzed. These boundaries can be rather arbitrary, but they are usually about the same as those defined by the designer. Typically, the system, as defined, will have one or more outputs and one or more inputs (see Figure 11). The first task in evaluating that system will be to break the system down into redundant elements, which must be done on the basis of the requirements of the system. This is to say that one accident may require that two of three pumps operate; another accident may require that only one of three pumps respond. For a two-train safety system which provides a single output function, the system broken down into its two redundant trains might be represented by the two "black boxes" shown in Figure 12. The inputs to each redundant train, or subsystem, are also separated as shown. The abbreviated fault tree representing the two subsystems is shown in Figure 13.

The failure evaluation of systems in IREP will be conducted much as just presented, first for the front line systems and then for the support systems. The requirements for support systems, of course, are based on the requirements for the front line systems. The enumeration of individual

Figure 11. System Boundaries

[Figure: a single "System" block with inputs A1, A2, . . . , An and B1, B2, . . . , Bn entering and Output 1 and Output 2 leaving.]

Figure 12. Typical Two-Train System

[Figure: the system of Figure 11 split into two "black boxes," Subsystem A (inputs A1, A2, . . . , An) and Subsystem B (inputs B1, B2, . . . , Bn), both feeding the System Output.]

Figure 13. Two-Train System Fault Tree

[Fault tree: the top event "No System Output" is an AND gate with inputs "No Output from Subsystem A" and "No Output from Subsystem B". Each of these is an OR gate with two inputs: "Subsystem A (B) Faults" and "Support Systems A (B) Faults"; the latter is an OR gate whose inputs are "Faults in Support System A1 (B1)", "Faults in Support System A2 (B2)", . . . , "Faults in Support System An (Bn)".]

faults under the OR gates will be deferred according to the discussion about staging in Section 12.
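The reduction of Section 9, the staging of Section 13 and the two-train tree of Figure 13 can be tied together in one routine. The following is an added example, not code from this guide or from IREP: `cut_sets` reduces a tree to its nonredundant Boolean form using relations (2), (3) and (4) of Section 9, treating every name that is not a gate (including a tabulation OR whose daughter tree has not been built) as a single event; `stage` reduces the parent tree first and then expands only the tabulation ORs that survive in a cut set. `SECTION9` is the tree of the Section 9 example, and `TWO_TRAIN` follows Figure 13 with the support system faults left as single interface events. The daughter tree contents (X2a, X2b, the pump and valve faults) are constructed for the example.

```python
# Added example (not from the guide): reducing a fault tree to its
# nonredundant Boolean form with relations (2)-(4) of Section 9, and using
# that reduction to stage the analysis as Section 13 describes.  SECTION9 is
# the tree of the Section 9 example; TWO_TRAIN follows Figure 13 with the
# support system faults left as single interface events.  Daughter-tree
# contents (X2a, X2b, pump/valve faults) are constructed.

def cut_sets(name, tree):
    """Minimal cut sets of `name`: a set of frozensets of basic events.  Any
    name not defined as a gate is treated as a basic event, which is how a
    tabulation OR gate is handled before its daughter tree is built."""
    if name not in tree:
        return {frozenset([name])}
    kind, inputs = tree[name]
    child_sets = [cut_sets(child, tree) for child in inputs]
    if kind == "OR":
        combined = set().union(*child_sets)                 # A + A = A   (3)
    elif kind == "AND":
        combined = {frozenset()}
        for s in child_sets:                                 # expand the product;
            combined = {a | b for a in combined for b in s}  # A A = A     (2)
    else:
        raise ValueError(f"unknown gate type {kind!r}")
    return minimize(combined)

def minimize(sets):
    """Drop any cut set that contains another: A + AB = A (4)."""
    return {s for s in sets if not any(o < s for o in sets)}

def stage(top, parent_tree, daughter_trees):
    """Reduce the parent tree with tabulation ORs as single events, then
    expand only those tabulation ORs that survive in a cut set.  Returns
    (parent cut sets, tabulation ORs expanded, cut sets after expansion)."""
    parent_sets = cut_sets(top, parent_tree)
    needed = {e for cs in parent_sets for e in cs if e in daughter_trees}
    full_tree = dict(parent_tree)
    for gate in needed:
        full_tree.update(daughter_trees[gate])
    return parent_sets, needed, cut_sets(top, full_tree)

# Section 9 example: A = A2 A3, A2 = A1 + X1, A3 = X1 + X3, A1 = X1 X2.
SECTION9 = {
    "A":  ("AND", ["A2", "A3"]),
    "A2": ("OR",  ["A1", "X1"]),
    "A3": ("OR",  ["X1", "X3"]),
    "A1": ("AND", ["X1", "X2"]),
}
SECTION9_DAUGHTERS = {                     # would-be expansions of X2 and X3
    "X2": {"X2": ("OR", ["X2a", "X2b"])},
    "X3": {"X3": ("OR", ["X3a", "X3b"])},
}

# Figure 13 parent tree; the "Subsystem ... faults" names are tabulation ORs.
TWO_TRAIN = {
    "No system output": ("AND", ["No output from subsystem A",
                                 "No output from subsystem B"]),
    "No output from subsystem A": ("OR", ["Subsystem A faults",
                                          "Support systems A faults"]),
    "No output from subsystem B": ("OR", ["Subsystem B faults",
                                          "Support systems B faults"]),
}
TWO_TRAIN_DAUGHTERS = {
    "Subsystem A faults": {"Subsystem A faults": ("OR", ["Pump A fails", "Valve A fails"])},
    "Subsystem B faults": {"Subsystem B faults": ("OR", ["Pump B fails", "Valve B fails"])},
}

if __name__ == "__main__":
    print(cut_sets("A", SECTION9))                          # {frozenset({'X1'})}
    parent, needed, full = stage("A", SECTION9, SECTION9_DAUGHTERS)
    print(needed)                                           # set(): X2 and X3 are never expanded
    parent, needed, full = stage("No system output", TWO_TRAIN, TWO_TRAIN_DAUGHTERS)
    print(sorted(needed), len(full))                        # both subsystem ORs expanded, 9 cut sets
```

In the Section 9 tree the only cut set is {X1}, so neither X2 nor X3 is expanded, which is exactly the saving the text describes. In the two-train tree every parent-level cut set is a pair of one A-side and one B-side event, so both subsystem tabulation ORs survive and are expanded. The first caveat of Section 13 applies unchanged: `stage` assumes the daughter trees share no events, and if they did, the parent-level reduction could rank a tabulation OR as unimportant even though a shared component would collapse two cut sets into one.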

Failure analyses are usually performed to the component level of resolution, where a component is defined as the largest entity of hardware for which experience data are expected to be available. A component is usually an off-the-shelf item which the designer uses as a building block for his system. Sometimes it is necessary for the analyst to examine components, however, in order to determine how component inputs relate logically to the component output.

When examining component fault modes, the analyst should think not only about how each of those fault modes may affect the system being analyzed, but he should also concern himself with how those fault modes may affect other systems. For example, a timer in a residual heat removal pump circuit which is used to stagger the load application to emergency buses could actually trip a circuit breaker in the electrical power system if it becomes faulted. A leaky valve in a recirculation loop could result in fission product leakage to the atmosphere even though the leakage may not affect recirculation performance.


15. DEFINITIONS

1. Fault--Any state of a component or system that prevents that component or system from providing its desired function when it is required to do so.

2. Failure--A special kind of fault that represents an irreversible component state requiring repair in order to restore it to a workable condition.

3. Primary failure--A failure which results from no known external cause. It is the so-called random failure found in the literature.

4. Secondary failure--A failure which results from an external influence of a magnitude that exceeds the design rating of the component.

5. Command fault--A component which is in the wrong state at the time of interest because of another component (or human error) is a command fault. For example, a switch inadvertently closed by an operator and a valve that won't close because of a faulty motor controller are command faults.

6. Coupling--A qualitative term used to describe the degree of independence of events. If a second event occurs every time a first event occurs, the two events are directly coupled. If a second event very rarely occurs because of an initial event, the events are loosely coupled.

7. Failure mode--A description of the output state of a faulted component.

8. Front line system--A system which provides directly a safety-related function, e.g., emergency core cooling system, plant protection system.

9. Support system--A system which provides a particular service to a front line system, e.g., service water system, AC electrical power system.

10. Parent tree--A fault tree developed to a subsystem level only, which defines the top logic and identifies the various interface faults with other systems.

11. Daughter tree--That part of a fault tree which enumerates the various component faults in a subsystem.


16. REFERENCES

1. N. H. Roberts, D. F. Haasl, "Fault Tree Handbook," NUREG-0492, Draft, U.S. Nuclear Regulatory Commission, November 1978.

2. "Reactor Safety Study," WASH-1400, NUREG-75/014, U.S. Nuclear Regulatory Commission, October 1975.
