• 5 i

n, 4

)

I i i 1 ! i i1I I

e I

f f I.t0 t

4

) I 1 l 'i l

, i ! at,,

e t

,, ' IIi a

p 1 1, i, +

',CrmOnt Yankee -

5 i

. J, II I

(

l t

igi i

J l e, si,l t

i iei:o l

i i i i,ai i i a

, ei#

e i

l

$$h,,

UC C47

=

1

. h i i f f I Ili 0

1 1 I a,il 1

I I 4,fi g

I 4

I i

( l : Il 1

I f

I,i1I I

8 i

)

• t6 1 1

1 I i II) 4 4 6 1 4 t il 4

4 4 1 e i gli 4

I 1

l 8 0 l fil I 1 ' li i

t 1 1 i i lll i

t t

, I t 4 ll.

f

, i

,63, 1

i

, ;, gai imstry mean l

l l,

l ',; ' l

l l 'l'l

l l ',l ' "

l with recoVCry

,, i

,,, i m

,it i i i i i,,

4 i,,

without recovery i

. o

..i.,o A,,i.,

,,, i,,,i.

1 I

!, 8

,1 1

I i i i1 l l4 I

I a! i il4 i i 4

,i1 1

.t i

1.0E 05 1.0E-04 1.0E-03 1.0E-02 1.0E-01 FTR rate (per hour)

Figure 11. Plot of the PRA/IPE and operating experience estimates of the fail-to-nm hourly fail No plant-to-plant variation was observed in the operating experience data, so the industry-wide applies to all plants.

38

i 333 Maintenance-out-of-service The MOOS contribution to the total RCIC unreliability is about 6% (calculated on a 24-hour mission time and based on operating experience data), compared to the 18% contribution estimated from the PRA/IPEs. The average MOOS probability for the PRA/IPEs is 2.lE-2 per demand, whereas the operati experience mean is 1.lE-2 per demand. Several of the PRA/IPEs have MOOS being a major cont RCIC system unreliability. However, the total reliability for the RCIC system at these plants is better those at the other plants.

A possible explanation for the larger contribution, based on PRA/IPE estimates, may be the f RCIC is not a designated ECCS system. The technical specifications for RCIC are not as restrictive w considering the limiting condition of operation for the RCIC system as compared to an ECCS syst as HPCI. Another reason may be due to the different methods used to calculate the PRA/IPE and o experience estimates. In this study, maintenance failures and demands 9 vere based oLy on the RCIC system was required to inject water into the reactor (i.e., a reliability parameter.) Risk an generally account for the MOOS probability as an unavailability estimate (i.e., fraction of R compared to total plant operating time). In theory (i.e., infinitely large sample) these two esti be equivalent. For this reason, the reader is cautioned when making absolute comparisons and operating experience MOOS estimates.

Figure 12 plots the PRA/IPE estimates and the mean estimate and associated uncertain from the operating experience data. The racge of MOOS estimates found in the PRA/IPEs is 4.2E-4 to 5.8E-2 per demand. Comparing this range of values to the uncertainty interval for the M failure probability reveals one plant lying below the lower 5% uncertainty bound. The probab MOOS for this plant is a factor of 50 lower than the PRA/IPE average for MOOS. Nine PRA/IPEs u mean probability of MOOS that was greater than the upper 95% uncertainty bound estima operating experience data. The River Bend IPE reported the largest MOOS failure probabilit the River Bend MOOS contribution (25%) to the RCIC system failure probability compares favora MOOS contribution (27%) based on operating experience data.

33.4 Restart Failure and Failure to Transfer During Recirculation Extracting the corresponding data from the PRA/IPEs to make comparisons to the FRS an failure modes was not possible for most plants, because of the summary nature (i.e., lack of de PRA/IPEs. For these reasons, the focus of the RCIC restart / recirculation discussion is based the estimates for FRS and FRC derived from the operating experience data.

Not all plants entered into the restart mode during a long term operational mission of th system. Approximately 50% of the plants (11 of 23 plants) identified restarts of the RCI Approximately 25% (18 of 72 long term missions) of the RCIC system initiations resu restart mode of operation. Based on the restart information contained in the LERs, the RCIC system restarted 46 times.

1 39

PRMPE approximate value e

+ Operating experience failure prcbability & uncertainty intental ei I

,,,, ',,l',,ll

,,,, ',,,ll.ll Brunswick 1 r

i i,,,

i i

. i Brunswick 2 liii,,

l l l e.r l

'ii

.4 i

i, i,

,',lll, I

,' l,l'lll I

l,'

i,,,,,'

l o,l l,',' l Clinton i

4 ii,,,,

ii*

l l

Cooper l

l l

+i,si

,i l ','

'l, l,

I l

,' ' ' l Duane Arnold l

l, ', ',,,, '

' i

' ii,,

Fermi 2 i..,

,,i, e

i.,

i i,,,

iiii l

> i,',,,

,' l ','

l l,',' i FitzPatrick i

i i

i i ii i

I I,lll

' ll.ll;'

,llll,l*

Grand Gulf

+ i i

l i,,,

l,'

l l

Hatch t i

i, i<i-,

i I l i

,,'ll

,',,,,', l l l I

il,ll

,e l

Hatch 2

,i,,

i le ii,'>>

Hope Creek l

.',',',4 i

i a

i ll~ l Io l

, ' ',, ',l,l l l LaSalle 1 l l

, ',,...ll,l l

i i i,,', '

i i,

l LaSalle 2 i,',,,,

l i>i,

• 'i i

i e

i,

4 i

I I

l Limerick I i

i,',',,',

ii,,,

,,i.,

le,'

Limerick 2 l

i,

i

' < i i,,,i

' iii.,,

'e i i, i

1

, i, i,,i.

Montice!Jo l

,,',l,';

l l lll,'l' l

el

',,'l,'

,, ',',',,lil,

,, ',, ',,ll i,' ' i l3 Nine Mile Pt. 2 r

e i

Peach Bottom 2 l

l,' ',',' l l l

l l ' l l'l l e llll,'

I l lllll*

I l

' l l,',',','

ll',ll Peach Bc: tom 3

' i,,,,,.

>,r i

,1 Perry -

' '>,>i l

i

,, ',,,,,,'lll e

l l l,,,,,

l l

,,,, ',,ll,l Pilgrim -

i Quad Cities !

l

,'i,<

l el,' i,',,'

' i,

i i

lll, I

l l l,lll;*

l ll ll Quad Cities 2

,,,,'l,'

' i River Bend l

,' i i,,

>'ii

,i, l l l,', l,','

i

' i Susquehanna l l

l

,l-l l l4 l 'l i

I

.', l l l l I

l l lllll e -,'

llil, Susquehanna 2 -

i,

l 4l l ',',','

vennont Yankee -

l l

,ii,,,,

I l l ll l,

ll,,, ',ill e

Wash. Nuclear 2 l,, ', ',, '

i i

e,'

l i,

,,',,,l,' l l l l

l

,,l,l l.'

ll Industry mean l

l l

i 4

i,,,,,,

I I

1.0E-04 1.0E-03 1.0E-02 1.0E-01 MOOS probability (per demand)

Figure 12. Plot of the PRA/IPE and operating experience estimates of the fai mainterance-out-of-service failures. No plant to-plant variation was observe ro a tyfor data, so the industry-wide mean applies to all plants.

a ngexperience 40

Estimates of the failure probability for FRC and associated 90% uncertainty bounds calculated from the operating experience data are 2.8E-3,1.2E-2, and 2.7E-2 per hour. The estimates are expressed in hours because the number of cycles would be expected to increase as system operating time (i.e., recirculation phase) increases, and there was no way to count the number of valve cycles during this mode of operation.

However, two insights were gained as a result of reviewing the PRA/IPEs for the relevant information on RCIC system unreliability and associated failure data. First, it was found that most of the PRA/IPEs do not model the RCIC system in the way it is observed to be operated based on the operating experience data.

Specifically, the maintenance oflevel following initial injection by either restart and/or recirculation, which places extra demands on the hardware and operators,is generally not modeled. Collectively, FRS and FRC modes (operating experience data with recovery) contribute approximately 50% to RCIC unreliability for a postulated PRA mission. Based on the limited PRA/IPE information, these two modes were either not modeled, or if modeled, were not identified as major failure modes of RCIC operation. Only 8 of the 29 PRA/IPEs mentioned restart and/or recirculation modes as phases of RCIC operation. Further, for the PRA/IPEs identifying these modes, no details on the quantification of the failures modes were provided.

For the purposes of this study, the PRA/IPE results displayed are calculated assuming one restart and no recirculation. Second, for the PRA/IPEs that model the system with restart and/or recirculation mode of RCIC, the component failure probabilities assigned to these modes of operation appear to be optimistic compared to the estimates calculated from the operating experience data. For example, the initial failure to start (other than the injection valve) probabilities and the restart failure probabilities differ from each other by about a factor of 2.6, based on the operating experience data. However, the PRA/IPEs appear to use the same component failure probabilities for restart as for initial start. As shown in Table 9, the mstan contribution to overall unreliability is a factor of 2 greater than the FTSO contribution,26% versus 11%,

respectively. Statistical analysis of the FTSO data (7 failums in 132 demands) and FRS data (4 failures in 46 demands) identified no statistical difference (P-value = 0.41) between the two failure modes; however, the FTSO and FRS data sets were not pooled, because from an engineering perspective, there is a difference between a cold start and a hot-quick start of the system.

I 1

41

4. ENGINEERING ANALYSIS OF THE PLANT OPERATING DATA This section documents the results of an engineering evaluation of the RCIC system o derived from LERs. The objective of this evaluation was to analyze the data and provide performance of the RCIC system. Unlike the risk assessment provided in Section 3, for this ev LERs submitted during the evaluation period and all the Accident Sequence Precursor (AS mentioned the RCIC system were considered; no data were excluded.

The engineering data analysis provides qualitative insights into the performance of the throughout the industry and on a plant-specific basis. These qualitative insights characterize the fa contributing to the quantitative estimates of RCIC reliability presented previously in Section 3. He rea is cautioned when comparing the individual plant data to the unreliability estimates provided in Sect A plant-specific estimate derived solely from the failure data at a particular plant may result in a differe estimate than one derived from the population as a whole, especially when the data are sparse. I the effects of recovery will influence any comparisons to the results shown in Section 3. Appe provides additional information into the effects ofperforming plant or gmup-specific investigations.

The results of the operational data review were:

The frequency of system failures per year showed no statistically significant trend. However, a decreasing trend in the frequency of system unplanned demands per year was statistically significant. The decrease in RCIC unplanned demands appears to be related to the decrease in the average number of critical reactor scrams that have occurred over the same time period, which typically include a demand for RCIC injection.

Bere were eight failures observed during short term missions; these are failures that directly affect system unreliability. These failures included one maintenance-out-of-service event and seven failures to start. nree of the failures to start were recovered.

The one maintenance-out-of-service event occurred when the system was demanded to restore reactor vessel level (following a full power reactor scram) at a time when the system was unavailable because of routine instrumentation surveillance testing.

For the failures to start, five were associated with turbine speed control, one was associated with the operation of the automatic start circuit, and one was assoc.iated with the turbine steam supply valve. These failures were caused by personnel error (2) and hardware malfunctions (5). The two personnel-error-related failures and one hardware failure associated with the turbine speed control were recovered by operator actions.

In addition to the eight short term mission failures, there were eight failures observed during long term missions. These failures included two failures to run, four failures to restart, and two failures during transfer from recirculation to reactor vessel injection. Five of these failures were recovered by operator actions.

42

r For the two failures to mn, one was caused by a personnel error in the operation of the flow controller, and the other by a spurious isolation of the turbine steam supply. Only the personnel error in operation of the flow controller was recovered by operator actions.

The four failures of the RCIC system to restart were the result of hardware problems. The failure to restart probability was twice the failure to start probability; the difference might be the result of the difference in failure mechanism. Specifically, the failures that contributed to failure to start were primarily turbine speed control problems, while the restart failures were primarily related to cycling valves. Two of the four restart failures were recovered by operator l

actions.

The two faihires to transfer from recirculation to reactor vessel injection were the result of I

hardware-related problems causing the test-return line MOV not to fully close on demand.

Both of these failures were recovered by operator actions (a second valve in the test return-line was closed).

i Durmg the performance of cyclic surveillance tests, only three failures of the RCIC system were I

observed. Rese three failures were classified as failures to start and were the result of hardware (2) and procedural (1) problems. Two of these failures were associated with the flow controller, and the other failure was asscciated with the turbine exhaust check valve.

i Failures detected by methods other than during the performance of a test or unplanned demand were primarily (62%) associated with the instrument and controls subsystem, specifically the isolation logic circuit. While a few isolation logic malfunctions were caused by procedural problems or personnel error, the majority were the result of hardware failures (i.e., detectors, relays, transmitters, etc.)

The operating data contained five instances where multiple systems either had failed or had the potential to fail at the same time, possibly as the result of a common cause mechanism. He events involved motor-operated valves, the steam leak detection circuitry, and the turbine govemors.

Rese events are important because common cause failures across systems are generally not modeled or considered in the PRA/IPEs. In two of the five instances, the RCIC and HPCI systems l

were affected during an unplanned demand. The other events were discovered during surveillance testing (2) and other routine plant operations (1).

There was no correlation observed between the plant's low-power license date and the frequency of failures per operational year. He average number of failures per operating year was 0.62, and this average frequency was observed for plants licensed from 1970 through 1990. Two plants licensed in the 1970s and two plants licensed in the 1980s had relatively high failure frequencies.

l The following subsections provide a comprehensive summary of the operating data supporting the l

above results, as well as additional insights derived from: (a) an assessment of the operating data for trends j

and patterns in system performance across the industry and at specific plants, (b) identification of the subsystems and causes that contribute to the system failures, (c) a comparison of the failure mechanisms found during surveillance tests and unplanned demands, (d) an evaluation of the relationship between system railures and low-power license date, and (e) Accident Sequence Precursor (ASP) events involving the RCIC system.

i i

43 1

l

~

4.1 Industry-wide Evaluation 4.1.1 Trends by Year Table 10 tabulates the RCIC system faults, failures, and unplanned demand events tha the industry for each year cf the study period. Figures 13 and 14 are illustrations of the fa unplanned demand frequencies for each year of the study with 90% uncertainty inte include a fitted trend line and a 90% confidence band for the fitted trend. The frequency events that occurred in the specific year divided by the total number of plant operating years calendaryear.

Table 10. Number of RCIC system faults, failures, and unplanned demands by year.a Classification 1987 1988 1989 1990 1991 1992 1993 Total Faults 7

5 10 4

4 7

12 49 Failures

• 20 11 6

8 19 13 15 92 Unplanned demand events 33 23 15 23 15 14 10 133 Restarts during unplanned 0

26 2

8 5

3 2

46 demand events Plant operating years' I8.7 19.1 19.7 22.4 23.3 21.7 22.7 147.6 a Each entry consists of the number of events or restarts that occurred that calendar year,

b. The one event where the system was out of service for pre-planned maintenance was excluded from the

c. Shut downs longer than two calendar davs are excluded from the operational years calculation.

The results of the trend analysis of the RCIC failures per operating year show, in general, n over the past seven years. Analysis of the trend of RCIC system unplanned demand eve year shows a statistically significant decreasing trend over the past seven years.

The data indicate a decrease in the frequency of RCIC unplanned demand events of approximately a factor of fou through 1993. A potential factor affecting the decrease in the frequency of RCIC unplanned dem corresponding decrease in the average number of critical reactor scrams occurring during the Approximately a factor of three decrease, from 3.6 to 1.1, is observed in the frequency of reactor s (See AEOD Performance Indicators for Operating Commercial Nuclear Power Reactors March 1995). It appears that the decrease in RCIC unplanned demands is related to the decrea average number of critical reactors scrams.

4.1.2 Factors Affecting RCIC Reliability The RCIC system failures were reviewed to determine the factors affecting overall system To direct the review, the system failures were partitioned by method of discovery for each subsy component within each subsystem. The methods of discovery are unplanned demands, surveillance tests (all types and frequencies), and other. The other category includes failures found from design walkdowns, control room annunciators and indications, plant tours, etc. The results of this data pa provided in Tables 11 and 12 and illustrated in Figures 15 and 16. The data counts provided in the ta and figures exclude the one event where the system was out of service for pre-planned mainten because there were no failed components.

44

l 1

l Table 11. Subsystem contribution to RCIC system failures by method ofdiscovery.

1 Subsystem Method of discovery Unplanned Surveillance Other demand

• test l

Turbine and Turbine Control Valves 6

24 13 l

Instrumentation and Control (I&C) 6 11 23 l

Coolant Piping and Valves 3

5 1

Total 15 40 37 a Excludes the one event where the system was out of service for pre-planned maintenance, W='se no component failed.

Table 12. Component cestribution to RCIC system failures by method of discovery.

Method of discovery l

Component Subsystem Unplanned Sutveillance Other demand test i

Turbim,.r,ernor Turbine & Turbine Control Valves 2

15 Steam line MOV Turbine & Turbine ControlValves 3

9 8

Flow controller Instrumentation & Control 5

6 2

Isolation logic Instrumentation & Control 1

5 19

)

)

Injection valve Coolant Piping & Valves 1

4 1

J l

Me 3

1 7

Total 15 40 37 l

t Excludes the one event where the system was out of service for pre-planned mamtenance, because no component failed.

l

{ Year specific frequency and uncertainty interval

-. 90% conf. band on the fitted trend Fitted tsend Ine 2.00 1.50

--C--------------------------------------------

c l

~,

h 1.00

~

E l

s l

=

i J

e ta.

0.50 ----------}-------

l 3

l i

__s

__,t i

l 0.00

~

1987 1988 1989 1990 1991 1992 1993 l

Year I

i l

Figure 13. RCIC failures per plant operating year, with 90% uncertamty intervals and confidence band on the fitted trend. The trend is not statistically significant (P-value = 0.67).

l 45

{ Year-specific frequency and uncertainty interval 4

- 90% conf. band on the fitted trend Fitted trend line 2.50 0Ce

3 N

cr 2.00 x-------------------------------------------

%g s

N V-V

s C

1.50

8 l

{

N E

s s

e

)'

'O 1.00

._L

- l - -

,.e----

teC

• ~a m,

I

~-.

Cm 0.50

- - - - - - - - - - - - - - - -. = - - - - - - - - - - - -

c.

CD 0.00 1987 1988 1989 1990 1991 1992 1993 Year Figure 14. RCIC unplanned demand events per plant operating year, with 90% uncertamty intervals and confidence band on the fitted trend. The trend is statistically significant (P-value = 0.003).

EEUnplanned demand D$urvemance test COther 76 70 He-------------------------------------------------

65 60 H------

55 H------

)

50 e---------------------

4 i

45 1-----------------

l---------------------

c m

j 40 p...

4'.._...__.

?g]j

.=o 35 H---

m-a-

e E

30 b---

&.9 l

oo 25 H---

• py ;

pg 20 W

W e:?

r.<

15 ms C1:

$k' v:

10 H-~-

g*.].

'.h (i

N.

O!

5 j

%/

h j

m.? '

i 0

7' Turbine & Control VaWes coolant Piping & Valves Instrurnentation & Controls subsystem Figure 15. Histogram of the RCIC subsystem failures by method of discovery.

)

46

o usUnplanned demand CSurveinance test Cother 60 50

g 40 8

30 3

,i c

h 1

20 L-F-----

10 fy - - - - - - - -

ri i

b 7

4 hl1 b-N 1

E

?

E-c f

O Flow controller isolation logic Turbine governor injection valve Steam line MOV Other Subsystem Figure 16. Histogram of the RCIC component failures by method of discovery.

As shown in Figure 15, no one subsystem clearly dominated the failures found during unplanned demands. Of the three subsystems, Turbine and Control Valves and Instrument and Controls subsystems collectively contribute 80%, while coolant piping and valves makes-up the remaining 20%. Durmg surveillance tests, the turbine and turbine control valves subsystem was dominant and accounted for 60% of the failures (24 of 40). The smallest contribution to surveillance test failures were attrib"ted to the coolant piping and valves subsystem,13% (5 of 40). For failures that were found other than during the performance of a surveillance test or an unplanned demand, the I&C subsystem failures were dominant,62% (23 of 37),

and most of these failures resulted in a system isolation.

Factors Affecting Reliability <turing Short Term Missions-Failure to start was the primary contributor to system unreliability during shon tenn missions. These short term missions typically occurred as a result of a reactor scram with normal feedwater available, and decay heat was able to be removed using the main condenser (MSIVs open). If a loss of main feedwater occurred, in these events, it was recovered quickly by plant operators. The missions were on the average about 5 minutes in duration. During these short duration unplanned demands, only two failure modes were observed in the operating data:

maintenance-out of-service (one event), and failure to stan (seven events). Three of the failures to start were recovered by operators restaning the system manually or taking manual control of the flow controller.

The maintenance-out-of-service event was observed during an automatic reactor scram from 100%

reactor power. The scram was a result of a lightning strike that caused a high flux signal in the power range instrumentation. The RCIC system received a start signal, but did not inject, because the trip throttle valve 47

i was closed in preparation for an instrument surveillance test. Normal feedwater was used to restore and maintain reactor vessel level, and the HPCS system was operable in standby throughout the event. This maintenance-out-of-service event was selected for the ASP program for analysis, and was assigned a conditional core damage probability (CCDP) of 1.2E-6. The CCDP for this event was a result of both the lightning strike on offsite power and RCIC being out of service for testing.

For the FTSO failure mode, problems associated with turbine speed control contributed to most of the failures. Rese failures were caused by personnel error (2) and hardware malfunctions (5). He two personnel-error-related failures and one hardware-related failure were recovered by operator actions. Even though an unplanned demand of the system, which typically is a cold quick-start of the turbine, is the most i

stressful, no failures of the system can be attributed to a cold quick start. The cold quick-start failures that would be expected include (a) failures due to low oil temperatures resulting in turbine overspeed trips, and (b) condensate in the steam supply lines causing either overspeed or high exhaust p;rssure trips.

The two personnel-error-related failures were the result of operators inadvertently not starting the system manually in accordance with established procedures. In the first instance a loss of effsite power event occuned, during which an operator did not open the injection valve in the manner specified by procedure; this operator error resulted in a turbine trip. At the plant where this failure occurred, the flow element is located in the main piping downstream of the minimum flow bypass line. The location of the flow element msults in no flow being sensed by the flow transmitter on manual starts until the injection valve is opened. This arrangement causes the turbine governor valve to open fully in an attempt to achieve rated flow. If the operator does not open the injection valve quickly after starting the turbine, the turbine trips on overspeed in approximately four seconds. In the second instance, a reactor trip occurred during which plant recovery v as hampered by a loss of two buses powered by the reserve auxiliary transformer (loss of normal feedwater). The control room operator depressed the automatic start push-button for RCIC and observed the injection valve opening; however, the operator believed the RCIC turbine had tripped on overspeed and released the push-button. The start sequence was not completed, resulting in no RCIC flow to the RPV. When reactor vessel level reached -12 inches and with feedwater still not available (17 later), operators used the manual RCIC start procedure to restart RCIC and restore reactor vessel level.

The five hardware-related failures were primarily attributed to problems associated with turbine speed control, specifically, the flow controller (2) and turbine governor (2). The other failure was associated with the turbine steam supply valve. The flow controller failures were attributed to a limit switch failure and a problem with the automatic controller, ne limit switch malfunction failed to pick-up the relay, which provides the ramp switch signal to the Woodward controller. This resulted in the controller not responding to speed demands. He automatic controller failure caused flow, speed, and pressure oscillations. The controller was shifted to manual, and turbine performance parameters stabilized. The LER did not state a cause or corrective action for the controller failure in hutomatic. However, based on other plants experiencing similar problems, the failure could have been the result of excessive feedback.

He turbine govemor failures were the result of a failed diode in the magnetic pickup module and a loose mechanical trip linkage. The failed diode caused an overspeed trip of the turbine. The diode failed as a result of higher than normal amperage conditions over a period of years. The high amperage was caused by a bent internal pin connection inside the module, which prevented a good power supply connection. The loose mechanical trip linkage caused the RCIC turbine to trip on three start attempts. He loose trip linkage resulted from repeated closing of the trip and throttle valve, normal system vibration, and a slight rounding of the tappet nut latching surface. Additionally, a substance (possibly from a joint sealing compound) was 48

found in the tappet guide of the tappet and ball assembly. This caused a sluggish reset action, resulting in j

improper resetting of the trip and throttle valve. The substance may have contributed to the turbine tripping at 200 to 500 rpm below the trip setpoint.

The failure associated with the turbine steam supply was a result of the valve failure to open on the start sequence. He cause was an undersized motor-operator and the normally closed position of the valve.

Plant design required the valve to be closed, which was unique to the plant. The plant design was changed to require the valve to be normally open to correct the cause of the failure.

Factors Affecting Reliability during Long Term Missions-In addition to the maintenance-out-of-service and failure to start events observed in the short term missions, three other failure modes were observed in the long term missions. These three failure modes are failure to run, failure to restart, and failure to transfer during recirculation. During short term system operation, typically with normal feedwater available, the RCIC system is not likely to experience these failure modes because, once RCC restores normal vessel level, the feedwater system will maintain level and the RCIC system is shu: down. awever, when normal feedwater is not available or when the reactor vessel is isolated, safety relief valves are cycled or the HPCI system is operated in the pressure centrol mode to maintain vessel pressure within desirable limits. As a result, the water level in the reactor vessel lowers because of continued steam generation by decay heat. With the continued lowering of vessel level, the control room operator could manually initiate I

the RCIC system and restore reactor vessel level. Once level was restored, the operator can divert RCIC flow back to the CST through the test-return line MOV, or as an altemative, the operator can allow the

(

system to automatically cycle on and off between the high and low reactor vessel water level setpoints. In either case, long term operation of the system can result in failures to run and either repeated starts and possible failures to restart, or flow diversion and possible failure of the Mst-return-line MOV in the open position.

There were two failures that contributed to ttr i.Jlure to run probability, and these were associated with the flow controller and an isolation of the turbine steam supply during turbine operation. He flow l

controller faRure caused the turbine to trip, which was recovered by operator action. The trip was attributed i

to operator error in the adjustment of the RCIC flow controller before switching from manual to automatic mode. The isolation of the mrbine steam supply was the result of the high room delta-T instrument indicating a steam line leak; however, no leak existed. The cause of the high room delta-T was excessive room cooling resulting from low service water temperatures. He isolation was not recovered by operator actions. The isolation of the turbine steam supply was not identified as a major contributor to system unreliability in the PRA/IPEs reviewed for this study There were four failures that contributed to the failure to restart probability, and these failures were the result of hardware problems. As discussed previously in Section 3, the restart failure probability is twice that of the failure to start probability. The mechanism of the failures that contributed to the failure to restart probability is different than the mechanism of the failures that contributed to the failure to start probability. This difference in the mechanism of the failures may indicate a potential reason for the difference in failure probabilities. Specifically, speed control problems contributed to a majority of the l

failures to start, and valve-related problems contributed to a majority of the restart failures. He speed control problems caused the turbine to trip on initial start or caused flow and pressure oscillations that resulted in the need for operators to take manual control of the system. However in contrast to the failures to start, the restart failures were, in three out of the four cases, the result of valve failures resulting from cycling the valve.

49 l

l l

i One of ti. valve-related restart failures was a malfunction of the turbine steam supply valve. H valve failed to fully close on a high level trip, and as a result, the turbine tripped on ove j

)

restan. This overspeed trip occurred several times for the same reason during the event and wa by operator actions. (Since the number of restarts and subsequent failures was not prov only one restart and failure were counted in the unreliability analysis.)

He second valve-related restart failure was caused by tripping of the thermal overload devices fo turbine, with the throttle valve being tripped on the founh restart attempt (this failure was no operator actions). The thermal overload devices would not reset to allo'w subsequent system starts. No i specific cause for the tripped thermal overload devices was identified in the LER.

The other valve-related restan failure was the result of a failure of the injection MOV to function properly. During the event the RCIC system tripped on high reactor vessel water level; however, the injection valve exhibited stem binding and overloaded the motor-operator, tripping the breaker with the valve partially open. With the valve partially open, the subsequent system restan resulted in only a smj amount of flow to the reactor vessel. Operators did not recover the system for this event. In addition to this 1

RCIC injection valve failure, the HPCI system did not function as designed and had to be controlled manually throughout the loss of feedwater event.

The fourth restart failure (not valve-related) was associated with the turbine and was the resu

^

condensate in the steam lines that could not be drained fast enough through the drains lines. The condensate flashed to steam as the steam supply valve was opened and caused a high exhaust pressure trip of the turbine (this event was recovered by operator actions). This type of turbine trip would normally be expected during a cold quick-start, and not during a hot start. Even though the high exhaust pressure trip functioned properly, bursting of the turbine exhaust mpture discs from high pressure could have failed the system for the duration of the event. A review of the PRA/IPEs indicated that turbine exhaust failures due to this mechanism are not identified as contributing to the system failure probability.

The events that contributed to the failare to transfer during recirculation were the result of hardware-related problems associated with the test-retum line MOV. In both of the observed failures, the test-retum line MOV failed to fully close on demand, resulting in a significant reduction of flow to the vessel. In each case the failure of the system was recovered by dispatching an operator to locally close the MOV or close a second manual valve in the test-retum line in one of these events, the loss of RCIC flow was compounded by a concurrent loss of HPCI due to failure of the HPCI injection MOV to open on demand.

Factors Affecting Reliability During Surveillance Tests-During the performance of cyclic surveillance tests only three failures of the RCIC system were observed. These three failures contributed to the FTSO failure mode and were the result of hardware and procedural problems. Two of these failures were associated with the flow controller and the other failure was associated with the turbine exhaust check valve. One flow controller problem was caused by the proportional band being too narrow. A small change in the controller output caused large fluctuations in the process variable, which produced offscale flow oscillations. The other flow controller failure occurred at the same plant during the next cyclic test and was the result of the same proportional band adjustment problem. The failure of the exhaust check valve in the RCIC turbine exhaust line resulted in a turbine trip immediately after initiation, with the trip being due to high exhaust pressure. Several repeated start attempts also resulted in an immediate turbine trip on high exhaust pressure. Investigation revealed that the disk of the check valve had broken away from the disc arm 50

and lodged in the valve body, thus restricting turbine exhaust flow. In contrast to the above FTSO failures, there were no failures found during the performance of cyclic tests that contributed to the FTR failure mode or any other failure mode.

During the performance of other smveillance tests (quarterly, monthly, etc.), there were 37 failures of the system. Of these 37 failures,34 were associated with either the FTSO or FTSV failure mode, and only three were associated with the FTR failure mode. Hardware-related problems associated with the turbine governor and steam line MOV contributed to most of these failures.

Analysis of the mechanisms that caused the govemor failures indicated that governor problems were i

primarily caused by electrical-related malfunctions, with one exception. On three occasions, at the same plant, the govemor valve experienced sticking between the valve stem and the carbon packing spacer rings.

This failure has not recurred since 1992. Examples of the mechanisms that caused the electrical malfunctions of the governor are: a failed transistor in the control valve circuit, improper calibration of the governor controller, faihire of the speed control actuator, and a broken speed sensor for the control logic.

Analysis of the mechanisms that caused the steam line MOV malfunctions indicated that these failures were caused by diverse and unrelated hardware problems; however, one plant did have five failures of this valve to open in one year, all of indeterminate cause. This plant's design has been changed such that a nonnally-open valve is used rather than a normally-closed valve. No additional failures have been reported at this plant. Other than some personnel errors, the causes of the steam line MOV malfunctions were split between electrical and mechanical hardware failures. The largest number of malfunctions were the result oflimit switch or torque switch failures. Examples of other failures include: grounded circuits due to water intrusion, corrosion buildup between the stem and stem nut, a broken disk retainer pin, MOV breaker trip due to valve hydraulic lock, and a motor-operator detached from its yoke because of loose cap screws.

Overall Factors Affecting System Reliability-Overall, for the unplanned demand failures, malfunctions associated with controlling system flow under varying flow rates coupled with personnel errors in operation of the flow controller are the major contributors to system unreliability. System failures that occmTed during long term operation of the system represent a significant contribution to system unreliability. These restart and recirculation failures are generally not modeled or are only vaguely mentioned in the PRA/IPEs; however, they collectively represent 43% of the system unreliability. In addition, the restart and recirculation failures are not observed during the performance of surveillance tests, indicating that long term operation, as assumed to occur during a loss of feedwater or vessel isolation, is not well mimicked during surveillance tests.

Comparison of the Operating Experience and Surveillance Test Failures--A comparison was made with the failures and failure mechanisms experienced during opemting experiences (unplanned and cyclic test demands) versus surveillance tests (other than cyclic). The results of this comparison indicated that for the FTSO failure mode during operating experiences, problems associated with controlling system flow under varying flow conditions contributed to a majority of the failures, while during other surveillance tests, failures from other mechanisms (e.g., steam line MOV and govemor problems) contributed to a majority of the failures. For the FTR failure mode, a meaningful comparison was not possible due to the sparse number of FTR events observed in the data.

51

i Other Factors-Failures discovered by means other than during the performan isolation logic circuit. A review of these instrumentatio failures primarily occurred as a result of failed process detectors. These fail by control room annunciators and other system indications available to plant operators.

While a few isolation logic malfunctions were caused by procedural problems or overwhelming majority have been the result of electrical hardware failures.

The largest number have occurred from temperature sensor / switch malfunctions.

disables the system from initiating when given a tenns ut numbers of events, because these spurious isolation events are self-annunciated quickly repaired, they do not contribute significantly to the system unreliability.

and therefore 4.1.3 Fotential Common Cause Failure Susceptibility Aeross Systems During the review of the operational data selected for this study, several instance where either a failure or a potential failure ofmore than one component or system are of concem because they indicate a potential for defeating the diversity and re In addition, some of these failures could have defeated the same system at m RCIC systems at Units 1 and 2). The events may not in all cases be commo represent a susceptibility of multiple systems failing to operate when demanded. W one component may have actually failed, the information provided in the LER indicated tha in the same system or across systems as a result of the same mechanism we corrective actions taken by plant personnel were such that preventive measures were systems or components in an effort to lesson the chance of similar failures in the future.

interpreting and classifying the failures, especially acros involved. This section only provides an identification and qualitative review of the ev are generally not modeled or considered in the PRA/IPEs.

ese fail concurrently. Two of these events were observed durin RCIC and HPCI systems.

operations. Two of the events affected the RCIC and HPCI syste 13 provides a listing of these five events, the plants and systems involved, and a brief event.

A review of the events indicated that three of the five events involved motor-oper to operate, one ev.nt involved the steam leak detection circuitry, and one event the turbi Three of the five events were caused by hardware-related problems, and the other two attributed to m. o r tance practices.

52

Two of the motor-operated valve events occurred at the Brunswick site and were attributed to hardware-related failures. The cause of the failures was attributed to heat-related breakdown of the motor-operator windings as a result of high current flow. The high current flows were the result of either (a) attempting to operate the valve against high differential pressures or (b) voltage transients.

The first Brunswick event was found during surveillance testing that affected the RCIC and HPCI system suction valves from the suppression pool for both units. The suction valve failures affect the long term operation of the systems and would contribute to the failure to run probability. These failures have a greater influence on HPCI completing a long term risk-based mis, ion than RCIC, because the long term mission requirements for RCIC do not in all cases require a suction source from the suppression pool.

Specifically, during a vessel isolation event or loss of normal feedwater, the water source from the condensate storage tank (normal supply) would be sufficient to mitigate the consequences of the event.

The other Brunswick event occurred at Unit 2 during an unplanned demand of both the RCIC and HPCI systems. Both systems were needed to mitigate the consequences of a reactor vessel low-level condition following a reactor scram when feedwater was not available. In both cases the systems were being used to reduce reactor vessel pressure, and a motor-operated valve failed to reposition to allow subsequent injection of coolant to the reactor vessel. In this event the HPCI injectior. valve failed to open l

and was not recovered, and the RCIC test return-line valve failed to close, diverting flow from the vessel.

The RCIC valve failure was recovered when operators shut another valve in the test retum line, thereby re-establishing flow to the vessel. This event was selected for the ASP program for analysis and was assigned a CCDP of 2.4E-4.

The other motor-operated valve event occurred at the Quad Cities site during monthly surveillance testing and involved the RCIC and HPCI system for both units. The improper torque switch settings of 14 motor-operated valves in these systems were identified. He valves included the pump suctions (normal and altemate) and discharge, and test return-line isolations. The torque switch settings were such that the valves would not open under a differential pressure. The pump discharge and test retum-line 5alves could I

be subjected to multiple cycling against a differential pressure during a vessel isolation or loss of normal feedwater event. These two events typically do not require continuous injection, and operators could be switching modes of system operation (i.e., recirculation / pressure control or injection) as necessary to control reactor vessel water level or pressure. Failure of these valves to operate would have resulted in a loss ofinjection by flow diversion through the test retan line.

A steam leak detection system failure was caused by intemal problems with test switches that resulted in the spurious isolation of the RCIC, HPCI, and RWCU systems during routine plant operations at Duane Amold. Troubleshooting of the steam leak detection system switch panel revealed that a light tapping of the input and output leads for the test switches would result in switch actuation. Because the isolation l

rignal logic is a one-out-of-one circuit, any one switch actuation would induce a short spurious actuation signal that would result in a system isolation. The switches were replaced and a modification was installed in the system to increase the time delay from one to three seconds to prevent the spurious short-duration signals from isolating these systems.

53 l

~ ^~

i k

(

Table 13. Potential common cause failure susceptibility across systems.

Plant nsme Event date LER numixr Systems involved Description

)

liruns'vick I&2 12/3I/87 32387023 RCIC,itPCI he RCIC turbine steam supply and ilPCI pump suction DC motor operators failed dunn 3258801i Units I & 2 surveillance test due ta voltage transients caused by opening the power supply breaker to the mo of the motor-operators. To prevent additional failures, surge sup control circuitry for DC motor operators at both units.

13runswick 2 01/05/87 32487001 RCIC, llPCI An automatic reactor scram occurred as a result of a primary lockout trip of the main ge scram recovery, the RCIC test retum-line motor-operated valve failed in the open position and the IIPC injection motor-operated valve failed in the closed position. De failure of both these valves n systems inoperable for reactor vessel injection. He motor operator was replaced on the IIPCI in valve, and the RCIC test retum-line valve stem anti-rotation device was replaced.

Duane Amold 02/24/89 33189006 RCIC,IIPCI, An isohtion of the RCIC system occurred due to a spurious signal from the stern leak dete Reactor water Troubleshooting determined the cause to be a ncady broken thermocouple wire or a detectio cleanup (RWCU) 03/02/89, an isolation of the IIPCI system occuntd as a result of a spurious signal from the s'eam de*cction sy:: tern. Troubleshooting revealed an intemal problem within the test switches and the thermocouple wires on the detection modules. The test switches were replaced for the 1IPCI R WCU system steam leak detection systems.

Pilgrim 09/02/90 29390013 RCIC,llPCI An unplanned manual reactor scram was mitiated at 60% reactor power in response to ditilculties experienced in controlling reactor vessel water level. During the event, the RCIC system was declare inoperable as a result of the turbine tripping on three start attempts. The trips were caused by mechanical overspeed trip linkage. The llPCI system also experienced two overspeed turbin attempts. The exact cause for the IIPCI overspeed trips was not identified in the LER. In addition, t RCIC suction piping experienced a pressure transient as a result of the injection check valv seating aller the second start attempt.

Quad Cities I A2 01/2$/88 25488003 RCIC,liPCI While performing the monthly motor-operated valve surveillance te=t for the RCIC system at U Units I & 2 pump discharge valve would not open on the first two attempts. He valve did open on the t Investigation revealed that the turque sw;tch bypass limit was set too close to the full closed setpoint of the torque switch prevented the valve from opening under a differential pressure switch bypass limit setpoints were adjusted for 13 additional motor-operated valves Rir the Unit i Unit 2 IIPCI and RC!C systems.

54 I

he turbine governor problems were maintenance related, and affected the HPCI and RCIC systems during startup attempts from an unplanned demand at Pilgrim. The systems were needed to maintain reactor vessel level following a manual reactor scram initiated as a result of difficulties in controlling water level. The RCIC governor problem that resulted in three overspeed trips during start attempts was discussed earlier in Section 4.1.2.

The HPCI turbine experienced two overspeed trips on start attempts. Flow oscillations were also observed with the flow controller in ntomatic while in the pressure control mode of operation. He cause of the turbine trips was attributed to the oil relay pilot supply valve being open to a position different than that specified by the vendor. Additionally, there were organic impurities and a significant amount of water in the turbine oil. Each of these factors may have contributed to the turbine trips. The cause of the flow oscillations was attributed to two factors: the design of the flow control system and the position of the EG-R hydraulic-actuator-needle valve. The LER specified that the flow controller was not designed for low flow conditions, only full injection flow. Also, the needle valve was found one complete turn open, instead of one-quaner tum open as specified by the vendor. The improper needle valve position caused the turbine to respond too quickly to flow changes (excess feedback). This event was selected for the ASP program for analysis and was assigned a CCDP of 8.4E-5.

4.2 Plant-Specific Evaluation Table 14 shows the following information for each plant: operating years during the study period, number of faults, number of failures, number of unplanned demand events and restarts, and the frequency of failures, unplanned demand events, and restarts per unplanned demand event. As used here, afrequency is simply an event count divided by the number of operating years. The number of failures listed in Table 14 does not include the one event where the system was out of service for pre-planned maintenance when a demand occurred.

The reader is cautioned when comparing the individual plant data to the reliability estimates provided in Section 3. Plant-specific estimates derived solely from the failure and demand data at a panicular plant may produce results that differ from those presented in Section 3. Here are several reasons for this, two of which are the sparse data associated with RCIC system performance at individual plants and the ability to recover from RCIC system failures. Although, sparse data alone do not create differences between the best estimates of unreliability presented in Section 3 (which are calculated using Bayesian statistics) and what can be calculated if only the individual plant data were used (that is, using classical statistics). Sparse data provide the opportunity for rare or atypical performance to overly influence any unreliability estimate that is based solely on the plant-specific data. (Note that in the long run the atypical high reliability performance will be balanced out by atypical low reliability. " Sparse data" is defined here such that the RCIC system experience is not sufficient to allow the data to converge on the true unreliability.) This atypical data can result in the unreliat ility estimate either overpredicting or underpredicting the true unreliability of the RCIC system. Of course it is impossible to determine absolutely whether or not the sparse data are atypical of the Nevertheless, to true system performance; maybe the system really is as reliable as the data suggest.

minimize the chance of producing non-representative estimates based on sparse data, the best estimates presented in Section 3 are calculated using Bayesian statistics that use all knowledge of RCIC performance across the industry.

55

~

Table 14. RCIC faults, failures, and unplanned demands differentiated by plant.

Plant name Opummg faults failures Failure Unplanned Unplanned years frequency demandsa demand Browns Ferry 2 2.25 0

2 0.89 0/0 0.00'0.00 frequencyb Brunswick 1 3.83 1

2 0.52 4/1 1.04/0.25 Bnmswick 2 4.59 3

3 0.65 10/6 2.18/0.60 Clinton 4.87 0

3 0.62 2/14 0.41/7.00 Cooper 5.64 0

3 0.53 8/0 1.42/0.00 Duane Arnold 5.63 1

2 0.36 4/0 0.71/0.00 Fermi 2 5.55 1

2 0.36 5/0 0.90/0.00 FitzPatrick 4.49 0

5 1.11 4/0 0.89/0.00 Grand Gulf 6.10 2

3C 0.49 14/1 2.29/0.07 Hatch I 5.89 0

3 0.51 12/12 2.04/1.00 Hatch 2 5.97 0

1 0.17 12/2 2.01/0.17 Hope Creek 6.15 0

1 0.16 8/l 1.30/0.13 LaSalle 1 5.44 7

11 2.02 2/0 0.374.00 LaSalle 2 5.21 7

4 0.77 1/1 0.19/1.00 Limerick 1 5.70 4

1 0.18 2/0 0.35/0.00 Limerick 2 3.85 1

0 0.00 1/0 0.26/0.00 Monticello 6.28 0

1 0.16 2/0 0.32/0.00 Nine Mile Pt. 2 4.47 0

3 0.67 6/0 1.34/0.00 Peach Bottem 2 3.97 0

1 0.25 2/0 0.50/0.00 Peach Bottom 3 3.$4 0

0 0 00 4/0 1.13/0.00 Perry 5.00 1

10 2.00 9/0 1.8at.00 Pilgrim 3.85 6

10 2.59 4/3 1.04/0.75 Quad Cities 1 5.53 7

10 1.81 1/0 0.18/0.00 Quad Cities 2 5.44 4

5 0.92 2/0 0.37/0.00 River Bend 5.29 1

1 0.19 3/0 0.57/0.00 Susqueharma 1 5.67 0

0 0.00 2/1 0.35/0.50 Susquehanna 2 6.05 0

0 0.00 2/0 0.33/0.00 Vermont Yankee 6.22 1

3 0.48 1/1 0.16/1.00 Wash. Nuclear 2 5.07 2

2 0.39 6/3 1.18/0.50 Industry 147.56 49 92 0 62 133/46 0.91/0.35 a The fust value conesponds to the omnber ofevents, and the second value conesponds to the number o evems.

c. The number of events listed excludes the one MOOS event that had at this plant.

The second issue to consider when reviewing the individual plant experience is the p recovering fmm a RCIC system failure. Industry-wide, there were several opponunities in personnel, due to circumstances of the particular events, attempted to recover the RCIC system failure event. In about half of these instances, the recovery was successful. Conseque 56 l

l estimates presented in Section 3 include the likelihood that the failure events will be successfully recovered, l

whereas the results of individual plant-specific comparisons presented in Section 4 do not necessarily include consideration of recovery.

The unplanned demand and failure frequencies are plotted in Figures 17 and 18, respectively. The data plotted in Figure 17 for unplanned demands are for events only and do not include restart demands. To account for plants with no failures or unplanned demands, Bayes statistical techniques were used to estimate the failure and unplanned demand frequencies shown in the figures. In each plot, the plant-specific point estimate is shown with the 90% uncertainty interval. As the data in Table 14 indicate, a small percentage of plants account for many of the failures and unplanned demands. Specifically,47% of the failures occurred at 14% of :he plants (LaSalle 1, Peny, Pilgrim, and Quad Cities 1). Furthennore,53% of the unplanned demands for RCIC occurred at 24% of the plants (Brunswick 2, Grand Gulf, Hatch I and 2, and Perry).

7 Because the plants with high failure frequencies do not necessarily have high demand frequencies, Figure 19 shows the two frequencies from Figures 17 and 18 plotted on the two axes of one graph. The points that are far from (0,0) in this graph are labeled with the plant name. To avoid clutter, points in the lower left are not labeled. Any point in the upper right of the graph corresponds to a plant with both a high failure frequency and a high frequency of unplanned demands. Based on the data displayed in Figure 19, eight plants were selected for detailed review of their failure and unplanned demand data: Brunswick 2, Grand Gulf, Hatch I and 2,'LaSalle 1, Perry, Pilgrim, and Quad Cities 1.

Brunswick 2-Brunswick 2 has a relatively high frequency associated with unplanned demands as compared to the industry average. The demands were primarily associated with reactor scrams. The plant had a low frequency of failures. Brunswick 2 reported only three failures. However, two were observed during unplanned demands. One of the unplanned demand failures had a concurrent HPCI failure and was selected for ASP analysis; the resulting CCDP was 2.4E-4. One of the two unplanned demand failures contributed to the failure to transfer from recirculation (this faihire was recovered by plant operators), and the other was a failure to restart. The failure to transfer from recirculation was the result of a hardware failure of the test-retum-line MOV. The failure to restart was the result of the thermal overload devices for the trip and throttle valve being tripped on the fourth restart attempt. The other failure was the result of a malfunction in the steam leak detection circuit, which caused a steam supply isolation when the system was in standby. Brunswick I reported only two failures, none of which were observed during an unplanned demand or cyclic surveillance test. Both failures were unrelated hardware problems associated with the steam leak detection system and the turbine governor.

t 57

H Frequency and Bayes interval Browns Ferry 2 Brunswick 1 Brunswick 2 l

Clinton e-I Cooper Duane Arnold Fermi 2 FitzPatric.k Grand Gulf l

Hatch 1 Hatch 2 l

Hope Creek LaSalle 1 LaSalle 2 Limerick 1 Limerick 2 Monticello Nine Mile Pt. 2 Peach Bottom 2 Peach Bottom 3 -

l:

Perry -

Pilgrim -

Quad Cities 1 I

Quad Cities 2 River Bend -

Susquehanna 1 I

Susquehanna 2 Vermont Yankee

[

Wash. Nuclear 2 l

Industry mean i

~

t i

1 l

l 1

1 0.00 0.50 1.00 1.50 2.00 2.50 3.00 3.50 4.00 Unplanned demand frequency Figure 17. Plant-specific unplanned demand events per operating year with 90% B..yesian intervals 58 i

H Frequency and Bayes interval Browns Ferry 2 '

,e Brunswick I

l Brunswick 2 -

5-6 Clinton L Cooper - +-* ;

Duane Arnold l

Fermi 2 FitzPatrick -

Grand Gulf -;

e, e'

Hatch 1 - ;

Hatch 2

.l Hope Creek

-e-LaSalle 1 -

l LaSalle 2 -

l:

Limerick 1 1

i Limerick 2

+-

Monticello e

'l Nine Mile Pt 2 Peach Bottom '

Peach Bottom 3

+--

Perry l

Pilgrim l

Quad Cities 1 e

Quad Cities 2

{

River Bend Susquehanna 1 l

Susquehanna 2 e-Vermont Yankee Wash. Nuclear 2 Industry mean

~. _

0.00 0.50 1.00 1.50 2.00 2.50 3.00 3.50 4.00 4.50 5.00 Failure frequency Figure 18. Plant-specific RCIC system failures per operating year with 90%

59

~

~

3.00 Note: ne plot represents the failures observed by all methods of discove.fc versus all 2.50 e Pilgrim unplanned demands, not the failures that occurred during unplanned demands.

0 2.00

• LaSalle i C

y e Perry e Quad Cities 1 O'

1.50 e

3 1.00 e

e e

0.50 e

o Brunswick 2 11atch I e e

e Grand Gulf

.e 0.00

=

e Hatch 2 O.00 0.50 1.00 1.50 2.00 2.50 3.00 Unplanned demand frequency j

Figure 19. Plant-specific unplanned demand event frequency versus pl ant-specific failure frequency.

l 60 1

Grand Gulf-Grand Gulf has a relatively high frequency associated with unplanned demands as compared to the industry average. The demands were primarily associated with reactor scrams. The plant reported four failures, of which one was a MOOS event in 1989. The system was out of service for an instrumentation surveillance test when a lightning strike on an offsite power line resulted in a reactor scram and low RPV water level condition. This event was selected by the ASP program for analysis, the resulting CCDP was 1.2E-6. The other three failures at Grand Gulf were associated with the instrumentation for the steam leak detection circuit. These failures resulted in system isolations while in a standby status. These three failures were observed in 1992 (1) and 1993 (2).

Hatch Units 1 and 2-Hatch Units 1 anel 2 have relatively high demand frequencies as compared to the industry average. While the site only reported four failures during the study period, all four failures occurred during unplanned demands (three at Unit I and one at Unit 2). Two of the events were classified as faihres to start and the other two as failures to restart. The failures were observed from 1987 through 1991. A review of the individual failure events indicated that all four failures were hardware-related l

failures. The two restan failures occurred at Hatch Unit I and both involved malfunctions of MOVs, specifically the turbine steam supply and coolant injection valves. He turbine steam supply valve failure was the result of set screws backing out of the stem for the torque switch, which caused the valve to partially close (this was the only event at Hatch that was recovered). The injection MOV failure was the result of a blown fuse in the valve actuator control power circuit. His interrupted power to the valve, thus preventing valve operation. When the injection valve failed, the HPCI system malfunctioned in the automatic mode and had to be controlled manually. He third failure at Hatch Unit I was attributed to an electrical malfunction of the turbine go emor; specifically, a failed EG-M pickup module caused an overspeed trip of the turbine. The RCIC f tilure sbserved at Hatch Unit 2 was a flow control malfunction.

This failure prevented RCIC injection to tne RPV. The failure was due to a failed switch on the flow control valve that provides the ramp switch signal to the Woodward controller. This resulted in the controller not responding to speed demands. All four of the RCIC failures were events selected for ASP analysis. These events had CCDPs that ranged from 7.7E-6 to 2.0E-5. Each of the events included a loss of feedwater or offsite power that contributed to the CCDP value.

LaSalle Unit 1-LaSalle Unit I had a relatively low unplanned demand frequency, and a failure frequency that is relatively high as compared to the industry average. There were no failures reponed during unplanned demands or cyclic surveillance tests. However, there were eight reponed failures during the perfonnance of quarterly surveillance tests. Seven of these eight failures were attributed to failures in the turbine and turvine control subsystem. Seven of the eight were classified as failures to start. The one failure to run was caused by a failure of the govemor. Most of the failures were caused by hardware-related problems that occuned at a frequency of one or two per year throughout the study period (with the exception of 1993, where five failures were observed). While LaSalle 1 experienced a relatively high failure frequency, LaSalle Unit 2 reported only f;ur failures. One failure occurred during an unplanned demand and was classified as a failure to restan. This event at LaSalle Unit 2 was selected by the ASP program for analysis and was estimated to have a CCDP of 6.lE-6. The three other failures were found during quanerly surveillance tests. The failures were observed in 1992 and 1993. The failures at LaSalle Unit 2 were all hardware-related problems different from those observed at LaSalle Unit 1. The failures at LaSalle Unit 2 were associated with the flow controller and steam line MOV.

Perry-Perry has plant-specific failure and unplanned demand frequencies that are relatively high as compared to the industry averages. Of the ten failures reponed at Perry, two contributed to system unreliability. Both failures occurred during an unplanned demand. One failure was the result of an 61

isolation of the turbine steam supply caused by a high room delta-T instrument indicat however, no leak existed. The cause of the high room delta-T was excessive room co l

low service water temperatures. The isolation was classified as a failure to run and wa operator actions. The other failure was a failure to start event caused by a malfunction of th valve to open. This was a design problem that was corrected by changing the valve configuratio normally closed to normally open. Both of the unplanned demand failures at Perry were selected for A analysis, and the events were assigned CCDPs of 1.4E-6 and 6.6E-6, respectively.

The other eight failures all occuned in 1987. Five of the failures were reoccurring problems with the steam supply line MOV that were corrected. Three were recurring problems with the steam leak detection system that were corrected, and one was a result of a personnel error. The recurring failures of the steam supply line MOV and steam leak detection circuit were all problems occurring shortly af+er receivi low-power license. The unplanned demands that occurred at Perry were distributed throughout t period and were typically a result of feedwater problems resulting in reactor scrams.

Pilgrim-Pilgrim has a relatively high failure frequency as compared to the industry average. A review of the factors contributing to the system unreliability indicated that two failures were observed during unplanned demands (no cyclic surveillance test failures were observed). Both of the unplanned i

demand failures at Pilgrim were selected by the ASP program for analysis. In these events the RCIC failure i

occurred concunent wii a HPCI failure or a loss of offsite power. The resulting CCDP for these events was 8.4E-5 and 1.2E-4. The failures during unplanned demands at Pilgrim were classified as failures to One fr.ilure was attributed to an improper manual start sequence as specified in the operating start.

procedure and/or a loose mechanical overspeed trip. This failure was not recovered by operator actions.

The other was the result of the operator not opening the injection valve as specified in the procedure for a manual start (the location of the flow element contributed to the failure). This failure was subsequently recovered.

A review of the individual failure events (all 10 reported failures) for Pilgrim indicated approximately 60% of the failures can be attributed to personnel error or procedure problems. The other 40% were hardware-related malfunctions. These failures occurred on an average of about two per year from 1990 through the end of the study period, with four failures occurring in 1993. The failures at Pilgrim primarily contributed to the FTSO failure mode. The failures were found in all subsystems (except the coolant piping and valves subsystem) and included failures of the govemor, the trip throttle valve, the steam supply MOVs, the flow controller, and the steam leak detection instmmentation.

Quad Cities 1-Qud Cities I has a failure frequency that is relatively high as compared to the industry average, and a relatively low unplanned demand frequency. All ten failures that were observed at Quad Cities 1 occurred from 1987 through 1991. Only one unplanned demand occurred during this review period. A review of the operating data for these years indicated that about half of the failures were caused by malfunctions of either the pump discharge or steam supply valves. Examples include torque switches set wrong, dirty limit switch contacts, binding of the torque switch cam, and contacts failing to close due to the roller binding.

Even though Quad Cities 2 had a relatively low failure frequency of 0.92 and a relatively low unplanned demand frequency (0.37), three of the five observed failures contributed to the unreliability l

estimate provided in Section 3. Of these three failures, one was observed during an unplanned demand, and two were observed during the performance of cyclic surveillance tests. These failures were all classified as 62

failures to start. He unplanned demand failure was the result of operator error in starting the system during a loss of feedwater event. He operator inadvertently tripped the turbine during the start sequence. The trip was reset and the system was manually restaned several minutes later. Both of the reponed failures that occurred during cyclic surveillance tests were associated with the flow controller. One flow controller problem was caused by the proportional band being set too narrow. A small change in the controller output caused large fluctuations in the process variable, which produced offscale flow oscillations. The other flow controller failure occurred during the next cyclic tett (two years later) and was the result of the same proportional band adjustment problem.

4.3 Evaluation of RCIC Failures Based on Low-power License Date To determine if the age of the plant affects RCIC performance, a trend of plant-specific total failures per operational year was plotted against the plant low-power license date. He failure frequency for a plant was estimated as: (number of failures)/(number of plant opemtional years), with plant operational years estimated as described in Section A-13 of Appendix A. The fregaencies and 90% Bayesian intervals are plotted in Figure 20. A fitted trend line and 90% confidence band on the fitted line are also shown in the figure. A similar plot based on unreliability for short term missions was presented earlier in this report (Figure 7). Shown in Figure 20 noticeably it is not statistically significant (P-value = 0.17). Specifically, there was no correlation observed between the plant's low-power license date and the frequency of failures per operational year. The average number of failures per operating year was 0.62, and this average i

frequency was observed for plants licensed from 1970 through 1990. Two plants licensed in the 1970s (Pilgrim and Quad Cities 1) and two plants licensed in the 1980s (LaSalle 1 and Perry) had relatively high l

failure frequencies. Considering that about half of the plants in the study were licensed in each time frame (i.e.,1970s and 1980s) having two plants in each time frame with high failure frequencies is consistent with the trend indicated in Figure 20.

4.4 Accident Sequence Precursor Review I

The events identified by the ASP Program (NUREG/CR-4674) were reviewed. He purpose of this review was to relate the operating data to the types of events that resulted in a conditional core damage probability (CCDP) of greater than 1.0E-6. The search for ASP events was limited to the 1987-1993 study period, and included all ASP events in which the RCIC system was identified in the ASP database.

The search resulted in the identification of 31 events in which the RCIC system was mentioned. Of these 31 events, five simply stated that RCIC was available without mentioning any RCIC inoperability or actuation, therefore, only 26 events were analyzed further. The 26 ASP events were evenly distributed over the seven year review period ranging from two events in 1988 to five events in 1987,1989, and 1991.

These events occurred at 17 different plants. Pilgrim, Hatch 1, Perry, and Brunswick 2 each accounted for three events (12% each), Hatch 2 accounted for two events (8%). The other 12 events occurred at twelve I

different plants.

I Twenty-five of the ASP events were related to a demand of the RCIC system; 13 identified a system malfunction during an unplanned demand, and 12 were unplanned demands with no system malfunction. A brief description of the ASP events thzt identified a system malfunction during an unplanned demand is provided in Table 15. He ASP events that identified a RCIC unplanned demand without a system malfunction or a potential need of the RCIC system when it was out of sersice for maintenance are listed in Table 16.

63

I I Plant-specific failure frequency and 90% interval

- Fitted trend line

- 90% Conf. band on the fitted trend 4.00 a.

~

l 3.00 -----1-----~~~~~--------------.

3 1

E 7

T l

- - - - - i - - - - - - - - - - - - - - - - - - - - - - -:;- - - - - - - -,l C

2.00 6

e c.

I l-hi I

?

~ '

g 1.00

- - - - 1 ;- --- -g - - - - - - - - - - - - - - - - -} - - - - -

h

. ~ ~.: *,LE l

- =

h $.-:e.*f t -

T

~ T '~

w 0.00

" 2 1,_

1970 1974 1978 1982 1986 1990 Low-power license date The decreasing trend is not statistically significant (P-value =

The ASP events that identified a demand and subsequent RCIC system malfun ranged from 1.2E-6 to 2.9E-4. No common element was found in the ASP events fo system malfunctioned. The ASP events that indicated that a demand of the RCIC syst primarily initiated or caused by turbine trip events, loss of feedwater events, or l The causes of the RCIC malfunctions were also diverse. Three of from manual to automatic control. Two of the malfunctio open. The remaining eight failures were all for different causes.

from 6.5E-6 to 3.8E-4. Three of the ASP events indicated RPV level as a result of vessel isolation. Three of the ASP events involved use o restore level in response to a main turbine trip event; two events were initiated due to los two events were initiated by loss of offsite power. One ASP event was caused by a loss of and one event was only a partial actuation of the RCIC system, with no injection into the r,

64 l

d

l l

Table 15. Summary of the ASP events in which a RCIC malfunction was identified during an unplanned demand.

Plant name LER Event date CCDP Desenption number Brmswick 2 32487001 01/05/87 2.4E-4 A failure of the voltage regulator caused a turbme tnp, which resulted in a reactor scram and SRV actuations to limit RPV pressure. RCC was started to control RPV level; however it was ineffective because the full flow test line was partially open. During the time ROC system was degraded, HPCI was inoperable due to the injection valve failmg closed. After isolating the RCIC full flow test line, both CRD pumps and RCIC were used to restore RPV level.

Grand Gulf 41689016 11/07/89 1.2E-6 A reactor scram was caused by an electrical spike from a lightning strike. The RCIC system received an actuation signal but was out of service in preparation for surveillance testing. Vessel level was recovered by the feedwater system.

Hatch 1 32187011 07/23/87 7.7E-6 A loss of feedwater resulted in a reactor scram. ROC automatically actuated but tripped on overspeed due to a failure of an electronic component in the electric govemor magnetic pickup module.

Hatch 1 32188018 12/17/88 1.5F-5 A reactor scram occurru! when the turbine tripped due to loss of electrohydraulic control system pressure. After use of the RCIC system, the ROC turbine steam supply valve failed to close fully due to a loose yoke bushing. During subsequent restart of the RCIC system, the turbine tripped on overspeed due to the turbine supply valve previously not going completely closed. The turbine was reset and restaned. 'Ihis scenario was repeated several tunes while safety relief valves were used for pressure control.

Hatch !

32191001 01/18/91 1.1E-5 A loss of offsite power resulted in a reactor scram. HPQ was actuated to restore RPV level, but operated erratically due to a failed speed controller. Turbine bypass valves were used to control RPV pressure.

During subsequent recovery actions, ROC failed due to failure of the injection valve. Injection valve failed when being closed from initial actuation.

Hatch 2 36688017 05/27/88 2.0E-5 A loss of feedwater resulted in a reactor scram. RC'C automatically started but the pump failed to ramp up to full speed due to a failure of a limit switch on the injection valve.

l LaSalle 2 37492012 08/27/92 6.1E-6 A reactor scram occurred when the turbine tripped due to a failed thrust bearing indication. ROC automatically staned but later tripped due to high reactor vessel level. Two subsequent anempts to restart ROC resuhed in trips due to high exhaust pressure caused by water in the l

steam lines downstream from the turbine. The third attempt to stan l

ROC was successful.

Perry 44087012 03/02/87 6.6E-6 A loss of feedwater resulted in a reactor scram. The ROC received an aut^matic actuation signal but didrft initiate due to failute of the steam supply valve to open.

^ ' *

• Penv 44090002 01/07/90 1.4E-6 automatically actuated but tripped after 37 minutes due to high room differential temperature The high differential temperature trip was l

65 l

l

P Table 15. (continued)

Plant name LER Event date CCDP Desenpuon number caused by cooling water flow and the differential temperature tnp set-point set improperly for winter time operations.

Pilgrim 29390013 09/02/90 8.4E-5 A failure in the feedwater control system caused the operators to manually scram the reactor. RCIC manually started but tripped on overspeed. Two more attempts were made, but both resulted in overspeed trips. HPCI was manually started for level control; however, turbine trips on startup and subsequent flow oscillations were noted until the system was taken to manud control. The RCIC trips were caused by an inadequate procedure and looseness in the mechanical overspeed linkage.

Pilgrim 29391025 10/30/91 1.2E-4 A loss of offsite power occurred shortly after the plant was shut down in response to a severe norm. RCIC was manually started but tripped on overspeed when the injection valve was not opened promptly after starting the turbine. RCIC was reset and started; however, starting an RHR pump caused a voltage transient that tripped the RCIC inverter and prevented RCIC from ammmg rated flow. The RCIC system was shut down, the inverter reset, and RCIC started successfully.

Pilgrim 29393004 03/13/93 4.6E-6 A loss of offsite power and reactor scram were caused by a severe storm. RCIC was used several times during shut down for level and 1

pressure control. An overload alarm was received on the RCIC turbine barometric condenser conde usate pump, but it did not affect the operability of the RCIC system.

Vermont 27191009 04/23/91 2.9E-4 A switchyard breaker failure caused a turbine trip and reactor scram.

Yankee RCIC tripped on overspeed due to operator error while switching from manual to automatic control.

i l

Table 16. Listing of the ASP events that identified a RCIC unplanned demand without a system malfunction or a potential need of the RCIC system when it was out of service for maintenance.

Plant name LER number Event date CCDP Brunswick 1 32591018 07/18/91

~

6.0E-5 Brunswick 2 32487004 03/11/87 1.9E-5 Brunswick 2 32489009 06/17/89 3.6E-5 Duane Arnolda 33189003 02/02/89 6.5E-6 FitzPatrick 33389020 11/05/89 13E-5 Hatch 2 36690001 01/12/90 6.0E-5 LaSalle 1 37393015 09/14/93 1.3E-4 Limerick 2b 35389013 12/11/89 1.5E-5 Nine Mile Pt. 2 41091017 08/13/91 3.8E-4 Perry 44093010 03/26/93 1.2E-4 Quad Cities 1 25492004 02/06/92 6.9E-6 Wash. Nuclear 2 39787002 03/22/87 6.5E-6

a. This ASP event was a potential demand of the system when it was out of service for maintenance. However, the I

system did not receive a start signal, nor was it required to inject.

b. ' Ibis ASP event identified a short duration demand of the RCIC system; however, the signal cleared before RCIC l

could start and inject to the RPV.

66

5. REFERENCES 1.

Tennessee Valley Authority, Browns Ferry Nuclur Plant, Technical Specifications, Unit 2, November 28,1985.

2.

Mississippi Power and Light Company, Grand Gulf Nuclear Station, Technical Specifications, October 9,1991.

3.

Niagara Mohawk Power Corp., Nine Mile Point Unit 2, Technical Specifications, July 1987.

4.

Peach Bottom Power Station Units 2 & 3 Technical Specifications, TSCR 93-16.

5.

Pennsylvania Power and Light Company, Susquehanna Steam Electric Station Unit 1, Technical Specifications (TSI), November 28,1990.

6.

Boston Edison Company, Pilgrim Nuclear Power Stetion, Technical Specifications, March 25,1993.

l 7.

Niagara Mohawk Power Corp., Nine Mile Point Unit 2 Final Safety Analysis Report, November 1984.

8.

John R. Boardman, Special Study, Operating Experience Feedback Reliability of Safety-related Steam l

Turbine-driven Pumps, AEOD/S93-02, April 1993.

9, Tennessee Valley Authority, Browns Ferry:luclear Unit 2 Probabilistic Risk Assessment Individual Plant Examination, September 1992.

10. Carolina Power & Li; ht Company, Brunswick Steam Electric Plant Probabilistic Risk Assessment, April 1988, l

11. I1linois Power, Cli>ston Power Station IndividualPlant Examination Final Report, September 1992,

12. Nebraska Public Power District, Cooper Nuclear Station Probabilistic Risk Assessment Inel 1, March 1993.

13. Iowa Electric Light & Power, Co., Duane Arnold Energy Center Individual Plant Examination, November 1992.

14. Detroit Edison, Fermi 2 IndividualPlant Examination (InternalEvents), August 1992.

15. New York Power Authority, James A. Fit: Patrick Nuclear Power Plant Individual Plant Examination, August 1991.

16. Sandia National Laboratories, Analysis of Core Damage Frequency: Grand Gulf Unit 1 Internal Events, NUREG/CR-4550 SAND 86-2084, September 1989.

17. Georgia Power, Edwin I. Hatch Nuclear Plant Units 1 and2 Individual Plant Examination, December 1992.

67

18.

Public Service Electric and Gas Company, Hope Creek Generating Station Individual Plant i

Examination, April 1994.

19.

Sandia National Laboratories, Analysis of the LaSalle Unit 2 Nuclear Power Plant:

Risk Methods Integration andEvaluation Program (RMEP), NUREG/CR-4832, SAND 92-0537,1990.

20.

Philadelphia Electric Company, Limerick Generation Station Units 1 and 2 Indhidual Plant Examination, July 1992.

21.

Northern States Power Company, Monticello individualPlant Examination, February 1992.

22.

Niagara Mohawk Power Corp., Nine Mile Point Unit 2 Individual Plant Examination, July 1993.

23.

Kolaczkowski, et al., Analysis of Core Damage Frequency: Peach Bottom, Unit 2 Internal Events, NUREG/CR-4550, Vol. 4, Rev.1, August 1989.

24.

Cleveland Electric Illuminating Company, Individual Plant Examination ofthe Perry Nuclear Power Plant, July 1992.

25.

Boston Edison Company, Pilgrim Nuclear Power Station Individual Plant Examinationfor Internal Events, September 1992.

26.

Commonwealth Edison Company, Quad Cities Nuclear Power Station Units 2 and 3 Indhidual Plant Examination SubmittalReport, December 1993.

27.

Gulf States Utility Company,1ndividualPlant Examination, River BendStation,1993.

28.

Pennsylvania Power and Light Company, Susquehanna Steam Electric Station Indhidual Plant Examination, December 1991.

29.

Vermont Yankee Nuclear Power Corporation, Vermont Yankee Individual Plant Examination, December 1993.

30.

Washington Public Power Supply System, Individual Plant Examination, Washington Nuclear Plant 2, Rev.1, July 1994.

31.

M. T. Drouin, F. T. Harper, A. L. Camp, Analysis ofCore Damage Frequencyfrom Internal Events:

Methodology Guidelines (Volume 1), NUREG/CR-4550, VI, SAND 86-2084, September 1987.

68

6. UmEX

.24,25,29,31,32,39,41,49,50,51 frequency ix, xvii, 42, 43, 44, 55, 56, 57, 60, 61, 62, 63 A

frequency, failure xvii,57,60,61,62,63 frequency, unplanned demand ix,61,62 Accident Sequence Evaluation Program xix,36 accident sequence precursor xv, xviii, xix,42,48,53,55, I

57,61,62,63,64,65,66 assumptions xxii,6,15,20,24,30,32,36,51 inoperability xv,xxi, xxii,9,10,11,13,14,63 interval, confidence 19 B

interval, uncertainty vi, x, xi, xvi, xvii, 16,20,24,30,31, 33,34,36,39,44,45,46,57 isolation, spurious vi,8,43,52,53 Bayes 19,22,25,30,31,57 Bayes, empirical 19,30 Bayes, simple 19 i

C maintenance out of service xx, xxii, 11,14,17,19,20,22, 24,25,29,31,32,39,56,61 tr.ethod of discovery xvii, xviii,44,45,47,

contributor, major vi, 16,39,49,51 mission, long term v, vi, vm, ix, xvi, xvu,, xxt,4, 5,15,16, 17,18, 22, 23, 24, 25, 26, 27, 29, 39, 42, 49, 51, $3 mission, short term v, vi, viii, ix, x, xvi, xvii, xxi,4,5,15, g

16,18,19,20,21,22,25,27,28,29,42,47,49,63 I

data, pooled - 10,19,27,41 data, sparse 20,42,55 y

demand, full 13,14 distribution, beta 22,25,31 distribution, gamma 31 probabilityrestart xx,25 distribution, prior 27 R

t

- g rate xvii,4,19,30,34,36,38 error, personnel v, vi, 42, 43, 48, 49, 51, 52, 62, 63, 66 error, procedural 43,50,52 S

F Sequence Coding and Searth System xx,1,9,10,12,13 significant ix, x, xi, xvi, xvii, 1,19,27,28,42,44,46,50, failure to recover from recirculation - 17,24,25,27,31 51,52,55,63,64 failure to recover from restart 17,24,25,27,31 start, quick 6,13,41,48,50 failure to recover from run 17,24,25,27,31 system, boundaries 8 failure to recover from start 17,20,22,24,25,27,31 system, We 3 l

failure to restart vi, xix, xxi, 11,17,18,24,25,31,32,39, l

41,43,49,50,57,61 failure to run v, vi, xix, xxi, 11,16,17,18,19,20,22,24, I

25, 29, 30, 31, 32, 34, 36, 49, 51, $3, 61, 62 failure to start v, vi, xvii, xix, xxi, 11,16,17,19,22,25,31, test, cyclic xxi, 10,13,17,18,19,20,24,30,34,43,50,51, 32,34,35,36,37,41,43,47,49,62 57,61,62,63 failure to start due to injection valve xix,17,18,19,20,22, test, monthly 13,53 24,25,31,32,36,51 test, surveillance xxi, xxii, 12,13,30,42,43,44,47,48,50, failure to start other thaninjection valve xix, 17,18,19,20, 51,52,53,54,57,61,62,63,65 22,24,25,31,32,34,36,41,48,50,51,62 time, mission vi, xviii, xxi, xxii, 3,16, 30, 31, 32, 34, 36, 39 failure to transfer during recirculation xix, xxi,11,17,19, time,run 20,29,30,32,36 69

l trend 27 unreliability, recovered 27 1

U i

V unavailability nii,8,16* 32,39 vadability, plant-to-plant - 19,30,36 i

i l

l l

70

l I

i l

l Appendix A RCIC Data Collection and Analysis Methods i

i i

A-1 l

4

.m.me n,

&-6.dse4 areE.4J 4mest-4 S.e4 -e m hhd A4-.-&--.eJ44eem 2*d&

dAL-e-@-,44mJbeJ4-#4,.+a-44 m=

a-44

--52. JA4-AM 24 Mem-MLmm 44 4A M2Wh4 emw s JrM -W da_im4

.h._.A_mA

- g,#444Ai&a s_ Ls,g,64_,,m,_4 k

1 i.

W s

I J.

i 4

6 4

8 i

I o

I

?

s a

s W

I r

f i

A-2

Appendix A RCIC Data Collection and AnalySh Methods To characterize reactor core isolation cooling (RCIC) system performance, operating data pertaining to the RCIC system from U.S. commercial nuclear boiling water reactor plants having RCIC systems were collected.and reviewed. This appendix provides descriptions for the data collection and the subsequent data characterization for the estimation of RCIC system unreliability. The descriptions give details of the methodology, summaries of the quality assurance measures used, and discussions of the reasoning behind the choice of methods.

A-1. DATA COLLECTION AND CHARACTERIZATION The source of RCIC system operating data used in this report was LERs found using the Sequence Coding and Search System (SCSS) database. The SCSS database was searched for all RCIC records for the years 1987 through 1993. To ensure the data set was as complete as possible given the LER reponing requirements, a search was conducted of all the immediate notification repons requ' red by 10 CFR 50.72 for the same time period that mentioned the RCIC system. The immediate notification report search results identified fewer events than the SCSS LER search results. Moreover, the RCIC l

events identified in the immediate notification reports were also captured in the LERs. Also, the immediate notification repons did not contain the detail necessary to conduct a reliability analysis. This being the case, only the LER data were used in this report.

In the subsections below, methods for acquiring the data used in this study are described.

A-1.1 Inoperability Identification and Classification The LER rule (10 CFR 50.73) specifies when events are to be reponed to the NRC. The section most relevant to the reporting of RCIC system inoperabilities is 10 CFR 50.73(a)(2)(v): Any event or condition that alone could have prevented thefulfillment of the safetyfunction ofstructures or systems that are needed to: (A) Shut down the reactor and maintain it in a safe shutdown condition; (B) Remove residual heat; (C) Control the release of radioactive material; or (D) Mitigate the consequences of an accident. However, RCIC is not pan of the emergency core cooling system (ECCS) nor is it normally classified as an engineered safety feature (ESF). Therefore, it is not clear that RCIC is relied upon to perform a safety that would be directly reportable. Nevenheless, all plants with RCIC systems have submitted LERs documenting RCIC inoperabiliGes, with the majority being reported under section (a)(2)(v).

Since it is not normally classified as an ESF, RCIC system actuations are not specifically covered by the event reporting rules [i.e., section (a)(2)(iv)]. However, the RCIC shares low-low reactor water level actuation setpoints with the ESF high pressure coolant injection or high pressure core spray systems (HPCI/HPCS). Event reporting requirements, state that each LER (i.e., HPCI/HPCS actuation report) shall contain a clear, specific, narrative description of what occurred so that knowledgeable readers not familiar with the details of a particular plant can understand the complete event. Thus, any unplanned actuation of RCIC from low-low reactor water level will also result in a reportable actuation of HPCI/HPCS and the report on the HPCI/HPCS should also describe the RCIC system actuation. All A-3

HPCI/HPCS actuations were reviewed in order to verify and count the number of RCIC demands.

RCIC is commonly included in plant technical specifications (TS) because ofits similar function to the ECCS. Therefore, RCIC system failures are directly reportable if the system function is lost fo period that exceeds the TS Limiting Condition for Operation (LCO) or if the reactor complete shutdown in order to correct a RCIC malfunction [i.e., section (a)(2)(i)].

A full function test of the entire RCIC system is nominally to be conducted every 18 months (typically required by TS). This is the basis for estimating RCIC test demands. Corrections to this 18 month cycle are based on information provided in monthly operating reports, and are included to account for shorter of longer operating periods. As mentioned aoove, RCIC failures in general, might not necessarily be required to be reported under section (a)(2)(v). However, the LERs reviewed for this study (i.e., 1987-1995) identified three instances where failures of RCIC were reported during the cyc tests. An engineering and statistical comparison of these failure data (failures and demands) with those identified during unplanned demands indicated that the two data sets were similar and because of this, the cyclic test data were used and pooled with the demand data in the analysis of RCIC reliability. The net effect of not including the cyclic test data due to concems relating to reportability of failures increases the uncertainty of the failure probability estimates without changing the mean value for the system appreciably. These reporting requirement, in combination with the other reporting criteria and the knowledge of RCIC actuations concurrent with reportable HPCI/HPCS actuations, provides a sufficiently accurate sample of RCIC demands and associated failures to make meaningful RCIC demand reliability estimates.

In this report, the term inoperability is used to describe any reported RCIC malfunction. The inoperabilities were subsequently classified asfaults andfailures for purposes of computing reliability estimates. The fault and failure classifications were based on an independent review of the events. 'Ihe termfailure is used to identify the subset of the inoperabilities for which the coolant injection function of the RCIC system is lost. The termfault is used to describe the subset of inoperabilities that are not classified as failures.

A-1.1.1 Failure Classification Each of the LERs 4dentified in the SCSS database search was reviewed by a team of U.S.

commercial nuclear power plant experienced personnel, with care taken to properly classify each event and to ensure consistency of the classification for each event. Because the focus of this report is on risk and reliability, it was necessary to review the full text of each LER and classify or exclude events based on the available information reported in the LER. Specifically, the information necessary for determination of reliability, such as, classification of RCIC failures and faults, failure modes, failure mechanisms, causes, etc. in this report were based on the independent review of the information provided in the LERs.

Two engineers independently evaluated the full text of each LER from a risk and reliability perspective. At the conclusion of the independent review, the data from each independent LER review were combined, and classification of each event was agreed upon by the engineers.

O A-4

Failure classification of the inoperability events was based on the ability of the RCIC system to function as designed. Each LER was reviewed to determine if the system reasonably performed its assigned function. Examples of the types ofinoperabilities that are classified as failures include:

l Malfunction of the initiation circuit, preventing the system from starting automatically.

e J

Malfunction of the injection MOV to open with the turbine operating properly and RPV e

water level at or below the initiation setpoint.

RPV water level at or below the initiation setpoint and the system out of service for pre-planned maintenance.

Malfunction of the flow controller either preventing the system from providing flow to the RPV, or requiring the operator to place the controller in manual because of erratic operation.

Failure of the test return-line MOV to close when demanded.

Spurious closure of the containment isolation valves during system operation.

Turbine overspeed trips on startup.

Personnel error in operation of the flow controller, causing the turbine to trip.

The RCIC events identified in this study as failures represent actual malfunctions that prevented the successful operation of the system. When the RCIC system receives an automatic start signal as a result of an actual low RPV water level condition or a manual start, the system functions successfully if l

the turbine starts and obtains rated speed and pump pressure, the injection valve opens, and coolant flow is delivered to the RPV until the flow is no longer needed. Failure may occur at any point in this process.

For the purposes of this study, the following failure modes were observed in the opemting data:

i l

Maintenance-out-of-service (MOOS) occurs if, due to maintenance, the RCIC system is prevented from starting during an unplanned demand.

Failure to start (FTS) occurs if the system is in service but fails to automatically or manually start, obtain rated speed in the turbine, develop sufficient injection pressure, and provide flow to the reactor pressure vessel.

Failure to run (FTR) occurs if, at any time after the system is delivering sufficient coolant flow, the RCIC system fails to maintain this flow to the RPV while it is needed.

Failure to restart (FRS) occurs if, during an unplanned demand after a successful start and run to restore RPV level, the RCIC system is shutdown (manually or as a result of a high level trip), and subsequently the system is demanded to restart (automatically on low vessel level or manually) and fails to restart. The failure to restart can occur on any restart attempt.

Failure to transfer during recirculation (FRC) occurs if, during an unplanned demand of the system, the test return-line MOV is opened to divert flow from the RPV to the CST and subsequently fails to close, or the injection valve fails to re-open, resulting in no flow to the vessel for level restoration.

l Recovery of faihtres is important and was considered when estimating system unreliability. To recover from a failure, operators have to recognize that the system is in a failed state, restart it without performing maintenance (for example, without replacing components), and restore coolant flow to the RPV. An example of such a recovery would be an operator (a) noticing that the injection MOV had not opened during an automatic start of the system, and (b) manually operating the control switch for this I

valve, thereby causing the MOV to open fully and allow rated coolant flow to the RPV. Recovery for the other failure modes is defined in a similar manner. Each failure during an unplanned demand was evaluated to determine whether recovery by an operator occurred.

A-5

In addition to the failure mode data, other information concerning the event was collected from the detailed review of the full text of the LER:

The plant conditions at the time of the event (e.g., power operations, hot / cold shutdown, or refueling).

For events classified as failures to run, the run time before the failure.

The immediate cause of the event (e.g., hardware, personnel, or procedures)

The subsystem and component involved.

e The method of discovery of the event (unplanned demand, surveillance test, other routine plant operations), and for surveillance tests, the test frequency.

For the events not classified as failures, the analysis section of each LER provided information to aid in determining if the system would have been able to perform as required even though the system was not operable as defined by plant technical specifications. As an example, the LER may have been submitted specifically for the late performance of a technical-specification-required surveillance test. His event would be classified as a fault and not a failure in this study. His classification is based on the judgment that given a demand for the system, the system would still be capable of functioning as designed.

Moreover, plant personnel typically would state in the LER that the system was available to respond and that the subsequent surveillance test was performed satisfactorily. If the system failed the subsequent surveillance test the event would have been classified as a failure.

In addition, administrative problems associated s ith RCIC were also classified as faults, given the system had successfully passed a recent surveillance test or remained operable as defined by the requirements identified in safety analysis reports or a plant-performed engineering analysis. As an example, the discharge piping was found not to have the seguired number of seismic restraints. However, the results of an engineering analysis for the missing restraint provided by the plant in the safety analysis section of the LER indicated that the existing system configuration would adequately perform its assigned mission. From the information provided by plant personnel in the LER, the event would be classified as a fault.

As a result of the review and evaluation of the full text of the LER, the number of events classified as failures and used in this study to estimate RCIC unreliability will differ from the number of events and classification that would be identified in a simple SCSS database search. Differences between the data used in this study and a tally of events from a SCSS search would stem primarily from the repor* ability requirements identified for the LER and the exclusion of events for which the failure mechanism is outside the RCIC system boundary defined for this study.

4 Each LER usually has the reportability requirements identified in Block 11 of page 1. As an example, the event is reported based on the requirements identified in 10 CFR 50.73 (t)(2)(i), technical specification prohibited operation or condition. The LER may be submitted spec;fically for the late performance of a technical-specification-required surveillance test. His event would be classified as a failure in the SCSS coding methodology. However, for this study late performance of a surveillance test was classified as a fault.

Other differences would be observed because the definition of failure used in this study and that used in the SCSS database are not the same. Specifically, a system that is out of service for maintenance at the time of an unplanned demand would not be classified as a failure in the SCSS database, however, it would be classified as a failure for this study in an effort to estimate a maintenance-out-of-service A-6

unavailability. Also, the SCSS database would identify a system as failed if the system is out of service for pre-planned maintenance and another system subsequently fails, for example, if the RCIC system is out of service for maintenance when the HCPI system fails a surveillance test. The SCSS database would identify both systems as failed; however, pre-planned maintenance of the RCIC system without a corresponding demand is not counted as a failure in this study.

Because of these differences, the reader is cautioned from making comparisons of the data used in this study with a simple tally of events from SCSS without first making a detailed evaluation of the data provided in the LERs from a reliability and risk perspective. The results of the LER review and classification are provided in Appendix B, Section B-2.

A-L2 Demands To estimate unreliability, demand counts must be associated with failure counts. The set of system demands must be complete and consistent with the set of failures in order to be used in the reliability calculations. Two criteria are important in selecting data sets for reliability analysis. First, the data must of course, be countable. Reasonable assurance must exist that the total number of events can be estimated, that all failures associated with these events will be reported, and that sufficient detail will be present in the failure reports to match the failures to a complete set of corresponding demands.

The second criterion is that the demands must reasonably approximate the conditions being considered in the unreliability analysis. The unplanned demands or tests must be rigorous enough that l

successes as well as failures provide meaningful system performance information. Since one of the purposes of the study is to compare unreliability estimates based on plant operating experience with the unreliabilities predicted by the PRAs, it is important that the unplanned demands included in the study be as challenging as the scenarios modeled in the PRAs.

l A-1.2.1 Unplanned Demands LERs can be used to provide information on unplanned demands following plant transients that resulted in an actual low RPV water level condition (that is, an actual need for the RCIC system). These unplanned demands were identified by searching the SCSS database for all LERs containing critical reactor scrams for plants having a RCIC system during the 1987-1993 study period. Critical reactor scram events are reportable under 10 CFR 50.73 (a)(2)(iv). In addition to critical reactor scram events, unplanned HPCI and HPCS engineered safety feature (ESF) actuations are reportable under the same reporting requirements as reactor scrams. The LERs reponing ESF actuations of these system were also searched for RCIC actuations.

l l

LERs reporting critical reactor scram events were reviewed to determine if the RCIC system was used to control RPV water level during the scram. Also, for the critical reactor scram events that identified a feedwater problem, a rda steam line isolation valve closure, or turbine supply valve i

closure, any use of the RCIC system would be identified in the LER. Unplanned HPCI and HPCS ESF actuations on low RPV water level are typically at the same setpoint as for the RCIC system. Therefore, RCIC actuations would be found in the LERs reporting HPCI and HPCS actuations. As a result, identification of all the RCIC demands associated with a RPV water level transient is possible, even if A-7

the system is not a designated ESF system, by a search of the LERs for critical re and HPCS ESF actuations, which are reportable.

The LERs that described RCIC actuations were screened to determ actuation.

The RCIC actuations identified in the LERs that were classified in this study as unplanned demands were events that resulted in actual coolant flow to the RPV. RCIC fa during a low vessel level condition, which normally would have resulted in flow to the ve included in the unplanned demand count. In addition, events where a low RPV water level condition existed (that normally would have required RCIC to start) and the RCIC system was identif service for maintenance were also included in the unplanned demand count. For each demands, the associated running time and the number of restarts were obtained if it was sta be reasonably estimated from the sequence of events stated in the LER.

This determination was particularly important for quantifying the failure modes associated with the long term and P as explained in Section A-2.

Some of the RCIC actuations identified in the LERs were demands of only a part of the sy These partial demands did not exercise the RCIC system in response to an actual need for inj i

because RPV water level was restored using another source (typically feedwater) before the i MOV opened. 'llese events were excluded from the count of RCIC unplanned demands because the demands did not meet the second criterion identified above. That is, the partial demands did not reasonably approximate the conditions being considered in the unreliability analysis. This conclusion is based on: (1) the injection MOV was not required to open, thereby completing the start sequence of the system, and (2) the flow controller was not required to operate in the same manner as would be observed during situations that result in flow to the vessel.

Other events excluded from the demand counts include ESF actuations associated with c isolation. ESF actuations associated with RCIC's containment isolation function were exclu though they are reportable in LERs [10 CFR 50.73(a)(2)(iv)], because the containment isolation function was outside the scope of this study. Specifically, demands for closure of the turbine steam supply and/or exhaust valves are not germane to estimating RCIC injection reliability.

Because of the above identified exclusions from the count of unplanned demands, the reader is cautioned from making comparisons of the data used in this study with a simple tally of events from SCSS without first making a detailed evaluation of the data provided in the LERs based on a full system response to a low RPV level transient. The results of the LER review and evaluation for unplanned demands are provided in Appendix B, Section B-3.

A-1.2.2 Surveillance Tests Data from the surveillance tests that are performed on a periodic basis may be used to estimate selected aspects of RCIC system unreliability. For reasons described below, surveillance tests that are conducted on a cyclic interval (approximately 18 month) were included in the unreliability calculation for the RCIC system.

Routine surveillance tests of the RCIC system are performed every operating cycle, quaner, and inonth. As discussed in Section 2.2.1, the RCIC system failure count from routine surveillance tests is believed to be as complete as possible. To ensure accuracy in comparing the surveillance test A-8

demands and associated failures with the type of demands modeled in the PRAs, the completeness of each of these tests was evaluated based on a detailed review of several sets of technical specifications.

The conclusions of the technical specifications review were as follows:

The cyclic surveillance tests require the system to be functionally tested. This testing includes simulated automatic start of the system throughout its emergency operating sequence and verification that each automatic valve in the flow path actuates to its correct position. The ability of the RCIC turbine to sustain coolant flow (through the test return line) over a period of time is also verified. Therefore, the cyclic surveillance tests were regarded as demands on the system that reasonably approximated the conditions l

being considered in the unreliability analysis. However, these cyclic surveillance tests I

do not in all cases challenge the injection MOV at the pressures, flow rates and temperatures that the system would experience during a demand for RPV level restoration. Some plant technical specifications actually state that injection of coolant into the reactor vessel may be excluded from the test. Therefore, the injection MOV was excluded from consideration in the analyses. Test failures reported in LERs can be identified as occurring on cyclic tests by supplementing the LER narrative with the event date and the dates of the plant's refueling outages, because cyclic tests are typically performed after a refueling outage.

The quarterly tests also test the system except for the injection MOV. However, the LERs d, lot always specify what type of surveillance test was being performed when a failure occurred. For some plants, failures from quarterly tests and post-maintenance tests are indistinguishable in the LERs. The date of the event du not help distinguish the two. Since post-maintenance surveillance tests are not prbhe, realistic demand counts for these tests could not be estimated. In addition, hot quick starts and slow starts of the turbine are generally performed during these tests. Because a hot quick start and a slow start are not the type of starts the system would experience during a demand for RPV level restoration following a transient, these demands were not considered as reasonably approximating the conditions being considered in the unreliability analysis.

Therefore, both quarterly and post-maintenance test results were not used for estimating unreliability.

Monthly tests typically exercise only part of the system (i.e., MOV cycling, instrument calibration checks, etc.), and therefore were not used in the unreliability estimates.

These surveillance tests were not regarded as demands on the system that reasonably approximated the conditions being considered in the PRAs.

Demand counts for cyclic surveillance tests were estimated as follows. The plants are required to perform the test at least every 18 months. The tests are typically scheduled to coincide with startup from refueling outages. These startup dates are found in the monthly operating reports submitted by the licenser. and entered in the NRC's OUTINFO database. For this study, a plant was assumed to perform the cyclic surveillance test after each refueling outage. If the time to the start of the next refueling outage was more than 550 days (18 months), the necessary number ofintermediate tests were assumed.

A-13 Times for Rates The reported system failures and unplanned demands were characterized and studied from the perspective of overall trends and the existence of patterns in the performance of particular plant units.

A-9

These assessments were based on rates of occurrence per operating year. Thus, estimation of the operating time for each plant and year was also part of the data collection. Operating time, ide time when the reactor pressure is at or above the pressure requirement identified in plant techni specifications for RCIC operation. This time was not known exactly. The NRC's database, OUT lists the starting and ending dates of all periods when the main generator is off-line for each p During short generator off-line periods, the reactor may remain critical and pressurized; therefore, starting and ending days of such outages were treated as operational periods. The outages likewise w treated as operational if they spanned two calendar days or less. The operating time for a plant was estimated by calendar time minus all periods when the main generator was off-line for more than two calendar days.

Rates were also used to quantify the overall probability of failure to run and the probability of failure to switch to an injection mode of operation from the recirculation mode for the PRA mission. For these calculations, the injection and recirculation run times stated in the LERs were used for the unplanned demands. However, in about half the instances, the duration of the run time was not specified in the LERs. For the purpose of estimation, the run times were separated into those known or believed to be greater than 15 minutes, called long, and those that were less than 15 minutes, called short. The short run times were applied only to the failure to run mode, and not to the recirculation failure mode. The short demands for RCIC injection typically only result in RCIC starting and injecting long enough to restore RPV level. These shon demands were with normal feedwater avcilable, which was used to maintain RPV water level after the level was restored, The engineering and operational aspects of the RCIC function when normal feedwater is not available require the RCIC system to be used for longer periods of time until normal feedwater is restored. In these long demands RCIC would restore RPV level and then be placed in the recirculation mode until RPV level dropped sufficiently to require subsequent injection. For the iag run time missions the exposure times were applied to both the failure to run and failure to transfer duing recirculation modes. For both sets of demands, an average run time was calculated based on the known run times. The duration of the unknown run times was then approximated using these averages. In practice, this algorithm resulted in an estimate of 0.06 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> per unspecified short run time, and 2.53 hours6.134259e-4 days <br />0.0147 hours <br />8.763227e-5 weeks <br />2.01665e-5 months <br /> per unspecified long run time.

As noted in the section on tests (above), based on the operating experience obtained from the LER narratives and discussions with plant-experienced operators, one and one-half hours of running time was estimated for each cyclic test. This time was applied in estimating overall failure to run probabilities. It was not used for the failure during recirculation mode because that failure mode is failure to transfer from recirculation to injection, and injecting into the RPV is not part of the test.

A-2. ESTIMATION OF UNRELIABILITY

~

RCIC unreliability estimates were generated for two operating missions and a PRA-based mission. In the operating missions, each LER was treated as a single mission, either short term or long term. Each mission was treated as a success or a failure. As discussed in Section 3.1.1, the following failure modes were considered for the short term operational mi? - maintenance-out-of-service (MOOS), failure to start other than the injection valve (FTSO), failur; -.ecover from FTSO (FRFTS),

failure of the injection valve to open (FTSV), and failure to run in the short term mission (FTR-ST).

Failures to start were divided into two modca, FTSV and FTSO, because the injection valve is isolated before the cyclic surveillance operability testing (the balance of the system is tested). Recovery from FTSV and from FTR-ST were not modeled because there were no data (no demands for either recovery).

A-10

The estimate for failure to run in the short term mission was based solely on the unplanned demands that were identified as short term missions.

RCIC system requirements are more rigorous for long term operating missions. In addition to the MOOS and failure to stan components described above (FTSO, FRFTS, and FTSV), the long term mission requires a longer and more varied running period, recirculation, and possibly system restarts.

Failure to run in the lorig term mission (FTR-LT) was estimated from the number of long term missions, including cyclic test missions, and the associated failures. Failure to recover (FRTTR) from these failures was also modeled, using the unplanned long-term mission events.

Long term mission recirculation (FRC-LT) and failure to recover from these events (FRFRC) were modeled in the same way as the long term failures to run, except that testing data were not judged applicable. Three failure modes were associated with restart failures: the probability of restart being needed in an event (IFRS), the probability of a restart failure given an event needing one or more restarts (FRS-LT), and the probability of failure to recover from such events (FRFRS).

l As discussed in Section 3.2, ten failure modes were identified for the estimation of unreliability for the PRA mission. They are similar to the long term mission, but with the following exceptions:

1 Failure to run (FTR): Since the PRA mission time postulated in the PRA/IPEs spans runnmg j

(

times of at least 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and as long as 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, the actual running time associated with each vent was used to develop a failure rate. The fact that short missions provide less infonnation conce ig long term running than long missions was thus considered; both sets of events were used.

Failure to recover from FTR (FRFTR): Failures from both short and long term missions were combined to estimate the FRFTR probability (numerically, the same results were obtained as for the long term mission, since no running failures were observed in the short term missions).

Failure during recirculation (FRC): As with failure to run, the actual running times were used to quantify a rate of failure. The rate was based on those running periods that were at least 15 minutes long.

Failure to restart (FRS): The PRA-based mission modeling differs in two ways from the long tenn operating mission. These differences are explained below.

In accordance with the treatment of restans in the IPE models, which tends to be sketchy and not detailed, exactly one restart was assumed for the PRA-based mission. After the initial injection of coolant, a restart followed by continued operation in the recirculation mode is assumed. Of course, the frequency of events requiring restart is not applicable to the PRA mission, since the PRA mission assumes rare degraded conditions (such as a small break LOCA) that generally are not seen in the operating data.

Since a single restart is assumed, its failure probability estimate is based on the total number of restans observed in the data, rather than the number of events having one or more restarts. Furthermore, all events rather than just long term mission events are considered (three restarts occurred among 56 short tenn missions, whereas 43 restarts occurred among 72 long term missions). For MOOS, FTSO, FTSV, FRFTS, FRFRC, and FRFRS, no differences from the modeling for the long term mission apply.

A-11

In the statistical analysis process for the PRA-based mission, a rate-based analysis wa performed for two failure modes, FTR and 7RC. For FTR, most of the demands were re compared with the mission times typically assumed in PRAs. Rate-based models specifical for the fact that unreliability tends to increase as the mission time gets longer. The data p evidence that the failure rates were increasing or decreasing.

Since actual rmining times were often unknown, these were estimated for much of the data.

introduces additional uncertainty into the estimates. For example, the estimated standard devia average used for the unknown long run times is approximately 22% of the average. This uncert not been accounted for in the overall estimates. However, the effect of this uncertainty paramet overall model uncertainty is negligible. For the current study, use of the rates to account f mission times was important in spite of the fact that the uncertainty in this process was no since a large range of running times was present in the operating events.

For failure to transfer during recirculation, a natural estimate of the probability of failure for the PRA mission would come from the ratio of the number of failures and number attempted. However, the LERs do not provide the transfer demand information. Assuming that the number ofdemands is proportional to the total time spent in the recirculation mode leads to the use occurrence rate for this failure mode for the PRA mission. For modeling purposes, recirculation was assumed to be the mode of RCIC operation during demands lasting at least one-quarter hour. As with failure to run, the uncertainty associated with estimating the length of the unspecified recirculatio running times using an average based on known running times was not quantified in the cur Recovery modes were modeled for applicable initial failure modes; i.e., each initial failure mode was considered except for MOOS. The two failure to start modes, FTSV and FTSO, were no combined in the modeling of recovery because no injection valve failures occurred.Thus, no information exists in the operating data to characterize recovery from FTSV separate from an ove failure to start recovery. The other three recovery modes correspond naturally to divisions in the da Actions to recover from failures to start generally differ from the types of actions required to failures to run, failures to restart, and failures to transfer out of recirculation.

In the PRA/IPE comparisons, the recovery tailure modes are included.

Although PRAs typically model recovery separately, the recovery event defined for this study encompasses on failures for which no actual diagnosis and physical repair of a failed component occurred. Ex these events include the recovery of a failure related to automatic start that was recovered by t operator manually starting the system. This kmd of recovery is different from PRA-defined recoveries that require diagnosis and actual repair of failed equipment that will restore the system to ope Generally, PRAs take credit for the recovery failure modes defined for this study if statur.

procedures / training direct the operator to perform these actions.

The individual failure mode probabilities identified for the short term mission and the probabilities identified for the long term mission were combined to estimate the total unreliability f each of these missions. Similarly, the individual failure probabilities, failure rates, and mission times were combined to estimate the total unreliability for the PRA mission. Estimating each unreliability and its uncertainty involves two major steps: (a) estimating probabilities and uncertainties for the different failure modes, and (b) combining these estimates. These two steps are described below.

A-12

i A-2.1 Estimates for Each Failure Mode Estimating the probability for a failure mode requires a decision about which data sets (unplanned demands, cyclic surveillance tests, or both) to use, a determination of the failure and demand counts in each data set, and a method for estimating the failure probability and assessing the uncenainty of the estimate.

A-2.1.1 A Priori Choice of Data Sets Out of service for maintenance is only associated with an unplanned demand of the RCIC system's injection function. Recovery is typically not attempted after a failure on a test. Surveillance tests do not involve attempts to inject or to transfer during recirculation to injection. The surveillance tests were judged similar to the long term rather than the shon term operational mission. Therefore, useful data for the failure modes MOOS, FTSV, FRFTS, FTR (short term), FRC, FRFRC, IFRS, FRS, and FRFRS, were found only in the unplanned demands, not in the cyclic surveillance tests. For the start failure mode FTSO and the failure to run failure modes FTR (PRA-based and long term), both the unplanned demands and the cyclic surveillance tests were relevant. Statistical tests, described further below, were used to determine whether the data for the unplanned demands and tests could be combined for these modes.

A-2.1.2 Demand and Failure Counts The unplanned demands were counted by failure mode as follows. The total number of demands, d ull, was obtained as described in Section A-1. This number of demands applies to the f

MOOS failure mode. The number of demands for FTSO was taken to be d ull minus the number of f

MOOS events. Since injection valve operation is the last step in the start-up sequence, the number of demands for FTSV was taken to be the number of demands for FTSO minus the number of unrecovered FTSO events. The number ofinitial demands to run was the number of demands for FTSV minus the number of unrecovered FTSV events. A run time was known or estimated for each of these events.

Based on the mn time, the events were divided into short and long term missions. The run times in all the events were considered for the PRA failure to run mission. The number of demands for restan was based on the number of events with restart for the long term mission and on the number of restarts indicated in the LERs for the PRA mission. In the long term mission case, the fraction of long term events that required restart was used to estimate the probability of needing one or more restarts.

Additional run times accrued from each restart for which no unrecovered failures to restart occurred.

The number of recirculation demands, for which run times for the transferring function were assessed, is the number of demands with total run times equaling or exceeding 15 minutes. Failures in running and failures in recirculation were modeled such that neither failure prevented observation of success for the l

other failure mode. For each recovery mode, the number of demands is the number of corresponding l

failures.

Cyclic surveillance tests also result in demands for the FTSO and FTR modes. The number of demands to start (failure mode FTSO) was taken to be the estimated number of cyclic surveillance tests.

After a felure to start on a test, the plant personnel normally terminate the test, fix the problem, and again attempt to stan and run the system. The first attempt resulting in a failure was counted in this study as a test demand to start, but the later post-maintenance attempts were not. If the intervening repairs did not change the ability of the system to run, a demand to run was then counted. This was the case if the failure to start resulted from, for example, procedural errors, instrumentation problems, A-13

problems with the auxiliary oil pump, or problems with the injection valve. Failures to start governor problems were considered to affect the ability of the system to run; such events were counted as demands to run. In other cases, an engineer read the LER narrative to decide if t should be considered a demand to run. Based on discussions with plant-experienced op one-half hours of run time was estimated for each applicable test demand to run tha failure.

A-2.1.3 Data-Based Choice of Data Sets At this point, failures and demands or running times had been counted or estimated for two of data, unplanned demands and cyclic surveillance tests. To determine which data to use FTR, FTSO failure probabilities and FTR rates and their associated 90% confidence interva computed separately for unplanned demands and cyclic surveillance tests. The confidence inte FTSO and FTR long term assume binomial distributions for the number of failures observed number of demands, with independent trials and a constant probability of failure in each data Similarly, the confidence intervals for FTR (i.e., hourly failure rates) assume Poisson distrib the number of failures observed in a fixed time period, with independent failures and a const occurrence rate in each data set.

indication of whether the data sets could be pooled.A comparison of the plotted confide

'Ihe hypothesis that the underlying failure probability for unplanned demands and for c surveillance tests is the same was tested for the FTSO failure mode. Fisher many statistics boolv ~as used, based on a contingency table with two rows corresponding to and successes and.

t - - 2mns corresponding to unplanned demands and cyclic surveillance tests the failure mode. %

. For

' ch this hypothesis could not be rejected, the two sources of data were pooled; otherwise, the unpumned demands data set was selected as most closely reflecting tru conditions.

A similar procedure was used to compare the rates for failure to run in the unplanned and test demand data sets. A chi-square test was performed to assess whether the cata provide eviden separate rates in the two data sets. Further details on the assessment of failure rates are in Section A-2.1.6 below.

A-2.1.4 Additional Assessments of Data Groupings Using Demands To further characterize individual probability estimates and their uncertainties, probabilities and confidence bounds were computed in each applicable data set and in the selected pooled data sets each year and for each plant unit. The hypothesis of no differences across each of these grou tested in each data set, using the Pearson chi-square test.

Often, the expected cell counts were small enough that the asymptotic chi-square distribution was not a good approxtmation for the distribution of the test statistic; therefore, the computed P-values were only rough approximations. They a for screening, however.

As with Fisher's exact test, a premise for these tests is that variation between subgroups in the data be less than the sampling variation, so that the data can be treated as having constant pro failure across the subgroups. When statistical evidence of differences across a grouping is ident hypothesis is not satisfied. For such data sets, confidence intervals based on overall pooled data a A-14

short, not reflecting all the variability in the data. However, the between-subgroup variation is likely to result in the rejection of the hypothesis of no significant systematic variation between years, plant units, or data sources, rather than to mask existing differences in these attributes.

A-2.1.5 Estimation of Failure Probability Distributions using Demands Three methodi of modeling the failure / demand data for the unreliability calculations were employed. They all use Bayesian tools, with the unknown probability of failure for each failure mode represented by a probability distribution. An updated probability distribution, orposterior distribution, is formed by using the observed data to update an assumed prior distribution. One important reason for using Bayesian tools is that the resulting distributions for individual failure modes can be propagated easily, yielding an uncertainty distribution for the overall unreliability.

In all three methods, Bayes Theorem provides the mechanics for this process. The prior distribution describing failure probabilities is taken to be a beta distribution. The beta family of distributions provides a variety of distributions for quantities lying between 0 and I, ranging from bell-shape distributions to J-and U-shaped distributions. Given a probability (p) sampled from this distribution, the number of failures in a fixed number of demands is taken to be binomial. Use of the beta family of distributions for the prior on p is convenient because, with binomial data, the resulting output distribution is also beta. More specifically, if a and b are the parameters of a prior beta distribution, a plus the number of failures and b plus the number of successes are the parameters of the resulting posterior beta distribution. The posterior distribution thus combines the prior distribution and the observed data, both of which are viewed as relevant for the observed performance.

The three methods differ primarily in the selection of a prior distribution, as described below.

After describing the basic methods, a summary section describes additional refinements that are applied in conjunction with these methods.

Simple Bayes Method. Where no significant differences were found between groups (such as plants), the data were pooled and modeled as arising from a binomial distribution with a failure probability p.

The assumed prior distribution was taken to be the Jeffreys noninformative prior distribution.A-1 More specifically, in accordance with the processing of binomially distributed data, the prior distribution was a beta distribution with parameters, a = 0.5 and b = 0.5. This distribution is diffuse, and has a mean of 0.5. Results from the use of noninformative priors are very similar to traditional confidence bounds. See Atwood -2 or further discussion.

A f In the simple Bayes method, the data were pooled, not because there were no differences between groups (such as plants), but because the sampling variability within each group was so much larger than the variability between groups that the between-group variability could not be estimated. The dominant variability was the sampling variability, and this was quantified by the posterior distribution from the pooled data. Therefore, the simple Bayes method used a single posterior distribution for the failure probability. In the absence of fitted empirical Bayes distributions described in the next paragraph, l

it was used both for any single group and as a generic distribution for industry results.

Empirical Bayes Method. When between-group variability could be estimated, the empirical Bayes method was employed.A-3 Here, the prior beta (a, b) distribution is estimated directly from the data for a failure mode, and it models between-group variation. The model assumes that each group has i

A-15

its own probability of failure,p, drawn from this distribution, and that the number of failures from group has a binomial distribution governed by the group's p. The likelihood function for the data is based on the observed number of failures and successes in each group ar.d the assumed be model. This function of a and b was maximized through an iterative search of the param a SAS routine.A-2 In order to avoid fitting a degenerate, spike-like distribution whose variance is less than the variance of the observed failure counts, the parameter space in this search was restrict where the sum, a plus b, was less than the total number of observed demands.

The a and b corresponding to the maximum likelihood were taken as estimates of the generic beta distribution parameters representing the observed industry data for the failure mode.

The empirical Bayes method uses the empirically estimated distribution for generic results, bu also can yield group-specific results. For this, the generic empirical distribution is used as a pr is updated by group-specific data to produce a group-specific posterior distribution. (In this p generic distribution itself would be assigned to any groups for which no demands occurred.)

The empirical Bayes method was always used in preference to the simple Bayes method when a chi-square test found a statistically significant difference between groups. Because of concerns ab power of the chi-square test, discomfort at drawing a fixed line between significant and nonsignif and an engineering belief that there were real differences between the groups, an attempt was mad each failure mode to estimate an empirical Bayes prior distribution over years and over plants. Th fitting of a nondegenerate empirical Bayes distribution was used as the index of whether b variability could be estimated.

The simple Bayes method was used only if no empirical Bayes distribution could be fitted, or if the empirical Bayes distribution was nearly degenerate, with smal dispersion than the shnple Bayes posterior distribution.

Sometimes, an empirical Bayes distribution could be fitted even though the chi-square test did not find a between-group variation that was even clo to statistically significant.

In such a case, the empirical Bayes method was used, but the numerical results were almost the same as from the simple Bayes method.

When more than one empirical Bayes prior distribution was fitted for a failure mode, such as a distribution describing variation across plants and one describing variation across years, the g principle was to select the distribution with the largest variability.

Alternate Method for Some Group-Specific Investigations. Occasionally, the unreliability was modeled by group (such as by plant, by year or by design class) to see if trends existed, such as trends due to time or age. The above methods tend to mask any such trend. The simple Bayes met pools all the data, and thus yields a single generic posterior distribution. The empirical Bayes method typically does not apply to all of the failure modes, and so masks part of the variation. Even when no differences can be seen between groups for any one failure mode, so that the above methods w the data for each failure mode, the failures of various modes could all be occurring in a few years or few plants. They could thus have a cumulative effect and show a clearly larger unreliability for thos few years or plants. Therefore, it is useful to calculate the unreliability for each group (each year o plant) in a way that is very sensitive to the data from that one group.

It is natural, therefore, to update a prior distribution using only the data from the one group. The Jeffreys noninformative prior is suitably diffuse to allow the data to drive the posterior distribution toward any probability range between 0 and '. if sufficient data exist. However, when the full data set is

}

split into many groups, the groups often have sparse data and few demands. Any Bayesian update method pulls the posterior distribution toward the mean of the prior distribution. More specifically, wit A-16

beta distributions and binomial data, the estimated posterior mean is (a+f)/(a+b+d). The Jeffreys prior, with a = b = 0.5, thus pulls every failure probability toward 0.5.

When the data are sparse, the pull toward 0.5 can be quite strong, and can result in every group having a larger estimated unreliability than the population as a whole. In the worst case of a group and failure mode having no demands, the posterior distribution mean is the same as that of the prior, 0.5, even though the overall industry experience may show that the probability for the particular failure mode is, for example, less than 0.1.

j Because industry experience is relevant for the perfonnance of a particular group, a more practical prior i

distribution choice is a diffuse prior whose mean equals the estimated industry mean. Keeping the prior diffuse, and therefore somewhat noninformative, allows the data to strongly affect the posterior distribution; and using the industry mean avoids the bias introduced by the Jefferys prior distribution when the data are sparse.

To do this, the " constrained noninformative prior" was used, a generalization of the Jeffreys prior defined in Reference A-4 and summarized here. The Jeffreys prior is defined by transforming the binomial data model so that the parameter p is transformed, approximately, to a location parameter p.

The uniform distribution for p is noninformative. The corresponding distribution for p is the Jeffreys noninformative prior. The generalization replaces the uniform distribution for p with the constrained maximum entropy distributionA-5 for which the corresponding mean ofp is the industry mean from the pooled data, (f+0.5)/(d+1). The maximum entropy distribution for is, in a precise sense, as flat as possible subject to the constraint. Therefore, it is quite diffuse. The corresponding distribution for p is found. It does not have a convenient form, so the beta distribution for p having the same mean and variance is found. This beta distribution is referred to here as the constrained noninformative prior. It corresponds to an assumed mean for p but to no other prict information. For various assumed means of p, the noninformative prior beta distribution pa ameters are tabulated in Reference A-4.

For each failure mode of interest, every group-specific failure probability was found by a Bayesian update of the constrained noninformative prior with the group-specific data. The resulting posterior distributions were pulled toward the industry means instead of toward 0.5, but they were sensitive to the group-specific data because the prior distributions for each failure mode were so diffuse.

Additional Refinements in the Application of Group-Specific Bayesian Methods. For both the empirical Bayes distribution and the constrained noninformative prior distribution, beta distribution parameters are estimated from the data. A minor adjustmentA-6 was made in the posterior beta distribution parameters for particular plants, years, and classes to account for the fact that the prior parameters a and b are only estimated, not known. This adjustment increases the group-specific posterior variances somewhat.

Both group-specific failure probability distribution methods use a model, namely, that the failure probability p varies between groups according to a beta distribution. In a second refinement, lack of fit to this model was investigated. Data from the most extreme groups (plants or years) were examined to see if the observed failure counts were consistent with the assumed model, or if they were so far in the tail of the beta-binomial distribution that the assumed model was hard to believe. Two probabilities were l

computed, the probability that, given the resulting beta posterior distribution and binomial sampling, as many or more than the observed number of failures for the group would be observed, and the probability that as many or fewer failures would be observed. If either of these probabilities was low, the results were flagged for further evaluation of whether the model adequately fitted the data. This test was most important with the empirical Bayes method, since the empirical Bayes prior distribution might not be A-17

diffuse. No strong evidence against the model was seen in this study. See Atwood -2 or more details A f about this test.

Group-specific updates were not used with the simple Bayes approach because this method is based on the hypothesis that significant differences in the groups do not exist.

6 A-2.1.6 Assessments and Estimation of Failure Probability Distributions using Rates As stated above, the FTR and FRC probabilities for the PRA model were derived from hourly rates of occurrence rather than from failures and demands. Chi-square test statistics were computed to identify significant differences, if any, among plant units and among calendar years for the two occurrence rates. Bayesian methods similar to those described above were also used. The analyses for rates are based on event counts from Poisson distributions, with gamma distributions that reflect the variation in the occurrence rate across subgroups ofinterest or across the industry. The simple Bayes procedure for rates results in a gamma distribution with shape parameter equal to 0.5+f, wherefis the number of failurer, and scale parameter 1/T, where T is the total pooled running time. An empirical Bayes method also exists, but the data were too sparse to find a non-degenerate distribution. Finally, the constrained noninformativeprior method was applied in a manner similar to the other failure modes this resulted in gamma distributions for the rates. These methods are described fmther in References A-8 and A-4.

The resulting gamma distributions for uncertainty in FTR and FRC were converted to beta distributions describing the probability of failure during a specified mission time. Given an occurrence l

rate, say r, the probability of failure in mission time T (assuming a Poisson distribution for the occurrence of failures)is:

p(r) = 1-exp(-r7).

j If E(r) is the mean of the rate and V(r) is its variance, and r has a gamma distribution with parameters (a,b), then it can be shown that the mean of p(r) is i

1-(1 + T/b)*

and the variance of p(r)is (1 + 2T/b)* - (1 + T/b)*.

These equations were applied using the gamma distribution means and variances for the rates for the two failure modes. Beta distributions having the resulting means and variances were computed by matching moments. This evaluation was performed for the mission times that span the range of mission times typically assumed for RCIC in PRAs, namely,24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />, and 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />.

A-2.2 The Cornbination of Failure Modes The failure mode probabilities are combined to obtain the unreliability.

An algebraic approximation was used to quantify the model. The method is presented in more generality by Martz and Waller,A-7 but is summarized for the present application here. According to the logic models, the mission unreliabilities are given by the following expression:

A-18

P i

Short term mission unreliability = Prob [ MOOS or (FTSO and FRFTS) or FTSV or FTR-ST).

Long term mission unreliability = Prob [ MOOS or (FTSO and FRFTS) or FTSV or (FTR-LT and

)

FRFTR) or (IFRS and FRS-LT and FRFRS) or (FRC-LT and FRFRC)].

PRA mission unreliability = Prob [ MOOS or (FTSO and FRFTS) or FTSV or (FTR and FRFTR) or (FRS and FRFRS) or (FRC and FRFRC)].

Each of these expressions can be rewritten by repeatedly using the facts that Prob (A and B) = Prob (A)* Prob (B)

Prob (A or B) = 1 - Prob (not A)* Prob (not B) = 1 - [1 - Prob (A)]*[1 - Prob (B)]

where A and B are any independent events. The resulting algebraic expression is linear in each of the failure probabilities.

The estimated mean and variance of the unreliability can therefore be obtained by propagating the means and variances of the failure probabilities. These means and variances are readily available from the beta distributions. Propagation of the means uses the fact that the mean of a product is the product of the means, for independent random variables. Propagation of variances of independent I

factors is also readily accomplished, based on the fact that the variance of a random variable is the expected value of its square minus the square of its mean. In practice, estimates are obtained by the following process:

Select appropriate beta distributions for each failure mode for the group.

Compute the mean and variance of each beta distribution.

Compute the mean and variance of the unreliability for each case using simple equations for expected values of sums for "or" operations and of products for "and" operations.

Compute parameters for the beta distribution with the same mean and variance.

Report the mean of the unreliability and the 5th and 95th percentiles of the fitted beta distribution.

The first step in this process requires further discussion. When no empirical Bayes distribution can be fitted for variation between groups for a particular failure mode and grouping, such as plant, a single generic distribution describing industry performance for that failure mode is used for all the plants. However, there may be more than one choice for this distribution. Generic industry distributions may exist that reflect variation in some other variable, such as year. In that case, the distribution showing year-to-year variation is a more accurate model of the industry data for the failure mode than the noninformative distribution that reflects just sampling variation. The Jeffreys noninformative prior updated with industry data was selected only when no other empirical Bayes distributions were found for the data being analyzed. Of course, for the group-specific trend investigations for which a minimal amount of data filtering occurs, the beta distributions derived from updating the constrained noninformative priors were used.

l The means and variances calculated from the above process are exact. The 5th and 95th percentiles are only approximate, however, because they assume that the final distribution is a beta distribution. Monte Carlo simulation for the percentiles would be more accurate than this method if enough Monte Carlo runs were performed, because the output uncertainty distribution is empirical and l

A-19 l

t

f not required to be a beta distribution. Nevertheless, the approximation seems to be clo comparisons were made, and therefore the beta approximation was used for the o for unreliabilities by plant and by year in Appendix C.

A-3. ESTIMATION OF RATE DISTRIBUTIONS FOR TREND ANA In addition to 'the analyses used to estimate system unreliability, the overall ra unplanned demands, and restarts per unplanned demand were analyzed by plant an possible trends and patterns. Two specific analyses were performed for these three occurrence ;

First, the rates were compared to determine whether significant differences exist amon t

among the calendar years. Rates and confidence bounds were computed for each type of rate for e year and plant unit.

The hypotheses of simple Poisson distributions for the occurrences with no differences across the year and plant groupings were tested, using the Pearson chi-square The computed P-values are approximate since the expected cell counts were often small; howeve useful for screening.

Regardless of whether particular years or plants were identified as having different occurrence frequencies, the occurrence frequencies were also modeled by plant and by year to see if trends exist.

For plants, trends with regard to plant ege were assessed, as measured from the plant low-power date. For years, calendar trends were assessed. Least-squares regression analyses were used to asses i

the trends. The paragraphs below describe certain analysis details associated with the frequency analyses.

i With sparse data, estimated event frequencies (event counts divided by time) are often zero, and regression trend lines through such data often produce negative frequency estimates for certain group (years or ages). Since occurrence frequencies cannot be negative, log models are considered. Thus, the analysis determines whether log (frequency) is linear with regard to calendar time or age. An adjustment is needed in order to include frequencies that are zero in this model.

t Using 0.5/t as a rate estimate in such cases is not ideal. Such a method penalizes groups that have no failures, increasing only their estimated frequency. Furthermore, industry performance may show that certain events are very rare, so that 0.5/t would be an unrealistically high estimate. A method that adjusts the frequencies uniformly for all the grouping levels (plants or years) and that uses the overall frequency inforrration contained in the industry mean is needed for sparse data and rare events.

As stated in Section A-2.1.6, constrained noninformative priors can be formed for frequencies.

This method meets the requirements identified above. Because it also produces occurrence frequencies for each group (each year or plant) in a way that is very sensitive to the data from that one group, it preserves trends that are present in the unadjusted frequency data. The method, described in Reference A-4, involves updating a prior distribution using only the data from a single group. For rates, such distributions are gamma distributions rather than beta distributions. Since industry experience is relevant for the performance of a particular group, a practical prior distribution choice is a diffuse prior whose l

mean equals the estimated industry mean, (0.5+N)/T, where N is the total number of events across the industry and T is the total exposure time. This specification for the prior distribution mean is the constraint. Keeping the prior diffuse, and therefore somewhat noninformative, allows the data to strongly affect the posterior distribution. This goal is achieved by basing the modeling on a maximum

)

entropy distribution. The details are explained in Reference A-4; the resulting prior distribution is a gamma distribution with shape parameter 0.5 and scale parameter T/(2N+1). The mean of the updated A-20 l

posterior distribution is used in the regression trending. This process thus adds 0.5 uniformly to each event count and T/(2N+1) to each group exposure time.

In practice, an additional refinement in the application of the constrained noninformative prior method adjusts the posterior gamma distribution parameters for particular plants and years to account for the fact that the prior distribution gamma scale parameter is only estimated, not known. This A-6 ncreases the group-specific posterior variances somewhat.

adjustment i

A-4. REFERENCES A-1.

George E. P. Box and George C. Tiao, Bayesian Inference in Statistical Analysis, Reading, MA:

Addison Wesley,1973, Sections 1.3.4-1.3.5.

A-2.

Corwin L. Atwood, Hits per Trial: Basic Analysis of Binomial Data, EGG-RAAM-11041, September 1994.

A-3.

Harry F. Martz and Ray A. Waller, Bgresian Reliability Analysis, Malabar, FL: Krieger,1991, Section 7.6.

A-4.

Corwin L. Atwood, ConstrainedNoninformative Priors. INEL-94/0074, October 1994.

A-5.

B. Harris, " Entropy," Encyclopedia of Statistical Sciences, Vol. 5, S. Kotz and N. L Johnson, editors,1982, pp. 512-516.

A-6.

Robert E. Kass and Duane Steffey, " Approximate Bayesian Inference in Conditionally Independent Hierarchical Models (Parametric Empirical Bayes Models)," Journal of the American Statistical Association, 84,1989, pp. 717-726, Equation (3.8).

A-7.

H. F. Martz and R. A. Waller, " Bayesian Reliability Analysis of Complex Series / Parallel Systems of Binomial Subsystems and Components," Technometrics,32,1990, pp. 407-410.

A-8.

M. E. Engelhardt, Events in Time: Basic Analysis of Poisson Data, EGG-RAAM-11088, Sept.

1994.

I A-21

Appendix B RCIC Operating Data,1987-1993 1

i 1

B-1

a.m-i D

4 e

1 e

I I

h I

P 4

J 1

1 l

4 l

i i

I B-2 l

Appendix B RCIC Operating Data,1987-1993 In subsections.below, listings of the data used for the reactor core isolation cooling (RCIC) system performance study are provided. First, the plants used are listed. Then their inoperabilities are described and listed. Unplanned demands are then described, followed by cyclic surveillance testing demands. Finally, a tabular summary is given for the data used to estimate unreliability.

B-1. PLANTS USED Each of the data listings is restricted to the period from 1987 to 1993, and to the set of plants listed in Table B-1 below. Table B-1 includes all the boiling water reactors (BWRs) with a RCIC system except for Browns Ferry I and 3 and Shoreham. These plants were excluded because they were in extended shutdown throughout the study period. Some of the plants listed had calendar-year-long or longer periods in which they did not operate. Specifically, there was no operational time for Browns Ferry 2 in 1987,1988,1989, or 1990; for FitzPatrick in 1992; for Peach Bottom 2 in 1988; for Peach Bottom 3 in 1988; and for Pilgrim in 1987 and 1988. The data for these plants were not used for the years when they did not operate.

The operating years for each plant during the study period are shown in Table B-1. Operating years were estimated from information in the OUTINFO database. This database is developed from monthly operating reports submitted to the NRC by the licensees. The database provides starting and ending dates for generator off-line periods. To estimate operating time for this study, the starting and ending days themselves are treated as operating periods. Periods between these dates that are at least hvo calendar days long are treated as outage periods and subtracted from the total number of operating days in that year for a plant.

l B-2. RCICINOPERABILITIES t

The search for RCIC inoperabilities resulted in the identification of 142 inoperability events during the 1987 through 1993 time period. Some of the LERs found during the search identified multiple inoperabilities either at a dual unit site or inoperabilities on different dates at the same plant. As a result, the number of unique LERs will be different than the number of unique inoperabilities found for i

this study. Of the 142 inoperabilities,93 were classified as failures based on a detailed review of the LER by a team of engineers with commercial nuclear power plant experience. The classification was i

based on a risk perspective. Therefore, the number of failures would be different than the number of l

failures based on a definition provided by plant technical specifications for the system. Table B-2 l

provides a breakdown of the inoperabilities by method of discovery and by failure mode for the l

inoperabilities classified as failures for this study.

Table B-3 defines the column headings used in Table B-4. Table B-4 is a listing of the RCIC inopembility events. In the injection function lost (IFL) column, footnote a marks the failures for which both the design function was lost and the number of demands could be counted (i.e., the method of discovery is either A, for unplanned demands, or S, for surveillance). In the latter case, the surveillance B-3

had to be a cyclic surveillance test. Cyclic surveillance tests are marked in Table discovery column with "(C)."

Table B-1. BWR plants selected for this study with their associated op: rating years.

Plant Name

' Docket Operating Plant name Docket Operating years Browns Feny 2 260 2.3 Limerick 2 353 3.8 years Brunswick 1 325 3.8 Monticello 263 6.3 Bmnswick 2 324 4.6 Nine Mile Pt 2 410 4.5 Clinton 461 4.9 Peach Bottom 2 277 4.0 Cooper 298 5.6 Peach Bottom 3 278 3.5 Duane Amold 331 5.6 Peny 440 5.0 Fermi 2 341 5.6 Pilgrim 293 3.9 FitzPatrick 333 4.5 Quad Cities 1 254 5.5 Grand Gulf 416 6.1 Quad Cities 2 265 5.4 Hatch 1 321 5.9 River Bend 458 5.3 Hatch 2 366 6.0 Susquehanna 1 387 5.7 Hope Creek 354 6.2 Susquehanna 2 388 6.1 LaSalle 1 373 5.4 Vermont Yankee 271 6.2 LaSalle 2 374 5.2 Wash. Nuclear 2 397 5.1 Limerick 1 352 5.7 Table B-2. RCIC inoperability counts.

Method of discovery Cyclic Other Unplanned surveillance surveillance demands tests tests Other*

Total Failures Maintenance-out-of-service (MOOS) 1 NA NA NA 1

Failure to start Other than injection valve (FTSO) 7 3

29 35 74 Injection valve (FTSV) 0 0

4 1

5 Failure to restart (FRS) 4 NA NA NA 4

Failure to transfer (FRC) 2 NA NA NA 2

Failure to run(FTR) 2 0

4 1

7 Subtotal, Failures 16 3

37 37 93 Faults 2

0 22 25 49 Grand Total 18 3

59 62 142

a. Plant tours, control room annunciatert/ indication. design review etc.

B-4

\\

Table B-3. Column heading definitions and abbreviations use in Table B-4.

Column Heading Definition Plant name Self-explanatory I

LER number Self-explanatory. However, in some cases the LER number listed is for the unplanned demand in which a failure was observed. It is not unusual for a plant to report the unplanned demand in one LER and mention that the system did not respond as designed (i.e., LER number XXX89001) and a follow up LER (i.e., LER number XXX89003) provide the details of the failure and subsequent corrective actions.

Also, the LER number may not match the docket number for a dual unit site. The LER may be under a Unit I number because the event affected both units, however, a failure may also be identified at Unit 2.

Event date The event date is typically the date identified in Block 5 of the LER. In some cases the Block 5 date may be different than the failure date, because the system may have run for a period of time before the failure. In all cases the event date is the date of the actual failure.

IFL Injection function lost (failure): T (true) indicates that the deficiency was such that the system would not have been able to respond as designed for a risk-based mission.

F (false) indicates that the deficiency was such that the system would have been able to respond as designed for a risk-based mission. These events (IFL = F) are referred to as faults. The T/F determination is based on a review of the full text of the LER.

These classifications are not based on the reportability requirements identified in Block 11 of the LER.

The failure mode is risk-related information provided only for the events that are Failure mode classified as failures (i.e., IFL = T). FTS, failure to start; FTSV failure to start due to the injection valve; FTR, failure to run; FRS, failure to restart the system for subsequent injections; FRC, failure to transfer during recirculation to injection; MOOS, maintenance-out-of-service.

Method of discoveryThe method of discovery identifies how the inoperability was found. O, operational occurrence, through the normal course of routine plant operations. This category includes operator walkdowns, control room annunicators or alarms, etc. S, periodic surveillance test, [S(C)] identifies a cyclic surveillance test; A, unplanned demand.

Subsystem Subsystem: T, turbine and turbine control valves; I, instrumentation and controls; F, coolant piping and valves; H, dedicated heating, ventilation, or room cooling.

B-5

l Table B-4. RCIC inoperabilities.

Plant LER Event IFL Failure Method of Subsystem Name Number Date Mode Discovery Browns Ferry 2 26093001 01/24/93 T

FTSO O

T Browns Ferry 2

,26093009 08/22/93 T

FTSO S

I Brunswick 1 32588014 06/06/88 F

N/A S

I Brunswick 1 32588020 09/15/88 T

FTSO S

T Brunswick 1 32591013 05/07/91 T

FTSO O

1 Brunswick 2 32487001 01/05/87

?

FRC A

F Brunswick 2 32487003 02/02/87 F

N/A S

1 Brunswick 2 32487007 05/04/87 T

FTSO O

I Brunswick 2 32588014 06/06/88 F

N/A S

I Brunswick 2 32490008 08/16/90 F

N/A A

H Brunswick 2 32490009 08/19/90 P

FRS A

T Clinton 46187052 09/02/87 T

FTSO O

I Clinton 46187067 11/24/87 T

FTSO S

I Clinton 46191004 08/19/91 T

FTSO O

I Cooper 29890009 08/08/90 T

FTSO S

T Cooper 29892005 03/25/92 T

FTSO O

T Cooper 29892012 07/15/92 T

FTSO S

T Duane Arnold 33188001 01/11/88 F

N/A S

T Duane Arnold 33189006 02/24/89 T

FTSO O

I Duane Arnold 33191007 08/06/91 T

FTSO S

T Fermi 2 34187012 05/05/87 F

N/A O

1 Fermi 2 34187023 06/11/87 T

FTSO S

I Fenni2 34188005 02/10/88 T

FTSO O

T FitzPatrick 33387013 09/05/87 T

FTSO O

1 FitzPatrick 33388002 0W10/88 T

FTSO O

T FitzPatrick 33389021 10/31/89 T

FTSV S

F FitzPatrick 33389024 11/29/89 T

FTSO S

1 FitzPatrick 33390004 02/07/90 T

FTSO O

1 Grand Gulf 41689016 11/07/89

?

MOOS A

T Grand Gulf 41692020 12/15/92 T

FTSO O

I Grand Gulf 41693004 05/17/93 T

FTSO O

I Grand Gulf 41693005 06/08/93 F

N/A O

1 Grand Gulf 41693006 07/20/93 T

FTSO O

I Grand Gulf 41693017 11/26/93 F

N/A S

T Hatch 1 32187011 07/23/87

?

FTSO A

T Hatch 1 32188018 12/17/88 P

FRS A

T Hatch 1 32191001 01/18/91 P

FRS A

F Hatch 2 36688017 05/27/88

?

FTSO A

I Hope Creek 35491016 07/24/91 T

FTSO O

I B-6

Table B-4. (continued)

Plant LER Event IFL Failure Method of Subsystem Name Number Date Mode Discovery LaSalle 1 37387015 03/28/87 F

N/A S

F LaSalle 1 37387039 12/16/87 F

N/A O

F LaSalle 1 37388015 07/12/88 T

FTSO S

T LaSalle 1 37389017 05/15/89 F

N/A O

H LaSalle 1 37389020 05/29/89 F

N/A O

I LaSalle 1 37389021 06/09/89 T

FTSO S

T LaSalle 1 37390007 06/18/90 T

FTSO S

T l

LaSalle 1 37390009 05/11/90 F

N/A S

I LaSalle 1 37390011 08/01/90 F

N/A S

I LaSalle 1 37391012 07/29/91 T

FTSO S

T LaSalle 1 37391017 10/23/91 T

FTSO S

T LaSalle 1 37392005 04/06/92 T

FTSO S

T LaSalle 1 37393003 01/29/93 F

N/A S

H LaSalle 1 37393003 01/30/93 T

FTR S

T LaSalle 1 37393004 02/10/93 T

FTSO O

T LaSalle 1 37393007 02/26/93 T

FTSO S

T LaSalle 1 37393000 03/07/93 T

FTSO S

I LaSalle 1 37393016 10/22/93 T

FTR S

I LaSalle 2 37487020 11/19/87 F

N/A S

I LaSalle 2 37489018 12/16/89 F

N/A O

I LaSalle 2 37491005 06'21/91 F

N/A S

I LaSalle 2 37492008 06/15/92 F

N/A S

T LaSalle 2 37492009 07/14/92 F

N/A S

T LaSalle 2 37492010 08/10'92 T

FTSO S

T LaSalle 2 37492012 08/27/92 T

FRS A

T LaSalle 2 37493001 02/22/93 F

N/A S

I LaSalle 2 37493002 02/23/93 T

FTSO S

I LaSalle 2 37493006 08/19/93 F

N/A O

H LaSalle 2 37493010 12/25/93 T

FTSO S

I Limerick 1 35289002 01/04/89 F

N/A O

I Limerick 1 35289012 02/15/89 F

N/A O

F Limerick 1 35289039 06/01/89 F

N/A O

I Limerick 1 35289050 08/25/89 F

N/A O

F Limerick 1 35291016 06/10/91 T

FTSO O

T Limerick 2 35289050 08/25/89 F

N/A O

F Monticello 26389006 04/14/89 T

FTSO O

T Nine Mile Pt. 2 41088011 03/01/88 T

FTSO O

I Nine Mile Pt. 2 41091017 08/13/91 T*

FTSO A

I Nine Mile Pt. 2 41092024 12/04/92 T

FTSO O

I Peach Bottom 2 27791034 10/22/91 T

FTSO O

I 44087003 01/10/87 T

FTSO S

T 44087003 01/22/87 T

FTSO S

T Perry Perry 44087003 02/17/87 T

FTSO O

T Perry 44087003 03/12/87 T

FTSO O

T Perry B-7

Table B-4. (continued)

Plant LER Event IFL Failure i

Name Number Date Method of Subsystem Perry 44087006 02/08/87 T

FTSO O

I Mode Discovery Perry 44087012 03/02/87 T*

FTSO A

T Perry 44087040 06/2487 F

N/A O

I Peny 44087044 06/24/87 T

FTSO O

I Perry

~44087063 09/06/87 T

FTSO O

I Perry 44087075 11/14/87 T

FTSO O

T Perry 44090002 01/07/90 T*

FTR A

I Pilgrim 29390013 09/02/90 T'

FTSO A

T Pilgrim 29391001 01/25/91 T

FTSO S

T Pilgrim 29391004 03/19/91 F

N/A S

I Pilgrim 20391020 08/15/91 T

FTR S

T Pilgrim 29391021 10/09/91 F

N/A P

I Pilgrim 29391025 10/30/91 T'S FTSO Pilgrim 29392003 03/25/92 T

FTSO O

T A

I Pilgrim 29392007 06/18/92 F

N/A S

I Pilgrim 29392010 08/18/92 F

N/A S

I Pilgrim 29392015 11/25/92 T

FTSO O

T Pilgrim 29393002 02/25/93 T

FTSO S

T Pilgrim 29393004 03/13/93 F6 N/A A

H Pilgrim 29393007 03/17/93 T

FTSO O

I Pilgrim 29393013 05/30/93 T

FTR S

T Pilgrim 29393021 08/24/93 T

FTR O

I Pilgrim 29393025 10/24/93 F

N/A S

F Quad Cities 1 25487003 02/05/87 T

FTSO S

I Quad Cities 1 25487032 12/23/87 T

FTSO S

F Quad Cities 1 25488003 01/25/88 T

FTSV S

F Quad Cities 1 25488011 06/25/88 T

FTSO O

1 Quad Cities 1 25488013 08/22/88 F

N/A O

H Quad Cities 1 25489001 01/06/89 T

FTSV O

O Quad Cities 1 25489005 05/22/89 F

N/A S

I Quad Cities 1 25490005 03/13/90 T

FTSO S

T Quad Cities 1 25490023 10/31/90 F

N/A O

H Quad Cities 1 25491009 04/26/91 T

FTSO S

T Quad Cities 1 25491018 09/13/91 T

FTSO O

I Quad Cities 1 25491021 10/25/91 F

N/A S

I Quad Cities 1 25491029 04/24/91 T

FTSV S

F Quad Cities 1 25492005 12/01/91 T

FTSV S

F Quad Cities 1 25492026 10/27/92 F

N/A O

I Quad Cities 1 25493001 02/04/93 F

N/A O

F Quad Cities 1 25493004 03/31/93 F

N/A O

H Quad Cities 2 26587009 08/01/87 T'

FTSO A

I Quad Cities 2 26587016

$ 1/03/87 F

N/A S

T Quad Cities 2 26588003 03/01'88 T

FTSO S

T Quad Cities 2 26590006 05/08/90 T'

FTSO S(C)

I Quad Cities 2 26592015 05/12/92 T'

FTSO S(C)

I Quad Cities 2 26592017 05/24/92 F

FTR O

H Quad Cities 2 26592020 08/l1/92 T

FTSO S

T Quad Cities 2 26593018 08/28/93 F

N/A O

T Quad Cities 2 26593022 10/07/93 F

N/A O

H B-8

Table B-4. (continued)

Plant LER Event IFL Failure Method of Subsystem Name Number Date Mode Discovery River Bend 45888027 12/19/88 F

N/A O

T River Bend 45892027 11/25/92 T

FTSO O

T Vermont Yankee 27187018 11/14/87 T'

FTSO S(C)

T Vermont Yankee 27189014 07/18/89 F

N/A S

F Vermont Yankee 27191009 04/23/91 T*

FTR A

I Vermont Yankee 27192015 04/24/92 T

FTSO O

I Wash. Nuclear 2 39788003 02/04/88 T'

FRC A

F Wash. Nuclear 2 39791001 01/08/91 T

FTSO O

I Wash. Nuclear 2 39792016 04/22/92 F

N/A O

I Wash. Nuclear 2 39793013 03/18/93 F

N/A O

F

a. This event was used in the estimation of unreliability,

b. This event indicated 2 inoperabilities for the same date.

B-3. RCIC UNPLANNED DEMANDS The results of the data search and screening of the SCSS data file for unplanned demands of the RCIC system's injection function identified 133 LERs in which at least one demand for RCIC's injection function occurred. Detailed review of each of the LERs showed that there were 179 operating experiences of the RCIC system's injection function. These events are listed in Table B-5 with the plant name and event date. Included in the table are the number of demands associated with each event, the run times associated with each demand for the first three demands if given in the LER, and the total mission time. If no run times were given in the LER then a long or short classification was assigned to the event based on a review of the event. The times listed in the table are in a HHMM format (e.g.,0516 corresponds to 5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> and 16 minutes).

B-4. RCIC CYCLIC SURVEILLANCE TESTING DEMANDS The estimated number of RCIC cyclic surveillance testing demands is summarized by plant in Table B-6. The method used to estimate the number of cyclic surveillance tests is described in Appendix A, Section A-1.2.2. The totalis 142 tests.

B-5. DATA USED FOR STATISTICAL ESTIMATION OF UNRELIABILITY A subset of the inoperabilities was used for estimating unreliability. The first requirement for this subset was loss of the safety function. Table B-7 provides a summary description of the events used to determine system unreliability. The Table lists the events by those that occurred during unplanned demands i

I and cyclic surveillance tests alphabetically by plant name.

l i

l B-9 i

Table B-5. RCIC unplanned demands.

Plant LER Number Event Date Number of Run Time Run Time Run Time Total Pump Stans Start (1)

Start (2)

Stan(3)

Mission Time Brunswick 1 32587019 07/01/87 1

Long Brunswick 1 32591018 07/18/91 1

Shon Long Brunswick 1 32592003 01/17/92 2

0001 0017 Short Brunswick 1 32592005 02/29/92 1

0516 0018 0516 Brunswick 2 32487001 01/05/87 1

0429 Brunswick 2 32487004 03/11/87 1

0146 0429 Brunswick 2 32488018 11/16/88 1

Long 0146 Brunswick 2 32489009 06/17/89 1

1206 Long Brunswick 2 32490008 08/16/90 1

0007 1206 Brunswick 2 32490009 08/19'90 4

0001 0023 0009 Long 0007 Brunswick 2 32490015 09/27/90 4

0004 0015 0017 Long Brunswick 2 32490016 10/12/90 1

0020 Brunswick 2 32491001 0I/25/91 1

0009 a

0009 0020 Brunswick 2 32492001 02/02/92 1

Short Shon Clinton 46188019 07/12/88 13 0002 0005 Short 0421 Clinton 46189029 07/14/89 3

0009 0110 Long Long Cooper 29887003 01/07/87 i

Shon Cooper 29887006 01/10/87 i

Long Short Cooper 29887009 02/18/87 1

Shon Long Cooper 298870!!

05/17/87 1

Short Short Cooper 29888021 08/25/88 1

Long Short Cooper 29889026 11/25/89 i

Long Long Cooper 29890011 10/17/90 1

Short Long Cooper 29893038 12/14/93 1

Short Short Short Duane Arnold 33189008 03/05/89 1

Long Duane Arnold 33189011 08/26/89 1

0026 Long Duane Arnold 33190002 03/29/90 i

Long 0026 Duane Arnold 33190019 10/19/90 1

0006 Long 0006 Fermi 2 34187017 05/13/87 i

Shon Fermi 2 34187025 06/25/87 1

0016 Shon Fermi 2 34188004 01/10/88 i

Long 0016 Fermi 2 34192012 11/18/92 1

Short Long Fermi 2 34193010 08/13/93 1

Short Short Short FitzPatrick 33387008 06/10/87 1

Short FitzPatrick 33389020 11/05/89 1

Short Short FitzPatrick 33390009 03/19/90 1

Short Shon FitzPatrick 33393009 04/20/93 1

0001 Short 0001 Grand Gulf 41688006 01/20/88 1

0031 0031 Grand Gulf 41689006 05/05/89 1

Short Grand Gulf 41689010 07/22/89 1

0002 Short Grand Gulf 41689012 08/14/89 i

Long 0002 Long Grand Gulf 41689016 11/07/89 1

N/Aa N/A B-10

Table B-5. (continued)

Plant LER Number Event Date Naber of Run Time Run Time Run Ttme Total Pump Stans Start (1)

Stan(2)

Stan(3)

Mission Time Long Grand Gulf 41689019 12/30/89 1

Long 0130 Grand Gulf 41690011 07/24/90 1

0130 Short Grand Gulf 41690017 09/16/90 2

Short Short Long Grand Gulf 41690028 12/10/90 1

Long Long Grand Gulf 41690029 12/18/90 i

Long Short Grand Gulf 41691004 06/11/91 1

Short Grand Gulf 41691005 06/17/91 1

Long Long Grand Gulf 41691007 07/28/91 1

Short Short Grand Gulf 41692013 06/18/92 1

Short Short N/A l

Hatch 1 32187011 07/23/87 1

N/Aa 0003 l

Hatch 1 32187013 08/03/87 1

0003 Short Hatch 1 32188013 09/04/88 1

Short Hatch 1 32188018 12/17/88 10 0113 Long Long Long 0005 l

Hatch 1 32190013 06/20/90 1

0005 Long Hatch 1 32190021 10/15/90 1

Long Hatch 1 32191001 01/18/91 2

0020 N/Aa 0020 Long Hatch 1 32191017 09/11/91 2

0009 Long Long Hatch 1 32192021 08/27/92 2

0002 Long Short Hatch 1 32192024 09/30/92 1

Short Long Hatch 1 32193013 10/22/93 1

Long 0005 Hatch 1 32193016 12/07/93 1

0005 0015 Hatch 2 36687003 01/26/87 1

0015 Long Hatch 2 36687008 04/22/87 1

Long 0002 Hatch 2 36687006 07/26/87 1

0002 0004 Hatch 2 36687009 08/03/87 1

0004 0003 Hatch 2 36688008 03/21/88 1

0003 Hatch 2 36688011 04/17!88 2

0018 Long Long N/A Hatch 2 36688017 05/27/88 1

N/Aa 0004 Hatch 2 36688020 08/05/88 1

0004 Long Hatch 2 36689005 09/03/89 1

Long Hatch 2 36690001 01/12/90 2

Long Long Long Hatch 2 36691004 02/14/91 1

0015 0015 0003 Hatch 2 36692009 0605/92 1

0003 4

Long Hope Creek 35487017 02/24/87 1

Long Short Hope Creek 35487034 07/30/87 1

Short Hope Creek 35487037 08/16/87 1

Long Long Long Hope Creek 35487039 08/29/87 1

Long Long Hope Creek 35488012 04/30/88 2

0026 Long 0018 Hope Creek 35488027 10/15/88 1

0018 0010 Hope Creek 35488029 11/01/88 1

0010 Short Hope Creek 35490003 03/19/90 1

Short Short LaSalle 1 37392003 03/01/92 1

Short 0755 LaSalle 1 37393015 09/14/93 1

0755 LaSalle 2 37492012 08/27/92 2

0001 Long Long 0152 Limerick 1 35287048 09/19/87 1

0152 0025 Limerick 1 35291009 04/12/91 1

0025 B-11

Table B-5. (continued)

Plant LER Number Event Date Number of Run Tune Run Time Run Time Total Pump Starts Stan(l)

Stan(2)

Start (3)

Mission Time Limenck 2 35390015 09/10/90 1

0227 0227 Monticello 26387009 04/03/87 1

Short Short Monticello 26391019 08/2561 1

Long Long Nine Mile Pt. 2 41088001 01/20/88 1

0002 0002 Nine Mile Pt. 2 41088012 03/05/88 1

0003 0003 Nine Mile Pt. 2 41088014 03/13/88 1

0102 0102 Nine Mile Pt. 2 41089014 04/13/89 1

Long Long Nine Mile Pt. 2

'41091017 08/1381 1

0145 0145 Nine Mile Pt. 2 41091023 12/12/91 1

0056 0056 Peach Bottom 2 27789033 12/20/89

.1 0001 0001 Peach Bottom 2 27792012 07/17/92 1

0030 0030 Peach Bottom 3 27890002 01/28/90 1

0036 0036 Peach Bottom 3 27890008 07/27/90 1

Long Long Peach Bottom 3 27792010b 07/04/92 1

0335 0335 Peach Bottom 3 27892008 10/15/92 1

0200 0200 Perry 44087012 03/02/87 1

N/Aa N/A Perry 44087042 06/17/87 1

Long Long Peny 44087064 09/09/87 1

0003 0003 Perry 44087072 10/27/87 1

0003 0003 Perry 44088012 04/27/88 1

0037

_0037 Peny 44088023 06/08/88 1

0406 0406 Peny 44090002 01/07/90 1

0037 0037 Peny 44092017 09/10/92 1

0001 0001 Peny 44093010 03/26/93 1

Long Long Pilgrim 29390013 09/02/90 1

N/Aa N/A Pilgrim 29391025 10/30/91 2

0043 0402 0445 Pilgrim 29393004 03/13/93 3

0516 0042 0006 0603 Pilgrim 29393022 09/10/93 1

0044 0044 Quad Cities 1 25490004 03/10/90 1

0001 0001 Quad Cities 2 26587009 08/01/87 1

0004 0004 Quad Cities 2 26587013 10/19/87 1

0002 0002 River Bend 45888018 08/25/88 1

0001 0001 River Bend 45888021 09/06/88 1

0001 0001 River Bend 45889008 02/25/89 1

Short Shon l

Susquehanna 1 38787013 04/02/87 1

0004 0004 Susquehanna 1 38791008 07/31/91 2

0003 0739 0742 1

Susquehanna 2 38887006 04/16/87 1

Short Short Susquehanna 2 38890005 05/28/90 1

0009 0009 Vermont Yankee 27191009 04/23/91 2

0219 1841 2100 Wash. Nuclear 2 39787002 03/22/87 i

Short Short B-12

Table B-5. (continued)

Plant LER Number Event Date Number of Run Tune Run Time Run Time Total Pump Starts Start (1)

Start (2)

Stan(3)

Mission Time

'Wa.;h. Nuclear 2 39787020 07/02/87 1

0056 0056 Long Wash. Nuclear 2 39787022 07/06/87 1

Long 1214 Wash. Nuclear 2 39788003 02/04/88 2

0001 1213 Wash. Nuclear 2 39788006 02/13/88 3

0001 0001 Shon Short Short Wash. Nuclear 2 39793027 08/03/93 1

Short

a. A non-recovered failure occurred during the demand, therefore there was no run time associated with the demand.

b. Although LER number is a Unit 2 number, the repon describes an event that occurred at Unit 3.

Table B-6. Estimated number of cyclic surveillance tests.

Plant Name Total Plant Name Total Browns Feny 2 3

Limerick 2 4

i Brunswick 1 4

Monticello 6

f Batnswick 2 5

Nine Mile Pt 2 5

I Clinton 5

Peach Bottom 2 4

Cooper 6

Peach Bottom 3 5

Duane Arnold 5

Perry 5

Fermi 2 4

Pilgrim 5

FitzPatrick 4

Quad Cities 1 5

Grand Gulf 6

Quad Cities 2 7

Hatch 1 5

River Bend 5

Hatch 2 4

Susquehanna1 4

Hope Creek 5

Susquehanna 2 4

LaSalle 1 4

Vermont Yankee 5

LaSalle 2 6

Wash. Nucle r 2 7

Limerick 1 5

Total 142 B-13

~

~

Table B-7. Summary of RCIC failure events used for unreliability.

Plant Name Failure Mede LER Number Event Date Description Unplanned Demand Failures Brunswick 2 FRC 32487001 01/05/87 (Recovered)

A failure of the voltage regulator caused a turbine trip, which resulted in a reactor scram and SRV actuations to limit RPV pressure. RCIC was started to qontrol RPV level. Two hours aller the initial injection and restoration of RPV level, RCIC was unable to maintain RPV level because the full flow test line would not fully close due to a failure of the valve stem antirotation device. During the time the RCIC system was degraded, llPCI was inoperable due to the iajection valve failing closed. After isolating the RCIC full flow test line, both CRD pumps a.,d RCtC were used to restore RPV level Brunswick 2 FRS 32190009 08/19/90 (Not Recovered)

Following a reactor scram event caused by an inadvertent MSIV isolation of the RPV, the RCIC trip and throttle valve could riot be reset for a fourth system restart. The cause of the failure to reset the trip and throttle valve was that the thermals for the motor operator had tripped.

Grand Gulf MOOS 41689016 11/07/89 (Not Recovered)

A reactor scram was caused by an electrical spike from a lighting strike. The RCIC system received an actuation signal but was out ofservice in preparation for surveillance testing. Vessel level was recovered by the feedwater system.

Ilatch 1 FTSO 32187011 07/23/87 (Not Recovered)

A loss of feedwater resulted in a reactor scram. RCIC automatically actuated but tripped on overspeed due to a failure of an electronic component in the electric governor magnetic pickup module.

Ilatch I FRS 32188018 12/17!88 (Recovered)

A reactor scram occurred when the turbine tripped due to loss of electrohydraulic control system pressure. After use of the RCIC system, the RCIC turbine steam supply valve failed to close fully due to loose yoke bushing. During subsequent restart of the RCIC system, the turbine tripped on overspeed due to the turbine supply valve previously not going completely closed. The turbine was reset and restarted. This scenario was repeated several times whh safety relief valves were used for pressure control, llatch 1 FRS 3219I001 01/18/91 (Not Recovered)

A loss of olTsite power resulted in a reactor scram. IIPCI and RCIC were actuated to restore RPV level, but operated erratically due to a failed speed controller. Turbine bypass valves were used to control RPV pressure. During subsequent recovery actions, RCIC failed due to faciture of the injection valve. The injection valve failure was caused by a blown fuse on the valve actuator control power circuit, which occurred when the valve was closed after the initial actuation.

B-14 l

=

1 I

Table B-7. (continued)

Plant Name Failure Mode LER Number Event Date Description flatch 2 FTSO 36688017 05/27/88 A loss of feedwater resulted in a reactor scram. RCIC automatically started, but the pump failed to ramp up to full speed due to a failure of a limit switch on the injection valve.

(Not Recovered)

LaSalle 2 FRS 37492012 08/27/92 An automatic reactor scram o curred as a result of a main turbine stop valve closure trip.

The RCIC system auto-started due to a low RPV water level signal within a few seconds (Recovered) of the scram. Water level was promptly restored by RCIC injection. During subsequent RCIC restart attempts, the turbine tripped twice as a result of high exhaust pressure. The high exhaust pressure trips v'ere the result of water in the exhaust lines. In both cases the RCIC steam line drain valves operated properly, but there was insufTicient time to drain all the water from the steam lines between start ettempts.

Nine Mile Pt. 2 FTSO 41091017 08/13/91 An automatic reactor scram occurred as a result of a turbine trip caused by a "11" phase main transformer intemst fault. He RCIC system was manually started when operators (Recovered) recognized that the two operating reactor feedwater pumps had tripped. The RCIC turbine experienced flow, speed, and pressure oscillations vhile in the automatic mode and was transferred to manual control. Subsequently turbine performance parameters stabilized.

Perry FfSO 44087012 03/02/87 He RCIC system failed to auto-start following an automatic reactor scram that occurred as a result of a low reactor vessel water level. The cause of the RCIC failure was (Not Recovered) attributed to a normally closed steam supply isolation valve that failed to open. The p* ant design was chauged to require the valve to be normally open in order to preclude a recurrence of this failure. This failure was identitied in LER 44087012; however, the corrective action was reported in LER 44037003 as a revision.

Perry FTR 44090002 01/07/90 A loss of feedwater resulted in a reactor scram. He RCIC system automatically actuated but tripped after 37 minutes due tohigh room differential temperature. The high (Not Recovered) differential temperature trip was caused by high cooling water flow and the differential temperature trip set point set improperly for winter time operations.

Pilgrim FTSO 29390013 09/02/90 A failure in the feedwater control system caused the operators to manually scram the reactor. The RCIC system was manually started but tripped on overspeed. Two more (Not Recovered) start atternpts were made, but both resulted in overspeed trips. The IfPCI system was manually started for level control. He RC!C trips were caused by an inadequate procedure and a loose mechanical overspeed linkage.

B-15

Table B-7. (continued)

Plant Name Failure Mode I.ER Number Event Date Description l

Pilgrim FTSO 29391025 10/30/91 l

(2 failures)

(Recovered)

A loss of o!Tsite power occurred shortly aller the plant was shutdown in response to a severe storm. RCIC was manually started but tripped on overspeed when the injection valve was not opened promptly after starting the turbine. RCIC was reset nnd started; however, starting an RilR pump caused a voltage transient which tripped the RCIC inverter and prevented RCIC from attaining rated flow. The RCIC system was shutdow the inverter reset, and RCIC started successfully. (Note: The sec'ond failure was caused by a problem in the 4160 vac power system, which is outside the RCIC system boundaries an;umed for this study. Therefore, this second failure was not included in the unreliabili calculations.)

Quad Cities 2 ITSO 26587009 08/01/87 (Recovered)

A main transformer fault caused a generator trip and reactor scram. Power to both feedwater pumps was also lost due to a loose termination. An operator attempted to initiate RCIC by pushing the automatic initiation push-button but failedio maintain the button depressed long enough. Believing that RCIC had tripped, the operator then manually started RCIC and injected in the RPV to maintain level.

Vermont Yankee FTR 27I91009 04/23/91 (Recovered)

A switchyard breaker failure caused a turbine trip and reactor scram. RCIC tripped on overspeed due to operator error while swhching from manual to automatic control.

Wash. Nucles:2 FRC 39788003 02/04/88 (Recovered)

A technician error caused the main steamline isolation valves to close while operating at full power. A reactor scram occurred and safety relief valves opened to maintain reactor pressure. The RCIC system was mamrally started to maintain vessellevel To maintain reduced feedwater flow to the reactor, part of the RCIC flow was being recirculated to the condensate storage tank. During this operation, the test return line valve failed to fully close, although she valve position indication indicated " closed". Operators were able to maintain the desired flow to the reactor vessel by closing a second valve in the test return line.

Cyclic Surveillance Test Failures Quad Cities 2 ITSO 26590006 05/08/90 During cyclic survei!!ance testing, the RCIC pump flow experienced large oscillations.

'Ihe proportional band setting on a newly installed flow controller was set to respond too quickly to flow changes, causing the unstable flow.

Quad Cities 2 FTSO 26592015 05/12/92 During cyclic surveillance testing, the RCIC pump flow experienced large oscinations.

The proportional band setting on the flow controller was set too narrow, causing the unstable flow.

1 B-16

g Table B-7. (continued)

Plant Name Failure Mode LER Number Event Date Description Vermont Yankee ITSO 27187018 11/14/87 During an initiation of a full flow surveillance test, the RCIC turbine tripped due to high RCIC turbine exhaust pressure. The disk of a check valve in t'ac turbine exhaust line had broken from the di k arm and lodged in the valve body thus restricting ti.e turbine s

exhaust flow.

B-17

Appendix C Failure Probabilities and Unreliability Trends C-1

.u,,

-a

~s 4s

-u.

x

-a..+<

.s.

-+s

-..s

-a-a a

-~n

-.e

.,-s.

.,,tm,

....aa.,-

n.

w+

.a

-...x, l

1 I

I l

1

.f I

r e

.I i

I 1

1 1

i a

i C-2

Appendix C Failure Probabilities and Unreliability Trends This appendix, displays relevant reactor core isolation cooling (RCIC) system event counts and the estimated probability of each failure mode, including distributions that characterize any variation observed between ponions of the data. It then summarizes the ir.vestigation of whether trends exist in the RCIC data. Three types of detailed analyses are given: a plant-specific analysis for probability of individual failure modes; an investigation of the possible relation between plant low-power license date and RCIC performance, as measured by unreliability and by the frequency of failures; and an investigation of whether overall performance as measured by these attributes changed during the seven years of the study.

C-1. FAILURE MODE PROBABILITIES C-1.1 Analysis ofIndividual Failure Modes l

Table C-1 contains results from the initial assessment of data for the modeled failure modes, including point estimates and confidence bounds for the probability of each mode. These results are plotted in Figure C-1.

Table C-2 summarizes the results from testing the hypothesis of constant probabilities across groupings for each failure mode based on data source (if applicable), calendar year, and plant unit.

Statistical evidence of differences across these groupings, based on chi-square statistics, was found in only two cases: between plants for the FTSO mode and for the probability that a RCIC restart is required (IFRS) mode.

Specific descriptions of the particular data used to analyze each failure mode are contained in subsections below. The plant units that account for much of the variation in the data for each failure mode are identified, and the implications of the Table C-2 tests for the analysis of unreliability are described. The latter include the rationale for choosing particular data sets and types of modeling to calculate the distributions that characterize sampling and/or between-group variation.

C-1.1.1 Maintenance-out-of-service (MOOS)

'Ihe single maintenance-out-of-service event occurred during one of the 14 unplanned RCIC demands at Grand Gulf. Based on demand counts, the probability of a MOOS event occurring at Grand Gulf instead of some other plant if the occurrence probability per demand is the same across plants is 14/132, or 0.11. Since such a test is being perforraed for more than 20 plants, Grand Gulf being the plant that experienced the MOOS event is not statistically significant. In accordance with the methods described in Section A-2.1.4 of Appendix A, a simple Bayes beta distribution describing approximately the same vr.dion as the confidence interval was derived. This distribution was used in the variance propagatiw to quantify the statistical variation in the RCIC unreliability estimate.

l C-3 l

Table C-1. Point estimates and confidence bounds for RCIC failure modes.

Failure Mode Data source Failuresf Demands d Probabilitya Mamtenance-out-of-service (MOOS)

Unplanned i

133 (0.000, 0.008,0.035)

Failure to start (other)(FTSO)

Unplanned 7

132 (0.025, 0.053, 0.097)

Cyclic 3

142 (0.006, 0.021, 0.054)

Pooled 10 274 (0.020, 0.036, 0.061)

FTSO recovery failure (FRFTS)

Unplanned 4

7 (0.225, 0.571,0.871)

Failure to start (valve)(FTSV)

Unplanned 0

128 (0.000, 0.000, 0.023)

FTR-short mission (FTR-ST)

Unplanned 0

56 (0.000,0.000,0.032)

FTR-long mission (FTR-LT)

Unplanned 2

72 (0.005,0.028,0.085)

Cyclic 0

141 (0.000, 0.000, 0.021)

Pooled 2

213 (0.002, 0.009, 0.029)

Failure to run rate (FTR)

Pooled 2

Unplanned 2

Cyclic 0

FTR recovery failure (FRFTR)

Unplanned 1

2 (0.025,0.500,0.975)

Prob.(restart required)(IFRS)

Unplanned 1R 72 (0.168,0.250, 0.348)

FRS-long mission (FRS-LT)

Unplanned 4

1E (0.080, 0.222, 0.439)

FRS-PRA mission (FRS)

Unplanned 4

46 (0.030,0.087,0.188)

FRS recovery failure (FRFRS)

Unplanned 2

4 (0.098,0.500,0.902)

Recirculation failure rate (FRC)

Unplanned 2

FRC-long mission (FRC-LT)

Unplanned 2

72 (0.005,0.028,0.085)

FRC recovery failure (FRFRC)

Unplanned 0

2 (0.000,0.000,0.776)

a. The middle number is the point estimate (//d) and the two end numbers form a 90% confidence intersal.

i C-1.1.2 Failure to Start, Other than Injection Valve (FTSO) l Table C-2 shows statistically significant differences in FTSO between Quad Cities 2 and the 1

other BWR plants in the combined unplanned demand and cyclic surveillance test data. As shown in Table C-2 and in the overlapping confidence intervals of Figure C-1, no statistically significant 3

difference was noted between the unplanned demand and cyclic surveillance test data for the FTSO failure mode. Consequently, the data for unplanned demands and cyclic surveillance test were pooled for the subsequent analyses.

The empirical Bayes distribution was fitted to describe differences in FTSO probabilities among plants. This distribution showed much greater variability than the confidence interval. For example, in the homogeneous model used to develop the confidence interval, the P-value associated with Quad Cities 2's three failures in nine demands was 0.0026 (with a total of 10 failures in 274 demands). However, an assumption implicit in the use of any empirical Bayes distribution is that variation exists among members of the population for the variable being modeled. Plant-specific beta distributions for the FTSO probability obtained by updating the generic beta distribution were fairly wide, reflecting the sparseness of the plant-specific data. In the non-homogeneous model arising from the fitted empirical Bayes distribution, the P-value for Quad Cities 2 is just 0.017. However, there are nearly 30 plants involved in the evaluation that provide opportunities to see data in the tails of the distribution.

Accounting for the many plants and multiple opportunities, the P-value for having 3 or more failures in nine demands for at least one plant with the beta-binomial model is approximately 0.40, which is not significant.

C-4

Failure mode (data source) m Point estimate and 90% confidence bounds MOOS (unplanned)

1

: i ilni i

l i siin i

4 1 1 I til6 4

I i t i e il i i I t Ille i i 5 e i 1iI t

1 i i i f lit i

f 4 I I IIll I 4 i I 4 A ll a

i t t it.i l 4 5 1 t ill 8 + 1 1 Illi I

t i I t t ill I

t I i ; Ill FTSO (unplanned) - i i i ' I

'

• i ' i'on

> '. i ii i i I,'

e i i i ioo i

t I i 1,ni i.... ini

. i I c e' ' ' "l

' ' ' i ni" FTSO(cyclic) -,'

'.' 'i l i

' ' i "

i i i iun I i i i r,

til

., i i iin FTSO(pooled) - ' ' ' i ' ' ' "

a.' t,' ' "

e i i.'n e

i in I

i i iili i i i i i ii n i i i 4

i ' i ! I ili i i i l a e ii1 1

I 6 I i e iii t i I I lll 1

i e i l ill; I

4 4 I 41814 i

! i i i lit t 1

i e i l11.

FTSV(unplanned)

I i i iini i. 6 i iin 1

4 9 ' i lill i

I I I t ill 1

1 I i 18131 1

I e i 8ill

• i i l iiIIt i i i t i iiII i

6 4 i e iiil i 1 I IIIe I

i 3 I t iIl1 I

4 l l l 1iEI I

f i 1 11111 1,

1 4 i 'It!

F 4

1 I i l li f t i i 1 d 18 6 pl i

I I44ill I-i e i I t ill i

4 1 9 I i t al I

t i 5 iidie p

t i 111 l. I i 4 I llbI i

8 i t ( llit t

t t 1 44]Il I

E i t (la I

I i 1I lif t t

i e i I8*Lt I

t 4 i 1litt t

I & 5 4 II; FTR short-mission (unplanned)

-,,, ;nn

. In1 I,

1,t,,

a e i eii:ai l

i s i 3etil i

e i e illi i

e i : i s el FTR long-mission (unplanned)

-,,, iIon i

1,

,,,,, Il, I

i siIstas i e 6 a 1 t iil t

i t i l i lli a

i t I i ti FTR long-m.ission (cyclic)

, i,iiin i r I i iI,,

i i ilin) i.i1 ini

.. i iiiui i i

) iiil FTR long-mission (pooled)

- i i t iinn i iiiin i i i i iin I

4 1 8 11(11 J

l I I e I 644 I

e i i i i t il 4

4 l 11 Ill t

i 1 414 t it I

• l 3111:

0 t I 1 i s Ill I

i I !,Iti i i i i ileil 4 1 Ii4til I

i 1 I t 4 Ill I

i'l i i g li FRFIRlong mission (unplanned)

- i i t i 1iin i i i 1, n i.

1 I i : ilift 6 4 1 iffft I

i 1 i i lill a

i f I i ill 1

I l i I t ill i

1 ( l I t ill i

I l i i 1 ill i

I ( l 11i s i

s e i i t ill i

t 6 i 11 g i i

1 4 I r i b 11 I

t i i ifit FTR rate (unplanned)

- i 9 ' I iinn i i i i iiin i i I ' ilin i e i iiin i

t I iititt i i J l 8 litt i

I 4 8 i B ill 4

i i i i t il M {glg(Q[h I

l 6 1 i4114 I

i 1 e i1II I

I I a t ieI t

6' 1 I i iiI i e i.,,in i i i Iii.,

. i i 3.iln i i. i iin Q pggg g[

4 1

I 6

!IeI t

I a1 141)I i

I i I a 115 6 f

I I l44ii i

t

! J4 8Ill I

i I L a g lit I

i i i ! 1911 4

t I i i ill I

i i 1 i1ii i e i I i 1,4 I t i

l i I IIII6 1

1 i i t4$4 l

l 1 6 ! e ill i

t i e illif 8

I 6 i lill i i e I I Ill i, 'I i n'

' ' "n

a. '..' ', ' 'e 'n' FRFIR unplanned

- i ' '

i i i i :.i i

i 6

.r...

I i i 1

1 1 l 4 I 111 9

I l i I i 1Il i

I 6 i liil l

1 I l tIlI l

I i a 19 i11 I

i 1 1 ' t ill I

I l i Itill I

6 4 4 t il P(restan required)(IFRS)

- l

' ' ', l ' ' l

', l ' l l'l

l l l ' l',ll l !.e4 l l l ' "

~ i t f l 6 Ilf f a

1 1 I i 1818 I I i !llit i

e 3 i i t il

, i I 6 lit s I

I e i l i f ti i

l i i t illt I

6

't i 1 t il l l ' l'l" l

• l l ",'

l l ' ' l ', l [

l:,' ' lll FRS long mission (unplanned)

{

l I 4 t il:t i

4 I I 5 t ill I i l i lif t l

I i i i li t 1

I I IIIf90 a a lI lill I

I e a t lilt i

I I I iiit FRS (unplanned)

,8,,,,

, - i i Il'Il I

i i 118i i

l I 1814 6

I I I L t ill I

e

,0 3,,, In I

i 14'fr' l

4 i i ilitt 6

i t I i l l l1 I

I 1 a i lil I

I I IeII:n a

i j I Ilill i i i i i t ill I

I i f II4I I I11t I

I 1

• ILtl i

e 1 1 I e III i i 1 11 illa I

I I i i n.'

FRFRS (unplanned) 1 1 1 4 inn

, i,,iiin

, i I 1

I I i 14114 e

i t 4 I Illi a i I i I t ill a

l 8 4Itil 1

I i 1 4 3 lig 1

I I I I Illi i

l 1 I ilit 1

I t Iliel I

i 4 i iIlli a

l i I i I III i i l I 1 Illi e

i i fIlit FRC long mission (unplanned) i i. i iiio i i i.

i i i i i ioi t

I l I t i lil I

I i 1 1 f Ill 5

I I I I Ilit I

I i I i !83 t

t I i i e Ill i

I I I Ittil 1

I i 1 4 81Il t

I t 14I8l 1

5 i 6 I Iall l

q l I t 4 ;ll J

I i t l l 111 1 6 I t lli FRFRC (unplanned) 1I,.e I i I llin 1

, 1 e illit i

I... Inl

, i 1 1,

t t 1 1iile 4

I I i i t t il I

l i I t t ill i

I I I 4Ill 1

6 I i iflet i

I t I i i Ill I

f I I I I lli i

f f i i III 1

5 8 I f 1Ie1 8

i i i e IIiI 8

1 i I B t iil 1

8 1 1 I Bii IE-04 IE-03 IE-02 IE 01 IE+00 Probability Figure C-1. Point estimates and confidence bounds for RCIC failure modes.

C-5

Table C-2. Evaluation of differences between groups for RCIC failure modes.

P-values for test of variationa Entities with Failure Mode Demand type In in in relatively high chi-square statisticsb demand years plants types Mamtenance-out-of-service.

Unplanned IF IF (MOOS)

Failure to start, other than injection Unplanned valve (FTSO)

NS NS None Cyclic test NS NS Pooled NS NS 0.031 Quad Cities 2 Failure to recover fwm FTSO Unplanned NS NS (FRFTS)

Failure to start, injection valve Unplanned 0F OF (FTSV)

Failure to run-short term (FTR ST)

Unplanned 0F 0F Failure to run-long term (FTR-LT)

Unplanned NS 0.006 None. However, I failure in I demand at Vermont Yankee Cyclic test 0F OF Pooled NS NS NS None Failure to run (rate)(FTR)

Unplanned NS NS None Cyclic test NS NS None Pooled NS NS NS None Failure to recover from failure to run Unplanned IF IF (FRFTR)

Prob (restart required)(IFRS)

Unplanned NS 0.037 None Failure to restart-long mission Unplanned NS NS None (FRS-LT)

Failure to restart (FRS)

Unplanned NS NS None Failure to recover from failure to Unplanned NS NS None restart (FRFRS)

Failure to transfer from recire. (rate) Unplanned NS NS None (FRC)

Failure to transfer from recirc.-long Unplanned NS NS None term (FRC-LT)

Failure to recoverfrom failure to Unplanned 0F OF transfer from recire. (FRFRC) a.

, not applicable; NS, not significant (P-value >0.05); 0F, no failures (thus, no test); IF, only one failure (thus, no

b. Years or plants whose contribution to the chi-square statistic is in the upper 1% of a chi-square distribution with o degree of freedom are flagged.

C-1.1.3 Failure to Recover from FTSO (FRFTS)

Of the total of six RCIC system failures to start after unplanned demands, there were only three recoveries by operator actions.

None of the chi-square tests showed significant differences between plants or years for the failure to recover from FTS data. A simple Bayes beta distribution was used for the unreliability analysis.

C-6

C-1.1.4 Failure to Start, Injection Valve (FTSV)

For the FTSV failure mode, no failures were identified. No significant differences were found between plants. Therefore, a simple Bayes beta distribution describing approximately the same variation as the confidence interval was calculated for the three unreliability analyses. No estimate was developed for failure to recover from FTSV since there were no failures.

C-1.1.5 Failure to Run, Short Term Mir,sion (FTR-ST)

For the short term and long term missions, failure to run probabilities were calculated from the number of missions and the number of failures. Among the unplanned demands,56 were assessed as short term missions (the longest of which lasted 10 minutes). No failures to run occurred among these Thus, a simple Bayes beta distribution describing approximately the same variation as the events.

confidence interval for the FTR ST probability was calculated for the short term mission unreliability analysis.

C-1.1.6 Failure to Run, Long Te-m Mission (FTR-LT)

As just stated above, failure to run probabilities were calculated from the number of missions and the number of failures. Two failures to mn occurred, and both were among the 72 long term unplanned demands No failures to run occurred among the cyclic surveillance tests. A chi-square test i

I for differences between these two groups has a P-value of 0.11, which is not significant. The two data sets were pooled. No noticeable differences in the data subgroups were found, and no empirical Bayes distributions were found. Thus, a simple Bayes beta distribution describing approximately the same variation as the confidence interval for the FTR-LT probability was calculated for the long term mission unreliability analysis.

I C-1.1.7 Failure to Run, PRA Mission (FTR)

As observed above, two failures to run occurred among the unplanned demands, and no failures occurred among the cyclic surveillance tests. A chi-square test for differences in these two groups has a P-value of 0.16, which is not significant. The two data sets were pooled. No noticeable differences in the data subgroups were found, and no empirical Bayes distributions were found.. Thus, a simple Bayes gamma distribution describing approximately the same variation as the confidence interval for the FTR rate was calculated for the PRA mission unreliability analysis.

C-1.1.8 Failure to Recover from FTR (FRFTR)

Among the two failures to run on unplanned demands, only the one at Perry was not recovered.

7 These data are not sufficient to draw conclusions about differences in years or plants. The simple Bayes l

beta distribution was used for unreliability for the long term model and for the PRA mission evaluation.

Since neither of the failures occurred on the short term missions, failure to recover for the short term missions was not modeled.

1 l

C-7

C-1.1.9 Failure to Restart, Long Term Mission (FRS-LT and IFRS)

Among the 72 unplanned long term missions, eighteen had restans.

The eighteen missions involved a total 43 restarts at eleven different plants (for comparison, among 56 shon term missions three restans occurred in two events, one of which was at a twelfth plant). For the long term missi the need for restart was combined with the overall mission restart success or failure, without r the particular number of restarts involved in each restart event.

Empirical Bayes distributions were found both for between-plant variation and for between variation for the probability of needing restart demands (based on the 18 eveats among the 72 plant-specific estimates were available for the plants having restans as part of the long term missions The generic enipirical Bayes distribution was used for the other plants in this model.

In the eighteen long term missions with restans, one restan failure was observed in each of four missions. The failures occurred at three different plants, and the plant having two failures (Hatch had the most restan demands (four events with opportunities for restart failure). Thus, no evidence for differences among these plants in the mission restart failure probability was found. No empiric distributions were fitted to the data. The simple Bayes beta distribution was used for unreliab the long term mission model.

C-1.1.10 Failure to Restart, PRA Mission (FRS)

In the total unplanned demands,46 restarts occurred in 20 events involving a total of twelve plants. The estimate of a single failure to restan probability for the PRA missions was developed fro tho plant-specific data based on the fact that 4 failures to restart occurred among the 46 demands.

Although, as stated above, two of the failures occurred at Hatch 1, Hatch also had among the hig munber of restan demands (12)(six plants had one each). Therefore, the FRS probability for Hatch was not found to be significantly different the probability for the other plants. One of the failures occurred at LaSalle 2, a plant having just one demand. On the other hand, Clinton had no restan failures in 14 demands.

With just four 'ailures and many plants with few demands, the data were too sparse to estimate an empirical Bayes distribution for differences among plants or among years. The simple prior distribution was applied to characterize the FRS probability for PRA mission unreliability estimation.

C-1.1.11 Failure to Recover from FRS (FRFRS)

No failures occurred in the few restarts in the shon unplanned missions. Therefore, a single estimate for recovery can be applied to both the long term mission model and the PRA model. Two of the four failures to restan were not recovered. These data are not sufficient to draw con differences in plant units. The simple Bayes beta distribution was used for both the long term mission model and the PRA model unreliability evaluations.

C-8

-A

I C-1.1.12 Failure to Transfer during Recirculation, Long Term Mission (FRC-LT)

For the long term missions, the simple approach of counting missions with recirculation and counting the number of failures in these missions was used. Based on plant operations, run times lasting at least 15 minutn were assumed to involve recirculation. Each of the long term mission events (whose total length was t.t least 15 minutes) had at least one such long operating period. Two failures to transfer during recirculation occurred in the 72 long term unplanned demands, one each at Brunswick 1 and Washington Nuclear 2. These data are not sufficient to draw conclusions about differences in plants.

The simple Bayes beta distribution was used to characterize the long term operations probability for failure.

C-1.1.13 Failure to Transfer during Recirculation, PRA Mission (FRC)

For the PRA missions, the fact that some events had more time in recirculation than others was considered in the modeling. Some of the events involved two or three long periods. The number of switches from recirculation to injection during these periods was not know 1, but no evidence to discount the idea that the number of switches would be roughly proportional to the run time was found in the data.

The lengths of the known long periods varied from the cutoff of 15 minutes to as Inng as 18.7 hours8.101852e-5 days <br />0.00194 hours <br />1.157407e-5 weeks <br />2.6635e-6 months <br />. To fully accommodate the recirculation performance information contained in these events, a rate-based analysis was performed for the PRA model. Rates were computed from the number of failures and the total time in recirculation estimated for each plant and year. For the rate-based PRA model as well as the probability-based long term model discussed in the previous section, the two failures to transfer during recirculation were not suffichnt to draw conclusions about differences in plant units. The simple Bayes gamma distribution was used to characterize FRC rates for the PRA mission unreliability estimates.

C-1.1.14 Failure to Recover from FRC (FRFRC)

Both of the failures to transfer during recirculation were recovered. These data are not sufficient to draw conclusions about differences in plants. The simple Bayes beta distribution was used for both the long term model and the PRA model unreliability evaluations.

C-1.1.15 Summary of Beta Distributions for Individual Failure Modes Tables 3,5, and 8 in the main body of this report describe the beta and gamma distributions selected to model the statistical variability observed in the data for each RCIC unreliability model.

These tables differ from Table C-1 and Figure C-1 because the Bayes distributions and intervals shown on Tables 3,5, and 8 are not confidence intervals. The Bayes distributions ellow the results for the failure modes to be combined to give an uncertainty distribution for each unreliability model.

C-9 c_______

C-1.2. Plant-Specific Failure Probabilities This section provides plant-specific failure probabilities for the FTSO and IFRS failure modes These are the two modes for which such variation was modeled. For all other RCIC failure m significant variation was not observed between plants.

The results for FTSO are presented by plant in Table C-3. The results for IFRS are pre plant in Table C-4. As explained in Section C-1.1.2 above, each plant is modeled as being ho with a constant probability in time of FTSO failure or of restart.

The probabilities themselves are assumed to differ from plant to plant. Table C-3 and Table C-4 provide the plant-specific raw failure data:

failure counts, demand counts, probability estimates, and confidence intervals.

The empirical Bayes distributions summarizing the uncertainty are tabulated. Rese distributions are obtained Bayesian update, as described in Section A-2.1.5 of Appendix A. Note that the empirical Bayes in are more consistent with each other than the confidence intervals are, because the empirical Bayes method pulls the extreme cases toward the general population.

Table C-3. Probability of FTSO, by plant.

Plant f

d 90% conf. interval

• a b

Empirical Bayes 90%

interval

• Browns Ferry 2 0

3 (0.000,0.000, 0.632) 0.60 18.63 (0.000, 0.031, 0.I11)

Brunswick 1 0

8 (0.000,0.000, 0 3 12) 0.58 2239 (0.000, 0.025, 0.091)

Brunswick 2 0

15 (0.000,0.000, 0.181) 0.55 26.75 (0.000,0.020, 0.074)

Clinton 0

7 (0.000,0.000,0348) 0.59 21.71 (0.000,0.026,0.094)

Cooper 0

14 (0.000, 0.000, 0.193) 0.55 26.16 (0.000,0.021, 0.076)

Duane Amold 0

9 (0.000,0.000, 0.283) 0.58 23.06 (0.000,0.024,0.088)

Fermi 2 0

9 (0.000,0.000,0.283) 0.58 23.06 (0.000,0.024, 0.088)

FitzPatrick 0

8 (0.000,0.000, 0 3 12) 0.58 2239 (0.000, 0.025, 0.091)

Grand Gulf 0

19 (0.000,0.000, 0.146) 0.53 29.05 (0.000, 0.018, 0.067)

Hatch 1 1

17 (0.003,0.059,0.250) 1.51 30.50 (0.006,0.047, 0.120)

Hatch 2 1

16 (0.003, 0.063, 0.264) 1.50 29.25 (0.006,0.049,O.124)

Hope Creek 0

13 (0.000,0.000,0.206) 0.56 25.56 (0.000, 0.021, 0.078)

LaSalle 1 0

6 (0.000,0.000, 0 3 93) 0.59 20.99 (0.000,0.027,0.098)

LaSalle 2 0

7 (0.000,0.000, 0 348) 0.59 21.71 (0.000, 0.026, 0.094)

Limerick 1 0

7 (0.000,0.000,0 348) 0.59 21.71 (0.000, 0.026, 0.094)

Limerick 2 0

5 (0.000,0.000, 0.451) 0.60 20.25 (0.000,0.029,0.102)

Monticello 0

8 (0.000,0.000, 0 3 12) 0.58 2239 (0.000,0.025, 0.091)

Nine Mile Pt. 2 1

11 (0.005,0.091, 0 3 64) 137 22.67 (0.006,0.057,0.149)

Peach Bottom 2 0

6 (0.000,0.000, 0 3 93) 0.59 20.99 (0.000,0.027,0.098)

Peach Botte.2 3 0

9 (0.000,0.000,0.283) 0.58 23.06 (0.000, 0.024, 0.08'd)

Perry 1

14 (0.004,0.071,0.297) 1.46 26.69 (0.006,0.052,0.133)

Pilgrim 2

9 (0.041, 0.222, 0.550) 1.42 13.03 (0.011, 0.098, 0.247)

Quad Cities 1 0

6 (0.000,0.000,0 3 93) 0.59 20.99 (0.000,0.027,0.098)

Quad Cities 2 3

9 (0.098,0333, 0.655) 138 8.87 (0.015,0.135,0.336)

River Bend 0

8 (0.000,0.000,0 3 12) 0.58 2239 (0.000,0.025,0.091)

Susquehanna 1 0

6 (0.000,0.000, 03 93) 0.59 20.99 (0.000,0.027,0.098)

{

Susquehanna 2 0

6 (0.000, 0.000, 0 3 93) 0.59 20.99 (0_000,0.027, 0.098)

C-10

Table C-3. (continued)

Plant f

d 90% conf. interval' a

b Empirical Bayes 90%

6 interval Vermont Yankee 1

6 (0.009,0.167,0.582) 1.15 15.61 (0.005,0.069,0.189)

Wash. Nuclear 2 0

13 (0.000,0.000,0.206) 0.56 25.56 (0.000,0.021,0.078)

Industry 10 274 (0.020,0.036,0.061) 0.66 17.51 (0.001,0.037,0.124)

n. The middle number is the maximum likelihood estimate,fd, and the end numbers form e 90% confidence interval.

l

b. The middle number in cach triple is the Bayes mean, c/(a+b), and the end numbers form a 90% interval, leaving 5% in each tail.

Table C-4. Probability of FRS, by plant.

Plant f

d 90% conf. intervala a

b Empirical Bayes 90% intervalb 0.88 2.47 (0.013,0.263,0.681)

Browns Ferry 2 0

0 Brunswick 1 1

3 (0.017,0.333,0.865) 1.74 4.14 (0.056,0.296,0.620)

Brunswick 2 2

7 (0.053,0 286,0.659) 2.78 7.21 (0.084,0278,0.525)

Clinton 2

2 (0.224,1.000,1.000) 1.32 1.13 (0.093,0.539,0.946)

Cooper 0

3 (0.000,0.000,0.632) 0.68 4.22 (0.003,0.139,0.437)

Duane Arnold 0

3 (0.000,0.000,0.632) 0.68 4.22 (0.003,0.139,0.437)

Fermi 2 0

2 (0.000,0.000,0.776) 0.72 3.66 (0.004,0.165,0.497)

FitzPatrick 0

0 0.88 2.47 (0.013,0.263,0.681)

Grand Gulf 0

7 (0.000,0.000,0.348) 0.60 6.42 (0.001,0.085,0.292)

Hatch !

4 6

(0.271,0.667,0.937) 3.33 3.05 (0 215,0.522,0.820)

Hatch 2 2

6 (0.063,0.333,0.729) 2.73 6.12 (0.093,0.308,0.574)

Hope Creek 1

5 (0.010,0.200,0.657) 1.80 6.19 (0.041,0.225,0.490)

LaSalle 1 0

1 (0.000,0.000.0.950) 0.77 3.03 (0.006,0.203,0.579)

LaSalle 2 1

1 (0.050,1.000,1.000) 1.13 1.48 (0.049,0.433,0.880)

Limerick 1 0

2 (0.000,0.000,0.776) 0.72 3.66 (0.004,0.165,0.497)

Limerick 2 0

1 (0.000,0.000,0.950) 0.77 3.03 (0.006,0.203,0.579)

Monticello 0

1 (0.000,0.000,0.950) 0.77 3.03 (0.006,0.203,0.579)

Nine Mile Pt. 2 0

4 (0.000,0.000,0.527) 0.65 4.77 (0.002,0.120,0.389)

Peach Bottom 2 0

1 (0.000,0.000,0.950) 0.77 3.03 (0.006,0.203,0.579)

Peach Bottom 3 0

4 (0.000,0.000,0.527) 0.65 4.77 (0.002,0.120,0.389)

Perry 0

5 (0.000,0.000,0.451) 0.63 5.32 (0.001,0.106,0.351)

Pilgrim 2

3 (0.135,0.667,0.983) 1.98 2.38 (0.116,0.454,0.818)

Quad Cities 1 0

0 0.88 2.47 (0.013,0.263,0.681) 0.88 2.47 (0.013, 0.263, 0.681)

Quad Cities 2 0

0 0.88 2.47 (0.013, 0.263, 0.681)

River Bend 0

0 Susquehanna1 1

1 (0.050,1.000,1.000) 1.13 1.48 (0.049,0.433,0.880)

Susquehanna 2 0

0 0.88 2.47 (0.013,0.263,0.681)

Vermont Yankee 1

I (0.050,1.000,1.000) 1.13 1.48 (0.049,0.433,0.880)

Wash. Nuclear 2 1

3 (0.017, 0.333,0.865) 1.74 4.14 (0.056,0.296,0.620)

Indusuy 18 72 (0.168,0250,0.348) 0.88 2.47 (0.013,0.263,0.681)

a. The middle number is the maximum likelihood estimate,fd, and the end numbers form a 90% confidence interval.

b. The middle number in each triple is the Bayes mean, c'(a+b), and the end numbers furm a 90% inten al, leaving 5% in each tail.

C-11

' ~'

C-2. INVESTIGATION OF RELATION TO PLANT LOW-POWE LICENSE DATE The possibility of a trend in RCIC reliability performance with plant age as mea low-power license date was investigated for each of the three unreliability mode trend was found for the short term mission unreliability model, so results for this ca trends were found for the long term mission unreliability estimate (P-value = 0 07) or e.

o mission unreliability estimate (P-value = 0.5).

Table C-5 shows the RCIC short term mission unreliability by plant, along with the power license date. The details of calculating the plant-specific un eliabilities deserve som The unreliabilities from Figure 5 are not used, since the failure probabilities for four of t modes in the model are generic, not plant specific The trend study estimates were obtain in Section A-2.1.4. First, the data for a failure mode were pooled and a diffuse prior w (more specifically, a constrained noninformative prior) was formed for each failure mode obtain plant-specific posterior distributions for each failur

. For each RCIC that were very sensitive to the plant data.were combined for each plant a A simple approach for seeking trends is to plot the plant-specific unreliability aga low-power license date.

Such a plot is shown in Figure 7 of the body of this report, with 90%

uncertainty bars plotted vertically. The slope of the trend line was not statistically significan unaliabilities (P-value = 0.15). The 90% intervals were not used in the trend calculations, as a matter ofinterest. Linear regression (least squares fitting) was used to see if there was a tre and in the work described in the next section. A straight line was fitted to the unreliability dots in the plot), and a straight line was also fitted to log (unreliability). The fit selected w accounted for more of the variation, as measured by R2, provided that it also produced a regression confidence limits greater than zero. The regression-based confidence band show lines on the plots applies to every point of the fitted line simultaneously; it is the ba Hotelling, and Scheff6, described in References C-1 and C-2 and in statistics books that regression.

The unreliability results used only those failures that occurred during unplanned demands cyclic surveillance tests, and that were applicable to the short term mission. To make use of the plant-specific frequency of failures per operating year was estimated

. Frequencies were also estimated for unplanned demand events. The simplest normalizing technique was used:

time estimated as described in Section A-13 of Appendix A the frequency number of restarts per event (calculated as the number of restarts divided by the numbe e

demands).

C-12

\\

[

Table C-5. Plant-specific short-term mission unreliabilities, based on diffuse prior distributions, ordered by low-power license date.

Plant Name Low-power 90% Intervala License Date Monticello 09/08/70 (2.05E-03,3.53E-02,1.03E-01)

Quad Cities 1 10/0101 (2.02E-03,3.70E-02,1.08E-01)

Quad Cities 2 03/21/72 (5.03E-03,6.93E-02,1.92E-01)

Pilgrim 09/15n2 (1.58E-02,8.32E-02,1.89E-01)

Vermont Yankee 02/28n3 (7.07E-03,6.86E-02,1.79E-01)

Peach Bottom 2 12/14n3 (2 ME-03,3.68E-02,1.08E-01)

Cooper 01/18/74 (2.07E-03,3.05E-02,8.66E-02)

Duane Arnold 02/22/74 (2.03E-03,3.42E-02,9.91E-02)

Peach Bottom 3 07/02n4 (2.79E-03, 3.44E-02, 9.47E-02)

Browns Ferry 2 08/02n4 (2.87E-03,4.03E-02,1.13E-01)

Hatch 1 10/13n4 (1.03E-02,5.88E-02,1.38E-01)

FitzPatrick 10/17/74 (2.05E-03,3.44E-02,9.96E-02)

Brunswick 2 12/27D4 (2.00E-03,3.00E-02, 8.55E-02)

Brunswick 1 11/12/76 (2.02E-03,3.48E-02,1.01E-01)

Hatch 2 06/13n8 (1.05E-02,6.02E-02,1.41E-01)

LaSal': 1 04/17/82 (2.00E-03,3.68E-02,1.08E-01)

Grand Wf 06/16/82 (6.39E-03,4.49E-02,1.1lE-01)

Susquehau a 1 07/17/82 (2.00E-03,3.68E-02,1.08E-01)

LaSalle 2 12/16/83 (2.72E-03,3.64E-02,1.02E-01)

Wash. Nuclear 2 12/20/83 (2.06E-03,3.16E-02,9.02E-02)

Susquehanna 2 03/23/84 (2.01E-03,3.66E-02,1.07E-01)

Limerick 1 10/26/84 (2.71E-03,3.62E-02,1.01E-01)

Fermi 2 03/20/85 (2.05E-03,3.37E-02,9.73E-02)

River Bend 08/29/85 (2.06E-03,3.48E-02,1.01E-01)

Perry 03/18/86 (1.10E-02,6.42E-02,1.51E-01)

Hope Creek 04/11/86 (2.03E-03,3.11E-02, 8.90E-02)

Clinton 09/29/86 (2.71E-03,3.62E-02.1.01E-01)

Nine Mile Pt. 2 10/31/86 (3.09E-03,3.96E-02,1.10E-01)

Limerick 2 07/10/89 (2.58E-03,3.80E-02,1.08E-01)

a. The middle number is the Bayes mean, and the end numbers form a 90% interval. The calculations use a diffuse prior, updated by plant-specific data, for each hiiure mode. Therefore, the intervals are wide, and the means vary greatly between plants.

As was done for Figure 7, a trend of failures was fitted to the frequency and to the log (frequency). An additional detail of the methodology.for frequencies deserves mention. The log model, which avoids zero and negative regression lines and bounds, cannot be used directly when a frequency is zero. Rather than simply using an (arbitrary) fraction of a failure or demand divided by exposure time to estimate a non-zero frequency for these cases, all the data for a particuer type of frequency were adjusted uniformly. The constrained noninformative prior gamma distribution described in Section A-3 was updated with plant-specific data, and the resulting plant-specific mean was used for the frequency.

It was strictly positive, and therefore its logarithm was defined. For the RCIC failure and demand frequencies, this adjustment effectively added approximately 0.5 to each failure count and, depending on the frequency under consideration, from 0.4 and 0.8 years to each exposure time. For the restarts per C-13 l

l

)

4 start,0.5 restarts were effectively added to the restart count and 1.4 events were added to each total demand count. This process results also in the calculation of 90% Bayesian uncertainty bounds for each frequency; these bounds are shown in the plots as a matter ofinterest.

For log models, a refinement to the methodology helps stabilize the simultaneous confidence intervals on the trend lines. The method, described in the Erample 2: Poisson Regression section of Ref. C-2, weights the log (frequency) inversely according to their variances.

No significant frequency trends with plant age were found. The data for failures are plotted in Section 4.3 of the main report. Use oflog models was necessary to avoid negative regression prediction limits; thus, the fitted regression lines have a small curvature.

The frequency analyses did show significant differences among plants for all three frequencies:

unplanned demands per year, failures per year, and restarts per start. Each chi-square test for differing occurrence frequencies across plants had a P-value less than 0.00005. Among failures, the lower Bayesian limit on the frequency lies above the fitted line for Pilgrim, LaSalle 1, Perry, and Quad Cities 1.

Overall differences between plants are discussed in Section 4.3.

C-3. ANALYSIS BY YEAR,1987-1993 The analyses described in Section C-2 were modified to see if there was a time trend during the period of the study. As in Section C-2, the analyses apply to the three unreliability analyses (short term, long tenn, and PRA-based missions), for unplanned demands per plant operating year and failures per operating year.

A significant trend was found for the short tenn unreliability analysis. The P-values for the tests of trends were, respectively,0.03 for the short term mission,0.73 for the long term mission, and 0.85 for the PRA mission. Since the lowest P-value among these models occurred for the short term mission, results are displayed just for this model.

Table C-6 and Figure 6 (in the main report) show the short term mission unreliability by year.

The estimates are obtained in the same manner as described in Section C-2, except that the data used to update the constrained noninformative prior for each failure mode are pooled across plants for each calendar year instead of across calendar years for each plant. Similarly, the linear model method to test for a trend was the same as described in Section C-2, except that the time variable was calendar year instead oflow-power license date. The logarithmic fit was selected in preference to the linear model in order to avoid cegative lower limits from the regression, but the slope of the trend was not statistically significant in either case.

Rates for each calendar year were also analyzed b' pooling the data from all the plants during y

each calendar year. The Bayesian adjustment described in Sections C-2 and A-3 was needed only for the restarc 3dssion frequencies for the calendar year data. Logarithmic models were selected for this situation and for the failure frequencies to ensure positive trend lines and bounds.

C-14

Table C-6. Unreliability (includes recovery) by year, based on constrained noninformative prior distributions and annual data.

Year 90% intervala 1987 (0.021,0.063,0.122)

~

1988 (0.007,0.039,0.091) 1989 (0.006,0.042,0.103) 1990 (0.013, 0.052, 0.111) 1991 (0.003,0.029,0.079) 1992 (0.005,0.035,0.088) 1993 (0.002,0.026,0.074)

a. The middle number is the Bayes mean, and the end numbers form a 90% innval.

The results of the frequency analyses are shown in Figures 13 and 14 of the main report. For the RCIC system, unplanned demand event frequencies were found to be significantly decreasing during the study period (P-value = 0.003). No trend was found among the failure frequencies (P-value

= 0.67).

The frequency analysis did show significant differences among years for the overall unplanned demand frequency (P-value <0.00005).

Forty-nine demands occurred in 1988 and thirty-three occurred in 1987, while only 12 occurred in 1993.

C-4. REFERENCES C-1.

M. E. Engelhardt, Modeling Patterns in Continuous Data: Linear and Related Models, DRAFT INEL-95/0120, April 1995.

C-2.

Corwin L. Atwood, Modeling Patterns in Count Data Using Loglinear and Related Models, INEL-95/0121, December 1995.

C-15

_ _ _ _