Methodology and Application of Surrogate Plant PRA Analysis to the Rancho Seco Power Plant.Task 1 - Analysis of ANO-1 and Oconee PRAs

ML20236D918
Person / Time
Site:	Oconee, Arkansas Nuclear, Rancho Seco, 05000000
Issue date:	07/31/1987
From:	Gore B Battelle Memorial Institute, PACIFIC NORTHWEST NATION
To:	NRC OFFICE OF INSPECTION & ENFORCEMENT (IE REGION V)
References
CON-FIN-B-2803 NUREG-CR-4768, NUREG-CR-4768-V01, NUREG-CR-4768-V1, PNL-6032-1, NUDOCS 8707310128
Download: ML20236D918 (75)
v • d • e

Text

..... .. .

NUREG/CR-4768 PN L-6032-1 Vol.1 Methodology and Application of Surrogate Plant PRA Analysis to the Rancho Seco Power Plant Task 1- Analysis of ANO-1 and Oconee PRAs Prepared by B. F. Gore Padfic Northwest Laboratory Battelle Memorial Institute U S Nuclear Regulatory P

DC h*h h67 PDR

N.$ <

NOTICE This report was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor any agency thereof, or any of their employees, makes any warranty, expressed or implied, or assumes any legal liability of re-sponsibility for any third party's use, or the results of such use, of any information, apparatus, product or process disclosed in this report, or represents that its use by such third party would not infringe privately owned rights.

l NOTICE Availability of Reference Materials Cited ir; NRC Publications Most documents cited in NRC publications will be available from one of the following sources-

1. The NRC Public Document Room,1717 H Street, N W.

Washington, DC 20555

2. The Superintendent of Documents. U.S. Government Printing Of fice, Post Of f ece Box 37082, Washington, DC 20013 7082

3. The National Technical Information Service, Springfield. VA 22161 Although the hsting that follows reoresents the majority of docume; , cited in N RC publications it is not intended to be exhaustive.

Referenced documents available for inspection and copying for a fee from the NRC Pubhc Docu ment Room include Nif C correspondence and internal NRC mem randa, N RC Of fice of Inspection and Enforcement bulletins, circulars, information notices, inspection and inve!,'igation notices; Licensee Ew Reports; vendor renc<ts and correspondence, Commission papers; and applicant and licensee dr ,ients and correspondence The following documents in the NUREG series are available for purchase from the GPO Sales Program: formal NRC staff and contractor reports, NRC sponsored conference proceedings, and NRC booklets and brochures. Also available are Regulatory Guides, NRC regulations in the Code of Federal Regulations, and Nuclear Regulatory Commission Issuances, Documents available from the National Technical Information Service include NUREG series reports and technica! reports prepared by other federal agencies and reports prepared by the Atomic Energy Commission. forerunner agency to the Nuclear Regulatory Commission Documents available from public and special technical libraries include all open hterature items, such as books, journal and periodical articles, and transactions. Federal Register notices, federal and state legislation, and congressional reports can usually be obtained from these libraries Documents such as theses, dissertations, foreign reports and translations, and non NRC conference proceedings are available for purchase from the organization sponsoring the pubhcation cited Single copies of NRC draft reports are available free, to the extent of supply, upon written request to the Division of Information Support Services, Distribution Section, U.S. Nuclear Regulatory Commission, Washington, DC 20555.

Copies of industry codes and standards used in a substantive manner in the NRC regulatory process are maintained at the NRC Library, 7920 Norfolk Avenue, Bethesda, Maryland, and are available there for reference use by the public. Codes and standards are usually copyrighted and may be purchased from the originating organization or, if they are American National Standards, from the American National Standards Institute,1430 Broadway, New York, NY 10018.

NUREG/CR-4768 PNL-6032-1 Vol.1 ,

s

,..=

Methodology and Application of Surrogate Plant PRA Analysis s to the Rancho Seco Power Plant Task 1-Analysis of ANO-1 and Oconee PRAs Manuscript Completed: March 1987 Date Published: July 1987 Prepared by B. F. Gore "fcnn" e"f*ne' ' '

• i Prepared for Division of Reactor Safety and Projects Region V s U.S. Nuclear Regulatory Commission Washington, DC 20555 NRC FIN 82803 i

SUMMARY

In this task three PRAs'have been analyzed to determine the relative importances of critical safety-related systems and the failure event sequences most likely to lead to core melt during accident conditions. Tables 1, 2 and 3 present the most important event sequences (dominant cut sets) leading to core melt identified in one PRA for ANO-1 (Kolb et al.1982), in a recent, extensive PRA for Oconee performed by EPRI (Sugnet et al. 1984), and in an older PRA for Oconee performed as part of the Reactor Safety Study Methodology Applications Program (RSSMAP) (Kolb et al.1981).

Table 4 presents the Fussell-Vesely Importance calculated for major events and.olant systems. The F-V Importance is the fraction of the total core melt probability resulting from event sequences (cut sets) involving that particular system or event type. Tables A.1, A.2 and A.3 in Appendix A present the definitions of the individual events, grouped according to the system they were assigned to for purposes of Importance calculations. Variations of calculated F-V importances result from both plant differences and PRA approach differences as discussed in the body of the report.

Succeeding tasks of this project will examine the important system failures identified in Tables 1, 2 and 3 more closely. These failures will be used to focus comparisons of system designs between the surrogate plants and Rancho Seco. Important Rancho Seco failure modes and components will then be inferred.

iii

ACKNOWLEDGMENTS Our heartfelt thanks are extended to Lou Miller and Bill Albert of NRC Region 5, who made it possible for us to perform this first application of generic PRA analysis. We also wish to thank Al Toth, our Region 5 Project Moniter, for his interest and support, and for many helpful suggestions during the course of our work. Thanks are also extended to the authors of the documents from which figures have been reproduced (in Volume 2) for permission to copy them. In particular, we thank the Electric Power Research Institute for permission to reproduce copyrighted figures from "0conee PRA: Probabilistic Risk Assessment of Oconee Unit 3," NSAC-60, volume 1-5, 1984.

v

rc

[g '.,

(

f

.Y ,,

c 1

CONTENTS

SUMMARY

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . iii ACKNOWLEDGMENTS . . . . . . .?. . . . ............... v

1.0 INTRODUCTION

. . . . . ..... . . . . . . . . . . . . . . . . . . 1 2.0 METHOD . . . .  ;. . . . . . . . . . . . . . . . . . . . . . . .- 1  !

3.0 RESULTS. . . . . . . . . . . ... . . . . . . . . . . . . . . . . 5 4.0 CHANGES AT ANO-1 . . . . . . . . . . . . . . . . . . . . . . . . 16' REFERENCES ............................. 17 l APPENDIX A - EVENT DEFINITIONS AND PROBABILITIES ......... A.1 i i

l' 1

u vii' 1 l

l

~- . - - -

i l

l TABLES l

i i

1. ANO-1 Event Sequence -

ng Core Melt Probabilities l Exceeding SE-8 Per Year .................... 6 1

2. Oconee PRA Event Sequences Having Core Melt Probabilities Exceeding IE-7 . . . . . . . . . . . . . . . . . . . . . . . . . 8

3. OCONEE-RSSMAP PRA Event Sequences Having Core Melt P obabilities Exceeding 1E-7 . . . . . . . . . . . . . . . . . . 10

4. Fussell-Vesely Importance of Major Events and Plant Systems ......................... 14 i

A.1 AN0-1 PRA Dominant Sequence Events (cut set elements) of Table 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . A.2 A.2 Oconee PRA Dominant Sequence Events (cut set elements) of Table 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . A.26 A.3 Oconee-RSSMAP PRA Dominant Sequence Events (cut set elements) of Table 3 . . . . . . . . . . . . . . A.37 ix

I

1.0 INTRODUCTION

Probabilistic risk assessments, PRAs, are being developed for nuclear power -plants for several reasons. Among these are the assessment of overall plant safety, the identification and optimization of plant design changes to improve plant safety, and to allow the cost benefit analysis of regulatory requirement changes. The information contained in these PRAs is also useful in identifying systems and components of greater safety importance. This can help focus attention on plant areas where accident probabilities are most sensitive to performance degradation.

Recent studies have addressed the use of plant specific PRA information in the development of inspection plans for several power plants (Higgins 1986, Higgins et al.1984, Hinton and Wright 1986a, Hinton and Wright 1986b). These studies have demonstrated the feasibility of this approach and the usefulness of the information derived. However, plant specific PRAs have not .been performed for many plants. Because individual plants differ significantly in system and component design, a direct application of PRA information cannot be assumed to be valid between plants, even those from the same reactor vendor.

Nevertheless, with the proper incorporation of technical differences between specific plants, existing PRAs can provide a foundation from which inspection guidance can be developed.

This report presents the first step in an effort to develop information ,

useful in the planning and performance of inspections for a powerplant lacking  ;

a PRA, by using PRA results from related plants. This is being done for Rancho Seco, a Babcock and Wilcox powerplant, using PRA results for two other B&W plants; ANO-1 and Oconee.

In this step one ANO-1 (Kolb et al. 1982) and two separate Oconee PRAs (Sugnet et al. 1984, Kolb et al. 1981) are analyzed to determine the relative importances of critical safety-related systems, and the failure modes most likely to lead to core melt during accident conditions. In succeeding steps the detailed designs of these systems will be compared to those of Rancho ,

Seco to determine similarities and differences important to calculations of '

core melt probability. This information will then be used to identify critical Rancho Seco systems and failure modes, and identify specific components  ;

important to public safety at the plant. These succeeding steps will be I addressed in a subsequent report. )

2.0 METHOD Our approach to the development of inspection guidance for Rancho Seco )

powerplant using PRAs for surrogate plants (ANO-1 and Oconee) begins with a l review of the results of each of the surrogate plant PRAs to identify the I primary accident sequences leading to core melt. From these sequences we l identify and evaluate the importance of safety-related systems whose failure )

leads to core melt. For this initial, system-related analysis we have excluded I from consideration accident sequences initiated by external factors such as 1

1

l earthquakes, floods, fires and tornados. Although such sequences may be significant, their analysis is beyond the scope of this study.

A sequence of specific failures which, in combination, results in core melt is called a cut set. The primary accident sequences leading to core melt, dominant cut sets, are listed in the PRAs, along with probability per year (frequency) that core melt will result from each of them. In general, 50 to 100 dominant cut sets are associated with up to 90% of the core melt probability.

In this study our objective is to obtain insights from the surrogate PRAs which can be applied to Rancho Seco. Consequently, we have focused our attention on the dominant cut sets, tabulating, sorting, and analyzing them.

For each PRA the list can be comprehended conceptually, and analyses do not require computerization. Thus we focus on lists of comprehensible size, which address most of the probability of core melt.

We have chosen core melt probability, as opposed to public risk, as the fundamental p aameter on which to base our analyses. This choice was based on the need to maintain the conceptual complexity of the analysis at a manageable level, while addressing the results of three different PRA studies dnd comparing the systems of three different plantr. From a regulatory standpoint public risk is certainly the move fundamental parameter. However, determination cf public risk requires determination of containment failure modes after core melt, plus subsequent estimation of public radiation doses incorporating both meteorological and demographic considerations. Clearly, this greatly increases the complexity of the failure sequences which must be studied. Consequently, this analysis addresses only the " front line" safety systems and important support systems which are called upon to prevent core melt.

Our analysis begins by tabulating the dominant cut sets listed in each of the PRAs studied. We have included cutsets representing more than 85% of the total core-melt probability for each of the three PRAs. Each cut set begins with an initiating event, and contains one or more subsequent events which lead to core melt. Thcse cut sets are " minimal" cut sets, they contain enough events to cause core melt and no more. The cut set listing begins with a code identifying the initiating event, and continues with codes identifying each of the subsequent failures until core melt is reached. Event codes are separated by astericks.

In the following section on Results, these tabulations of dominant cut l

sets and their probabilities are presented for each of the PRAs studied. In

, addition, the codes for the initiators and cut set elements are listed, along I with the frequency of initiating events and the probabilities of subsequent events.

For each PRA the tabulated cut sets have been analyzed to determine the

relative importance of the various systems involved in the failure sequences.The I literature on risk assessment defines many measures of "importance". Entire reports (Vesely and Davis 1985) have been devoted to definition and use of 2

importance measures. In some analyses as many as nine different measures of importance have been calculated (Hinton and Wright 1986a).

We have selected the Fussell-Vesely Importance (Lambert 1975) for use in this study for several reasons. Most important is the fact that it provides a good, common sense, easily understood assessment of the significance of a failure. In addition, it is easy to compute. It has been used as the primary measure used for system ranking in other studies addressing inspection guidance, both directly (Hinton and Wright 1986b) and with a minor variation (Hinton and Wright 1986a).

The F-V Importance of a system, component, or initiating event is simply the fraction of the total core melt probability to which it contributes. It is obtained by summing the core melt probabilities for all cut sets which include failures of the system and dividing by the total core melt probability. J It is thus both conceptually and computationally simple. l An alternate measure of importance, which has not been used in this study, is the Risk Achievement Worth (Veseley et al. 1983). This measure has also l been used for system ranking in studies addressing inspection guidance (Higgins l 1986, Higgins et al .1984) . It measures the amount by which core melt frequency l is increased if the system (or component) in question is assumed to fail l (component failure probability set to one for each occurrence in each cut set). This measure is most sensitive to components designed to be highly reliable, such that failure during plant lifetime may be improbable. Thus failure of the Reactor Protection System to scram the reactor (probability 1.0 E-5), when assumed by settiag the probability to unity increases the calculated core melt frequency by roughly five orders of magnitude for sequences requiring reactor scram.

The F-V Importance, which we use, identifies the systems which make the greatest contribution to core melt probability during normal operation. In addition, it is roughly correlated with (though not linearly proportional to) the effect of an increase in system failure probability. For instance, consider a system with a F-V Importance of 0.25. By definition, it is involved in failures causing one part in four of the core melt probability. If the failure probability of that system is doubled, it then is involved in two parts in five of the r,ew total core melt probability, yielding an F-V Importance of 0.4. The greater the F-V Importance, the greater the increase in core melt probability caused by a doubling of the system failure probability. Thus, the F-V Importance measure.which was selected for use in this study is easily understood, and it approximately models the relative importances of systems with widely varying failure probabilities.

The F-V Importance has been calculated for each of the major systems and accident initiators addressed in the PRAs. This was done by reviewing the elements of the dominant cut sets and assigning them each to a system or failu e mode. Then, for each system or failure mode, the core melt probabilities for the cut sets to which it contributed were summed and the F-V Importance was calculated.

3

]

With one exception, the assignment of cut set elements to systems or.

failure modes was straightforward. The exception is human error. Human errors can cause failures two ways._ First, operators can make mistakes or fail to properly follow emergency operating procedures when responding to any of the off-normal or transient conditions identified as accident initiators. We have called these mistakes operator errors, and assigned cut set elements of this type to this category. Such errors are important to considerations of operator training and procedural clarity.

Second, components may be mispositioned or otherwise left in a condition which prevents them from performing their intended function by personnel errors made during previous maintenance, surveillance, or operational activities.

Cut set elements of this type were assigned to the system whose function was impaired. lhus, tney were treated the same as component malfunctions within that system. This results in a loss of information about hume errors associated with normal operations, maintenance and surveillance for the plant in question. However, we are dealing with two plants and three separate PRAs here, intending to make inferences about yet a third plant. Our approach includes the effects of human errors on system unavailability for each PRA, sacrificing only higher order details which are expected to be highly plant specific.

Many cut sets include recovery factors. These factors result from recognition by the PRA analysts that there cre many alternate ways to perform important system functions by cross connecting to other units, using equipment from other systems, or otherwise jury-rigging equipment during emergencies.

These recovery factors have been assigned a non-recovery probability in the PRAs to incorporate the fact that only in a fraction of component failures will operator ingenuity fail to provide the. function (if time and equipment for improvisation is available). Clearly, they are highly plant and sequence specific. The effect of the recovery factors is to reduce the core melt probability associated with cut sets containing failures which may be recovered from. Thus, from our point of view, they simply adjust the failure probability to a more appropriate value. Since the adjusted failure probabilities are used in calculating system importance, recovery factors are thus included implicitly in the calculations of system importance. They are not addressed otherwise. Also, we note the distinction between operator errors and recovery factors. Operator error addresses operator failure to accomplish something which has been explicitly planned for. The failure to recover failed functions by improvisation is not operator error.

In summary, then, for each PRA we tabulated the dominant cut sets associated with internal initiating events, and their corresponding core melt probabilities. We reviewed each of the elements of these dominant cut sets and categorized them according to the appropriate system or transient initiating event. We then used the cut set probabilities to calculate the Fussell-Vesely Importance for each system and initiating event. The following section on Results presents the products of these activities.

Subsequent steps in this project will study the details of these dominant cut sets and of the systems at ANO-1, Oconee and Rancho Seco to infer important failure modes likely to exist at Rancho Seco. This information will then be

I used to identify components at the Rancho Seco plant which are important to I the prevention of core melt during upset conditions.

1 3.0 RESULTS Tables 1, 2 and 3 present the event sequences with.the highest associated core melt probabilities from the ANO-1, Oconee, and Oconee-RSSMAP PRAs, respectively. Both of the Oconee PRAs which have been published have been studied, ta allow comparison of the results and to incorporate the insights of each. These tables provide the basis for the remainder of this project.

Each of the events contributing to these sequences will be investigated for relevance to the Rancho Seco powerplant and its implications for inspections there. These events are defined in Appendix A, in Tables A.1, A.2 and A.3.

Tables 1, 2 and 3 present information extracted from their parent PRAs. '

Their significance derives from the analysis and filtering process applied to condense the information important to this project from three large multi-volume reports. Along with the event definitions in Tables A.1, A.2 and A.3, they present the information necessary for the reader to understand the PRA results without having refer to the original documents. Houever, they retain the nomenclature and organization of the parent documents, to facilitate comparison to the parent documents. Further information may be found in Chapter 8 of the ANO-1 document (Kolb et al. 1982), Chapter 8 and Appendix D of the Oconee  ;

document (Sugnet et al. 1984), and Chapter 6 of the Oconee-RSSMAP document (Kolb et al. 19E.).

The layout of Tables 1, 2 and 3 parallels the organization of the PRA summary tabulations and the event-tree approach used in the PRAs ther, elves.

The first column identifies the type of event sequence to which the specific j event sequences listed in column 3 belong. Basically, these sequences denote j an initiating event (LOCA, loss of offsite power, electrical bus fault, etc.),

followed by event types such as loss of all feedwater, failure of emergency core cooling safety injection, etc., which ultimately leads to core melt.

Column 3 of the tables identifies the specific failure sequences belonging to the event types. Column 2 lists the total core melt probability associated j with all event sequences of that event type, and the last column lists the core melt probability associated with each of the specific sequences identified in column 3. Probability values are listed using an abbreviated scientific notation to facilitate presentation. Thus, 0.001 is represented by 1.0E-3 to avoid superscripting powers of 10. Table 2 contains an extra column providing information to facilitate reference to the original Oconee PRA document.

Comparison of the probability totals of column 2 and the last column for each table shows that between 86% and 94% of the total core melt probability is accounted for by the listed sequences. That is why column 3 is titled dominant event sequences (referred to in the PRAs as dominant cut sets) -

they dominate the core melt probability. The criterion for listing was that each event sequence have probability exceeding SE-8 (ANO-1) or 1E-7, which l

5

lllI i

t y

s l

e i b) 7 8 67 67 7 7888 68 6 7888 6677 7 8 i ar - - -

t tb a eoe 6E8E 65E- 5E8E - -

E E 5 E- EE8 E- EEEE EEEE7E8E i Sry P

E2576

3. 5 A. E42 213 3 1. E- 4 8581 1777 6888 8

15S 4.E - 8 1

9111 5777 5 1 4 1.E 7. E 2 11612187 l b r ut e i Cl p e(

b W a e r .=-

b o _

o C r -

P

=

t l

e M W C

F 2 e L 1D 1I -

r C C

ED o F L

V

- 1 SC FF C C 8

85 8 -

EE C 4 8S FF 4 3 g ,>

V

- 2C H 4T LL e

• D B

8 S

n (

• B5V 8 -

1S I -

PF 2

G 6

6 3

8 4C EA S i s 8S LL D D S - - W v e c

4 W 1S F e

C C

S

- SC FF S

- e a n e

I -

P L A D I S

EE F LA8 e W e CW ._

H r u) qs 1LJ W e e e C C

F L

F L

f FF LL e4 4 2HH t

e e .eD2822 4 e1C e -

s a et C4 5V e e e lA8 *

• 8CC l 92BD7DY .

S e - 1 2 - l 7 e44 21 l 5VV l422CC81S -

W-e Ye s PH LA G 6 2HH 05 e EEEEAVBDC -

t W - - 7 D D 8CC D - D CS - -

nt UI I8 - SVV - S - I S C c eu v c PP P4 L1 MC CA C

D W-CS CT DS C

D SS F F n r E( I -

- H

- I T - - - T - - -

R -

PF E

E e PF FP AF F SS FF F H, L F F u Pe t HL LL BL R - LL e e e L, e ee e Le n

a )

e e e

)

• e

)

e e .Le PF

)

e

• e t

)

o ) e* e q i n 2 2 P D

H.Le

)

ee 1 8

2 0

6 6

)

l e

e 8 m o (

1

(

1 L

(

4

(

D

(

D

(

1

(

D

(

S -

D B B T B T T B T -

t E S -

n y eg v ei t

E in pl yi Tb a) 1 d eb r coa e nr e O c e eP y u

qt r 6 6 6 6 6 6 6 6 N x el e S ep E E

E E- E E

E 5 -

A E W( 8 4 9 4 1 5 2 6 .-

lae 2 4 9 1 3 2 1 4 t r oo

. TC 1 -

E -

L e p

B y C C C 3 A T C

Y 1

Y 1

Y 1 i D

T e t i D D D H Q c D D L L L ) L n ) ) ) i ) ) 6 )

e 2 2 P H 1 2 6 1 u

q D ) 0 B 8 1 1 L 4 D D 1 D e ( ( ( ( ( ( ( (

S B 8 T B T T B T n

c I1I l

)

l y a t

t o i

l T

5f ib) a r 677 7777 777788 77 7778 688

- - - - o tb a EEE EEEE 7EEEEEE EE8 EEEE8 EEE k.

287 61 eoe S ry 926 1 111 E

- 534 288 6 1. E- 1 64287 5 7 1. E -

186 38 6

P 2* 1 7777 7421165 41 8 (

t r ut e Cl p e(

W e

r o

C 2

W C

P s

_ W e U n P i

) - l

_ I P

_ d H g

n

_ e e e Fr e i

_ u LtFF 4 W d

et

_ n - - LL CC - -

CCCC 1 D2 9BD C

2 en ce

_ i BBCC 1 42CC D cc ue t - BB W EEEAV 1 2I 12D sl DDCC CW - -

n 21 2I D0CC 4

D282 1 C W C1 S C EED n

e o 0000 91BD7D 1DE 21 E E S C

od e

(

c )

(

a 0900 SSSS PPPP 4 21CCB1 EEEAYBD 1 I EDS

- F F

L E E- -

dt ea s S C - - F L. * * * - F F t e e R. R e eR*R F E SCE F L e *

• L a p ee c

n e

• F L

F L

E F

F

- EEF

- - L

- L C

- F L

pr e

u) W C C L L FF* C - rh qs Q C C C * * *

• o

• LL3 V C c 1

• B B *

• W - C sa et *2 4 8 V t e S e 1 2D - - 1 4 C n s 1 2I B A H 1 - 8 -

er E t EED B 0

A 0 I

- H P

W 8

4 8

8 v e L nt - -

U 0 Ed eu S C 0 9 P I 1 n

v c H P P D 4 B E( E F E S 0 O S - H - I 1

.u A t F F

- P P R

F L F.

- I P

P L

I P yk T n a L. *

• L k. e * *

) )

• * * = e e e t e

H

• * )

L. *

• t s iir

) A l ) 1 ) l in 3 I e 3 A

0 D

3 A

i e bt m A F D ( ( a s o ( ( ( (

T T T T d a D T T a en r a eg y v n oi ei t rpo w

pl ml yi Tb a) ilo of eb r t c oa k nr eP y e d n u

ea 7 6 6 5 tl qt r 6 6 6 el e E

E E

E E

E

- ~

E iab S ep 4 H v a W( 3 8 2 5 8 e

l a e 3 2 2 9 1 1 T r y bb t r b oo ad TC e st ia c

ni od n

e p

iti a

y t e T 3 ci ci l

a or D 3 i D t N a e - D D i D o c Q K L D L n L ) ) L ) L T )

A ) 1 )

e ) l 8 3 a u 3 I e 3 D A (

q A F D A (

( (

e ( ( (

T T T S T T T w

y it l

i b)

__ a r

_ tb a

_ eoe S r y

_ t P

r t ut e 6 667777 6 67777777 6 67 cl p - - - 66 777 7777 l W e( E 5

EEEEEE-264426 E

EEEF.EEEE E

EE EE EEE EEEE e e 4 485911 4 7 42286293 7 89 2 121 9568 M r 15261 562 4 22 11 362 1152 o _

C e

r o E P

C AT Y

A G SS BB S

5 S

V R/ / /

E F B A TT 1 T

/ /

g PN I

1 3 3 3

/. /

6 6

// /

33 5

/

6 n B i

v a

H7 sE e1 cng H H

5 T

en 6 T

S7' 1 S7 D1 TW ui D1D FF qd TWT EE FFF + e ee EEE e *

• 6

/

Se 6 2 c /

2 2

2 1

F tx e 1 I nE } I 2 F E E R e (' S F

1 W

E R

e e vs c s

e S

S S

E 6 e e .

2 R

I Ee n E

R R. /

2 F

T A

i e

• R B L u) e A S U E J0 L At qs 2

H W e I U S L N0 J

N O

• e

• e-1 P8 E F E T DF IC Ri S e W eS S8P P9 B1 R 1 R e e .E* R

• e e e T OF WT I

E CW TF Pl s E9P 3W D H BL B Ll t H 21 B WS F I RL e

• o e

• e e i nt 2 W3 SE P HX F F F F eb ea v

R P F5W 8ES e

• R e

E R

e H

T T3 P2 W

F VCW RTF W

F F ea E( H X

9R eR 1 eRW T H I

U

• e e e e .e .

LP e e t

e e Sn f e e E. E, eTRCV nb t n H e

08PP

)AP W P H

6 FF H

W F

S F

S F

S MS oo a 5 8

/9WA W1S3 8

9 T T

T DE EU H

R O

L P

R P P cr in m Y R (( eW W 1 t e ES FS P

L F

P R.

B B e *

'2 R

e e .

• OP D o

S

• 2 2 4 S.

111 e e S g t T 5T A X

L e e R

U R

U T

2B TRl TTTTTT T e A T T T y

. t ei 2 pl yi Tb E eb r a)

L coa nr e B eP y 6 5 6 6 A u qt r E E

E E

6 E

6 E

6 6

6 T el e S ep 9 5 8 7 3 E

8 E E l W( 5 1 4 4 E.

4 3 J 5 2 1 1 a e t r oo TC e

p y

T e

c n

e u X s uB U q 8 s 2 9 U A e Y 1 1 B X X A S S S S S T T T A V W F A T T T o

c

l) a y t t o i T l

i f

b) o a r 5 tb a 7 eoe S r y 8

(

P t r 7 7 5 ut e 6 77 77 77 7 7 7 77 Cl p W

e( E-1 EE 36 E

45 E-23 E E- E 4

E E-2 E E-53 E

5 E-3 F

7 S.

e 1 43 21 14 3 4 4 11 2 1 T r

o C

_ 7 E d E 7 e P t

_ Y 7 R B A B A a

_ AT A V / / / / C B C 8 F c R R R R / // / /

R/

PN

/ /

3 5 1 1 2 2 2 1 1 3 2 din

_ I i B

_ e r

a

) s e

d i n

e l u g n in

_ i t

n d

e e

c c

o u s

C I C

U n

_ ( P S o L R W H d S D e t

E E

. R R a .

) *H e et 2 , -

E V C 2 pn ee

( R V U 1 s B2 S V rm E e 2 I4 R E 2 e c W P 1 H E W sl L n D L4 D R D H t e e F WP P e F 2 n B u) qs E

R 0

Q SL e *

• L H 2

H P

O R

E R R 1 ed ve A et + G E

1 R

C R

E F

e P L

Et s

T S e s

F T S MH V C P P H

E S

M T

S P

H .y t S M IV I L X ye nt I P P0 V P s P U eu v c R E H e H L4 VP R

S H

X

)

8 H

• H F E C e t i r E( e Y0 H SL M e 0 VD + S lh H MP CF e e e T 1 MP H V R

i c b a t 5G H O 5D l n

a I

P H

2E 4 S WT 8E S T S

N H /

0 2E 4S P

H S

C d ae n T 2M 28 E S W 2M T R ar i

U, PP PP 8 B ( PP U e ee m LL 0 R 2 HH + 3 rd o 2 R H.H+ e

• e o e Y 1 o e 4 1 eu n

D T V R R R R S T S T T v

ok y rpi s

t ei mr pl ie yi t Tb os a) t a eb r d n

oa .

ea n r e eP y 6 6 7 7 7 7 7 7 7 7 7 T5b t ag u

qt r E E

E E

E E

E E- E E- E 2

EEL- - in vi el e S ep 2 1 5 9 4 8 9 9 4 1 334 ew r o M( 1 1 8 3 7 4 8 5 4 4 2 TSb bl lae bl t r ao oo f TC s ik n

e na p ol y ib T t aa e larl t ea t

oy c s s ont Nb n 0 X t 't o e G 4 0 R BOT u U O g s s 3 u )

q 8 R R R 2 9 a

e 2 R U U X X X 1 U 4 1 S e (

S T V R R R R S T S T T o

lll y

t i

l i

)

b) d ar (

tb a 6 6 )

t eoe 5 67 66777 66777 6 6677777 67 67 l Sr y P

E- E- E- EE EEEEE- EEEEE- E-EEEEEEE EE EE e t ut e r

1 1

8 2

4 7

85 21 55855 99411 2 8888888 58 98 M Cl p 44522 33422 1 2255333 e( ( 41 31 W

e e r r o

o C C

g n

i v

a -

H s

e c )

c, n

e b u ('* )

q7 s d

(

e- e c S E

S lE n e

u N

A R

U q) W L P I E )

t es H A

• ng n St e R e

N F

RN NA PW

(

)

S e t s N A E v id n

et vu S

C P

W P

H V

L A

OP LH N

e

• Sg W

C E C

N W E e E c( e

• V A RIE3X PP- - -

E CX i 2 W HLDED U X -

t T T K H Q e

• e *

• WW rt Ae n a

S N

S N E C H e e Q CC E

S W C q e e Rcx i n O C

O C C H

B 3

M*e*

. e SS RIEfX U 3

D4 S

I e e W CX PE e o W e

M I W e e W

e eee e PP-HLDED E HH DECCt6L P M. e X-D 2 P e * *

• e 2 e *

• e e e e VT T

1 1 2 3 T W e e P T L T T S (

l S 2 3 As Me T 5 S it t y

Si ei Rl pl yi Tb a)

Ei eb r E ba coa nr eP y e

Nb u qt r

)

O d Co el e (

S ep 6 6 5 6 )

r W( - -

5 5 6 6 6 OP lae E 2

E E- E E E- E E

- 6 t r 8 4 2 1 8 2 8 E- E oo 1 2 7 8 2 2 1 TC 1 1

( 6 5 4 3

E e p

L y B T A e c U T n H H e

u U U E - 'O U F q

e E2 E 3 8

Q W H E2 D Q d

S T T d 1 1 T

2 T S 3

T S 1 W T

2 '3 S

aO l'1,

y t

i l

ib) a r ))) ))) ) )

tb a 6 666 666 66 6 6 6777 777 67 C6 77 eoe - - - - - - - - - - - - - - - - - - - - - -

S r y E EEE EEE EE E E EEEE EEE E E- EE EE P 2 555 999 1 1 8 8 24 44 5 43 62 44 88 t r ut e 1 4 4 4 333 52 7 7 1111 442 1 5 31 62 Cl p ((( ((( ( (

e(

W e

r o

C

_ )

_ d )

e c,

- u b, n a i (

s t e n c n

o e u

C q) e s

( St )) )

e WW 4 S t s )CC 1 H E )

n WSS GC C S et CIR - - N E

. v u XPP 1 1 1 E C 3

Ec t

( dLH R

e *

)CC

))

WW FF R

• e N

A W

U Q

E W 1 N

E u 1H 4 1H GC 4

n * *

• WSS N P S 1 1B q C1 1 0. C 1 -1 E a W CRI S H S88 8B- E L

n C X

Me = o XPP 5HL C

P K e U K

I - - E Pl 1 lH 1 S 11 FF F.F*

tCADl -

i m V W  :

• e e e W CAC DA o 1 B D o

2

• 2 T

3 S

W 2

W 2

2 T

e e e *

• e 3 e S3 W W 3

A S ((( ((( T T (

2 S

3 S (S 1

T T T

y t

ei pl yi Tb a) eb r coa n r e eP y u

qt r el e ) ) ) )

S ep 6 5 5 6 6 6 6 6 67 6 7 l W( E E

E E

E E

E E

EE E E

a e 3 3 2 2 6 8 8 4 82 8 6 t r oo 1

(

1 1

(

7 7 7

(

2 1

(

15 4 9 TC e

p y

T e

c H n C s '0 D O e - U U J U U u H Q H K M D q

e F

2 W

2 C

3 E2 W 2

K 2

D 2

D 3

C 3

E1 E3 S S T 5 T T T S S S T T d

l{ll1 ljl 1jl{ !II lljilI,! >

g Y

y l) it a l

t i

o b) ar T e y

) v y t tb a 777 67 5f o ei eoe - - - - o em it ldn vl S ry EEE E E- E ai t

P r

117 38 65 4

a h t re i a b

hb a

ut e 552 16 69 ( y f o a , Ab Cl p ( b ot b e Ro e( or Pr p e W d yt r u e e t n pl e t i e h e r

o a

c l m it if nai t g r

C i b s ea d au dt cl in bj en n od d e s e

ra p

um n

ist r

a ea n lci na si ef h it go s t o n n e t t o ae n , oc h s

)

i k e n cu l su t a d g id r

en re ec re e i n es t e au q d ub u d e

si d e n s ed cn n )

e c

at nl i

ab u

oa r

i c, c ai ,s p ,

u go n t b s b, s f a eo n a n ob o

ct .

n ns ti a o (

s o d r ap ed nt e ueear C e c d e

e tl eeaues

. qt mr

( n t sagsl c pi e a nua eoOh u

q) e idtd rd t p ue

. St es )

S e

r divot oi sA stR so

.r 3 e E .id eicPiF .

ts 1 C st rncl e s n 11B N t nein f ey et BB' E nep a yf h l .

E vu Ec ( 1 l' H1 U

Q em v eah es enl et ae nd L t CAC e

• e EA S e El ey tt ueoao B n a

Q Q bfiii nomt s m A n i e De

- l

.d yed oavt nie me oh r T i m Pe e QP We itt l at et cepoirf stl u

o W 2W eaum r ri D 2 T 2 iprd af sa oa T (T b e a o s o n pf f a r ;,r om d

ah s - pesiossi .

ec radh eutet a cl aretti aht y

ei t e eet t mcet o oid atf e pl vrsnrlit od yi oeiaf psin u rdlh t gdunloii yl Tb pn t c a) n ccdi x eb r coa imuersie ael e -

nre eP y osk ast el rAfti aR nb o ti sl u P ouat u

qt r

) rt ss t ob el e 6 67 5

denyeem et el rsoy coe rl E-

_ S ep EE E t svt erl t pb

_ l W( 5 88

e. aaeh shf no a a e t r 1 26

(

7 iv n gi gnt ont onenh o ea inl str iel est sa

_ oo TC _ r b gt b nusb peh eer uri uase d e l

a aibii r cc t

wi rn d nus o isornti yeedi ed ue e T l t l

niosh onuqrt p noot ceTl e csyi y d of ca c e nen n l T t a

itk anrbb us eil e .iVt e, a u e e t aeauqeeeel c D p ol h eoeurh ra n D C e NbW rdS saTgv e - - R u

q Q Q -

W W n ) ) ) )

e 2 2 o a b c d S T T N ( ( ( (

a

[

ll ll ll ' lllI llIl I 1 1l, 1llllll ll l1 illll

was selected to ensure that at least 85% of the total sequence type core melt probability was incorporated in the list of dominant events.

Tables A.1, A.2 and A.3 of Appendix A present the definitions of the events listed in Tables 1, 2 and 3. These events have been grouped according to associated system or event type. Event probabilities are also listed, in units of frequency per reactor year for initiating events, and probability of component unavailability for subsequent events. For each event sequence leading to core melt, the associated core melt probability is the product of the initiating event frequency, times the probability of unavailability for each of the subsequent events, times a recovery factor.

Recovery factors are used to account for the fact that operators may be '

able to use alternate systems, components or flow paths to maintain coolant inventory and prevent core melt, in spite of the occurrence of the sequence of events identified in the tables as leading to core melt. A recovery factor i is actually the probability that operators will not be able to recover and prevent core melt (i.e., actually a non-recovery factor). Thus a small recovery factor indicates a high probability of recovery, and a recovery factor of  ;

unity indicates certain failure to recover.  !

All three of the PRAs studied use recovery factors, but in different ways. In the ANO-1 PRA, although recovery factors were associated with the event sequences, they were not named and tabulated separately. Consequently, they are not listed in Table A.1. For this PRA the event scquence probabilities of 1 differ from the product of the sequence probabilities by the recovery a factor for each event. For the Oconee PRAs recovery factors have been defined for specific event recoveries. They are defined in Tables A.2 and A.3, and listed in the event sequences of Tables 2 and 3. Consequently, for these tables the event sequence probability equals the products of the contributing events (including the recovery factors). ,

Table 4 presents the Fussell-Vesely Importance calculated for the major plant systems, for each of the PRAs. In general, each of the initiating and subsequent events listed in Tables 1, 2 and 3 are associated with a particular system. Tables A.1, A.2 and A.3 group these events according to the system with which they are associated. Initiating events were assigned to systems when associated with them; exceptions included LOCAs and loss of offsite power (LOP) which are not associated with plant front-line systems. Control failures were assigned to the system which failed due to loss of control. Recovery factors were not assigned to systems, because they simply adjust the system failure probability to the appropriate value leading to core melt.

With one exception, the F-V Importance values presented in Table 4 are ordered according to the system groupings used to organize Tables A.1, A.2 and '

A.3. The exception is that operator error has been listed first, to emphasize its high contribution to core melt probability estimates. The importance of operator qualifications, training, alertness, and of the clarity, completeness and ease of use of emergency operating procedures to transient control and termination are immediately apparent. Inspection planning should include attention to these factors, particularly as related to the errors identified in the vent sequences.

13-

TABLE 4. Fussel-Vesely Importance(a) gf Major Events and Plant Systems F-V Importance Calculated from PRA results Oconee Event or System ANO-1 Oconee RSSMAP Operator Error 0.14 0.42 0.44 LOCA 0.19 0.24 0.33 Loss of Offsite Power 0.22 0.03 0.13  ;

Core Cooling:

HPI 0.07 0.07 0.04 LPI 0.17 0.12 0.27 Electrical:

DC Power 0.46 - -

Vital AC 0.14 0.02 0.03 Emergency Feedwater 0.31 0.10 0.04 Main Feedwater 0.62 0.19 0.61 Service Water 0.03 0.28 0.19 Safety Relief Valves 0.17 0.02 0.24 Reactor Trip (RPS) 0.07 0.09 0.05 Instrument Air -

0.05 -

Reactor Vessel Rupture -

0.02 -

{

\

(a) The F-V Importance is the fracticn of the total core melt i probability resulting from sequences (cut sets) involving {

the event or system. I l

14 D

System Importances listed in Table 4 differ both between plants analyzed l and between the two PRAs for the Oconee plant. Nevertheless, some general i I

conclusi u s may be drawn about relative system Importances based on these results. The high importance of operator error has already been noted. In

(

addition, the initiating events--LOCA and loss of offsite power--have high Importance since they are automatically involved in the cut sets including subsequent system failures. Loss of main feedwater is likewise seen to have a very high Importance, since it must occur before emergency feedwater or HPI cooling is called upon and has the opportunity to fail.

Direct heat removal from the reactor has a high Importance in general.

Emergency Feedwater has a very high Importance for ANO-1, and for Oconee it is still quite significant despite the greater variety of EFW sources which may be cross-tied at this multi-unit plant.

ECCS core cooling, particularly LPI, also has a high Importance at both plants. The lower Importance of HPI may be somewhat misleading, because failures in the LPI system can fail the HPI system by denying it a water source, even when the HPI system operates properly. Two important ways this can happen are failure of the BWST outlet valves (belonging to the LPI system) which supply water to the HPI suction, and LPI system failure to provide water from the reactor building sump in the " piggy-back" mode of operation required for HPI supp y during small break LOCAs (including relief valve and pump seal failures .

The Importance of support systems is also high, but with plant specific di f ferences. The Service Water system at Oconee is highly Important because it cools both the HPI pumps and the EFW pumps. Consequently, SWS failure can cause a common mode failure of both of these systems. At AN0-1 (and also at Rancho Seco) the EFW pumps are cooled by recirculation of part of their own discharge and lack this dependence.

Support systems for onsite electrical supply also show Importance differences due to plant differences. The single-unit ANO-1 plant lacks the diversity of power sources which may be cross-tied at Oconee. In addition, Oconee has hydroelectric generators with greater reliability than the diesel '

generators at ANO-1. Consequently, ANO-1 is believed to better represent Rancho Seco in this area. It should be noted, however, that the high Importance value for the ANO-1 DC power system is dominated by a single, common-mode failure of both station batteries. The probability of such a failure has been greatly reduced since performance of the PRA, by changes to maintenance and surveillance procedures. The Importance value for the DC Power system with this failure excluded is just half of the tabulated value. Therefore, DC Power is still expected to be quite Important at Rancho Seco.

Differences in calculated system Importance values also result from differences in PRA approach. Thus, for instance, only the Oconee PRA specifically identified instrument air failures as cut set elements. In the other PRAs instrument air failures were considered as subevents leading to component unavailabilities, but were not itemized separately in the cut sets.

Consequently, only the Oconee column lists an importance value for the instrument air system.

15

From Table 4 we see that three emergency systems, two electrical systems, two support systems, plus safety relief valves and the reactor trip system have significant values of F-V Importance. Clearly, these nine systems are the ones upon which attention should be focused during inspections to ensure that the probability of core melt.is not increased by system degradation. Since l nuclear powerplants have on the order of a hundred identifiable systems, this use of PRA results has already provided significant system prioritization information to help focus inspection activities.

At this stage in the analysis, it is not possible to numerically rcnk i system Importances for Rancho Seco--indeed it may be neither possible nor i desirable to do so without plant-specific probability studies. Nevertheless, we have constrained the list of Important systems to a manageable number, and we have taoulated specific component failures in each of these systems which contribute significantly to the core melt probability at the surrogate plants.

In succeeding tasks we will examine for each of these systems the component failures identified in Tables 1, 2 and 3 as significantly affecting the core melt probability for the surrogate plants. By comparison of these system designs with those at Rancho Seco we will infer the Rancho Seco system components expected to be similarly important.

4.0 CHANGES AT ANO-1 After preparation of this report, and well into performance of the second phase of this project, we were informed that plant design changes have been made at ANO-1 which significantly affect the PRA results for this plant.

Dependence of the feedwater system on Vital AC and DC power has been changed so that loss of one of these buses would not trip the plant and provide an initiating event for fault tree analysis. Incorporation of the effects of this change into the ANO-1 PRA would eliminate many of the dominant cutsets listed in Table 1, and change F-V Importance values calculated for the Vital AC and DC Power systems.

We have not attempted to incorporate the results of these changes into our work for three reasons. First, a PRA incorporating the effects of these changes has not yet been published. Second, we have neither the time nor budget necessary to incorporate these changes. Third, it is not necessary for our purposes that the ANO-1 PRA represent the existing plant - only that the PRA and the plant descriptions which we use in subsequent comparisons with the Rancho Seco plant be self consistent.

For these reasons, the results presented in Table 1 are those obtained from the published PRA for ANO-1. The detailed comparisons of systems and operations performed in subsequent project activities utilized system descriptions drawn from the same source. Self ;onsistency has thus been maintained. We note that the function of the surrogate plants in this study is to provide examples against which Rancho Seco can be compared. The AN0-1 PRA, as published, fills that function.

16

REFERENCES Higgins, J. C., S. M. Wong, M. A. Azarm, and W. T. Pratt. 1984. Limerick Systems Prioritization and Inspection Program Recommendations. A-3451, Brookhaven National Laboratory, Upton, NY.

Higgins, J. C. 1986. Probabilistic Risk Assessment (PRA) Applications.  !

NUREG/CR-4372, U. S. Nuclear Regulatory Commission, Region I, King of Prussia, PA.

Hinton, M. F. and R. E. Wright. 1986. PRA Applications Program for Inspection at Seabrook Station Draft Report. EGG-EA-7194, Idaho National Engineering Laboratory, Idaho Falls,10.

Hinton, M. F. and R. E. Wright. 1986. Pilot PRA Applications Program for l

Inspection at Indian Point 2. EGG-EA-7136, Idaho National Engineering Laboratory, Idaho Falls, ID.

Kolb, G. J., S. W. Hatch, P. Cybulskis, and R. O. Wooton. 1981. Reactor Safety Study Methodology Applications Program: Oconee #3 PWR Power Plant, NUREG/CR-1659/2 of 4, Sandia National Laboratories, Albuquerque, NM.

j Kolb, G. J., et al. 1982. Interim Reliability Evaluation Program:

Analysis of the Arkansas Nuclear One - Unit 1 Nuclear Power Plant. NUREG/CR-2787, Sandia National Laboratories, Albuquerque, NM.

Lambert, H. E. 1975. " Measures of Importance of Events". In Reliability and Fault Tree Analysis, ed. R. E. Barlow et al., pp.77-100. SIAM Press,  ;

Philadelphia, PA. l Sugnet, W. R., G. J. Boyd, S. R. Lewis et al. 1984. Oconee PRA, A Probabilistic Risk Assessment of Oconee Unit 3. NSAC-60, Electric Power Research Institute, Palo Alto, CA.

Vesely, W. E. and T. C. Davis. 1985. Evaluations and Utilizations of Risk Importances. NUREG/CR-4377, U. S. Nuclear Regulatory Commission, Washington, D. C.

Vesely, W. E., T. C. Davis, R. S. Denning, and N. Saltos. 1983. Measures of Risk Importance and Their Applications. NUREG/CR-3385, Battelle Columbus Laboratories, Columbus, OH.

17

l I

APPENDIX A 1

l EVENT DEFINITIONS AND PROBABILITIES l 1

i

APPENDIX A EVENT DEFINITIONS AND PROBABILITIES This appendix presents tables listing the definitions and probabilities of individual events (cut set elements) which contribute to the dominant event sequences (dominant cut sets) leading to ccre melt. Tables A.1, A.2 and A.3 list events from the ANO-1 (8), Oconee (9) and Oconee-RSSMAP (10) PRAs, respectively, corresponding with Tables 1, 2 and 3 in the body of the report.

Events have.been grouped according to the plant system to which they were assigned for system importance calculations. Event sequence probabilities listed in Tables 1, 2 and 3 generally equal the product of probabilities of .

the contributing events, except for the AN0-1 PRA, which does not itemize i recovery factors (see discussion in the body of the report).

I l

A.1

TABLE A.1. ANO-1 PRA Dominant Sequence Events (cut set elements)'of Table 1.

l INITIATING EVENTS Event Frequency Symbol Description per year l

B(1.2) Reactor coolant pump seal rupture or rupture of 0.02 l Reactor Coolant System (RCS) piping with diameter I

>0.38" but $1.2" (small-small LOCA).

B(1.66) Rupture of RCS piping with diameter >1.2" but 3.1E-4

$1.66" (small LOCA).

B(4) Rupture of RCS piping with diameter >1.66" but $4 3.8E-4 (small LOCA). ,

T(LOP) Loss of offsite power. 0.32 T(FIA) Reactor trip with all front line systems initially 7.1 available (e.g., turbine trip).

T(A3) Failure of Engineered Safeguards (ES) power bus A3 0.035 (4160VAC) with concomitant failure of the power conversion system, [ fails Emergency Feedwater '

System (EFS) electric pump, and High Pressure Injection System (HPIS) A and B pumps].

T(D01) Failure of ES power bus D01 (125VDC) with 0.018 I concomitant failure of the power conversion system, [ fails EFS electric pump and 1/2 turbine pump flow control valves and 1/2 turbine pump steam admission valves, HPIS A and B pumps, Reactor Building Cooling System (RBCS) fans A and B, Reactor Building Spray Injection System (RBSI) pump A].

T(D02) Failure of ES power bus D02 (125VDC) with 0.018 concomitant failure of the power conversion system, [ fails HPIS pump C, RBCS fans C and D, RBSI pump B, 1/2 EFS turbine pump flow control valves and 1/2 turbine steam admission valves, 1/2 EFS electric pump flow control valves].

l A.2 1

TABLE A.I. (continued)

OPERATOR ERRORS Event Probability Symbol Description of Unavailability HPI-PUMP- Failure of operator to initiate HPIS following 1E-4 CM1 certain small LOCAs requiring manual initiation of the HPIS. B(1.2) sequences.

HPI-PUMP- Failure of operator to initiate HPIS. (This proba- 0.1 CM2 bility was assigned to be 0.1 to reflect an extremely high stress situation.) T(FIA) sequences.

HPI-PUMP- Failure of operator to initiate HPIS and establish SE-4 CM3 a " feed and bleed" core cooling operation. T(A3) sequences.

HPRS-CM Failure of operator to initiate the HPRS. 1.6E-3 l CORE COOLING - HPI- 1 Event Probability  ;

Symbol Description of Unavailability LF-HPI- Local faults in HPIS pipe segment H14 [ fails output 0.014 H14 from pipe segment H14 and thus fails output from HPIS C pump (P36C)].

Composite failures:

Component Subevent Subevent Type Description Unavailability Check valve Failure to open 1E-4 (MU19C)

Manual valve Failure to remain 1E-4 (MU20C) open(plug)

Manual valve Failure to remain 1E-4 (MU18C) open (plug)

Motor driven Failure to start 1E-3 pump (P36C)

Maintenance 2.2E-4 Open circuit in 1.1E-3 cable Circuit breaker (406)

(a) Failure to transfer IE-3 (b) Local fault in 2E-3 control circuit

~

A.3

l TABLE A.1. (continued) l CORE COOLING - HPI (continued)

Component Subevent Subevent Type Description Unavailability LF-HPI- Manual valve Plugged 1E-4 .

H14 (180)  !

(cont'd) i Motor operated Failure to operate 4E-3 i '

valve (CV3810)

Plugged 1E-4 Open circuit in 1.1E-3  ;

cable Circuit breaker (6214)

(a) Failure to transfer 1E-3 (b) Local fault in 2E-3 control circuit Unit control- Relay fails to energize 1E-4 ler (201)

CORE COOLING - LPI Event Probability S.,ymbol Description of Unavailability LF-LPI- Local fault of LPIS pipe segment L25 [ fails pump 1E-4 L25 suction to all HPIS (P36) and RBSI (P35) pumps].

Composite failures: {

Component Subevent Subevent l Type Description Unavailability Manual valve Failure to remain 1E-4 (BW1X) open i

LPI1407A- Local faults of Low Pressure Injection System (LPIS) 8.2E-3 I

VCC-LF valve CV1407A [ fails suction to HPIS (P36) A and B ]

f pumps and RBSI A pump (P35A)].

Composite failures:

Component Subevent Subevent )

Type Description Unavailability J i Motor operated Failure to operate 4E-3 j valve (CV1407A) i Failure to remain IE-4 l

open - plugged A.4 i

TABLE A.1. (continued)

CORE COOLING - LPI (continued)

Component Subevent Subevent Type Description Unavailability l LPI1407A- Open circuit in 1.1E-3 VCC-LF cable 1

(cont'd)

Circuit breaker (5164)

(a)Failuretotransfer 1E-3 (b) Local fault in 2E-3 control circuit (c) Maintenance e Outage due to mainte- 1.6E-6 nance on valve (CV1405)

LPI14088- Local faults of LPIS valve CV1408 [ fails suction to 8.2E-3 VCC-LF HPIS C pump (P360) and RBSI B pump (P350)].

Composite failures:

Component Subevent Subevent Type Description Unavailability Motor operated Failure to operate 4C-3 valve (CV14088)

Failure to remain IE-4 open - plugged Open circuit in 1.1E-3 cable Circuitbreaker(6164)

(a) Failure to transfer 1E-3 (b) Local fault in 2E-3 control circuit (c) Maintenance e Outage due to mainte- 1.6E-6 nance on valve (CV1406)

ELECTRICAL - DC POWER Event Probability Symbol Description of Unavailability T(D01) Initiating event A.5

TABLE A.1. (continued)

ELECTRICAL - DC POWER (continued)

Event Probability Symbol Description of Unavailability.

T(D02) Initiating event BATCM Common mode failure of both station batteries [ fails 2.6E-5 all mitigating systems].-

LF-DC- Local faults of ES bus D01 (125VDC) [ fails HPIS (P36) 1.0E-4 D01 A and B pumps, RBCS (SF1) A and B cooler fans, RBSI A pump (P35A),1/2 EFS turbine pump flow control valves, and EFS electric pump (P78)].

Composite failures:

Component Subevent Subevent Type Description Unavailability Bus (D01) Open circuit 7.2E-5 Maintenance (a) Repair of circuit 8E-6 4 breakers 0122B or 5622B (b) Repair of battery 2.2E-5 charger 005 LF-DC-D02 Local faults of ES bus D02 (125VDC) [ fails 1/2 EFS 1.0E-4 turbine pump flow control valves, HPIS C pump (P36C),

RBCS (SF1) C and D cooler fans, and RBSI B pump (P358)].

Composite failures:

Component Subevent Subevent Type Description Unavailability.

Bus (D02) Open circuit 7.2E-5 Maintenance (a) Repair of circuit 8E-6 breakers 0222A or 6143A (b) Repair of battery 2.2E-5 charger 004 A.6

TABLE A.1. (continued)

, ,~

l, ELECTRICAL - DC POWER (continued)

Probability Event of Unavailability Symbol Description LF-DC-D06 Local fault of battery D06 [ fails HPIS C pump (P36C), 1.1E-3 1/2 EFS turbine pump control valves, and RBCS (SF1)

CandDcoolerfans].

Composite failures:

Component Subevent Subevent Type Description Unavailability Battery (D06) Failure to provide 1.1E-3 proper power Maintenance, cleaning 1.6E-5 of battery Fuse Premature open 2.4E-5 Relay Premature open 2.4E-6 LF-DC-D07 Local fault of battery 007 [ fails HPIS (P36) A and B 1.1E-3 pumps, EFS electric pump (P7B) and 1/2 turbine pump flow control valves, RBCS (SF1) A and B cooler fans, and RBSI A pump (P35A)].

Composite failures:

Component Subevent Subevent Type Description Unavailability Battery (007) Failure to provide 1 1E-3 proper power Maintenance, cleaning 1.6E-5 of battery Fuse Premature open 2.4E-5 Relay Premature open 2.4E-6 A.7

TABLE A.I. (continued)

ELECTRICAL - VITAL AC POWER Event Probability Symbol Description of Unavailability T(A3) Initiating event LF-AC-DG1 Local fault of diesel generator 1 [ fails HPIS (P36) 0.033 A and B A pump P35A),

(pumps, andRBCS (SF1) A EFS electric and(P7B)].

pump B cooler fans, RBSI Composite failures:

Component Subevent Subevent Type Description Unavailability Diesel gener- Failure to start 2.5E-2 ator(DG1)

Failure to run, 7.8E-4 given start 1 of 5 shorts to SE-5 power in time delay relays Maintenance, repair 1.5E-3 l

of DG1 Unavailability of 1.2E-4 DG1 due to test Output circu!t Failure to mechani- IE-3 breaker for cally transfer DG1 (308)

Circuit breaker control cicult (a) Failure of 1 of 5.4E-4 5 contacts (b)1 of 2 relays fail 2E-4 to energize Maintenance, repair of 4E-6 CB308 A.8

TABLE A.1. (continued)

ELECTRICAL - VITAL AC POWER (continued)

Component Subevent Subevent Type Description Unavailability Failure to mechani-LF-AC-DG1 Tie breaker 1E-3 j (cont'd) from Al to A3 cally open (309)

(A)1of3cir- (a)1 of 2 relays not 2E-4 cuit breaker energized UV control circuits (b) Failure of 1 of 2 2.2E-4 (309-A31) contacts

[ANDed and with (B) (c)0 pen circuit in (C) below] 1.1E-3

, cable l

(B)1of3cir- (a)1 of 2 relays not 2E-4 cuit breaker energized UV control circuits (b) Failure of 1 of 2 2.2E-4 (309-A32) contacts

[ANDed with (A) ,

above and (C) (c)0pencircuitin 1.1E-3 1 below] cable i 1

(C)1 of 3 cir- (a)1 of 2 relays not 2E-4 I cuit breaker energized )

UV control l circuits (b) Failure of 1 of 4 4.3E-4 (309-B5) contacts  ;

[ANDed with (A) and (B) above] (c)0pencircuitin 1.1E-3 cable Circuit breaker Overload surge pro- 2.4E-5 (0114) tection malfunction Cable (D114) Open circuit 7.2E-5 Bus (0114) Open circuit 7.2E-5 Motor-driven Failure to start IE-3 fuel pump for DG1 (P16A) Failure to run, 7.2E-4 given : tart Circuit breaker over- 2.4E-5 load surge protection malfunction (5114)

Open circuit in cable 7.2E-5 A.9 i

TABLE A.)._ (continued)

ELECTRICAL - VITA .AC POWER (continued)

Component Subevent Subevent Typa Description Unavailability s

[1 LF-AC-DG1 Exhaust fan Failure to start 3E-4 (cont'd) (24A)

Failure to run, 2.4E-4 given start Circuit breaker over- 2.4E-5 load surge protection malfunction (5122)

Open circuit in cable 7.2E-5 Exhaust in Failure to start 3E-4 (248)

Failure to run, 2.4E-4 given start Circuit breaker over- 2.4E-5 load surge protection malfunction (5123)

Open circuit in cable 7.2E-5 LF-AC-DG2 Local fault of diesel generator 2 [ fails HPIS C pump 0.033 (P36C), RBCS (SF1) C and D cooler fans, and RBSI B ,

i pump (P358)]. I Composite failures:

Component Subevent Subevent T,ype Description Unavailability l Diesel gener- Failure to start 2.5L-2  !

ator(DG2)

Failure to run, 7.8E-4 given start 1 of 4 shorts to 4E-5 power in time delay relays Maintenance, repair 1.5E-3 of DG2 Unavailability of 1.2E-4 DG2 due to test A.10

TABLE A.1. (continued)

ELECTRICAL - VITAL AC POWER (coatinued)

Component Subevent Subevent Type Description Unavailability LF-AC-DG2 Output circuit Failure to mechani- IE-3 (cont'd) breaker for cally transfer DG2 (408)

Circuit breaker control curcuit (a) Failure of I of 5.4E-4 5 contacts (b)1 of 2 relays fail 2E-4 l to energize Maintenance, repair of 4E-6 CB408 A2 to A4 Failure to mechani- IE-3 Supply (409) cally open ,

(A)1 of 3 cir- (a)i of 2 relays not 2E-4 l cuit breaker energized l UV control circuits (b) Failure of 1 of 2 2.2E-4 l' (409-A41) contacts

[ANDed with (B) and (C) below) (c)0 pen circuit in 1.1E-3 cable (B)1 of 3 cir- (a)1 of 2 relays not 2E-4 cuit breaker energized UV control circuits (b) Failure of 1 of 2 2.2E-4 (409-A42) contacts

[ANDed with (A) above and (C) (c)0pencircuitin 1.1E-3 below] cable (C)1 of 3 cir- (a)1 of 2 relays not 2E-4 cuit breaker energized UV control circuits (b) Failure of 1 of 4 4.3E-4 (409-B6) contacts

[ANDed with (A) dnd (B) aboVe] (c)0 pen circuit in 1.1E-3 cable ,

Circuit breaker Overload surge pro- 2.4E-5 (D2114) tection malfunction Cable (02114) Open circuit 7.2E-5 A.11

^

TABLE A.1. (continued)

ELECTRICAL - VITAL AC POWER (continued)

Component Subevent Subevent Type Description Unavailability LF-AC-DG2 Bus (D2114) Open circuit 7.2E-5 (cont'd)

Motor-driven Failure to start IE-3 fuel pump for DG2 (P16B) Failure to run, 7.2E-4 given start Circuit breaker over- 2.4E-5 load surge protection j malfunction (6114)

Open circuit in cable 7.2E-5 Exhaust fan Failure to start 3E-4 (24C)

Failure to run, 2.4E-4 given start Circuit breaker over- 2.4E-5 load surge protection malfunction (6122)

Open circuit in cable 7.2E-5 .

Exhaust fan Failure to start 3E-4 (24D)

Failure to run, 2.4E-4 given start Circuit breaker over- 2.4E-5 load surge protection malfunction (6123) 1 Onen circuit in cable 7.2E-5 EMERGENCY FEEDWATER Event Probability Symbol Description of Unavailability LF-EFC- Local faults in "EFIC Initiate' signal path [ fails 0.011 ACBD4 1/2 EFS turbine pump steam admissien valves].

I A.12 i

I TABLE A.I. (continued)

EMERGENCY FEEDWATER (continued)

Comr)osite failures:

Component Subevent- Subevent Type Description Unavailability LF-EFC- Cable (AC04) Open circuit 1.1E-3 ACBD4 (cont'd) Cable (AC03) Open circuit 1.1E-3 Cable (AC02) Open circuit 1.1E-3 Cable (AC01) .Open circuit 1.1E-3 l

Cable (BD04) Open circuit 1.1E-3 Cable (BD03) Open circuit 1.1E-3 ,

i Cable (BD02) Open circuit 1.1E-3 Cable (BD01) Open circuit 1.1E-3 Logic (3AC) Fails to function 3.6E-4 Logic (2AC) Fails to function 3.6E-4 Logic (1AC) Fails to function 3.6E-4 Logic (3BD) Fails to function 3.6E-4 i Logic (2BD) Fails to function 3.6E-4 LF-EFC- Local faults in "EFIC Intitiate" signal path [ fails 5.4E-3 BB7B1CM 1/2EFSturbinepumpsteamadmissionvalves].

Composite failures:

Component Subevent Subevent Type Description Unavailability Cable (RS22) Open circuit 1.08E-3 Cable (AC06) Open circuit 1.08E-3 Cable (AC05) Open circuit 1.08E-3 Cable (B006) Open circuit 1.08E-3 Cable (BD05) Open circuit 1.08E-3 A.13

TABLE A.1. (continued)

EMERGENCY FEEDWATER (continued) i

! LF-EFC- Local faults in "EFIC Initiate" signal path [ fails 3.9E-3 CSY2 1/2 turbine pump steam admission valves]. <

Composite failures:

Component Subevent Subevent Type Description Unavailability Caole(CSY2) Open circuit 1.1E-3 Cable (AC08) Open circuit 1.1E-3 Cable (PD08) Open circuit 1.1E-3 Cable (AC07) Short to ground 1.1E-4 Cable (8007) Short to ground 1.1E-4 Logic (BDC1) Fails to function 3.6E-4 LF-EFC- Local fault in " Emergency Feedwater Initiation and 4.6E-3 D1D2CM Control System (EFIC) Vector" signal path (fails EFS turbine pump flow control valves].

Composite failures:

Component Subavent Subevent j Type ,_

Description Unavailability Cable (VD25) Open circuit 1.1E-3 Cable (VD12) Open circuit 1.1E-3 Cable (VD27) Open circuit 1.1E-3 l Cable (VD28) Short to ground 1.1E-4 Logic (220) Fails to function 3.6E-4 Logic (25D) Fails to function 3.6E-4 Logic (18D) Fails shorted 3.6E-5 l Logic (19D) Fails shorted 3.6E-5 Logic (140) Fails shorted 3.6E-5 Logic (15D) Fails shorted 3.6E-5 I

! Bistable (10D) Fails shorted 4E-7 i A.14 ]

l I

TABLE A.1. (continued)

EMERGENCY FEEDWATER (continued)

Component Subevent Subevent Type Description Unavailability LF-EFC- Bistable (11D) Fails shorted 4E-7 D1D2CM (cont'd) Buffer Ampli- Open circuit 1.2E-5  ;

l fier (60)

uffer Ampli- Open circuit 1.2E-5 fier (70) l Sensor (2D) Shift in calibration 1.2E-4 Sensor (3D) Shift in calibration 1.2E-4 Unidentified remainder

1E-4 LF-EFC- Local faults in "EFIC Vector" sianal path [ fails 9.4E-3 VCD2 1/2 EFS turbine pump flow contrci valies]. 1 Composite failures:

Component Subevent Subevent Type Description Unavailability Cable (VD41) Open circuit 1.1E-3  ;

J Cable (VD24) Open circuit 1.1E-3 l Cable (VD35) Open circuit 1.1E-3 Cable (VD22) Open circuit 1.1E-3 l 1

Cable (RS23) Open circuit 1.1E-3

' Cable (VD34) Open circuit 1.1E-3 1

Cable (VD14) Ope'a circuit 1.1E-3 Cable (VD36) Short to ground 1.1E-4. l Cable (VD21) Short to ground 1.1E-4 ,

1 Cable (VD13) Short to ground 1.1E-4 Logic (34D) Fails to function 3.6E-4 Logic (280) Fails to function 3.6E-4 Logic (24D) Fails to function 3.6E-4 A.15

TABLE A.1. (continued)

EMERGENCY FEEDWATER (continued)

Component Subevent- Subevent Type Description Unavailability LF-EFC- Logic (21D) Fails shorted 3.6E-5 VCD2 (cont'd) Logic (170) Fails shorted 3.6E-5 Bistable Fails shorted 4E-7 (120)

Buffer Open circuit 1.2E-5 amplified (8D)

Sensor (4D) Shift in calibration 1.2E-4 Unidentified remainder: 1E-4 l

LF-EFS-E4 Local faults in EFS pipe segment E4 [ fails 1/2 0.012 turbine pump flow control valves].

1 Composite failures:

Component Subevent Subevent Type Description Unavailability j Check valve Failure to open 1E-4 (Q4)

Motor operated Failure to open 4E-3 1

valve (CVX-1)

Failure to remain 1E-4 open (

Maintenance 7.2E-6 l

l Motor operated Failure to open 4E-3 valve (CV2620)

Failure to remain 1E-4 open l

l Maintenance 7.2E-6

! Circuit Failure to transfer 1E-3 l breaker (D02) j Faults in control 2E-3 circuit l Open circuit in cable 1.1E-3 )

A.16 l

l l L

EBLEA.I. (continued)

EMERGENCY FEEDWATER (continued)

Loctl fault in EFS pipe segment E11 (and pipe 4E-3 LF-EF5-E11 segments E8, E16, E17, E25, E26, and E43 according to IREP report)[ fails turbine driven pump (P7A)].

Composite failures:

Component Subevent Subevent Type Description Unavailability l Turbine-driven Failure to start 3E-3 pump (P7A)

Failure to run, 1.2E-4 given start Testing e l

Maintenance 2.2E-4 l

Check valve Failure to open IE-4 (10B)

Motor-operated Failure to remain open 1E-4 valve (Y3)

Maintenance 7.2E-6 ,

Motor-operated Failure to remain open 1E-4 valve (Y4)

Maintenance 7.2E-6 LF-EFS- Local faults in EFS pipe segment E11 [ fails suction 3E-4 E22 path to both EFS pumps (P7A&B)].

Composite failures:

Component Subevent Subevent Type Description, Unavailability Check valve Failure to open IE-4 (99)

Condensate Rupture e storage tank Mar' sal valve Failure to remain open 1E-4 (19)

Check valve Failurekoopen' 1E-4 l (98)

A.17

i l TABLE A.1. (continued)

EMERGENCY FEEDWATER (continued)

LF-EFS- Local faults in EFS pipe segment E29 [ fails 1/2 8.1E-3 E29 EFS turbine pump steam admission valves].

Composite failures:

Component Subevent Subevent Type Description Unava1' ability Motor operated Failure to open 4E-3 valve (CVY-2)

Failure to remain 1E-4 j open Maintenance 7.2E-6 Circuit Failure to transfer 1E-3 4 breaker (BBBB)

Faults in control 2E-3 ci rcuit Open circuit in cable 1E-3 MAIN FEEDWATER Event Probability ,

Symbol Description of Unavailability l B(1.66) Initiator I T(D01) Initiator T(D02) Initiator T(A3) Initiator SERVICE WATER Event Probability Symbol Description of Unavailability LF-SWS-S1 Local faults in SWS pipe segment S1 [ loss of cooling 5E-3

, to switchgear fails AC/DC power to HPIS C pump (P35C), I to RBSI B pump (P35B), and HPRS of cooling to HPIS C pump (P36C) lube pump room fans; oil coolers, to loss l l RBSI B pump (P35B) lube oil coolers, and RBCS (SF1) C and D coolers thus failing the pumps and coolers].

{ Composite failures:

A.18 d

TABLE A.1. (continued)

SERVICE WATER (continued)

Component Subevent Subevent Description Unavailability Type LF-SWS-S1 Check valve Failure to open 1E-4 (cont'd) (001C) [ assumed]

Manual valve Failure to remain e i (002C) open [ assumed]

Motor driven Failure to start IE-3 pump (P4C)

Failure to run 7.2E-4 Maintenance 1.9E-4 )

Open circuit in 7.2E-5 cable Circuit breaker (402)

(a) Failure to transfer 1E-3 (b) Local fault in 2E-3 control circuit LF-SWS-S2 Local faults in Service Water System (SWS) pipe SE-3 segment S2 [ fails cooling to HPIS (P36) A and 8 pump lube oil coolers, High Pressure Recircu-lation System (HPRS) (P36) A and B pump room heat exchangers, and RBSI pump (P35A) lube oil cooler] .

Composite failures: )

Component Subevent Subevent Type Description Unavailability l Check valve Failure to open 1E-4 I

(0018) [ assumed]

Manual valve Failure to remain e l (0028) open [ assumed] l Motor driven Fail'are to start 1E-3 pump (P4B)

Failure to run 7.2E-4 Maintenance 1.9E-4 Open circuit in 7.2E-5 ,

cable A.19

TABLE A.1. (continued)

SERVICE WATER (continued) c Component Subevent Subevent Type Description Unavailability LF-SWS-S2 Circuitbreaker(303)

(cont'd) (a) Failure to transfer 1E-3 '

(b) Local fault in 2E-3 control circuit <

LF-SWS- Local fault in SWS pipe segment S82 [ failure of S82 0.023 S82 can likelyfail suction fails cooling cooling (to all HPRS pumps but most to P36A&B)].

Composite failures: ,

Component Subevent Subevent Type Description Unavailability l

Heat exchanger Flow blockage - 3E-4 (E35A) plug Motor operated Failure to operate, 4E-3 valve (CV3822) plugged Open circuit in 3.2E-3 cable Circuit breaker (5182)

(a) Failure to transfer 1E-3 l

l (b) Local fault in 2E-3 control circuit Manual valve Plug 1E-4  ;

(022A)

Testing outages 9E-4  !

2E-4

! Failure to restore 8E-3 following testing Failure to restore 1.8E-4 following maintenance Unidentified remainder: 3E-3 A.20 J

TABLE A.I. (continued)

SERVICE WATER (continued)

LF-SWS- Local fault in SWS pipe segment S83 [ failure of S83 0.023 S83 can likelyfail suction fails cooling cooling (to all HPRS pumps but most to P36C)].

l Composite failures:

Subevent i Component Subevent Type Description Unavailability

{

Heat exchanger Flow blockage - 3E-4 (E35B) plug Motor operated Failure to operate, 4E-3 valve (CV3821) plugged ,

Open circuit in 3.2E-3 cable Circuitbreaker(6183)

(a) Failure to transfer 1E-3 (b) Local fault in 2E-3 control circuit Manual valve Plug 1E-4 (0228)

Testing ,

(a) outages due to 9E-4 testing 2E-4 )

(b) failure to restore 8E-3 following testing (

Failure tc restore 1.8E-4 I following maintenance Unidentified remainder: 3E-3 )

LF-SWS- Local faults of AC and DC switchgear room cooler 0.023 VCH4A VCH4A [ loss of coolirg to switchgear fails AC/DC power to HPIS C pump (P36C), to RBSI B pump (P35B),

to HPRS pump-room heat-exchanger fans, and to RBCS (SF1) C and D cooler fans].

Composite failures:

A.21

1 TABLE A.1. (continued) l SERVICE WATER (continued) l Component Subevent Subevent Type Description Unavailability l

LF-SWS Chill Water Failure to start 2.3E-3 VCH4A Unit (VCH4A)

(cont'd) Failure to run 1.4E-3 Maintenance (a) outage due to 4.3E-3 (b) failure to restore 1.8E-4 Open circuit in 1.1E-3 cable Circuit breaker (listed as 6254 but assume that shouldbe61102B)

(a) Failure to transfer 1E-3 (b) Local fault in 2E-3 l control circuit Thermostat - failure 5.4E-3 to close Motor operated Plug IE-4 3-way valve i (CV6034) Failure to operate 4E-3 t Bypass port closed - 1E-4 plug l

Maintenance l 7.2E-6 Manual valve Plug 1E-4 (SW3903)

Manual valve Plug IE-4 (SW608A)

Manual valve Failure to remain IE-4 (SW602A) open (plug)

Check valve Failure to remain open 1E-4 (SW604A) (plug)

A.22

TABLE A.1. (continued)

SERVICE WATER (co:itinued) i

)

Component Subevent Subevent Type Description Unavailability  ;

i LF-SWS- Manual valve Failure to remain open IE-4 VCH4A (SW601A) (plug)

(cont'd)

Manual valve Plug 1E-4 1 (SW606A)

Manual valve Plug 1E-4 (SW3905)

Manual valve Failure to remain open 1E-4 (SW600A) (plug)

Manual valve Failure to remain open 1E-4  :

l (AC200A) (plug)

LF-SWS- Local faults of AC and DC switchgear room cooler 0.023 VCH4B VCH4B [ loss of cooling to switchgear fails AC/DC '

power to HPIS (P36) A and B pumps and RBSI A pump  !

(P35A) plus " odd" AC/DC power fails causing SWS pump which feeds the HPRS room heat exchanger to fail].

Composite failures:

Component Subevent Subevent Type Description Unavailability Chill Water Failure to start 2.3E-3 Unit (VCH48)

Failure to run 1.4E-3 Maintenance (a)outagedueto 4.3E-3 (b) failure to restore 1.8E-4 Open circuit in 1.1E-3 ,

cable  !

Circuit breaker (listed as 5254 but assume that shouldbe51102B)

(a)Failuretotransfer IE-3 (b) Local fault in 2E-3 control circuit A.23

TABLE A.1. (continued)

SERVICE WATER (ccntinued) ]

Component Subevent Subevent ,

Type Description Unavailability j LF-SWS-VCH4B Thermostat - failure 5.4E-3 (cont'd) to close

]

Motor operated Plug IE-4 3-way valve (CV6036) Failure to operate 4E-3 Bypass port closed - 1E-4 plug i Maintenance 7.2E-6 Manual valve Plug 1E-4 (SW3900)

Manual valve Plug 1E-4 (SW608B) 1 Manual valve Failure to remain 1E-4 (SW6028) open (plug)

Check valve Failure to remain open 1E-4 (SW604B) (plug)

Manual valve Failure to remain open 1E-4 (SW6018) (plug)

Manual valve Plug IE-4 (SW6068)

Manual valve Plug IE-4 (SW3902)

Manual valve Failure to remain open 1E-4 (SW600B) (plug)

Manual valve Failure to remain open 1E-4 (AC200B) (plug)

SAFETY RELIEF VALVES Event -

Probability Symbol Description of Unavailability Q Failure of one of two pressurizer safety / relief 0.02 1 valves to'close after being demanded open.

1 A.24 L _ -.

TABLE A.1. (continued)

REACTOR TRIP - RPS Event Probability Symbol Description of Unavailability RPS000AA- Reactor trip breaker A fails to open [A and C1 or 1E-3 BCC-LF C2 will cause RPS failure].

RPS000BB- Reactor trip breaker B fails to open [B and D1 or 1E-3 BCC-LF D2 will cause RPS failure].

RPS00CIC- Reactor trip breaker C1 fails to open [C1 and A 1E-3 f BCC-LF will cause RPS failure].

RPS00C2C- Reactor trip breaker C2 fails to open [C2 and A 1E-3 l BCC-LF will cause RPS. failure].

RPS00D1D- Reactor trip breaker D1 fails to open [D1 and B 1E-3 l

BCC-LF will cause RPS failure].

l RPS00D2D- Reactor trip breaker D2 fails to open [D2 and B 1E-3 BCC-LF will cause RPS failure].

l 1

l A.25

l TABLE A.2. Oconee PRA Dominant Sequence Events (cut set elements) of Table 2.

INITIATING EVENTS Event Frequency l Symbol Description per year A Large LOCA 9.3E-4 R SG tube rupture 8.6E-3 VR Reactor-vessel rupture 1.1E-6 S Small LOCA 3.0E-3 T Summation of all transient frequencies 7.0 TURB Summation of transient frequencies not involving loss of feedwater as an initiator. T - (T2+T4+TSSUBF +

T5FEEDF + T6+T10 + Til + T14) 5.7 T2 Loss of MFW 6.4E-1 T4 Loss of condenser vacuum 2.1E-1 T5FEEDF Failure of offsite power due to grid or feeder failure 4.0E-2 TSSUBF Failure of offsite power due to 230-kV substation 1.3E-1 i failure (both buses) l T6 Loss of IA 1.7E-1 1 T

10 Large feedline break 9.3E-4 4

T12 (108 only)

Loss of LPSW by the transfer of LPSW-108 7.8E-4 T12 (w/ 108)

Loss of LPSW by failures other than LPSW-108 3.2E-3 )

i T

13 Spurious low pressurizer pressure signal '4.4E-2 T

14 Loss of 4-kv switchgear 3TC 5.4E-3 j OPERATOR ERRORS l Event Probability Symbol Description of Unavailability HPRCPH Operators fail to trip RCPs following loss of seal 1.0E-2 1 cooling (within 15 min)

A.26

_--_-_______________-___________________L

TABLE A.2. (continued)

OPERATOR ERRORS (continued)

Event Probability Symbol Description of Unavailability j

LPiHROTTLE Operator fails to throttle high f1C. in LPI system, 3.0E-3 or overthrottles to insufficient flow SW3BPPSH Operators fail to start standby SW pump 2.0E-3 4 XALPRH Operators fail to attempt low-pressure recirculation 5.0E-3 l' within 30 min following a large-break LOCA XHPLPR12H Operators fail to attempt high- or low-pressure 3.0E-4 l recirculation within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> following a large-break i LOCA XHPR2H Operators fail to attempt high-pressure recirculation 3.0E-3 within 2 hr after small-break LOCA UTHPIH Operators fail to initiate HPI cooling following loss 1.0E-2 of all FW YRBSH Operators fail to terminate RB spray operation provided 5.0E-1  ;

the RB cooling system is operating YRBSHNOT Complement of event YRBSH 5.0E-1 CORE COOLING - HPI Event Probability Symbol Description of Unavailability BWINJ ATWS overpressure causes valve damage which prevents 1.0E-1  !

boron injection HP2425MVH MOVs HP-24 and HP-25, HPI ES suction valves, both left 5.0E-5  ;

unavailable due to human error i HPMSEGP0 Failure of suction flow to HPI pumps via 6.5E-3 "A" flowpath Component Subevent Subevent Type Description Unavailability HP101CVO Tilting-disc CV 8.7E-5 HP-101 fails to open on demand A.27

TABLE A.2. (continued)

CORE COOLING - HPI (continued)

Component Subevent Subevent Type Description Unavailability i

/

HP24MVO MOV HP-24 fails to 6.4E-3 open on demand I

HPMSEGQ0 Module: Failure of suction flow to HPI pumps via 6.5E-3 "B" flowpath Component Subevent Subevent Type Description Unavailability i HP102CVO Tilting-disc CV HP-102 8.7E-5 <

fails to open on demand HP25MVO M0V HP-25 fails to 6.4E-3 open on demand l CORE COOLING - LPI ,

Event Probability Symbol Description of Unavailability ;

l LPBWSTF BWST fails to provide suction flow. 1.8E-5 l LPBWSTF = (LP61VVO

• LPVRF)

+ [LPHRLO

• LPHRH * (LPHPF + LPHRF)]

+(LPBWF

• LPBWLH)

Component Subevent Subevent Type Description Unavailability LP61VVO Vacuum breaker fails 8.1E-5 to operate LPVRF Main oypass plugged / 2.6E-4 blocked LPHRLO Temperature below 40 F 3.0E-1 )

i LPHRH Operators fail to 2.0E-2 l restore BWST heating LPHPF Local power loss to '.0E-3 i BWST heaters j LPHRF BWST heaters fail 1.0E-4  :

LPBWF BWST level low 3.1E-4 LPBWLH Operators fail to 2.0E-2 restore BWST level A.28  !

TABLE A'.2.. (continued)

CORE C00 LING'- LPI (continued)

LPDHRSUC 'DHR suction ' flew from the reactor vessel' 2.0E-2 is unavailable Component Subevent Subevent Type Description Unavailability LP1MVO MOV LP-1 fails to open 6.3E-3 LP2MV0 MOV LP-2 fails to open 6.3E-3 LP3MV0 M0V LP-3. fails to open 6.3E-3 LP1MVMH MOV LP-1 unavailable due 3.0E44 I

> to maintenance error i LP2MVMH MOV LP-2 unavailable due 3.0E-4 to maintenance error LP3MVMH MOV LP-3 unavailable due 3.0E-4 to maintenance error LP1MVPST Interlock on LP-1 fails 2.4E-4 to operate LP2MVPST Interlock on LP-2 fails 2.4E-4~

to operate LP3MVPSF Interlock on LP-3 fails 2.4E-4 I to operate '

LPFLOWH High flow develops in LPI system. (Eventonlyapplies 1.0 for low-pressure. recirculation.)

LP28VVCH BWST suction valve inadvertently left in closed position 2.8E-5 (includes 7.5 x 1.0E-6 contribution from valve transfers closed) ,

)

LP40VVH Test valve LP-40 left in open position 1.0E-3 .

LP4142VVH Test valves LP-41, -42 left in open' position. 1.0E-1 (The indicated value (0.1) is for the case when LP4142VVH appears with LP40VVH. The human errors are coupled.)

LTC00L ATWS' overpressure causes a LOCA and results in other l '. 0 E-l' damage ~, including valve failures, which fail.long term.

core cooling ELECTRICAL - DC' POWER NONE

/ 29 ,

l

1 l

l TABLE A.2. (continued) l l

l ELECTRICAL - VITAL AC POWER Event Probability )

Symbol Description of Unavailability

]

T g4 Initiating event P23XLF Local faults 208-V MCC 3XL 3.1E-4 Component Subevent Subevent Type Description Unavailability l P23XLBSF Bus fault 3XL 4.3E-6 PFEED27CAF Feed cable fault 2.0E-4 )

i P23XLBSUM Unscheduled main- 1.0E-4 j tenance 3XL i

P3XLTFF Transformer failure /.4E-6 j 3XL l EMERGENCY FEEDWATER Event Probability Symbol Description of Unavailability EFM17 Local faults cause failure of TD EFW pump 5.6E-2 Component Subevent Subevent Type Description Unavailability EFTDDPS TD EFW pump fails 3.8E-2 to start on de-mand EFTDPPM TD EFW pump in 3.5E-3 maintenance EFTDPP1H TD EFW pump not re- 1.0E-2 stored properly after T or M l EF88VVH MV FDW-88 left open 1.0E-3 after test, diverting flow to test recircu-l lation path MS93AVO A0V MS-93 fails to open 1.6E-3 to admit steam to TD EFW pump A.30

TABLE A.2. (continued)

EMERGENCY FEEDWATER (continued)

~

Component Subevent Subevent Type Description Unavailability EFTDDCPPS Auxiliary dc oil pump 5.0E-4 i fails to start to provide lube oil pressure EFTDPPR TD EFW pump fails to run during the event' 2.4E-2 1

EFTDST5H Failure to provide suction flow to the TD 1.5E-1 j (EFTDST6H) EFW pump after UST is depleted under loss of offsite j power (loss of IA) conditions Component Subevent Subevent Type Description Unavailability

.q CW157VV1H Failure of the oper- 1.0E-1 ators to successfully lock open valve C-157 to prevent cavitation of TD EFW pump.

CW391MV2H Failure of the oper-ators to open MOV'C-391 to establish a suction path from the hotwell to the TD EFW pump; con-- 1 sidered together'with CW157VV1H ETDPP2S TD EFW pump fails to 3.8E-2 restart following i transfer of suction

]

EFUSTF Insufficient level in UST. Based on about one error 4'0E-4 i per year of a few hours duration .

EFWF Emergency feedwater fails after ATWS transient 1.0E-1 I

q MAIN FEEDWATER j Event Probability Symbol Description of Unavailability .j Initiating event. Loss of MFW.

T2 T4 Initiating event. Loss of condenser vacuum 1 fails MFW. . I J

T.

6 Initiating event. ' Loss of IA fails MFW. l j

A.31 i l

4

TABLE A.2. . (continued)

MAIN FEEDWATER (continued)

Probability Event of Unavailability Symbol Description T10 Initiating event. Large feedline break.

SERVICE WATER Probability Event of Unavailability Symbol Description Initiating event T12(108)

T12(wo/108)

Initiating event I

SWLPIAMF LPSW flow through decay-heat cooler A fails 1.2E-2 j Component Subevent Subevent l

Type Description Unavailability SW71VVT MV LPSW-71 transfers 1.9E-4 closed j SWDHCAF Decay heat cooler fails 1.1E-4 SWO4MVO M0V LPSW-4 fails to open 6.4E-3 CV LPSW-75 fails to open 1.0E-4 I SW75CVO l

SW77VVT MV LPSW-77 transfers 1.9E-4 1 closed SW405AVT A0V LPSW-405 transfers 1.7E-3 i

closed SW405AVH LPSW-405 left closed 1.0E-3 after maintenance l

SW71VVH LPSW-71 left closed by 2.0E-3 l by operations staff

l SWDHCAM Decay-heat cooler A in 2.7E-4 maintenance LPSW flow through decay-heat cooler B fails 1.2E-2 SWLPIBMF Component Subevent Subevent Type Description Unavailability SW72VVT MV LPSW-72 transfers 1.9E-4 closed A.32

TABLE A.2. (continued)

SERVICE WATER (continued)

Component Subevent Subevent Type Description Unavailability.

SWDHCBF Decay heat cooler 1.1E-4' fails i

SWO5MVO MOV LPSW-5 fails to 6.4E-3 open SW76CVO CV LPSW-76 fails to 1.0E-4 i open  ;

i SW78VVT- MV LPSW-78 transfers 1.9E-4 closed i SW404AVT A0V-valve LPSW-404 1.7E-3 I

transfers closed SW404AVH LPSW-404 left closed 1.0E-3 after maintenance SW72VVH LPSW-72 left closed by 2.0E-3 -

by operations staff-SWDHCBM Decay-heat cooler B in 2.7E-4 maintenance SWPAR SW pump A running (alternated with pump B) 5.0E-1 SW3APPMR LPSW pump 3A fails to continue running 6.7E-4 Component Subevent Subevent j Type Description Unavailability #

SW120MVT MOV LFSW-120 transfers 2.9E-6 closed ;l l

SW122VVT MV LPSW-122 transfers 2.1E-6 )

closed 1 SW3APPR Pump'3A fails to con- 6.7E-4 tinue-running (

SW3BPPMR. Service water pump 3B fails to operate . 2.0E-2 i Component- Subevent Subevent j Type Description Unavailability l SW124CVO CV LPSW-124 fails *to 8.7E-5 open  :

A.33-i

TABLE A.2. (continued)

SERVICE WATER (continued)

Component Subevent Subevent Type Description Unavailability SW123MVT MOV LPSW-123 transfers 1.0E-5 1 l

closed before needed SW125VVT MV LPSW-125 transfers 1.1E-5 l closed before needed SW3BFPH Pump train left unavail- 1.4E-2 able following mainten-ance or backwash SW3BPPM Pump B unavailable due 1.6E-3 to maintenance (includes contribution from pump A also as a simplification)

SW108VVT MV LPSW-108 transfers closed during event 2.1E-6 SAFETY RELIEF VALVES Event Probability Symbol Description of Unavailability MSRVIC Any of 8 main SRVs fail to close after opening 4.0E-2

(= 8 x 5E-3)

RCSRVSC One of 2 SRVs fails to reclose after steam relief; 9.6E-3 RCSRVSC = 2 (4.8E-3) = 9.6E-3 SRVF Primary relief valve fails after ATWS transient 2.0E-2 REACTOR TRIP - RPS Probability Event Description of Unavailability Symbol RPSF Reactor fails to trip following initiating turbine 3.0E-5 trip or main feedwater loss transient RECOVERY FACTORS Event Probability Description of Unavailability Symbol OBWSTH Failure of the operating staff to initiate makeup to 5.0E-1 the BWST to maintain suction for HPI pumps during a SGTR. Value is based on lack of procedural guid-A.34

TABLE A.2. (continued)

RECOVERY FACTORS (continued)

Probability Event of Unavailability Symbol Description ance and is conditional on failure of cold shutdown, which is the preferred mode Failure of the operating staff to open LFI suction 1.0E-1 REDHRSUC MOVs for DHR, given failure of remote operation.

Value is based on 5% of failures being non-recoverable REEF 122/6 Failure of the operating staff to initiate SSF FW 1.0E-1 within ~1 hr after losing EFW due to EFTDST5H or l i

EFTDST6H. For these cases, EFW failure is delayed for approximately 2 to 6 hr allowing more time for operator action following the failure due to reduced decay heat. This recovery is in addition to the potential for feed and bleed method of cooling REFDW1 Failure of the operating staff to recover FW in 30 min; 5.0E-1 one source available for recovery REFDW2 Failure of the operating staff to recover FW in 30 min; 3.0E-1 j

two sources available for recovery REIA2/6 Failure of the operating staff to recover IA (allowing 5.5E-2 recovery of FW) prior to depletion of the UST. 2 to 6 hr l

are available depending on UST volume. This recovery occurs with EFTOST6H which represents failure to main-tain EFW suction following IA failure. Based on analysis of failure modes and the actions needed to mitigate them.

I Total nonrecovery value is based on:

P (IA not recovered in 6 hr)

+ P (IA air not recovered in 2 hr)

• P (UST level at under 10 f t)

= (0.04) + (0.3)(0.05)

= 0.005 Failure o' the operating staff to initiate SSF seal 1.0E-1 RESSFCI injection in approximately 30 min following a loss of normal seal injection (HPI pumps), i RESUBAIR2 Failure to recover offsite power in 2 hr and to reload 3.1E-2 load-shed air compressors following a loss of offsite power due to substation failure. Based on:

P (nonrecovery of substation in 2 hr)

• (P failure to load compressors on CT4 or CTS)

+ P (failure to reload air)

= (0.21) (0,1) + 0.01

= 3.1 x 1.0E-2 A.35

TABLE A.2. (continued)

RECOVERY FACTORS (continued)

Event Probability <

Symbol Description of Unavailability l RESW12 Failure of the operating staff to recover LPSW from 1.3E-2

)

another source before failure of all HPI pumps. Failure

! probability includes two contributions:

P (operator fails to properly cycle HPI pumps to prevent overheating) + P (operator fails to get service water including other units and HPSW)

= (8.0 x 1.0E-3) + (5.0 x 1.0E-3)

This value assumes the ES signal is not present to start the HPI pumps. This recovery does not apply to the failure of LPSW due to LPSW108, or to the cut set

[T14

• SW3BPPSH] which describes a misdiagnosis of tSe event.

RESW108 Failure of the operating staff to recover LPSW to HPI 1.1E-1 pumps given failure of LPSW108. Includes diagnosis of event, cycling of HPI pumps to extend time for action, and opening HPI discharge line drain valves to allow cooling flow.

RESWLPI failure of the operating staff to recover failures that 2.0E-1 lead to isolation of LPSW to LPI coolers. Value based on essentially perfect recover of failures that can be recovered.

I f

4 I

A.36

TABLE A.3. Oconee-RSSMAP PRA Dominant Sequence Events (cut set elements) of Table 3 INITIATING EVENTS Frequency Event per year Symbol Description T Loss of offsite power. 0.2 1

T Loss-of-power-conversion-system (PCS) transient 2 3 caused by other than a loss of offsite power.

Transients requiring shutdown with the PCS T3 4 initially available S

i Rupture of reactor coolant system (RCS) piping with 1E-4 diameter >10" but (13.5".

The probability of event S3 is taken to be that for a large LOCA (diameter >6") from WASH-1400 (IE-4/ry). ]

I S2 Rupture of RCS piping with diameter >4" but (10". 4E-4 The probability of event S2 is taken to be the sum of those for a large LOCA and a small LOCA (diameter >2" but(6")fromWASH-1400(IE-4/ry+3E-4/ry=4E-4/ry). i

)

RuptureofRCSpipingwithdiameter(4". 0.0013 j S3 The probability of event S3 is taken to be the sum of those for a small LOCA and a very small LOCA (diameter

>1/2" but (2") from WASH-1400 (3E-4/ry + .001/ry =

.0013/ry) 4 1

i l

l A 37

TABLE A.3. (continued)

OPERATOR ERRORS Event Probability Symbol Description of Unavailability HHMAN Operator fails to manually start the high head 0.1 auxiliary service water system. This system is a backup to the EFWS.

HPMAN Operator fails to start the HPIS 0.015 HPMAN1 Operator fails to start the HPIS during an ATWS 0.1 sequence (extremely high stress)

HPRSCM Common-cause failure of the operator to align 0.003 suction of the high pressure recirculation system to the discharge of the low pressure recirculation system.

WXCM Common-cause failure of the operator to open both 0.003 containment sump suction valves in the low pressure /

containment spray recirculation system (LP/CSRS) at l the start of the recirculation.

1 CORE COOLING - HPI Event Probability Symbol Description of Unavailability Al Failure of a pump discharge valve in the discharge 0.0098 line common to both backup pumps (A & B) of the HPIS.

Event Al occurs if either of the following fails:

1. An NC M0V. It has failure probability of 0.0096 with the contributory modes as shown in event D.

l

2. An N0 ManV. It has a failure probability of O.0002 with the contributory modes as shown in in event D.

I f The failure probability of event Al is the sum of the above.

B1 Failure of a component in the main line (containing) 0.035 l pump C) of the HPIS downstream from the borated water storage tank (BWST) isolation valve.

Event B1 occurs if any of the following fails:

1. Either of two NC MOVs. Each has a failure probability of 0.0096 with the contributory modes as shown in event D.

A.38

TABLE A.3. (continued)

CORE COOLING - HPI (continued)

Probability Event

'ymbol Description of Unavailability

2. One of three NO ManVs. Each has a failure probability of 0.0002 with the contributory modes as shown in event D.

3. Either of two CVs. Each has a failure probability for hardware failure of 0.0001.

4. HPIS pump C. Its failure probability is the sum of the following contributory modes: l hardware - 0.001 control -

0.0011 circuitry ,

lube oil -

0.01 l I

becoming

! viscous j service water -

0.001 not valved in maintenance' -

0.0021 outage test outage -

0.0019

.017 The failure probability of event B1 is the sum of the I above with a multip(le 0.0021 removed: 2 0.0096)maintenance outage probability

+ 3(0.0002) + 2(0.0001) + of 0.017 - 0.0021 = 0.035 The factors two and three account for the contributions from the multiple valves of the same type.

C1 Failure of a pump suction valve in the suction line 0.0098 (downstream from the BWST isolation valve) common to both backup pumps (A & B) of the HPIS.

The expansion of event C1 into its contributory failures  ;

is analogous to that for event A1.

CH1 Failure of logic channel 1 of the engineered safeguards 0.0050 protective system (ESPS)

Event CH1 occurs if there are single or double hardware failures in the logic channel (failure probability =

0.0029) or if there is a test or maintenance outage (failure probability = 0.0021). The failure probability of event LH1 is the sum of these.

A.39

TABLE A.3. (continued)

CORE COOLING - LPI Event Probability Symbol Description of Unavailability A Failure of BWST isolation valve 4E-4 B Failure of a pump suction valve in train B of the low pressure / containment spray injection system (LP/CSIS). 0.003 Event B occurs if either of the following fails:

1. A normally-open (NO) motor-operated valve (MOV).

Its failure probability is the sum of the following

~

contributory modes:

operator error - 0.001 plugged -

0.0001 maintenance outage - 0.0021 0.0032

2. A check valve (CV). Its failure probability is that for a hardware failure (0.0001). >

The failure probability of event B is the sum of the above.

C Failure of a pump suction valve in train A of the 0.003 LP/CSIS The expansion of event C into its contributory failure is analogous to that for event B.

CH3 Failure of logic channel 3 of the ESPS 0.005 The expansion of event CH3 into its contributory failures is analogous to that for event CH1.

CH4 Failure of logic channel 4 of the ESPS. 0.005

, D Failure of a pump discharge valve in train A of the 0.018 LP/CSIS Event D occurs if any of the following fails:

1. Either of two CVs. Each has a failure probability i for hardware failure of 0.0001.

2. Either of two NO MOVs. Each has a failure probability of 0.0M2 with the contributory modes as shown in event B.

A.40

I TABLE A.3. (continued)

CORE COOLING - LPI (continued)

Event Probability Symbol Description of Unavailability

3. A normally-closed (NC) M0V. Its failure probability is the sum of the following contributory modes:

hardware - 0.001 plugged - 0.0001 control -

0.0064 ci rcuitry maintenance - 0.0021 outage 0.0096

4. An N0 manual valve (ManV). Its failure probability is the sum of the following contributory modes:

operator error -

0.0001 plugged - 0.0001 0.0002

5. An NC ManV. Its failure probability is that for operator error (0.001).

6. A pump. Its failure probability is the sum of the following contributory modes:

hardware -

0.001 control -

0.0018 circuitry test outage -

0.0019 0.0047

7. Valves in test line A inadvertently left open. The failure probability is that for human error (0.001).

The failure probability of event D is the sum of the above.

^'0.0001) + 2(0.0032) + 0.0096 + 0.0002 + 0.001 + 0.0047 +

G. 91 = 0.023. The factors of two account for the j contributions from two CVs and two N0 MOVs. -

E Failure of a pump discharge valve in train B of the 0.018 LP/CSIS The expansion of event E into its contributory failures is analogous to that for event D.

LPISCM Common-cause failure to reclose valves in test train 0.003 i of the LP/CSIS '

A.41 1

TABLE A.3_. (continued)

CORE COOLING - LPI (continued)

Event Probability Symbol Description of Unavailability V Undetected failure of both check valves combined with 7.4E-5 opening of the NC M0V for quarterly testing, all in either train of the LPIS discharging to the core flood nozzles.

The expansion of event V into its contributory failures is somewhat complex. A recent procedural modification at Oconee no longer allows the NC M0Vs in the LPIS trains to be opened during power operation. Thus, the probability of event V has been decreased.

W Failure of the containment sump suction valve (NC MOV) 9.6E-3 in train A of the LP/CSRS.

X Failure of the containment sump suction valve (NC MOV) 9.6E-3 in train B of the LP/CSRS.

ELECTRICAL - DC POWER None ELECTRICAL - VITAL AC POWER Event Probability Symbol Description of Unavailability 8

3 Failure of both emergency AC hydroelectric generators SE-4 Event B3 occurs if any of the following occurs:

1. Both emergency hydroelectric generators fail on

, demand (each has a failure probability of 0.006).

l l 2. Either hydroelectric generator fails on demand while

} the other is down for maintenance (with probability l

of0.0058).

3. Both emergency DC batteries needed for generator startup fail (this probability is dominated by a common-cause miscalibration error and has a value of4E-4).

Thefai}ureprobabilityforeventB3 is the sum of the above:

(0.006) + 2(0.006)(0.0058) + 4E-4 = SE-4. The factor of two accounts for the contribution from both possible pairings of a generator demand failure with the other generator's maintenance outage. i A.42

)

TABLE A.3. (continued)

EMERGENCY FEEDWATER Event Probability Description of Unavailability Symbol CONST1 Failure of the emergency feedwater system (EFWS) due 2.4E-4 to primarily hardware failure-of the turbine pump train and both of the electric pump trains, or blockage of flow through both steam generator lines.

The expansion of event CONST1 into its contributory failures is somewhat complex. Double and triple maintenance contributions have been removed.

CONST2 Failure of the EFWS due to failure of both electric 6.5E-4 pump trains or blockage of flow through both steam generator lines.

The expansion of event CONST2 into its contributory failures is somewhat complex. Double and triple maintenance contributions have been removed. ,

i l MAIN FEEDWATER Event Probability Symbol Description of Unavailability Initiating event T2 M Interruption of the power conversion system. 1.0 Assumed to occur with all transients involving T1 and T2 -

M1 Interruption of the power conversion system. 0.01 Assumed to occur with all T3 transients.

SERVICE WATER Event Probability Description of Unavailability Symbol CH4 Failure of logic channel 4 of the ESPS 0.005 The expansion of event CH4 into its contributory failures is analogous to that for event CH1.

F1 Failure of a pump in train B of the low pressure 0.0014 service water system (LPSWS).

A.43

TABLE A.3. (continued)

SERVICE WATER (continued)

Event Probability Symbol Description of Unavailability s

Event F1 occurs if either of the following fails:

1. A normally-operating centrifugal pump.

2. A normally-operating vacuum pump.

The failure probability of each is that for failure to run over a 24-hr period at a failure rate of 3E-5/hr. This gives a failure probability of 7.2E-4 for each. The failure probability of event F1 is the sum of these.

4 G1 Failure of a pump in train A of the LPSWS. 0.014 Event G1 occurs if either of the following fails:

1. A normally-idle centrifugal pump.  ;

2. A normally-idle vacuum pump. '

The failure of probability of each is the sum of the i following contributory modes:

hardware - 0.001 control -

0.0018 circuitry test outage - 0.0019 maintenance - 0.0021 outage 0.0068 The failure probability of event G1 is the sum of these.

SAFETY RELIEF VALVES Event Probability Symbol Description of Unavailability Pi Pressurizer safety / relief valves demanded open 0.01 Q Failure of any pressurizer safety / relief valve to 0.05 reclose.

l A.44 L

TABLE A.3. (continued)

REACTOR TRIP - RPS Event Probability Symbol Description of Unavailability K Failure of the reactor protection system due to 2.6E-5 nrimarily test and maintenance faults (88%

contribution). l The expansion of event K into its contributory failures is somewhat complex.

RECOVERY FACTORS Event Probability Symbol Description of Unavailability LOPNRE Failure to restore offside or onsite AC power 0.2 within approximately 40 min. This power is needed to operate the high pressure injection system (HPIS).

PCSNR Failure to restore the PCS within 30 min. following 0.1 {

aT2 transient. ]

I I

i A.45

i l

i NUREG/CR-4768  !

I VOLUME 1 PNL-6032-1 DISTRIBUTION No. of No. of Copies Copies l OFFSITE OFFSITE V.S. Nuclear Regulatory Commission D. J. Campbell 1 J. G. Partlow JBF Associates, Inc. l EWS-360 1000 Technology Park Center j

(

' Knoxville, TN 37932 J R. W. Starostecki f EWW-322 J. C. Higgins l Brookhaven National Laboratory B. K. Grimes Upton, NY 11973 EWW-341 J. H. Taylor l L. Whitney Brookhaven National Laboratory 1 EWS=346 Upton, NY 11973 U.S. Nuclear Regulatory Commission A. Fresco Region 1 Brookhaven National Laboratory Upton, NY '11973 S. Collins B. Hillman M. F. Hinton W. F. Kane EG&G Idaho, Inc.

Idaho Falls, ID 83415 U.S. Nuclear Regulatory Commission Region 2 R. Wright EG&G Idaho, Inc.

M. Ernst Idaho Falls, ID 83415 A. Gibson F. Jape K. Canady A. Herdt Duke Power Co.

P.O. Box 33189 US Nuclear Regulatory Commission Charlotte, NC 28242 I ?;: %n 5 W. A. Sugnet 10 A. Toth (6) Electric Power Research Institute A.-E. Chaffee 3412 Hillview Avenue J. Crews Palo Alto, CA 94303 J. B. Martin L. Miller R. Pate Distr.1 I

i l

DISTRIBUTION No. of No. of

Copies Copies 0FFSITE ONSITE G. J. Kolb 29 Pacific Northwest Laboratory Sandia National Laboratories Albuquerque, NM 87185 W. J. Apley T. T. Claudson A. D'Angelo L. R. Cadd i.

NRC Senior Resident Inspector B. F. Gore (10)

Rancho Seco Nuclear Power Plant J. C. Huenefeld (5)

I 14440 Twin Cities Road C. H. Imhoff l Herald, CA 95638 W. J. Scott l B. D. Shipp T. V. Vo Publishing Coordination (2) i Technical Report Files (5) l i

Distr.2

bs' BIBUOGRAPHIC DATA SHEET NUREG/CR-4768 Volume 1

" ""U ' '8 k ' "' """ PNL-6032-1

! nv a .~o sue n rt 3 uin n u  ;

Methodolog and Application of Surrogate Plant PRA  !

Analysis to he Rancho Seco Power Plant . o.n m.o.pu,uno 3 womia g veia (

i .ur-o.ns, June f 1986 l

'#"""'" I B. F. Gore uomra g veaa July f 1987  :

, na.oau1~o cas.~a.1,0~ ~. . .~ .u ~c . con n ,,,,, . u C.,

.,aa,cr1.s7.v~awo..a l i

Pacific Northwest ) oratory #

PO Box 999 " 'f ' '"*"

Ri iland, WA 99352 B2K3 to SPONsoaiNG OHGANi2 AT LON N AME ANO M AluNG ORESS tracrum 4 Ceder 1 ret OF EPoaT Division of Reactor Safe ^ and Projects Region V Task Final Report U. S. Nuclear Regulatory C unission o n-w conaw -~ ~~  ;

Washington, D. C. 20555 4/86 to 6/86 12 SUPPLEMENT Aav NOTES 1

4 aaSTR ACT M@ woras rem This two-volume report presents th developmen and first application of a methodology for using generic PRA information t . identify isk-important systems and components at a plant lacking a PRA. The metho logy r ' uires the detailed analysis of both j similarities and differences between ' lat plants. It is applied in an analysis of  !

the Rancho Seco plant using informatio 1 f m PRAs for the ANO-1 and Oconee plants, j It is generic, drawing upon the functio ' and design similarities of B&W plants, yet it l incorporates considerable plant specif~ ty through the detailed comparative analysis of systems. Volume 1 presents the an ys p of the surrogate plant PRAs. Dominant cut j sets leading to core melt are identi ed a_ analyzed to determine the Fussel-Vesely  !

Importance of plant systems. In V me 2 dominant cut sets are further analyzed to ,

identify and categorize important L ystem fai , re modes. The Rancho Seco plant is then I studied to determine the plausibi ity and imp' tance of similar failure modes for: 1 High Pressure Injection, Low Pr ' sure Injectio Emergency Feedwater, Service Water, j Vital AC power and DC Power s tems. Plant-spe ific information is then presented )'

identifying Rancho Seco comp ents, power suppl 1> , and operating modes associated with the failure modes for le first four of thes systems. 3 1

A i4 DocuveNT ANatvses - naywoaos, cairrons is ava na o r, PRA, risk analysis generic PRA applications Rancho Seco, com tents important to risk -

Unlimited

i. $$CURif y C(.33#p ic.flON

<rme mai e iosN'inias'on~ enc- naMs , Unclassified

. t rn,s a.oom 17 NyM$ta Q6 PAGE$

e .

18 PAiCE

• U.S.CCW.RN% Ni W!hTINC Orrlct:19e N igt.6a2 60159

UNITED STATES speciAt rounts.ctass nAre NUCLEAR REGULATORY COMMISSION rosrace r rees rAio WASHINGTON, D.C. 20555 wNE"Ec.

PERMIT No. G 47 0FFICIAL BUSINESS PENALTY FOR PRIVATE USE,4300 H

O

-1 I

m-T' l

2 l O I

O; l v> 1 m.

O O]

m.

O:

Ei m

TI m:

bl z5 H

c

(

l t

(

[

c f

'O c

=