ML20082N092: Difference between revisions
StriderTol (talk | contribs) (StriderTol Bot insert) |
StriderTol (talk | contribs) (StriderTol Bot change) |
||
| Line 15: | Line 15: | ||
| document type = CONTRACTED REPORT - RTA,QUICK LOOK,ETC. (PERIODIC, TEXT-PROCUREMENT & CONTRACTS | | document type = CONTRACTED REPORT - RTA,QUICK LOOK,ETC. (PERIODIC, TEXT-PROCUREMENT & CONTRACTS | ||
| page count = 375 | | page count = 375 | ||
| project = | |||
| stage = Draft Other | |||
}} | }} | ||
Latest revision as of 09:04, 26 September 2022
| ML20082N092 | |
| Person / Time | |
|---|---|
| Site: | Waterford  |
| Issue date: | 06/18/1991 |
| From: | Auflick J, Haney L, Kelly D EG&G IDAHO, INC. |
| To: | NRC OFFICE OF NUCLEAR REGULATORY RESEARCH (RES) |
| Shared Package | |
| ML20082N081 | List: |
| References | |
| CON-FIN-B-5699 EGG-2650-DRFT, NUDOCS 9109060177 | |
| Download: ML20082N092 (375) | |
Text
{{#Wiki_filter:, l NUREG/CR-5745 EGG-2650 Draft
# ASSESSMENT OF ISLOCA RISKS - METHODOLOGY-AND APPLICATION: COMBUSTION ENGINEERING PLANT (DRAFT)
-4 i
D. L. Kelly i J. L. Auflick ; L. N. Haney
- i f
i i June 18, 1991 i EG&G Idaho, Inc.
- Idaho Falls, Idaho 83415 '
t 1 A Prepared for the ! Office of Nuclear Regulatory Research ! U.S. Nuclear Regulatory Commission ! Washirigton, D.C.' 20555 i Under DOE Contract No. DE-AC07-761001570 i FIN No. B5699 + i i t
)hh DbKO )O 82 p PDR ;
I . ABSTRACT Intersystem loss of coolant accidents (ISLOCAs) have been identified as in.portant contributors to offsite risk for some nuclear power plants. A methodology has been developed for identifying and evaluating plant-specific hardware designs, human factors issues, and accident consequence factors relevant to the estimation of ISLOCA core damage frequency and risk. This y report presents a detailed description of the application of this analysis methodology to a Combustion Engineering plant. 4
~9 9
ii
O EXECUTIVE
SUMMARY
Intersystem loss of coolant accidents (ISLOCAs) have been identified in some probabilistic rish assessments (PRAs) as major contributors to offsite risk at nuclear power plants (NPPs). They have the potential to result in core damage and containment bypass, which may lead to the early release of large quantities of fission products to the offsite environment. Recent events at several operating reactors have been identified as ISLOCA N precursors. These events have raised concerns over the frequency of occurrence, plausible initiators, and means of identifying and mitigating this [ potential accident. In response to these concerns, a June 7, 1989 memorandum titled " Request for Office of Nuclear Regulatory Research (RES) Support for Resolution of the ISLOCA Issue" was transmitted from Dr. Thomas E. Murley to Dr. Eric S. Beckjord. The ISLOCA research program described in this report was initiated ir response to this memorandum. The objective of the ISLOCA research program is to provide the NRC with qualitative and quantitative information on the hardware, human factors, and ! accident consequence issues that contribute to ISLOCA risk. To meet this objective, a methodology has been developed to estimate the core damage frequency and offsite consequences associated with an ISLOCA, and this methodology is being applied to individual NPPs. This report describes the 1 l l ISLOCA methodology and the results of its application to a Combustion l Engineering (CE) NPP. An eight-step methodology was developed to evaluate the SLOCA issue qualitatively and quantitatively. These steps and their relationships to one , another are shown in Figure 51. This methodology was applied to a CE plant by a team of PRA and human factors specialists. The important results, specific l to this plant, are: ' t
- 1. Human errors that could occur during startup and shutdown of the plant were not found to be significant contributors to ISLOCA core daraage frequency and risk.
iii i 1
1!
- 2. ISLOCA sequences initiated by hardware failures were the dominant contributors to core damage frequency and risk.
- 3. Isolation of the break would be an important recovery action during an ISLOCA. Refueling water storage pool (RWSP) makeup capacity is insufficient to maintain an adequate reactor coolant inventory for breaks outside the containment that are larger than
-a approximately two inches in diameter. The analysis indicates that hardware would be available to isolate these ISLOCA breaks;
, however, post-break procedures are not available to ensure that this hardware is used in all sequences.
- 4. At the time of the plant visit, a general survey was made of the interfacing system flow paths to qualitatively estimate the impact on equipment of ruptures in various locations. This survey could not verify that the emergency core cooling systems (ECCS) are adequately separated such that any postulated rupture would not affect redundant ECCS trains.
- 5. It appears that relatively simple changes to procedures and training could reduce ISLOCA risk substantially by reducing the initiator frequency and increasing the likelihood of successfully isolating an intersystem break.
- 6. The ISLOCA methodology has been successful in providing important insights on the relative contribution of both hardware faults and
, human actions to ISLOCA core damage frequency and risk.
Caution must be exercised when using these results to draw general conclusions about the ISLOCA risk at other NPPs. iv
O As_sess potential forISt.0CA Gother detailed plant specific . informotion Develop event trees Estimate Perform human rmture reliability po'.entio! analysis Quantify , event trees Evoluote consequences Perform sensitivity 000 LYSIS Figure Sl. Approach for Plant-Specific Evaluation of ISLOCA. v L
i' ACKNOWLEDGMENTS We would like to thank all of the plant personnel who assisted in the data-gathering visits, especially Neil DuBry, who was our primary liaison at the plant, Without his persistence and diligence, this analysis could not have been completed. . At the INEL, thanks are due to John Schroeder, who assisted in the l rupture probability calculations, to Craig Kullberg, who provided the core
- uncovery time estimates, and to Curtis Smith, who assisted in the sequence screening analysis and developed the simplified system flow diagrams, Special thanks go to operator examiner Mark Jones for his invaluable assistance in interpreting the plant operating procedures and developing the sequence progression. {
Bob Richards aided in programming the software used in the human ' reliability analysis. Finally, we would like to thank all the members of the ISLOCA inspection team for their aid in gathering and interpreting plant data, l d R
?
G o I vi ,
[] CONTENTS 5 ABSTRACT . ............................... 11 EXECUTIVE
SUMMARY
. . . ......................... iii ACXNOWLEDGMENTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vi ACRONYMS *
............................... x
- 1. INTRODUCTION ,............. . . ...... . ..... I ?
- 2. APPROACH .... ....... . . . . . .. .. . ..... 4 2.1 Assessment of ISLOCA Potential . . . ...... ...... 4 2.2 Gathering of Detailed Plant-Specific Information ...... 6 2.3 Development of Event Trees . . . . , ............ 7 2.4 Estimatian of Rupture Potential . . . . . . . . . . . . . . . 7 2.5 Human Reliability Analysis . . . . . ...... ...... 8 2.6 Quantification of Event Trees . . . . . . . . . . . . . . . . 14 2.7 Consequence Evaluation .......... ,.,..... 14
- 3. DESCRIPTION OF THE INTERFACING SYSTEMS . . . ...... ...... 16 3.1 Interfacing Systems ..................... 16-3.2 Potential ISLOCA Scenarios . . . . . . . . . . . . . . . . . . 22 3.2.1 SDC Suction Lines During Shutdown .......... 23 3.2.2 SDC Suction Lines During Startup . . . . . . . . . . . 23 3.2.3 LPSI Cold Leg Injection Lines to RCS . . . . . . . . . 23 3.2.4 HPSI Cold Leg Interface . . . ............ 23 3.2.5 HPSI Hot leg Interface . . . . . . . . . . . . . . . . 24 }
3.2.6 SDC Suction Lines During Normal Shutdown . . . . . . . 24
- 4. RESULTS ............................... 25 4.1 Event Trees .............,........... 26 4.1.1 Premature Entry into Shutdown Cooling - SEQ-1A .... 27 4,1,2 Shutdown Cooling System / Reactor Coolant System Intersystem LOCA During Startup - SEQ-18 . ...... 27 4.1.3 RCS To LPSI Coid Discharge - SEQ 2 . . . . . . . . . . . 28 4.1.4 RCS Cold Legs to High Pressure Safety injection *
(Header A) - SEQ-3A . . . . . . . . . . . . . . . . . . 28 4.1.5 RCS Cold Legs to HPSI (Header B) - SEQ-38 . . . . . . . 33 4.1.6 RCS Hot Legs to HPSI (Header A) - SEQ-4A ....... 33 . 4.1.7 RCS Hot Legs to HPSI (Header B) - SEQ-4B ....... 33 4.1.8 RCS to LPSI During Shutdown - SEQ-5 . . . . . . . . . . 33 4.2 Human Reliability Analysis . .. . . ............ 38 4.3 Quantification of ISLOCA Model . . . .. ......... 41 4.4 Risk Assessment . . . . ................... 43 4.5 Uncertainty and Sensitivity Study Results . . . . . . . . . . 45 4.5.1 Component Rupture Pressure Uncertainty. ........ 45 4.5.2 Auxiliary Building DF Uncertainty . .......... 46 vii 1
!l .
L I
- 5. CONCLUSION AND RECOMMENDATIONS ......... ..... ..... 58 5.1 Pl ant-Speci fic Conclusions . . . . . . . . . . . . . . . . . 58 ,
5.2 General Conclusions .......,............. 59 l
- 6. REFERENCES ....................... ..... 60 ,
r I APPENDIX A SYSTEM DESCRIPTIONS . . . . . . . . . . . . . . . . . . . . . A-1 ; APPENDIX B ISLOCA EVENT TREES . . . . . . . . . . . . . . . . . . . . . . B 1 APPENDlX C HUMAN RELIABILITY ANALYSIS ....... ....... .. C-1 ;
., APPENDIX D USE OF CONSTRAINED LOGNORMAL DISTRIBUTION IN HUMAN RELIABILITY :
ANALYSIS . . . . . . . . . . . . . . . . . . . . . . . . . . D-1 l APPENDIX E CORE UNC0VERY TIME ESTIMATES . . . . . . . . . . . . . . . E-1 ' APPENDIX F CALCULATION OF SYSTEM RUPTURE PROBABILITY .. . ... . F-1
.. APPENDlx G ISLOCA CONSEQUENCE ANALYSIS . . .. . ... . G-1 -
APPENDIX H COMPONENT FAILURE ANALYSIS . .. ....... . ..... H-1 i FIGURES Figure Sl. Approach for Plant-Specific Evaluation of ISLOCA. . . . . . . v Figure 2.1 Approach for Plant-Specific Evaluation of ISLOCA. . . . . . . 5 Figure 2.2 Example of HRA Event Tree . . . . . . . . . . . . . . . . . . 12 Figure 3.1 Flow Diagram of RCS Cold Legs to Low Pressure Safety - Injection Pump Discharge .................. 18 Figure 3.2 Flow Diagram of RCS Cold legs to High Pressure Safety ' Injection Pump Discharge ..............,... 19 - Figure 3.3 Flow Diagram of RCS Hot legs to High Pressure Safety Injection Pump Discharge .................. 20 Figure 3.4 Flow Diagram of RCS Hot Legs to the RWSP via the LPSI System ........................... 21 l Figure 4.1 SDC System ISLOCA During Startup (SEQ-1B) . . . . . . . . . . 30 Figure 4.2 Event Tree for LPSI Cold Leg Discharge to RCS (SEQ-2) . . .. 31 Figure 4.3 Event Tree for HPSI Header A Cold le 3A) . . . . . . . . . . . . . . . . g Discharge to RCS (SEQ-
............. 32 -
Figure 4.4 Event Tree for HPSI Header B Discharge to RCS Cold Legs (SEQ-38) ..... ................. .. 34 Figure 4.5 Event Tree for HPEI Header A Discharge to RCS Hot Legs (SEQ- ' 4A) . . . . . . . .... . ........ ...... 35 , figure 4.6 Event Tree for HPSI Header B Dischar
- 48) . . . . . . . . . . . . . . . . ge to RCS Hot legs (SEQ-
............. 36 ,
Figure 4.7 Event Tree for RCS to LPSI During Shutdown (SEQ-5) .... . 37 : Figure 4.8 Mean Early fatality Consequence Results as a Function of !
. Decontamination Factor for the Dry ISLOCA Sequences. .... 49 Figure 4.9 Mean Latent Fatality Consequence Results as a function of r i
Decontamination Factor for the Dry ISLOCA Sequences. .... 50 Figure 4.10 Mean 50-Mile Population Dose Consequence Results as a Function of Decontamination factor for the Dry ISLOCA Sequences. ............ .. .......... 51 Figure 4.11 Mean Early Fatality Consequence Results as a Function of ; Decontamination Factor for the Wet ISLOCA Sequences (all ' t release elevations are 0.0 m). ...... ..... . 52 i viii - l
O Figure 4.12 Mean Latent Fatality Consequence Results as a function of Decontamination Factor for the Wet ISLOCA Sequences (all release elevations are 0.0 m). . . . . . .' . . . . . . . . 53 Figure 4.13 Mean 50-Mile Population Dose Consequence nesults as a ,, function of Decontamination Factor for the Wet ISLOCA Sequences (all release elevations - 0.0 m). . . . . . . . . . 54 Figure 4.14 Comparison of Dry and Wet ISLOCA sequence Mean Early fatality Consequence Results as a function of Decontamination Factor (release elevation - 10.0 m for DFs of 50.0 and 100.0, otherwise elevation - 0.0 m). . . . . . . 55 Figure 4.15 Comparison of Dry ar.d Wet ISLOCA Sequence Mean Latent f atality Consequence Results as a Function of Decontamination f actor (release elevation 10.0 m for DFs - of 50.0 and 100.0, otherwise elevation 0.0 m). . . . . . . 56 , Figure 4.16 Comparison of Dry and Wet ISLOCA Sequence Mean 50-Mile Population Dose Consequences as a function of DF (release elevation - 10.0 m for DFs of 50.0 and 100.0, otherwise elevation - 0.0 m). . . . . . . . . . . . . . . . . . . . . . 57 TABLES Table 3.1 List of Potential ISLOCA Scenarios . . . . . . . . . . . . . 22 - Table 4.1 Estimated Mean HEPs for Sequence 2 . . . . . . . . . , . . . 40 Table 4.2 Estimated Mean HEPs for Sequence 5 . . . . . . . . . . . . . 40 Table 4.3 ISLOCA Core Damage Frequency (per reactor-year) . . . . . . 43 Table 4.4 Base Case ISLOCA Consequences Conditional Upon Severe Core Damage ..... ................ . . . . . . 44 Table 4.5 Base Case ISLOCA Risk (per reactor-year) . . . . . . . . . . 45 Table 4.6 Distribution of DF for the base case analysis of the wet ISLOCA sequences as specified in the SEQSOR input . . . . . . 47 ] Table 4.7 Mean MACCS Consequence Results for Each Dry ISLOCA Sequence Sensitivity. .... ........., ........ 47 Table 4.8 Mean MACCS Consequence Results for Each Wet ISLOCA Sequence Sensitivity. . . ..... . . . . .. . . . . . . . . . . . 48 e ix L
I , ACRONYMS , ACI Auto closure interlJck AFW Auxiliary feedwater ARP Annunciator response procedure B&W Babcock and Wilcox ; BNL Brookhaven National Laboratory ' CVCS Chemical and volume control system CDF Core damage frequency CE Combustion Engineering i CRS Control room supervisor Decontamination factor DF DHR Decay heat removal i ECCS Emergency core cooling sys; ems
~, EPRI Electric Power Research Institute GLP Gross leak pressure HCR Human cognitive reliability HEP Human error probability ;
HOV Hydraulically operated valve . HRA Human reliability analysis , INEL Idaho National Engineering Laboratory ISLOCA Intersystem loss of coolant accident IST In-service _ testing LER Licensee Event Report : L LOCA Loss of coolant accident i MAAP Modular Accident Analysis Program MACCS MELCOR Accident Consequence Code System ' MOV Motor-operated valve NPP Nuclear power plant NRC Nuclear Regulatory Commission NSSS Nuclear steam supply system P&ID Piping and instrumentation diagram ' PIV Pressure isolation valve PRA Probabilistic risk assessment PSF Performance shaping factor PWR Pressurized water reactor ' RCS Reactor coolant system R0 Reactor operator - F.PV Reactor pressure vessel RWSP Refueling water storage pool SDC Shutdown cooling SHARP Systematic Human Action Reliability Procedure SI Safety injection ; i SIT Safety injeqtion tank (accumulator) TALENT Task Analysis-Linked Evaluation Technique THERP The Handbook of Human Reliability Analysis with Emphasis on i i Nuclear Power Plant Applications X l t i i
. O ASSESS' TENT Of ISLOCA RISKS - METHODOLOGY AND APPLICATION: COMBUSTION ENGINEERING PLANT
- 1. INTRODUCTION The Reactor Safety Study, WASH-1400 [1], identified a class of accidents ,
that can result in overpressurization and rupture of systems that interface with the reactor coolant system (RCS). These events were postulated to be - caused by failure of the check valves and motor-operated valves (MOVs) ~~ normally used for system isolation. In a subset of these interfacing system loss of coolant. accidents (ISLOCAs), called V-sequences or event V, the system rupture occurred outside of the containment building. In casas where the rupture led to severe core damage, ISLOCAs were found to be significant contributors to risk, because fission products released from the RCS bypassed the containment and were discharged directly to the environment. Subsequent probabilistic risk assessments (PRAs), including the NUREG-ll50 [2] results for Surry and Sequoyah, have identified ISLOCAs as important contributors to public health risk. Researchers at Brookhaven National Laboratory (BNL) have evaluated the vulnerability of several reactor designs to an ISLOCA and identified improvements that could reduce ISLOCA frequency [3,4]. I Recent events at several operating reactors have been identified as precursors to an ISLOCA. These events have raised concerns over the frequency of occurrence, potential initiators, and means of identifying and mitigating this potential accident. In response to these concerns, a June 7, 1989 memorandum titled " Request for Office of Nuclear Regulatory Research (RCS) Support for Resolution of the ISLOCA Issue" was transmitted from Dr. Thomas E. Murley to Dr. Eric S. Beckjord. The ISLOCA research program described in th' . report was initiated in response to this memorandum. The objective of the ISLOCA research program is to provide the NRC with qualitative and quantitative information on tne hardware, human factors, and accident consequence issues that contribute to ISLOCA risk. This information 1 L
!I is to be used in: -
Developing .a l'RA framework for evaluating the ISLOCA issue and identifying insights with respect to the risk contribution from both hardware and human factors, along with recommendations for reducing the ISLOCA risk. [ Highlighting the effects of specific types of human errors and their root causes on ISLOCA risk, along with recommendations for i risk reduction. ' Evaluating the fragility of low pressure systems exposed to high [ pressure, high temperature reactor coolant. This evaluation will include identification of likely failure locations and failure probabilities,
,ldentifying and describing potential ISl0CA sequences with respect !
to timing, possible accident management strategies, and effects on , other plant equipment and systems. Estimating the fission product source terms and offsite consequences for postulated ISLO',As. Again, important issues will be identified and recommendations wil' be made on possible consequence reduction actions, f To meet the above program objectives, a methodology has been developed , to estimate the ISLOCA core damage frequency and offsite risk, and this _i; methodology is being applied to a limited sample of NPPs of different design. This report describes the_ISLOCA methodology and documents the results from ,
. its application to a CE plant. These results tend to emphasize the effect of ;
hardware failures and human actions on the ISLOCA core damage frequency. The offsite risk measures are considered to be most useful in comparing results ! from the sensitivity studies. Major uncertainties in this estimate are also ! identified. p 2 i , i [ F
0' l Section 2 of this report describes the methodology developed to evaluate , ISLOCAs, the approach taken for its application to a specific plant, and a description of the plant systems that were identified as potantial 'SLOCA flow ,, paths. Section 3 describes the interfacing systems and the possible ISLOCA scenarios. Section 4 describes the plant-specific results and Section 5 contains the cc,nclusions and recomendations from this assessment. Appendices are used to document the details of the separate analyses. 9 6 4 h 9 e 1 ) f 3 L
l l
- 2. APPROACH The general approach that is being used to evaluate ISLOCA risk and 4
plant vulnerabilities to ISLOCA is to perform a detailed analysis for a small but diverse' sample of plants and, to the extent possible, extrapolate and j generalize these results for additional plants. A detailed plant analysis ! methodology was developed to meet the program objectives discussed in the !
. previous section. The steps in this individual plant methodology are f
illustrated in figure 2.1. Subsections 2.1 through 2.7 briefly discuss each j of these steps. Before beginning the individual plant evaluations, hi e tal plant ! operating information was reviewed to provide insights on potentia? ISLOCA {
. issues. The major emphasis of this eva',Jation was identification and
[ evaluation of Licensee Event Reports (LERs) that (a) involved valve failures ! resulting from either hardware failures or human errors, or (b) inoicated that an ISLOCA had occurred. The results from this search provided information on the causes and frequencies of valve failures and provided important insights f on the systems involved and the potential causes of those ISLOCAs that have , occurred. This information was used during the plant visits to aid in { identifying systems to be reviewed, during the development of the event trees, and in quantifying the failure rates of sou interfacing system valves. jt Appendix A to NUREG/CR 5604 [5] summarizes the results of this evaluation. ! 2.1 Assessment of 15t.0CA Potential L s The first step in the individual plant evaluation approach is a preliminary assessment of the potential for an ISLOCA to occur. Plant- , specific information on the systems that could be involved in an ISLOCA is ! obtained during a short data-gathering visit to the plant. Detailed information is obtained on tha nardware and operation of a range of low and [ high pressure interfacing systems. Examples of information collected include: l plant procedures, piping and instrumentation diagrams (P&lDs), isometric j drawings, and training manuals. This formation is then reviewed by a team f of PRA and human factors specialists to familiarize them with the systems and ; 4 l
~ ~ . . . _ _ , . _ _ . _ _ _ _ _ . , _ _ _ _ . . _ . . _ _ _ . . _ _ _ _ _ _ _ _ _ _ . _ _ _ _ . .
0 Assess Potential for ISt.0CA - Gother deldiled plant specific , information Develop ' event trees Estimate Perform human . rtoture reliability po.ential anoysis Ouontify event trees 1 Evoluote consequences Perform - sensitivity anohsis figure 2.1 Approach for Plant-Specific Evaluation of ISLOCA. 5 L
II operations that have the potential to initiate, prevent, or mitigate an ISLOCA. All systems that interface with the RCS are identified during this-preliminary assessment. A determination is then made of the maximum interfacing system break size that would not be expected to result in core damage. The systems are screened to identify those with interfacing pipe sizes larger than this maximum value with the potential to bypass containment. The systems that meet this screening criterion are analyzed further to
. identify specific ISLOCA initiators and scenarios. The identified scenarios are developed in sufficient detail to guide the team in obtaining detailed information during a subsequent extended plant visit.
2.2 Gatherin( of Detailed Plant Specific Information An extended visit to the plant allowed the team to gather the information needed to complete the review, development, and assessment of the candidate ISLOCA scenarios. Members of the team that developed the_ candidate scenarios.obtain this information by interviewing plant personnel and walking down the systems of interest. The inspection team members proved to be a valuable source of information and insight in this study. This task was performed in conjunction wit.h an ISLOCA inspection conducted by the NRC Office of Nuclear Reacter Regulation. The types of information that are obtained during this visit include: a. Detailed information on the hardware that would be involved in an ISLOCA. For example, data were collected on: control valves, relief valves, piping, flanges, pumps, and heat exchangers.
- b. Detailed information on the procedures and guidelines followed by plant personnel during startup, normal power operation, and i , shutdown of the plant, as well as detailed information on
, maintenance and in-service testing practices, i
- c. Detailed information on factors that could influence performance of plant personnel as related to initiation, detection, diagnosis, prevention, or mitigation of an ISLOCA.
6 l
O 2.3 Development of Event Trees After the plant specific information is collected, the final list of low pressure interfaces and scenarios is generated and the detailed accident ; sequence analysis is begun. This analysis is a joint effort of the PRA and l human factors specialists. The sequences are modeled using (primarily) component level event trees that combine the hardware faults and the human errors that constitute each sequence. Generally the event trees comprise - three phases:
- 1. The initiating events, which are those combinations of failures, -
both hardware and human related, that result in a failure of the RCS pressure isolation boundary and expose the low pressure ; interfacing system to the RCS.
- 2. The rupture events, which model a break in the interfacing system, .
its size, and location.
- 3. The post rupture events, which model the perfonnance of the control room and auxiliary operators in recovering from or mitigating the consequences of an ISLOCA.
1 2.4 Estimation of Rupture Potential it is important to realistically assess the performance of those components designed for low pressure conditions that are exposed to the beyond-design pressures associated with an ISLOCA. The basic approach for , performing this assessment is:
- a. The failure probability of each piece of equipment in the
- interfacing system is described by a lognormal distribution with a specified median failure pressure and logarithmic standard deviation.
- b. Thermal-hydraulic response of the systems is simulated, if 7
L
. . . . . . . - = _ - - . . _ _ _ _ - - - - _ . - - - . - -
necessary, to estimate the pressure distribution in the system I based on the expected initiating event, initial primary system ! conditiuns, and the expected performance of relief valves designed to protect the systems from overpressurization. '
- c. The failure pressure of each component is compared with the !
calculated pressure at that point in the syst'em to estimte the { component failure probability (see Appendix F for details). i i
- d. The individual component failure probabilities are combined to '
give an estimate of the system rupture probability. The component and piping failure pressures and distributions used in the rupture calculations were developed from an independent structural analysis l performed by Impell Corporation (see Apper. dix H). Not only were failure f pressures calculated, but likely leak rates and leak areas, also. In this respect, flanges are somewhat unique in that there are actually two failure [ pressures of interest. First, there is the estimated gross leak pressure [ (GLP) at which a measurable leak area develops. At lower pressures, leakage ! is possible but only at very small rates (measured in mg/sec) caused by l seepage around the flange gasket. Once the GLP is exceeded, the flange bolts begin to stretch (elastic deformation) and the flange surfaces begin to I separate. At some yet higher pressure (P,), the bolts begin to undergo plastic deformation. At this point, large leak areas begin to develop with correspondingly large leak rates. These three regimes (below GLP, between GLP ; and P,, and greater than P,), are associated with three leak sizes, respectively: spray leaks, small leaks, and large leaks. : s t 2.5 Human Reliability Analysis f
- l Human reliability analysis (HRA) was used to model the predominant human e errors for each scenario in the ISLOCA PRA that had a screening core damage '
frequency > 10 e/y. HRA is a methodological tool which involves the t quantitative analysis, prediction, and evaluation of work-oriented human [ performance. HRA can be used to determine which factors in ti.e system lead to {
?
O less than optimal human performance. As a diagnostic tool, HRA can estimate the error rate anticipated for individual tasks and can determine where errors are likely to be most frequent. The general methodological framework for the ISLOCA HRA was devised using guidelines (under development) from the NRC-sponsored Task Analysis-Linked Evaluation Technique (TALENT) Program [t), which recommends task analyses, time line analyses, and interface analyses as appropriate techniques for use in a detailed HRA. NUREG/CR-1278, the Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications (THERP) [8), [ recommends similar techniques and provides a data base that can be used to generate human error probabilities (HEPs). Finally, the ISLOCA HRA integrated the steps from the Systematic Human Action Reliability Procedure (SHARP) [9), and A Guide for General Principles of Human Action Reliability Analysis for Nuclear Power Generation Stations (the draft IEEE standard P1082/D7 (10]). This combination of approaches resulted in 11 basic steps to be followed in performing the CE plant HRA. The first three steps of the SHARP method and IEEE P1082 have already been discussed earlier in this report so they will not be repeated here (see Appendix C for details). The remaining seven steps include the following: ,, A
- 4. Build the initial plant model (model systems and interactions)
(IEEE P1082).
- 5. Identify and screen specific human actions that are significant contributors to the safety and operation of the plant. This was ,
accomplished through detailed task analyses, time line analyses, observations of operator gerform,nce, and evaluations of the human-machine interface (SARP dd IEEE P1082). 4
- 6. Develop a detailed description of the important human interactions and associated key factors necessary to make the plant model complete. This should include the key failure modes, identification of errors of omission / commission, and review of 9 .
L
i! relevant performance shaping factors (SHARP) (IEEE P1082),
- 7. Select and apply the appropriate HRA techniques for modeling the important human actions (SHARP).
- 8. Evaluate the impact of significant human actions identified in Step 6 (SHARP).
- 9. Calculate probabilities for the various human actions and
~ interactions, determine sensitivities, and establish uncertainty ranges (SHARP and IEEE P1082).
- 10. Review results for completeness and relevance (IEEE P1082).
- 11. Document all information necessary to provide an audit trail and to make the information understandable (SHARP).
Because most of the human actions in this HRA involved the use of various written normal, abnormal, and emergency operating procedures THERP-type HRA event trees (8) were used to model most of the human actions in the detailed analyses. However, not all ISLOCA scenarios were best represented by these THERP event trees. In that case, an HRA fault tree was used in conjunction with the typical THERP event trees. Detailed analyses were conducted using the fault trees and THERP event trees to estimate the probability of human error for each of the dominant human actions. These event trees traditionally model human performance through the use of a diagram like that shown in figure 2.2, with operator error generally placed along the descending right br:nches of the event tree, and successful . operator actions sequenced on the left side of the tree. For example, on the top lef t, Event "a" R0 (Reactor Operator) Detects Decreasing Pressurizer (PZR) Level and Pressure, is the success path, failure to accomplish this task is modeled as Event "A" R0 Fails to Detect Decreasing Pressurizer (PZR) Level and Pressure. When a second operator, or group of operators, is involved, such as in Event "B" - Control Room falls to Detect PZR Hi-Lo Alarm, 10
O the action of this second operator may be modeled in a recovery branch, as shown in Figure 2.2. Event "b" models how the control room also has an opportunity to detect the pressurizer Hi lo alarm, i f the control room does , detect the alarm, this becomes a recovery action because it would bring the model back to the success path (via the dotted lines in Figure 2.2), Individual error branches on each of the HRA event trees (see Appendix C for details) were quantified using techniques from THERP and HCR (Human Cognitive Reliability, see [11]). Specific human actions were assigned an , estimate of a basic, or unmodified HEP. These basic HEP estimates were then - revised using performance shaping factors (PSfs) to realistically describe the work process at the plant. Each PSF was either positive or negative and, accordingly, either decreased or increased the likelihood of a given human error, for example, an analog meter, like a pressure gauge, which does not i have easily seen limit marks, may be judged to have a negative PSF and there would be a higher probability for human error in reading the gauge.
- Individual PSFs were derived from the task analyses, time line analyses, evaluation of the human-machine interface, and direct observations of operator performance. They are presented as part of the ISLOCA Inspection Report [12].
]
Specific PSFs which were investigated include: 1- the quality of the human-machine interface; 2- written procedures (emergency, abnormal, maintenance, etc.); 4 3- P&lDs; 4- response times for systems and personnel; , 5- communication requirements; 6- whether the operator action: were skill , rule , or knowledge-based;
- . 7- crew experience; 8- levels of operator stress in different scenarios; 9- feedback from the systems in the plant; 10 - task dependence and operator dependence; 11 - location of the task (control room, auxiliary building, 11
]
.L , , , , . . - - - , -- w --
m --,,m - ,_._,7. . . , - - - - - -. ,e
.->_u_.~.wa~-a. u ~~.nww.-n---a- < - . - - ~ . - - + . . . . ~ - . - - ~ ~ -
h 1I i f I h F b f 4 e k~ e t I
- s. I
;{; -# "O 2 --
m e-
- a. ( %-
G, b k0-t gr
-e-S' .s
- d o {
2 e - -T , e h & k OO A' t
%4
~,
I L d ? s % b( _' '.'c b i s
. r an
- e e 4
f (
' A'
~/ '%
/
*A
-{. & / }
2 / .N 3
, .n /
eeN t-04.. 4 6 # 3
, / - -
4 _' fs(' A4 w
- c. .
-/,/r [k k
.A
- e O
( u
- O C
+9 a '1, D,
~
, w %. 'J C +
s .. ., g,. n . l
*1 }1 {. c3
- , e. s . 2 y. t r3 5
.t3 ,h
- a. .
gy oe
,3
~
43 N~a s o e. ~q o
$s V i; w
v d! v o s tvm #
- ;g
;i{# y
, - 1 g 2 i,
>; y ,- .
~
os c
+ s
. e- . /
4 # st ay s,
-x
@ 4 w y \;<
u, -
~3 eau 4
g: .- v c, m a - c- u' {.. o c w f s 'e y
~
w 'Ns i\
$0 7 ,i - -
1 g C A: I N + S i ij r N. ! Si
.n 4
N i
. n.l
- u. , &a, y e +
. e L t , o O- .;
- i.
-> 0 ,
ry - t GP f. 6") ' m. If) tR - %' Figure 2.2 Example of-HRA [. vent Tree
. 12
O etc.); 12 - training for individual operator actions including those required in ISLOCA situations. . finally, all possible failure paths (i.e., sequences that included either single or multiple human errors leading to a failure o;f the action modeled by the HRA tree) were identified and used to estimate the total failure probability for the action modeled in the HRA tree, in accordance with the THERP guidelines. As depicted by figure 2.2, each human error event tree , may have several unique error paths. For example, event "A", event "B", and event "C", constitute an error path in which the R0 fails to detect decreasing PlR level and pressure, followed by individual failures of the control room to detect two PZR level alarms, in a similar manner, failure path "A-b D E" models a sequence where the RO fails to detect decreasing PZR level and pressure, then recovers (e.g., the control room detects the PZR Hi Lo alarm) from this first failure (event "b"), only to have both the CRS and SS fail to
- enter OP-901-046. Probabilities for each unique error path were calculated by multiplying each HEP on a given error path by other HEPs on the same path.
For example, the error rate for path "A B -C" would be calculated by multiplying the HEP of failure "A" by that for failure "B" and then by the HEP for failure "C", resulting in a nominal HEP for that specific path. Other
]
error paths for this event tree include "A-B-c D-E" and "a D-E." The individual error path failure probabilities were then summed to give the total event tree failure probability. Comprehensive details of this process are provided in Appendix C for each event, and the results are summarized in Section 4.2. A detailed HRA analysis was conducted for each of the significant scenarios identified in the ISLOCA PRA. Tables 4.1 and 4.2 (see Section 4.2 below or Appendix C for details) summarize the results of these analyses. These tables provide the identifier and description for each significant human error, as well as both nominal and mean HEPs. Nominal HEPs in these tables are assumed to be median point estimates from a lognormal distribution (using guidelines from THERP), while mean values are mean HEPs from a lognormal distribution, which were derived using the following formula: l . 13 l l 1
1 il i Mean HEP = exp (p + " ) ; Where A = the Median HEP, : p = Ink,
, , In (Error Factor) ,
1.645 e 1 The conversions to mean values were carried out as a result of ; mathematical concerns where median values from a lognormal distribution should ; not be multiplied by mean values in estimating the mean core damage frequency, i a process which has been followed in some past HRAs. ! 2.6 Quantification of Event Trees , i The top _ events on the ISLOCA accident sequence event trees are I quantified by separate calculations that generate the conditional ' probabilities of occurrence of each event for each path through the tree. The ! means of obtaining the rupture event probabilities and the probabilities , relating to failure of plant personnel have already been discussed. Hardware j failure probabilities were developed using the data base documented in i Appendix B of [5). The ISLOCA event trees were constructed using the ETA-Il ' personal computer code (13). l
- 2.7 Consequence Evaluation !
The ISLOCA core damage frequencies are multiplied by the corresponding consequences (conditional on the occurrence of core damage) calculated using . the MACCS code [14] to obtain the ISLOCA annual risk estimates. The ; conditional consequences were generated with MACCS using a hybrid input deck. I The fission product source terms were obtained from the SE0SOR parametric ' source term generation code (15). The source terms generated are the ones . L 14 : i l P i E
_ _ - - - . . . - . -._ _ . - - - __ _-_ .. - .. - ._~ .-.. _ .- . ~ _ - - _ _ _ _ - - . _ _ _ _ _ O identified with the containment bypass V-sequence in NUREG-ll50 [2]. The site information was taken from the Surry MACCS input deck used in the NUREG ll50 program. The Surry site was chosen by reviewing the Sandia Siting Study [16) and calculating an average site based on weather weighted population density.
- This average population density was then compared to the five NUREG ll50 sites and Surry was chosen because it most closely matched the calculated average population density. Further details of the consequence calculations can be found in Appendix G. -
O 15 L
il
- 3. DESCRIPTION OF THE INTERFACING SYSTEMS lhe unit analyzed is a 3390 MWt pressurized water reactor (PWR), with a two by-four loop (two hot legs and four cold legs) CE NSSS. It is equipped with a large, dry, atmospheric-pressure containment and a separate reactor auxiliary building and turbine building. An overview of the interfacing systems is presented in the following section. For more details on the interfacing systims, see Appendix A.
3.1 Interfacing Systems All interfacing systems were screened to identify those systems that required further evaluation. The first criterion used in screening was that any system with an interfacing pipe diameter larger than one inch shoulJ be evaluated. The one-inch pipe size was selected based on an estimation of the discharge from a one-inch high pressure pipe break, which was about 200 gpm. A 200-gpm leak rate outside of the containment is considered to be critical based on: the capacity of the RWSP (minimum Technical Specification volume of 443,000 gal), the capacity of the three charging pumps (132 gpm), and the normal makeup rate to the RWSP (-150 gpm). Based on these considerations and the number of hours it would take for the plant to achieve cold shutdown (conservatively assumed to be about 10 hours), leak rates of 200 gpm or less were judged not to be risk significant. The second criterion was that systems j whose low pressure portions were isolated from reactor pressure by three or ( more normally closed valves or periodically leak-tested check valves in series : would not be analyzed, The basis for screening out such systems is the low 5 expected frequency of occurrence of failure of the pressure isolation l boundary. ; The initial screening resulted in the selection of the safety injection ! (SI) system for further analysis, including the high and low pressure safety j injection pumps and the shutdown cooling (SDC) lines. Figures 3.1 through 3.5 show simplified flow diagrams of the Si system hardware configuration. Additional details on these systems are provided in Appendix A. The SI system ; interface comprises 12 separate reactor pressure vessel (RPV) injection lines, l 16 l
?-->s--- ,s, y a+- - - + , v w- w-- -a
O' eight high prassure and four low pressurt Starting from the RPV, each injection line contains two check valves in series, a normally closed motor-operated flow control valve, and the $1 pump discharge check valve. The SDC e interface consists of four low pressure injection lines to each of the RCS cold legs, two high pressure recirculation lines to the RCS hot legs, and two suction lines from the RCS hot legs used for shutdown cooling. ;, i 9 i
*i P
t 6 17 . t I
li P 650 ps9 24B5 P5'9
=
.s.
- me =cs n
o { j- Q 3A S1 14 ] A $8-))fA
~~
LPSI Pump A . w;gpgg u
?N W DW si- 13aA SI- i22A Si- 124 A S3- 129A Si- 140A S1-3360 y_
\d '-
b
$1- 139B SI-1430 si-33%
LPsj pm 8 51-1228 51-1240 SI- 1290 Wm :~% g w e U N x %- S1-1380 51-1408 A j' 51-3350 ; IN , ,o I out side es.oe Conto,nment Cont oinment Figure 3.1 flow Diagram of RCS Cold Lega to low Pressure Safety injection i Pump Discharge 18
0: l r 1 I-H
'f
- c. : ~s +
..u . - l I N I f ***
Ov N -t< ww wr=
=
r 4s g., . S. .a.-. l Q,
****,a l
******* w22M F
v m t e. 9 sna . - . - . , W H v-a.: N---tv-s-rw 5 uw o l Dv N - i . s.m.* ; = N- - -t N - - ; l w244 9 1%a w?? e a : To RCS *
"--' H .
Iwree t *. Cold Le9 9 221e N
- s. ,.. s.u A .
G men--c< wm 81-. 9-n o
. . ,, n a
i wy _. tsp j;
. m. ,
H : 5 -24 : p sw I 9-274 w mw. a :
.___ w .
-~
2:::: ! --
= . i.,s ..,
i I l Figure 3,2 Flow Diagram of RCS Cold Legs to High Pressure Safety
- Injection Pump Discharge t-19 I
t l ! t I t L I L 1 i, h f t b t O-tP4 N [
.. m .... l =.N ... ,
. 01 to Res i,.m Loop 1 f i
. i n$. wt.,.
___A<. s,. ;
\ u.
G .
.N, ,,---N in
=
,N, .FS b,-A.. .;
t
= .m -t 3p - ***
W-- 6
,g stu l espp ,.n ,a u t -- v o ,
J G N i s.wus
' =e - - e_._ A _
,, M. . To RCS I
i, 1r Cold L.eg n,- 2 =
. o. .
n w..tw_ _
. l
_ w_ . 4
- y ',E, &.M, u.. l,
.42,.
.x , .. .. ;
a, no m ww m 4., ,- im m - E*[,,[ I t wu i
* -- ~ *
- 0[ [o*ofk
,.. m .... .
... f
=O ' N j .N =N i
}
. = =
l
-= 2, ,
y
'i t
f I l figure 3.3 Flow diagram of RCS Hot legs to High Pressure Safety injection { Pump Discharge i r 20 ; t i- I t n
?
r [
., , . . _ . . _ , . , _ . , . . , _ . . , - , - _ , _ _ _ _ , _ _ . . . _ _ . . . . _ , _ _ - - . . _ , _ . . ~ . - _ _ _ _ . _ . , _ - , . _ _ _ . , . . _ , . _ . . . . . . -
Q Reactor Vessel s A RCL Hot Loop i RCL Hot Loop 2
= =
v d SI-400 d SI-40 % 23*o 993 1 I SI-4058 SI-405A 440 psi; n 3 % SI-4068 % SI-406A
..... ho.w. c.entenment j SI-4078 d SI-407A G~ "
G-SI-4 OB SI-4 CA 1 [ SI-088 [ SI-CaA l
'40 Paa "
/ SI-07e /SI-07%
20 Pas v
}
/. SI- 078 ./ SI-07A L .
Refue6ng water , Storage PM 1
, r. ,
i figu_re 3,4 . flow Diagram of RCS Hot Legs to the RWSP via the LPSI System (
- j. . 21 i-
.b l; '
u.. _.,.;__ __ _ __=_ _=_ _._ _.___--- -..----_ - - -
gr 3.2 Potential ISLOCA Scenarios Potential scenarios were developed by examining the system interfaces and plant operational information. A team of PRA and human factors specialists was involved in the scenario devclopment. In some cases (e.g., the SI system injection lines), the sequences are hardware-drivent that is, the ISLOCA potential is a function of the hardware failure rates of the . pressure isolation boundary valves. In other cases, (e.g., the SDC suction lines), human errors can initiate an ISLOCA. Table 3.1 summarizes the ISLOCA scenarios identified.
- Table 3.1 List of Potential ISLOCA Scenarios interface- Description Notes SDC suction lines failure to close Two scenarios valves during startup investigated: one or premature opening startup and one during shutdown shutdown (SEQs-1A and IB)
LPSI cold leg failure of two check initiated by hardware injection lines valves with stroke- failures in testing of normally conjunction with MOV closed MOV stroke testing (SEQ-2) HPSI cold leg failure of two Only hardware failures interface pressure isolation considered (SEQs 3A check valves and and 3B) stroke test of ' normally closed MOV, plus failure of safety injection pump discharge check valve HPSI hot leg interface failure of two Only hardware failures pressure isolation considered (SEQs 4A check valves and and 48) stroke test of normally closed MOV. plus failure of safety 22
[] ' injection pump discharge check valve 1 SDC suction lines failure of two check Sequence initiated , valves during normal shutdown ! (SEQ 5) ; 3.2.1 SDC Suction Lines During Shutdown 'i Ouring the plant shutdown process, the operators will open motor- . operated valves (MOVs) 51-401 and 51 407 and hydraulically operated valve (H0V) S1 405 to allow for the removal of decay heat. Sequence 1A investigates the likelihood that the valves (which will be opened by the operators) are opened prematurely, that is, at an RCS pressure greater than the procedural l limit of 396 psig. 3.2.2 SDC Suction Lines During Startup Sequence IB is similar to Sequence 1 A, except that the plant is undergoing a startup. Thus, failure to close MOVs SI-401 and HOVs SI-405 is modeled, as opposed to Sequence lA where the failure mode for valves 51-401
)
and 51-405 was premature opening. 3.2.3 LPSI Cold Leg injection Lines to RCS I Through the normal reactor operating year, MOVs SI-138 (A/B) and S1-139 (A/B) are stroke-tested quarterly. Thus, the accident sequence for the LPSI , pump discharge is based upon the fact that the MOVs will be opened once each quarter.
+!
3.2.4 HPSI Cold Leg Interface l These scenarios are similar to Sequence 2. Once each quarter, MOVs SI- !
- 225 through 51-228 (A/B) are stroke-tested while the plant is operating at '
l 23 l ,L a
l normal power. Thus, the accident sequence path for the high pressure safety injection (HPSI) pump cold leg discharge is based upon the fact that the MOVs will be opened once each quarter. Note that Sequence 3B is similar to ' Sequence 3A, but there is one less check valve to protect the low pressure portions of the SI system. 3.2.5 HPSI Hot Leg Interface Once every quarter MOVs SI-502A and SI-506A are stroke tested. Therefore, sequence 4A is based on the opening of MOV SI-502A, Since valve e 51-502A is opened and closed before valve 51 506A is opened, the opening of SI-502A is defined as the initiating event for the sequence. Once again, the assumption of no prior knowledge of the condition of the system is used. Sequence 4B is similar to Scquence 4A except that check valve 51-216 is missing from piping header B. 3.2.6 SDC Suction Lines During Normal Shutdown When the CE plant enters the shutdown mode, the operators rely on check valves S1-108 and 51-1071 closing when the RCS pressure exceeds the interfacing system design pressure. Thus, Sequence 5 is based upon failure of the two check valves, k, t r i 9 24
... j E
- 4. RESULTS Because of the unique nature of the ISLOCA sequence, a detailed understanding of the capabilities of the platt hardware and personnel is needed to accurately analyze the ISLOCA challenge. for this report, an ISLOCA is considered to involve a loss of reactor coolant outside containment. Since the supply of water available for makeup to the RCS is essentially limited to the available inventory in the RWSP, a high priority item for the control room
- operators should be to isolate the break expeditiously and terminate the loss of reactor coolant. If the break were isolated in a timely manner and the ,
loss of RCS inventory terminated, the plant could be cooled down safely using the auxiliary feedwater (AfW) system (secondary cooldown) or SDC (primary cooldown). Before discussing the detailed results, some general comments can be made that are applicable to all the postulated ISLOCA scenario'.. O During the course of the plant visit, particular attention was paid to the issue of local environmental effects resulting from ruptures in the interfacing systems. At the time of the plant visit, the probabilistic system rupture calculations had not been completed, so a general survey was made of the interfacing system flow paths to qualitatively estimate the impact of ruptures on equipment in various locations. This survey included walkdowns of the ECCS systems to 1 examine likely break locations, for example, the assumption was made for this analysis that all equipment in the compartment where a break occurs will be rendered unavailable for use in isolating / mitigating the ISLOCA. Therefore, equipment in compartments judged to be candidate locations for an ISLOCA break was inventoried. This survey could not verify that the emergency core cooling , systems (ECCS) are adequately separated such that any postulated rupture would not affect redundant ECCS trains. If there were a piping break and blowdown of steam from the RCS into one of the safeguards pump rooms, the plant
- configuration may not ensure that at least one train of ECCS would still be available after a rupture had occurred. However, we stress that these conclusions are not based on mechanistic heat and mass transfer calculations and are therefore qualitative in nature.
25 L
_ . _ -_ . _ . . _ . _ _ _ _ - _ _ . . _ . . . _ - _ _ . _ _ _ m F 4.1 Event Trees The following sections describe the event trees developed for the postulated ISLOCA scenarios. The quantification of the event trees is done on f a yearly or quarterly basis, as reflected in the frequency of the initiating event. The event trees are constructed such that the downward branch depicts [ the failure event listed at the top of the event tree and the upward branch denotes the complement of the event (i.e., typically success). The top events I are a combination of individual component failures, human errors, and functional failures that describe the progression of the ISLOCA from Initiation to core damage or recovery. ' i i All event tree quantification is performed using mean failure probabilities. The derivations of the event tree split '. actions are ! preseated in Appendices B and C. Note that detailed (i.e., non-screening) f failure prubabilities were calculated only for Sequences 2 and 5; all of the [ other sequences had core damage frequencies < 10/y in the screening analysis I and were not developed further. r i finally, each event tree end state was assigned to one of the source f term bins listed below. t t I OK - No overpressurization of the low pressure system occurred (no fission product release). f r OK-op - Scenario results in overpressurization of the interfacing system ! but the system does not rupture or leak (no fission product release), f r LK-ned - Scenario results in RCS leakage from the interfacing system, through either a break or an open relief valve, but severe core damage , (sufficient to cause offsite health effects) does not occur because the ' t leak is either isolated before core uncovery or the leak is too small to ; interfere with core cooling (no fission product release). ! LOCA-ic - Identifies scenarios that produce a 1.0CA inside containment. 26 i t h L
. O Because these sequences are enveloped by the design basis analysis of the plant, they are not fully developed on the event trees and are net considered to be core damage events for the purposes of this analysis. ,
REL mit - An ISLOCA with core damage occurs but the radioactive fission product release is mitigated through some means, such as scrubbing through an overlying water pool or general area fire sprays in the auxiliary building. REL-1 9 An ISLOCA with core damage occurs and results in a large .. unmitigated radioactive release. Note that this does not necessarily mean that the break size is large. 4.1.1 Premature Entry into Shutdown Cooling - SEQ-1A A risk-significant scenario at the Babcock and Wilcox (B&W) plant (see * [5)) involved premature entry into shutdown cooling, with RCS pressure and temperature above the open permissive set point of the decay heat remcval (DHR) system suction isolation valves. This scenario was considered credible et the B&W plant because the plant procedures allowed operators to bypass the open permissive interlock for one of the two shutdown cooling isolation g valves. This allowed an error of commission to be postulated in which, once the decision is made to enter shutdown cooling early, the operators will be led to bypass the interlock for the other valve, also, even though the procedure does not instruct them to do so. For the CE plant, the HRA did not reveal any circumstances that would lead to an analogous scenario. Therefore, this scenario was not deve vped further. , 4.1.2 Shutdown Cooling System / Reactor Coolant $ystem Intersystem LCCA During Startup - SEQ-1B Figure 4.1 shows the event tree used to model an intersystem LOCA between the RCS and SDC system during startup. The SDC suction isolation valves from the RCS are open initially, because the SDC system is being used to remove decay heat from the reactor. Since startup is a ' low pressure" 27 L i
ll i procedure compared to normal full RCS pressure, it is assumcil that any f overpressurization that causes the relief valve t.o open will no; cause an [
!$LOCA. The event tree models one flow line (out of two) on a mission time of -
one year. , L 4.1.3 RCS To LPSI Cold Discharge - SEQ 2 [ l
. Through the normal reactor operating year, MOVs SI 138 (A/B) and $1-139 f
(A/B) are stroke tested quarterly. Thus, the accident sequence path for the l low pressure safety injection (LPSI) pump discharge is based upon the fact ! o i that the MOVs will be opened once each quarter. Figure 4.2 shows the event j tree used to model this sequence. Obviously, if the two isolation check valves ($1 335/336 (A/B) and SI-142/143 (A/B)) protecting the MOVs had f iled, it would not be desirable to l open tha MOVs. But, for analyzing this sequence, it is assumed that no prior { information (for example, a high pressure reading on the pressure indicator ! between the two isolation cneck valves) is kncwn for the system. This [ issumption is made because the stroke testing procedure does not direct the l operators to check pressure between the PlV check valves before performing the i stroke test. In addition, the annuciator card for this pressure indicator was ! found to be de activated during the plant inspection (see [12)), so no credit i was given for this annunciator. -Therefore, for the model, it is postulated ( that internal failure of the two isolation check valves will automatically < 1 lead to an overpressurization of the interfacing system when the M0V is ! stroke tested. Note that the event tree evaluates one flow path (out of four j possible) for a mission time of one quarter. Thus, to get the failure ; frequency for the complete system based on a one year mission time, the [ sequence end state frequencies must be multiplied by 16. ; e
-f 4.1.4 RCS Cold Legs to High Pressure Safety Injection (Header A) - SEQ-3A lhis scenario is similar to Sequence 2. Once each quarter, HOVs SI-225 l through 51-228 (A/B) are stroke tested while the plant is operating. Thus, !
the accident sequence path for the high pressure safety injection (HPSI) pump l 28 [ I h _-y y77,-- _-7-y. .,.,,,,,m,-
,, , - , . e ,n, . . - , , ., - ~ . . <
O discharge is based upon the fact that the MOVs will be opened once each quarter. Once again, if the isolation check valves in the sequence protecting the l MOVs had failed, it would not be desirable to open the MOVs. But, for this analysis, no prior knowledge for the system is assumed (see discussion in Section 4.1.3). Thus, for the model, random failure of the two isolation check valves is assumed to lead automatically to a demand on check valve SI-216. figure 4.3 shows the event tree for this sequence. , D 29 L
t I li
.a '
i. s i i t
>9
[
,l
. 4 1
- w. . e i. .
t
,..4 -
1 - 4 -
,i 4
,.' .' . ,.J s
4 4 '% d
.6 , . . . . , . . .-
[] d 9k d
.o
** .-d , - - < _.*i N..,, m y
,.. e, a o
}
45 lj 4$ I'd 35 *
.u.meC- t
,, o , ,. , , . .. . - . . ,
. e c, .. . .,
5
- m. o. o.
m. 1, . m ..- .. <. m- .. .A . ~ mw- . , t N
. d
,..,i.
y "f
. t.. s + 4,. ..o
. .- a m.
t e m. c m e ,.- e do .. s de u' (1 0 45 15 sy s [j p ye d p O p r m J ar. @ (t m , , . . . ,, .e. !,
- 4. e o - o . y ,,, e o r .,, o ~ , e .
y ? ! 1 * "
- _ .. , e e .t '
~
. + ,- , t .
L . a
, ; c
< ~ !
? t. n e
_ _ _. _ _. _ _. _ _ _. _ . >s I
.- l i i
.i .
t t
._ i, t
t, s , t T- e . [ e, , , t v , o ;
- t. , ,
i., ,
%- t. e, ,
t t-
,1 r
e n, -t
; o/
.t ,, 4
. t: 1, _ g i, n
.: .s .. f
. ~?c,. 3 c: . ,- & o t
~ . , . + -, +. ,
. .e
,.., < - ,t
. r
. . r .<.
1 t a.,.,.,. . , c, 41
?
_ i t, w ,3e g. - ( $. I*
. .o ., 4- ',.
< w. ,
a. c e i a j t. .e 1 + j w e-
..er
?1 3
_ l o .
-m
,a..,. o l 1
- a. .,
., 3 .
u
.. .r- -
i i
.. . i, figure 4.1 SDC Systs ISLOCA During Startup-(SEQ 1B) i 30 -
1 I i ir
-+w=, -,_:,cv.s M-.,-,-..-- , _ , , _ , _-- , , , , _ . , ,,,_m, ,,,,,.,,,,.;.m.,. .. . .m _ ,_,-, ,. ,,,c... . , ~ , , . - r c. m m ,- r,- , , - - - . . . , - - -
.- . . mm. ...m ..m _. _ . - ~. m__ - . .
, O v e w 0 " - -
@ O g in 2 s. v E E -
E~ - a y c
'l .J ,J .' 4 J .c
.J 4 A 'e b L4J it.4 6,U W W 4&J b* h I' *J J d O C O G Q C O. T & O C 6 O Ch O tp C C C C O O O C Q c o ^
(T * = e e e e O a W th 4.1 w tu us w w w w & O C ^ O O r D tD 0 CD d O O J5 P Q O ** O m Q e w D
- m
<4 er cr c- .- o n o 3 O
'.J n
40
\, w. r- --
ig
- c a
j , a + .- ; w
- m. < 44 , .g-
-
- e; 'i _
+i 4 i p
3
* - C. L*)
- 4. q p
} h u
j
~ ~
. s ^T e
+
- Y e -
* : ,4 ?n r:,
.w 5 C~ he C ," e c'.s _-
s g
.~- ~ -
_'! ' 4 m
- - > ~. q N u.
ya J. e-I s 5 - e- % L
. E*.
g w4, m 4 t- . e ',1 g 'I C Ci AJ J o > 2
- ) s 'fa h-LL e,.
3 C m a
), )
- a 9 1
? k c 9
* ** C
, "s. Ca C.
.2+-,
.-_3. u c w s
w e - - 1 . wpq - w
=
. e
>;a~: ,
u a
.A Um C 9 V
- t figure 4.2 Event Tree for LPSI Cold Leg Discharge to RCS (SEQ-2) 31 L
r i
p
, e .- - ,. -
a 4-b t O J 4 L3 - 4 g a g.
- e. e ,o, 1, ,
a
, ,, . n . .e .- .n ,
. r. , ,. ,
o . - 0. e ., m. .. , . . O wt W, 0 0 9 0 4 ,
# M v
+ <..
- . , ; . y.
e .m, ., a
.e'.
< 4 w w 3
W
... _ ~
g& 4
+
- t,a. , .
- 4. 4 C
- n. 4 %
m.4. ;. e
.s.
;_ .t .
,.-,n :.
4 *f *<
- w. . .t : _
3
- 'a s,It e+.: . .
.. c
) C'
- b N
6-4 -
~ ,
. s2., , e.
c
. a,,. ,
~
m : -. . ..
=
figure 4.3- Event Tree for HPSI Header A Cold leg Discharge to RCS (SEQ 3A) 32
oi F 4.1.5 RCS Cold legs to HPSI (Header B) - SEQ-38 :
~
Sequence 3B is comparable to Sequence 3A with the exception that Sequence 3B has one less check valve to protect the interfacing system. Whereas header A has check valve SI-216, header 8 does not have the corresponding check valve in the piping design. Figure 4.4 shows the event .i tree for this sequence. l
'i 4.1.6 RCS Hot Legs to HPS: (Header A) - SEQ-4A .. -
Once every quarter MOVs SI-502A and SI-506A are stroke-tested. Therefore, Sequence 4A is based on the opening of M0V SI-502A. Since valve SI-502A is opened and closed before valve SI-506A is opened, the opening of f SI-502A is defined as the initiating event for the sequence. Once again, the i assumption of no prior knowledge of the condition of the system is used. Figure 4 5 shows the event tree for this sequence.
-f t
4.1.7 RCS Hot Legs to HPSI (Header B) - SEQ-4B Sequence 4B is similar to Sequence 4A except that check valve SI-216 is y; missing from piping header B. The initiating event for Sequence 48 is the ! opening of MOV SI-5028. The initiating event probability is identical to that 7 of Sequence 4A, and is assumed to be 1.0. Figure 4.6 shows the event tree for : t this sequence. i I
- 4.1.8 RCS to LPSI During Shutdown - SEQ-5 .
l 1 !- When the analyzed plant enters shutdown cooling, the operators rely on r ! check valves 51-108 and 51-1071 clo:ing when the RCS pressure exceeds the 'f interfacing system design pressure. Thus, Seghence 5 is based upon failure of ! l the-two check valves. Figure 4.7 shows the event tree for this sequence. l ! 33 I r
.L i l
L
. I j. r-f t.
?
P
. . . ,, . i, v., c.. c -
c.. - ,- O t
- t. . w.
0 ta u $ c: a c u 4 j
, c . ,,
.c,
- o - . - .
. e. o. e. . o. -
a . - - . ., - - . :.
.. . , ., e . . - . . .
D-y Q (1 O 4.3 CJ % $t-' . 9 T4
. .~ r , t I u -?
, e i y i
=
- n. .
3
< t : -c i t
? !
_ _a -
- n. e' -
, - t
- r.
^
,.0$4. _-
; c, s.- .
.. .. y , ,
. . n.
- i. . .
I 6
, .? -
?
e . .
-n. . : :,. .
h
-; . e. .. -
1 r
- d. a 3 i
...;;, .- 3 x r p
. s
;rt. . ;
, e. .., 7
- v. v y
,b +; -
1 I
# t 1
.s .. . .,- F
' f
- c. ,
.a.. .._-
-e o
1 2 i
..< 1
- w. -. ,
Figure 4.4 Event. Tree for HPSI Header B Discharge to RCS Cold Legs (SEQ 38) l t h 34 ;
+
?
i
,?
,.).. r 4,-y.-~-ae-s , .c..y c y ,-vw.
- . . - . . . . . _ .. . . - .. . . . - . . _ - . - . . . . . . . ~ ~ . . .-. .
/
O>
.I P
t I r W om n e . E
, e_4 L
, - , ,~. $
s F - 4 b
. . m _
a a
,, w w. _. - m ye
- u. -> .w ,1 a a a J ,
t
.q.s n
- o n o -
c3 - -
-o -- * ~, n, !
in e
,1 o. - ,
c.i o. o. . c. o i s w ; w w w w w -w w w w ty
- c) @ w O G Q ,
., o r . . m m m --
(% e-
. .f.}
n s w s t
., o ~ ., . c, e o - o - o ~ 2
+,,* : c' c. g
,. (
- t.
2 ,, , 5
- t. c.
a . r c
- .r s & I g* [,
s_ I t
- 9. ,
< i,
*,,e* * ' e f
y,
- _ = r c.
s - s 'A . > I m p
- q .
t-
% 9 L (1 D.a. -
I--a = 4 ci
- 4. i <
x .34 . t
+ :
.... < c.. . , ,
- 3 i r
I l
. , = -
. ..n- .
s o !P r
., v,. .
g +
,, ; r . .;, - s.
m ., 1 -- t 04- < .
+ -
r
?,=,,-.
, t C % e I c
Si y b 48i . c 4..,. e.e4 4;' y o . - i
*.c #
- l
.,..C- Cl ,
a - n+ z - 1 , 5 w v... - > n .. l' I figure 4.5 Event Tree for HPSI Header A Discharge to RCS Hot Legs (SEQ-4A) I t 35 :
.h
. y ..,,..-- . - . - . -
i ' l- : e I e i 2 t. - e . g !
- c. - a , a a a ,
$. ?
m. F> .; *. *e x e e e. a. r. i
, e, .
O a v- or o o . a . , , [
.t
. : a r
, e. ; ;
.. .~, .
r i t s 5 E F
;-, - . :+
. _ ,(( .
., .J
~ ..
r
' c, , 4 v 4 iH : : ;
19-7 i i
- T V 4 .
1
.:, "3-2,
. i.
1
' +
(, i v+ c h x
- e -
t 6 ag 5.:
**D
- . -s -;.
m
....3
'*. -t i
- ,2 :_ . ,
Figure 4.6 Event Tree for HPSI Header B Discharge to RCS Hot Legs (SEQ-48) 36 , r. l i b
- . - - . . . - - - . - ._ - . . -. . . . - - . - - . ~ . - . . - ~
e t O,!. 1 1
,b o
q a . ( - e - c- -
*J J --J 4 -
. . . - - -ed - .M ,d f
.a a .. a a a a a a >
i l C - m % 3 t*\ l*'> O O C
,f;y ,
e
- a. o. - e. o. . o. o. . o. . o. .
- .. ~ w w - w w - w .
2 o G e
- @8 o
O
- e. o CJ N
o 9 e o G 4 4El %' g j o d @ P' D O F4 O N C h t
- t o -
e , ' t.'n
.m , ,, m
.- - c. c -
3 r .r e : 3
+
c' r ; , t o- E
-n. >-1
_ 1_ .
, 6 !
.; .m e. .
o .
.. _ . , . s.- ;
i
;;s - -
m' c- ~
,P h
I. c -
. r
.vn a. s -
.i ..
- i C e -
t
.i t : 2- -
. i ;
t
; <* c. .
t
+
- r n o . :.--._. -
-. r. -
4
. i
- t i t.:e a e
i
;o.- .
w . :
. i, C C 2 **
. , . , . ,, , c
-,-e. c.
t-
... m
.c. .,, c.: ;
3 - 4 l Figure 4.7 Event Tree for RCS to LPSI During Shutdown (SEQ-5) ', t
- 37 i
- l. $
r i l
=
f L : b e _ _ m
i! l 4.2 Human Reliability Analysis This section summarizes the results of the ISLOCA HRA efforts. Appendix C provides detailed information regarding HRA fault trees, event trees, tabulated HEP values, and discussions of the HRA process. The reader is advised that HEPs presented as part of the HRA analysis are estimates based ' upon the best contemporary models and quantitative techniques. As in any HRA, , these HEPs are not intended to stand alone since they are multiplied by hardware failure probabilities in calculations of core damage frequency. s Therefore, individual HEPs should not be used in isolation since they must be considered in the context of a specific scenario, along with the hardware [ failure information contaired in this report. l HRA was used to model the predominant human errors for each significant scenario in the ISLOCA PRA. As discussed in Section 2.5, HRA is a methodological tool that involves the quantitative analysis, prediction, and evaluation of work-oriented human performance. The ISLOCA HRA diagnosed those factors within the plant's systems that could lead to less than optimal human L performance in the initiation, detection, diagnosis, and mitigation of ISLOCA ; scenarios. HRA was used as a diagnostic tool to isolate the error rate , anticipated for individual tasks and to determine where errors were likely to be most frequent. Because most of the human actions in this HRA involved the use of t# various written normal, abnormal, and emergency operating procedures, THERP-type HRA event trees were chosen for modeling most of the human actions in the detailed analysis. However, HRA fault trees were used in some areas to ; provide the best representation of the modeled events. Detailed analyses were i conducted using the fault trees and/or THERP event trees to estimate the error probabilities and uncertainty ranges of the dominant human actions, t Individual error branches for each of the HRA event trees (see [ Section 2.5 er Appendix C for details) were quantified using techniques from THERP and HCR. Specific human actions on each error branch were assigned an . estimate of the basic HEP. These basic HEP estimates were then modified using 38 f
W PSFs to realistically describ3 the work process at the plant. Finally, possible failure paths (i.e., sequences that included either single or multiple human errors leading to a failure of the acticn modeled by the HRA tree) were identified and combined to estimate the total failure probability for the HRA tree, in accordance with the THERP guidelines. Individual PSFs were derived from task analyses, time line analyses, evaluation of the human-machine interface, and direct observations of operator performance. The majority of these PSFs were presented in the ISLOCA insoection report for the - analyzed plant (12). Each PSF was seen as casting either a positive or negative influence on the basic HEP. that is, as either decreasing or increasing the probability of failure for a given human action. For example, [ some of the positive PSfs in evaluations of the CE plant included the following: 1- "The team did not identify any significant deficiencies in the man-machine interface that might significantly increase the probability of an operator error initiating an ISLOCA." [12] - 2- "The team found emergency operating procedures to be well written although they lacked some human factors considerations (see #2, negative PSFs)." [12) 3- "Although training :,pecific to ISLOCAs was not part of the licensee's training program, operators indicated, during walkthroughs and simulator exercises, that they were gfLnerally ] well prepared to cope with losses of RCS inventory."[12] Examples of negative PSFs were: 1- "
...the team identified weaknesses in the nan-machine interface that could adversely affect the ability of the operators to
- mitigate an ISLOCA because cf poor equipment labeling and the inaccessibility of some equipment." [12]
2- Even though E0Ps were generally well-written, the RCS Leak , Procedure, OP-902-002, does not provide relevant guidance with respect to requisite actions for the isolation of ISLOCAs. As a result, operators and supervisory personnel would be required to rely on knowledge based actions, outside of normal procedures. 3- Within the context of the prior finding, operator training (based on Three Mile Island scenarios) emphasized that operators should not override a safety injection signal occurring in conjunction 39 L
l with an unisolated RCS leak (see Sequence 2). This training could lead control room personnel away from the actions necessary in Sequence 2 to isolate a break in the safety injection lines (e.g., operators would have to sequentially close each HPSI and LPSI safety injection valve on the affected Si train). 4- Operators' ISLOCA diagnostic abilities were centered on Attachment 1 of OP-902-002, which verifies a LOCA outside containment but directs operators to a procedure (0P-902-002) which does not provide relevant guidance for the isolation of an ISLOCA. A detailed HRA analysis was conducted for each of the significant
, scenarios identified in the ISLOCA PRA. Tables 4.1 and 4.2 summarize the results of these analyses, which are extensively described in Appendix C.
These tables provide the identifier and description for each significant human error, as well as the mean HEPs. Table 4.1 Estimated Mean HEPs for Sequence 2 IDENTIFIER HUMAN ERROR HEAN HEP FTD-LOCA Control Room fails to detect LOCA 0.018 FTDGN Control Room fails to diagnose 15LOCA 0,02 FTl Control Room fails to isolate ISLOCA 1.00 Table 4.2 Estimated Mean HEPs for Sequence 5 IDENTIFIER HUMAN ERROR HEAN HEP FTD Ops fail to detect loss of coolant 0.0076 FTDGN Ops fail to diagnose system leakage 0.0076 FTI-A Fail to isolate (1 SDC in service) 0.0233 FTI-B Fail to isolate (Both SDC in service) 0.0233 40
E Inspection of these tables reveals that HEPs increase with time following an intersystem rupture, These increasing error rates reflect the following circumstances identified for the CE plant. First, procedures may not effectively lead operators to the control room indications which are most relevant for detection of an ISLOCA, and do not provide definitive guidance for necessary and sufficient actions to isolate an ISLOCA in the two sequences that were modeled in detail. Second, diagnostic abilities in the control room (e.g. , procedures and training) rely on the dicgnostic flor chart in - Attachment 1 of OP-902-002, the RCS leak Procedure. That flow chart can successfully diagnose a LOCA outside of containment, but also directs , operators to use OP 902-002, with the drawbacks mentioned above. Therefore, operator workload is increased and significant stress (threat level) is likely to be experienced by the operators at the time when ISLOCA isolation actions are required. 4.3 Quintification of ISLOCA Model Based on the event tree > described in Section 4.1 (and in more detail in Appendix B), the total mean ISLOCA core damage frequency (CDF) for the plant l is estimated at 2.0 x 10 4 per reactor-year of operation. Table 4.3 provides a breakdown of this frequency by sequence and release category. The dominant
)
scenario is hardware-dominated, involving failure of the pressure isolation check valves in the LPSI cold leg discharge to the RCS (SEQ-2). This scenario is egaivalent to the classical Event-V category of core damage sequences that has been examined in some past PRAs, Note, however, that this sequence could be eliminated by modifying the stroke test procedure to require the operators to check for pressurization of the header between the discharge check valves , prior to performing the stroke test. The relative insignificance of the human error-initiated sequences is due to the excellent administrative controls and safety culture present at the plant, for example, the practice of not - jumpering out equipment interlocks during normal operations and the tight control of keys needed to restore power to isolation valves. The likely failure locations for Sequence 2 are the Schedule 40 piping and the 10-inch, 300-psi flange at the discharge flow element. The flange ! 41 l l b
1I t
= failure probability was relatively high (0.69) because of the " soft" SA 193-B8 :
bolts that are used. Upgrading these bolts to SA 564 Grade 630 would eliminate flange failure from consideration in this sequence. Nata: As discuss:d in Appendix F, the probability of flange failure was partitioned into small leaks and large failures. The large failure probability of 0.12 ! was used in calculating the split fraction used in the event tree for this sequence. Small leaks were judged to be recoverable'by the operator (see
. Appendix C for more details) and were binned into the LK ncd end state on the event tree. l Sequence 5 was the major contributor to ISLOCA risk in the initial :
screening analysis because the frequency of pressurizing the low pressure ! system beyond its design pressure was approximately 10'3/y; however, detailed l analysis of the component pressure fragility showed that small flange leaks j are the only credible overpressure failure modes for this sequence, and the probability of even these small leaks is extremely small (< 10/ flange). The l components contributing to the rupture probability are the 150-psi flanges at t i check valves SI-107 (suction from RWSP) and SI-407 (suction from containment > sump). [ Refer to Appendix H for the details of the component pressure i fragility analysis.] This sequence would also appear to be driven by hardware i failures; however, the hardware failure of concern is the demand failure of ! check valves SI-108 A and B. A demand failure probability of 1.0 was assumed for these valves, based on their as-found condition at the plant and the t complete lack of testing or maintenance on these valves at the time of the [ inspection. Were these valves to receive regular leak-testing and some form of periodic maintenance (e.g., disassembly to inspect for boric acid precipitation and corrosio'n), a generic demand failure probability of 10'3 , [' could be justified. The Impell analysis of these flanges also showed that the I L leak rates will be far too small to threaten core cooling. However, the HRA i for this sequence was done before these results were available, so operator { response -to a small break was modeled. Even with this additical conservatism, the core damage frequency from this sequence is < 10.a/y. Had the flange ; failure probability been higher, the probability that the failure results in a l leak large enough to threaten core cooling would have had to be factored. into the core damage frequency calculation. ; 42 ,
'f 1 ;
i i
- i
E Table 4.3 ISLOCA Core Damage frequency (per reactor-year) Scenario CDF REL-lg REL-mit LOCA-ic LK-ncd OK-op , IA c c 0.0 e e c IB c c 0.0 e e c 2 2.0E-06 2.0E-06 0.0 0.0 1.4E-06 7.8E-07 3A e c 0.0 0.0 c 0.0 3B c c 0.0 0.0 c 0.0 , 4A c c 0.0 0.0 c 0.0 - 48 c c 0.0 0.0 c 0.0 5 e c 0.0 0.0 9.6E-08 1.0E-03 Totals 2.0E-06 2.0E-06 0.0 c 1.5E 06 1.0E-03 c - < 10's77 3 4.4 Risk Assessment ' As described in Section 2.6, the offsite consequences of ISLOCA core damage sequences were estimated utilizing ihe V sequence source term from the June 1989 NUREG-1150 analysis of Sequoyah (see Appendix G for details of the j consequence analysir,). The conditional consequences for the base case analysis are listed in Table 4.4. Based on information from the NUREG-ll50 program that estimated decontamination factors (DFs) for both dry and wet containment bypass releases, a DF of one (no decontamination) is assumed for the release from the auxiliary building (large dry release) in the base case. Additional work on estimating Ofs for the auxiliary building has been - sponsored by the Electric Power Research Institute (EPRI) using the Modular Accident Analysis Program (MAAP) code ' This work would seem to support DFs for a dry release in the range of 3 to 80, depending on the specific configuration of the auxiliary building. Wet release DFs, either due to a
' Electric Power Research Institute, Eva7uation of the Consequences of Containment Bypass Scenarios, EPRI-NP-6586-L, November 1989. This three-volume set of reports contains proprietary information that is not available to the general public.
43 , L
l! 4 flooded break location or scrubbing by general area fire sprays in the auxiliary building, ranged from 40 on up. However, the MAAP code, l particularly when the core flow blockage feature is used (as it was for the i EPRI work), tends to predict relatively little hydrogen generation in-vessel. f Hydrogen generated in-vessel, if released into the auxiliary building, could ' burn, pota '.ially opening pathways for free convective exchange with the l out;iae environment, thus reducing the effective auxiliary building 0F, The o effect of a credible range of DFs on the offsite consequences is examined in Section 4.5. i When reviewing the ISLOCA consequence and rit,k estimates, several f aspects of this calculation should be kept in mind. Many measures of risk are l available and have been used in recent studies. However, to produce these estimates, many sequence-specific and site-specific assumptions must be made, from the cost of land to the warning time available to activate the offsite j emergency response plan before a release occurs. These assumptions can have I significant effects on the consequences calculated with MACCS. The base case f ISLOCA risks are shown in Table 4.5. f Table 4.4 Base Case ISLOCA Consequences Conditional Upon Severe Core Damage ! t i ! Mean 50-Mile Dose i Mean Early Fatalities Mean Latent Fatalities (Person-Rem) -i 99.9 5.36 x 10 3 6.12 x 10' i
-f I . ;
l ; i f
?
~
44
- J
i E Table 4.5 Base Case ISLOCA Risk (per reactor-year) Mean 50-Mile Dose - Mean Early fatalities Mean latent Fatalities (Person-Rem)
- 2. 0 x 10 l.1 x 10'2 12.2 A.5 Uncertainty and sensitivity Study Results -
No uncertainty analysis was performed for the dominant ISLOCA scenarios because the core damage frequency is relatively low and almost all of the uncertainty is contained in the initiating event of Sequence 2, failure of the two series check valves. The error factor on this initiating event is 100; therefore, the core damage frequency distribution will have a large, positive skewness coefficient, indicating that the reported mean core damage frequency will be close to the 95" percentile value. Based on similar results obtained for the Westinghouse plant (17), the uncertainty in core damage frequency should span approximately four orders of ) magnitude. 4.5.1 Component Rupture Pressure Uncertainty. The base case analysis used a logarithmic standard deviation of 0.36 for the pipe rupture pressure distribution (which was modeled as lognormal), As - discussed in Appendix H, this value is derived by assuming that the probability of component failure is 10'3 when applied stress equals yield stress. This may be an overly conservative assumption; however, sensitivity cases were examined in [5] and [17) in which the probability of component failure at yield stress was taken to be 10 and 10'5 These values correspond to a logarithmic standard deviation for the pipe rupture pressure of 0.30 and 0.26, respectively. The rupture probabilities were recalculated, with the result that there was not a significant effect on core damage frequency. 45 l
.I
h Because the piping materials are the same in the CE plant as in the B&W and Westinghouse plants, this result should apply to the CE plant, also. Therefore, no detailed calculations were performed.- 4.5.2 Auxiliary Building 0F Uncertainty Lack of knowledge in estimating the auxiliary building 0F was treated via a sensitivity analysis which examined the effects of a range of credible auxiliary building DFs on fission product source terms and offsite consecuences. The details of this analysis can be found in Appendix G. The important aspects and results of this analysis are summarized below. For the dry ISLOCA sequences, the base case DF for all release classes had a uniform value of one and the release was at ground level. The sensitivity analysis involved calculating new fission product source terms with uniform-valued DFs of 5, 10, 50, and 100 for all release classes except the noble gases, for which the base case DF of I was retained. For the first two calculations, with DFs of 5 and 10, a ground level release was assumed. For the last two calculations, with DFs of 50 and 100, the release elevation was specified as 10 m. The reason for the change in release' elevation is that industry-sponsored analyses of auxiliary building DFs show that higher DFs, in the absence of water-scrubbing, are produced when there is a lack of-free convective exchange with the outside environment. This generally corresponds to having an opening high up in the auxiliary building, with a release from the reactor coolant system in the lower elevations of the building. Sensitivity ' cases were also run to examine the potential effects of auxiliary building fire sprays on the release (there are no such sprays at the plant analyzed in this report). In these so-called wet ISLOCA sequences, the base case DF was specified as a distribution that was sampled upon, as in the NUREG-ll50 analysis of Sequoyah. The distribution is shown in Table 4.6 for the base case analysis of the wet sequences. As was done for the dry sequences, sensitivity analyses were performed with uniform-valued DFs of 5, 10, 50, and 100 for all release classes except the noble gases, for which the DF remained at the base case value of 1. For the first two sensitivity
. 46
E calculations, with DFs of 5 and 10, a ground level release was assumed. For the calculations with DFs of 50 and 100, calculations were performed with the release elevation specified both at ground level and 10 m. . Table 4.6 Distribution of DF for the base case analysis of the wet ISLOCA sequences a. specified in the SE0SOR input 0% 1% 5% 25% 50% 75% 95% 99% 100% 5.lE+03 4.5E+03 4.lE+03 1.3E+02 6.2E+00 3.0E+00 1.8E+00 1,7E+00 1.6E+00 Tables 4.7 and 4.8 present the mean conditional consequence results for the dry and wet ISLOCA sequence sensitivity cases, respectively. These results are also presented graphically in figures 4 8 through 4.13. Comparisons of the dry and wet sequence consequence results are also presented graphically in Figures 4.14 through 4.16. i Table 4.7 Mean MACCS Consequence Results fer Each Dry ISLOCA Sequence Sensitivity. Sensitivity Cala Mean 50-Mile Release Mean Early Mean Latent Dose QE Elevation Fatalities Fatalities (person-reml
)
1.0 0.0 9.99E+01 5.36E+93 6.12E406 5.0 0.0 1.63E+00 1.82E+03 2.15E+06 10.0 0.0 4.03E-01 1.17E+03 1.55E+06 50.0 10.0 7,12E-02 5.16E+02 8.83E+05 100.0 10.0 6.10E-02 3.97E+02 7.24E+05 e 9 e
. 47 L
I-Table 4.8 Mean MACCS Consequence Results for Ea h Wet ISLOCA sequence Sensitivity. _ i Sensitivity Case Mean 50-Mile i Release Mean Early Mean Latent Dose Qf Elevation [alalities Fatalities 19erson-rem) Base
- 0.0 3.69E+00 1,71E+03 2.08E+06 5.0 0.0 9.92E-01 1.49E+03 1.79E406 ;
. 10.0 0.0 4.01E 01 9.85E+02 1.37E+06 t 50.0 0.0 1.76E-01 4.43E+02 7.78E+05 50.0 10.0 1.18E-01 4.51E+02 7.86E405 l 100.0 0.0 1.59E-01 3.51E+02 6.40E+05 i 'CC.: 10.0 1.05E 01 3.56E402 6.46E+05 1
- a. Wet sequence IGse case DF is a sampled distribution as given in Table 4.6. i b
b k [ i i i h l I 48 I L
E ___--_-_._______r4 m t r c . e 1 W F f j-m - t i 1 p._ c n O y--.. - p f li :
,L e l m lll x n-
?
i il O a 11 2
.D- ?
,- g v j e e
)
l- , : s u
,- 't
! - ~
o
. F t
n. u l a . i j
'/ -
- i. .-
m- l % ,
= .
= 0 9 9 a o a,, o, a o
.. 9..
~
o o - , - -
'D -* , iiCy ."' , G f t 1
- hi .<y, figure 4.8 Mean Early Fatality Consequence Results as a Function of Decontamination factor for the Dry ISLOCA Sequences.
49 L
.-4_ _ _ - _ . . ___.___.. _ . _ . _ __ , _ _
']. ;
1 i _ _ . . m o-r- 'r n I
- l. cc l ;
F-
- m. .
g"m I !.
. , u I n
/ -
=,
i
.e o -
i l - I e c i
/ a
/ -
e
,/ o n
i a - s r 9 c
^j .- t i
t-
,t
,' x Z
/
o '
< o u
$$ F l w u -
l ld
,. I L
e . A l' l o b I
? _~
-j _ o 8
L ! 1 I a , r-j v-
-[
-l g
+ * . ;- ,
a - e -en y , W - e : s c muesnou O SO?)i(Cled lu G 10 ') U G O+/ i Figure 4.9_ Mean Latent Fatality Consequence Results as a Function of i Decontamination factor for the Dry ISLOCA Sequences. ! 50 l I l' I i
- .. . . - ~ . - - . . . - - . _ _ . . _ . - . - . _ . _ . - _ . . - . ~
O a 7 --- 9i ,. m
- j.
- I
~=
i - l l _m l i l - i o M l l ~ I 7 4 A" i w - l _ b i -m - 1
~
U t e m i j a
.I -
1 0 C ;
; ,f - g i
, ./ '.
f s e
,/ 4 l m c i -
o
/ M n.
-L ~ ?.
g x W c :J, ) 1 s I i -. v i i
)
o i i ! i- m
- ~
i o ~
-l _- c
! i i i i g ,
n o e v m n - 0 (suoi;i r0 . l cwso-vosseo:) +soa ei m-o; urt.ra l' 1 Figure 4.10 Mean 50-Mile _ Population Dose Consequence Results as a Function , ! of Decontamination Factor for the Dry ISLOCA Sequences. 51 1
-- l '-
_, c 3p_ __ _
! ; 4 .
I ! c.
+
/
/ g*
- i -
/
/
h I 8
- i 3 l
- , .s 4
4 a w r
, c ;
/ r, ,
L t i j C a
~
.x Lm 5 i ,/ c y s
p.- g, r s a J c. ~ r ."- 2 j h L
! y Va I
L l i . .i i : i j
- I i i .
!C
~
~
o e n e o y m ca - a e o o a = c a a e a A i.203 upgq 59'l'1CiG3 Figure 4.11 Mean Early Fatality Consequence Results as a Function of Decontamination Factor for the Wet ISLOCA Sequences (all release elevations are 0.0 m). 52
O-
, _ _ . . . . - - -- , o a
F -
}m I
e l
/ l
/
I e t a-
,! r, - s.
/ !n
~
i i -l - E i u. i e i t' o t
! p r -
i : ' l I - E i c f, I
! /
x e. c
/ c v i 9 0 -
U o W' IC $
~ )
; e -
o i-
.>- ! a r_ ~
t f L - C i i i i I o
- e. o y m ra -
c , csevesnout? ss ! 11 ! Q10,3 lu el F'i v G sbN Figure 4.12 Mean Latent Fatality Consequence Results as a Function of Decontamication Factor for the Wet ISLOCA Sequences (all l release elevations are 0.0 m). 53 l 1 1
.l l 1
.:j-v m, _ _ _ _ _ _ - , _ _
, t-a
- e 1j ca l
I x 1 ,.
-' h
/ i I e F_
1
/ L
-I i
i ~
! i *
,/ . I~
- 5,
!" f l t i r 5
) -i
) 2 l r 5*
/
i i !
) .i u t e
i l M a_ j /
- I 5
C o-
$ p r:
- N' ,_
..=
;, L
~
.. F -
{C L x h ".. -
-i i I
t c i i 4 i i r- o o r m ca - e (suo , i i in) r.wa;-u c.s an +sco e i m-o; v een Figure 4.13 Mean 50-Mile Population Dose Consequence Results as a function of Decontamination Factor for the Wet ISLOCA Sequencer (all release elevations - 0.0 m). 54
O s-- o
- < 3,1_ ru .
!- t i L I
! lU L
r
-{
l 1 1 7 0-
/
.i/ l l*
l
</ [c <
/f.//
r ? - a <
=
it .. I a
,_ ,a i
m - . 11 + Y i u i c
'3 .
- c. -
/ _o-
/- ,~
A 0 _/' p ;$ t CD
,,'s- -
y y-' o u
-/
- I 6
w J_ r b .a
!o 3 - )
l'; r e r, e 5 1 s i o 5
.. a,,
a eu > F, , I , i 1 4 , i 1C -
=e n ea y -
n - - m .: ~ o v m o e a
, - - - - - - - - - c = ==a e = = aa a ,
se>21 :c2c3 c3 uean Figure 4.14 Comparison of Dry and Wet ISLOCA Sequence Mean Early Fatality-Consequence Results as a Function of Decontamination Factor (release elevation - 10.0 m for DFs of 50.0 and 100.0, otherwise elevation = 0.0 m). 55 L
- l.
- i
,. o
}
- t' cu s
/ f 4
/
l - w e q W. -
//
,- / e +
/ -/ ?- w
.x a j
, r y J; f
i
= ,
')
- i. .> !
3s i PJ W -1 i 4 - ue 1 e : a 1 r t ! f- 0+ t
; j - "
- p l d + -6
[- 9 u
- - E t c .
c h ? o i o v i c-
. - 3 ;
i w . l: = I C ;w. 1
$- e c i t !
v E ;
, e.
- I a 3-t L -5 4
! 0
; lo
= 1 w
-)- ,
-5 i 6 .i o s -e n e e r m a i > i > >
i , i , i i i ; i
} C
.l a e e n e e 7 m m -
c j n - ---r - - - - - ooa o o oo a e a s 1 (Sputsnowl) -! seiT: ic;Ud Tuolc'; uc:q . i. Figure 4.15 Comparison of Dry and Wet ISLOCA Sequence Mean Latent Fatality ! Consequence Results as a Function of Decor.tamination Factor -! (release elevation - - 10.0 m for DFs of ' 50.0 and 100.0, i otherwise elevation = 0.0 m). i
- 56 !
i
+
4 l [
- 0;
_.3r _,_ o _r > > j lN .: i l
/!
/I r ,
_c~
/
D - j/ l
/ iC +
i
/
p" I
/ l
/ I [
i I 2
, = ,a
~_
s --> - 5 s .. (N - l s ,.4 3 r r) l ./ . .
! / B+
i i. ; a
- C + r " E i i : s j - i l-e -
i El (y i a o. . I' a <- - ?, e i k g, o b,
- pi V
Io -i
-t
! e t o .
?
ul l {' ; I ca > j- ! c 1 i .. i = , i i , + > . , , i . . g , e a z : n. c c :c y a e c e y n a m m m n ; a - - - - - e c c e c ; r s ac i i i , n :. . Ce E* s -u C S M'_i e50Q 61 W -Og u G N, , Figure 4.16 Comparison of Dry and Wet ISLOCA Sequence Mean 50-Mile e Population Dose Consequences as a Function of DF (release > elevation = 10.0 m for DFs of 50.0 and 100.0, otherwise i elevation = 0.0 m). 57
- {'
- 5. CONCLUSION AND RECOMMENDATIONS The methodology for evaluating ISLOCA risk that was developed in-[5] has been applied to a CE plant with a dry, atmospheric. pressure containment. This methodology has been successful in providing insights regarding the relative contributions of both hardware faults and human actions to ISLOCA core damage frequency. The results indicate that human errors of commission, latent ,
faults of equipment, and normal procedural tasks can combine in an ISLOCA sequence to produce potentially serious consequences. However, the
. ^^odolmv ws alt ? used to idnnti fv octential means of reducing these ;
contributions to risk. Conclusions and recommendations are presented below, < followed by a preliminary discussion of the relationship of these results to the general population of nuclear power plants. 5.1 Plant-Specific Conclusions A PRA of the analyzed plant has not yet been completed by the licensee. Therefore, no comparison could be made of the results of thit analysis with results obtained by the licensee. t In the pressure fragility analysis of the interfacing systems, existing [ relief valves were found to provide very little protection against the dominant ISLOCA initiator (SEQ-2). Typically, ralief valves in the i interfacing systems are designed to mitigate the occasional pressure transient associated with routine valve realignments and pump starts and stops. The pressures generated in ISLOCA events simply overwhelm the relatively small .
. relief capacity of these valves.
l The HRA found that operator error could conceivably contribute to ISLOCA
- i initiators. However, it was determined that human error initiators were 1
I ! highly.unlikely during operations involving interfacing systems. This is due j to the existence of significant administrative procedures and related operator l training, as well as the presence of well controlled interlocks which prevent ' l the inadvertent operation of those pressure isolation valves under operator control. The HRA frand a higher probability for operator error during 58 l l
ol detection, diagnosis, and isolation of an ISLOCA. This results fram an interaction of the follouing variables: 1- A limited number of clear control room indications for ISLOCA 2- (mergency procedures which do not address isolation of a break outside containment 3- Limited amount of time in the dominant scenario for the detection, diagnosis, and isolation of ISLOCA before core uncovery
- 4- Operator exposure to high workload and threat stress at the time when actions to isolate an ISLOCA are needed. ..
5.2 ".eneral Conclusions Extreme caution should be exercised when attempting to extrapolate the results of a single sample to estimate the performance of the entire commercial nuclear power industry. The analysis of the CE plant in this ' report has identified some potentici ISLOCA issues, but the completeness and typicality cf the results, even for other CE plants, has not been determined. The analysis of this plant indicates that the most important concern regarding ISLOCA risk centers on the lack of procedural guidance for responding to an ISLOCA, rather than on the plant personnel, dwever, it is imprudent to 3 conclude that humtn errors, while not important ISLOCA initlators at the plant analyzrf in this report, will not dominate the ISLOCA risk for other plants. Therefore, a major emphasis in any evaluation of ISL0ct, should be the assessment of the potential for human error initiaiers. Specifically, this involves judgiag the adequacy of plant proceduros and personnel training and awareness of the potential for and consequences of an ISLOCA. To generalize, . the understandinq by the plant personnel of the importance of maintaining the pressure isolation boundary, and recognition of the potential for an ISLOCA and its consequences, can have a dramatic impact on ISLOCA risk. In the case ' of the CE plant analyzed in this report, the detailed HRA considering these effects eliminated humar. arror-initiated ISLOCAs from detailed consideration, whereas at the Babcock and Wilcox plant (see [5]), the effect was just the ' opposite; the dominant ISLOCA sequence was initiated by a human error of commission. 59
.I
I P
- 6. REFERENCES
- 1. U. S. Nuc1 ear Regulatory Commission, Reactor Safety Study An Assessment of Accident Risks in U.S. Commercial Nuc1 car Power Plants, WASH 1400 (NUREG/75 014), October 1975.
- 2. U. S. Nuclear Regulatory Commission, Severe Accident Risks: An Assessment for five U. S. Nuclear Power Plants, HUR[G ll50, June 1989.
. 3. G. Bozoki, et a1.. Interf acing Systems LOCA: Pressurized Water Reactors NUREG/CR 5102. BNL NUREG-52135, February 1989.
r 4 T-L. Chu. S. Stoyanov, R. fitzpatrick, Interfacing Systems t0CA: re!'ing Water Reactors. NUR[G/CR 5124, BNL NUREG-52141. F3bruary 1939.
- 5. W. J. Galyean, et a1., Assessment of ISLOCA Risks Methodology and Application: Babcock and Wilcox Plant, NUREC/CR 5604, to be published.
e
- 6. J. H. Griesmeyer and L. N. Smith, A Reference Manual for the Event Progression Analysis Code (EVNTRE), NUREG/CR-5174 (SAND 88-1607),
September 1989.
- 7. '
G. Ryan, A Task Analysis linked Apprnach for integrating the i numan factor in Reliability Assessment of NPP, EcLi&Jl]Ly Enaineerina -and System Safet y, vol. 22, 1988. ^
- 8. A. Swain and H. Gutman, Handbook of Human Reliabi?ity Analysis with Emphasis on Nuclear Power Plant Applications, NUREG/CR-1278, August 1983. *
- 9. G. Hannaman and A. Spurgin, Systematic Human Action Reliability l Procedure (SHARP), EPRI NP-3583,1984.
i
- 10. R. Hall (ed.), A Guide for General Principles of Human Action Reliability Analysis for Nuclear Power Generation Stations, IEEE Draft Standard P1082/07, August 1989,
- 11. G. W Hannaman, A. Spurgin, and Y. Lukic, Human Cognitive Reliability c
.. Model for PRA Analysis, NUS 4531, Electric Power Research Institute, 1984, t
- 12. J. Ball, Interfacing System LOCA Inspection Report, Docket Number 50-382/30 200 September 14, 1990, U.S. Nuclear Regulatory
- Commission Washington, DC.
- 13. ETA-II, Version 2.0, Los-Altos, California, Science Applications International Corporation, 1990.
, 14. D.-1. Chanin, et al., MllCOR Accident Consequence Code System (MACCS),
NUREG/CR 4691, February 1990. 60 i
, , - . - - - - - . . -, _ . . . _ - , , , - . . . - . - . - - - , - _ , , , - - , . ~ _ _ - . , _ . . _ . - - - . -
I E
- 15. J. Gregory, et ai.. Evaluation of Severe Accident Risks: Sequoyah Unit
- 1. NUREG/CR-4551, Vol. 5, Rev. 1, draft report for comment, June 1990.
- 16. D. C. Aldrich et a1., Technical Guidance for Siting Criteria -
Development. NUREG/CR-2239 (SAND 81 1549), 1982.
- 17. O. L. Kelly, J. L. Auflick, and L. N. Haney, Assessment of ISLOCA Risks Methodology and Application: Westinghouse four loop ice Condenser Plant, NUREG/CR-5744, to be published.
1 e 1 G 61 1
APPENDIX A
' SYSTEM DESCRIPTIONS i
4 i s t i o a F b l t [ l 4 k l I I
. A-1 l
l l 1 I
.asu .
f o Appendix A System Descriptions The plant analyzed for this report is a single-unit site. The unit is a 3390 Hwt pressurized water reactor (PWR), with an NSSS supplied by Combustion Engineering (CE). The unit has a large dry containment that is maintained at atmospheric pressure and a separate reactor auxiliary building and turbine building. - The plant is similar to other CE plants in the number and type of , charging and safety injection pumps. A.1 Reactor Coolant Systeni d The reactor coolant system (RCS) transfers energy from the reactor core to the secondary water in the steam generators. The RCS pressure boundary . acts as a barrier (one of several) against the uncontrolled release of radioactive material from the reactor core and primary coolant. During power operation, primary coolant in the RCS is circulated by one reactor coolant pump in each of the four cold legs. Pressure is maintained within a prescribed band by the combined action of the pressurizer heaters and ) sprays. RCS inventory is maintained within a prescribed band by the chemical and volume control system (CVCS), otherwise known as the charging system. Component information d A. RCS 3
- 1. Volume: 10,300 ft excluding pressurizer and surge line
- 2. Nominal operating pressure: 2235 psig B. Steam generators (2)
- 1. Type: vertical shell and U-tube
- 2. Model: CE l
. A-2 i i
I i A.2- Interfacing Systems ! I I All interfacing systems were screened to identify those systems that needed further evaluation. The criterion used in screening was that any [ system with an interfacing pipe diameter larger than one inch should be f evaluated. The one-inch pipe size was selected based on an estimation of the [ discharge from a one-inch high pressure pipe break, which was about 200 gpm.
- A 200-gpm leak rate outside of the containment is considered to be critical based on: the capacity of the RWSP (Technical Specification minimum volume of ;
t 443,000 gal), the capacity of three charging pumps (132 gpm), and the normal makeup rate.to the RWSP (-150 gpm). Based on these cnnsiderations and the number of hours it would take for the plant to achieve cold shutdown-f (conservatively assured to be about 10 hours), leak rates of 200 gpm or less were judged not to be risk-significant. ,
.f i
The initial screening resulted in the selection of the safety injection l (SI) system, including the low pressure safety injection system, and the ! shutdown cooling system. Figures A.1 through A.6 are schematic diagrams I showing the hardware configuration of the safety injection system. f l
?
I l i I l y I f r s L : L A-3 l
- 1. i
- - i i
i L
O I 650 psig 2485 psig
-= :- {*[y -
h SI- 139A SI- 14 3A SI-336A , AN !~ w m 2A N LPSI Pump A a h 9~ N 9 ^ ~ Si-122A SI- 124 A SI- t29A _ N ' 2e . O SI- 1398 51-1438 SH335A
' m, LPSI Pump B SI- 1228 Si- 1248 51-1298 n
'Nd b 51-1388 58-142B
)
-[ SI-3350 a
r7 ,h, t
r-e Outside bside Conio.nn ent Contoinment Figure A.1 : RCS Cold legs to Low Pressure Safety injection Pump Discharge Schematic. ,
A-4 1
N 4! 6 I _ A ._ ,,v . 4e # $ s ee i ,
' ~~
f S-2= G-N--txi---- t y g' 5 w) S - ra S- 7.w .. . ,,.,. l b !
~;m s .tn :
I 1, w -2c' r, a ~ ~ ~ 6--V4 l ,.
; ;Nj_.4sj_.
S-im ; w-re n S-3m GHNJ . . mu, l .. i: :- N-dNJ--*
$tm 9-an S n.,,
n - - . _. Q _ o
! To RCS I+ m : Cold Leg s- m -----N,,-tq- . -
, Q '
9- a 4 9-ave
- ++a -e,,~m o
- w-n, v- ,.
T , s.t:ms , e, Q
,-mu-2
, N. s---4-4---
s.sw l l . . . , ,
%*I2 %
400 Dent thC q IM 2401 peg 9 i Sch ge f OW iag a on % A-5
l B-f i i i I l
=a-a N w ,
. . - - wu .... l ,, ,
0{ y,ac Loop
- sm !
~
- f. s..g
""A i _h_ _ ,
O W ><
*ma s-w W4 %.
u.s . : a,
,,,,,,, .-Sm j
~ ~~ ~
u -A-
=
jg 6. w
,,.-A -
r N
= Nm.* ,
G .N .w.i . m.. .-
=e * . n To RCS *
"JL , , , *T _ @% Cold Log n,
r
.~
g hw .
..w %. _ n3%. . ,. 2 i n
"*-* h 4.o , eso
>= ;
-e Ir IO RC$
Os g Loop 2 3 wra *. v. .. . .a. A A
--, ,, N N I
asegag_ 3,gg m i I Figure A.3 :- RCS Hot Legs to High Pressure Safety injection Pump Discharge L- Line Schematic A6 . L
t i i WN --N s!-sm U S-5t2A p s-.30 8 To RCS Loop 1
- sw sm um r,-
A_ r,-
.-= o-
. 550 peg vso pag outskie indde contannwnt conto!nment y s To RCS Gj g -302 Loop 2 4 SHi108 h S-5t2B a i - E\j Ehl Figure A.4 RCS Hot Legs to the Safety injection lanks Line Diagram A-7
n u Reactor Vessel , 2 . RCL Hot Loop 1 RCL Hot Loop 2 '
=
V D SI-4018 D SI-401A "9 " (} SI-4058 Q SI-405A 440 psig I' . l %- 51-4068 %- SI-406A ) In id
.... ....s...e...C.on
....t ..............
a.inme n t ....... .................. .... ................................... outode Containment Q $1-4078 Q SI-407A , 1 l 9 1 o 1 l l Figure A 5 Shutdown Cooling Suction Line Schematic. 1 A-8 L
l:
, Reactor Vessel A
RCL Hot Loop 1 RCL_ Hot Loop 2
=
y d SI-40 B d SI-40 % mopW Q'T SI-4058 -..- n
@P- SI-405A 440 @ n
%_ SI-4068 %-.- St-406A
. . g f.*g* g .....
j SI-4078 d SI-407A
- P "
P SI-4 08 St-410A [ SI-088 [ SI-108A "O N " [SI-078 [SI-07%
-r
[ SI-078 [ SI-07A Refue6ng wotor Storage Pool A Figure A.6 RCS Hot Legs to RWSP via the LPSI System A.9
_ _ _ _ _ _ _ _ . . _ _ _ _ _ _ _ _ _ _ _ __ , _ _ . _ - . _ . . . _ . . _ . _. ._ _ .m. t D; A.2.1 -Safety injection System I The safety injection system provides high and low pressure coolant injection capability, as well as the ability to remove residual f. eat from the reactor core when the plant is shutdown and at low pressures.
*f There are two
{ low pressure safety injection system trains, each with one snfety injection pump, and two high pressure trains with three pumps. The s'fety a injection ; pumps are normally aligned for cold leg injection (to all four RCS cold legs), - i but are capable of supplying flow to the hot legs, also. The pumps start l automatically upon receipt of a safety injection actuation 5,ignal. During ' ' a injection, the RWSP supplies borated water which the safety injection pumps , deliver to the cold legs via a common discharge header that branches into four i lines, one for each RCS loop. f l The low pressure safety injection pumps also provide the motive furce f for shutdown cooling flow. In this mode of operation they take suction from , l the RCS hot legs and discharge to the cold legs through the shutdown cooling ! heat exchangers. ; The safety injection system also contains four cold leg safety insection [ tanks (SITS). Each SIT contains borated water with a pressurized c uer gas. The borated water is forced into the respective cold legs when RCS pressure I ! decreases below the cover gas pressure. i t Testing of the safety injection system is specified in the plant f Technical Specifications and in the in service testing (IST) program. The [ pumps are flow-tested on a quarterly basis. The normally closed discharge l HOVs are stroke-tested quarterly. Functional actuation tests of the safety injection system are performed during cold shutdown. I Table A.1 L.ow Pressure Safety injection Pump Data r t Type Single-stage, vertical, centrifugal i e Design pressure 650 psig i A 10 - 3 ; i
i ii l 1 I l t Design temperature 400' f. i Design flow 4050 ppm !
. 8 Maximum flow 5500 gpm f
Design head 342 ft j t Head at maximum flow 265 ft , i f a ! i t 5
. Table A.2 High Pressure Safety injection Pump Data h Type Multi stage, horizontal, centrifugal i i
Design pressure 1950 psig i Design temperature 400' F. ! t Design flow- 380 gpm j i Maximum flow 910 gpm i Design head 2830 ft ! Head at maximum flow 1275 ft i t 9 p I l i I i i l A Il ; { I _. ___.,._..._._._,--.-_._.m....,_ - . _ , _ .. . . _ . . _ _ . _ . . _ , . . . . _ _
i l t t t r 5 i APPENDIX B - ISLOCA EVENT TREES : i t 8 . 1
. I I
L I
?
I l l A b t e t i t . r i 1 f B1
,,e . _-, , - v -r --..7-,-.- - - ,- i-*w--+--- * -- ~
References C-1 F.G.Ryan,"ATaskAnalysisLinkedApproachforIntegratingtheHuman! factor in Reliability Assessment of NPP", Reliability Enoineerina and " System Safety, vol. 22, 1988 l [ vt C-2 A. Swain and H. Gutman, Handbook of Human Reliability Analysis with ! Emohasis on Nuclear Power Plant Acolications, NUREG/CR 1278, August, 1983, i ps e C3 G. Hannaman and A. Spurgin, lystematic Human Action Reliability l Procedure (SHARP), EPRI NP-3583, 1984. l C-4 R. Hall (ed.), A Guide for General Principles of Human Action *
*aitaailit,. Analysis for Nuclear Power Generation Stations, IEEE Cesit Standard P1082/D7, August, 1989.
l
. t rf C-5 U.S. Nuclear Regulatory Commission, Technical Specifications, Docket !
number 50-382 W3, SES FSAR, January, 1979. ! i el C6 U.S. Nuclear Regulatory Commission Inspection Report 50-412/90 10 and 50-414/90 10. ; C-7 J. Ball, Interfacing System LOCA Inspection Report, Docket number 50-382/90 2N, September 14, 1990. U. S. Nuclear Regulatory Commission, Washington, D. C. D. - a- C8 G. Har.naman, A. Spurgin, and Y. Lukic, Human Coanitive Reliability Model for PRA Analysis, NUS-4531 Electric Power Research Institute,1984. C-9 K. Russell,M.McKay,M.Sattison,N. Skinner,S. Wood,andD.Rasmuson,i integrated Reliability and Risk Analysis System (ver. 2.5), February, . : 1991. EG5G Idaho, Inc. Idaho Falls, ID. , of I C40 Technical Specification Change Request NPF (Draft), Docket number i 50-382. t 9
- i h
t I t t C - 91 l I
, - - . . . - .- - , , a- .
i LOCA-ic Identifies scenarios that produce a LOCA inside containment. Because these sequences are enveloped by the design basis analysis of the plant, they are not fully developed on the event trees and these scenarios are not considered to be core damage events. REL-mit An ISLOCA with core damage occurs but the radioactive release is mitigated through some means, such as scrubbing through an overlying water pool or general area fire sprays in the auxiliary building. REL-1 9 - An ISL0r , with core damage occurs and results in a large unmitigated radioactive release. Note that this does not necessarily imply inat the break size is large. B.1--Premature Entry Into Shutdown Cooling - SEQlA A risk significant scenario at the Babcock and Wilcox (B&W) plant (see (B 1]) involved premature entry into shutdown cooling, with RCS pressure and temperature above the open permissive set point of the decay heat removal (DHR) system suction isolation valves. This scenario was considered credible at the B&W plant becaue the plant procedures allowed operators to bypass the open permissive interlock for one of the two shutdown cooling isolation valves. This allowed an error of commission to be postulated in which, once the decision is made to enter shutdown cooling early, the operators will be led to bypass the interlock for the other valve, also, even though the procedure does not instruct them to do so. For the CE plant, the HRA did not reveal any circumstances that would lead to an analogous scenario. Therefore,
, this scenario was not deve'oped fut',her.
B.2 RCS To S1 System ISLOCA During Plant Startup - SEQlB In Sequence 18 the plant is undergoing a startup from cold shutdown. Thus, failure to close MOVs SI-401 and 40Vs S1 405 prior to raising RCS pressure above 396 psig is the initiating event. The event tree for this
-sequence is contained in Figure B.2, while the corresponding flow diagram is displayed in Figure B.1. Since startup is a " low-pressure" procedure compared B.3
C to normal full RCS pressure, it is assumed that any overpressurization that causes the relief valve to open will not cause an ISLOCA. The event tree models one flow line (out of two) on a mission time of one year. s PSUM. The initiating event for this sequence is a startup from cold shutdown. Such a startup is estimated to occur once every 18 months (cold shutdown does not necessarily occur at every shut down), the frequency of event PSUM is assutned to be 0.67/ year. MOVLO. Once the plant is in a startup mode, MOV SI-401 (A/B) and HOV SI- . 405 ( A/B) must both be lef t open af ter the RCS pressure exceeds 396 psig for 3 an ISLOCA to occur. Thus, event MOVLO represents the probability that both I
$1 401 and SI-405 are left open. The screening probability assumed for MOVLO wa s 1.0x10.
l AClf, if both valves SI-401 and SI-405 are left open, the automatic 5 closure interlock (ACl) is designed to shut both valves automatically when the
- RCS pressure exceeds 700 psig. Event AClf models the probability that the ACI i fatis. Compounding the evaluation of this event is the fact that the analyzed f plant is petitioning the NRC for permission to remove the ACI (this is being [
done because of concerns about losing SDC inadvertently due to valve closure), p' Thus, two separate probabilities for this event were used. With the ACI in place, the screening probability was assumed to be 1.0x10'3 For the case of removal of the ACl, the probability of failure for this event would obviously be 1.0. The Sequence IB event tree shows the sequence with the ACI in place.
*i l
?
h
. B4 i
s
( Reactor Vessel A RCL Hot Loop 1 RCL Hot Loop 2 e-
& SI-4018 D SI-40 %
"' 9 "
(} SI-4058 O{ si-405A 4 40 ps.g " .
%- SI-4068 %- SI-406A in d
........s...e.. .Co. .n t o.i ntnent.......
Outsee Contoinrrent
& SI-4078 D SI-407A o y Sequence 1 (A&B)
Figure B.1 : Shutdown Cooling Suction Line Schematic. B-5 k
h O e i
. ., r. . . .
.,4
.,t
,- ,- . .. , . _a ... , , . . . ... . . , ..
s s a ,i i,- .., <5 sJ 41 (1 ti e4 st 3 .J
.2 .A. . ,
,,m,. , . ,, r ., , . . , - . .
a
- w. ,
,T
.,. c . .,
..c.
W !4: T, %, fj W j 7{
$, - - ~ v . ., <. .
!!.,' 'T 7 W .,
l
@' f W o . T. - . u . o ,. P,'
, .# I.'
s . . - - -. - . . . . ,, .. . . . ,, ~ . ., ;;
- . t y y, y . -
y w
- 3. e,. * * . .
\
r i
,.. n. ,L.
4 es
+, 4, ,
~ ,. .
.o : t y :
r
. ,~ t,
. 9 .
+
.~.
p' n W ! 6 Y
. o _ _
.r ...-, .
o :., 6 ; 1
.A-
;; : a ::
a s.
. v t
- r. . .,
e b
. . i gyt e
e e u *^ 3 L 3-- e
,.t. .
.-...e,
. +
u ::
-. L< ,
l l Sequence IB Figure B.2 : Shutdown Cooling Suction Line ISLOCA Sequence Event Tree (plant in startup mode). ' I B6 . L :
( RVF1. This event models failure of relief valve Sl-40f; ta open on demand. The failure probability was taken to be 1.0 x 10'3 . OfDP. This event models failure of the oparators to detect the overpressure conditio in time to prevent damage. A screening probability of 0.5 was used for this and all other human error probabilities in this sequence. OFIP. This event models operator failure to isolate the SDC system from the RCS prior to darrage. A screening failure probability of 1.0 was used. ISR3. Event ISR3 models a break in the lew pressure portion of the SDC system outside containment. The conditional probability of a break is taken to be 1.0 for the screening analysis. FTD. Event FTD models failure of the operators to detect the loss of coolant and enter the correct emergency procedure. A screening failure probability of 1.0 was used. FTDGN. This event models failure of the operators to diagnose that the break is outside containment. A screening failure probability of 1.0 was used. FTI. This event models operator failure to isolate the break given thTt it has been detected and diagnosed. A screening failure probability of 1.0 was used. RNN. Based on the walkdowns performed during the plant visit, the probability that the release would not be mitigated by flooding or auxiliary building fire sprays was judged to be 1.0. B.3 RCS To 1. PSI Cold Disenarge - SEQ 2 Through the normal reactor operating year, MOVs SI-138 (A/B) and SI-139 (A/B) are stroke-tested quarterly. Thus, the accident sequence path for the
. B-7
O low pressure safety injection (LPSI) pump discharge is based upon the fact that the MOVs will be opened ont e each quarter. Figure B.3 illustrates the simplified flow diagram for the LPSI pumping path. The corresponding event tree for this sequence is contained in Figure B.4. The event tree evaluates = one flow path (out of four possible) for a mission time of one quarter. Thus, to get the failure frequency estimate for the complete system based on a one-year mission time, the sequence end state frequencies must be multiplied by
- 16. ,
Obviously, if the two isolation check valves (SI 335/336 (A/B) and SI- 7 142/143 (A/B)) protecting the M0Vs had failed, it would not be desirable to ' open the MOVs. But, for analyzing this sequence, it is assumed that no prior information (for example, a high pressure reading between the two isolation check valves) is known for the system. This assumption is made because the s stroke testing procedure does not direct the operators to check pressure between the PlV check valves before performing the stroke test. Therefore, for the model, it is postulated that internal failure of the two isolation check valves will automatically lead to an overpressurization of the interfacing system when the MOV is stroke tested. 1 6 B-8 L
i' 650 psig 2485 rsig
= *-
- cw =g l h I l l
7
/ 01-336A
$1- 133A l 01- 14 3 A Q ! 9. 'I' b ~f~1 YI *'"g 'N ,,13 Lf*1 Pump A J n
N N v -' si- 13FA si- 142A 51-336B si-122 A si.124 A Si- 129A A !,tw *
=
- 4 1
1 51-1398 ' 51-1430 st 335A N
- LPSIPump B SI- 122B S1-1248 S1-1298 ?
g N Sd b 51-1380 51-1428
-[ 51-3350
~
i g,Nest it Outside inside Ccotoinnent Contoinment Sequence 2 Figure 8.3 : RCS Cold Legs to Low Pressure Safety Injection Pump Discharge Schematic. B-9
1 0( ; i I L e 1 . , - = s s 4 ,,,.h
.a *
. . . ... .h . .. ,J
.- [g. J .J i,I O Il d .A_ 4 m .> w ts c. s2 e- '
- t)
- Q O
( O # 7
, L.) 4.J C. . .
a w aw w su a,u w so W t w 4
, w .
- , .u.
Ly i} W V' Q 19 Y Q 9% D r
,, , ,. c c, .- - -
t
& " 1
-a= . l
. .r i
$ h a T
,3
- 1. '. ). , .
.1
( l _ ,> :4 T;;; e . ,- i.,,. - r; E e rg
.. v.. c.
L: 4 4
- u. e . 1i .
.%- e_ .s _,. 4 < . .
.-=: , y
+
3 ,
.so* 3. .
v . . .r
' 4 "
.t , a S
2 +
.
- 1
~ .
, . s
. t
. t
.c - ,a, a .
c_, -
. o .
e - . e;e7 ; - x v w-a... v_., . y-Sequence 2 Figure B.4 : RCS Cold legs to Low Pressure Safety injection Discharge ISLOCA Sequence Event Tree. B-10 l l L
. e y
..----y, - , . , - ,e.- -
. r-,, -.,1 -,r -
, . --- -c-r,or,- -.-- , 7 ,. e _
i CHVfl. The failure of the two isolation check valves (S1-335/336 (A/B) and S1-143/144 (A/B)) is nodeled as the initiating event. Since it is assumed that both valves are closed and in a non failed state at the beginning of the mission time, only a time-dependent failure mode is presumed. Even though the two check valves are not the same size (S1335/336 are 12 inch valves, while SI-143/144 are 8 inch valves) and the environmental conditions are not identical for the two check valves, an assumption is made that the failure rate A is constant and the same for the two valves. This is-a conservative assumption that reflects the lack of detail available in the valve failure rate database, lhe failure rate is assumed to be lognormally distributed, with a mean value of 8.7x10'8/h and error factor of 10. The probability that one of the check valves fails in a time T is defined as P(Ts t) = l e-18de
. i . e- A t a At (for At<1)
Since the model for CHVfl assumes both check valves failure rates are identical, the underiving probability failure distributions for the two valves must be interchangeable, which leads to the assumption that the valves need to be treated as if the failures were correlated. Thus, for the two check valves in series, the probability that they both fall in the mission time is given by
. the probability of the first check valve failing intersected with the probability of the second check valve failing, or E(CA72) E((OST) 3 O (Olvr) 2l
= t*E(A2)
= T*( [E( A) ) * + var ( A))
8 11 l t
O Given that the mission time is 2190 hours, the probability of failure for the two check valves is calculated to be 2.58x10. This probability is multiplied by 16 (four quarters per year times four injection lines) in n calculating the end state frequencies for this sequence. P0. This event models the opening of MOVs 51-138 (A/B) and 51-139 (A/B). Since the HOVs are opened once each quarter for stroke-testing, the probability of event P0 in the mission time is assumed to be 1.0.
- ISR3. Event ISR3 models a break in the low pressure portion of the LPSI ,
system outside containment. This probability is calculated in Appendix f. The conditional probability of a break is found to be 1.0. FTD. Event FTD models faile'N of the operators to detect the loss of coolant and enter the correct eme.*4 uty procedure. The quantification of this event can be found in Appendix C. The mean failure probability is estimated - to be 1.8 x 10 2, FTOGN. This event models failure of the operators to diagnose that the break is outside containment. The quantification of this event is presented in Appendix C. The mean f ailure probability is estimated to be 2.0 x 10 2 , FTI. This event models operator failure to isolate the break given that it has been detected and diagnosed. In quantifying this event (see Appendix C for details), the flow of the plant's existing emergency procedures was strictly modeled. Because the emergency procedures do not contain steps that would direct the operators to isolate the break (by terminating LPSI flow), , and because the operators have received post TM1 training that cautions against overriding a valid safety injection signal, the failure probability of this event is 1.0. It is possible that the operators could take knowledge- ' based actions outside of the emergency procedures, but such actions were not modeled in the base case analysis. B-12 L
I i RNM. Based on the walkdowns performed during the plant visit, the l probability that the release would not be mitigated by flooding or auxiliary building fire sprays was judged to be 1.0. I B.4 RCS Cold 1.egs to High Pressure Safety Injection (Header A) - SEQ-3A [ This scenario is similar to Sequence 2. Once each quarter, MOVs SI 225 through 51-228 (A/B) are stroke tested while the plant is operating. Thus, - i the accident sequence path for the high pressure safety injection (HPSI) pump discharge is based upon the fact that the MOVs will be opened once each i quarter, figure 8.5 depicts the simplified flow diajram for the HPSI purrping ; path. The matching event tree for this sequence is in figure B.6. The event tree models one flow path (out of four) on a mission time of one quarter. l Once again, if the isolation check valves in the sequence protecting the H0Vs had failed, it woula not be desirable to open the MOVs. But, for this analysis, it is assumed that there is no prior knowledge for the system. ThJs, for the model, it is assumed that random failure of the two isolation ; check valves will automatically lead to a demand on check valve S1 216. CHVF2, The initiating event for this sequence is the failure of the two , isolation check valves (S1435/336 (A/B) and S1-241 through 51-244 (A/B)). j The event is modeled as a single event, similar to event CHVfl. It is assumed that both valves are closed and in a non-failed state at the beginning of the mission time, leading to only a time dependent failure mode for the check j valves. Although the two check valves are not the same size (SI 335/336 are 12-inch valves, while SI-241 through $1-244 are 8-inch valves) and the i B-13 1
m O m N l 9 - [? ?& I s
=es.i - ,
=sess.
l g ts,_e.: , 9,20'a 9-20h4 9-s E 9 - 2 844 !.
.* % e M" l y S-:m l f l *.
y-tos m i *6 e, n , l- N 2I N - d N N g.g;ts l b- 24 2 9-11's
<n w m I C,, 1+ =
l m.
.re .a - -+- N -N- -
W-?2e ! b-24' S.33sa n : To RCS H- 1 Cold Leg I ** '" s.un H >-1.<
%'-4%)-~
n : s .ma
- s._ l G .N,eJ ,---C,.=rn C -
= }*:W s.ne s,t;n t
aJ-v.+s u-e FA, : >- 2 s
. ..t . :
)
~~
9-12 M h
*o me g ;
l
- l l:" .
= m 2.as .
6 Sequence 3 (A&B) Figure B.5 : RCS Cold Legs to the High Pressure Safety Injection Pump Discharge Flow Diagram. B-14 I
1 I f 0 I I - i 2 ; - a-
- - m a a a a a 3.
c -
} ? ?
<, 5
*
- 5 a
5 5 :" $ r, s y . x - < u . . e , , -
- ~ ~ o . ., , . .
*: l ;
- J. t
< a
- e
'l
' A
- v; *
" , i :I
-l 9 7 S,
r ,. : . .
<a s -
tw . . 3 ,, - . w
- r-s s
8m I
.: t. e,.- .-
- r
- = .
1 _: , I e...: .-
.s .-
g-m , . . 1
%:b .. "
l s M t t
== --e . J'
. I'
.3
- e e
. . .r .
- .. 2 .i .'
s Sequence 3A Figure B.6 : RCS Co M Leps to the High Pressure Safety Injection (Header s A) ISLOCA Event Tree B-15
e O environmental conditions are not identical for the two check valves, it is assumed that the failure rate 1 is constant and the same for the two valves. The failure rate is assumed to be lognormally distributed, with a mean value , of 8.7x10 a/,h and an error factor of 10. Using the analysim from Sequence 2, the quarterly failure probability of event CHVF2 is found to be 2.58x10'7 . P0. Event P0 is similar to that for Sequence 2, except the MOVs that are opened during stroke testing are SI-225 through SI-228 (A/B). Since the MOVs are opened once each quarter, the event probability for one mission time , is assumed to be 1.0. .- CHVF3. Once the two isolation check valves fail, the interfacing system will become pressurized, putting a demand on check valve 51-216. Thus, event CHVF3 models the probability of the check valve S1-216 failing to close upon demand. This failure probability is taken to be 1.0x10'3/ demand. CHru ihis event is the same as CHVF4 except that check valve SI-207A m- ' + . The failure rate of CHVF5 is taken to be !.0x10'3/ demand, also. B 4C.' :old Legs to HPSI (Header B) - SEQ-3B 1 daquence 3B i comparable to Sequence 3A with the exception that Sequence 3B has one less check valve to protect the interfacing system. Whereas header A has check valve SI 216, header B does not have the ' corresponding check valve in the piping design, The piping diagram for this sequence is shown in figure B.5, the event + tree in Figure B.7. The only difference between the event tree for Sequence 3A and that for Sequence 3B is that event CHVF3 has been deleted in sequence 3B. As in Sequence 3A, the event tree analyzes one flow path (out of four possible) on a mission time of one quarter. After the deletion of event CHVF3, the remaining events in the event tree are identical for the two sequences. B-16 A
. 1-t.
- , _e s t
,rn, L L'
-d y iJ W ,j n N N d f$ O 5 . _ m ,, e - ,, - e e y g-
.a q g.s
. o. o.
c.b v D.
- 9' e
e .
=
=
x
. e. s, :
e s. : r s o . ., . . . .. . . - e m
?
- 4 3 o.
y*-
=
. a .
a
% 4
.. u. 3
~
G
* ?q
.e $... .
. . :.e. e*
i; e ,?f 7
. I; 4
..- i 6, e r
; ; b. -
W 6 m
- i.i.t
.1
.i ;- .
ie:. . i
+
+a. w t-v -
- s, :
E
.e -
t, ' ~ *
. .:.= .i ~f ~
v..-~. :
>n .
Sequence 3B Figure B.7 : RCS Cold Legs to High Pressure Safety injection (Header B) ISLOCA Event Tree B-17
O! i 1 B.6 RCS Hot Legs to HPSI (Header A) - SEQ-4A Once every quarter MOVs SI-502A and SI-506A are stroke-tested. .. Therefore, Sequence 4A is based on the opening of MOV SI-502A. Since valve SI-502A is opened and closed before valvo SI-506A is opened, the opening of h SI-502A is defined as the initiating event for the sequence. Once again, the assumption of no pricr knowledge of the condition of the system is used. The
, [
system flow diagram in shown in Figure B.8. The event tree for Sequence 4A is shown in Figure B.9. The event tree analyzes one flow path (out of four) on a - mission time of one quarter. - CHVF5. The initiating event is similar to event CHVF1 from Sequence 2, except the two check valves that are modeled are SI-512A and SI-510A. The modeling of the two check valves results in a quarterly failure probability of { 2.58x10'7 . l
.l P0. Event P0 models the plant operating at normal power and the MOV SI-502A being opened for stroke-testing. Since valve SI-502A is stroke-tested once a quarter, the probability of event P0 is assumed to be 1.0.
NOVF2. Event MOVF2 models the internal random failure of MOV SI-506A. ] The failure rate is assumed to be 1.0x10'7/hr. Thus, for a mission time of i 2190 hours, the probability of failure for the closed MOV is 2.19x10. > The remaining events are the same as for Sequences 3A and 38. i B.7 RCS Hot Legs to HPSI (Header B) - SEQ-4B *
^
Sequence 4B is similar to Sequence 4A except that check valve SI-216 is
- absent from piping header B. The flow diagram is contained in Figure B.8, while the event tree is contained in Figure B.10. As in Sequence 4A, the event. tree models one flow path (out of four) on a mission time of one i
-quarter. , t B-18 , i L
.I The initiating event for Sequence 48 is the opening of MOV S1 5028. The initiating event probability is identical to that of Sequence 4A, and is assumed to be 1.0, CHVF6. This event is similar to event CHVf5, except the two check valves that are modeled are SI-5128 and SI-5108. The quarterly failure probability is found to be 2.58x10'7 . P0. Event P0 models the plant operating and valve SI-502B opening. Since 51-502B is tested every quarter, the probability of this event is assumed to be 1.0. MOVF3. Event MOVF3 is like event MOVF2, except that tne valve that is modeled is SI-506B. The probability of failure for this event is 2.19x10. The remaining sequence events and event probabilities have previously , been defined. 5 m-e d B-19 e
D t e= A m -
~...
.. ,- .... l ,
To Res j s.mi Loop 1 j_ -- I n = J X, s ias
~-
wum
-G
. N. . ,( > ' , - ,
- N. ,R, .
s,-2 2 c,-
. ,gm a II it'ma 3 -20 9
= h.., .-
b sim /o N ma T s.au Sam
,%-. 2
;; Cold Leg Is,.:= 2 G ; y *E,
, -4Msm ww
,,. , - s,.,..- ..
-A ,
..o
, em m gm u
- v. s..
- wgs ,
3-me
.=~ oI l*mN
__ . .... s ...
?: ' ?; ., N =N
=m := m .
Sequence 4-(A&B) Figure B.8 : RCS Hot Legs to High Pressure Safety Injection Pump Discharge L Line Schematic l B-20 l i l L
'l ! a
- c -
i e e z o a a : ag : n z
, c, ~ . . n n c. - r - n - -
g a o
- e ij. u C;
- s v ?) *
- n 2
a ., 7 a w W o a W n ?, n n T, 0 e t e O N vt 0 -O O D
- O +- 3 *,
r
- q. 9 t'
. 3 3-a"; .
i I, l
. . I.
l
.u :c . -
- 3 s
- a
-e
.* .*. ,.-. . -*n.
. ul
..D-
- . .g.;. .
3 e :s
# 11 .
- C
. ..-.: . 1 p ; #*; V
. 2 e %
m
-. ~ ;
a::
.o.-
4 p- 3 .
;. :. n ,. .c, - a. ..
e c aZ o ." .
- e; 7 v :
Sequence 4A Figure B.9 : RCS Hot Legs to High Pressure Safety Injection Discharge (Header A) ISLOCA Event Tree. B-21
O
! c i e i e n j s 1
~ -
i i 1 i i I
. . - . . - c. -
2.. c. s, i i s s s, i
. t.
i I O o n e o a o e m - o ee f
. . ~
. . 1
- i e
a '
?
I::: t.
;; g# . .
r- ,
* .~. .
-a
. *,o * ,
a
- g.v .
- n:
2 -
.e;
]
2.. :. 5 .
"is ;
.
- m 2
Se.e: y e ;
- u- ; :
. . 3. ;. .
5
?.
- .:. :s
.. =
;- v "I. .i Sequence 48 Figure B.10 : RCS Hct Legs to High Pressure Safety Injection Discharge (Header B) ISLOCA Event Tree B-22 i
L
l B.8 RCS Hot Legs to the LPSI System During Shutdown - SEQ-5 When the analyzed plant enters shutdown cooling, the operators rely on f check valves SI-108 and 51-1071 closing when the RCS pressure exceeds the ! interfacing system design pressure, Thus, Sequence 5 is based upon failure of ; the two check valves. The simplified flow diagram for this sequence is contained in Figure B.11. The ISLOCA event tree is contained in Figure 8.12. PSM. The plant is assumed to enter shutdown cooling using the LPSI i system once a year on average. During the shutdown, MOVs SI-401, SI-405, and : 51-407 (A/B) are opened. Therefore, the probability of one initiating event in the mission time is assumed to be 1.0. CHVF10. This event models the failure of check valve SI-108. Due to the as-found degraded condition of valve S1-108, no credit is taken for this valve. Thus, the demand failure probability of event CHVF10 is assumed to be . 1.0. CHVFil. Event CHVFil models the failure of check valve SI-1071 to close on demand. The demand probability is assumed to be lx10'3 . L The remaining events have already been defined. The human error probabilities were calculated in Appendix C. The probability of a break in the interfacing system was calculated in Appendix F. F L b l I i t 1 B-23 i s - - -
~ . - - - _ . . . - . _ . - - - . - _ - .. . . . ~ . - . . . .
r_ _n _r.. O!, i s Reactor Vessel l o -* ; RCL Hot Loop 1 RCL Hot Loop 2 i
.v SI-40B SI-401A .
l
. , ~-;
2 0 p*9 h- SI-4058 7 SI-405A -,
,{
QL , 440 psh. p . _; i
%-- 51-4068 % SI-406A !
e cmt.nm.nt .....
.. .g.g..g . . . . . . . . . . . . . . . . , . . ..... . .. ............... .
i:
$1-4078 SI-407A ,
t t .
. SI-4 08 SI-41CA -
f i
] ;
[ _ SI- 088 ' [ SI-OaA f i
"O * "
-[. St. 07 e - .SI- 0 7 %
_ .]
.m -
[ SI-078 [ SI-07A n.tu. sag wot.r Storage Pool ;
,A, -T
. i Sequence 5 l 1
Figure B_.11 : RCS Hot Legs to RWSP via the LPSI System t
- B-24 i I
i
.L L i
1.1
. : , : e : ,
's q *
. .. a - , -
.. e, : ~
t s t : 1 1 4, . n , n a o, s
.e . . o e e - c - !
- h. , . . -
e 4 a y: s .r/. W
. .s a
~
d
~
??
M t
?
n . . . . o , e -. o -
,e 4 . * ) #
.r
- a "
i.
'I t
.. t
;.?' ,.
A
+
- .1,
., s - 2
.,s,.. e me g ~ .,
t
. .. g
-O w ,, * - * ;
- p.
se n-t
- c.
,, =_ .
t
.u,
. . .n
.e.. :: 2 e
i v _
.n. . ,.: :
, , . .I- .
. .. v !.
v . g- _a c., s . e_ 3. c EOg E Sequence 5 - Figure B.12 : RCS Hot Legs to RWSP via the LPSI System ISLOCA Event Tree. ! t B-25 ! 9 f
n-U References B-1. M. J. Ca1yean, et al., Assessment of ISLOCA Risks - Methodology and Application: Babcock and Wilcox Plant, NUREG/CR-5604, to be published. "" 9 e t 4
'1 9-L P
l B-26 1 I , i L i I
, I
'l-
)
1
~
i APPENDIX C HUMAN RELIABILITY ANALYSIS (HRA) FOR THE COMBUSTION ENGINEERING ISLOCA PR9BABILISTIC RISX ASSESSMENT J. L. AUFLICX L. N. HANEY Q C-1
O TABLE OF CONTENTS Pagg CE ISLOC A Human Rel i ab il i ty Analys i s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C-4 Scenarios and Human Actions for the CE ISLOCA HRA. . . . . . . . . . . . . . . . . . . . . . . . .C-25 Sequence IA-Premature Entry into shutdown Cooling (SDC).............C-25 Sequence IB Startup with Shutdown Cooling Valves Lef t Open. . . . . . . . . .C-25 Sequence 2-RCS Cold Leg /LPSI Discharge Interfacing LOCA.............C-26 - Sequence 5 (A&B)-LPSI/RWSP Suction Interfacing LOCA Durin - Human Actions for This ISLOCA HRA... ........ .......... g Shutdown.C-26 .. ........C-27 Nodeling of Human Acticas & Estimated Error Probabilities.................C-28 FTD-Sequence 2....................................................C-28 FTDGN - Sequence 2.(Using FTI - Sequence 2 (Using Procedure)................................C-29 Procedure)..................................C 33 Sensitivity Analysis for Sequence 2 - FTDGN & FTI(Knowledge-based)..C-37 - FTDGN - Sequence 2 (Using Procedure & Knowledge-based Behavior).....C-37 FTl Sequence 2 (Using Knowledge-based Behavior)...................C-41 Small Break FTDGN (Using Procedure & Knowledge-based Behavior)......C-42 , Small Break FTI (Using Knowledge-based Behavior) . . . . . . . . . . . . . . . . . . . .C-42 FTD-Sequence 5....................................................C-46 FT DGN - S e q u e n c e 5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C - 5 0 ..1 FT I- A - Sequence 5 ( 1 Trai n o f S0C) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C -54 FT I-B - Sequence 5 ( 2 Tra ins o f 50C) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .C-71 S u mm a ry o f C E I S L O C A H R A . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C - 88 ' Cenclusions.................................... ..........................C-90 References...... .........................................................C-91 , h b C-2 L
I: List of Figures and.Related Tables figure 1: ISLOCA Data Collection Form, page 1............................C-12
. Figure 2: ISLOCA Data Collection Form, page 2............................C-13 ;
Figure 3: ilRA Fvent Tree for Sequence 2, FTD (Fail to Detect)............C 15 ; Table Cl: llE PS fo r FTD Sequ enc e ? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C - 18 Table C2: Failure Paths & Total failure Probability (Seq.2,FTD)....C-19 Table C3: Revi sed HEPs for the CE ISLOCA HRA. . . . . . . . . . . . . . . . . . . . . . .C-24 ; Table C4: lluman Act ions for the CE I SLOCA HRA. . . . . . . . . . . . . . . . . . . . . . . . . . . .C-27 !
+
j figure 4: HRA Event Tree for Sequence 2, FTDGN (Procedure Only)..........C-30 Table C5: HEPS for Sequence 2, FIDGN (Procedure Only) . . . . . . . . . . . . . .C-31 Table C6: Failure Paths & Total f ailure Probability (Seq.2,FTDGN). .C-32 figure 5: HRA Event 1ree for Sequence 2, FTl (Using Procedure Only)......C-34 3 lable C7: HEPS for FTI, Sequence 2 (Using Procedure Only)..........C-35 - Table C8: Failure Paths & Total Failure Probability (Seq.2,FTI..)..C-36
- figure 6: IIRA Event Tree for Seq.2, FTDGN (Proc & Knowledge-based)......C-38 [
lable 09: _ HEPS for Seq. 2, FTDGN (Proc. & Knowledge-based) . . . . . . . . .C-39 ' Table C10: Failure Paths & Total failure Probability (FIDGN....)....C-40 Figure 7 HRA fault Tree for Sequence 2, FTl (Using Knowledge-based...)..C-43 ~ Table Cll: HEPs for Seq, 2, Fil (Knowledge-based Behavior)...... ..C-44 ! Table Cl2: Failure Paths & Total f ailure Probability (FTI, . .). . . . . .C-45 figure 8- HRA Faul t Tree for Sequence 5, FTD. . . . . . . . . . . . . . . . . . . . . . . . . . . . .C-4 7 [ Table Cl3: HEPS for Sequence 5, FTD. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C- 4 8 Table Cl4: Failure Paths & Total failure Probability (Seq.5,FTD)...C-49 , Figure 9: HRA Event Tree for Sequence 5, FTDGN...........................C-51 ! Table C15: HEPS for Sequence 5. FTDGN. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C - 52 ' Table C16: Failure Paths & Total failure Probability (Seq.5,FTDGN).C 53 ' Figure 10: HRA Event Tree for Sequence 5, FTI- A (1 Train SDC) . . . . . . . . . . . .C-55 . Table C17: HEPS for Seq. 5, FTI- A (1 Train SDC) . . . . . . . . . . . . . . . . . . . .C-57 ; Table C18: Failure Paths & Total Failure Probability (Seq.5,FTI-A).C-59 i l Figure 11: HRA Event Tree for Sequence 5, FTI-B (2-Trains SDC)...........C-72 Table C19: HEPS for Seq. 5, FTI-B (2 Trains SDC) . . . . . . . . . . . . . . . . . . .C-74 Table C20: Failure Paths & Total Failure Probability (Seq.5,FTI-B).C-76 l-L =- Table C21: Summary o f Resul t s for CE ISLOC A HRA. . . . . . . . . . . . . . . . . . . . . . . . . .C-89 l I
- l. ,
C-3 l L ( I I l r
C CE ISLOCA Human Reliability Analysis This appendix describes in detail the methodology and results of the human reliability ' analysis (HRA) for the third ISLOCA probabilistic risk 9 assessment (PRA). HRA was used to model the predominant human errors for each significant scenario in the PRA. HRA is a methodological tool which .inalyzes, , predicts, and evaluates work-oriented human performance in quantitative, that is, probabilistic terms. As a diagnostic tool, HRA can be used to identify - those factors in the system which lead to less than optimal human performance and can estinate the error rate anticipated for individual tasks. In a given ,[ a stem, or sub-system, HRA can also be utilized to determine where human 3 errors are likely to be most frequent. Traditionally, HRA analysts model human performance through the use of event trees like those found later in this appendix. i The general methodological framework for this ISLOCA HRA was devised . using guidelines (under development) from the flRC-sponsored Task Analysis-l Linked Evaluation Technique (TALENT) Program (C-1] which recommends task analyses, time line analyses, and interface analyses as appropriate techniques for a detailed HRA, NUREG/CR-1278, the Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications (TH[RP) [C-2), was also l useful since it recommends using similar techniques and provides a data base which can be used to generate human error probabilities (HEPs). Finally, this HRA integrated the steps from the Systematic Human Action Reliability Procedure (SHARP) [C-3), and A Guide for General Principles of Human Action Reliability Analysis for Nuclear Power Generation Stations (draft IEEE l standard P1082/07 [C-4]). . This combination of approaches resulted in 11 basic steps, summarized below, which were used as guidelines for this HRA. Following this brief *; summation of the 11 steps is a detailed explanation of how each step was applied to the HRA process. The 11 basic steps are as follows:
~
- 1. Select and train the team on plant functions and systems.
(IEEE P1082) P I C-4 . I
m la
- 2. familiarize the team with the plant. (IEEE P1082)
- 3. Ensure that the many possible types of human actions and interactions are considered in the analysis. (SilARP) (IEEE P1082)
- 4. Build the initial plant model (model systems and interactions). (IEEE P1082)
- 5. Identify and screen specific human actions which are significant contributors to the safety and operation of the plant. (SHARP) (IEEE P1082)
- 6. Develop a detailed description of the important human Interactions and associated key factors necessary to make the plant model ccmplete. This should include the key failure modes; identification of errors of omission / commission, and review of relevant performance shaping factors. (SHARP) (IEEE P1082)
- 7. . Select and apply appropriate llRA technicues for modeling the important-human actions. (SHARP)
- 8. Evaluate the impact of significant human actions identified in Step 6. (SilARP)
- 9. Quantify the probabilities of the various human actions and interactions, determine sensitivities, and establish uncertainty ranges. (S'iARP) (IEEE P1002)
- 10. Review results (for completeness and relevance).- (IEEE P1082)
- 11. Document all information necessary to-provide an audit trail and make information understandable. (SilARP)
The following paragraphs provide a detailed explanation of hos each of
- the preceding steps was completed during the HRA process at this Combustion Engineering PWR. Since the PRA/HRA process is iterative in nature, the reader should. note _that several sections of this 11 step method were repeated to-refine the analysis.
The first two steps of this process required the selection of a PRA/HRA team and their subsequent training on the plant and its systems. The PRA/HRA C-5
O team from the INEL was composed of three members: a nuclear engineer (for the PRA), a human factors engineer (for the HRA), and an electrical engineer (with extensive experience in both the PRA and HRA approaches). To familiarize, or train themselves, the team members extensively reviewed the following: Mechanical and electrical descriptions of the plant's systems (e.g., the reactor coolant (RCS), residual heat removal (SDC), safety it:jection (SI), and nuclear volume control (CV) systems. ' Schematic drawings of this plant's systems. 1he final Safety Analysis Report (FSAR) for this specific PWR [ The Technical Specifications for this plant (C-5] Procedures (operating, abnormal, emergency, maintenance,
-administrative, etc.), station directives, and operational practices.
Piping and instrumentation diagrams (P&lDs). The types, capacities, and locations of check valves / motor- - operated valves idcntified as being pressure isolation valves. Training materials such as flow charts, lesson plans, etc. Crew composition (for control room and auxiliary building operators) and level of training / experience Significant precursnr information from general ISLOCA-related , LERs. This training / familiarization process for the plant's systems was enhanced by a two-week visit to the plant. Step #3 required that significant human actions and interactions be . incorporated into the ISLOCA PRA analysis. This was accomplished through an extensive data collection-process during the plant visit. As part of the data
~ . collection, the utility provided numerous written procedures, training materials, and P&lD drawings. This data was supplemented by the use of extensive interviews and detailed task analyses with both licensed and non-licensed nuclear operators in the plant. Observations of control room personnel, the use of the utility's simulator, and system walkdowns with licensed and non-licensed operators supplied additional information.
C-6 L
~
/
r I Additional'information was supplied through interviews and walkthroughs with a ; former shift supervisor ( with over 10 years experience) from this particular' . { plant. !
+
The initial plant models were constructed in the fourth step. Using the l plant-specific data gathered in' Step #3, the HRA analysts worked with the PRA ! analyst and systems engineering personnel to specify human actions related to l the postulated ISt.0CA scenarios. As a consequence of several findings from l the earlier ISLOCA pRA of the B&W plant, extensive attention was given to !
~
latent. or precursor, human errors during normal operations which could lead j
- to inoperable-equipment or_ misaligned valves, Examples of these precursor l
- actions included: jumpering of valves to defeat protective interlocks,- [
maintenance procedures, in-service testing practices, and administrative j t procedures governing the generation and completion of work packages. ; The llRA analysts also examined active, or initiator, failures which ! could lead to an ISLOCA, and post initiating human errors during responses to f abnormal situations. For the initiator failures, examples included violations j of Technical Specifications, procedural violations (such as early entry into ! decay heat removal), selection of the incorrect vent path, and reconfiguring plant equipment. For post-initiating errors, the HRA team examined operator responses after a significant break outside containment. Specifically, the l HRA analysts looked at operator actions involving detection, diagnosis, [ recovery, and isolation. ! Completing the fifth step required the HRA analysts to identify those !
,. human actions which are significant contributors to the effective operation j
--and safety of the plant. Using the data collected in. Step #3, in conjunction '
with;a review of operational procedures and training materials, the HRA team { screened the various human actions, identifying those which had a significant j impact on plant operations and/or safety with respect to ISLOCA. These { significant human actions-were included in the PRA event trees, and they l
' helped guide the activities in the next step. !
-I C-7 :
i e O y -
.- w .. s -- w e -
E The output from the preceding step (1,e., Step #5) was a group of important human actions, for specific ISLOCA scenarios, which were described in generic, functiona! terms (e.g., operators recover system). In the sixth step, the analysts expanded the description of each of these key human actions from their functional description into specific operator tasks and subtasks (e.g., operator opens SI-401A, or operator closes SI-4078). By breaking down the human actions into specific tasks and subtasks associated with individual equipment and procedures, the analysts began to identify specific failure ' modes, root causes, and f ailure effects. The description of each task / subtask , das enhanced by referencing significant performance shaping factors (PSFs) , which affected a given task. These PSFs were derived from the task analyses, time line analyses, evaluation of the human-machine interface, and direct observations of operator performance. Examples of PSFs included: 1- the quality of the human-machine interface 2- written procedures (emergency, abnormal, maintenance, etc.) > 3- Piping & Instrumentation Diagrams (P&lDs) 4- response times for systems and personnel 5- communication requirements 6- whether the operator actions were skill, rule, or knowledge-based
)
7- crew experience 8- levels of operator stress in different scenarios 9- feedback from the systems in the plant 10 - task dependence and operator dependence 11 - location of the task (e.g., control room, auxiliary building,etc.) . 12 - training for individual operator actions, including ISLOCA situations. Each PSF was seen as casting either a positive or negative influence on the basic HEP, that is, as either decreasing or increasing the probability of failure for a given human action. For example, some of the positive PSFs - found at the plant included the following: C-8 L
l . g ,: 1- "The team aid not identify any significant deficiencies in the man-machine interface that might significantly increase the probability of an operator error initiating an ISLOCA." [C-7] 2- "The team found emergency operating procedures to be well written although they lacked some humcn factors considerations (see #2, negative PSFs)." [C-7) 3- "Although training specific to ISLOCAs was not part of the licensee's training program, operators indicated, during walkthroughs and simulator exercises, that they were generally well prepared to cope with losses of RCS inventory."[C-7]
~
Examples of negative PSFs were: 1- "
...the team identified weaknesses in the man-machine interface that could adversely affect the ability of the operators to mitigate an ISLOCA because of poor equipment labeling and the inaccessibility of some equipment." (C-7]
2- Even though E0Ps were generally well-written, the RCS Leak Procedure, OP-902 002, does not provide relevant guidance with respect to requisite actions for the isolation of ISLOCAs. As a result, operators and supervisory personnel would be required to rely on knowledge-based ac; ions, outside of normal procedures. 3- Within the context of the prior finding, operator training (based on Three Mile Island scenarios) emphasized that operators should not override a safety injectina occurring in conjunction with an unisolated RCS leak (see Sequence 2). This training could lead control room personnel away from the necessary actions.in Sequence
-2, to isolate a break in the safety injection lines (e.g.,
operators would have to sequer.tially close each HPSI and LPSI
. safety injection valve on the affected SI train).
4-- Operators' ISLOCA' diagnostic abilities were centered around Attachment.l of OP-902-002, which verifies a LOCA outside
*- contaiament but directs operators to a procedure (0P-902-002) which does not provide relevant guidance for the isolation of an-ISLOCA.
For_ this HRA analysis, the majority of influences from specific PSFs were implicitly modeled as each HEP was identified and quantified using various THERP tables. A careful examination of these tables-will show how individual basic HEPs can only be identified after associated PSFs are C-9
O specified. Stress and dependence were-explicitly modeled (Using THERP) as two
-of the more significant PSFs. From a human performance perspective, high levels of stress lead to higher probabilities of human error. Generally, our short-term memories (STM) can retain from five to nine pieces of information for brief periods. However, as stress increases, this capacity shrinks to levels where STM can only hold three to five pieces. This well documented finding interacts with a phenomenon called cognitive tunnel vision where high levels of stress cause an operator's visual and perceptual abilities to begin '
shrinking into a limited focus so that only one or two salient aspects of his , environment are featured. As stress continues to increase, the human also ,. begins to retreat from current conditions, relying on previously learned (perhaps incorrect) patterns of behavior. in Sequence 2, for human M ions FID-LOCA (fail to detect LOCA) and FTDGN (fail to diagnose ISLOCA), stress levels were modeled as moderately high due to required procedural responses during a reactor-trip and/or safety injection. For Sequence 5, FTD (fail to detect loss of coolant) stress was initially modeled as optimal until entry - into OP 901-046, the' Shutdown Cooling Malfunction procedure, when it increased to moderately high. For FTDGN in-Sequence 2, stress remained at moderat m high levels, but was increased slightly (e.g., a PSF modifier of 3) in F"I-A/FTI-B. This slight increase was modeled to reflect this plant's fear of a loss of shutdown cooling (based on a significant past LER.
)
In several of the ISLOCA scenarios, low (LD), moderate (MD), and high (HD)- levels of dependence were assigned between-the control room supervisor (CRS) or shift supervisor (SS) and the licensed reactor operator (RO). As used in THERP, dependence refers to the level of interaction between two or more workers. Dependence is usually modeled on a scale which ranges from , complete dependence (where a second worker fails on a given task because of the. failure of a primary worker on the same task) to complete independence (zero dependence or ZD). ~ A detailed data collection form (see Figures #1 and #2 in this appendix) was developed as an aid in '.he HRA data collection, task analyses, and the ' decomposition and descriptien activity just mentioned. This data form served as a template which guided the collection of the requisite information, in C - 10 1. t
g sufficient detail, for each task or subtask in the dominant ISLOCA sequences. ! Additional pieces of information, for each. human action, were added to these : forms as new details-surfaced (i.e., details from follow-up telephone conversations with plant personnel, the ISl0CA inspection report for this [
-plant, and a comparisor. of procedural steps to PalDs). ;
i The output from the preceding step (#6) resulted in the generation of an j o extensive list _of operator tasks and subtasks (with their associated PSfs) for ; each human action in the dominent PRA sequences. These detailed tasks are the j re;;uired input for the seventh step, which selected and applied appropriate ! lira techniques for modeling the significant human actions. For each human ! action, the analysts selected an appropriate technique for its modeling and j subsequent quantification. Because most of the human actions in this HRA ! involved the use of various written procedures, THERP type HRA event trees were used in modeling a majority of the human actiens in the detailed analysis. However, not all ISLOCA scenarios were best represented by THERP -l event trees alone, in these cases, HRA fault trees were used in conjunction 1 k
?
with the typical THERP event trees. Detailed analyses were conducted using {
'the fault trees and/or THERP event trees to estimate the error probabilities ;
associated with the dominant human actions. Quantification techniques ! included THERP and Human Cognitive Reliability (HCR) [C-8]. For each human I failure, basic HEPs were calculated using THERP or HCR and were then modified ! using performance shaping factors (PSFs) to realistically describe the work I processes at the_ utility. i Prior to the quantification, or estimation of human error probabilities, f
, the PRA and HRA specialists: reviewed and evaluated the significant human :
actions, and their associated PSFs, for each of the dominant ISLOCA sequences . (Step #8). After this evaluation, the HRA analysts developed the HRA event l
. trees and fcult trees used to model the significant human actions in each !
sequence. Acmding to the SHARP method, the development and use of these HRA . t
- fault and event tres "provides a disciplined approach for explicitly l evaluating altarn:t' ve actions and, if properly interpreted,' may provide the l rationale for includng some human errors known as acts of commission in the event trees." This-HRA modeled errors of commission and omission, which are C - 11 ,
I i I r
n; . p 1
' . 3 p c: nc e iD lasN IO Sutst a sk )O wi i
(r om s i Ze & CoripOs i t 6 on Who CDes 1ask/SubtaskD Cree es per s enc
- ton _____ Cp t i rre i __ _ _ _ LOder a t e .,.__ _ _ High____,
a is t i rre femit in ertant for t h i s t MA d s ub t B Ek O TeS or tb m I e n-? tc per f y m t 3 r,). / s ul .t 3 ch. ( a f t sa r d i agoog, i G/ dec l 5 i on) _ _ I
+
. e. '
.,c-.
(*v _______ a 3, . c.x , *n:i tan __,.____ sta i
' 'l i e !Cl u__ce?Gfui1- jC 4
- g . l e t ,+ d , Mat is nsw( actlon7
# and type of et i or t'*3 competing for atten* ion Qual 61/ of plant a rit')r f ace E = c e l l e n t _ ,, _ Goot _ F a i r _ _ _ Poor ___ very poor CT>er a t or es Stren L o
- _ __ CM i rm I . tA,aer a t e_ H i @__
T,pn of instrunent<contret c li- no t eT, on controls Consequence of improper per f or mance High __ Ludlum___ t o w _ ,, _ t E=pIain' feedback / System resDonse to operator DCtton
~
r Craer s t i on r out i ne ier or ib Coera t ion / tr a ns i ent understoca' les or tb ' Oroc Recd' res or tb proc covers Case les or tb . or oc we i I wr4tten ros or t4o proc understood res or tio Proc practiced Yes o- ic How much pract ice / tra in! ng on task? Cognitive eehavior- Skill ____. Aule,____ r_nowleoge_____
- Tagging Yes or f6 Describe:
Accovery Actions Checklists _____ insDeClions_,,__ 2nd Person,__,_ FeeCDack f rom Annunc i a tor s ____ Alarms _____ Otsplays_____ Figure 1: ISLOCA Data Collection Form, page 1 C - 12 L
I ,
- l t
p 2 i t- m c.c n.,,,.. t . . . r.. , a t i on ? t.oinin . f.,5 c.r c ic t n ro ow ,,y ac t on : T a ss s or s ula t as6- n cion.* ster-ty-step., __., or Dy n o m 6 c , ,, _ _,_ pa .e n. ;. .n c e is in., oro.3r or tne tan s critical ves or to i
. +
t o. me s (n , i a e or < ,.. ac t ion avrect t ne s uc c e<.o r a i i ur e o r t r + ne ,: t ' t
,. ,. <.ou,, _
- y. .. .o u c; i
'I t i i. .!' 5 . - or 'D l'. i t t n i n
' t ? t. J C l* O2d < ?
- a t ti t t *. t 5 ( c f.<' _ _ _ _ _ Or' C on t I rivous per f or rie nc e,,,,,,,_7
- n: o .De r a n .- r am at ion saretv c.c caut.on for in+s ; ot.o ,es or to if yes, what a waga' ______ ____ nrem P!E C or'n*?nt 5 Q r fi l .at n t + 6 peC i f 4 C PSE S' t
_. r
~
=wm-~~
1 i
+ nf J i t 07 3i C Omt r.rnt s / OLc er ya t i Ong
.~ s.- -
h __ _ . . r 1 a 7
+
?
L t t t I 6
*. ?
P Figure 2: ISLOCA Data form, page 2 : C - 13 ' t
?
.i e
b-i
O identified on specific branches of the' event trees wesented below. Assigning HEP estimates to each of the subs ~. .s was the major _ activity in Step #9 - Quantification. Traditionally, HRA analysts model human -= performance through the use of an event tree like Figure 3, which represents FID, fail to detect LOCA for Sequence 2, Operator error is generally placed along the descending right branches of the event tree, and successful operator actions sequenced on the left side of the tree. For example, on the top left, Event "a" - Control Room (CR) Detects Dropping Presst 4,. . (PZR) Pressure, is the success path. Failure to accomplish this task is modeled as Event "A" - -' CR f ails to-Detect Pressurizer (PZR) Pressure Dropping. When a second "
-operator, or group of operators, is involved, such as in Event "B" . Control Room Fails to Detect PZR Low Pressure Alarms, the action of this second operator, or group, may be modeled in a recovery branch, as shown in Figure 3.
Event "b" models how the control room has an opportunity to detect the pressurizer low pressure alarms. If the control room does detect the alarm, this becomes a recovery action because it would bring the model back to the success path (via the dotted lines in Figure 3), i 1 For each individual failure, basic HEPs were calculated using THERP or HCR, These basic HEPs were then modified using PSFs to realistically _ describe I the work process. Each PSF either increased or reduced the likelihood of a given human error action. For-the event tree in Figure 3, the following PSFs 1f I were used in the modeling to modify the basic HEPu '
-t s
The control roem_is assumed to be in mode 1 operations with one R0 performing a quarterly stroke test on the safety injection (SI) l valves, ' l't is assumed that two PlV check valves have failed and i that as the RO opens the associated SI valve, there is an-immediate overpressurization and break, which results in a reactor t trip and safety injection actuation signal. . Stress levels were modeled as being moderately high following the break. j The crew was judged to be experienced, ! High Dependency (HD) was used to model the relationship between : t the CR's ability to detect decreasing PZR pressure (or level) and C - 14 , l !
. . ~ . .. .-.~a.-a.a..a +~ n. . . - . , . s, - . . .nn. .nn-a...-.- ..n.. +-nn,., - . - ~ ~ - ....nu -
I _f'
-f
.4 t
i V
.es i
!) t
-D. :f
** yi g 44
~n
(. l,
.,x. ~ ~ t M ?
4
- s . in - r
& y 9 e' .1
- p. . v ._ v i
. t) .
4 y' @
. v 0 ' Q
~
in m-0 g( 0 I a [ L =0 vb
. e* -m e
.,l Q W Osa
?
.. .V a _ ?
F i,s -
.,,. p i, -,
. m ,/ :p -
.+ $m -
+
1 4
. , =
t
- ,/ N,x ,'s
, cu
+:[ ' i's u
." ,? - i f u, .'
;; rt g .,Q C f.s V rw O
9 . - y , o a ; y v s- m o e 4 > > gb v O $ @ h i l N s c c:i.* tr di 9 o G-e-
. e-
?
n, i m o* N. U
> a -l .!
- O O 4 05 0
., [T O - d. v
,L; + - i *d g I v c n ,CE, -
e h -e*
** g. -I
.? m .? v LA . a t *y R5e v /'-- s'EhN s N
c o i 1 p; (n - 9*
,, 9 y- n lp
$- -S I
i o , yb D ,e g > t a u.
.,2,.
o ee v e
-i a , - $, P' -
3 .
.F; E o.q.
O
+
2 I-v e
- a .. 1
' ,8 5; Y &
.ld nD- ,
W u .
-g .
N i._o
- bnn x
W:- ta ()
.m OE
+ec9t *# *N >
-- t' OO c'
- L yoe o .
. . -o- 8Se.3 g gl =
v$
. v .r m .N o y l
Ci ub 5 . , t1c n, c
.U) 6 t
8 ! 1 5- - 4 - D v n- e u _1 v ,
' ?
c; e s si-Figure 3: HRA Event Tree for Sequence 2 - FTD !
-s C - 15 l
, t f
4 r I
G the CR's ability to detect the subsequent PZR alarms. High dependence was also modeled between the CilS and SS as they decide to enter OP-902-002, the RCS leak Reduction Procedure. Individual error paths were identified and failure probabilities were estimated using the HEPs and tables from THERP or estimates from HCR. (The , probabilistic values in the THERP tables are to be considered as median values from a lognormal distribution. The estimates from HCR are assumed to be point , estimates), for example, in Figure 3, path "A" leads to a failure (the first tyanch on the right side of the tree) where the CR fails to detect PZR i , pr m ure dropping. This particular failure had a basic median HEP of 0.006 (from Table Cl) and an error factor of 3. This information came from THERP lable 20-10 #3, item #2, and was modified by a PSF of 2, for moderately high stress. The basic median HEP is converted to a basic mean HEP which is modified by the same PSFs. This results in a Nominal Mean HEP of 0.015 and an error f actor of 3. Each event tree has several unique error paths, for example, event "A" and event "B" constitute an error path where the CR fails to detect droppine PZR pressure and the same CR crew fails to detect the subsequent alarms. In a similar manner, failure path "A-b-C-D" models a sequence where the CR fails to detect dropping PZR pressure, then detects the subsequent low PZR pressure I alarms, but fails to detect decreasing PZR level and the subsequent low level alarms. Probabilities for each unique error path were calculated by multiplying each nominal mean HEP on a given error path by any other nominal mean HEF on the same error path (see Table C2). For example, the error rate for path "A-B" would be calculated by multiplying the HEP of failure "A" (0.015) by the HEP for failure "B" (0.279) resulting in a nominal HEP for that ' path equaling 0.004 (0.C15 x 0.279 = 0.004). NOTE: the 6-digit accuracy for numerical values in the following tables is an artifact of the sof tware used - for quantification and does not imply 6-digit precision for the HEP estimates. Other examples of error paths for this event tree include: "A-b-C-D", "a-c-E-F", and "A-b-C-d-E-F". The failure probabilities for individual error paths were summed, to give the total failure probability for that event tree. The resulting error factor for the Total Failure Probability was calculated from C - 16
}
_.. _ ... - _ _ _ _ . - _ _ _ _ _ _ _ ..._. _ _ ..__..i___--- i:
'l l
[ i I ( an uncertainty analysis using IRRAS (the Integrated Reliability and Risk Analysis System (C 91). Table Cl lists the basic median llEPs and nominal lican llEPs for the event tree depicted in figure 3 (i.e., f10 LOCA, Sequence 2). This table enumerates the basic human actions / errors, the basic or unmodified ilEPs (median and mean) f i and tb r sources, from the table and item number in Til!RP, whether the action '
.. was p formed in a step by step mode or done dynamlully, PSF modifier values and the 'related illlRP source, level of dep'ndency, and finally, the nominal, l
or modified, mean llCP with its error f actor (derived from li!LRP HEPs or THERP
' l lable 20 20). !
I { t I) i I l s .
-l 3,
l
.I i
t I I I i C - 17 I I h
- p. 3
- wwwur Pww v'-r w eee r ramv-s 'w amme- mima.s-r-a.in-m-ap-- -
b i lable C1: li[PS for f10 Sequence 2 i W. U $ !*3 i 1 M *!
,, h f, k
,-- f, l
. k.
d-i
. = * .t * * . 3 .
i L l K I I II EI i a n{= b 1 1
.I .I .i ! .
e,. . PI a" h
-w a S 2 3 m 2 y =y g % = % * % a
,j
=., ."- _ _
_ - - ..t
- # J .1 i e
- J. J. = = .J .
.). a>
i I 2 2 3 4 2 % t t
- J-A A e
A A e e A A e > Q,
]
m j: t 23 C .. l F e4 Nl aze si HE 1 i: I d' - - - - i t 5 E 3kn i i n t t
- c t t
- u l
w 5 6( w- s*:3A e ,f: .A. j R
.A.
i r t-
)
J E% . . . t
- a d'ia * *
- 3 * *
};*
W .v
- 1 J a)i:n. 1
.I 1I. i. . }
r N 3 . i i !
=-
n e a et a, : h h ? y I ,i ,i 2 g% I i i 1, 1, 1,l r, i. n , ,-
< *D 'l 3 $ $ $ _ f- { q -
g j. l ll ; e, : I
., 0 I.
f I ! I C - 18 i I Ii; I
; _- .. , _ . . _ , - ._..._-.-__._._._,.-..____,,._,...a_,._,.._..._._.. . , _ . . _ , _ _ _ _ _ , _ _ _ . . . -.._...,...T
ii Table C2: failure Paths and Total failure Probabilities (Seq. 2. F10) _ t C
- 9 L' 9 L' C
*)
H i =! ? i V E U e 4 e .a , s o ei
.e .a .a . . . ,
%c -
.== -
2 I i a 3. C e . u 2 3 ,, 3 s er 3 y
- e m e D. i e 3 &0 si R 1
r : w
= m, .
C s P. 2 a a o .i i I e, I : : : n ': t, E I [ , e I I e 5 l l
= : : : : : :
i
+ ,! ,I I, ,I ,I i 1
i 2
.. . e e o e e e U
a
.=
5 L E 2
'El e Lt.
- g 4 5 I I 1 % y i m
C - 19 I
0 Table C2 provides a listing of the individual failure paths for figure 3, 11D LOCA, and the ensulting failure probabilities for each path, including how the failure probabilities were calculated (again 6 digit numbers does not ! imply 6 digit precision for llEp estimates). (As a note for subsequent tables, f ailure probabilitics of "*" on the tables signify negligible error rates which were less than 0.000001. Table C2 also lists a total failure I probability for each event tree, which is simply the summation of the failure probabilities from the individual failure paths. As indicated in Table C2,
- the total failure probability for the TTD t0CA event tree in figure 3 is >
e;timateJ to be about 0.018. As r point estimate, given the pSfs discusted [! carlier, an RO, or group in the CR, can be expected not to enter the correct i procedure after detecting a loss of coolant, about 18 times out of a thousand. As discussed in Section 4.2, the estimates of human error rates obtained from THERP are generally treated as polit estimates with a given error factor (which is used to calculate a confidence interval). Swain and Gutman (C-2) . indicate that there is insufficient data, at this time, to accurately f determine the true 5,:pe of the underlying probability distribution associated with these point estimates and that these distributions are unimportant. Quoting from Swain and Gutman (pages 7-6 through 7-8):
"Although we would like to have data clearly showing the distributions }
of human performance for various NPP (nuclear power plant) tasks, there is ample evidence that the outcomes of HRAs are relatively insensitive to assumptions about such distributions..." < 1hese authors then provide several examples to support a general conclusion: , i "the assumption of normal, lognormal, or other similar distributions i will make no material difference in the results of HRA analyses for Npp ' operations, in some r.ases, this insensitivity may result from a well designed system that has so many recovery factors that the effect of any [ one human error on the system is not substantial... for computational : convenience, one might wish to assume the same distribution for C - 20 l i L
l ! i probabilities of human failure as the one used for probabilities of equipment failure, as was used in WAsil 1400", { i l 10 summarize, Swain and Gutman "suggest' that ilRA analysts " assume" the point l estimates from lilERP are medians from a lognormal distribution, even though j such an assumption is " speculative" at best. ! l
, While Swain and Gutman's approach (treating the llEPs as median values from a lognormal distribution) has certain computational and interpretational !
a'Jvantages, it has one distinct drawback, with respect to_PRAs. In most PRAs,
* .{
hird.iare failure procacilities are assumed to be lognormally distributed. The ; litPs are multiplied by hardware failure probabilities when calculating core damage frequencies. This requirer a median to be multiplied by a mean, a { procedure which does not result in a mean value of the core damage frequency. ; A mean core damage frequency can be obtained by converting the median llEP f values (from an assumed legnormal distribution) to ELO llEP values, thereby allowing the necessary multiplications. ; 1his HRA adopted Swain and Gutman's recommendation to treat each llEP as a median _value from a legnormal distribution. Detailed flRA analyses were [ conducted for each of the significant scenarios identified in this ISLOCA PRA. l Tables C1 and C2 (presented above) summarize the results of these analyses, j i.e., by converting the median HEPs to mean HEPs using the following formulas: ! k i Nean #EP = exp (p + ); where R = the Hedlan HEP) I
. r p = 1nks and,
- In(ErrorFactor) i 1.645 i C
C - 21 I r r I
- , , - - - . - - - - - - _ - _ _ - - . . . -.- - __ =
O Converting median llEPs (from an assumed lognt mal distribution) to mean HEPs allowed uncertainties in human error to be included in calculations of the . uncertainty in core damage frequency. The actual conversions to mean llEPs ' were accomplished by inserting the basic, median ll[Ps in each event tree into the equations above. The resulting mean llEPs were then modified by , appropriate PSfs and returned to the appropriate error branch on specific event trees, where error path and total failure probabilities were then . ; calculated for each event tree. A careful review of Table rr wi.' show t'It the conversion frcm median j to mean llEPs can cause prnblems with 'he resi'iting confidence interval. The ! reader may recall that ir.dividual HC4: c', considered a point estimate with f some uncertainty, e.g., a confidence interv41, surrounding it. Generally, this confidence interval is defined oy calculating the upper bound (95th percentile) and lower bound (5th percentile) for each HEP. The upper bound is ,{ found by multiplying the nominal (modified median) HEP by its associated error ' factor (EF) and the lower bound results by dividing the nominal (modified- { median) IIEP by the same EF. For example, when the basic median llEP for event
*A" (Table Cl) is modified, it becomes a value of 0.012 (the nominal mean HEP
[ equals 0.015), the resulting upper bound is 0.036 (0.012 x an EF of 3), i Likewise, the lower bound is 0.004 (0.012 divided by the EF of 3). I ! However, when a basic ilEP is modified by several PSFs, including dependency, problems with the confidence interval begin to arise. For ; example, examine event "B" on Table Cl. The basic median HEP for this event I is 0.0001 with an EF of 10. When this llEP is converted to a mean value and . t modified for stress and high dependence, the resulting nominal mean HEP is 0.5 with an Er of 5 (from THERP Table 20 20, #5). If one calculates the upper bound for this HEP, by multiplying this value by the EF (or more correctly by - multiplying the modified median value, 0.5, by the EF), the result is a value l of 2.5. Since we are dealing with probabilities here, this value is an ) i anomaly, because the maximum value for a probability is constrained to be less than or equal to one (i.e., unity). To correct inis difficulty, the nominal i mean liEP and Ef were adjusted using a constrained lognormal distribution (see
- Appendix 0 for details). The resulting revised nominal mean HEP and EF are i C - 22 L j!
L
i l l l [ shown in Table C1 as the values with an "#", just below the old values for [ event "Ll". lhe revised mean ll[P is 0<279 with an EF of 2.5. Similar ! adjustments have been made for other events in Sequence 2, as well as for several human actions in Sequence 5. Table C3 presents a list of all of the llEP revisions for each sequence and individual actions in this llRA. lhis table lists the Sequence number and associated ilRA tree, the human action from j that tree and the following numerical values: I l 1 Basic Median ll[P with its (f; 2 t'ei!fied Medlan llEP (using associated PSfs) with suggested [f: 3 Man llLP and its Li (from legnormal distribution); j 4 - Revised mean HEP and Ef (from constrained lognormal distribution). 5 50th percentile value (constrained lognormal distribution); I 6 and 95th percentile value (constrained lognormal distribution); j t 1his example focused on the event tree for Sequence 2 T10 LOCA; a similar process was followed for each of the remaining human actions in the itRA. Specific details.-including event trees and ilEP tables are provided in ! the following section, i t I The steps #9 and #10 of the llRA process required the analysts to { extensively review the results of the llRA and to document all of the ! t information needed to provide an audit trail. As final llRA failure g probabilities.were generated for each ISLOCA sequence, the llRA analysts = [ consulted with the PRA analyst and a systems engineer regarding the validity, { completeness, and relevance of the results. During these reviews, several i i questions arose which required more information. Several telephone calls were j placed to operations personnel at the plant and detailed interviews or { walkthroughs were conducted with a past shift supervisor from the plant. { i The last step necessitated the documentation of the data, methodology, j
'and results from this llRA to provide an audit trail. This was accomplished by
'the creation of a data notebook, which contained the completed data forms, l i
pertinent procedures, working notes from the ISLOCA inspection, and the NRC ( ISLOCA inspection report. i C - 23 ! f 4 t
. - -,.- ~ ,. ._ .- ,. . _ . , - - . - - - _ . - - _ - . . - - - . . - - - -
i L ;;' p :: O. l HEP Revisions Using a Constrained Lognormal Distribution g Median . M6dified ~Mean 1 Revised ~50 %lle l 95 %Ile i Seq..# Human Action HEP (EF) Med (EF)- HEPfEF) Mean(EF) '( E l, 2-FTD B CR fads to detect PZR low press alarms 0 0001(10) 05(5) O 5 (5) 0279(23) 0237 O 6CS 5
, DCR fads to detect PZR lowlevelalems 0 0001(10) 0.5(5) O S (5) 0 279(2.5) 0237 0608 y F-SS fais to drect CRS to enter OP-902-OO2 0.1 (5) O 6 (5, O but (5) O 331(2.3) 0291 0672 0.1 (5) O 6 (5) 0091(5) 0 291 0672 '
2 FTDGN B-SS fads to detennne d SG pressee low / dropping 0 331(2.3) D-SS fads to determne contart. press. not nsing 0.1(5) O 6 (5) OtM1(5) O 331(2.3) 0291 0672 9 F-SS fads to detect no actnnty vi steam plant 0.1(5) O6(5) 0 (A i(5) 0.331(2.3) 0291 0672 H-SS fads to venfy entry into OP-902-OO2 0.1 (5) O 6 (5) O t:et (5) O 331(2.3) 0291 0672 M (m 6-FTD C-CR fads to detect PZR Lo-l.c level alarm 0 001(t0) O 5 (5) O 5 (5) 027925) 0237 0.608 G
- E-SS fads to drect CRS to enter OP-901-046 0 005(10) O 51(5) O 51(5) 0294(25) 0241 0614 5 6-FTDGN E-SS fads to drect CRS to enter Sec. 61(Op-901-046) 0 005(10) O 51 (5) 0 51t5) 0264(5) 0241 0.614 [
6-FTI-A B RO fads to remrid CRS to close S1401(A/B) 0.1(5) 0 65 (5) O 74(5) 0.354(22) 0.315 0697 h D-CRS fads to remrid RO to close S1401(A/B) 0.1(5) 0 4 (5) O $6(5) 029924) 0257 0633 F-RO fads to remnd CRS to check RCS not stabdrang 0.1 (5) 0.65 (5) O 7445) O3542 2) 0.315 0.697 H-CRS fads to iel Ro to check FICS not stabiliang 0.1 (5) 0.4 (5) O560) 029924) 0257 0.633 J-Ro fads to remnd CRS to place standby SDC 0.1 (5) O ES (5) O 7445) O 354(2 2) 0.315 0697 L-CRS fads to venty RO placed Standby SDC_ O.1(5) _ 0.4 (5) 0 Su(5) 0 299(2.4) 0257 0633 N-RO fads to remnd CRS to close S1401(A/B) on.._ O.1(5) 0 65 (5) O 74(5) 0354(22) 0.315 0697 P-CRS fads to verdy RO closed correct S!401.._ o1(5) 04 (5) O 56(5) 0 299(2.4) 0257 0633 a 6-FTI-B B-RO fJs to remind CRS to close S1401 (A/B) J 0.1 (5) O 65 (5) O 74(5) 0.354(2.2) 0.315 0697 DCRS fais to remind RO to close Sl401(A/B) 01(5) O 4 (5) OE6(5) 0 299(2.4) 0257 O633 l F-RO fads to remnid CRS to check RCS not stabdiang 0.1(5) O 65 (5) O 74(5) O 354(2 2) 0.315 0697 H-CRS fads to les Ro to check RCS not stabdiang 0.1(5) O 4 (5) OE645) 0 299(2.4) 0257 O633 J-Ro fads to rerrund CRS to place standby SDC . O.1 (5) O 65 (5) O 74(5) 0.354E2) 0315 0697 L-CRS fads to venty RO placed Standby SDC . 0.1(5) 0.4 (5) O 56(5) 0 299(2.4) 0257 0633 N RO fads to rerrand CRS to close S!401(A/B) on_ 0.1(5) 0 65 (5) O / 45) C 354(22) 0315 0 697 P-CRS fads to verty RO closed correct S1401.. O 1 (5) O 4 (5) O bH5) 0299(24) 0257 0633 I i i
,,-,,,.~~.,,,,,-,.-.,__..,..,..,,,rm., , - .
-,.,..,,-..-g r., - . , . ,, - - - , , , . . ,.,,,---,-.-,,.m..,..- -.%.. m---._.-- ,- -. - ,_ ,.- - ..I
II Scenarios and Human Actions for the CE ISl0CA IIRA This section describes the scenarios and summarizes the human actions analyzed in the CE ISLOCA llRA. Iluman actions for the sequences were initially identified in a cooperative effort by PRA and llRA analysts based on plant-specific information. The sequences were selected for analysis by the use of screening IIEPs in the PRA modeling to determine likely scenarios in terms of ISLOCA risk (i.e., core damage frequencies greater than 10.a/yr). A screening ilEp of 0.5 was used, except in some cases where a screening flEP of 1.0 was judged appropriate. following are brief descriptions of the selected xenarios from an llRA perspective and specific tables of the human actions relevant to the scenarios. Secuence 1A premature Entry into Shutdown Coolino (SDC) Dur.ing the plant shutdown process, the operators will open MOVs 51-401 and 51 407 (A&B) and HOV S1-405 (A&B) to bring both trains of SDC into service. Sequence 1A investigates the likelihood that the operators prematurely open the valves when RCS pressure is above SDC limits (396 psig and 350 F). To open the valves,-operators would have to override interlock permissives, disregard administrative barriers, and take actions beyond those specified by operating procedures. Further human actions for this scenario were not analyzed in the HRA, as premature opening of the SDC system suction isolation valves (the scenario initiator) was estimated by the HRA to be not credible, having a negligible probability. ELq1tence IB - Star, tun with Shutdown Coolina Valves Open Sequence IB is similar to Sequence IA, except that the plant is
.. undergoing a startup. In this sequence operators must fail to close MOVs SI-401 and SI-407 (A&B) and HOV SI-405 (A&B) leaving one, or both trains of SDC in service. 'An extensive review of administrative barriers, operating procedures,- and plant systems indicated that the plant has well defined procedural guidance in conjunction with redundant systems and multiple alarms which would warn operators about any of the MOVs or H0Vs being lef t open C ' 25
O' during plant startup and pressurization, in addition, the auto closure interlocks on the SI 401 and 51-405 valves (a feature which the utility .tants to remove) would automatically close both valves when RCS pressure exceeded ,l 700 psia, further human actions for this scenario were not analyzed in the ilRA, since startup of the plant with these valves left open was also estimated by the llRA to be not credible, having a negligible probability. EtqucE e 2 - RCS Cold lea /LPSI Discharae Interfacina LOCA In this scenario the reactor is operating at power and a quarterly I troke test is being performed on the LPS! discharge motor-operated flow control valves (l10Vs S1-138 [ALB) and SI-139 [A&B]). Two check valves protecting one of the four MOVs have failed. When the MOV is cycled open during the stroke test Lpsi piping is exposed to RCS operating pressure. This results in overpressurization of one LPSI train and a rupture of the system in one of the RAB safeguard pump rooms, cicating a large RCS leak outside of ' containment. A reactor trip and safety injection automatically occur with low pressurizer level before the MOV is stroked shut. LPSI components in either the overpressurized or remaining train may be adversely affected and fail due to their proximity to the leak. The leak may be isolated by closing the 110V , that was stroked open (which created the overpressurization). Operator
}
failure to detect, diagnose, and isolate the leak may result in core damage. Seauence 5 (A&B) - LPSI/RWSP Suction Interfacina LOCA Durina Shutdown In this scenario, the reactor is shut down and shut down cocling (SDC) is being brought into service to remove decay heat. _ Low pressure piping from - the refueling water supply pool (RWSP) is protected from higher pressure in the low pressure safety injection (LPSI) piping (used during SDC) by two check valves in each line, failure of both check valves in one line results in overpressurization and rupture _of the RWSP suction piping, thus creating a reactor coolant-leak in the auxiliary building (RAB), outside of containment. Version A of the scenario begins with one SDC train in service and one in i standby. Version B of the scenario begins with both SDC trains in service. The RCS leak can be-isolated by shutting one of the suction isolation motor i C - 26 i l 1 _ . _ . - - - - _ . ._ _ _ _ _ _ _ . . . _ _ _ _ _ _. ~--._ ._ _._ -,._- ._. _ _ ._ _ .._... _ _ __._ _ _..-.___
N 1 operated valves (MOVs- 51 401, 51-407, or il0V S1 405) of the affected SDC
. train. Failure of the operators to detect, diagnose, and isolate the break i
will lead to core damage. ; 1 10 man Actions for this ISLOCA HRA i l 1he following table lists the PRA identifier and a brief description of l
. cach relevant human action identified for analysis in this HRA.
i iable Cat Hvaan Actions for tne CE Hi'A I Seq . # IDENTiflER DESCRIPTION __ l i 2- fl0 Control room (or operators) fail to detect LOCA- ! 2 FTDGN Control room falls to diagnose ISLOCA ! 2 fil Control room / operators fall to isolate break { 5 TTO Control room / operators fail to detect LOCA I 5- FTDGN Control room / operators fall to diagnose-ISLOCA I 5- fil-A Control room falls to isolate break with one ; train of shut down cooling in service ! 5 fil-B Control room fails to isolate break with both [ trains of shut down cooling in service _ I j
. l a
.c I e
i h C - 27 i t
c-0' l tiodelino Of Human Actions And Estimated lluman Error Probabilities for the ISLOCA Human Reliability Analysis lhis section presents the HRA event trees and the HEP estimates for the , human actions identified as significant for this ISLOCA HRA. An llRA event tree (with any associated fault trees), subtask llEP tables documenting HEP estimation for each subtask branch on the tree, and tables providing failure path calculations and total failure probability estimates are presented for , each human action. Each set of trees and tables for a human action is creceded by a brief discussion relevant to the modeling and HEP estimation for - that action.
- fl0 - Seauence 2 fl0 for Sequence 2 models operator or control room failure to detect significant indications for a loss of coolant and enter OP-902 002, the Loss
~
of Coolant Accident Recovery Procedure. The critical subtasks, detecting symptoms of a LOCA, i.e., decreasing PZR level and pressure, for f1D are modeled according to step B.2 of this procedure. HRA modeling assumes that the control room is in Mode 1 operation with one R0 performing a quarterly stroke test on the safety injection (SI) valves, it is also assumed that two PlV check valves have failed and that as the R0 opens the associated Si valve, } there is an immediate overpressurization and break, resulting in a reactor trip and s&fety injection actuation signal (SAIS), furthermore, stress levels were modeled as being moderately high and the crew was judged to be experienced. High Dependency (HD) was used to model the relationship between the CR's ability to detect decreasing PZR pressure (or level) and the CR's ability to detect the subsequent PZR alarms. High dependence was also modeled between the CRS and SS as they decide to enter OP 902-002. The HRA event tree, subtask quantifications, and total failure probabilities for this event , have already been presented in figure 3 and Tables C1 and C2, As listed in Table C2, the total mean failure probability for FTD in this sequence is 0.0175 with an EF of 4.26. No credit was given to the CR for an alarmed pressure indicator (PI) between the two check valves because the CR generally disabled this annunciator by pulling its card, and because the stroke test C - 28 L
;I procedure does not direct operators to check the pressure on this PI before stroking the valve open.
F TDGN - Seouence 2 (Usina Procedure Only) TTOGN for Sequence 2 models the control room's (CR's) failure to correctly diagno:e an ISLOCA using the diagnostic flow chart from OP-902 000 (and Attachment 1 of OP 902-002) the Emergency Entry Procedure. The critical subtasks for fl0GN are modeled according to the requisite actions for the CRS anJ SS to correctly diagnose an ISLOCA. PRA modeling includes critical procedural steps from the diagnostic flow chart arid verification of entry into OP 902-002, the Loss of- Coolant Accident Recovery Procedure. Recovery paths are also modeled. Stress was assigned a PST value of 2. i.e., moderately _ high, and high-dependence was assessed between the SS and CRS during diagnosis of the event. The ilRA event tree, subtask quantifications, and total failure
--probabilities are presented in figure 4 and, Tables C5 and C6. As listed in Table C6 the total mean r ailure probability for FTDGN (Using procedure only) is 0.02 with an Er of 3.96.
I
= -
4 i f l C - 29 l
O a 3 eh 1
-a .
Ei 2 b t: . 0t [T P t a f E' @
!-8% :
%s 6y -
I f .'.o..,{"., g
,t >s t , t
, ,., , c e., * -
s
- , y i v
~
y : .: o >e ., r
! / t o,, '1: / t'
- 1. t t a -
h' d
; f(~,s
{Tu- }[
&. t .- o e
[ e b g r u v c
, e,N,3 p, e n
,e.,
c
- 3. BS - ..
o o
, s- ~! e g
, [g
< ~
- $y. '.
ga r [, ' iN fI'8!l< t;, f 3 ,5 t s. of.,+$$, v e $ ,' c - [& s v. o h,, a n-s 3 gY . gi ;c o e , 3 i sN sq r
,',<f?x v oc V,0 l<uh. hy
- t v m e +m
-w
- d. 3 6ho .
~, b ; ;q) r; ug -o g, g
- - t .
..., ,e eo jE s,,., .; .,Ny,I ,l,., ,,;
e . e
-~ --h t8
!e 5 g o.g .T. 3 Nd ,, a %<;\
na
.e oo"d n f ei -
o 1 d5- o 5 w *?! "o ' r08 a<o 2; ga c.
- cy 2 v Q g' f-i er il --
<+, &g 13 >l e FJ e b n ' 8 3, 9 k *C g g,e, 6c d knsto W W 73 e m g 5, S ;; ;
e v vo e
- UN -
e_s y.
,c 4,-
E y, m i D h3 w
.:,. .,. a.
@r v o vo e . -e t ;r N . .o. n p!
- g, .. ,avi g >
m+ a.a u o r v' vgc.
, p LT U *' g y -
On! WO , v!' u~) L. &
~
Q. -> i g Ot e a* t
,; . , s h ~, ~
, q s._ vaC
= -
U l.D n9g a rv VO V l H _; o
, cn. -
- LL U aS%
l , Figure 4: HRA Event Tree for Sequence 2 - FTDGN (Using Procedure Only) C - 30 L
I Table C5: HEPs for Sequence 2, fl0Gil (Using Procedure Only) ;
,k.
6 4 i
- a. a..,. . . .4 - , .. ;
- I.
gu . . . . . . . - 3~
'$w A 2
5 Ig1 R
; g R g F
.i i
. s i. . . s i. ;. .s .i .
yt gi=t ! E E E EE I E 1 ! 1 I. i. !. ! r
": A l
= = - . . . .
=
. , r. ; s c a s. : 3 ,
- J J J
.L
, ae .J . . . .J J. J. J.
g j$ 2 2 2 2 2 2 2 2 . a ;A A A A
- $ A
- .A. .A. r.
i y :
.= t x
u :p 9_ . . i y: 11 - x tt ! F. }A! z o _j i i i i i i ! 5 l 7 vg= t t ; i ; M C iw3 a 2 n 2 n a n n !
= J. : s -
A A A A
- A &. A A
i 5u tt er . . . .. . W .3 ,. w n e e a ~ e m n , z b .x JI .! s I. - I. 1 0 n L u 1 1 1 1! 1 {
~
.=
.a I LI t
j j! a .t. F
. i r- .4 s m , 3 ~
t a p . e g - I ~ $ i u n g * & T
< .g ; ,{ I
- I l
dj l j Nf .i I f fg
=
se a u e-' i s3 s1 as e, s 4 as s a a E - 4, J' J ,1 J & v 3 m 3 p $ e ay U" I' 5L $ v $ 55 E1 i
< . v e w 6 o :: .
f I C . 31 4 P
]
[ .u5C - nm.
,&_ C ; ,&g" . s " s. o&",. mw Os c a sy o=$ C **
- Q23 y0 ,
1 s l t e u s e R 3 4 t t 4 3 4 3 4 1 s 3 4 3 5 9 ne I W
)
= 7) t u
n nu % U 3 h nn 4 n g W um u k p h M t u . m n w W s= a 2 6 M J x e t> 3 3 u t s k 8 l u f e f n D p 3 0 9 _ O e 0
- e 0 a g 0 4 O e 0 o g 0 3 _
s i e 4 it ' t i l i y a l it h i r o 2 b a e b l' c o e n r r e P u u s l q e n o ? re ro i e u a S it w l t c F - a 3 a
)
l e ia . l y u e F Fr a l n l c e
+
l t a 7 7, 7 F a o . o o C *3 4
+
w w T e t o rr T e r t e 3 e D 3 T E d n d u e s e e e a u. : e e s g a e t e w *4 ~ 7, *
*4 7
e 7
- 9' 7, c
s i o r w 3 a s o e s 4 e e n s t e w 3 3 s t. e 4 t w w p e i t a g e e a e a e e e a e
- e. e, e o e
e e a e a e e a u. u. e P n ? v v = s
- w v, n
e, v F T "4 9 m t e n w e r is u D 3 S t e s a e t e 4 n s 4 s e s es a n e e 3 3 t e t e 4 e n w 3 e m 3 u ( s s e e e e e e. e a e a o e. a e e a e. e a
- m. e a
l i N e s e a s o e. e, e e e e e a s e s e w a G
- w a
, v e
9 s v 9 9
** 9' m n o
c F D 4 a o g 4 e s s e 4 s 4 ts a a s o 4 f e t 4 M s i e s e 4
.i t e
e.
- T-I e e e e s e ee e e e e s e e e 6
C l e b a T h
- t a
P e r l u ia
- F t
i i t J m a t s s t i l n n o t a t s r x c, 7 F c. t a t e t t f m B e c. r w e D d d a r t e A h a sA h a a s a b A r e ro C. c. t.. - m e i r 3 s 5 8 2 3 4 s s 7 e 9 a 1 t e i a n , wn r
- ' j j' , ]i t
__ ___m_.__.___ _ _ _ . _ . . _ i
~
i f fjl Stquence 2 (Usina Procedure) o An extensive review of Op-902 092, the Loss of Coolant Accident Recovery Procedure, and multiple interviews with a past SS from this utility indicate ; that this scenario is beyond'the scope of the appropriate procedure (which was i written to cover a design basis LOCA only). As a result, there are no f appropriate actions within this procedure to guide operators to isolate the
. leak in this scenario (fil - Sequence 2). Therefore HRA modeling only
-included one subtask, " Control Room fails to Isolate Break" with a failure l
[ rrobability of 1.0.
.f Since the procedure OP-902 002 does not provide guidance pertaining to the isolation of an ISLOCA, the question becomes: "What will an~ average l Control Room (55, CRS, Shift Technical Advisor, and Technical Support Center) l do to isolate this ISLOCA break?" figures 6 and 7, and Tables C-9 C 12, !
(following lable C 8) present a sensitivity analysis for Sequence 2 actions: fl0Gft and fil. The sensitivity analysis is based on extensive interviews with f a past shift supervisor from the CE plant, i t attempts to model the " average" ! CRS. :SS, and Control Room response using the diagnostic flow chart from OP- ! 902 002 and knowledge based hhavior, outside of procedural guidance. ! I i i l a h W C - 33 i i h _ , .__._m__._.______.. _ _ _ _ _ _ _ _ _ _a
O o (l1 p o g a g, m 6 G' t (- 1; .- 7, e n bsc -, . l t,/
/
\xx
\ .
\
,1
\s b>
_J v) L'l
'l' a
i^~, o b RJ ' -
'.D o
\ vs 1].)
O ~ _i U c-Tj _ u E
- n8 o q) ;'\.
cl
) n -
n - a O u
' 11 CL E U) o
.- u V) .
I c i g
'~
Ul f- ~> LL s_/ Egure5: lira Event Tree for Sequence 2 - FTl (Using Procedure Only) C - 34 l~
.1 l
i 1 . Table 07: HEPs for F11 Sequence 2 (Usit,g Procedure Only) ! t I 1 - ww 1 1
~
#5 i
^
lb
,g N i
e- I lM $
, n
.{
2 i5 .
'n> g
** b
% z e.
g .$. j > k. e = .."_-, ~ - ~ - . - i
*** 6 M k y sa i C l'l L 2a f tt
- a I e5 A e* '9 e
k c; bb . 252
+
At # E em
$75 4 I
*g b g W vz i N
s ddU ;: 4 ! U m .I. . 6 wEe -
*o 8 a
L
.it 3 A jl"d . '
W~ 2 - - r i
.. I si feJ # ',
m ,2 w ? a p g *
-l 1 ..
5 t
. $ t B
l * ! I l- c
- O I
4 s C - 35 i I I k i k
. . . . . , .-. ., .-.__ - - ._ . .. ~ . - . _ _ . . . . - -
1 Oi Tabic 08: failure Path and Total failure Drobability (Seq. 2, fil Procedure)
$ I C
ce q C. C I
*=+-
O N '*
.3
.* h'
~ o.
.T
~
~
3' C
"uw - ,
3 d' C SA L c C b C n Q *.5 E%
- b. 'Ti .a .
- E a :
M 3 2 - = ,
.p 9 3 b v U -
C F e g 6 W C
$ Io
" i 8
~
L U ~ G m e&m a km , e4 == as-
.3 C
h 5 4
.a s
E - d' C 36 L
Il ! i knsitiylty Analvs's for Seqyrnce 2 - f1DGfl and fil [
-L i
Given that the control room and operators will fall to isolate a break in Sequence 2 If they enter and follow OP-902 002, the toss of Coolant Accident Recovery Pr v ic e, the question becomes "what actions will the average SS and C'!, Dw # cide of procedural guidance, to isolate the , break?" To answ;F tho igga('su, $cveral detailed walkthroughs were conducted [
. with the past SS w m!', U (rt, pertaining to what the average crew would !
probably do- to isolah ich ;ca. The following ilRA event trees and i , cuantification tables reflect the new modeling for events flDGil and fil which in crporate operator u:,e of procedural guidance, training, and knowledge based
- behavior. I TTDGft - Seatttn.11._2JVsina Procedure and Knowledoe-based Behaviorl As can be seen in figure 6, event F10Gil is modeled in a similar manner j
- (compare _to figure _4) with the addition of subtask "G" - Control Room fails to !
Diagnose Location of Break. This particular subtask was quantified using the IlCR technique. It was assumed that: the operators had 3570 seconds available [ and it would take 1830 seconds to cc:plete the task; the crew had average. f (nominal) training; the situation was a grave emergency; and the quality of the man macitine interface was fair. The knowledge based non-response ; probability for this subtask was estimated to be .48 (i.e., .479). figure 6 ) presents the ilRA event tree for f1DGN Sequence 2 (using procedures and
-- knowledge based behavior). Tables C9 and C10_ provide the appropriate llEP values and subtask quantifications with an estimated total failure probability l
[
- of 0.39 and an EF of 2.02. !
M l l I C 37 l l i I. L - . . -- . - .
1iiilt1l,liti Ii l j!lJ;l 2 g ri 8 n <,. p - . c, r. . y~, , c -, ,3 r
)
v
' pS
.-y i r
s .
.m 3 t r a
~ a 4 3 t rt t . t
, e
. M es.
a.3 3 N ~. ss i 5 e t 4 y A-
** + ~ '. '
.d% - i
~
4 xj
- .t s
- P m 4
S r, , ete .3 t t c sg v [ e t cF e + 5 7 t t a er
- 5 ) o t
' 5 ce g c. h I.s_
- t - k oe t
?
. O s
C L 7, _ is M* C mDD t e C& e i ts at og to&c r s 3 t p . t c e 6 s s t e s r e ;e 4_. 5 F e i e' e f D C e- n e
'a ,w ,
C s t 3 y m (s 5 i f
- s 5 f a
w.y C 5 5 yes n' c E oI t b I - d' c' arm K V. t vI ts Y O
< "e k t
' t o**t P v
O e a W 9 t e ' t n f$ cn f c
+
- e t
M eM.(. s$ aD - e v,/ e f
, se se y
I e . C- st t L c<sN c s s S # S v a 6 a m o7
- S E ) oc M 5 e X'.f ns S 4 t lp /
0 r C vCW ie mr - c am e e n o
- as Fo f e e
v o os a y t t en g Mts c e r t t n c a
. 2 t, C eo C oo o
no f C S W' F s s /( t e it A ii C 3t r t n ci G c6 - nt t a y t n cC n O o a t n e 6- d ivlap 5 a y u < d D t
'L e t
C c m a[ & qd s - O 3 e e@ a en S ot a f S C b o s O - <
"r o .
m3 y
- O g : e o r f
C C r t N g e f Gnl too r w - t n Di 5 o no ev T V n - C t a F ( K D . < c gf
,c.c. 1 y$ <c3p 49CC %o ?
tOo.
/
y, "1*gCZeC" . D 5ongaC3o
?
J o De M L OK $mOeUwtGC eo .. <- Oh 3. (
~ a u7aC e,C =r,e g , moc* ? ,4oO? ce Ec 7,C&c G ,C P E Qo5 epo4=ya ? _s<*O, s l r
- r. u e e e 3 e e 3 . e 3_ .
r r a t s a s 1 3 s L 3 s : s u E t t s t n A=P r e n
- =
mu s e. s e 3 t r cEiI m e u a 4 3 s e s - s 3 t w ua s ,.
) SI s e u e s a
n e s . e s e r . r F o e a 4 e a e e e , e . i o \ v a nap e. s s 3 s s e t s i s a a 3 . s l e at eE o. ? a s s e m i f SI I
- n. w
. s c. n 7
7 b e e i e t e e e d ii e - s t d t a i. t e ,m s t n s t o n n i t b- g i n I s e i n i e il I' k e I t ll:' 1' !i ! litI
. i n r a u s s ~
i r e . e e , e G. ere s e o s m. 1 s a 4 a k n t S S a. T n N T M T xa T T r s c rc. M l I 2 z 2 2 2 2 a r, o t m r r % fo p . ri c n n i p pa
- em s 4 s s s s e m e . e e i
s u e rni s m s s s s s SSh t t f N 3 3 3
!e P# t t -
G tR e i, a a s - ; D rEh e s s r e 4 2 2 i 2 2 ai r ol - - T l cia SlT t a f a T e r T 3 T a2 T T s t o-. L 2 r
- r. e e rt r c e e e e . e s
e s c E a 3 s 3 s 3 n F e e i p ichP
>dE 6 e
i t tetI i m e i a a - a n a S e e 6 e . ( e S r e. f o n e e
- e. a.
S e .
. .,. e.
. s l' = e. 4 y 1 E . e I
I r o r
=_ :
p c _ .
- r . .
. E .
e t 9 , , y l C e
/
it n c a cs y % c. w h e. t h. e m. e w. a. b A . . . nsa . _ . a a we T e m m
*e e .-,.
- w, z,
d. e s L
~ .
f. l l e i n
- s. . n_ t a a.
s. e .
- s. .
d. s.
- m.
s
- a. f _
n4 n. e s s a-r i s-s 5 R ( , s" t S* 8 a c ss e ww t. A e C D e r c
"
- WC
Q e s Oa C ns=.o.
, E,o dro. y {
,e, ~C 7g[c * ,3*< n*oa* N. '4oE? -
2 L2 e yob oCLe __ a L _ en mCw _ t s l u s e R 3 4 : : I 4 , 1 3 4 il 9 3 9 2
) ) a m 7 m 34 4 J a w t 7
1 3 7 i 3
% 3 7 w O 4 4 6 w ow W w m n 5 r 5 2 n t.
a p o r. ( a S M D e s A W s
)
A w m i h A D 1 n3 0 36 0 9 2 3 0 . o 0 o o 0 O g O g O O 0 e o 0 2 lf , s . iet 2 ~ i e t c i i n l e y a u i t l i q l o S e i b r a l - b e
)
r o r r
. o P u i s l
i s a n o e r ro i h i u t F. a t a l i c l l a a e . l a d e u c F Fr . t o s l a n l a or a w a T l i C 3 w t o r d e T E n g a. e. a d e e 2 n 2 e ? n
- 7 7 t e
7 s l m e 4 6 2 9 p u s e s 6 2 h w s n e i e % 3 6 o a J e s. 3 e 3 e t n e. e. e. a k s e o a e n . 2 e a s 2 l' ? m w - 7 7 v v
- 7 un m e= m M 6 7
- 4 e
r &. c s t 4 s e e i s t e 4 l e 2 D' a t e t e 2 W 2 6 .
.e m 3 A 3 3 l
u o r n. e s e. e. e. t s . e. o s e a e e e, #
=
3 i p e o s e e e s e o e s e a m * *
"8 e n*
F g n n m mt w e e m m a t M 4 1
,. *t
'9 4
6 e t w s t w e s v e 2 i s e e e e e
- s e e e o e 1
e si s O u e e e e e e e e s e t a e e a I ( C N e G t i D l a T I T h t a P e r l u . ia F r m, c. u m m u e e e i 5 c. c r c, r. f ,
- c. D t a
t a a 7 3 a b c. s b s h e c. n a u u A A w A C. c. c. r. E.
. .c s e e a 2 3 e s e 2 3 e , s 9 s a a a i n , yo
l fl! _Srqqtnte 2 (Using Knowltslac-based Behavio.rl for FTI, Sequence C, using knowledge based behavior, outside of procedures, entry into this action assumes successful diagnoris of an ISLOCA (using Attachment 1 of OP 902 002), successful diagnosis of the break's most probable location (i.e., the safeguards pump ro:m on the 35 foot level of the RAB), SQ an unt rstanding that the break occurred when the RO opened one of the LPSI flow control valves (FCVs) on the affected safety injection train, during a quarterly stroke test. Successful isolation of the break depends on
, the rerat ers going outside of procedures, overriding their training (to not terminate S1 without meeting Si tertination criteria) and closing the correct LPSI TCV (S1-138, SI-139 (A er B]). This could be done by successively closing individual. LPSI TCVs, then monitoring the PZR to see if PZR level and pressure are stabilizing, figure 7 presents an llRA fault tree which models this sequential closing of the four LPSI FCVs. FP#1 (failure path #1) models the probability of a R0 failing to close the correct FCV valve by sequentially opening and closing each one: TCVI is the probability of a R0 failing to select the correct FCV on the first try (1 chance in 4 of being correct); TCV2 is the probability of a R0 failing to select the correct FCV on the second try (1 chance in 3 of being correct): FCV3 is the probability of a R0 failing to select the correct FCV on the third try (1 chance in 2 of being correct); and llEP, which is the probability of selecting the correct valve on the fourth try but incorrectly activating the controls for that valve. FP#2 models correctly selecting the proper FCV on the first attempt (/fCVI, i.e., the complement, or probability
, of success, for FCV1) and the human error probability (HEP) for incorrectly a:tivating the FCV controls. TPf3 models the probability of a R0 failing to select the correct FCV on the first try (FCV1), correctly selecting the valve on the second attempt (/fCV2, the complement _ of FCV2), and the human error probability (HEP). FP#4 raodels the probability of a R0 failing to select the correct FCV on the first try, the failure of a R0 to select the correct valve on the second attempt, selecting the correct valve of the third attempt (/fCV3
- the complement of FCV3) and the human error probability (HEP). The total failure probability for this action is 0.019 with an EF of 2.97.
C - 41 . 1
C Sp il Dreak iTDCf1 - Sequence 2 (Usina Knowledae based Behavior) f or a small break ISLOCA (flanges fall), event TTDCN is modeled in the same manner as before with the addition of subtask "G" - Control Roota f alls to " Diagnose Location of Dreak. This particular subtask was re quantified using the llCR technique assuming that the operators had 26970 seconds available and it would take 1830 seconds to complete the task; the crew had average (nominal) training; the situation was a pctential emergency; and the quality - of the man machine interface was fair. The knowledge based non-response probability for this subtask was estimated to be .001.
'1 ure ;:rebability was estimated to be .016.
The resulting total [ Small Break Fil - SLqutoce L(Usina Knowledae based Behavior) for fil (small break), Sequence 2, using knowledge based behavior, outside of procedures, entry into this action once again assumes successful . diagnosis of an ISLOCA (using Attachment 1 of OP-902 002), successful diagnosis of the break's most probable location (i.e., the safeguards pump room on the 35 foot level of the RAB), /dQ an understanding that the break occurred when the RO opened one of the LPSI flow control valves (FCVs) on the affected safety injection train, during a quarterly stroke test. As before, successful isolation of the break depends on the operators going outside of l procedures, overriding their training (to not terminate SI without meeting Si termination criteria) and closing the correct LPSI FCV (S1-138, 51-139 [A or B]). This could be done by successively closing individual LPSI FCVs, then monitoring the PZR to see if PZR level and pressure are stabilizing. The HRA event trees and total failure probability (U'9) for this action have already , been presented in figure 7 and Table C-Il ad C-12. C - 42 L
, . _ _ _ _ _ - - _ - - _. -- m
t i f% i
> f a ) ..; trTN t
w (1 t 1 ps f '. u n
, -#d i 0 w
~C j
O v
~ "<>
ggy+ o w , m t( s)t., , v. e, ,
# [u r;)
s
.J
- -t v o ) 1.a t
- y. :
- e. .,
e w'
,., ,- 1 o ,.,
t 9, vm ) r. o W e s
=
C)
- s. ,
w Q , n f^ , ;p , ,,
~.,
\.0;5,W' ca c
\
i
;h Q "'
i m 7 e w -... ,e, v. o
.e LL m.. r( w w - a ,,
u t _ ,j
's r,t ]%A.s <
e ,, r.s , - c . .,
'3' fa se i r
w g 4 7 g y , w ;* h ,'
-O 5$
a u t
- a. - f.
yt 3 @ $ ":' , gE-F n, r.. ' .;., o s o 4 fo
,u
' @ O .(;a,t e$ n w ?g '
w a l : '( 1... - g 2_ n.
. O V C /~s n ! f
,,_ ( u ) ., c ;- o -
c +u o . .o
- r .- _ w ,
@ C.p n L a, t. f
@ a
" . ~~ t C m W
t ' &3$ .n eb m w _th < e
+J ,~ i
- t
.a c
L,1: 'i
'] f u. ()
..) w c3 LL figure 7: ilRA fault Tree for Seq. 2, fil (Using Knowledge-based Behavior)
L C 43 i e t l i
.' - I li'i , i L j q . t t
o r,r.e t- nw
=r,w 3
p 5 (op
/ r o~ , .w. 2 u 5 O1oaCee eneoacr:c ro 1
i O: n3ra1od r r. . e e e e e e e . e rt e
- e e o E
rm : a 3 s s S . 3 t t t 3 I l . a i n s.eP 7 4 7 4 7 4 '4 ateE I 5 7 e s 5
?
s S n 7 s 5 7 7 s N. S I t t 7 . s s 2 e J 3 e 7
- 5 t
e e e e e a s e s e e e e r . 9 9 o o nmP at eE a 7 4 7 e 7 4
>s 1 4
7 a i T t I I s
- s e 5 . 5 n 3 w 5 7
6 m a f S i e e a s e 2 s e s 7 a s 7 S 5 e i 4 S e e e 4 e - l I e P d I R ay l E .c w u s t 0 i t i i
- e g
r z I 1 I _ e 1 a s a iIj1 b- r s t e 5 5 e r.e i r r e e a
- g i s s a m 4
- d m.e. e e 8
4 t. e l A S : : 2 9 2 l T T T T w r s o e n r. i" 5 F K f. t l r. s 5 5 S g S f. i n - yr c i g . s bp om s U- - et pa e n a s S R S S B S i s a t y l r 5SD F g. I P o e e n Ie WR #e a t a t a a 2 El l b z a 2 2 2 e 8 t 4 LTT i a E e E e c 2 T 2 T 2 n Y T e
- u w r. a q rt r r e e e e o 0 e . e e. e e e E a e a e.
3 a t 3 e i 3 8 3 e 3 S F r e f o *adE aP i eI I s 7 4 9 5 l e $ u 3 9 5 7 4 5 o Rl t a s = 2 m ? s S S a e e
- R e e . 9 8 7 e
6 e 5 e e n I' Et I
. 8
. . 4
- Y o- v v.
v. t e e T L T e I I H e u H _ t w- i H e.
- e. e. e.
, e 1, t C r o
w e e. e
- a. *e s
e v e. e T e r r _ _ u ei d: t e _. s e e e. e 6 a . t i E e e t e w w t v .c t r t
.e w w y . y . y e k
/
wr l : e y a a s rw w w le n te l e w wC t e T lt e c s a
. n a
. i m
. m
.e ,
m
- e. u e
w e r e 8 e e
- f. e w
r A s. r. so e c n. c f e
- r. .c f . f s n
s a
. n e a, s e
s e e w e _ a. a i e u . n e - e e. e e e s e s u a. r e h e a e e e. e w e r s e r e e c e e e l f > 4 p y 4y > p 4 7 p e p t e ee
- e. )
e p > 4 p c )p e
)
4 p
)
4 p
< )
e p T w, 2 w v d. C. v* s cd e r t s. t N ( 4 F V Cv e t I 2 4 P E I T C 2 V C 3 T L fe 4 H s. t 2 p 3 t a
< A a l F s f f t E A e t
4 s c o E F C is I J E I . M m , *a e
; iI Ll ' r !, t[i 2
4 o ccdC. n N. u E,O 7hS #onma
- P yN2c2 y O7p7 MmNN nWCD+N* 4 0E:sOEa CC0.C e t
,euwOc-
.i, s
~ t s .
. l u
s. e R 9 6 9 t M M Jt 4 M( 6 9 . MW M 1 L M u 1 7 (. W
- f. M t.
0 9 . ) 6 0 ( 0 0 2 s
. e
_ i it l i i l y a i i l t _ l o , i b r a l r b o o e r i r
. s P l
u a s e r i h r o a e u t F i l l c i a Fa Fr l d t e e t a_ s l o b-a l a a or ._ T e C t o r d g T E n d e a l s w 7 7 . e o 7 4 4 7 l t n 9 t e K 7 t
' a e e
?
4 e e 3 _ l g a 1 a S 5 e r i n S 7 4 0 6 .- s s 4 a s . l u U- 7 7 s t 3 1 7 i M. e 3 M a I e e # e F T I 5 m 5 m f a 5 s 7 2 7 7
. : e 0 8 6
_ 2 1 C -. e l . i l a T ht a P e r u li a _ F d
. ! l D t l
K C F ; j g B A t a de e r
. t 2 3 4 a u'
f]D - Seouence 5 FID for Sequence 5 represents operator f ailure to detect a reactor . 13 coolant leak resulting from failure of low pressure flanges in a st. t - i line from the refueling water supply pool (RWSP). The leak is a result o' . failure of two check valves protecting RWSP piping from higher pressure in the low pressure safety injection (LPSI) lines used during shutdown cooling, !!i A modeling includes detection by the reactor operator (RO) of decreasing
- pressurizer level and pressure, and subsequent entry into OP-901-046 (Shutdown ,
Co, ling fial function) at the direction of the control room supervisor (CRS). , i:ecovery credit for detecting decreasing PZR level is given to control rocu (CR) personnel for detection of Hi-lo and Lo-lo PZR level alarms. F.ecovery credit for entering OP-901-046 is given for the shift supervisor (SS) advising the CRS to enter the procedure. The llRA event tree, subtask quantifications, and total failure probability are presented in figure 8, Table Cl3, end lable C14 respectively, Table C14 lists the total mean failure probability for this -! event tree as 0,00758, t 1 k
. C - 4F 4
?
L f
a v (*
- b
~ o-r-3
-.he o- ;; _
'oE 6 @>
o a t
.C- , .e -@
e o
- e. .
- J, '
t .M .,
, v oo 8e 1, 2 b' en vu ,h - go o O ta a t. a
/
/
3,. T 2. ,
., 7,.
/
I
.,I o /e
/ \, s I
FJ u )
$n / $I*h ca y.
, ~.
./ ~c Ys 8g .
s- ;;
- S.o , c-o m
6 e t e-d-
.. om N.s .,
i ; 03
$ 3, ., v L.
a J, -y s -
. c, , t .-
.o :, 7 g IJ 6@
O E' o r- ?! j** x$j v B3 b8 s p', l to o,, b
-e c
-r t
, iI O C
@ s Q fft 4- *4 t'0 4' !
W OO e h x - _ g3 y s Ye N- .#
, . ,i a, y . ...
UJ Q-@ a -&c .,., p 8* - m4 /
- u-<1i - i [I CI w U O vV w
o a .4 LJ C h' .i
-o 1y A., .. pc,
- p. .
.$ y
'L-c pe~,o 1 a *rF e
og to u_i g d e,i v g E
.v m e c t o t W s -
l D c- E l TT- L o i (I) g 5
- tn o o Figure 8: HRA Event Tree for Sequence 5, FTD C - 47 i
if t ,i[iIi I 1 0 qD5w a aww.
. =r,v.
n o7 sn $* 7 mWo r r oe rt e e' s s o s 5 r c a 3 e s 5 i o t i 1 EF' l a 5 4 a n % n anP 9 6 a- 3 9 5 7 3 im1cE l 7 1 4 2 s 6 n-t r r 3 4 3 t 5 3 2 u a e e e
.t N3l 9 e
s e s. e a s 2 e 8 5 4 a n
.al cap 9.
4 3 ? 7 i 4 e 6 t t o s m eE 7 J 2 6 3 3 o n. B AI l I w m e 2 1 3 t 3 8 C e s s w e e e 8 4
- f o P d s R ny ) s ) t s E epnc I I tI t
t 3
- t i
l a 2 f
- o. l e ke l I i
t t r . . , t e i e e r 2 a 2 a 2 a s e d a f e f r 6 6 6 e e
) +mm 4 s s t t -
e s e 6 I e- S A S l 2 2 2 2 2
.o t T T T T T l r s i
ieF a f S i P F l
.u r 1 a i 2 2 s Sf o t
r . t o - y ri c
+
a r s 4p om 5 s s s s e e pm t e y 8 5 a s a s-e s s p t SSD
.O-D /reRP # #
4 z a
. 6 2
a i s 1 a r El e 9- 3 3 4 T, I
- u. ! a! t i
6 2 e 1 e 4 4 e 5 STT 7 2 2 T 2 7 2 T' T 2 e c r r o o n rt r c e e e s e e E a 3 e. s e s e e u F t S q n e c aP
- i. i S sdE a
)
e t. e s e e' 5 5 e r H eI I e m c s s o M a e e e e
.f S
g
.P a.
.. s.
E n e a 4 4 I t& e- s, I r
. t 4t e s t,- : u
- l
. r i
I w 9
. 3 w R a a r l Z Z z ts. O +
n r s C E
/ %n r
e r e 4 a t s e n n l e n o e e i, s e t e 9-e i t 4 t l it c a d. r S a A d s s o R h c T n e a w s
- h. -
t 4 r e n e n t w e r.. - n e r m . e s se.
. . . d u d.
s . e e l l be e nt e t s.. e ia . f . a.
, e.a n .
- i. n.
t st t H. r Oe n .g, .i . aa S R r r, c. cM S A a c a E a , b"
,e ;;t ' LI , t e
Iu M , e
- a. s m5m o a & u= ~._ o.
mD__'5 '
. m" '" E ,* m7O7m mm_MN nNL%.
3)
. 4O* ,
s t , l u s w e R 8 1 M 5 5 8 8 e w M C 0 6 0 1 M. f 1 m
* . 0 O 0 1 j
s i e t , i
. l t -
e bi n. s-e a l t e i b li o C b r f a l' o b e s o r s r u J
> s P a l l n e r r ,.,
i a t o u o c i t c a F e t a l t e l ia a e l a D u F Fr t c s l o t o l a s e a or T t d ia C l u e 3 o r T E n F s a a 4 5 , s 4 3 e - r 3 u l n s i o 7 9 l t 2 e M. t t a r e e e o a e a a 5 s s l' p M w 5 a
- 5 e O- 9 s u. M 1
r w . e u D e t. e t e H. 8 l i T 9 a a s 5 a a F 7 4 9 4 7 9 4 7 3 F 5
- 3 0
s e 3 0 M Z 4 o 0 e
- e e e e e w
4 c , 1 n * . m e C u q e e e l l i S . a +
~
T n e ht ~ a P e r l u i i a - F c + C o E D E B m L D A 4 A e s v i 2 3 4 - n
~
0 FTDGN - Sequence 5 FIDGN for Sequence 5 represents operator failure to diagnose that the reactor coolant leak is outside of containment (in the reactor auxiliary building - RAB) and enter the section of OP-901-046 (Shutdown Cooling Malfunction) relevant to the isolation of the leak. HRA modeling includes detection of safeguards room flood alarm by control room (CR) personnel, with recovery credit for detection of RAB radiation alarm (s) and increasing waste
- tank level by CR personnel. Step 2 of SUBSEQUENT OPERATOR ACTIONS (OF 901-
. 046) directs operators to Attachment 6.1, System Leakage, based on relevant CR , ,
indications. Sequence 5 HRA modeling for FTOGN includes entry into Attachment 6.1 on the direction of the, control room supervisor (CRS), and recovery credit for the shift supervisor (SS) advising the CRS to do so. The HRA event tree, subtask quantifications, and total failure probability are presented in Figure 9 and Tables CIS and C16 respectively. Table C16 also lists the total mean failure probability for this event tree as 0.00756. . 1 e a l C - 50 i l L
,i e L ; t I > ,
h. i T W T 9 t -@ cs
- ee t v 6
, ee dl e s o c
r t t rx a c e u e ist g t e e t e f d at v a f s S o a
- t mw e
9 W t c m og i e ls r A n P
.m te l
t e ae l is 4
. d f os r e 9
w t n t o rc n r c w t C< 6 t C on -y p G a i I i s a y W f
- b. %
C \. i '
- a -
m *
. o P -
' t
, x -
M 7y m - 4 C R N w 1 4 'r f g ,
- M' op O r e t t 6 n s 4 C
a s t 0 = a C g e -- w s: 1
- y t
c s e 0 N t rc o9 e e A t cein t C g e t S O d e A a c s C f k [ Q C ) . A v y. e
)
n io t o 3 P 1 C se r a / - r y r t c1 e . d1 e bg e v - e v c e r6 P+ L s o c o s fo n d g c r a g c A c e r ot o ' m um 9 e5 t t W e q gr ( ( t 4 c t ea n0 e - ts e g u f s a 1 i s M s S o0 a r - y d t 9 f e s ec T t S t sP 5 5 n 9 - co e tiO e Y e t eF tc af f o T' s o m E $ o S1 9 n n' A - s n R o C S ( C A c N g - - C '
~
-y G a a D s' D i t c#
T D
'g t e "4 0
n r - F ot e m s d
" 09 1
)
y
, S I n s S " -
"90 er y ,m j
y I i r - e O v 4 5 i a. ta t n eI fo co e e F n y f 1
- D( i y
e o t o 2 g c s r C t 1 c 6 T n o e r e6 4 r n - 0 g et d o c1 c6 0 u a i t 9 qr s S A eP c - epe t u C sC S O O o $ y m
= 5 m<mB+r q - e%k e o S w-
^
,.m]
- eoc)=
q e' r _ O
- w" a
_ e y g - N . M 7 y t
-1 ca e'
-.a
- o 1 ,.,
w w
=
m u en Tabic C15: IIEPS for Sequence 5, FFDGN-Operators Fail to I)ia;pinse ISLOCA , o s m fluman Actica / Efror P.asic Error S nurre, Step-by- Mmlifier M..difier illERP Itasic Nominal Error o Median Factor TIIERP Step or for1%IJs Source orgwnd- Mean Meme Facter f IIEP Table # Dynamic ,
, ency IIEP IEEP ,
n H C A Ceesrei reeso fa81s te detect Saf*teards Re au conos 60 0 T2e 23 #2m SBS 2 T24 t6 a4 Zit e tww124 e tNM)532 Ift e O ileeded starun ("3 8 Cenases reeen fails se desett RAS radiaties e OIM)t le e T2S-23 #2s SRS 2 T20-t 6 # 4 2D e sans2M e iMS32 to e steren m N C Cemee.1 resia falls se dese<t Iswr sg. se & 003 3e T249 a4 SBS 2 120-16 a4 2n e M 3749 e.807499 le tank level D CRS falls ta esser sect 1 a il of OP 908 446. e DOS toe T284 #3 SBS 2 T20-16 #4 Z1) e.es 3117 0.02M35 toe SDC Msitesuttom E SS tetti en dle=<t CR5 te enaar se<tten &t of 0F. 8 00$ 300 T204 a) SBS 2 T20-86 a4 lin set!)t? 9.5133t7 is 901446 a G.233505 15
, y
.. . . s ;
u 5 o a e* cn l ' i Table C16: Failure l'atlis and Total Failure l'rolialiilities E o Sequence 5: I"I DGN. Operators Fait to Diagnose ISI.O('A 2 e
- r Failure Path Calculations Results a l ABC e kWis32 s e mes32 s 0 007499 e H
2 As< DE e mes s2 s e sums 32 a e azuis a e.2sisos e o 3 AspE eer.ms32see2u ssae.2sises ODy*WM S 4 sLE o c2ais a e 2ssses 0007551 {
. Total Failure Prol> ability 0.008 7 C Error Factor 12.11 e
O er Os m.a. M
~
o T o O
=
i
O, l l l fIl- A - Seouence 5-(1 Train of- SDC) FTI-A for Sequence 5 represents operator failure to isolate the leak (see Sequence 5 description in Sequences and Human Actions section) by "l performing the relevant steps- of Attachment 6.1 (System Leakage) of OP-901-046 (Shutdown Cooling Malfunction), when one shutdown cooling (SDC) train is in service and one SDC train is in standby. The HRA event tree for FTI-A models-the critical steps, substeps, and actions represented in steps 9 and 10 of - Attachment i relating to isolation of the leak. Steps /substeps modeled include: closing the SDC suction isolation valve on the train in standby, ,} observation of RCS level for stabilization, placing the isolated SDC train in service (referencing 0P-009,-005, System Operating Procedure, Shutdown Cooling System), and closing the SDC suction isolation valve on the initially operating SDC train. The HRA modeling conservatively assumes that the leak is in the second train isolated. Omission and commission errors are modeled for each step /substep. Omission errors are modeled as errors by the control room . supervisor (CRS), with recovery credit for the reactor operator (RO). A high level of dependence was modeled between the two (CRS & RO), when the CRS was directing R0 actions. -Commission errors are modeled as errors by the R0, with recovery credit for the CRS. For these actions, a moderate level of
' dependence was modeled between the R0 doing the action and the CRS who would be concurrently performing other dynamic actions in the CR. The HRA event tree, subtask quantifications, and total failure probability are presented in figure 10, Table C17, and Table C18 respectively. Table C18 also lists the
- total mean- failure probability for this event tree as 0.0233.
=
C - 54 1 ,
.- .. _ . . - . _ . ~ . - _ _ _ . _ _ . - . _ . _ . _ . - - -.. ..- _ _._ ...- _ . _ . .
t
- M 1 t
-1
. .- g x -
o +
-F :
W # O m . gw o c t
- m, -
r e !
$B
--n a c u o ;
et -. , e ye- 3 'g $ W
- e. )
s vo !Y l 2
!+
os
. M 3, -
e 6 g -a t
+
f
,& s -
-y c-- ..
_a E p
- m*
, r- .9 3 c
-u ,,
-p .
93.5e- 1 "' z- -
. .. t ~ ,
.v a
;; i
-sv
- 24. o m n
- e. o m i, s_ S. F b
.-4 - E . t, i -p.
-g g i. !$' pu
- e j (e-W o o, u- -
-e v v<- .a m
-o e
n, v
!n.s tu u
8- .
~,*
i
; oo vn o -6 w uo g :
< [s
$- uY-n .
~*
. , 84
-o o* -
oS
#
- o
- g Qoeo ~( . .
."g
$ "* "0 -
c Q *g* f {
.e' 5 V :. , _ e i g- - "
.-?
b
,S a dni 19 ( - 3# -
3.g, -
's ~ ?- I .* v 4 g m,A> w .- -
om 9- - 6 ;; - e ! o x- o . sYS i- _u e v 4. m a x . . 4, , m Or h, -Q ,p $kg.~
-t 8 0" . - o, ,,
in , o u -
. .,o.
- dm e-o c v
-~y
_m a , b a, 8$~ $g U U v s
-se m y-y
' -O
~
-h b-- b m 1 2. . , . . { $.
+
s
,_ h, .- -
_O^o e--b A g
~$..i-=4 9
_ - dj *~f $$
.s
- i. .S W g mm >
e
* .t t
98: :
% " O_-
t m 1*5 L, -..;j $ N- v i 3" -! r 4 = i- o > . ,y o el. V
-m a u-o..
u a gos9h t t O- $ E* I -F W . '
'. ' \~ E 9
${ .
f-y
)V ;Kxi LU u
1 1 t.L ' ._ _ o -i \'i% ' rm e o y n .i W ,c. w a en 1 W 64 { 9: VI i I m-
- x- I g= oL ,
Uo_
-i
. o.
i- >
. t'
.n M' b* -
a ~2 i u Q. ' g- v d p 3 1 7 89 n i t7 e. . 1 oO -o in . o' ., i Figure 10: HRA Event Tree for Sequence 5, FTI-A (1-SDC Train) I i i l C --55 : E b i i
+
-,,.,,->,t ,- s ~ , - - - , - -
is ! :* }: 't - 1 ;1il u {l: 7t 1 51- ;.lWl f: !! , Its't h fi , 1, . ! n
<O.
y b d n e a n c t i ie ec s . p . n e f v n eo r, t oy. s i t S n e o n C, 0 A n O C e
) o S S oe et o dni s.
n a ge C A t s w e t-r in c, ci 1 e s ')n r a ,pr v 0 c - o ,p o o. x i r 4 i s t ) e v i t s - g s ) I S r i 3 s C n y n e s s 5 C o e s a 3 4 a S 3a 1 8 i s ) g
=
4a. 2 4 n ras s en g n isw1 n u + f , i is t -t c s - e i 3
- v. ,Ah, t n ,
t h0
)
. t v
t zC - oe C t C .a m a sc( 1 0 J
.N' ists ,
,S O n3 o
S D CE 3
, a r
s 0 C ) ee9 e1 ,
,tc ) 1 g n ,
t f c, P- ' c .i B d n io , f e C p ni C S A ,v Or -'c. x law pC- 3 r A e t ima t s 3 i, D p o . is S s u*in v
- o(
t e g c 1 0 s e r r e m c e YC
- 4 r e
r 'o n c , e oco o n o n s 0o6 0t se - ) asiv S t p t y C ( o rc yr n
. - St i te er ei ist t ) ,
cc v av sa B f , s i a 5 ,CCrA C a c o 0 4 i n n e lo tr ot f t C A , f . d Ss eA t eec c. c C 0 en '1 o d e ( - v oD 0'e 0 e t na r Sl D C aEre) p" t S lsg 4 t i e o s y n N $ , d es d .t omn r e lat i e . A o e i v f a s f t e r : 00r o r lo s c a to ce S e c' a a A p n . c c
- lo sA C o s lp s i
e( , emoB t o E T el C o e e t c seice u r cA O o1
)
y t s p O t . t si v c v H t 0 i a r a re 4 r e a a ceres f lps S v
- l r A t o O e
y n ) CS c R
- e s
- o mn l t i O
C A e es A s .r n ei cn ei A 1 ( 0
- t scM) a ao'B I
5 i r a 0 4 e r r 4 co1 v
-< r ot t 0 re t c )
e - 3 D C t S - pp o4 v o t _ : D S e A 6 5 eRc I
- s 1 o (
T i
'J k se 0
4 F i d o 8 5 a e t s s F u r e s 5 .n e a o si - m ec . e r ,t -. e y c n r t nto. e a co t S c A e C r r u r ( - o c q e m O ep A S O a u ik . O g
, ,r* .
nn O
- uc
. - ' d
. e M
cs 17 a e.
~ o
**=J'
=
m, en Table C17f 11EPS for Sequence 5, FTI-A; Fail to Isolate (1 SI)CTrain) o s m litsman Action / Error Basic Enor Sourre/ Slep-by- hfodifier ' hiodifier IIIERP Basic Nominal ' , Ener . bledian FSctor TilERP Step er forl$1s Seura Ikgend- hican bican factor g ilEr Table # - Dynamic y ency IIEP llEP s - n a w CRS felts se c8ene SDC by Sec. Im estee St. 0 901 3e T20 7 *3 SBS 3 T24 4 6 # 2 Zu e043749 eetI240 -30 -n A -"4 ' O Act A(8)(Ombnien) Y B RO feHe te remind CRS te stsee St-40t Ad B) 44 5.e T20-22 *t '555 3 T20-16 #2 IID RI6t303 E742675 Se > a n
# E353*f9 2J ***
N t/1 S eet Je T20-82 #3 585 3 T28-86 82 2D seet249 4 083749 3e C2 C RO fens se ctone st-401 A(B)(Cesswahalee) O
&I 5e T2e-12 #8 585 3 T28-t6 #2 heD e t64 3e 3 e557s*4 5e --4 D CRS tous to remaeul RO se < Bane $148 A(E) "T De
# E29tue5 14 -e-m w
8.003 le T28 7 83 SBS 3 T28-86 82 ED e.803749 0.481240 3,e E CRS fans ne desenatae le RCS leeef mee esebattdes (Ombstem) F RO tease es amend Ch5 4. deseeselme if RCS tt 5e T28-22 #I SBS ' 3 T2e-16 #1 IED El6t 303 e.742sts 5.0 lesel met samb4Hdag i
# 4353W9 22 C RO falls to coenetty deseen 6me if RCS level met S 483 3.8 T20-14 8i SBS 3 128 t6 #2 ZD e003749 0.01I24e 3e 1
esebilidag(C . = r) Il CRS fstis ee 8ett Ro se determine tf RC$ iewt at 5.0 no.22 88 SBS 3 T2*I6 #1 Mit e 168 303 e557844 5.e not stabattdng
# 0 2*h45 14 I CR9 fenn se place belated train an see=ke o en) le T28-7 # 3 SBS 3 129.16 #2 7D etwil749 eet1248 3e 1
w 'P ww mar rw<rr e- ,,y+,n--
. . _ . . - ~ - . ..- . - . _ - - .. .
f O. l 5
- Table C17 (cont.): .
t w ;.y e U w a 4 a e a w a a *
.j g a. p t
i E; g g n g3 g 3 i E3d A E
- d
. E 9 R r 4
'n Z"" A s s .E e h.
- A d .
8 :
. s W .r- x -
x :
- x !
O _a a -d ; - s 2 -
. .a . .
. .s . .
t
~P e ./, ;
o, x- a w i *g, _s a,
, E
, s a e
~ s
- 1 z -
e 3, eet e.n n. ~. n. . n. iy . : : - 2 : : v 2 e
=s 4 'i- -i ,n $.
i t i t
- m. - u ,,
-%k o
- sv.
5- _ , , , , . . ., t
- = !
.n
'.~6v a .
.T.
o 2 EE E a
.E 2 L
1.s*S ma g 3 ,., s . gx : : 8 eds : * : ! 5-
=
GF4 .5 88 8 8 6 8 t EI tt zg et . . . . . . . W ,a e m m m m d n
.]
E
- m. 3 5: ,, w - - -
8
- . . g3= _
. .s -
s - 8 - ., ,^ . o I o.a. j l L o
.. 8-
=
1c 5 g i
== 3W m
- I $
Q- j E - 3 $
$. 6 3 "% -
-.=
a .8 i 3 i i. i_
= 5 l
'= 3 8 i = 3. i 9 a .!
r ; 3 3
- 23 m~ j l
.3 t
E v 1 3 je [
.ma
$W s um 1
2 i 5 E e j3 a S tj j6 g ,y I' t a
- 3-. .
E l .'_ s 3 C 3 L 3 2 4.- 3 3 4 -c
$5 3
3 [ aJh,- 3-a j - 0 E I- g, 0 E8 l-C1
= = va E.e =c3 v = E' ' va +
1~ m W J I E O b r I I f C - 58 i
i _ t a Hc5C owc.o. ,u_ E C o n:r" ** y S o*- o r [ w C] o ,h o,y ] N w [ a- [ ma_7E 1 j t s l u s e R 2 8 l
)
9 W 3 N 0 s 0 0 0 0 e e e e e e e e e
- e 1
- e e . e e .
s 9 9 5 r 5 4 0 0 $ s 3 w 7 6 6 0 3 8 6 i e 5 3 W 2 9 8
- 8 9
2 t e e e e 2 i l s a s a e i 5 s s va
- a a i! a r sr p
+ . $
b < s 2 7
- e < r a
a 4 a I l 3 7 l s a, fa s ) 2 o f o W 5 w 9' i s l o n 8 e 9 9 3 8 M 9 2 e 5 3 e w2 s-2 n r i a a m a s m s s a e 6 9 9 9 s m s a P T r 0 9 7 4 4 7 7 9 4 9 7 4 8 4 8 4 9 4 5 0 8 4 5 4 9 4 s 9 5 e r C 3 5 3 3 0 0 3 0 0 3 0 0 3 3 2 11 2 fI 7 3 0 6 8 9 2 1 2 i 3 7 m 7 1 4
- 6 8
8 0 O 0 s 0 l u D s n e s e a e a 0 s G s 8 s 9 0 8 0 2 - 8 el et e 0 0 3 e 0 0 2 0 9 i S o 5 ea 8 4 8 s 8 8 8 8 a s s s s s s s s a 1 i 2 4 2 2 4 4 4 4 4 8 4 9 4 9 9 9 a 8 9 F ( t a 9 s i t t i i t f 2 8 2 I 2 i 12 2 7 3 7 3 4 7 3 4 4 7 3 2 4 2 7 4 9, l e l 2 8 e e O f O t e it e 0 0 0 0 n i 3 3 a t a u 6 s 9 e e 8 4 9 8 88 e 0 0 e 0 0 0 e e s 9 0 5 3 t l lc e 8 8 s s s a m s s s s s e s 8 e e e . o o a t
- 4 4 8
4 8 4 8 4 8 8 8 8 8 8 s s e a T I s C 3 5 2 i et 2 ti 2 i t 2 i 2 I 2 1 4 2 i 4 4 2 I 2 4 I 4 2 1 2 4 2 8 4 2 8 4 n 2 8 2 4 8 4 2 2
.s o 1 3 t 8 d e e O e e
e el $1 t e f O 08 8 0 1 0 8 l1 n I i t t 1 n l t s s 0 s a e s 6 s t e 9 9 4 0 0 e C 0 e. e e e e OI a ia 5 u 3 4 8 4 4 4 8 4 s 4 8 4 8 s 8 s 8 s 8 s 8 s 8 s m s
.s 8
a s F 6 s 2 1 2 1 2 i 2 2 2 4 2 2 4 2 4 4 1 2 4 4 1 4 8 4 1 s a 2 4
.s 4
n 9 1 s 1 1 i 8 i 8 2 2 2 2 2 2 i ; 2 8 2 t A 0 6 0 64 0 O 8 31 01 et 0t St 98 li e StI 8 8 e 8 t 01 n I f ti 8 a - s s s s 8 s 8 8 4 0 8 8 0 8 8 0 e e O e I P I 9 9 4 9 4 9 9 9 9 s 9 s 9 s 9 s s s s m s 8 a s 6 a e s s e T-1 3 9 7 3 7 7 4 7 4 4 7 4 7 4 7 4 4 9 4 9 4 9 4 9 4 9 4 9 9 9 9 3 7 4 r 5 0 6 3 0 3 0 3 c 3 e 3 3 7 3 7 3 7 3 7 3 7 7 7 w 4 7 7 4 7 4 l u 5
- J e 0 0 0 e O 0
0 0 e e 0 6 8 0 0 0 0 0 8 0 0 0 8 0 0 3 6 0 3 0 0 3 0 0 3 0 0 3 0 8 1 M i s s 6 9 8 ( i e s : a m s m s m 8 0 0 0 4 e 8 0 ' a c n 4 4 8 4 8 4 8 4 8 4 8 8 8 s 8 8 8 s s s s s s s s 4 s F e 2 i 2 I 2 1 2 8 2 i 4 i2 4 2 4e 2 6 I s 2 4 2 4 2 4 8 4 2 8 4 1 4 2 4 8 2 4 2 9 4 n 8 4 8 4 o
- u et Of f
o t e t e t 8l f 9 I I i i t I 8 2 2 2 r 8 q 0 0 0 e 9 e e e O2 f O O f e t e.t Si f O i e n n 1 3 3 t I e e Se G O 8 0 e Of e 6 01 1 9 O O e O O C S l e b a T s h t a P e r P lu N G u P P P . i a Os N Oe P O P P L M M Os N s ) P F J K I K t K l K a M M n L t 4 t A d n N O n O: L i t l h y h y ij lj y k lj y n K 1 K I K i K u s M a h b b b b l ak k F h b M h8 i b M
) t E
F K t E E K K E E K E E K C h ha u t 4 M d f t t F F J E E E K ,, ( f
'a r 4 C
d d d d d d f i t f e F f t t b b M C C C C C C d d J d d J A A A l b b b b C C C C C m A
-4 A A A A A b
A b A b A b b b b C, (J b A A A A t A l A A 1 2 3 4 5 6 7 8 9 e I 2 3 4 $ 6 I I I t 1 t 1 n B i 9 1 2 na gw I
;s
.!h{ l ,
Q I , scCTa o a *s >a $'"
- r
- ^
a t s-l . u s e R e o e e e e e e o e e e e e e . e e e e e e 5 ee 5 e6 s s 9 2 } 7 8 s 2 s. i e . e a 6 9 4 h o *. t 3 de
- o. 4 7 -
i l e e w 7 4 u e s _ 3 5 9 W vZ s 2 m i 3 3 s s
- 9 3 t e
b 5 m 9 2 2 2 e e e 4 a a ) 1 e ee 0 e s s 4 s s 9 s 9 9 8 n m : m s 9 9 5 s u 5 0 4 a 4 e 4 c i a 5 t 8 4 s 4 9 4 9 0 7 9 4 e e 9 9 4 7 0 6 e s 6 s 2 1 2 1 7 1 0 9 3 5 7 3 0 i 9 8 9 l P r ae s 2 1 2 a 7 3 3 3 s 1 5 3 0 9 9 1 t e e e 3 e 8 T 9 t t e e 3 n 5 0 8 9 2 3 e es 8 2 G 2 a e e e es $ a e r C 2 e e, e ee e 8 o e s s m s 9 9 9 9 9 8 s s s a s s s 9 9 5 4 4 4 4 u D n 9 9 9 9 8 4 s 4 9 4 5 a 8 4 8 4 2 9 4 7 U 9 4 7 8 6 U 9 4 7 3 4 7 3 7 1 7 3 2 t 2 i l i S o 7 4 4 7 7 4 4 7 1 2 t 7 3 8 6 2 1 t 3 0 3 5 3 0 8 9 3 5 e 4 8 0 e 0 8 t e t e 3 i 3, e a I ( i t a 3 4 3 6 e o 3 0 0 8 t e e e t 9 9 2 t e e t 0 J 8 e 2 0 e 6 es ea em es e s F e l 0 e e es es es es ea &: es es 4 s 9 s s s a 4 s 8 8 3 - l t u m 8 8 9 5 s 4 e 4 4 4 9 9 9 9 8 e 4 4 a l a l c 8 4 2 4 8 4 8 4 8 4 8 4 4 4 4 7 7 4 4 7 4 7 4 2 4 1 7 4 8 6 i t 2 I 2 1 l i 2 i 2 1 2 t t o o a 2 1 1i 2 2 1 2 i 2 1 3 3 0 3 e 3 0 1 t i i 3 0 9 t e t e 1 8 e t t e t e t e T I s C i te i t e t e 4t e t e t e i e 0 0 8 e 0 e 8 e e e e e 8 e 2 e e e G s e s e 0 s e s e e e e 0 s s s d o 0 e s e a s s s s s s : s s s 8 8 s 3 8 8 8 8 4 8 4 4 4 8 4 t s 4 4 8 8 4 4 n l 8 4 8 4 s 4 8 4 8 4 s 4 8 4 2 4 2 4 2 4 1 2 4 4 2 4 2 4 2 4 2 4 2 1 2 a 2 t 2 i 1 t 2 1 2 8 a i a 2 3 4 2 1 2 a 1 i 21 2 i i 1 1 t t 8 t 1 t i t e 1 8 1 e.t l e l e t e te t e t s t e s F i 1 t t t le l e te e. e e e 0 e e e S e e e e e te. 0 o e e 0 e S t e 4 s s s s ht : e 0 n e e a e a e s s e s e 9 9 9 A s a s s s m s a s 9 9 9 9 9 9 9 4 9 9 4 4 4 4 a I 9 9 9 9 4 9 4 9 4 9 4 9 4 9 4 9 4 7 4 4 7 4 7 4 7 4 7 4 7 3 7 3 4 7 3 7 3 7 3 7 3 1 l P 4 4 7 7 3 3 i 4 7 7 7 7 3 3 3 3 0 0 0 0 0 7 7 7 1 3 0 0 0 0 w T- 7 3 3 3 3 3 3 0 0 0 0 0 0 0 8 0 0 8 0 0 8 0 e a e I 0 0 0 0 4 e 8 tM 8 e. 8 0 0 e e 8 0 e 0 r : e e 0 e 8 8 e e e e e e e s 0 s e s e a s 8 s s s s a s s s 3
~
u 5 a s a s 8 s 8 a 8 s 8 a 8 s 4 4 8 4 s 4 8 4 8 4 4 4 5 4 8 4 8 4 8 4 8 2 4 a I l i e 8 5 s 4 4 4 4 4 4 4 4 4 2 2 2 2 1 2 2 2 2 i 11 i s 4 1 1 1 a c n 4 2 4 2 2 a 1 i 2 1 i 2 i 2 i 1 i t 1 l i t i t e i t e t t e t t e t t 0 te t e 1 e. t e t e F e i t i t t e t e ti e t e t e t e t e e e e e e e e e e 4 e e u e e e e e e e e 8 e
- 8 e e e e q
8 e 1 S C l e b a T ht a P e P P r P O P O u P P P N n Oe N e l O P On P Oe OF O P M MI m 4 M i M n Os N n O L a 3 a t N O N j yE yK yK yK ya t s k k t M n = y n O uhes KL oKtg MKts Ka M Mh nk f F LK o I i I t l h s t h h ta Kj Ky y y f h h h C Ge Ce Ce C CJe cd l y yg g tJ tg fg tg t g fg tce e g t g g g l J ! J u u J i E t t u e J C 4 Cd e i t Y t J t J t t t d t d t 4 J d d t 4 o d d-C GC C GR d C b GG I C d b A e Cb Cb CbA AC CbA AG CA CA C tA A A b t b b A AC b b b A b A b A t A A b t A A A >A A 9 0 1 2 4 5 4 7 8 4 4 9 0 1 1 3 3 3 3 3 4 8 1 2 2 2 3 2 4 2 5 2 6 1 7 2 2 2 3 3 3 3 _3 3 h CO
' r ,Il(,I{!ji ) , l } f il' , flj[jff!fIj ll(J '
s . . . Cs CF C n m Table CI8: Failure Paths and Total Failure Prol> abilities 5:s e+ Sequence 5: FTI-A; Fail to isolate (1 SDC Train) T Failure Patit Calculations Results 43 AhCdeChykmOP e.eti24a a e on1749 a e etI248 a e el1248 s e Ml749 a e 29s 05 e 44 AbC&ChtKL 6 On iT 48 s 0 003749 s 0.08 8 248 s 8 M 3749 a e 298eC5 , e 45 AbC&ChlKtMN O 881248  3749 s 0 et a 244 s 8.003749 s 8.08 R243 : e.353vue e de AlmCdeC h4K1%f nOP O 88 I248 s 6003749 s e eti248 s e 003749 e a 681244 s e 803749 s 0.2mo e 47 AbC&Ch1KisnOP 0 Of I243 8 063749 e o!124s s 0 003749 a eon 3749 m e 29 4a5 e 44 AbC&GhthMN 9 081248 s 8 M1749 s e Gt1248 s e eti144 s 13539us e e 49 AbCJeChaDisOP 6.08 l 243 s to03749 s ROII 248 : Ret t 244 a 0 00 3749 m 8.274605 e { 50 AbCJeChikssOP O eti248 s 6 003749 a e Ofi148 s 0 003749 : &298605 e 51 AbC&gfJ e eti248 s 4083749 m e et t 248 s 8J53999 e 52 AbC&gyKL 6.01l244 : a003749 a 0.011248 s 6 003749 &298405 o 53 AbCdegyKtMN &ct i 243 s 4003749 a 0 eti248 s 4.003749 m teli24s a S.353909 e
$4 AbCdetf jKIMnOP O OI8248 s 0.003749 s 0 08 8 248 s 0.033749 m det i248 s t00 3749 m e.29sa23 e 55 AbCa syKin:OF 0 eli 248 s 0.003749 s a et i148 s e 003749 : e 0u3749 s e 296605 e 56 AbC&gyLMN e.081244 s e h63749 m 6 of i248 e et i248 s e 3539e9 e 57 AbC&gyD4nOP G 68 8248 m e.003749 s e et i148 s 0 eti248 s 8 603749 s e 29se#5 e 5s AbC&gykasOP e Si t 243 s 9 003749 s 8 91l144 m 9 003949 s E298&85 e 59 AbC&glKL 5 Of1243 s 9.003749 s 9 003749 8 298605 e AbCdeglKIMN 60 O Sti248 s E.003749 s 0 003749 s S O!i248 s 8.3539e9 e et AhC&glKtMnOP 4.Gti248 s 0 003749 s 0 003749 s e et I148 m 0 003749 9.298ea5 e 62 AhCdegiKtmOP S Of 1244 a 0 003749 a 8.003749 s 0 NO 3749 s e.29s6e5 e 63 AlmCJeglLM N O 68 8248 s 6 h03749 m 9 68 8 244 s 9353909 e 64 AM'Agn MnOP O at i243 s O cG3749 s 0 et t 243 a e Du1749 s 0.29sw5 e
. --4. ,, -e , ,-- ww--e m -, - ~ , s,--- - -. .-,,. - - i
1 L 0 Table C18'(cont.): m
% e a
e u e 4 o e e e e e e e e e e e e o e . . . . . . w
.u.
f., ,
= .e. -y e y 3 2 t i ! :t ia j a p 4
= A A
^ . .E A. A.
.=_ C . . . s. . s.
C 'M '
- 2
- t * *
= 3 % t t o
-y 3 A
- =:::
E R f 2 $ A 1 R 9 E. lr, 3 A 1 E 2 E. E. 9 i u U . . .E . 4 4 . m :; e s. . . . . . . . . s. .
- = v2 8 ) t t t t * *
- g C * *
=
n , R R 4 2 3 E I 3 E , E 3 3 :=::
'A * -E E E E E A E E E E L 3 E
*- E. . .E .E . E. . w .E
- 4 . A. . *
- a ;e * *
. . . . . . . e. . . . m. .. . . e. .
IE
- - : : : : = t t t t : t t aa 3 :: :: : :: = n :: = =
F - 1 g : E :E : E E E E E E E E 8
=
E E A. .E .E 3 . E. . . E. . . . . . . .
- s. .E . .
_w . s. . . . . . . . . . . . . . . . . . . 5 = 3 g : : : : : 3 = : : : : : :
, -c = - :: : : : :: :: : 3_ ==3 3 ::: :: :: : :: : :
9 3 5 5 3 5 E E E 5 E E E. 5
.. E
._= < . . . . . E. . .E E. . . E. E. . .E . E.
n . . . . . . .. . . . . . . . . . . . . . . . .
- 3 : : : : : : 3 3 : : : : : : : : : : :
, p. a = :: :: : e :: : : 5_ :: :: : : :: : :: = = = :: ::
6 8 E E E E E E E E E E E E &
.=_ m,
. E. . . .E . . . . .E . E. . E. . E. . . . E. E.
- c;: = =
= 3_ :: :
- 3_ = ::
- : : : : : 1 5 E E E E E E E E E E E y $,. .E . E. E. . .E . . . E. . . . E. E. E. E. . E. . .
U A o SWIS 9
. .O.
.mo e.d b
3 L
" k
~
j k g b & L E *9- a y a E lia 5 5
^
] d 5
j 4 z x 3 x 1 I a 5 y 3 _ 3 o o a o o o a d- d d d g 2
? ? M ^ ^ ^ ^ ? 3 3, R 3 ? ? ? 3 a = =
.~4
. 4 4 .%
M
. w% %
4 4 .% .M 4 d 4 4 .# # . .# # .
. f* t W W G C - 62
.1
+
= 3 . . - . . , , _ .p
- i jl
[ j . _m 9
't w
au D c> = 5 ot. t e q w e s t l u r s g e R 7 3 L 1 M 8 0 --9 0 y e e e e e *
- e e e e 0 e e e e e e e e e e g g
j w s e i t -
, i s --
l u 4 i b m 9 e a ) 2 g b n : j or ia S 5 5 9 u 9 4 5 8 n 4 0 0 l' r M 4 6 9 7 6 6 e s w - T e v s 9 8 9 3 5 3 d 9 9 e - e r C f a 2 9 2 e 3 s 0 e 2 2 8 w
=
e s a s : u D n 9 s 9 9 5 9 9 s 5 , 5 8 8 9 9 w 9 $ l i S o 4 7 0 9 4 7 0 6 *t 4 7 9 6 0 0 6 4 2 4 2 4 7
- 4 7
0 6 M a I i t 3 0 3 5 3 8 8 9 3 5 3 8 6 9 s, 9 9 i t I i 3 0 3 5 3 8 8
?
3 5 F ( e a 6 3 0 2 3 0 a 2 e f 2 6 e e e e 8 e 3 e 8 e l e 3 e 9 g l u G e e 8 l a t a c s a a s a m s a. s a s s s m s 9 8 8 9 5 8 8 9 9 9 S 9 9 9 9 9 8 8 9 5 8 t l l 4 4 4 0 0 e 4 4 4 4 4 4 4 0 4 y o 4 4 4 0 e 4 o a 7 1 2 7 6 2 2 7 9 6
- 7 7 7 7 2 2 7 6 2 m.
s 3 3 3 3 9 C 3 3 9 3 3 i 1 i T 8 3 I E 3 i i ew t t 8 9 t t 8 5 9 s e 0 6 o t 1 9 t I t e e 0 2 e e 0 3 2 l e e e t e 0 (4 2 e. d o e e e e & e e e e e e a S s t s e s e s e a 0 s e s e a e s - t m s s s a s s s s s n l 8 4 8 8 9 9 9 9 8 8 9 5 8 8 8 8 8 8 8 8 9 9 N a i a 4 2 4 1 2 4 4 2 4 7 4 7 4 7 3 4 7 3 4 2 u 4 7 3 e s e 4 2 4 2 2 4 4 1 4 2 I 4 1 i 2 i 4 4 2 i 4 7 3 4 7 3 s F 8 t t i 1 t i t 3 8 3 0 8 e 6 1 l t t e 8 9 i t I el i i t e i e et t e l e 0 6 0 6 q v h ; e 0 e e 0 8 0 e. 0 2 e. e.t e e e e e e e e e e e e 8 S e e e e e e t A 6 8 m s e s g a I
- s 8
s 8 a 8 s 8 s 8 s 8 m 8 s 8 a 0 s 8 s 8 8 s 8 s 8 s 8 8 s 8 0 8 8 8 P 8 - 4 4 4 4 4 4 4 y T 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 2 2 2 2 g 1 2 2 2 2 2 2 2 e F 2 1 2 a I 2 8 t 2 i g 1 i t 2 i l 2 1 t 2 i t 1 i t u l i I i e i l t t i l 1 t 1 l i t t i i l 1 t i t g - r e t
- e. e o e e e G e G e o e e e e e e. e e e e y u
d e e e e t e & e & t t e e a e e 6 t e e e 5 i e. i l m a s m s s s a s s s s s s a s s s a a s s - i e 8 8 8 8 8 8 8 8 8 e 8 e 8 8 8 8 8 8 8 8 4 8 4 - a c 4 4 4 4 4 4 4 4 4 u 4 4 4 4 2 4 4 2 4 4 2 4 2 4 4 2 4 F n e 2 i 2 i t 2 i 1 I t 2 1 t 2 8 t 1 i t 1 i t 2 1 t t t 2 1 l 2 I 2 a t 1 i t a 1 2 i t 8 1 t t 2 i t 88 i 2i t g o t e e e e e e e e e et e
- u et e
o e e e e e t E e e S R e. 4 e. G e uI R t 4 9 e e e S 6 e e e S q t 4 e i q I S C 5' l e - b a 'a T y W i ht a P " e g r u x 4 P s g l P O F P o i P P P
. a Gu O P O P P P
N e Os N O n On N y F a N e O N e Os N O. Os L M M t i s M M a L M g l t S M m I t M M t i n M a K K I K K k k k K I K g K k k k K K K K k M. J y y y lj y y y Q y y y fk t l l a g ta g g Ig fg tg tg ig .. g I I b Cr b Cr b Ce b C h C h C h Ce h Ce h C h Ce g Hc f E c Dc uc D U Dc Dc Dc oc Uc C. c e e c e c e c e c c c e c g g 4 e w w b b b . b b b b b b b b b b b b g b b b b A A A A g A A A A tA tA A A A IA A A 'A A A A A A y 0 t 2 3 4 S 6 7 S 7 8 9 8 1 2 3 4 $ . 7 8 . 9 0 S 8 8 e S 6 8 S e y 9 9 9 _9 I 8 8 8 9 9 9 9 9 9 1 I 1 1 I i 1 e
"g p
a, g y n8 b . e g a" e _ w . w e e g _ g e y r
+
_ y e 1 4 i, I j J
11 , t I j ,i,!. ,* l l , *
~
] ._ -
- 'a7 c(- e o ca [ :s+c T~.
s l t u s g _ R e 4 4 2 1 4 4 I i
)
9 1 4 l
)
0 y) 0 I e e e
- e 0
)
D O e e e
- e e e t
)q A
g e e e 1 M D O . O D O 1 0 0 0 W M f 0 s _ i e t A _ i , l i b . a
> )
l n o ia 5 5 r r 0 8 l' 6 6 T 8 8 9 _ e r C 9 2 9 2 8 ~ u D s s s . l S n 9 5 5 9 9 5 5 5 ~ i o 4 0 0 e 9 4 0 0 0 a 1 i t 7 3 e 8 8 9 3 7 3 6 8 4 8 6 8 ,- F ( e a 0 0 9 2 9 2 5 3 8 8 9 2 9 2 9 2 e l S 0 4 0 8 E 8 4 l a t a u c s s s s s s s a 5 9 9 5 5 t l l 8 9 9 5 9 5 5 8 4 8 9 9 e 9 4 e 4 4 8 - o o s a 4 2 4 7 9 4 7 0 4 4 6 2 4 2 4 7 9 7 8 e 9 7 6 6 s . T I C t 8 9 3 8 0 3 5 3 3 8 9 8 9 2 8 9 2 I 8 8 i t S 3 8 8 3 5 3 3 8 9 8 9 2 3 5 3L 3 8 e 8 9 2 8 9 2 ,- d t o e 8 e 8 e 8 8 4 E a S L 8 8 t a e n l 9 s 9 s 8 s 8 a 9 s 9 9 a 9 a 9 s 9 8 s 8 9 s 5 8 s 8 s 9 s 9 9 5 a ia 4 7 4 7 4 1 4 2 4 7 0 9 4 7 4 7 4 7 4 7 4 2 4 2 4 7 4 6 4 2 4 2 4 7 0 9 4 7 0 6
'v D .
s F 3 8 3 8 t i t 3 8 3 5 3 8 3 8 3 4 3 8 R I i t 3 8 8 1 I 8 1 e 5 3 8 8 9 5 _ t i
; 9 8 90 e # 3 8 e. 8 9 S t $ 2 81 9 s 3 6 2 3 t A 8 8 8 8 4 4 8 8 4 e 8 E & 4 8 9 e e A e a _
a I
- a s s s
s s s s a s s s s s 9 s 9 s 9 s 9 s 8 s : 9 5 8 s . P T 8 2 4 8 4 2 8 4 2 e l 8 4 2 8 4 2 8 4 2 8 4 2 8 4 2 8 4 2 8 4 2 8 4 2 8 4 2 4 7 4 7 4 7 4 7 4 2 8 4 2 4 7 ee 4 2 . e F 8 8 I 8 3 t t 8 3 1 4 8 i t 8 1 8 4 i t i t 1 1 3 8 3 8 3 8 3 8 t1 I e 3 8 0 9 t t r : 9 f o 8 e 8 8 Oi e 9 8 t e. 0 9 8 8 8 e s 8 2 e _ u 5 e 8 8 8 8 S 8 8 S 0 a 8 8 4 9 S 8 e a a 8 0
~
l s a s s a s s s s s s s s s s s s s a a i e 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 s 9 9 8 a c n 4 2 2 4 4 2 4 2 4 2 4 2 4 2 4 2 4 2 4 2 4 2 4 2 4 2 4 1 4 2 4 2 4 2 4 2 4 2 4 2 4 7 4 7 h m F e I E i t l1 5 s t t 1 1 a 4 i I 8 8 i e 1 t 8 8 1 1 i t 1 1 8 i I t a s s 3 0 3 0 .
- u 6 S e 9 e $ 0 C 8 o e 8 9 e 85 9 8 e - e. e. 0 0 E
q 0 G 8 8 e e 4 $ G e t 8 S e 8 8 e e e e e - 8 e 1 S . C l e l - a , T h t a
- P .
e . r u l P ia O m P O P O P F O P P P P P F M N n 0v N m O Om P M On Os O P
- a M M M s a N Om N n 0v 1 l K M e L I I l I
A M M M a Kl k i na ki 5 K E K t k k s L I I l t a M o h W h t h J t lj fj y y ij y y K K K K mg nr k F . G e Ge G e G e G e s e g e g e g g e s e g e g e ts e ts e lg 4g e e e sa
, ) E r c c c c o c c e c c c c c c a c c c e t d .
b b b b b b b b b b b b b b b b b b b b Ce A A A A A A A A A A A A A A A A A A A A c. 9 o i 2 3 4 5 6 7 8 9 e 1 2 3 4 5 6 7 s 9 e - 0 t t i e t 1 8 1 t 1 2 2 2 1 2 1 2 2 2 2 3 1 I a t I t I 8 i i 1 I 8 a 1 1 1 8 8 t a n*$ *
' ;t
- L
..m - , , ,
w Cs
",., L n
s ,* : i o> i '
~
Table C18: Failiare Pattis and Total Failure Probaltilities 8
=2.
e Sequence 5: FI'l-A; Fail to I5olate (1 SDCTrain) r
- Failure l'aih Calculations Results e tus3749 s e etl248 s tot 8248 s e 299605 e 838 - eCdtKil I32 eCdFEhtj e.003749 s e et I 244 a e eti248 a e et i248 a e.353w9 ,
e
.i -
In eCJtKhyKt. e 6o3749 s e at i24s a o et i24s a e eit 24s s e 9e3749 : e 29s40', e
- 1 134 aCJtEbyK1MN ' e 803749 a e et t 24s a 401824s s e et i244 a tut 3749 s e 681248 s & M N*
e e03749 e et1248 s toti248 s e eti148 s e ers3749 m e eltaas a e ses t 749 a e.2vs645 e-135 eCdtK ktJK1MnOP e 803749 s e et 8248 s e et 8148 a e 84 t 248 a e 803749 a S.843749 e 0 2*ne 5 e n i36 eCdFE byKlenOP e 003749 s e et i143 s 4001148 : e et 8 248 a e et i148 a e.353W9 e
- B37 eCdFK bijutN 6803749 s e eti244 a tot 1148 s toti248 a e eti148 s e 803749 s e 9 e h 138 aCdtK byuteOP e 803749 tot i248 a 4.si1348 s tot 8248 s e 803749 s 6.298605 e t39 eCdfEbljkasOP e 803749 s toiI248 a e eti148 s e 983749 m $L298605 e t44 eCdfEb!KL 4963749 e tot 124s a See 124s a t007749 m e et1248 a 1353909 e t4R eCdEEhtK1MN
- 4 803749 s tot Blas a tot i14e s e 006749 s not 8248 s 6083749 s e 2*sw5 e 142 eCdFEb1K1MnOP b G.003749 s e eIli4e s tet i248 s 6803749 a e se3749 a &290605 e I43 aCJFEktKlasOP e.803749 s e eti2M a toti24s a e eti248 G.3539U9 e 144 eCdFKbtLMN .
e 063749 a 8.081248 s e et Blas s tet I148 s e 803749 s 1298*e5 e 145 eCdFK b6LMeOP e.003749 a e eti248 s e.eti248 s 4 8e3749 s E290ee5 e tde eCdFEkbecP r 847 eCdtJgtj e.00 5749 s e.et1148 s e et 1248 s 8.3539u9 e 4.003749 s e et i248 s 8.0t 8 248 a e 903749 s e 298605 ' s 148 oCdfJgyKL I49 eCdFJgtjKIMN e 003749 s e eiI248 s 4.488148 s e 803749 s e et t 228 a e.353w9 e 150 eCdFigtjKIMeOP G 603749 s e et1248 s e et124s a e 003749 e etI148 s e 003749 a e 2wees ' e 15t eCJFJefjKinnor 4 003749 e et i24s s e et i244 s e.003749 s e.ee3749 m 429ss45 e 152 - eCJFJgfjutN e 003749 s e eti240 s 0 eti24s a toti248 a 8353w9 e e l D
, .c.,+, u... .. .m,,...,..m, .,,,.,m,.,.-o . . , -,,-..py.%.,w .. .m,,ev -w o, yr+,,-em +.w.m.,,_e- , . . . , w.o-w e.,m w .s ye,r,.,,n, r-y.w w. , w n m h , u, a- c T r ar-
- e -' s +--m +- e t w w w-- w -- y e --
- v
.' : jIj\ l'liill)!lllllll lIi ljl;i)I\l1il
}1i i Q
/,
ace m 1 3 aco 5:ts e. T s n t l u s e R 2 1 0
)t f
0 0
. . . . . . . . . g . . . . . . . . - . . .
s 4 i e it S
- li t
t _~ um 9
~
as ) 2 i n a u i ,
. , 5 ,
9 r a r . e 4 . c P . 9 7 6 T _ . 3 1 9 5 9 9 e C 2 3 2 2 r u D s
.s
. . u.
l S n 9 s. 9 9 5 . 9 9 e 9
$. 9 9 5 i o .
0 4 2 4 2 7 9 4 7 e 9 4 a 7 m. 7 .= 1 it , 3 , . .e i 1 , 3 3 s 9 9 5 9
. + 9 9 5 1 F (
e a . 2 5 3 . 2 2 t t 3 M
.t J.
3 2 - l a t a l u c s s 7 9 u.
. , 9 s a.
9 9 s 9
.s 9 5 .s 9
t o l o l a o n a. 4 . 4 n 9 n
- 8 4 7
4 7 4 2 2 4 4 n
. 4 2 m n4 T I s
C I t
.o 2
t 2 1
.t m 9
1 5 3 -. -. s 7 3 3 3 m. t i t I G
.A 9
2 t I
. a. d i o a t .e . .t i
t n l t s u. 9 s 9
.s 9 5
- u. .s &
s t.
.s .s .s R
9 e 9 s
.s 9 s-a i a a 4 o 4 m c m 4 4 4 . 4 4 4 4 4 4 a m z 1 6 2 1 2 2 2 2 1 7 7 m 7 si F
t t
. n. n. .
7 3 7 3 i I. t
- i. m.
. 9 2
tt I I. i I. I t. 8 I. t t. t t. i t 3 3 3 t t A . . . . . . . . . t . . . . .
.e . M.
a -
.s
.s
.s .s s
.s .s .s s
.s P
e I T I 2 8 4 2 1
.s u
2 1 t 4 2 i 4 2 t m l
.s t
4 2 t m l 2 i 4 2 t 4 a 2 I m t 4 2 t 4 2 t 2 4 t 2 4 I 4 2 I m l 2 I 4 r : .I t e . . I t e .I t I i
. .t .I I
.t I
. i. .I t I
. .I t I u . . . . . . . . . . . . . . .
l i 5 e
. . s 9
9
. n 9
e 9 9 s 9 s 9 s 9 s 9 m 9 e 9 s 9 9 s '. 9 9 s 9 s
.s 9 a c 9 o a 4 o 4 4 4 4 4 4 4 4 4 4 4 n 7 7 7 m, 7 7
m. 7 7 7 7 m.m.. m... 7 F :3 _. n.
. 3 3 3 1 3 e n. n. . n. 3 3 3 3 3
. a
- u . a o
f
. . .e 8 q 1
e S C l e i l a T
-. t ht a
l' e r u P , l
. , , r P .
ia r r r N O. r o. o N o ,
- o. . N o. N O F o. M M o.w o.
_ N L M M M M i
. t
. M m s K
I K K m k k L ! a l M t s a, i i y y y y y y K K t K y
. ,. . K.
- t. K. ts t
h
- e. l i
Cr m h Cr h Ce h Cr U. h Ce h Ce h Cr f h k. I Cr I. 1 4 h Ce u e u a u o m uo ud u. e o A d d _ d d A C. d d
.C d C. C. C. C, C. C. C. C. C. C. C. C. C. C. C. C. C. C. C. . C.
, 4 , . 7 . 9 . 2 . 4 5 . , . 9 . 2 4 o
8
, 5 1
, s , s a
5 a
. 4 . 6 4 6 .
8 6 1 6 7 t 7 i 7 i m 7 8 t , i I t 1 8 8 I t 1 i! gn g e
,l ,\ljIj l ll t>l ! I ; ft ,l1, tII
q -- Table C18-(cont.): YJ U
% 2 2 2
- g R @
.3, A e -e e
?
o e e e e e e e a e e e o e a w A A o a e e
-z
.5 c
c j s .. E* 8 H O f
- ~ + e.
5a , @g -
- t A
t A + W = 3 ~ .
._ g -
z 6
- s. .
- s. .
. s.
Je E2 1 3 t a t
- t h
C
& U" E* E I2 l a a k.
- l A m;
8 I A k c E 8 3 ~ E 8 ~
= p, E. . * * .E . . w
.E
. e.
2 . g . . . . . . .
~ *
- a 4 4 $ t t 1 3 5 1 4 3 8 t 3 m
2 m R R R E : R R R I 2 I2 3 ::
.= .?. E E 8 8 E E 8 E E I 8
- < .E . .E w . . . .E .E . 2 . w .E E.
- . . . . . . . . . . . e. e. e. e. . . . e. . .
f.' '"
# 3
- 1 *
- C 4 3 %
}
o t : 3_ =3 = r. :: 3_ 3 =4 :: 3_ m% a a : - =4 :: 6 E E E E E E 3 $ I E E E E E 4;- . . E. . . E. E. . .E E. . e. e . E. e. e. e. w . E. E.
.=.
. . . . . . . . . . . . e- . . . . . =
'T 8. t t t t t t t t t t t t t t t t t t 4 4 4 4 4 6' c 4 : R E R R 4 m R R C 4 m R a n : :: ::
, $ 8 8 8 3 E 8 8 8 8 8 8 8 8 8 8 E E y .E .E *
- e ,e w . . .A . .E .E .
g W
. U'"
.O 3
t**
.- .c.
4 M b
.E
'E ' k e. a.
6 6
+ 6 z % r. 1 -
g g ,, I. 3 . m d. 3 3 . . s ,3 . } > l E e g'a _ E 5 s
.. 4 Y !
- C E R.
= = I.
E 3 2 3 2
. R. .E. :
- 2 * *
. C - 67 i
l
ij j Iji;ij)Il { l t*5e C n co nos#.v~ : - t s l u , s e R y g g e e e e e e . e e e . e e N G e e e e e e e p g s i e t ; i 5 l i w ,, b s v a ) 2 b n a o r i a 9 > s s 5 5 5 r r t - e 0 ee 8 P T 3 5 9 ', 3 e 6 3 9 9 9 6 0 9 9 9 e C 3 v 2 a 2 2 2 r e E & 1
- u. D s m s e s a s l .
S n 8 8 9 9 9 5 9 9 5 e 5
- e 9 5 6
s ee i o 4 4 4 9 4 0 9 4 0 6 9 4 7 6 a I i t 2 i 2 1 7 3 9 3 7 1 6 9 3 9 7 3 e . 0 3 3 6 9 9 s 9 ~., F ( a t e t e m 5 3 8 e 9 2 5 3 s 9 2 5 3 9 2 2 . l e l u e e e e e S 1 E u e e e & S t a a s m a a s s s s s s a a c 9 9 9 5 8 8 9 9 5 5 8 8 9 9 9 5 t l o l 9 8 4 0 4 4 4 4 o 9 4 0 e 4 4 4 9 4 8 o s a M 4 7 4 4 M 1 2 7 e. 1 2 n.
,9 7 6 6 1 2 7 9 7 1
6 C J 0 0 3 1 6 T 3 t t 3 9 I 8 t I . I u o o t t 8 9 t e t 5 0 s 9 9 t e S t 8 5 8 7 G s o e e 8 t 2 2 8 3 8 2 o a o e e & e d n t e s a e s e s e s e s s e s E .
- m. s 4
s 1 s m e s s G s a 1 a a. l i a 8 1 4 s4 2 s 4 2 8 4 2 8 2 4 8 2 4 9
,4 9
4 9 4 .s . 2 8 4 2 9 4 7
"' 9 4
1 9 7 4 7 9 4 7 9 4 8 2 4 2 8 4 9 7 4 5 8 6 s F , M M n. t 1 1 1 1 J 1 i 3 9
.e 1 I i i i i 8 l t t t t t 0 1 t 8 e 5' 8 e 8 8 t t s 9 ht ; e e e e e- s 9 e 9 e 3 8 3 8 0 e_ e e 2 e .s e. S e e e A- e e G e i e e e 8 6 e e G 8
- a. e s a s s s s s s a s s s a s s a s s e s 8 8 8 8 .a s 8 8 8 8 8 8 8 8 8 9 P I T-8 4
2 8 J 1 4 2 4 2 8 4 1 4 2 2 2 4 4 2 u m 2 4 4 2 4 2 4 1 4 2 4 2 4 1 4 2 4 2 2 4 7 4 3 e f i t I t t t 1 8 i d i t t s 1 t t t i i i t 8 t i t 1 1 i t t I t t i t t t i t i t e r : e. e e 9 e . e e . e e e 0 e. S e e e e e s u 5 e e e e e e . e e . . e e 4 e e e t e e e e l s s a s s a s e s s s s e m s s s a s i e 8 s s 8 4 8 .s 8 8 8 8 8 8 4 e 8 8 8 8 8 a c n 2 4 1 4 2 4 2 4 2 4 4 2 o 4 2 4 2 m . 2 4 2 2 4 4 2 1 4 4 2 4 2 4 2 4 2 4 2 4 1 4 2 u F e i g 1 t 1 1 1 l t t t t t t 1 4 t t i i t t t t i t i t 1 t t t e 3 t e i t e 1 t e i l e i t e i t e
- u o e 0 e o e e 0 e t e e. e e e q e e e 8 t e S C e e S e e t t e e e e e e e S e I
S C l
'e b
a T ht a
- P e
r l u P r P P i a O O P O P P P N e O N n O On F O P P F - N e O P M t K U> M1 K y l y A M L O M 4 y k y m u l
. M 1
K MI K o t k t M k l Os s k e L K N M I K M A K n O a K m N M L O M k n O n m s I. t h h b h h m W W w , h b U fj fj fj y y y lj K U G G c G g g g g g a g g 1g Hc E f EE E Dc Ef m E f Dc oc E , Dc E E U- D Dc Uc Dr r E Ur Hc f r c D. r o m - c e o e .c a a . _ a r e a s a s o a e o o o 7 8 9 e 8 2 , 4 5 , s o 9 e 4 2 3 4 5 6 7 9 9 9 o 0 2 8 2 e 0 2 e 2 = . J 0 2 1 2 1 2 1 2 8 2 1 2 1 2 I I 1 2 88 2 t 8 8 J 2 a nc $ r
? - *It }]r, l,.ll
_e#-
.= . s i
--t
. co
-5
< C' n , m
- ~
Talile C18: Failure l'attis and Total Failure Proisaltilities 8
- s .
" . i
- r Sequence 5: ITI-A; Fail to Isolate (1 SDC Train) .
i Failure Path . Calculations Results . k e , 219 ocDgiKIMN ES: 248 s e.co3749 a toti248 s 83$ 3909 j- 22e ' acHglKIMnOP e.eti248aee8376 s toti248seeG3749se299643 ja- * .(3 229 m HgfKimeOP eet1248se.co3749s8e03 49s &29e605 e '[! 222 met fgekMN - Set 8248 s 9 681248 s eJ5399' O.tW10044
)
*- j I 223 mDs ekMnOP e et i248 s e oii148 s e e83749 s e.29e605 124 ' m u sikad1P eeti248see85749s&29e605 0.000012 n :
e 225 == cit asas 248 s a2M5 0.003358 t 0.0fMMM4
$ 226 ocachU e et1248 s e et i248 s SL3539W e
227 meckljKL - e eti248 s 9 eti148 s te83749 e a290ee5 e et i248 s e et i248 s te83749 s e et i248 m t.333s09 e 228 acechijKIMM - tel1248 s e eti248 s e 883749 s e.048248 a tee 3749 m &29eee$ e / 229 aceckljKIMnOP ' Est:248 s 8 eti148 s e.083749 s &se3749 4296605 e g 138 - acuchtjKamd)P u s,9 .. ut m.ct.- . ett2 8 .c oll2 8s .st u .8 . 232 ocecMjkMeOP e eti248 s e et i248 s E01 e 248 s e e03749 a E29ete$ e aet 248 m e.sti248 s e ee374e a E29was e 233 acechtsh=OF U4 ocecwK1. toti248 e s.ee3749 s a2seees 0.fW10I2 e eti244 m 9.ee3749 s e eti244 s SJS3909 e 125 ocecwKIMN 236 ac cwKtM OP att t248 s e se3749 e act i148 s e se3749 s e 298685 e 137 ac cwKf==OF atti248 s e.ses?e9 : e eeJ749 s a29eees e 238 .cechskMN aat a 148 s e et t 248 s eas3'"' OMWM4 l 2 139 ==cwkMaor o et i248 s e ea i2s8 s 8 se3749 s e.29eees e I q 24e . meowkmoF aeti248 s e ee3749 e a 29enes . 0.08MMil2 O r f
n Table C18 (cont.): e m a m u
% 2 2 C C
. P g C C
> *, s g g ,e 9
6 6 . . . d . 5 5, 5 6 a d . 5 $ 6 6 6 6 5 k, a etN m
.5 5
I y 2 - ;=. c .
=.
u +=g n H -8 E u -
.=. =
- c . N L,
. W b n ..c. 3 = .o
'e
- 7, A = M
~
2 2 3
.2 2 g 6
e m m
$k u
. 5 V a A~ n[ ]' 3 3
" 2 F
=
E F A e. A A
@d
= = *
=g =3 = te at
; a g ; *
; e 3 l - 2 *3 3
.. E s 8 8 8 y 8 A A
.=.
. s A. . . . .f. . . .
s M e a e e a e a e u 3 e L p' } t t t 1 3 0
- 4 a
4 0 t t
- u a. . =t = = = :: :: : 3 : A : $
6 E 8 8 8 8 3 3 8 : 3 8 8 r. . G,3 e e . . . 4 . . e .E . e d . . 3
.=.us M N M M M M W M M M M N N N N s c 3
5 E
- : : =
3 3 8 9 8 8 8
~
3 5 8 E. .E . . n . s s 3 g . W U" v a.N. N b 3
..". e N &
4 a & A b a e & b b 7 ] d ed =4 y
= n s s s = s 5 y e 2 e 3 3 e e
a e a r a e a e a ra e a e a e a r a *i I [ ? a ra
~ ~
O
~ 3 4 4 0
W a t e 6 a- "n n 6 m C - 70 b
I FTI-B Seouence 5 (2 Trains of SDC) FTI-B for Sequence 5 represents operator failure to . isolate the leak (see Sequence 5 description in Sequences and Human Actions section) by performing the relevant steps of Attachment 6.1 (System Leakage) of OP 901-046 (Shutdown Cooling Mclfunction), when both shutdown cooling (SDC) trains are in service. The HRA event tree for FTI-B models the critical steps, substeps,
, and actions represented in steps 11 and 12 of Attachment 6.1 relating to isolation _of the leak. -Steps /substeps modeled include closing the SDC suction Molatien valve en ene SDC train.-observation of RCS level for stabili:ation.
placing the isolateo SDC train in service (referencing OP-009-005; Synem Operating Procedure, Shutdown Cooling System), and closing the SDC suction isolation velve on the opposite SDC train. The HRA modeling conservatively assumes that the leak is in the second train isolated. Omission and commission errors are modeled for each step /substep. Omission errors are modeled as errors by the control room supervisor (CRS), with recovery credit for the reactor operator (RO). A high level of dependence was modeled between the~two (CRS & R0), when the CRS was directing R0 actions. Commission errors cre modeled as errors by-the R0, with recovery credit for the CRS. For these actions,-a moderate level of dependence was modeled between the R0 doing the action and the CRS who would be concurrently performing other dynamic actions in the.CR. The HRA event tree, subtask quantifications, and total failure probability are presented in Figure 11, Table C19, and Table C20 respectively.
= Table C20-also lists the total mean failure probability for this event tree as 0.0233.
~
t l' f I C - 71 l f l, r
o O-- d e a o . s i a-_ .
' r n
w ._
i i o e a t r ) _ t r
- n. ) S n
5
" er oC nA C D
S eo s s n t c 'e e r is d C s n) ei s e orT e S 2 n .
- o%ie S
m( i s ims c eCS C A n e s. . C g f c e n , r r e o( o n i i s t e ' is n i 5 o6 ooa ce o t z e A e04 n C i t a, a
- r a n .
O t i
,s : ce cr n .
- r a p s m -
1 ut n L r, W ,, 5, e s LD C ve r i r. a a r e S 1 >- t
- 5
* + 2 -
g e s 1 . . r e i " + n
'n t c
. C o O v ? o i a' o1 9 S n j s /.
6 tev s s 5 g C r Ce e r v f 3 aoe e s) o t a 1
^
eeh e oe z n nr e C imi s c m.t. ' tos( f U 5( nt is r z
- m-s' cA 1 S '
P C 6 mo ea e i t t n _ o0 A 4 ei i
- a oB C S' 0 rt f cca el (
t 4 e-r 1 o s i s r cA ot 3 p o t 0 1' 0 i ae S tst 0 i0 e r 5 r - eP t t 0sc o in e t s O t i n a
~
4 7 f m A c r
.s D 2 J sv tO e
6 ee g r e t , 1
? a d f e t
_C5 Dw f v t g s se
/ e-s- o o Og e en e C D
c o o h. . C
- t S !v O' C )
t 2 s 1 A df ly i fz t o ev t S L ' D cA s o t e n C o1 e^i F t C i e at cea'o tsl t o D t 0 v f s r t ) i S S) G o0 4 oc S r o s n aC b e( sA : ) 1 t
.S P e
( A C p r e n e c ct iof D r o us n me onS i5C lo osGrx 1 o
- f c04 s( i eh t t A a r cev i p r E tsem- o et o>n
) vo -
v.ia os t oe y i eC H e d t sratr tood C O t l r e al ( l e a
- SS v f a C s S S d w'v A C o
- I C
D OS S e t e C B c e OC F R t s e. _ oS et v A ei c c t
- o eI w s sv et ia le ( - t B e. _
s r .wc se ov pr S G sR ne.e ) E I S c l o C C oi e y - c . r R r T D un ou e
- C Si Os e c s f - t S v O o
t
- P s n0C ao c _
1 a - n f 5 e
- t e k_
I
- n.
- _
T c e s g (_ F r e r i c ne ' o iz i t g iml a sef ri eb t 1 . e ta 5 F t wi l z ds e i e s eD mS By t o ' t c n r et r s' et ~ c n O S R t o r r e L O eu a r C e n C te USC f q e}}