ML20155E865: Difference between revisions
StriderTol (talk | contribs) (StriderTol Bot change) |
StriderTol (talk | contribs) (StriderTol Bot change) |
||
Line 14: | Line 14: | ||
| document type = CONTRACTED REPORT - RTA,QUICK LOOK,ETC. (PERIODIC, NUREG REPORTS, TEXT-PROCUREMENT & CONTRACTS | | document type = CONTRACTED REPORT - RTA,QUICK LOOK,ETC. (PERIODIC, NUREG REPORTS, TEXT-PROCUREMENT & CONTRACTS | ||
| page count = 332 | | page count = 332 | ||
| project = | |||
| stage = Request | |||
}} | }} | ||
Latest revision as of 20:55, 9 December 2021
ML20155E865 | |
Person / Time | |
---|---|
Site: | Indian Point |
Issue date: | 01/31/1986 |
From: | Bozoki G, Bozoki G, Fitzpatrick R, Fresco A, Hanan N, Hanan N, George Macdonald, Mazour T, Mazour T, Mitra S, Papazoglou I, Papazoglou I, Xue D, Youngblood R, Youngblood R ABB IMPELL CORP. (FORMERLY IMPELL CORP.), ANALYSIS & TECHNOLOGY, INC., BROOKHAVEN NATIONAL LABORATORY |
To: | Office of Nuclear Reactor Regulation |
References | |
CON-FIN-A-3725 BNL-NUREG-51872, NUREG-CR-4207, NUDOCS 8604180302 | |
Download: ML20155E865 (332) | |
Text
{{#Wiki_filter:~ NUREG/CR-4207 BNL-NUREG-51872 l Fault Tree Application to the Study of Systems Interactions at Indian Point 3 i Prepared by R. Youngblood, N. Hanan, R. Fitzpatrick, D. Xue, G. Bozoki, A. Fresco, l. Papazoglou/BNL S. Mitra, G. MacDonald/IC T. Mazour, A&T Brookhaven National Laboratory impull Corporation Analysis & Technology, Inc. Prepared for U.S. Nuclear Regulatory Commission D DOOk$h00Sbs6 P PDR
O
= .
NOTICE This report was prepared as an account of work sponsored by an agency of the United States Government. Neither :he United States Government nor any agency thereof, or any of their l employees, makes any warranty, expressed or implied, or assumes any legal liability of re-I sponsibihty for any third party's use, or the results of such use, of any information, apparatus, l product or process disclosed in this report, or represents that its use by such third party would not infringe privately owned rights. NOTICE
~
Availabihty of Reference Materials Cited in NRC Publications Most documents cited in NRC publications will be available from one of the following sources: L The NRC Pubhc Document Room,1717 H Street, N.W. Wash ngton, DC 20555
- 2. The Superintendent of Documents U.S. Government Printing Oitice, Post Of fire Box 37082, Washington, DC 20013-7082
- 3. The National Tech'necal Information Service, Springfield, VA 22161 Although the hsting that follows represents the majority of documents cited in NRC pubhcations, it is not entended to be exhaustive.
Referenced documents available for inspection and copying for a fee from the NRC Public Docu ment Room include NRC correspondence and internal NRC memoranda; NRC Office of Inspection and Enforcement bulletins, circulars, information notices, inspection and investigation notices; Licensee Event Reports; vendor reports and correspondence; Commission papers; and applicant and hcensee documents and correspondence. The following documents in the NUREG series are available for purchase from the GPO Sales Program; formal NRC staff and contractor reports, NRC sponsored conference proceedings, and NRC booklets and brochures. Also available are Regulatory Guides, NRC regulations in the Code of federal Regulations, and Nuclear Regulatory Commission issuances. Documents available from the National Technical Information Service include NUREG series reports and technical reports prepared by other federal agencies and reports prepared by the Atomic Energy Commission, forerunner agency to the Nuclear Regulatory Commission. Documents available from public and special technical hbraries include all open hterature items, such as book s, journal and periodical articies, and transactions. Fe&ral Register notices, federal and state legislation, and congressional reports can usually be obtained from these hbraries. Documents such as theses, dissertations, foreign reports and translations, and non NRC conference proceedings are available for purchase from the organization sponsoring the pubhcation cited. Single copies of NRC draf t reports are available free, to the extent of supply, upon written request to the Division of Technical information and Document Control, U S Nuclear Regulatory Com mission, Washington, DC 20555. Copies of industry codes and standards used in a substantive manner in the NRC regulatory process are maintained at the NRC Library, 7920 Norfolk Avenue, Bethesda, Maryland, and are available there for reference use by the public. Codes and standards are usually copyrighted and may be purchased from the originating organization or, if they are American National Standards, from the American National Standards Institute,1430 Broadway, New York, NY 10018.
NUREG/CR-4207 BNL-NUREG-51872 _ : 2__ ^:: _:
- z :-^ : -^- r_ z ---~--- ~
- - - - -- -~ ^ -
Fault Tree Application to the a Study of Systems Interactions at Indian Point 3 Manuscript Completed: March 1985 Date Published: January 1986 Prepared by R. Youngblood, N. Hanan, R. Fitzpatrick, D. Xue, G. Bozoki, A. Fresco, I. Papazoglou, Brookhaven National Laboratory S. Mitra, G. MacDonald, Impell Corporstion T. Mazour, Analysis & Technology, Inc. Brookhaven National Laboratory Upton, NY 11973 Subcontractors: Impell Corporation 225 Broad Hollow Road Melville, NY 11747 Anafysis & Technology, Inc. Technology Park P.O. Box 220 North Stonington, CT 06359 Prepared for Division of Safety Technology Office of Nuclear Reactor Regulation U.S. Nuclear Regulatory Commission Washington, D.C. 20555 NRC FIN A3725 P
1 ABSTRACT This report describes an application of fault tree methods to search for systems interactions at Indian Point 3. This project was carried out in sup-port of the resolution of Unresolved Saf ety Issue A-17 on Systems Interac-tion. Here, the methods are introduced, the findings are presented, and com-ments on the methods are offered. Findings are presented in the following manner. Sys tems interactions which may qualitatively violate regulatory requirements (regardless of their probability) are discussed; additionally, a probabilistically ranked list of system interactions it, provided. This study resulted in the discovery of a previously undetected active single failure causing loss of low pressure injection. After verifying this finding, the licensee took inmediate corrective actions, including a design modification to the switching logic for one of the safety buses, as well as procedural changes. 9 111
NRC
SUMMARY
The NRC staff has been evaluating methods that analyze for intersystems dependencies. The evaluations were both (a) toward resolving Unresolved Safety Issue A-17 (Systems Interaction in Nuclear Power Plants) and (b) toward improving the analysis for dependencies in Probabilistic Risk Assessments. Two methods, Fault Tree / Interactive Failure Modes & Effects Analysis and Digraph-Matrix Analysis, appeared effective although previously not applied on a large scale to nuclear systems. This report describes the demonstration of the Fault Tree / Interactive Failure Modes & Effects Analysis on a large fraction of the systems at one nuclear power plant. The demonstration of the Digraph-Matrix Analysis is described in NUREG/CR-4179. The objective of the systems interaction analysis was to provide assurance that the i Jependent functioning of selected safety related systu. was not jeopardized by components that cause faults to be dependent. The results reported here came from work beyond the routine criteria used by the NRC to license nuclear power plants. The report should be read as a technical evaluation by the laboratory performing the analysis rather than as a safety evaluation performed by the licensing staff of the NRC. The NRC resolution of USI A-17 will include both a safety evaluation and a regulatory analysis. The demonstration plant was selected primarily based upon the cooperation extended by the utility toward a resolution of USI A-17. A copy of the draft report was provided to the utility and placed in the Public Document Room on July 3, 1985. v
CONTENTS Page ABSTRACT................................................................. iii V NRC
SUMMARY
PREFACE..................................................................X H i ACKNOWLEDGMENTS.......................................................... xv
- 1. INTRODUCTION......................................................... 1 1.1 Background...................................................... 1 1.2 Sc o p e o f t h e P roj ec t . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 1.3 Scope of the Report............................................. 3 References........................................................... 3
- 2. METH0DS.............................................................. 5 2.1 Overvi ew o f the General Approach. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 2.2 Approach to the Search for Functionally Coupled Systems 8 Interactions.................................................. 8 2.2.1 Scope.................................................... 8 2.3.2 Me t hodol ogy a nd Impl emen ta t i on. . . . . . . . . . . . . . . . . . . . . . . . . . . 9 2.3 Approach to the Search for Candidate Spatially Coupled Sy s t ems I n t e r a c t i o n s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 2.3.1 Scope.................................................... 14 2.3.2 Me thod ol o gy a nd Imp l eme n tat i on. . . . . . . . . . . . . . . . . . . . . . . . . . . 14 2.4 Approach to the Search for Induced Human Systems Interactions... 17 2.4.1 Scope.................................................... 17 2.4.2 Methodology and Implementation........................... 18 References........................................................... 24
- 3. F I N D I t !G S . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 3.1 De fi ni ti on of Syst ems Interacti ons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 3.2 Functional ly Coupl ed Systems Interactions. . . . . . . . . . . . . . . . . . . . . . . 29 3.2.1 Qualitative Insights Regarding Discovered Functional l Sy s t ems I n t e r a c t i o n s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 3.2.2 Quantification of Discovered Functional Systems Interactions........................................... 37 3.2.2.1 Auxi l i a ry Feedwate r ( Event L) . . . . . . . . . . . . . . . . . . . 37 3.2.2.2 Transient and Loss of Auxiliary Feedwater (Event T*L)................................... 37 3.2.2.3 Failure of HPI Given Small LOCA (Event S 2 *U).... 40 3.2.2.4 Failure of HPI Given Medium LOCA (Event Si *U) ... 42 vii
Page 3.2.2.5 Failure of LPI in Conjunction with Medium LOCA. 42 3.2.2.6 Transient-Induced RCP Seal Failure [ Eve nt S 2( P ) ] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 2 - 3.2.2.7 Transient-Induced RCP Seal LOCA and Failure l of Auxiliary Feedwater [ Event S 2 (P)*L]....... 43 3.2.2.8 Transient-Induced RCP Seal LOCA and Failure of HPI [ Event S (2P) *V] . . . . . . . . . . . . . . . . . . . . . . . 43 3.3 Findings of Search for Candidate Spatial Couplings........ 43 3.4 Induced-Humanly Coupl ed Systems Interactions. . . . . . . . . . . . . . 45 3.5 Re gul a t o ry Pe rs pec t i v e . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 I References..................................................... 45
- 4. COMMENTS AND CONCLUSIONS............................................ 59 4.1 General Comments............................................... 59 4.1.1 Particular Strengths of the Present Approach............ 59 4.1.2 Where to Stop Modeling.................................. 59 4.2 Comments on Functional Phase................................... 60 4.2.1 Use of the SETS Code.................................... 60 4.2.2 Level of Detail......................................... 61 4.2.3 Logic Loops............................................. 62 4.2.4 Obtaining Minimal Cutsets From the Fault Trees.......... 63 4.2.4.1 Si z e o f P r o b l em . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63 4.2.4.2 Truncation..................................... 63 -
4.2.4.3 Modeling Assumptions........................... 64 4.2.5 Faul t Trees Used in Mul ti pl e Context s. . . . . . . . . . . . . . . . . . . 65 4.3 Comments on the Spatial Phase.................................. 66 4.3.1 In fo rmati on Gat heri ng . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66 4.3.2 Screening Analysis...................................... 66 4.4 Comment on Search for Induced Human Interactions. . . . . . . . . . . . . . . 67 4.5 Conclusions.................................................... 70 References.......................................................... 72 APPENDIX A - SYSTEMS M0DELS............................................. 73 A.0 Introduction................................................... 73 A.1 Au x i l i a ry Fe edwa t e r . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ' 7 4 A.2 Ma i n Fe e d wa t e r . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79 A.3 Hi gh Pres s u re Inj ecti on . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84 A.4 Low Pressure Injection......................................... 87 viii
1 i
)
i i Page A.5 RCP Seals...................................................... 91 r A.6 Pressurizer.................................................... 93 A.7 Component Cooling Water........................................ 99
, A.8 Co n d e n s a t e St o r a g e . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 3 A.9 Chemi cal and Volume Co nt rol Sy stem. . . . . . . . . . . . . . . . . . . . . . . . . . . . 105 A .10 El ec t r i c a l P owe r . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 8 A .11 He a t T r a c i n g . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113 A .12 I n s t r ume n t Ai r . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115 A.13 Refueling Water Storage Tank.................................. 116 A .14 St a t i o n Ai r . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117 i A.15 Sequencer..................................................... 118 A .16 S I Ac t u a t i o n . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121 l A .17 Se r v i c e Wa t e r . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 2 A .18 Tr a n s i e n t I n i t i a t o r . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 6 i
APPENDIX B - EVENT DEFINITIONS......................................... 129 I 4
; APPENDIX C - ANNOTATED MIN IMAL CUTSET TABLES. . . . . . . . . . . . . . . . . . . . . . . . . . . 150 APPENDIX D - PR IMARY EVENTS /0PERATOR ACT10NS. . . . . . . . . . . . . . . . . . . . . . . . . . . 151 i
APPENDIX E - ALLOCATION OF PROJECT EFFORT AND COMPUTER COSTS........... 298 i E .1 All ocati on of Proj ect Ef fort . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298 E.2 Computer Costs................................................ 298 APPENDIX F - SPATI AL ZONES AFFECTING MAJOR COMP 0NENTS. . . . . . . . . . . . . . . . . . 301
)
l 4 i 8 I I i i iX i _ _- - _ _ . _ . - _ _ - _ , _ - - - - - - - . _ - _ _ - - _ - - _ - = . - - __. ., _ __
_ . _ __ _ _ _ _ __ _ ._ __ __ . -~ _ _ ._ i LIST OF FIGURES 2.4.1 Summary of induced-human system interactions method. . . . . . . . . . . . . 21 3.2.1 Selected portions of IP-3 electrical power system. . . . . . . . . . . . . . . 35 LIST OF TABLES i 2.1.1 Approach to St udy o f Sy stems Interacti ons. . . . . . . . . . . . . . . . . . . . . . . . 9 2.1.2 Stages i n Present FT/ IFMEA Appl i cati on. . . . . . . . . . . . . . . . . . . . . . . . . . 11 2.2.1 Fr o n tl i n e Sy s t ens St ud i ed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 2.2.2 System Top Event s and Accident Sequences . . . . . . . . . . . . . . . . . . . . . . . . 12 2.2.3 Sy st em/Su pport Sy st em Dependences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 2.4.1 Candidate Induced Human System Interactions . . . . . . . . . . . . . . . . . . . . . 22 3.1.1 Sequence-Specific Characterization of Systems Interactions...... 26 3.2.1 Prima ry Event Quanti fi cation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 j 3.2.2 Quanti fi ed Cutsets - S L2Sequence. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38 3.2.3 Quanti fi ed Cutset s - T*L Sequence. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 3.2.4 Qu anti fied Cutset s - S 02 Sequence. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 j 3.2.5 Quanti fi ed Cutset s - S U Sequence. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 i 3.2.6 Quantified Cutsets - S D Sequence............................... 44 l 3.2.7 Quanti fi ed Cutset s - S ( P) Sequence. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44 3.2.8 Quanti fi ed Cut set s - S ( P) 2
- L Sequence. . . . . . . . . . . . . . . . . . . . . . . . . . . 44
- 3.2.9 Quanti fie i Cutset s - S ( P)*U 2 Sequence. . . . . . . . . . . . . . . . . . . . . . . . . . . 44 d
3.3.1 Zones Wittiin Which Top Events Can Potentially Originate......... 46
! 3.3.2 Examples of How Each Top Event Can Be Caused from within , ! the Indicated Zones........................................... 47 i
3.5.1 Cutsets Penetrati ng Regulatory Cri teri a. . . . . . . . . . . . . . . . . . . . . . . . . 56 l l 4 I i b i i t l 1 r Xi i
-_ m,_.. - _ . . . _ - _ _ - . . . - _ e _. -
_ - . _,~ _. . _ _ _ _ _ .
1, PREFACE This project was performed in support of the resolution of USI A-17 on
- Systems Interactions (sis ). The resolution of US1 A-17 involves deciding j whether SI studies ought to be required and, if so, what sort of study will
! best meet NRC needs in this area. This project represents a limited trial of a particular approach, carried out to illustrate strengths and weaknesses of I the approach. A major element of NRC's Task Action Plan for the resolution of USI A-17 was to compare the results of this project (which used fault trees) with results of a similar project carried out at LLNL (which used digraph- ! mat rices ) . Accordingly, the two projects were closely matched in scope and level of effort, and essentially the same documentation was supplied, under NRC control, to the two labs. ! It must be clearly understood that this project is not a full-scope SI study. Only certain accident sequences are considered; within these sequences, only certain interaction types are considered; and for these sequences and interaction types, only limited information was made available to the labs. For comparison purposes, these limitations were deemed accept-able by NRC, provided that the limitations were comparable between the labs. I Although this report is not a substitute for a full SI study, it has achieved a number of important successes, and has thereby contributed to the l resolution of USI A-17. In particular, by applying prescribed methods, BNL found a significant, previously undetected single active failure which causes , loss of LPI in medium or large LOCA sequences. Additionally, other situations l were found which warrant further review to establish whether regulatory requirements are met. This report discusses those strengths of the present I method which have contributed most directly to these results. f xiii l [. . - - - . .- . ----_. - .- - - -_- - - _.
ACKNOWLEDGMENTS We are grateful to the IP-3 personnel for their hospitality, cooperation, and helpfulness during our plant visit and in subsequent encounters. We also gratefully acknowledge the commitment and support of our NRC technical monitor, E. Chelliah. Perhaps, most importantly, we are indebted to Cheryl Conrad for the dedi-cation and expertise that have been required to complete this report in a timely fashion. XV i 1
1
- 1. INTRODUCTION This report presents the results of an application of fault tree tech-niques to a search for system interactions (sis) at Indian Point Unit 3, per-formed in support of the resolution of Unresolved Safety Issue A-17 on Systen Interactions. This first section describes the background of the project and the scope of this report and of the project as a whole.
1.1 Background
Unresolved Safety Issue A-17 (USI A-17)1 is concerned with what, if , anything, should be done about Systems Interactions. One possible resolution is to conclude that nothing needs to be done. Another possible resolution is ! to require plant-specific SI studies aimed at iaentifying sis at particular J plants. If studies revealed the existence of sis, any which were judged sig-nificant could of ccurse be addressed, and if no sis were found, a suitable basis for the negative finding could be made available. If a decision is made to perform SI studies, it is appropriate to ask what sort of study best serves these intended purposes. The answer to this will depend on the efficiency of the different methods and the degree of confidence that can be placed in the results. The project reported here addressed the above questions in support of the resolution of USI A-17. Several years ago, USNRC asked for recommendations regarding preferred methods for carrying out SI studies. BNL recommended 2a phased application of Fault Trees / Interacting Failure Modes and Effects Analy-sis (FT/IFMEA), in which a logical model of the plant is- developed iterative-i ly, in successively more detailed stages. Thisproject is an application by BNL of part of its own recommended method. Other laboratories have also made recommendations. In particular, Lawrence Livermore National Laboratory (LLNL) recommended a method using a logic model based on so-called " digraphs" rather ! than fault trees.3 i NRC therefore decided to compare these two methods (fault tree and di-graph) to demonstrate their strengths and weaknesses. It was decided to apply both methods concurrently to selected identical portions of Indian Point Unit 3, and to try to ensure that the same input was used in both studies. This
1 2 j might mean that the results obteined from the two projects would reflect di-rectly on relative strengths and weaknesses of the two methods. Additionally, although a major utility-sponsored PRA had already been performed on IP-2 and I IP-3,4 and although a separate utility-sponsored SI study had also been con- > ducted on IP-3,5 it was hoped that the results of the two applications would shed additional light on the extent to which sis are a problem. 1.2 Scope of the Project The topics addressed in this project were chosen by negotiations be- ! tween BNL, LLNL, and NRC. It was important to NRC to maximize the overlap in j the areas studied by the two laboratories so that the results could be scored 3 more easily. Early agreement was reached not to address containment systems or the reactor subcriticality function, and to emphasize "early" core melt se- ! quences. This led to development of a list of accident sequences and corres- )
- ponding frontline systems which is given it. Section 2.
i Certain areas of inquiry (addressed below) which might have been pursued here were eliminated in order to concentrate on other areas and to avoid over-
! lapping other NRC work. Several of these exclusions were spelled out in the I Statement of Work. One such exclusion is that of human error. By now, it is well established that human error is gererally an important consiaeration, but j it is also being addressed in other NRC programs and was therefore out of l
scope here. Maintenance errors are not modeled here, nor are control room operator errors. The only counterproductive human acts which are reflected in this project are based on misinformation due to display malfunction. These acts are not " errors," and as treated here do not involve human factors con-siderations; humans are treated as extensions of the hardware, which behave by procedures according to the information displayed. i Another excluded area is the effect of certain control system malfunc-tions. Events of this type appear in some of the sequences modeled, but have n t generally been emphasized. 4
i 3 So-called common cause failure effects have also been excluded. Thus, for example, no primary event on the fault tree corresponds to " failure of two diesels for unspecified reasons." Some studies incorporate such developments, using beta-f actor arguments based on operational data, but this has not been done here. The Statement of Work contemplated a fairly detailed analysis of spatial coupling, but because of the lack of documentation, a much reduced effort was carried out, as described in Section 2. 1.3 Scope of the Report Section 2 briefly mentions the method originally recommended by BNL for full-scope SI studies, and then describes how the methodology was tailored for the unique scope of this project. Section 3 describes the findings, and de-tails what constitutes a " finding" within the context of each sequence ana-lyzed in the study. Then " discovered systems interactions" are quantified so that their safety significance can be assessed. Section 4 offers comments on the method which was followed in order to address NRC's need to understand strengths and weaknesses of the method employed here. The Appendices provide information about the system models and compendia of results. The main body of this report contains " findings" which are f ail-ure combinations that satisfy a screening criterion for significance; the appendices contain a more exhaustive set of failure combinations, most of which are not judged to be probabilistically significant. References for Section 1
- 1. Task Action Plan for Resolution of USI A-17, January 1984.
- 2. A. Buslik, I. Papazoglou, and R. A. Bari, Review and Evaluation of Systens i Interactions Methods , NUREG/CR-1901,1981.
- 3. H. P. Alesso, I. J. Sacks , and C. F. Smith, Initial Guidance on Digraph-Matrix Analysis for Systems Interaction Studies, NUREG/CR-2915,1983. I i
- . . - - _ _.. , ,n.-_,-
4
- 4. Indian Point Probabilistic Safety Study, Power Authority of the State of New York, Consolidated Edison Company of New York, Inc., 1982.
- 5. Power Authority of the State of New York-Indian Point 3 Nuclear Power Plant Systems Interaction Study, Ebasco Services , Inc. ,1981.
! 5 i i
- 2. METHODS 2.1 Overview of the General Approach The method on which this project was based has been discussed elsewhere, and will not be extensively reviewed here.1 Its steps are summarized in Table 2.1.1. The method is intended to cover the full range of possible acci-
- dents; accordingly, the early phases of the process emphasize development of an overview. Owing to the special circumstances governing this project, im-portant steps in Table 2.1.1 were bypassed; the actual steps performed are given in Table 2.1.2. While the proposed method (Table 2.1.1) contemplates a full-scope study of a previously unanalyzed plant, this project was performed j as a limited scope application of fault tree methods for demonstration pur-poses, carried out on a plant which had already been extensively studied.
Noteworthy features of the method are (1) the emphasis on explicitly modeling the initiating event, in order to search for correlations between
! initiating events and f ailure of mitigating systems, (2) basing the searches '
for spatial and induced-human interactions on results of the functional model, ! (3) solving the model first at, say, the train level and scrutinizing the re- , i 1 suits of this development before proceeding to develop the model to a finer level of resolution, in order that sis can be discovered early in the process 1 and that the development of the model benefits from the iterative feedback process, and (4) linking the support systems to the frontline systems as well as the other support systems. In the first phase, a functional model was developed which prescribed the scope of the searches for spatial and induced-human interactions. Important interactions are those which link events that appear jointly in minimal cut-sets of the functional model; the results of the functional model therefore provide one way to set priorities in the search for spatial or induced-human ! coupling. Systems were resolved first to the segment level (a segment being a group of components in series, lying between two nodes of the system). For each i segment, functional failure was modeled as f ailure of supports to the segment or internal failures, i.e., failures not due to supports. For each segment, l all events internal to the segment were collapsed into a single event. For
6 example, a segment consisting of several valves in series would have a singl.e event corresponding to plugging of any of the valves, spurious transferring closed because of local faults, failing to open because of local f aults, etc. It is essential that analysis of mitigating systems' failure be properly conditioned on the character of the initiating events. A number of things were done to accomplish this:
- 1. A fault tree for transient initiators was developed. Transient accident sequence cutsets were displayed including the particular transient-initia-ting event for at least those transients which functionally correlate with support system faults.
- 2. Certain conditions were explicitly displayed on the fault trees as events:
presence of a safety injection (SI) signal, whether a LOCA was mediam or small, etc.
- 3. h0T logic was used to distinguish failure modes appropriate to different conditions. For example, at IP-3, the component cooling pumps are running or not depending on the availability of offsite power and on the presence of an SI signal. " Failure" of these pumps must be judged against the pre-vailing conditions.
Thus, in general, accident sequence cutsets contained explicit indication of all relevant conditions. Consider the example of a transient sequence ini-tiated by a service water failure leading to a turbine trip accompanied by failure of fast transfer and eventual f ailure of auxiliary feedwater pumps to start. The cutset will display the service water f ailure, the f ast transfer failure, and the failures causing the pumps not to start; since different com-ponents of the actuation logic come into play for non-LOCA scenarios, the pre-sence or absence cf a safety injection signal may show up explicitly. All essential support system fault trees were developed and linked, with certain exceptions which can be classed as environmental control systems. For each f rontline system, then, the resulting model explicitly displayed all sup-port faults as described above. At the indicated level of resolution (the segment level ) , it is still possible to survey cutsets out to, say, third order in a meaningful way. This is a logical necessity if cutset searching is to play any role in the search for spatial or induced-human interactions. l l
1 7 l Before this project was undertaken, a substantial utility-sponsored PRA2 (hereaf ter "the PRA" or "the IPPSS") had been performed, and a separate utility-sponsored SI study (hereaf ter "the PASNY study") had also been com-l pleted.3 Concurrently with the BNL application of its f ault-tree-based ap- ! proach, Lawrence Livermore National Laboratory (LLNL) was applying its own l method to a study of the same accident sequences, basing its development on digraph codes rather than fault tree codes. For purposes of a straightforward comparison, both labs were to have received essentially the same information and covered essentially the same ground. Accordingly, the PRA was to have been used by both labs as a source document (and the PASNY SI study was, for ' the most part, not made available to either lab). Priorities which had been established for this project and the circum-stances which governed the availability of information combined to dictate em-phasis of some portions of the search and deemphasis of others. Systems and sequences to be analyzed were chosen through a process of mutual agreement be-tween LLNL, NRC, and BNL in which documentation considerations were signifi-cant; this bypasses most of the early (thinking) steps given in Table 2.1.1. Ultimately, the sequences analyzed and the success criteria chosen were taken (where possible) from the PRA. A meaningful study of spatially coupled sis cannot be based solely on diagrams available to BNL, and must entail a good deal of physical inspection and analysis; accordingly, the iterations of steps i IIJ-IIN on Table 2.2.1, recommended in a search for spatial interactions, were deemphasized in favor of a reduced search for " candidate spatial sis" (CSSIs ) . In this study, CSSIs are essentially locations which are potentially critical by virtue of their linking different events in a cutset; here, how-ever, neither physical :nspection nor physical analysis has been performed, , i and the CSSIs are therefore simply candidates. l The search for induced-human interactions corresponds to a very re-stricted subset of the possibilities for operator involvement in accident se-quences. In this study, traditional " human factors" considerations were out of scope, as these are being considered in other NRC-sponsored work. Again, the method given in Table 2.1.1 is more general than that used in the current p roject. l
] 8 I In summary, then, this project is not a full-scope SI study. To focus f more directly on NRC needs, and to stay within the constraints imposed on the l project, BNL has developed a segment-level (see Section 2.2) functional model l of certain accident sequences, and has made a limited application of this l model to a search for candidate spatially coupled system interactions and dis-play-malfunction-induced system interactions. 2.2 Approach to the Search for Functionally Coupled Systems Interactiorg 2.2.1 Scope "Frontline" systems (FLS) to be analyzed are listed in Table 2.2.1. In
*his project, a "frontline" system is essentially a system which (a) is in-directly related to one of the safety functions being analyzed (protection of j RCS boundary, control of coolant inventory, removal of decay heat), and (b) j has been selected by consensus for study. On this basis, main feedwater (MFW) has been listed as a FLS, although it has been modeled here essentially as a transient initiator (reasons for this are given in Section 2 of Appendix A).
Support systems considered were those which support any of these frontline systems. As it turned out, environmental control systems were not modeled (fire protection, HVAC, etc.). Accident sequences considered are given in Table 2.2.2. These, too, were arrived at by consensus. Factors in the selection were: (a) a decision to emphasize certain safety functions (e.g., removal of decay heat) and not others (e.g., reactor subcriticality), (b) a decision not to analyze containment systems, ! (c) a decision to emphasize "ea rly" core melt sequences (and not i recirculation phase failures), and i i (d) a decision to avoid certain control systems failures which are being considered in other NRC-sponsored work.
,--.,___,,.-.,,m- . . _ , . , , -- . - . . . , . , - - . _ . ,.,.-_,3, . . . - - - - _ _ - . . - . , . , , , - - . . . , _ . . . , _ , ,--__ ,r-,- - _
9 1 Table 2.1.1 Approach to Study of Systems Interactions I. Selection of Systens for Detailed Evaluation
- a. Study Plant Design and Operating History l
- b. Develop a List of Accident Initiators 1 c. Develop a Functional Event Tree i d. Assign Frontline Systems to the Functions of the Event Yrees
- e. Assign Suppo'rt Systems to Frontline Systems
- f. Develop Dependence Tables or Diagrams for Front-Line Systems and Support Systems
- g. Develop Systemic Event Trees
- h. Develop Fault Trees for Accident Initiators
, i. Develop List of Secondary Ef fects of Accident Initiators II. Identification of Systems Interactions l (These steps are to be iterated at successively finer levels of resolution)
- j. Perform Cascade Failure Analysis
- k. Develop the System Fault Trees
, 1. Generate Minimal Cutsets
- m. Search for Interactions in the Minimal Cutsets 4
- n. Complete Search for System Interactions III. Evaluation Criteria for System Interactions
- o. Evaluation (Ranking) of System Interactions i
2.2.2 Methodology and Implementation l j The method (Section 2.1) calls for evaluating the model at successively finer levels of resolution. The reason for this is as follows. For purposes of illustration, consider the example of the three HPI pumps, which share a common location. Analyzing the few functional cutsets emerging from an early, low-resolution evaluation, one is led directly to ask whether the three pumps have anything in common, and to realize that there is indeed spatial commona- l lity; the observation does not havo to await the development of the full, l I i l _ . - ~ . _ . . _ __ _ _ . _ _ _ . _ - _.. _ _ -. _ ,_ _ .-_ . . . _ . . _
10 detailed model. Indeed, spatial interactions may be an area in which such high-level models are useful. In searching for functional interactions, how-ever, such train-level models are not likely to be useful in real applica-tions, apart from possible pedagogical considerations. In this project, then, an effort was made to construct a fairly accurate functional model at the seg-ment level. A " segment" is a group of elements (e.g., pipe segments, valves , pumps) in series, which can logically be lumped together in the development of the functional fault tree. The segmentation schemes for each of the systems studied are shown on the figures in Appendix A. (See also the IREP Procedures Guide 4.) This level of resolution is fine enough that the tree can faith-fully reflect the logic of the system, and coarse enough nct to generate unmanageably large numbers of cutsets. Frontline systems having been decided upon, it was necessary to develop a list of support systems. Frontline and support system dependences are listed in Table 2.2.3 . At this point, with frontline and support systems in hand, and particular top events in mind, it was necessary to establish success criteria. Where these existed in the PRA, they were adopted. For systems which BNL found to contribute to the frequency of transient initiation, and for which success criteria had not been defined in the PRA, the FSAR or plant personnel were consulted to define the normal operating status of certain support systems. The method calls for generating a top-oown model of the transient initia-tor. In the interest of efficiency, this approach'was modified in the present study. The purpose of studying the initiator is, af ter all, to search for correlation between initiating events and mitigating system faults; it is therefore inappropriate to consider the entire balance of plant in modeling ( the initiating event. Rather, as the development of support system fault trees progressed for analysis of mitigating system failure, the support faults were assessed for their transient-causing potential. The support faults which were found to contribute to transient initiation were combined into the Tran-sient-Initiator Fault Tree. This is further discussed in Appendix A (Section
- 18) under Transient Initiator.
.- - - -. . - - - _ - . - _ - . . =. - - _ - .
11 Table 2.1.2 Stages in Present FT/IFMEA Application
- 1. Initiation of Work Begin process of agreement on project scope between BNL, NRC, and LLNL. 1
- 2. Receipt of Documents Describing Systems and PRA i
Receive from PASNY the documents to be used as input for both labs.
- 3. Selection of Systems Combinations for Detailed Evaluation Develop consensus between BNL, NRC, and LLNL as to which f rontline systens to analyze and which accident sequences to consider. i i
i 4. Fault Trees Development - Cascade Failure Analysis for Functional Inter- l j actions This step corresponds to IIj-I:n (Table 2.1.1) for functional inter-acti ons . l S. Cascade Failure Analysis for Spatial Interaction a , This corresponds to Steps IIj - IIn for spatial interactions , where now l the functional model implicitly prescribes the components and locations j which (by virtue of being functionally important) are important areas to be searched for spatial interactions. ]! i 6. Revision of Fault Trees - Final Set of Minimal Cutsets for Spatial Inter-l action This task corresponds to steps IIk-Ilm (Table 2.1.1). ! 7. Cascade Failure Analysis - Induced Human Interactions j' This task was a search within the functional model for coupling between l failures which derived directly from display malfunctions.
- 8. Revision of Fault Trees - Final Set' of Minimal Cutsets for Induced-Human Interactions.
) Owing partly to the reduced scope of this portion of the project, no j induced-human couplings discussed here warranted modification of the ! model.
- 9. Evaluation of the Discovered Interactions The safety significance of each cutset is considered with regard to its j
- quantitative probabilistic significance and to acceptance criteria of the l Standard Review Plan / licensing basis for IP-3.
I i l 1 4
~. __ -_
12 Ta bl e 2. 2.1 Frontline Systems Studied High Pressure Injection Low Pressure Injection Auxiliary Feedwater Main Feedwater Pressurizer Valves RCP Seals Table 2.2.2 System Top Events and Accident Sequences Individual Top Events V , U2. S 2(P), S (Q), i 2 L, D Sequences T*L S2(P)U S2(Q)U S2 (P)L S2(Q)L SD i SU ii SP i T Transient Initiator V I ,2 High Pressure Injection (Med LOCA, Small LOCA) D Low Pressure Injecticn S Generic Small LOCA i S (Q) Small Pressurizer LOCA ' S2 (P) Small RCP Seal LOCA S i fiedium LOCA L Auxiliary Feedwater l l
~w H$ m N . " "<<MgBNMg E s+c M<<m*(B ogm3Qgna" D
g r n e i m w l r e o r o i t P e o g A s y t r C n l a i i t S a W A t c n c n a e t i e n e r m r r c o n T u o t .i i o r p c v t p S t t T S p e r a m T C a s S A M<m+r(B D u l e t o S V e n W I
< S E S S C C C H I R S " UM r* + *
- ZTM + + + *
- 1 D *T *2
+ * + + +
NOT + + + + T1DMmCM"~m,
- ( + + +
1* Z*T E
+ + + +
- 1 Tw(n+r*"n
( D 5. D OE* +
- 1 l' (-
D 5< a (nD EweD' (
+ +
- M +rwct ".O3 >"s
+ + + +
- OO3VO3D3( +c OO - _3 OMt.- +
O0OM =
+ + + *
- ZDut(Cc
- 1ua"3o 1
- C
+
t M3m+r~ 1 CBD3e ( >T + + + - %EMH + MM>M + E l
14 2.3 Approach to the Search for Candidate Spatially Coupled System Interactions 2.3.1 Scope The scope of the present search for candidate spatially coupled system interactions (CSSI) represents a balance which reflects the information made available to BNL and the limited end use (i.e., comparison of methods) antici-pated by NRC for the results. The purpose of this section is to describe this scope and how this part of the project was executed. The emphasis of the BNL approach was to set priorities for physical anal-ysis ; that is , rather than analyzing all possible spatial interactions , one analyzes those which
- couple pairs of events appearing in minimal cutsets of the functional model, - satisfy some screening criterion for susceptibility, e.g., a pair of objects may be considered susceptible to spatial coupling if the coupled objects share a common location (e.g., fire zone).
For present purposes, " potential significance" means the following. One is usually interested in interactions between event A and event B only if they appear jointly in at least one minimal cutset. Otherwise, they may con-tribute to each other's probabilities, but not usually in a way that dramati-cally changes any one cutset probability. If A and B are in the same minimal cutset, however, and if they are spatially correlated, the cutset probability may be much higher than if they were uncorrelated. Given a potentially significant candidate, there are grounds for invest-ing in physical analysis and/or visual inspection to determine the credibility of the candidate. This is appropriate in a full SI study and would have to be done before any conclusion could be drawn about the candidate's contribution to core melt probability. However, the scope and purpose of this project is to test the process of identifying candidates, not to perform the analysis necessary to elevate a candidate to the status of being a credible contributor to risk. 1 I i l
15 Therefore, BNL has identified multiple events which are candidate spatial systecs interactions (CSSI). A CSSI will
- couple pairs of events appearing ir one or more minimal cutsets - satisfy a screening criterion baset on common location of the coupled events It is crucial that the distinction between a real SI and a CSSI be borne in mind; a CSSI will not necessarily survive physical analysis, and a presumption to the contrary can lead to severely distorted conclusions.
2.3.2 Methodology and Implementation It was assumed in this study that the fire zones defined in the IP-3 Fire Hazards Analysis 5 represented an appropriate decomposition of the plant into common locations ; that is, these zones were taken to define the level of spatial resolution at which the search would be undertaken. This choice having been made, a full study would need to link every zone containing any component whose failure contributes to any of the purely func-tional top events, and further, to consider every component in each of those zones. This is true because components which do not appear on the functional fault tree may, nevertheless, cause an initiating event, and if they share location with a mitigating system, there is a potential for linking accident initiation with f ailure of mitigation. Some location information on major com-ponents of particular safety systems is tabulated in the IP-3 Fire Protection Analysis. This became a primary information source for modeling purposes. Walkthroughs would have been extremely valuable, but after an initial plant familiarization visit, they were not conducted. It has been assumed that within each zone, an adverse environment causes the following:
- Components in the affected zone which energize to perform their functions (motor-operated valves, solenoid-operated valves, and electric motors) fail to do so.
l I L
16 l J
- - Valves which are energized in the safe position are assumed to spuri-ously change state to the unsafe position if their control circuits are in the affected zone.
- Electrical components (bus es , transf ormers , circuit breakers, motor control centers, battery chargers , batteries, diesels , inverters , dis-tribution panels) in the affected zone fail to perform their func-tions. - Equipment (pumps, valves) which energizes to perform its function i fails, if its power or control cables are routed through the affected zone.
Electric heaters for the BIT fail because of fire in the zones con-taining them.
- Transmitters in the affected zene fail to transmit a signal, j Given this information, wherever any particular events on the functional
) fault tree are influenced by " fire in zone 17," say, an event F17 is defined l in the fault tree as implying those events. This straightforwardly leads to l new cutsets which are mixtures of F events and functional failures. For j some purposes, this is adequate. More revealing transformation of the func-tional events are discussed in a Sandia report 6; the simple prescription j given above leads to a result which is more condensed but less scrutable. j This approach has been taken here as a simplified first cut. f Some years ago, Sandia conducted a sys tems interaction study 6 which illustrated the logic of augmenting a functional model with " linking charac-teristics" correlating hardware failures, in order to produce a combined result. This was done using SETS. The present search for spatially coupled sis also uses SETS, and has benefited from the Sandia work. However, there is one difference. The Sandia report recomends obtaining the minimal cutsets for the functional model ("Run the SETS computer programs to obtain minimal 4
. _,. , ,,. _, , ,= - . . - - - - . - . , ..,v, - . - - - - . . - -,. - - - ~ . - - - - - , --- -
17 cutsets. Store these cutsets but do not review them [!]") and then transform-ing the cutsets by using the linking characteristics. This works if the cut-sets obtained initially are a reasonably exhaustive set. In the present study, however, functional results were obtained out to second order. These second-order results would be relatively uninteresting to transform, because some omitted triple might be the lowest-order cutset at which some common location factor could come through. Because of this, because the model is not burdened with excessive detail, and because low-order cutsets are of primary interest in this application, it is easy, inexpensive, and sufficient to rerun the calculation using the augmented fault trees. 2.4 Approach to the Search for Induce.d Human System Interactions 2.4.1 Scope Human actions play an important role in accidents. Maintenance errors or testing errors can render individual trains or even whole systems unavailable; , misdiagnosis of plant conditions, or procedural errors in dealing with acci-dents, can be crucial. None of these actions is the subject of this phase of the project, al-though the word " human" figures prominently in its title. Human f actors are studied extensively in other NRC prograns; this large area continues to devel-op. To avoid overlap with other programs, and in keeping with the overall project emphasis on mechanical coupling, this search was confined to linkages between hardware f ailures which are mediated by operators who are correctly following procedures but who are misled by display malfunctions or erroneous procedures. To see more concretely what is being sought, consider the hypo-thetical example of a bus fault which initiates a plant transient and also causes some instrument failures. If these instrument f ailures mislead the operator and cause him to do further harm according to procedures, then the coupling between the bus fault and the additional harm is the " induced-human system interaction."
. _-. _ ._ .___ .. _. ._ ~ _ _ _ _ __ _ __
18 i i The documentation used in completing this search included Indian Point 3:
- System Descriptions - Piping and Instrumentation Diagrams - Emergency Procedures - Of f-Normal Operating Procedures - Alarm Response Procedures - Operating Procedures 2.4.2 Methodology and Implementation I
j Figure 2.4.1 summarizes the method used to search for potential induced-
~
i human systems interactions. The functional fault trees defined the boundaries j of the search and the documentation noted above provided the input data. The original plan envisioned for this analysis was to search cutsets to see whether an induced-human linkage could be found that would reduce the order of any cutset. For reasons to be discussed in Section 4, this approach was not followed. Instead, a decision was made to proceed by individual analysis of each of the 750 or so primary failure events (PE) in the functional model, to see whether any given event could cause, or be caused by, some operator action relating to any other PE. The term " primary failure events," as used here, j means events at the limit of resolution of the present model, namely, basic or diamond events on the fault tree. The first step in this search was to categorize the pes with respect to , their potential for induced human interactions. A listing was obtained for j each frontline and support system of the pes that made up the functional fault tree for that system. This grouping of pes by system facilitated a categori-l zation of the pes. Five categories were defined: i I
19 Category 1: The PE has stimuli (e.g., a display malfunction) that could result in a rational operator action that causes the PE. Included in this category were pes where an individual display malfunction could in-duce an operator to take action that would cause the PE. Category 2: There are stimuli that could induce an operator action that causes the PE but the stimuli are highly unlikely to occur. Included in this category are pes where multiple independent display malfunctions would be required to induce the operator to cause the PE. Category 3: There are no reasonable stimuli that could induce the opera-tor to cause the PE. Inclu/? d in this category are passive f ailures such as pipe breaks or flow blockage in a pipe. Category 4: This category is reserved for identifying pes that are categorized under a different system. For example, an electrical f ault on bus 6A rey be one of the pes for the service water system, but it would also be included in the electrical distribution system fault tree. The PE would be shown as a Category 4 PE for the service water system and a Category 1, 2, or 3 PE for the electrical distribution system. This category was used to avoid unnecessary redundancy in searching. Category 5: The PE is the operator action. There are some pes in the functional fault tree that are failures of the operator to take some action (e.g., " Operator fails to actuate nitrogen backup"). Step 2 of the search (as shown in Figure 2.4.1) was to identify, for the Category 1 pes, the stimuli and human actions that could cause the PE. Step 3 of the search was a determination of the expected operator re-sponse(s) to the PE (f ault) occurring bastd upon a review of the appropriate plant procedures.* , l
- Note: For Category 4 pes, no operator response is shown. To find the human actions associated with Category 4 pes, refer to the system associated with the PE (e.g., for EPI 22-01 refer to the Electrical Power System).
; 20 j Appendix D of this report provides the results of these first three steps for all the pes of the functional fault trees.
l Step 4 of the search was a further screening of the Category 1 pes to l Identify " candidate induced human system interactions" (CIHSIs). The screen-ing criteria used for this step were the following: A. Do two or more Category 1 pes have the same stimulus? B. Is any PE the stimulus for any other Category 1 PE? C. Is the human response to any PE the same as the human action that I causes the Category 1 PE? Table 2.4.1 shows the Category 1 pes that met any of these three screen- , l ing criteria and were thus identified as CIHSIs. 1 Step 5 of the search was to consider whether any of the CIHSIs credibly leads to a reduction in the order of any functional cutset. This was accomplished by first reviewing the CIHSIs from Table 2.4.1 in the context of their respective cutsets, in order to identify whether the CIHSI would be valid under the given combinations of plant conditions (e.g., an operator might be induced to secure one train of a redundant system except when the other train is out of service). Any CIHSIs emerging as valid would , have been added to the appropriate fault trees, and the effect on the cutsets ! would have been studied. This latter step was not performed, as none of the items in Table 2.4.1 was found to be valid in the context of its cutsets. l i ! l i i 4 {
21 Step 1 Review Primary Events (pes) of functional fault trees and categorize them according to their potential for human interactions (Categories 1-5) l Step 2 Step 3 For Category 1 pes, identify Identify expected operator stimuli and human action that responses to the PE. could cause the PE. Step 4 Identify " Candidate Induced-Human System Interactions" by determining those pes where:
- 1. Two or more Category 1 pes have the same stimulus;
- 2. a PE is the stimulus for any other Category 1 PE, or
- 3. the human response to a PE is the same as the human action that causes any Category 1 PE.
Step 5 Evaluate the CIHSIs in the context of their cutsets/ sequences to determine their validity. Add any valid CIHSIs to the fault tree and solve to ascertain if any interactions were produced. Figure 2.4.1 Summary of induced human system interactions method.
Table 2.4.1 Candidate Induced Human System Interactions SCitEENING PE PE CillTERIA MET COMMENTS DESIGNATOR DESCillPTOR A B C AF012-A-INT Internal failure / A faulty high flow indication to SG 33 of Segment 12 FC (FT 1202) may he diagnosed by the operator as a pipe break downstream of the flow elment AFOl9-A-INT Internal failure of / This would cause tne operator to close FCV-405C Segment 19 FC and FCV-406C. (Ref: PEP-FW-1 and ONOP-ES-1.) A FOl 3-A-IN T Internal failure of / Segment 13 FC Same as above for SG 34 (FT 1203). This would cause the operator to close AFOl8-A-INT Internal failure of / FCV-405D and FCV-406D. Segment 13 FC A F014-A-INT Internal failure of / 14 FC Same as above for SG 32 (FT 1201). This would cause the operator to close < A FOl 7-A-INT Internal failure M / FCV-405B and -406B. Segment 17C A F015-A-INT Internal failure of / Segment 15C Same as above for SG 31 (FT 1200. This would cause the operator to close AFOl6-A-INT Internal failure of / FCV-405A and -406A. Segment 16A { A loss of power to instrument bus 34 (PE EPl24-01) A F012-B-INT Failure of FCV-406C / will cause FT 1202 (SG 33 flow indication) to fait low. In response to this indication, the operator may open FCV-406C fully, causing pump runout.
Table 2.4.1 (Continued) SCitEENING PE PE CitITEltlA MET COMMENTS DESIGNATOlt DESCitIPTOlt A B C Same as above except loss of power to instru-A Fol 3-B-INT Failure of FCV-406D / rnent bus 31 (PE EP121-01) will cause FT 1203 (SG 34 flow indication) to fait low. Operator will open FCV-406D. Same as AF012-B-INT except loss of power to A F014-B-IN T Failure of FCV-406B / instrument bus 33 (PE EP123-01) will cause FO FT 1201 (SG 32 flow indication) to fait low. Operator will open FCV-406B. El Same as AFol2-B-INT except loss of power to AFol 5-B-INT Failure of FCV-406A / instrument bus 32 (PE EP122-01) will cause FO FT 1200 (SG 31 flow indication) to fait low. Operator will open FCV-406A. A loss of power to FT 1113 (gland steam conden-ser flow transmitter) will result in a gland steam C D-7B- A NOlF from / condenser low flow alarm. This alarm would induce FCV-ll29 the operator to throttle down FCV-Il20 to restore gland steam condenser flow. This action rnay result in no or insuf ficient flow from FCV-Il20. (NOTE: The power source to FT 1113 was not deterrnined frorn the infortnation available.)
~ ..
24 References for Section 2
- 1. A. Buslik, I. Papazoglou, and R. A. Bari, Review and Evaluation of Systems Interactions Methods , NUREG/CR-1901,1981.
- 2. Indian Point Probabilistic Safety Study, Power Authority of the State of New York, Consolidated Edison Company of New York, Inc.,1982.
- 3. Power Authority of the State of New York-Indian Point 3 Systems Interac-tion Study, Ebasco Services , Inc. ,1981.
- 4. D. D. Carlson et al., Interim Reliability Evaluation Program Procedures l
Guide, NUREG/CR-1728, July 1982.
- 5. Review of the Indian Point Station Fire Protection Program, Consolidated Edison Company of New York and Power Authority of the State of New York, December 1976.
- 6. G. J. Boyd, W. R. Cramond, S. W. Hatch, J. W. Hickman, A. M. Xolaczkowski, and D. W. Stack, Final Report-Phase 1, Systems Interaction Methodology Applications Program, NUREG/CR-1321,1980.
l 1
25
- 3. FINDINGS In the course of this project, a logical model was constructed which gives system failure modes for certain top events. This list of failure com-binations is intended to be exhaustive (for the types of failures considered) for one- and two-element cutsets. One now asks about their significance:
which of them, if any, represents a " discovered systems interaction," and what is the probabilistic significance, if any? The next subsection (3.1) dis-cusses the notion of systems interaction, and in Subsection 3.2, " discovered systems' interactions" are quantified. 3.1 Definition of Systems Interactions This section considers definitions of " Systems Interactions." The lan-guage appearing in the following definitions is taken from earlier BNL workl and from a recent Task Action Plan for USI A-17 (January 1984).2 These definitions broadly governed the scope of the project as a whole. This sec-tion culminates in Table 3.1.1, which qualitatively indicates, for the systems and sequences analyzed, what sort of cutset would be considered to represent an SI at Indian Point 3. A formal definition of system interaction (SI) can be given as follows: An SI exists if two or more faults (in the same system or in distinct systems, these being associated with vital safety criteria) are dependent, and the dependence was not inttnded in the design. An example may serve to illustrate why intent is invoked, and what other considerations might substitute for it. Consider the case of the RWST supply-ing water to three HPI pumps through a single line containing one or more sup-posedly open valves. Plugging of these vaives will fail the HPI, but this is not an SI, because the designer was aware of it and, presumably, considered the plugging event to be a low probability one. " Intent," therefore, becomes involved because it is necessary to discriminate against trivial sis. More coi.cretely, an SI is an undesirable result deriving from a single credible failure within one system, component, or structure, which propagates to other systems, components, or structures by inconspicuous or unanticipated l l _, . _ - . - m - - - , ,, _-- _, _ , . . . _
l 1 26 Table 3.1.1 Sequence-Specific Characterization of Systems Interaction Event Design-Intended Examples (Refer to Table 2.2.1) Leading Cutsets of SI L a*a*a a*a T*L a *a *a *a a*a p *a p*a*a a *a *a Usmall LOCA a*a*a a*a P
'Jmedium LOCA a*a a P
D a*a a P S2 (P) p a *a a*a*a a *a *0 S2 (Q) a *a a p S2 (P)*U p *a *a *a a*a a *a *a . Key: a = active failure p = passive failure o = operator act a*a = cutset consisting of two active failures p*a = cutset consisting of one passive and one active failure h
)
27 , interdependences. " Undesirable results" of particular significance for this study are the following:
- 1. Degradation of redundant portions of a safety system, including con-sideration of all auxiliary support functions. Redundant portions are those considered to be independent in the design and analysis (FSAR, chapter 15) of the plant.
- 2. Degradation of a safety system by a non-safety system.
- 3. Initiation of an accident (e.g., LOCA) AND a) the degradation of at least one redundant portion of any one of J
the safety systems required to mitigate that event, 2E. b) degradation of critical operator information sufficient to cause him to perform unanalyzed, unassumed, or incorrect action.
- 4. Initiation of a transient (including reactor trip) AND a) degradation of at least one redundant portion of any one of the safety systems required to mitigate the event, 1 or b) degradation of critical operator information sufficient to cause him to perform unanalyzed, unassumed, or incorrect action.
! From the language of the foregoing (" intended in the design," "unantici- l pated interdependences"), it is clear that the notion of design intent is in- , volved. In some areas, assessment of design intent is less straightforward 1 than might be supposed. Demonstrating that a system will succeed in spite of
! an assumed single active failure does not imply that the designer was content i simply to make the system single-failure-proof. Thus, while Chapter 15 analy-i ses are generally required to postulate certain failures, these cannot be assumed to define the intended level of redundancy, which is frequently higher
, than one might conclude from such a conservative approach. 4 s 1 _ _ . _ , . _ . _ . - . _ _ _ _ . . . - _ . . . . _ _ , . . _ . . . . ~ _ _ _ _
i 28 l In this study, success criteria for frontline systems have been taken to l be those used in the IPPSS. For a specific scenario, then, a flow requirement is defined; considering the pumps which are available and their capacities, one arrives at a measure of how many independent active failures the system was intended to withstand. For example, consider the HPI system given a 4 medium LOCA. The HPI system has three pumps; two are required to operate to j mitigate a medium LOCA. Therefore, two pump f aPures imply HPI failure, but one pump failure does not (indeed, by the single failure criterion, cannot). j The design intent which pertains to HPI for medium LOCA is therefore essen-1 i tially the single-failure criterion. For small LOCA, however, one out of three pumps is enuugh. In this study, then, any two-element cutset for HPI corresponds to a systems interaction. i The case of RCP LOCAs calls for additional discussion. The event ana-i i lyzed here is failure of systems providing cooling to the RCP seals. One
; question is, what is the intended level of redundancy of the supports? Brief-
) ly , the argument is as follows. The two direct support systems are the I charging system which provides seal injection flow, and the component cooling system which provides cooling to the RCP thermal barriers and to the charging
- pumps. It can be assumed that both the thermal barrier cooling and the seal
- injection must be lost to cause a seal LOCA. .However, because the charging pumps depend on CCW, they can arguably be eliminated from counting towards the j " intended" redundancy. (City water can cool the charging pumps in lieu of j CCW, but this requires a manual act outside the control room.) Here, then, f the criterion for RCP is taken to be that applied to CCW. The CCW system has l three pumps; two are sufficient for any scenario, and one is sufficient for j critical loads under some conditions if the operator eliminates nonessential
- loads it. order to direct the single pump's flow to where it is most needed.
"RCP Seal Failure" is therefore either three active pump failures, or two active pump failures and one active operator failure. An adverse SI for the top event " seal LOCA" is therefore a double active failure which fails CCW or j a single active failure which f ails more than one pump's worth.
I 1 i } i
-.m_.- , _ . . ..-.-.-.m-.,_.,.-,m ,,m_,-,-..__,___-----.._.-_w. _ ..,m_ -.,, . .. _- , . .
29 Li nkage between initiating event and mitigating system is of special importance, as mentioned above in examples of sis. Since HPI is required to mitigate an RCP seal LOCA, any linkage between the seal system and HPI is of potential interest. It was indicated above that the design intent for HPI, given small LOCA, corresponds to triple redundancy and that the design intent for RCP seals would be taken to correspond to triple redundancy; the design intent for the core damage sequence "RCP seal LOCA and HPI f ailure" might therefore be argued to correspond to sixfold redundancy. This is excessive, because the emergency ac power system is itself a three-train system support-ing both HPI and CCW. Here, one comes up against an example of the "incon-spicuous" and " unanticipated" provisions in the definition of SI. It is clear that two active failures (for the sequence RCP and HPI) would surely corre-spond to an SI, and a sequence consisting of three active failures would also j i qualify because the initiating event is included. Since this exhausts the ! scope of the present study, we need not carry the argument further. , i 1 3.2 Functionally Coupled Systems Interactions This section presents cutsets which meet the following criteria: l
- 1. They meet the criteria given in Section 3.1 for sis.
- 2. They have two or fewer events.
- 3. They were not found by the IPPSS.
- 4. They contribute to the top event at a level greater than the cutoff chosen, which was a system unavailability of 10-8 or a sequence frequency of 10-8/y r , depending on the particular top event being evaluated.
This quantification has been performed in order to provide some perspec-tive on the cutsets. This project has not been carried out with any intention of requantifying the top events defined in the IPPSS; qualitative insights have been sought, and found, and the present exercise is simply a final cull-ing process, assigning a rough measure of significance to the cutsets. A com-plete list of the cutsets for each system / sequence is provided in Appendix C. Table 3.2.1 displays the events which appear in those cutsets which
Table 3.2.1 Primary Event Quantification Fal1Jre Rate A or Mission
, Prot >s bi l i t y Time Q of failure T (Unavall-'
Event Description on D.emand Source (hours ) ability) A FBL KG-BFD67 Backleakage of BF067 and other check valves in discharge. 2.6E-7/hr IPPSS 245 6.2E-5 A FBL KG-BFD68 Backleakage of BFD68 and other check valves in discharge. 2.6E--7/h r IPPSS 6.3E-5 AFELKG-BFD69 Backleakage of BFD69 and other check valves in discharge. 2.6E-7/hr IPPSS 6.3E-5 AFBLKCrBFD7 0 Backleakage of BFD70 and other check valves in discharge. 2.6E-7/hr IPPSS 6.3E-5 A F SEG4 8-NOA Failure of operator to align CW at AFw pump. 7.E-3/D IPPSS 7.E-3 w o AF001-A-lNT CT64 falls closed. 9.2E-8/hr IPPSS 2 58 2.4E-5 AFOIO-A-INT Motor-driven AFW pump 31 f ai lure. 1.51E-3/D IPPSS 1.51E-3 AFOll-A-H Operator f alls to bring AFW pump 32 up to speed. 7.E-3/D IPPSS 7.E-3 AF0ll-A-INT AFW pump 32 failure. 4.6 E-3/D IPPSS 4.61E-3 AF014-A-INT Failure of flow path f rom AFW pump 31 to SG32. 7.3E-4/D IPPSS 7.3E-4 AF015-A-INT Failure of flow path f rom AFW punp 31 to SG31. 7.3i-4/D iPPSS 7.3E-4 AF024-A-INT AFWS injection line fails to supply water to SG32. 7.11 -5/D lPPSS 7.1E-5 AF025-A-lNT AFws injection line falls to supply water to SG 31. 7.11:-5/D IPPSS 7.1E-5
Table 3.2.1 (Continuwd) Fallure Rate A or Mission Probability Time Q of Failure T (Unavall-Event Description on Demand Source (hours) ability) CC015-A-I NT HPI pump 31 oil or seal Hx f ailure. 3x 10- 5/hr IPPSS + 720 1.1E-2 NUREG/CR-2815 CC018-A-INT Manual valve 787 falls closed. 9. 3 x 10- 8/hr IPPSS 720 3.3E-5 CS015-A-ANT Segment 5 Internal failure. 9.2x10'0/hr IPPSS 258 2.4E-5 CWOG2- A-l NT Internal f ailure of CT-49 segment. 9.2x 10- 8/hr IPPSS 1.75x10 5 1.6E-2 w EPA-LATE-LOOP LOOP during mitigation (within 8 hrs of Initiator). 3.1E-5/h r IPPSS 8 2.5E-4 SPA-TR-I N-LOOP Transient-induced LOOP. 3.41E-4/D IPPSS 3.41E-4 ( P.1.6-217 ) EPA 08-I NT-F Local fault in DG31. 1.44 E-2/D IPPSS 8 2.2 E-2 FTS
- 9. 4 E-4 /h r FTR EPA 16-S-F Local f ault of tie breaker 2AT3A. 1.33E-3/D IPPSS 1.33E-3 EPD03-02-F Local f ault at de power panel 33. 3.25E-8/hr IPPSS 2.8E-4 (2.8E-4/yr)
EPD02-02-F Local f ault at de power panel 32. 3.2 5E-8/h r IPPSS 2.6E-4
Table 3.2.1 (Continued) Fallure Rate A or Mission Probabi l i ty time Q of Failure T (Unavall-Event Description on Demand Source (hours ) ability) EPD12-F Failure of battery 32. 1.1E-3/D NUREG 1.1E-3 EPD13-F Failure of battery 33. 1.1E-3/D NUREG 1.1E-3 EPD3132-U-F Fault in de power panels 31 & 32 associated with tie breaker. 6.0E-5/yr NUREG 6E-5 EPl21- 15-F Local f ault In inverter 31 or cable. 3.77E-6/h r 8 3E-5 HP002-A-INT HPl pump 32 Internal f ailure. 2.3E-3/D lPPSS 2.3E-3 N HP007A-C-INT Leakage past NC MOV 1852A. 9.87E-8/hr IPPSS 720 3.5E-5 HP0078-C-INT Leakage past NC MOV 18528. 9.87E-8/hr IPPSS 720 3.5E-5 HP0079-A-INT Internal f ailure segment 7E (plugging) (2 sections). 8.6E-9/hr IPPSS 1.5x10~4 1.1E-4 dach Section HP007 F- A-l NT Valve 1846 opens, diverts flow to CVCS hold-up tanks. 2.0E-8/h r. IPPSS 1.5 1. 5 E-8 HP011A-A-INT No valve 1862 or MOV 842 or $40V 843 f alls closed. 9.2E-8/hr IPPSS 360 9.9E-5 Each Valve LP016-A RHR min flow line plugged MOV 1873 or 743 PC. 9.15E-8/hr 720 6.6E-5 Each Valve SE-52-EGI-I NT Local f ault of DG31 breaker actuation scheme. 1.33 E-3/D IPPSS 1.33E-3
Table 3.2.1 (Continued) Faifure Rate A or 41 ss ion Probability time Q of Failure T (Unavall-Event Description on Demand Source (hours) ability) SWW- A-CONT SW pump 35 falls to restart. 1.36E-3/D IPPSS 1.36E-3 SWN2-A-INT-F Failures In NSW pump 35 segment. 4.68E-5/h r IPPSS 8 3.7 5E-4 SWM3- A-l NT-F Failures in NSW pump 34 segment. 4.68E-5/hr IPPSS 8 3.75E-4 w W
34 survive the culling process. For purposes of comparison between LLNL and BNL, it was agreed to use IPPSS failure data wherever these were available and applicable. 3.2.1 Qualitative Insights Regarding Discovered Functional sis Qualitative Insight Understanding the cutsets is much easier if a few key points are made clear. These are presented here. Each sequence is then discussed separately. The nomenclature applied to the events and logic gates within the BNL model is not that used in the IPPSS. The present methodology requires that the level of resolution be as coarse as possible while displaying all support linkages. The IPPSS resolution tended to be finer, and the IPPSS did not cover exactly the same ground as this study. It was, therefore, decided to create an independent nomenclature that would be self-consistent, would be directed toward the search for system linkages, and would provide the flexi-bility of coding more information into the event names as the need arose. Event names are restricted to 16 characters by the SETS code. Appendix B provides the listing of all primary events and their definitions. Dc Control Power (Battery 32) There is an important functional coupling between redundant trains of various systems taking power from 480-V buses 3A and 6A. The coupling is most telling in the medium LOCA sequence, wherein it leads to a single active failu.e mode for LPI; but it affects the cutsets of other sequences as well. Refer to Figure 3.2.1. Most of the present discussion revolves around the availability of ac to 480-V bus 3A. One secs that 3A is supplied from 6.9-kV bus 3. Ordinarily, power to bus 3 is coming from the unit auxiliary transformer, but following a turbine trip, a fast transfer should be made so that power to bus 3 comes from bus 6. If power to 3A is unavailable from bus 3, then 3A can receive power from 2A if breaker 2AT3A closes. However, this happens automatically only if 2A also loses offsite power and af ter diesel generator 31 closes on 2A. If 3A loses offsite power and 2A does not, 3A remains deenergized until an operator closes 2AT3A. One way to lose offsite power to 3A is by a failure o' bus 3 fast transfer following a turbine trip.
35 To Unit AUX To Offsite Transformer Power
^ "
To 6.9 kV ^ Bus 5 7--i l h---t i II , Bus 2 in Bus 3* gi Bus 6* gi i i SST2** SST3** SST6 M H H " Bus 2A Bus 3A Bus 6A* 480V 6 g 6 hO II O 2AT3A 3AT6A i RHR O DG32 DG31 RHR MCC 37 4BOV
! u Battery 32 ---Denotes fast transfer upon -
turbine trip Battery Q - l,
- Denotes Bus / Breaker control power Charger t'7
! derived from DC PP 32 l ONormally open circuit breaker DC Power I 125V DC ENormally closed circuit breaker Panel 32 sio u ir ,r v
! Loads of Interest:
! 6.9 kV Bus 6 l 6.9 kV Bus 3 480 V Bus 6A -i Figure 3.2.1 Selected portions of IP-3 electrical power system. l l l i l
36 Next, consider the causes of failure of bus 3 fast transfer. Cl ea rly , breakers could be involved, but for present purposes, the important failure mode is unavailability of dc. The dc power controlling the f ast transfer of bus 3 is derived from dc bus 32, which also serves 480-V bus 6A. Finally, consider the sources of power to dc bus 32. One source, of course, is its battery. Another is bus 6A via MCC 37. However, whenever an SI signal is present, MCC 37 is shed from 6A, and dc bus 32 is powered only by its battery. Given an SI, then dc battery 32 is responsible for controlling loads on 480-V bus 6A, and for fast transfer of bus 3 supplying offsite power to 3A. The SI signal directly (immediately) causes the shedding of dc bus 32 via MCC 37 and indirectly initiates fast transfer (30-second time delay for turbine trip following reactor trip), so that fast transfer following an SI depends on the battery. Now let us assemble this chain of events for a particular case, namely, large or medium LOCA. Assume that dc battery 32 is unavailable upon demand. An SI signal is generated, whereupon dc bus 32 is shed from 6A. Without dc control power, the LPI pump which ought to be picked up by 6A will not start. The fast transfer of bus 3 (delayed by design for 30 seconds) will not take place, leaving 3A without of fsite power. Since 2A is unaf fected, 3A will not automatically receive onsite power so the other LPI pump, which ought to be picked up by 3A, will not function. Therefore, battery 32 is a single failure for large or medium LOCA. How-ever, the effects are also significant in other sequences. The bottom line is that two supposedly independent 480-V buses are affected; LPI is special in that its two trains are powered by these buses, but it is clear that other systems are affected. Service Water to Diesels In this model, two out of three service water pumps are required for system success. This means that failure of two diesels in a LOOP sequence causes failure of the third diesel, because one diesel powering one service i water pump is not considered a success state. (There is insufficient service water flow to the diesel.) Many of the cutsets in the appendices reflect this
j 37 logic. Note that events other than TR-LOOP, EPA-TR-IN-LOOP, and EPA-LATE-LOOP cause loss of normal power to one or more 480-V buses, so that this coupling affects scenarios other than obvious cases of LOOP. Service Water Cooling of CCW Heat Exchanges The present model considers loss of conventional service water to imply a failure of component cooling. Ultimately, this is correct, but for short-time scenarios , it is likely to be a substantial conservatism. As an alternative to development of different logic for long and short terms, however, this con-servatism was left in place, with the attitude that manifestly conservative cutsets would not be taken at face value. This comment applies to spurious SI scenarios or LOOP scenarios, which interrupt conventional service water and thereby deprive CCW of a heat sink until operator action is taken to restore it. Note that operators, in this study, are assumed to take proper action unless instrumentation faults mislead them. 3.2.2 Quantification of Discovered Functional Systems Interactions Cutsets are presented and quantified for each top event considered which yielded cutsets meeting the criteria spelled out at the beginning of Section 3.2. 3.2.2.1 Auxiliary Feedwater System (Event L) Cutsets are shown in Table 3.2.2. Note that wherever EPD12-F appears , the effect discussed above under "Dc Control Power (Battery 32)" is being manifested. (The cutsets shown here are for the case of a LOCA, i.e., an SI signal is present, for some purposes.) The events appearing in conjunction with EPD12-F cause f ailure of the turbine-driven pump. Other cutsets are failures of suction to the AFWS pumps. 3.2.2.2 Transient and Loss of Auxiliary Feedwater (Event T*L) i Cutsets are shown in Table 3.2.3. Again, many of the cutsets are related to the discussion of "Dc Control Power (Battery 32)." Here, however, the bat-tery itself is not displayed explicitly. [In transient cases (except LOOP) I there is no signal to shed MCC 37 and thereby deprive de bus 32 of its normal 1 i 1 l l
38 Table 3.2.2 Quantified Cutsets - S L2 Sequence I S2= 1.11E-2/yr Contribution to AFWS Un-Cutset availability Cutset Quantification (Event L) Events /yr (1) AF011-A-H
- EPD12-F (7.0E-3)*(1.1E-3) 7.7E-6 8.55E-8 (2) AF011-A-INT
- EPD12-F (4.6E-3)*(1.1E-3) 5.1E-6 5.7 E-8 (3) CS015-A-INT
- CWOO2-A-INT (2.36E-5)*(1.6E-2) 3.8E-7 4.22E-9 (4) AF001-A-INT
- CWOO2- A-INT (2.36E-5)*(1.6E-2) 3.8E-7 4.22 E-9 (5) AFSEG4-6-8-NOA
- CS015-A-INT (7.0E-3)*(2.36E-5) 1.7E-7 1.9 E- 9 (6) AF001-A-INT
- AFSEG4-6-8-NOA (2.4E-5)*(7.0E-3) 1.7E-7 1.9E-9 (7) AFBLKG-BFD67
- EPD12-F (6.3E-5)*(1.1E-3) 6.9E-8 7.66E-10 (8) AFBLKG-BFD68
- EPD12-F (6.3E-5)*(1.1E-3) 6.9E-8 7.66E-10 (9) AFBLKG-BFD69
- EPD12-F (6.3E-5)*(1.1E-3) 6.9 E-8 7.66E-10 (10) AFBLKG-BFD70
- EPD12-F (6.3E-5)*(1.1E-3) 6.9E-8 7.66E-10 (11) EPI 21-15-F
- EPD12-F (3.0E-5)*(1.1E-3) 3.3E-8 3.66E-10 1
39 Table 3.2.3 Quantified Cutsets - T*L Sequence Initiating Event Enabling Event Sequence Frequency (Events /yr) (1) EPD02-02-F AF011-A-H (2.8E-4/yr)*(7.0E-3) = 2.0E-6 (2) EPD02-02-F AF011-A-INT (2.8E-4/yr)*(4.6E-3) = 1.3E-6 (3) EPD3132-U-F EPA 08-INT-F (6.0E-5/yr)*(2.2E-2) = 1.3E-6 (4) EPD3132-U-F AF010-A-INT (6.0E 5/yr)*(1.5E-3) = 9.0E-8 (5) EPD3132-U-F SWN2-A-CONT (6.0E-5/yr)*(1.4E-3) = 8.4E-8 (6) EPD3132-U-F EPA 16-S-F (6.0E-5/yr)*(1.33E-3) = 8.0E-8 (7) EPD3132-U-F SE-52-EG1-INT (6.0E-5/yr)*(1.3E-3) = 8.0E-8 (8) EPD3132-U-F EPD13-F (6.0E-5/yr)*(1.1E-3) = 6.6E-8 (9) EPD3132-U-F AF014-A-INT (6.0E-5/yr)*(7.3E-4) = 4.4E-8 (10) EPD3132-U-F AF015-A-INT (6.0E-5/yr)*(7.3E-4) = 4.4E-8 (11) EPD3132-U-F SWN3-A-INT-F (6.0E-5/yr)*(3.7E-4) = 2.2E-8 (12) EPD3132-U-F SWN2-A-INT-F (6.0E-5/yr)*(3.7E-4) = 2.2E-8 l (13) EPD3132-U-F EPA-TR-IN-LOOP (6.0E-5/yr)*(3.41E-4) = 2.0E-8 (14) EPD02-02-F AFBLKG-BFD67 (2.8E-4/yr)*(6.3E-5) = 1.8E-8 (15) EPD02-02-F AFBLKG-8FD68 (2.8E-4/yr)*(6.3E-5) = 1.8E-8 (16) EPD02-02-F AFBLKG-BFD69 (2.8E-4/yr)*(6.3E-5) = 1.8E-8 i ! l (17) EDP02-02-F AFBLKG-BFD70 (2.8E-4/yr)*(6.3E-5) = 1.8E-8 (18) EDP3132-U-F EPA-LATE-LOOP (6.0E-5/yr)*(2.5E-4) = 1.5E-8
40 l source of power without an additional failure. Further, it has been assumed that the dc bus functions normally even with no battery connected. Therefore, battery failures do not show up in leading order cutsets for transient sequences.] Rather, a fault of the associated dc bus occurs, causing a tran-sient (as modeled here) and then going on to have the additional effects previously discussed. The other initiating event showing up on Table 3.2.3 is EPD3132-U-F, which represents a fault of both dc bus 31 and dc bus 32. A single tie breaker links these buses. It is not clear that any event which would be con-sidered a single failure would lead to faulting of both buses (barring some external influence), and display of this event in a cutset is not intended to imply otherwise. Rather, the existence of a suggested frequency for the event " loss of two dc buses linked by a single breaker" indicated that it was appro-priate to model the event in this way. The effect of the event includes some of the effects discussed under "Dc Control Power (Battery 32)" but with some important differences. Loss of de bus 32 fails fast transfer of bus 3 as noted previously. Loss of dc bus 31 fails fast transfer of bus 2. This leads to a loss of offsite power to 480-V buses 2A and 3A, which signals the DG supplying 2A to start and pick up 2A and 3A. (Recall that the loss of dc bus 32 alone, which loses offsite power to 480-V bus 3A, does not call for automatic restoration of power to bus 3A.) The events seen here in conjunc-tion with EPD3132-U-F are, accordingly, failure of the AFW pump on 480-V bus 3A, or failure to supply diesel power to 3A via 2A, including a variety of breaker faults, diesel faults, or service water faults, or failure of one of the two flow paths leading from this AFW pump. EPD3132-U-F fails the turbine-driven pump by failing instrument bus 31. 3.2.2.3 Failure of HPI Given Small LOCA (Event S.,*U) Cutsets shown on Table 3.2.4 are failure of all miniflow protection, failure of CCW cooling to the HPI pumps, and failure of cooling to two HPI pumps in conjunction with failure of the third pump itself.
41 Table 3.2.4 Quantified Cutsets - S U2 Sequence S2= 1.1E-2/yr Contribution to HPI Un-Cutset Availability Cutset Quantification (Event U) Events /yr HP011A-A-INT 9.9E-5 9.9E-5 1.09E-6 CC015-A-INT *CC018-A-INT (1.08E-2)a(3.3E-5) 3.6E-7 4.0 E-9 CC018-A-INT *HP002-A-INT (3.3E-5)*(2.3E-3) 7.6E-8 8.4E-10 Table 3.2.5 Quantified Cutsets - S Ut Sequence Si= 1.17E-4/yr Contribution to HPI Unavailability Cutset (Event U) Events /Yr (1) HP007E-A-INT 1.1E-4 1.3E-8 (2) HP0078-C-INT 3.5E-5 4.1E-9 (3) HP007A-C-INT 3.5E-5 4.1E-9 (4) CC018-A-INT 3.3E-5 3.9E-9 (5) HP007F-A-INT 1.5E-8 1.8E-12 l t
! 42 l l i i I l 3.2.2.4 Failure of HPI Given Medium LOCA (Event Si *V) i j The cutsets shown here (Table 3.2.5) all have the property of failing all ! flow through one of the two injection lines (lines 16 and 56). One of these .i events (CC018-A-I NT) accomplishes this by failing two pumps directly; the
- others fail the BIT injection line.
3.2.2.5 Failure of LPI in Conjunction With Medium LOCA One of these cutsets (Table 3.2.6) has previously been discussed in Sec- ]' tion 3.2 under "Dc Control Power (Battery 32) ." The other is failure of mini-mum flow protection for the LPI pumps. This is expected to apply when, and j only when, depressurization of the RCS is slow enough for the LPI pumps to j need this protection. Such events may be only a subset of all " Medium LOCA" events. ] 3.2.2.6 Transient-Induced RCP Seal Failure [ Event S,(P)] Treatment of this event in this study differs from the treatment of other events. The RCP seals are protected by two normally operating support sys - tems. "Long-term" failure of both of these is assumed to lead to seal fail-ure, where "long term" probably means on the order of half an hour or more. I i At IP-3, there are certain transient conditions under which these support sys- ! tems are interrupted or degraded by design, and are to be restored by operator 1 ] action. Human error would appear to be an important topic in this area, but was specifically excluded from this project. Here, the event has been modeled initially with no credit for operator j action. The resulting cutsets are, for the most part, overconservative in j that they ignore the plant's design basis which clearly takes credit for l operator action in this area. These cutsets are given in Appendix C. They were then examined for recovery potential, resulting in a much shorter list of cutsets not clearly within the operator's ability to recover. ] Finally, these were measured by the criteria given at the beginning of j Section 3.2, and only the two shown on Table 3.2.7 remain. These are loss of multiple dc buses and loss of offsite power, either transient induced or 1 i i 4 f
43 within 8 hours. It is reemphasized that there may be numerous events involv- i ing human error which would probabilistically dominate these, but which have not been explored. 3.2.2.7 Transient-Induced RCP Seal LOCA and Failure of Auxiliary Feedwater [ Event 5,(P)*L] It suffices to note that the two cutsets shown on Table 3.2.8 show up separately as cutsets of T*L (Table 3.2.3) and S2 (P) (Table 3.2.7). 3.2.2.8 Transient-Induced RCP Seal LOCA and Failure of HPI [ Event S,(P)*U] The two cutsets shown on Table 3.2.9 are, as previously noted, cutsets of event S2 (P). They do not show up in Table 3.2.4 for S U2 because the indepen-dent simultaneous occurrence of EPD3132-U-F and a small LOCA is extremely unlikely. They show up here because EPD3132-U-F is modeled as (in part) causing the small LOCA. 3.3 Findings-of Search for Candidate Spatial Couplings The ' fire . zones defined in the IP-3 Fire Hazards Analysis in Section 2 have been adopted here as defining discrete locations within the plant for purposes of a screening analysis. As per Section 2, certain assumptions have been made concerning which components will fail and how they will fail. Here, for each top event considered, tabic; are provided giving those zones which individually contain enough vulnenble components that the top event can potentially be caused from within the zone in qiiestion. For most cases, this will be conservative; the purpose of such an analysis is screening, as described in Section 2. Appendix F provides a listing of the zones which were found to contain or affect major components addressed in this study. Of course, a given major component will reside only in one zone, but power and control cables may pass e qugh a number of zones, and an attempt has been made here to collect as nucn of this information as was made available. In Appendix F, for the table entry corresponding to (say) component A in zone N, an X means that some power or control cable of A passes through N, while X* means that A itself is lo-cated in N.
44 Table 3.2.6 Quantified Cutsets - S D1 Sequence S3 = 1.17E-4/yr Contribution to HPI Unavailability Cutset (Event D) Events /yr EPD12-F 1.1E-3 1.3E-7 LP016-A 6.7E-5 7.8E-9 Table 3.2.7 Quantified Cutsets - S (P) 2 Sequence l Cutset Quantification Events /yr
- EPD3132-U-F
- EPA-TR-IN-LOOP ( 6. E-5/y r)* ( 3.4E-4) 2.0E-8 EPD3132-U-F
- EPA-LATE-LOOP (6. E-5/y r) * ( 2.5E-4) 1.5E-8 Table 3.2.8 Quantified cutsets - S (P)*L 2 Sequence Cutset Quantification Events /yr EPD3132-U-F
- EPA-TR-IN-LOOP (6. E-5/y r) * ( 3.4E-4) 2.0E-8 EPD3132-U-F
- EPA-LATE-LOOP ( 6. E-5 /y r) * ( 2.5 E-4) 1.5E-8 Table 3.2.9 Quantified Cutsets - S (P)*U 2 Sequence Cutset Quantification Events /yr EPD3132-U-F
- EPA-TR-IN-LOOP (6. E-5/y r) * (3.4E-4) 2.0 E-8 EPD3132-U-F
- EPA-LATE-LOOP (6.E-5/y r) * (2.5E-4) 1.5E-8 ;
l
45 Table 3.3.1 provides a list of zones capable of " causing" each top event as described above. In Table 3.3.2, for each zone, an explanation is given of how this zone might cause the top event in question. Note that thes e explanations are generally not unique: there may be several ways in which a given top event could be caused from within a single zone. For some purposes , it is useful to ask how the results change if a loss of offsite power is assumed. It turns out that given a LOOP, zone 22 must be added to Table 3.3.1 for top events D, 0 , and U ,2 because the service water 3 pumps are vulnerable in this zone and the diesels' failure on loss of service water will lead to these top events. 3.4 Induced-Humanly Coupled System Interactions No induced-humanly coupled interactions were identified. This does not mean that none exists; as discussed in Sections 2 and 4, the search excluded certain important areas, and the search procedure actually e.nployed is not believed to be optimal. Certain linkages turned up by the search are identified in Appendix D, but are not considered significant. An operator misled by a single instrument i might, under some conditions, introduce multiple faults, until further reflec-tion and checking other instruments led to a more accurate understanding of plant conditions. These linkages have not been presented here even as candi-date induced-human sis because, in the context of the cutsets of interest, the operator is expected not to take those actions or is expected to recover quickly from those actions. As discussed in Section 2.4.1, this result should not be taken to imply that human action does not contribute to sye interactions; this result is considered to reflect the premises and scop. , ,his part of the study. 3.5 Regulatory Perspective I Cutsets for each of the top events considered in this study were reviewed to see whether any of them corresponds to a breach of regulatory require-ments. Two categories of requirements were considered.t
. - . . . - - . . _ . . . - . - - . - ~ . . . . . - - - . _ _-~~ .. . . ~ . - . - . . _ . . _ . _ - - - -- _- , - ~ . . . . . . _ - . - -. . . - .
l I i l 4 { 1 a Table 3.3.1 Zones from Within Which Top Events Can Potentially Originate l i i p bent 1 3 4A 7A 9 9A 11 12A 13 14 15 17A 22 23 30A 3/A 3FA 39A 41A 54A $5A $5A S') A CA t'A 7[ f- li f, F /f C (LEI f4IlerP) O O O O O O O O O O __. ._ . _~. - . - _n -.
- - . . _ ~-. _ . .
G (*1EI T4)I 49 0 0 0 0 0 1 9h vail 10tM l t;g M f a h a o o o o
! c: e, v A- L OC : o t ( Vi; fail.re) o o o o
,1 .-_- _. Te v.sient --. .,- 4 r.t-; c o 0 0 0 0 0 o c o d -
]*g O O O k
s,r n n ro , m.t-
;$ ;,- ed Ptr Seal l a i 0 0 0 0 l MP l l @
- i '
5,;r)*e, o *
; fo o o f i I
i l, i j, 5 (F)*L o o o 1 1 l 5 i I I 4 i
47 Table 3.3.2 Examples of How Each Top Event Can Be Caused i from Within the Indicated Zones Example of Component Combination Residing Top Event Zone in Zone, and Capable of Causing Top Event. D (LPI failure) F3 RHR pump 31 and cabling for RHR pump 32. F4A Cabling for RHR pumps 31 and 32. F7A Cabling for RHR pumps 31 and 32. F9A Cabling for RHR pumps 31 and 32. Fila Cabling for RHR pumps 31 and 32. F12A Cabling for RHR pumps 31 and 32. F14 Cabling for RHR pumps 31 and 32. FIS Cabling for RHR pumps 31 and 32. F13 Battery 32. F17 MCC 36A & MCC36B (power for LPI valves). U2 (HPI given F9 HPI pumps 31, 32, 33. small LOCA) F11 Cabling for HPI pumps 31, 32, 33. F14 F15 F17A U7 (HPI given All zones medium LOCA) applicable to U 2-F60A Cabling for HPI pumps 31 and 33. L (AFWS Failure) Fil Cabling for AFWS pumps 31, 32, 33. F14 Cabling for AFWS pumps 31, 32, 33. FIS Cabling for AFWS' pumps 31, 32, 33. F23 Location of AFWS pumps 31, 32, 33. T*L F11 Cable spreading room: cabling for SW & CCW pumps and AFW pump. F14 Switchgear room: transient (e.g. , Loss of CCW or SW) and cabling of AFW pumps. FIS Control room (transient and loss of pump l control) S2 (P) Fil Cable spreading room: cables for CCW pumps l and charging pumps. l F14 Switchgear room: cables for CCW pumps and charging pumps. FIS Control room (control of CCW pumps and charging pumps). F17A CCW heat exchangers and cabling for charging pumps. su
68 Table 3.3.2 (continued) Example of Component Combination Residing Top Event Zone in Zone, and Capable of Causing Top Event. S2 (P)*U2 Fil See table above for zones yielding S 2(P) I and zones yielding U2 F14 FIS F17A S2 (P)*L Fil See table above for zones yielding S2(P) and zones yielding L.) F14 F15 1
e
- 1. 10CFR503 and its requirements that sys tems successfully mitigate transients and accidents with or without loss of offsite power, given a single failure. " Single failure" was defined by 10CFR50, Appendix A, which basically states that all electrical failures and active mechanical failures should be considered " single."
- 2. The Standard Review Plan (SRP), NUREG-0800.4 This generally con-tains acceptance criteria which go beyond 10CFR50 requirements. An example is Branch Technical Position ASB 10-1, which requires that the AFWS be able to meet its requirement given a htjh energy line break concurrent with a single active failure.
Detailed Discussion In the following discussion, each of the major reference documents is identified and any specific considerations gleaned from them and used in this review are detailed. 10CFR50 The application of these requirements differed between the transient and LOCA sequences. In the LOCA sequences, all single active failure cutsets and all two-element cutsets that contained a transient-induced loss of offsite power (LOOP) were classified as single failures that did not meet the 10CFR50 requirement of being capable of mitigating accidents / transients with or with-out of fsite power available. In the transient sequences, doubles that con-tained a transient initiator and a single active failure, as well as all triples that contained a transient initiator, an active failure, and a transient-induced LOOP, were classified as single-failure events. All cutsets with two transient initiators were considered probabilistically incredible. In short, LOOP is potentially part of any initiator (transient or LOCA), for purposes of evaluating system failure modes. I
SRP 3.6.1 Plant Design for Protection Against Postulated Piping Failures in Fluid Systems Outside Containment In the transient sequences, only pipe breaks which initiated transients were considered. In the LOCA sequences, additional pipe breaks would consti-tute passive failures, and this consideration is not required by 10CFR50. Therefore, pipe breaks beyond the LOCA itself were not considered in this analysis. SRP 6.3 Emergency Core Cooling System Speci fic considerations applied to this review came from BTP RSB 6-1 l which addresses piping from the RWST to the safety injection pumps. The BTP requires the piping configuration to be able to withstand a single active failure. This criterion is met at IP-3 by locking or deenergizing open all the valves between the HPI pumps and the RWST. SRP 7.7 Control Systems The following guidance was used in this review of transient sequence cut-sets:
"Th e review should confirm that the failure of any control system component or any auxiliary supporting system for control systems do not cause i plant conditions more severe than those bounded by the analysis of anticipated operational occurrences in Chapter 15 of the SAR. (The evaluation of multiple independent failures is not intended.)" Although no control system interac-tions were found which led to an excursion beyond the safety analyses, an interaction was found within the Pressure Control Sys tem. This is fully described in Section A.6.1. In summary, depending upon the position of the PCS channel selector switch, a single pressure transmitter failing low can result in a high pressure transient and prevent both PORVs from responding.
l l
51 l l SRP 8.0 I Electrical Power Systems Specific guidance for this review came from the following passage and was applied in the consideration of the many single bus tie breakers within the l IP-3 design: "Regarding the interconnections through bus tie breakers, an ! acceptable design will provide for two tie breakers connected in series and
! physically separated from each other in accordance with the acceptance crite- ." The above acceptance i
l ria for separation of safety-related systems . . . criterion was formulated af ter the licensing of IP-3, but was included in the modeling. A failure mode causing a single tie breaker to fault two buses I would be extremely significant. However, no single-failure mechanisms were found that would accomplish this failure mode, and of the double failures , (e.g., bus fault AND spurious breaker operation), none made the probabilistic cutoff. SRP 9.2.1 1 Station Service Water System The service water system must be capable of withstanding a single active
. failure with loss of offsite power and still meet its functional requi re-I j ments.
SRP 9.2.2 ; Reactor Auxiliary Cooling Water J The component cooling water system must be capable of withstanding a ! single active failure with loss of offsite power and still meet its functional requirements. ] i
- ~
SRP 9.3.4 { Chemical and Volume Control System The charging and letdown systems must be able to sustain the loss of any active component and meet the minimum system requirements for plant shutdown or accident mitigation with or without a loss of offsite power. t l l l i l 1 l l l I l
.=. . . . - - - - - = - . __
I 1 52 ] I, SRP 9.5.1 Fire Protection (Appendix R, 10CFR50) 1 This review used the fire zones estblished by the IP-3 Fire Hazards Anal-ysis as applicable to define the spatial zones of the plant. These zones were considered in light of the criteria of Appendix R,10CFR50, which require at 4 least one train of shutdown equipment to be available following an assumed fire large enough to render inoperable all equipment within a given zone. I 1 Appendix R further states that the above criterion is not to' be applied in LOCA (design basis accident) sequences. An alternative criterion states that it is permissible for both trains necessary for achievi(g,a cold shutdown to l be damaged if repair to one could be made within 72 hours. This criterion was not considered here, because the focus of the modeled sequences is on early j core damage. Cutsets involving two independent fires were not analyzed further, nor were any cutsets that included a fire that was not the initiator of the transient. 1 i SRP 10.4.9 Auxiliary Feedwater System i The guidance of BTP ASB 10-1 was used in reviewing this system. Part 5 l 1 of that position deals with high energy line breaks (HELB) within the system itself. These were treated here as follows. It should be noted that the
- model was not developed to explicitly consider piping ruptures. For the LOCA sequences, HELBs within the auxiliary feedwater system were not considered, as j they are passive failures. For the transient sequences, major piping segments with failure mode 'A' (NOIF) were assumed equivalent to HELBs and the cutsets j were reviewed accordingly. In this limited investigation of HELBs, one cutset was found that violated this regulatory criterion. This is discussed in the following section.
. Results
{ Table 3.5.1 provides a listing of the functional cutsets, for each I sequence, that penetrate regulatory acceptance criteria. Those cutsets pene-1 trating SRP criteria are so labeled; all others are believed to be in f l J ~ l 3 h I i
53 potential violation of 10CFR50. The spatial analysis identified a number of candidate fi. e zones that could theoretically, of themselves, fail a given system or sequence. As these cutsets are only products of a screening anal-ysis, they are cited but not quantified here. See Section 2.3 for further discussion. Two cutsets of LPI were significant: EPD12 (battery 32) and EPD02-02 (dc bus 32). These two cutsets have the same effect, although their probability of occurrence is quite different. This particular failure mode is discussed in detail in Section 3.2. Upon verification of this finding, the utility immediately effected a design change. The single cutset for AFWS (transient) reflects the acceptance criteria of SRP 10.4.9 BTP ASB10-1. The first element (AF011-A-INT) is considered to be equivalent to an HELB in the steam supply line to the turbine driver of AFW pump 32. This event should cause a transient, and the SRP requires that AFWS be capable of withstanding a single failure and still meet functional require-ments. The second element (EPD02-02) represents a loss of dc bus 32. AF011-A-INT f ails the turbine-driven pump 32 and causes a transient. EPD02-02 pre-vents the starting of pump 33 on bus 6A and fails fast transfer of bus 3 which leaves bus 3A deenergized and thus f ails pump 31. For the sequence T*L, six basic groups of events have been identified. Group 1 consists of EPD3132-U (f ailure of dc buses 31 and 32 via their single tie breaker) and TR-IN-LOOP (transien'.-induced loss of offsite power). Loss of the two dc buses initiates a transient and prevents the starting of diesels 32 and 33. This would still leave diesel 3 powering AFW pump 31 on bus 3A, but the model requires at least two nuclear SW pumps to support even one I diesel; therefore, the third pump is assumed to be lost in a relatively short time. T*L Group 2 consists of F22 (fire in the SW pump zone which fails SW I pumps 31, 32, 33, 34, 35, and 36), EPD01-02 (loss of dc bus 31), and TR-IN-LOOP. F22 initiates the transient; per the model (given LOOP), lack of service water fails the diesels, which fails AFW pumps 31 and 33. EPD01-02 is the dc bus which feeds inverter 31 which in turn feeds instrument bus 31. The
- turbine controls for pump 32 require instrument bus 31.
l I
54 4 1 T*L group 3_ consists of a common initiator and four single failures. 1 EPD02-02 (dc Bus 32) deprives AFW pump 33 of control power and fails f ast j transfer of bus 3, leaving AFW pump 31 without motive power. The four single f failures all relate to failure of the turbine pump. EPI 21-15 is f ailure of Inverter 31. EPI 21-02 is failure of instrument bus 31. AF011-A-H is failure of the operator to regulate the turbine pump, and AF011-A-INT is failure of the turbine pump or its steam supply. T*L group 4_ provides two sets of ele.ments in conjunction with TR-IN-The first set of elements all have the effect of failing service water LOOP. and initiating a transient. Because of SW failure, the diesels will ulti-mately fail and AFW pumps 31 and 33 will be lost. The second set all have the effect of failing the turbine pump. EPD11 is battery 31 and its f ailure con-j tribution arises because the normal (ac) feed to dc bus 31 is shed upon bus SA undervoltage (LOOP) and this deenergizes Instrument bus 31. The other ele-I ments have already been discussed above. l T*L group 5 consists of EPD02-02 EPD11, and TR-IN-LOOP. EPD02-02 initi-I ates the transient and fails control power for bus 6A. In this case, AFW pump I 33 and NSW pump 36 are not available. EPD11, as discussed above, is the only 1 j power source for dc bus 31 (given LOOP), and for this cutset it represents the j loss of an NSW pump and of AFW pump 32 turbine control. This leaves AFW pump { 31 being powered by diesel 31, which will shortly fail because only one ser-vice water pump will be available and the plant as modeled requires two. I j T*L group 6_ consists of EPD01-02, a set of single failures and TR-IN-l LOOP. EPD01-02 initiates a transient, prevents the sequencing of an NSW pump, I i and fails AFW pump 32 turbine control. The single-failure elements all lead to failure of a second NSW pump and thus leave the remaining motor-driven AFW pump on a diesel which will shortly fail for lack of cooling. SE-52-EG2-INT is failure to connect diesel 32 to bus 6A (loss of AFW pump 33 and NSW pump 36). SE-52-EG1-INT is failure to connect diesel 31 to buses 2A and 3A (loss of AFW pump 31 and NSW 34). EPA 16-S is failure of automatic bus tie breaker 1 2AT3A which leaves bus 3A deenergized (loss of NSW pump 35 and AFW pump 31). l EPA 12-INT is failure of diesel 32 and EPA 08-INT is failure of diesel 31; their I respective consequences are the same as outlined above for buses 6A and 2A/
- 3A. EP013 and EPD12 are failure of batteries 33 and 32, respectively; again I
l '_~-___._, _ ._._ _, -
- _ _-,._.--.--_ _..~.___ ,~~ _
! 55 their respective consequences are the same as outlined above for Buses 2A/3A l
and 6A as they prevent energization and loading of the bus. References for Section 3
- 1. See Reference 2 Section 1.
- 2. See Reference 1, Section 1.
- 3. Code of Federal Regulations, Title 10, Part 50, Domestic Licensing of
! Production and Utilization Facilties ,1984.
l 4. NUREG 0800 Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants, LWR Edition, July 1981. i 1 I
,- -yn- - - - - - - - - - - , + - < - - - - - , - -
m --
+-m,- r -~g 7.,, . -_,
1 56 Table 3.5.1 Cutsets Penetrating Regulatory Criteria D (LPI Failure)
- 1. EPD12
- 2. EPD02-02
- 3. See Table 3.3.1 for description of single fire zones.
U1 (HPI-Medium LOCA)
- 1. See Table 3.3.1 for description of single fire zones.
U2 (HPI-Small LOCA)
- 1. See Table 3.3.1 for description of single fire zones.
L (AFWSLOCA) failure given LOCA) None L (AFWS(TR) f ailure given transient)
- 1. AF011-A-INT (HELB)
- EPD02-02 (SRP 10.4.9)
- 2. See Table 3.3.1 for description of single fire zones.
T
- L (Transient and failure of auxiliary feedwater)
Transient Initiator Single Active Failure
- 1. EP03132-U --
- TR-IN-LOOP I *
- TR-IN-LOOP
- 2. F22 EPD02-02 EPI 21-15 j EPI 21-02
- 3. EPD02-02 AF011-A-H AF011-A-INT
- 4. F22 EPD11
! SWA06 EP!21-15 (Inverter) ! SWN4-A-1NT ,* , EPI 21-02 (I Bus 31) ,
- TR-IN-LOOP SWN6-A-INT AF011-A-H SWN7-9-INT AF011-A-INT
- 5. EPD02-02
- EPD11
- TR-IN-LOOP s
57 Table 3.5.1 (continued)
' SE-52-EG2-INT 3 SE-52-EG1-INT EPA 16-5 l
- 6. * *
~
EPD01-02 ( EPA 12-INT > TR-IN-LOOP l EPA 08-INT I EPD13 1EPD12 j
- 7. See Table 3.3.1 for description of single fire zones.
S2 (P) (RCP Seals)
- 1. See Table 3.3.1 for description of single fire zones.
S,(P)
- U (RCP Seal LOCA and f ailure of HPI)
- 1. See Table 3.3.1 for description of single fire zones.
S,(P)
- L (RCP Seal LOCA and failure of AFWS)
- 1. See Table 3.3.1 for description of single fire zones.
8 e
59
- 4. COMMENTS AND CONCLUSIONS 4.1 General Comments On the basis of experience gained in this project and in other projects, comments and insights are offered on the method described in Section 2.
Two general categories of comments are offered below which bear on the success of this project. In following subsections, comments are offered separately on the functional, spatial, and induced-human phases of the project. Finally, some overall conclusions are provided. 4.1.1 Particular Strengths of the Present Approach Scrutability and completeness of the modeling done here were materially enhanced by the following:
- 1. Explicit conditioning of mitigatino system status / failure modes on the character of the initiating event (e.g., shedding of MCCs on an SI signal).
- 2. Explicit conditioning of system / component failure modes on plant conditions (e.g., the availability of onsite power to bus 3A being affected by the availability of offsite power to bus 2A).
- 3. Explicit linking of all support system fault trees with frontline j system fault trees.
4 Working with primary sources of information (e.g., plant drawings as opposed to other studies), and understanding the operation of the l system. 4.1.2 Where to Stop Modeling The burden of this study is to identify the intersystem/intrasystem de-pendences, in order to ascertain whether the redundancy or independence of the given systems is compromised. Accordingly, for this study, it was decided to logically link all required support systems to frontline systems, in order to l obtain accident sequence cutsets entirely in terms of basic events. (Certain systems related to environment, such as HVAC, require special consideration, i because their failure does not immediately fail other systems.) For detailed j fault trees corresponding to the end product of a PRA, this might be extremely 1 i l
, - - , . . . . - . . . - - - - , - , ,, - - -- ,,-,. , - ---.n ,nw-- -r ,---~ - ----------.-----,-----,---------,---,,_,-,--,-,,---n---
60 i I l challenging, depending on the computer code being used. Here, because the { trees are not overburdened with detail and because the main interest is in j low-order cutsets, it is perfectly feasible. Moreover, as it turns out, it is j extremely desirable: for example, the finding of one single active failure j (battery 32 in LPI) emerged as a direct result of this systematic process.
- Neglecting the failure modes of fast transfer following a LOCA would have j hidden this failure mode. ;
The previous obscurity of this failure mode, together with the method of l its eventual detection, shows that it is necessary to explicitly model and link all direct functional support systems, unless these are suf ficiently i self-contained to be regarded as featureless black boxes. This is a simple matter of completeness. Once the cutsets have been reviewed, and the qualita-tive implications of the basic model are fully grasped, quantification can j proceed expeditiously. 4.2 Comments on Functional Phase j 4.2.1 Use of the SETS Code l It was decided to use the computer code SETSI to analyze the fault trees developed in this project. SETS is a flexible and powerful tool for use ! in fault tree analysis. Other codes exist, of course, and several might have ! been perfectly reasonable choices. Some of these enjoy th! reputation of I being easier to use than SETS. However, the generality of SETS is such that any logically definable transformation that is likely to be of interest can be l implemented within SETS (possibly at some human expense), while some other I codes appear to gain their relative user friendliness by sacrificing some gen-1 erality. This comment is not offered as an established insight; the point is simply that SETS appeared to be the least inherently constraining choice. Ul - timately, it may be found that the incapacities of some easier-to-use code manifest themselves only in areas which are useless anyhow; but at the outset
- of this study, this was a judgment that the team was unwilling to make.
- Other factors weighing in favor of SETS
. SETS was already up and running at BNL (9/82 versions).
) 1 l
.-.,,,.--,-,n-_-- - --- w ---~ . - , . , - - - - - - , - - - - - - - + - - - - - - , , -----,-------c,,-,, .-- ,- y,,e - , , ,---, -. - - - , - - . - - ,. - - - ~ , . ,- - , - . , - . - - - - - , ,
61 i
. SETS works in conjunction with a fault tree drawing code. The impor-tance of automated f ault tree drawing should be emphasized. Among the
) many benefits derived f rom use of this combination is that the tree j drawn by the code is derived from the SETS input, and therefore corre-sponds to the tree SETS is actually analyzing, whether or not this is the tree that the user thought SETS was analyzing. 4.2.2 Level of Detail It was decided initially to develop system f ault trees to the " segment" l j (or supercomponent) level.2 A segment is essentially a portion of the system consisting of one or more components in series. Defining segments is a j standard way to go about constructing a fault tree. In a normal PRA, the ] fault tree would show, for each segment, all support system faults leading to failures of components within the segment, all pertinent failure modes of all components within the segment, and probably a number of different maintenance errors. In the functional phase of this study, support faults are included as j above, but details of failures internal to a given segment are collapsed into a single event. The purpose of this, of course, is to prevent a pointless ex-plosion of the number of cutsets produced by the model, if segment A has 50 internal f ailure events, and segment B has 20, then segment A
- segment B has 1000. In later phases of the study, it is appropriate to transform the events
" segment A" and " segment B" to display some of this structure, in order to see whether there are interactions (e.g., spatially coupled) between the two, but in the functional phase this is logically unnecessary and basically undesir-able.
Earlier plans were to develop insights about the systems and sequences j first at the system level, then at the train level, and only then at the j segment level. This approach is probably desirable for one or two analysts I developing their own understanding of the plant, but for a sizable team the , j coordination required (e.g. , in assembling such high-level information and l then pausing to admire the view before proceeding to the segment level) was more trouble than it was worth. Formally, skipping these steps runs the risk of not finding a functional SI as early in the study as is theoretically possible, but the Itkelihood of this is believed to be small and the conse- , quences are not great. 1 E__ _ - - _ - _ _ _ _ _ __ _ - _ _ _ _ _ _ ---_
l 62 4.2.3 Logic Loops
- The occurrence of logic loops in complex fault trees is a well understood problem. For example, diesel generators generally depend on service water i af ter their first few minutes of operation, while the service water pumps i depend on the diesels immediately after a loss of offsite power. Blindly I
modeling the diesels' dependence on service water and service water's depen-dence on diesels creates a loop. In a sense, this can be viewed as an arti-fact of the neglect of time dependence in the construction of the loop. Some j approaches to the problem are based on recognizing this time dependence. It is typical to speak of " breaking" logic loops, and to treat such problems as having short-term logic and long-term logic.2 l In the present study, however, a somewhat different approach is taken. Consider the failure of power at a 480-V ac bus which supports an essential ] service water pump. Conceptually, one separates out those bus f ailure events which do not depend on service water, and feeds this subset into the tree for f ailure of service water. Thus, the tree for failure of service water will l include local faults of the diesel, but not failure of service water to the diesel. Similarly, service water failures other than diesel failures are i separated out, and fed into the tree for diesel failure. , i in this approach, partial replicas of certain subtrees appear in nore l 1 i l than one place. But while this increases the number of gates, it does not in-crease the number of primary events, and it allows the primary event defini-
- tions (internal diesel fault, etc.) to retain their general time-independent intuitively clear significance, while still providing an exhaustive set of cutsets for "f ailure of service water" and "f ailure of diesel generator out-put" within a single global fault tree.
Details of this approach must, of course, depend on the system to be ' modeled. 1 i
-_ _-,--,_m ...,,,,.-,.--y.,.._,.,,,,..--,--..-.--.._.,..--,-_--y -,,,,-.,--y -_,,._7y-.
63 ( i 4.2.4 Obtaining Minimal Cutsets From the Fault Trees i 4.2.4.1 Size of the Problem The prescription outlined above (proceeding to the segment level, showing < all support faults and a single " internal" fault for each segment) led to a substantial amount of fault tree development. Along the way, considerable en-ergy was spent in preventing unnecessary development of detail within segments. Even so, as dependences are followed from one system down into an-other and then into yet another, the number of cutsets grows explosively. A feature of SETS which proved particularly useful here is its ability to l
- gather events into " independent subtrees," which are essentially portions of
! the f ault tree which can (at least temporarily) be treated as diamond events. ] This feature is capable of compensating for certain possible lapses l- analyst
! discipline which might otherwise have resulted in overdevelopment of some f events (i.e., inclusion of detail that does not shed light on dependences).
l 4.2.4.2 Truncation i As support faults are developed and resolved into lower level support faults, the number of cutsets can easily become unmanageable, and it is diffi-j cult to avoid truncation while working at the segment level (let alone the componentlevel). j There is more than one type of truncation. One type involves assigning l probabilities to basic events and discarding cutsets whose probabilities are l less than some cutoff. As truncation methods 90, this has a good deal to rec- ] onnend it. For present purposes, one is interested in discarding cutsets j which are unlikely to bear fruit in a search for spatial or induced-human in- ] teractions, and while any truncation method is capable of throwing away a cut- ! set that should be searched, probabilistic truncation is less arbitrary than i ( truncation on number of basic events in the cutset carried out without regard l to their probability. Probabilistic truncation keeps apparently likely cut- ! sets even if they are high order, while rejecting presumptively unlikely ones; ! truncation on cutset order does not distinguish multiple pipe ruptures from multiple diesel failures. In spito of this, in the early phases of this pro-ject, truncation on cutset order is essentially written into the statement i I i
1 64 i i l l of work. Clearly, however, fundamental questions remain about the desirabil-ity of basing a cutset search on a body of cutsets derived using truncation on j cutset order. This issue is intimately connected with that raised in the next l subsection, which has to do with the effect of modeling assumptions. Initially, the goal in this project was to obtain cutsets out to fourth order (which seemed to be a substantial but not prohibitive undertaking), and search them for interactions which would reduce them to fi rst or second order. Early in the project, cutsets were actually obtained to fourth order for all top events except those involving RCP seal LOCA (which were carried
! out to third order). This operation confirmed the " substantial-but-not-pro-I hibitive" assessment, for the case of fully linked frontline and nonenviron-j mental support systems. Because it was a substantial ef fort, the need to do
! it again when the fault trees were completed was examined carefully. Reasons i for doing it again ranged from administrative (simply to deliver cutsets to ! some specified order) to technical (a serious intention of searching the cut-
- sets). NRC called for second-order cutsets, which turns out to be a usefully
{ revealing level of development. That is, for an ostensibly three-train sys-tem, a three-element cutset does not correspond to an SI, but a two-element l cutset may do so. For reasons specific to this project, which are discussed elsewhere in this section, higher-order cutsets were not sought, and cutsets were therefore developed only out to second order, with certain special events not counting in the length of the cutset. 4.2.4.3 Modeling Assumptions it is part of the essence of an 51 study that unexpected and obscure con-nections are sought. With this in mind, one may be inclined to make one's l1 j models as " complete" as possible. This may suggest, for example, modeling failures of heat tracing used on a suction line. However, this may involve thousands of cutsets, which, plugged into another system fault tree at a low level, may give rise to an astronomical number of cutsets for that system. 1 (If it is not clear why heat tracing would do this, consider that electric heat tracing calls power, which calls diesels, which calls service water, lI which calls dc . . . .) If heat tracing failure is arguably important, then I well and good, but in some cases it will not be, and in order to proceed, one l needs to fall back on either probabilistic truncation or a convincing physical l argument. I I l
65 l Apart f rom the dif ficulties of dealing with astronomical numbers of cut-sets, there is the more fundamental problem that a hard-won list of cutsets can easily be dominated (in terms of numbers of cutsets) by cutsets which are l inherently implausible. Thus, cutset searching schemes which weigh all cut-l l sets alike will tend to allocate effort to areas which happen to have large l numbers of cutsets, witilout regard to their probability; and from the above j discussion, it should be clear that " conservative" modeling assumptions can be crippling under these circumstances. 4.2.5 Fault Trees Used in Multiple Contexts i An essential feature of this project is that a f ault tree has been de-veloped for the transient-initiating event itself. The point of doing this is 4 to shed light on failures which link initiating events to unavailability of mitigating systems. Failures in the electric power system are obvious exam-ples of such events. A certain complexity can result from this approach, however, as different transients impose different demands on systems. For many reasons , the failure logic changes appreciably, depending on whether a safety injection signal is present, or whether offsite power is available. The present study differs q from some of its prt iecessors in that an attempt has been made to handle this complexity in a few large fault trees, within which certain events are toggled l by the analyst to handle different cases. This does not differ conceptually from simply running many different trees for dif ferent cases, which is closer j to the usual practice; it means simply that the task of assuring accuracy and completeness is carried out on a single complex tree, rather than piecemeal on l multiple trees which are individually simple. At this point, it seems that while the large-single-tree approach is taxing to review, it forces the j analysts to confront completeness in a single list of cutsets, rather than allowing a multiplicity of more nrrrowly defined cases to obscure the absence of an important one. A further side effect of this approach leads to seeming conservatism in some cases. For example, if a safety injection signal is present, certain loads are shed from emergency buses, among them conventional service water. j fhis leaves component cooling without a heat sink. This, in turn, conserva-tively applying binary logic, leads to an RCP seal LOCA. In brief, a spurious i
i l '! 66 i l t SI seems to lead to an RCP seal LOCA. In some contexts, it is presumably ; appropriate to model loss of service water as leading to failure of CCW; in l I others, it is not (at least, in the present case, not immediate failure of i CCW). The approach adopted here thus highlights failure modes which closer , I inspection may rule out. In this sense, all cutsets given here are strictly 1 + l provisional, and all primary events are to be regarded as having rather l l general meaning. 1 } 4.3 Comment on the Spatial Phase ! i 4.3.1 Infcrmation Gathering l l Previous descriptions of the method being surveyed here imply an emphasis l on searching functional cutsets for spatial intracutset coupling. In the - i j actual analysis, however, a different emphasis emerges. Cutset searching is f one approach, but information about parts of the plant which are not already j in the cutsets must be brought in. A zone may contain only one component ( which appears in a f rontline system fault tree or any of its support system f l fault trees; but if, in addition, the zone contains components which can cause l 4 transients, this needs to be known. Therefore, even before the cutsets are l f confronted, a list of zones containing all modeled components should be gener- I ) ated, and it is logically necessary to know all the components in these zones. } F
! In this project, the Fire Hazards Analysis and certain plant arrangement ,
i i j drawings were primary information sources. This means that only major compo-l
; nents and selected power cables could readily be located. The information t
! presented here must therefore be considered an example of how to proceed. It ! is doubtful that our inventory of any zone's contents is complete, and these ! results are therefore partial. Onsite inspection is necessary before faith i j can be justified in results of this type. 4.3.2 Screening Analysis Given a set of zones, components located therein, and susceptibilities, a simplified model can readily be generated which corresponds logically to further development of the events in the fault tree. It is feasible to pro- j vide cutsets in which only an explicitly delineated part of a zone is ; . i j l [
l 67 1 destroyed (by a fire, say), and other failures occur for other reasons. This
; should be the goal of the analysis; it becomes especially imortant when the individual zones are large. However, distinctions of this type begin to require physical analysis, which was not performed in this study.
4.4 Comment on Search for Induced Human Interactions Discussion of this part of the project is probably best carried out in light of a specific example. Suppose that there is a cutset for accident se-
- quence T*L (transient and failure of auxiliary feedwater) which contains an l instrument bus fault and failure of certain AFW flowpaths to the steam genera-l tors, along with other events as well. As developed under the present method,
! this cutset would reflect functional dependences and perhaps spatial coupling, l and the idea now is to see whether one event in the cutset can cause any of I the others by causing the operator to do something. If so, then the, causative
- event logically implies the others, and the true minimal cutset is correspond-ingly shorter. Suppose, further, that the instrument bus f ault causes certain j instrumelts to fail in a misleading way, causing the operator by some written procedure to close the AFW flowpaths in the cutset which prevents flow. Then l one element of the cutset will have induced the operator to cause others.
This is an " induced-human St." Actually, whether this would be classed as an j SI under the ground rules given here would depend on how many events the cut- ! set ended up with (see Section 3). If this intercction shortened a 7th-order ! cutset to a 5th-order cutset, it would not count as an St. If it shortens a 4th-order cutset to a 2nd-order cutset, it counts as an St. The essential } qualitative point is the shortening of cutsets. This part of the project was ! intended to search for such couplings. I l The Original Plan ! Ideally, one would construct a data base that contained an explicit index ! of all acts mentioned in written procedures, reflecting the cues that stimu-late each act. The data base would be used in the following way. Given the cutset in the example outlined above, one could call for a listing of all oro-cedural acts which have the effect of throttling the indicated flowpath , and a listing of all actions taken af ter the instrument bus fault. This informa- ! tion, placed in the context of the specific cutset under scrutiny, should lead l to identification of the coupling, i I ir
68 The data base was to have been constituted from information contained in IP-3 procedures and information contained in the INP0 Reactor Operator Task Analysis Data Base. This INP0 data base was developed to identify the train-ing needs of reactor operators by first determining the tasks performed by these personnel and then analyzing the cue conditions, standards of perfor-mance, and skills / knowledge associated with these tasks. This data base is resident on the INP0 computer and is accessed by member utilities through a telephone network. It is organized in such a way that data can be sorted in support of a variety of user needs. The Actual Implementation The actual implementation differed from the above in two essential re-spects. First, BNL was not given access to the INP0 data base. (While NRC has authorization to use the data t,ase for purposes related to training, the present application was not constoered to fall within the scope of that authorization.) This meant that generating a list of causes for flowpath throttling was done essentially by individuals with operator experience and { knowledge of IP-3, who reviewed IP-3 procedures and related information. Second, each primary event in the cutsets sas considered individually, not in l the context of any particular scenarios in which it appeared, and this tended to deprive the search of what should have been a useful focus. For example, returning again to the example given above, considering the event "AFW flowpath blockage" in isolation is less convergent than considering "AFW flowpath blockage" AND " instrument bus f ault." l T'. lack of access to the INPO esta base influenced the decision to search primary events rather than cutsets. This decision was also irfuenced l by the following considerations. First, the list of primary events is sub-1 stantially complete (never really complete) at a fairly early stage of the ! project, certainly before the trees have been debugged and the cutsets ob-tained at a useful level of correctness. Second, it had been hoped to obtain cutsets out to fourth order or so, and to establish priorities for the search for interactions between pairs (triple, etc.) of events by computing an impor-tance measure defined on pairs (triples, et' .) of events (i.e., how many times the pair / triple appeared in the cutsets), in order to focus the search on the most important (prevalent) pairs (triples, etc). However, af ter enmination
l 69 j i i ! of the preliminary round of fourth-order cutsets , it was felt that no reason-able importance measure could be defined without invoking probabilities. The number of cutsets containing a particular pair tends to be an artifact of otherwise relatively unimportant modeling assumptions. At the time, a commit-l ment had been made to proceed without explicit regard to probabilities until the findings were quantified; a mou"ation of this commitment appears to of fer j considerable advantages. I i The problems ment.uned up to now reflect on the basic approach. One sig-1 j nificant problem arose directly in connection with the content of the func-tional model. The example given at the beginning of this comment clearly 11-lustrates that instrumentation-related failures are expected to dominate the field of induced-human coupling. Ideally, then, one wants to relate basic l events in functional cutsets to instrumentation failures. Unfortunately, this
) is less straightforward than it might be. In practice, instrumentation fail-ures are reflected in functional cutsets only if they happen to contribute to j an actuation failure or perhaps an automatic control failure, so some hard work (and a good deal more information than wat made available) is necessary in order to explicitly relate a power failure to pertinent instrumentation. >
l Note that the PRA did not conduct much analysis at the low-voltage level, and i j was not any help in this area. In f act, there are instrument buses indicated ' i on recent wiring diagrams which are not reflected in the System Descriptions. We believe that these are recent modifications. j Sumary
. The functional model does not automatically contain instrumentation f ailure modes of the type that could straightforwardly be interpreted i
1 in the review for induced-human sis. A systematic approach to relat- ) ing functional failure modes to instrument malfunctions is essential. j
. This portion of the analysis has information needs w W n apparently go
] beyond those of traditional PRA; instruments which do not _directly ,
- f all systems tend not to show up in PRA fault trees. Instruments -
j which mislead operators, not control circuits, are the objects of study here. I 4
= - . . .- _ - ._. - - - . - _ . _ _ . _ - _ _
70 i j . This portion of the study should consider entire cutsets rather than 1 individual events. I I . Because a high percentage of precursors to potentially severe acci- ; f dents involve human error,3 broadening the scope of future analyses i to treat the operators as humans rather than machines is recommended. I Maintenance errors should also be included.
. The ability to search a data base in the manner indicated should prove to be a considerable strength, if the data base actually spans the set I of procedure-based operator acts and relates cues to responses. ! 4.5 Conclusions
, The approach used here has proved successful in finding significant in-l teractions which were previously missed. Important aspects of this approach { deserve consideration as guidance feveloped by NRC for performance of fu-ture studies of this type. Summari, d below are a few important highlights of l this project, which were fully developed in Sections 3 and 4. Major Findings ] Unavailability on demand of battery 32 leads directly to failure of low : pressure injection in large and medium LOCA sequences, and contributes to i f failure of other systems in other accident sequences as well (e.g., loss of I both notor-driven auxiliary feedwater trains). This particular finding moti-voted the licensee to implement an immediate modification of the plant. 1 Table 3.5.1 lists cutsets which, taken at face value, appear to violate i the plant's licensing basis. At this writing, the status of these other find-I j ings, with regard to the process of NRC/ licensee review, is unknown. ) 1 Lessons Learned i j The process of achieving qualitative insight into the systems' failure ] modes is greatly assisted by the following: i , l . Development of accident sequence cutsets by linking fully developed l support system fault trees to frontline system fault trees. I , 1 l. ] 1 .
71
. Explicit conditioning of events on the character of the initiator; explicit display of the initiating event in sequence cutsets, explicit display of the presence or absence of a safety injection signal, availability or otherwise of offsite power, etc. . Searching large numbers of cutsets for interactions would probably benefit from a priority setting scheme employing screening probabili-ties for certain basic events. . Once identified, an Si is usually easy enough to understand; the major task of an SI study is to manage a large amount of information in such I
j a way as to identify the system interactions as efficiently as possi-
- ble. Two coments are offered here regarding the use of computers in d
this area. It is particularly interesting in this case that the bat-tery 32 failure mode of LPI was actually found by computer; that is, the computer output came as a surprise to the analysts who had pre- > pared the fault trees which were linked to produce the finding. The fi rs t coment , accordingly, is that an apparently crucial gain in efficiency was achieved by having a machine systematically consider
- combinations of failures which had previously gone unscrutinized by humans working without the benfit of linked fault tree models. The i
second coment is that the use of a computer was not in itself partic-ularly expensive in this project. Of cou rs e, analysis of large Boolean expressions in the course of full-PRA quantitative accident sequence analysis can seem expensive, but computer costs will general-ly correspond to a modest fraction of the ef fort expended in getting l the information together. Additionally, if high-order terms are not pursued for whatever reason, the cost of obtaining only low-order { terms is relatively nominal. The proper perspective seems to be that computer costs are a) part of the information management problem, b) j not necessarily a substantial fraction of the project cost, and c) a bargain, in our experience.
- 1 l
l 72 i i References for Section 4
- 1. R. B. Worrell and D. W. Stack, A SETS Manual for the Fault Tree Analyst, l NUREG/CR-0465, 1978.
2 D. D. Carlson et al., Interim Reliability Evaluation Program Procedures l Guide, NUREG/CR-2728, July 1982, i 3. J. W. Minarick et al., Precursors to Potential Severe Core Damage Accidents: 1969-1970; A Status Report, NUREG/CR-2497, ORNL, June 1982. U j
.I i
i I i
._ _- . - ~ _ , _ _ . _ _ . - _ - __ . , _ . _ _ _ _ _ . - _ . _ , _ . _ _ _ _ , . _.._,__,.-_._.-_._-1_
73 APPENDIX A 4 SYSTEM MODELS I A.0 INTRODUCTION l The following descriptions are of fault trees developed in this project. j Most correspond to frontline or support systems; the two exceptions are the
- " Sequencer" tree, which contains most of the logic trea.ing control of pump breakers, and the Transient Initiator tree, which is essentially an "0R" gate
- top event with inputs from various other trees.
System descriptions are accompanied by figures showing how the systems > were broken down into segments. In most cases, primary fault tree events are named with these segment identifiers. Plots of the following fault trees can be found in a jacket at the end of this report. Each fault tree is plotted on a separate microfiche, and there-j fore, need not be placed in any specific order within the jacket. Each fault tree microfiche carries the name FITZPATRICK in the heading. l Auxiliary Feedwater Main Feedwater j HPI Medium LOCA HPI Small LOCA l LPI (Low Pressure Injection) ] RCP Seal LOCA j Pressurizer CCW (Component Cooling Water) CST (Condensate Storage Tank)
- Loss of Charging loss of Letdown
! Electrical Power l Heat Tracing Instrument Air
- RWST (Refueling Water Storage Tank) i Station Air i Sequencer Part 1 i Sequencer Part 2 j SIAS (Safety Injection Actuation System)
! Service Water Transient ] 4
74 A.1. AUXILIARY FEEDWATER A.1.1 Introduction The auxiliary feedwater (AFW) system serves to remove decay heat by sup-plying water to the steam generators in the course of mitigating transients or small LOCAs. Additionally, it serves along with the main feedwater system in startup or shutdown operations, or during hot standby. The AFW system includes two electric-motor-driven AFW pumps and one steam-turbine-driven AFW pump. Ordinarily, these take suction from the condensate storage tank (CST), but the city water storage tank is also available as a ~ backup source. Each of the motor-driven pumps normally supplies two of the four steam generators, while the steam-turbine pump supplies all four. Air to all AFWS A0Vs (city water suction PCVs , AFW pump discharger FCVs , and atmospheric S/G relief dump valves) is backed up by an independent nitro-gen supply system. The PCV 1139 A0V (AFWS turbine-driven AFW pump turbine-steam inlet governor valve) is not backed by the nitrogen system, but has its own control air supply. A.1.2 Top Events For this SI study, only one top event is of interest for this system: failure to remove decay heat through the steam generators. Scenarios in this study for which AFW is required are small LOCAs and transients. A.1.3 Success Criteria For all transients and for small LOCA, AFW mission success requires at least one auxiliary feedwater pump feeding to two steam generators. This corresponds to at least 200 gpm to each of at least two steam generators. AFW flow must be initiated within 30 minutes of the trip. At least one means must be available for removing steam from the SGs. Either the atmospheric steam generator dump valves or the steam generator
75 safety relief valves must open for each of the corresponding steam generators which is intact and receiving feedwater. The configuration assumes that the four steam lines are isolated from each other. A.1.4 Assu:nptions
- 1. Blowdown from a steam generator failing to be isolated constitutes sufficient outflow to result in a failure of that steam generator due to loss of steam generator inventory in the secondary side.
- 2. All steam generator safety relief valves must fail, in order to constitute a failure to remove steam from a steam generator. That is, one relief valve per steam generator suffices for decay heat removal.
- 3. A failure mode was considered for SG AFW injection header check val ves (BFD 69, 70, 67, and 68) in which they allow reverse flow leakage. This results in heated main feedwater entering the AFW dis-charge lines. High temperature water can result in a water hammer condition or steam binding of the AFW pumps. Failure of a single AFW injection header check valve, allowing reverse flow leakage, will affect two AFW pumps (one motor driven and one turbine driven), and the corresponding pump discharge lines.
I
- 4. For the steam generator atmospheric steam relief valves (ASRV),the i control loop power supply diagram was not available; here, it will be assumed that the SG ASRV requires this power for operation and that 0
loss of this power will constitute a failure of the SG ASRV.
- 5. The SG atmospheric steam relief valve modeling does not take credit
,for the N2 backup mode of operation because it is. only a local /manu-ally controlled means of operation.
- 6. The loss of air and backup N2 or the loss of de power to the sole-noids controlling the AFW FCVs to the AFW pump discharge segment A0Vs (FCV 405 A-D and FCV 406 A-D) is taken as a failure of the ability to control auxiliary feedwater to the steam generators, as it will l
76 result in these failing wide open. Although this does not lead to insufficiency of AFW, controlling the supply of feedwater is diffi-cult.
- 7. Individual AFW pump flow diversion by check valve backleakage of hot water through an idle AFW pump was not included.
- 8. The failure mode of the SG safety / relief valve and SG atmospheric dump valves (failure to reclose) has not been modeled. This condi-tion is akin to a main steam line break. There would be excessive heat transfer from primary to the secondary until a SG dryout condi-tion was reached.
- 9. AFW pump 32 turbine can be supplied with sufficient steam from either SG 32 or SG 33.
- 10. Freezing of water lines is not reflected in the present results.
Information on heat tracing was gathered and modeled, but the compu-tational burden associated with the additional complexity seemed out of proportion to the expected product. In other words, heat rracing j failures leading to freezing of large-diameter lines was considered, but generating cutsets for this was considered not worthwhile.
)
i I i ( 1 { l l I I i l
/ \. .
pu,:r cp V, II !
.;h @y,,, @ @ q @ , @ .u .c - -o-. ...,.,, -- m. . .. ..... . u... l l- .Va m -r u- > . _l , , . " ~ ' ,,,,u....,., t .i .. .m..
o., Ill' v lg_
'C 5Q /oo - A') f1 O' jO !
g_. $ @y _, [ - i.
,, . - .T. .s )----14.. . . . l 1 7 .e .,,. u... t..N.,,, .< .m....,
_.g+I I
- 1 q,ml .y, "* I pa 35) 'T Of @ 'g ..-.s g g y cp g I g- ~u g f. .T] O3 +. .a.>- . . . s.. .r. o. u n... > ,,,,,(yv , i ,- " . . 4 m .' I a .,. /s* .
v. o ,. unon. \ ( : u. " v a +. no. _1 O j t. 't W rW4-- 4.
..'.'l' -3 g )) i+
I i ,, -- w H gpyt;
^ t + - M, - U .. o v l - ._ (18 Jf) o.e l +F H+ -(+ @ -(-- ...., k11 v l .s, .s..,....m ..-..s.......
a i, g u...., "; "," . J 1 * " " ",',*,," , l$ j m..........
.g9,_, w< g) ) q. n g , .,
- q. g, , , , ,
n . _ .u . u s. . Id
) waa % , ,, p r.) - ,,,vi..no g .. ..o. .. c o ., .cv .= ..oiml no. l_-srf3 33) f!! . . . . . . .
u:-l g ,,,,,Ijv j l ta m .
....u.o ,,m,<.
g ao a. N -
. .c.xic.1 9.t. w.., . .-.
I I NOTE: THERE y
...m... ..+
m ,...:..~...,0
.......-,c...o...:,%, no. se I Mt s coor .'.'l,"Z '"' -f M4 @ r s>-41 'a + > -4.. W......4. . ,
g- l SMETy VAa,fs I $Y(([;c"' o
,, . . . . . . , , , , , . .u .m . .m. . . . .,p~I ,. , .. .a ....-a y L____.___ _] . .. uon y, ,, tp, m .s,s,_ <............c..,
g m oor-4 m o .. o. .m.- ccwocz. A- m r z-"> a
..e, --te /
s....
- 1. . ,
. . . m... . , _
l Figure A.I.1 Indian Point 3 auxiliary feedwater system segment diagram.
i 78 1 Table A.1 Electric Power Dependences for AFWS i Bus Event Name 1 SG31 ADV PCV1134 Inst Bus 33 EPI 23-01 i SG32 ADV PCV1135 Inst Bus 34 EPI 24-01
- SG33 ADV PCV1136 Inst Bus 34 EPI 24-01 SG34 ADV PCV1137 Inst Bus 33 EPI 23-01 i A0V CW to AFW Pump 31 Inst Bus 33 EPI 23-01 A0V CW to AFW Pump 32 Inst Bus 31 EPI 21-01 ,
- A0V CW to AFW Pump 33 Inst Bus 32 EPI 22-01
.; Pump 31 480-Volt Motive Power Bus 3A EPA 14-T Dc Control Power Dc Bus 33 EPD03-01 Runout Protection Ext (FCV 406A & FCV 406B) Inst Bus 33 EPI 23-01 Pump 33 480-Volt Motive Power Bus 6A EPA 11-T I' Dc Control Power Oc Bus 32 EPD02-01 Runout Protection Ext
! (FCV 406C & FCV 406D) Inst Bus 32 EPI 22-01 l
l Pump 32 Control Power HC1118 Inst Bus 31 EPI 21-01 3 l EHT HTG320-T* i
- Heat tracing related failure of Pump 32 suction line requires
- low ambient temp, no flow in line 1080, and loss of power to EHT FP-DP 32 from MCC 35 (EPA 28-T) l i
I
79 A.2. MAIN FEEDWATER A.2.1 Introduction This section briefly discusses the main feedwater system (MFW). It is not usual for this system to be discussed in any detail in studies of this type, and its role in the present study needs some clarification. Among the reasons the MFW might appropriately be studied are the follow-ing: .
- 1. Some PRAs take credit for use of the MFW system to remove decay heat.
- 2. Since loss of MFW initiates a plant transient, any significant linkage (interaction) between MFW and AFW might connect a challenge to the AFW system with some degradation of its performance.
Accordingly, at an early stage of the study, it was intended to study the NFW system with the goal of exploring both of items 1 and 2 above. However, information available to us indicates that it is difficult, at best, to use the MFW system immediately af ter a trip. In fact, procedures call fo.r a manual trip of MFW after a reactor, turbine or generator trip, and in any case, certain automatic actions following a reactor trip will lead to a MFW trip. Moreover, while the MFW system at IP-3 is being upgraded to permit practical operation at low flow, this modification was not in place when the present anlaysis was performed. Analyzing abnormal scenarios (such as MFW l operation af ter a total AFW f ailure) for the sake of realism is well beyond the scope of the present study, which is intended to shed light on existing ! and prospective regulatory practice, rather than on beyond-design-basis recov-eries. Consideration of MFW in this study was therefore limited to its possi-ble correlation with AFW failures. Correspondingly, development of the MFW fault tree was undertaken for the purpose of highlighting support system faults which would affect AFW operation as well. 4 A f ault tree was developed for the MFW system and included as part of ti.e transient initiator fault tree. i
80 l 1 A.2.2 Top Event The top event was taken to be loss of (or insufficient flow of) main feedwater to at least one out of four steam generators , with the plant initially at full power. A.2.3 Mission Success Success criteria do not apply to this system as it was modeled only as a transient initiator. A.2.4 Assumptions
- 1. The plant is initially at full power.
I 2. Failure of more than one circulating water pump leads to a trip. 1
BOILER FEEDWATER SYSTEM CONI AINMEH f (OW (LOW UyPA33 (dh-M MOI Of t 4~ ~k4 VE ri U 41 VALV 8 O ISOLAti)4 ALVE . ** ,,. ,, y'afy't g 3,,.,
,,,,li)s El{2 ~ -m -( + - .
iLLD Wh* FEEDW A IEle - (> ) fiE Gut '8 AIIO ', (" '} (gp_pp.3 @_'M- "E"8 p p - h,3 ->4( 'd Mf-3D)(gr.;p)_[. m runulNE OfHvite -{X}-- 30 A ) 5g DOIL Efl FEEDW A TLH EF#-S ; p rs .M 34 PUMPS lj - WM f BFP 1 N t i
=
HE puM F8
^lf" rs ^' -f*I~I#I' bl~ )**)N l
- _{x}- '
y {'l MF-2b - u
@r-7)-. =
0 sou) pi g < _ D ll H l Gir-p) Tb - so __.(sp{I) - s'*-5 p q n n*2s or> > f ,32 L_.h,,,,~ 32 --- (A)y,,nill f=3-N-ix]age l- m_, FEE 0WAT[n d 3 . HEAIERS -{x}-- acc ) (X) wgg -- (MT-PP-3h Y lti O (MF-3A)
~
X 2*^'L u Pt y l fn~r- (x3-- 4c) '
->4 ' ^
oeu-s (MF-lA)) so H) E-4 8 DFD-F 31 sIOnAGE M T AtlK N ki- l %doto-o I Fev l(x)) ( 4sr }' h_]-~ . { MF-4)- UFD-tI g 7,yg) III Ii I '
' l -. 33 9 3e g , 32 y
rtow coninot vALvre rW o( FI ( ( &Ftow& cT3 c?3 coninot -vALvts I I I AUXlLIARY FEED PUMPS Figure A.2.1 Main feedwater simplified P&ID. (sheet 1 of 3)
s q. MAJOR CONDENSATE FLOW PATHS (CA/- EbSR - 33) (cal- cas R - J2) , (cu. 9A (Cal-CD5R'di \ *
\% _
ff: acv-iiin
.g]~
w3 ((t/d5A)
,,i .., ... co o. .... 3,4 ) / -~ , ,, )
p-J -- 244 ) -(cy./A) eo ..u.
>> ) -
(c^/- 7Ah l~ ((A/ - (bs4 1) e r 4-k
? ;S.F[TLrF
[ l h I at ^* c E aE'" N-04
~
j 4) (h$M M 3' -
~
asa ((N- EbsR-3T-2g
,f /f/ E W33 '-~ /ll/
(c A/- CDS/d-32-7) 1 _..._ ___ _ [- ED p !(W~'o D (LN- lb5R-32-1) I -:
/ w_/ (c/Al-//) : ~ ' 22. ) ('ca-f3)
(lA/- Ch5R- 33-0 s 4,, , , c ,o ,
,,, 7 , , , f, ,,3 ?
qQ 3
*) gru-/) a (CA/- (dSR-33-2 --
__3 N j _j M UNIT __ Y __? u
' COND.NSa,E PUMPS h 7 =l = M O.
Q 2* ##-30 R-Do
- O
$ f", ,J::.~,.., !Na a"t$"va'a" 'U,Ed",I, s'E' (cAf-fo) l (NO~ )
[] (ca-8A) , _ (caf- pg.J2) J,owPaina ((4-FAT - *) w U ~
, 'cvg'2a 3c) ,,c ) -(fM-IC) ~~
nowrams I- . [ --
@^/7#]3)% gu.9g ,,e ) N ,,c 3 -i (cgf_73/ j' R g
x b4 D4 J, j .e.: < <u)_ .=q.w .=. -e~-n (CA/-63) Figure A.2.1 Main feedwater simplified P&ID. (sheet 2 of 3)
~
HEATER DRAIN TANK SYSTEM AND CONTROLS i ' (No-2) ~ N_ ...E.9?!l ,: , ::
=. .... =. t .:n ..... . ,
4 g-.--.,-_.. 3
.e a... .ases ,an.i klt .g. .y. .y. i.:. ..:.
t.:. n .... . . n , [j
.c.
D4 .. . . . . . . . . . . . . 3 .. ..X --X
. ' , .' '. , . ;45 ' . (ub-PP-32) _ . _ . . . . . . , l .. 4.4-M
- a. p e,......
4
.i. ....
6 5
; c ... ..... .. lg 2 g,4 .a"~
N 3 "ia . .. r , [. ,,,,,,,,,,,,,[ runee. Ca .. .t . asse (HD -PP-31)-e. .. .. .".
~
J = pg
.".. Z " .. .'. .. . o . . ..
3 1
.R. ! .... . .., c =. = ---.n.
J.I1. -
- ,ca :, y ,;,c~ ,,,
e -s .. .........m. n ,. . , _ , l 4i I ,... *
-.. ., { -
T
. yu .Plate . . .('JC . , ..ON... '
863 WBI l l , m .I Figure A.2.1 Main feedwater simplified P&ID. (sheet 3 of 3)
84 A.3. HIGH PRESSURE INJECTION A.3.1 Introduction The high pressure injection (HPI) system provides water to the RCS in the event of a loss-of-coolant accident (LOCA) or other depressurization events. In this study, two scenarios calling for HPI are considered; small LOCA and medium LOCA. Only the injection phase is considered. The HPI system includes three centrifugal electric-motor-driven pumps. These take suction from the RWST and inject into the cold legs of the RCS. One of the two paths from the pumps to the cold legs passes through the boron injection tank. The boron itself does not play a mitigating role in the sce-narios considered, but the flow path is, of course, necessary. This path must be kept heated or the highly concentrated boric acid will crystallize, block-ing the flowpath. A.3.2 Top Events The top events considered are failure to supply sufficient HPI flow for each LOCA scenario considered. A.3.3 Success Criteria These criteria are based on the IPPSS analysis. Small LOCA - at least one out cf three high pressure safety injection pumps capable of feeding at least one out of eight RCS cold leg injection paths. Medium LOCA - at least two out of three high pressure safety injection pumps capable of feeding at least two out of four RCS cold leg injection paths in each safety injection system discharge header. ; I A.3.4 Assumptions
- 1. It was conservatively assumed that the break incapacitates one cold leg.
1
85
- 2. For the small LOCA case, a flow diversion back to the RWST was con-sidered (through segments HP009 and HP011 or through segments HP010 and HP011). In the small LOCA case, wherein single operation of a safety injection pump constitutes success, it was assumed that enough flow through this path (full flow test line) would occur to result in insufficient flow to the RCS. In the medium LOCA case, with greater flow being delivered to botn headers from at least two high pressure safety injection pumps, this small flow diversion through the 3/4-inch full flow test line was not considered to result in insufficient high pressure safety injection flow.
- 3. Failure modes considered in the development of the HPI system func-tional fault trees were insufficient flow (failure mode A), reverse flow (failure mode C), and electrical power supply loss (failure mode T). Failure modes B (excess flow) and D (rupture) were not modeled into the HPI functional fault tree.
i i l
__ -.- - _ ._~ -- - . -. . _ _ . - _ - .. __ _ - - _. l
} l7 5LocA outy /* ,W ::S:4 y / . -A n
o-n'C e .s. [ up a IPA ts trete sf-ba)
/^
4 "C n m
** 2 M e.
w e420 n, ., c. ,s a 4gy, 5 i A _ "'* se se gpA o4.T (Sus DA) snw esoA S#O Ol* OI(BUS SI) RWQ 00N 1 o a' M hV- EPAts(Ntt sT4A) 4 ~/ NSI U see t o e MM es y es r ess
'sl essa y. . m , A EAA 07 - T (BUS 2A) fIE' RWG 001 A r, _ _A E#b 03-o/ st 32 (ADS 3O , Yll l? "
MF "
/p F g EPA 22-T (Mc J64 M s A
b ' ] _J^ SI- IlX
- i- VALVES e 2
W}-0)<}--\ l#A 22 r
%)%
A to
'[' " , ' 'o* , / ens se 3I l'X- 1 nisl'I \_l s. 33 fpA ff.r[M s
m s ews EM 027 gf,3,3 m S' t *l* , IPAZ3-T(Mu3ca 64 V r "**** SI2ix-i VAlwE5 '"/S2,$.y
'W ese my ese seogg U A~
so m in ne Sl tin- o
#CT LEG flEC9mCutAreom patw$ Ang Not Seeweg ON THt$ OlAGR AM IMG V AR( $NCO IIDf D Pg VME ntConcutA foom Sysee M ANALY$t$
S CG BORIC y ie5N I*Sb ACID TANK 5
'N M tvts IA HOLD UP TAMKS \
Figure A.3.1 Indian Point 3 high pressure injection system rimplified P&ID. i i
1 i 87 i
- A.4. LOW PRESSURE INJECTION l A.4.1 Intrcduction I The low pressure injection (LPI) system is designed to inject water into the core following a large or medium LOCA. The LPI system also performs other functions , but is analyzed here for the injection phase of large or medium f'
LOCA scenarios. . The system includes two pumps, each capable of delivering 3000 gpm when f primary pressure is 150 psig. During the injection phase, the pumps take suc-l tion from the RWST, and inject through four cold leg injection paths. Opera- ! tion of this system during the injection phase is, of course, required to be l completely automatic. A.4.2 Pertinent Top Event J j There is only one pertinent top event: failure to inject, following a i large or medium LOCA. A.4.3 Mission Success Requiremer.t i At least one of the two LPI pumps must inject through two cold leg paths ] (it being assumed that the break incapacitates one of the four existing cold ! leg injection paths). This is based on the IPPSS analysis. A.4.4 Ass umptions j The following failure modes were considered:
- 1. Insuf ficient Flow (f ailure mode A)
This failure mode includes plugging of pipe segments and valves, I I J valves failing closed, and pump failures. ' I 2. Flow Diversion (failure mode E) ~ l i The following flow diversion paths were considered:
. Flow diversion to the containment sump, given failure of MOV-885A a
- and MOV-885B in the open position (event LP015-El and LP015-E2).
i i I i i
-,-..-,----,-mee-,e...-2-- . . - . _ _-..m. , <--- -e-y---..----m .-,-y ----,-ww.w,,,m--,r.,v.,--,,.,-------wr- - -
r--- .~
88 l j . Flow diversion to the containment sprays (flow path used in the containment spray recirculation mode), given failure of MOV-889-A ] or MOV-889-B in the open position (LP014A-E and LP014B-E in the fault tree). It was assumed that: j a) With one LPI pump operating, and M0V-889A or MOV-8898 failed j open, sufficient flow is diverted to the containment spray to
- cause failure of LPI.
b) With both pumps and both heat exchangers providing normal j flow, opening MOV-889A and/or M0V-8898 will not divert suf-ficient flow to cause failure of LPI. I c) With both pumps and one heat exchanger providing normal flow, opening MOV-889A or MOV-8898 will divert sufficient flow to containment spray that LPI will fail. This assumption is based on the design flow rate (3000 gpm) of the heat exchang-
! e r.
i . Flow diversion back to the suction (upstream of M0V-882), given i f ailure of M0V-863 and BV-1863 in the open position (events LP003-
- El and LP-003-B2 in the fault tree).
l Note: The inclusion of these flow diversion paths as failure modes l of the LPI is considered very conservative and may, in fact, I be wrong. The following flow diversion paths were not considered: Flow diversion to the suction of the HPI pumps, given failure of
; MOV-888A or M0V-8888 in the open position. This flow diversion was not considered because part of this diverted water would be ) injected into the cold legs through the HPI pumps. However, if l CV-847 is also failed (reverse leakage), a portion of this l diverted flow would go back to the RWST and to the LPI pumps '
l suction. l t
4 89 i
. Flow diversion to the recirculation sump, given a failure of MOV-1802A or MOV-1802B in the open position AND (reverse fl ow through CV-886-A and recirculation pump 31 OR reverse flow through ; CV-886B and recirculation pump 32).
- 3. Loss of Minimum Flow Protection j It was assumed that if the minimum flow line is blocked the LPI pumps
! will fail. For a range of break sizes, t he LPI pumps will not inject l for some time until RCS pressure is below shutoff head; it is assumed here that there is a significant probability that this delay (between actuation and actual injection) is sufficient to fail the pumps. l 4. Failures of the following support systems were included: ]
. 480-V ac power to the pumps. ' . Dc control power to the pumps.
i j . SI actuation signal. l The following failure modes were not considered: ' l 1. Reverse flow (failure mode C) l The only path for reverse flow would require failure of LPI pump 31 l (32) and failure (reverse flow through) CV-738A (CV-7388), it is not 1 clear that even this combination would degrade the flow sufficiently to fail LPI. i j 2. Rupture (failure mode D) i
- 3. Human Actions j Operator actions were not considered in the fault tree. Maintenance
- errors, including misalignment, were not included.
l. I
_. -. - - . ~. -- -. _- __ -. -- - . . - - . l . . . ,. .- ..
- =...= ..
, :~ .
l v = 3-.
~ m.-
c
. l . . r, . .-- .. . , . ... . .
t t
. .i . n-- 1 ....=. -* . ! k -5f _:1, I..:~-jr---'-
15, , w.w c,n >
. s 3.._ mua vegy , ,1,,
G-
._c--- > .t , r t
(.
- t. . :. . . 1 l 3
-- i : ( ' -- .. > .. =, g\an{fz"--Qt e--,; R I e . -c.- ~ ~ ~~ ~ ~ ~-~, ,J; ---- p_ _ . .aj : -i -__ . u L:-'- J I _. . ,. r- -
t3 .,- x vns)
. r- )
((, --t-3 -{ r ll . - -i - - _p..y_ [ n. , l
-3 r ; i = ~l ~._t. = 1. I_ -~. -
J-: r.,. ,__ ____ ;j - l _ , ;_ _- _r_.] i m i l' l-.. r t. .--t ,ecueem 7 . - - _ _ . _ _
.,s t . . a .. y H - .-
g g,g e g ym g. D qg. = :^% . - -- hi
- s,Q; _ m.c;J y- -
~.& - g,,:.. a j- g gj.
i '
- ~-
t_,.. , g C_- c.. :__ . _ _._ __ u,g
- T
-~
t [ j . , -[ 2. .. . ) L 7{_
, ._ __ __. _ j q -. _v~ &r ,
e!} ' .
..m - _. __ .._l-;. T h- Gl r_ .- .._
f- ;. 1 , ry,y - c; c)
- Q; I eth~ ;,- 4_o_4 W. -. ' i c . o- -ySJ(.. l H e.> ---t,d. _T fgj --'*1=1.p..p_u %) y) . 1-g;o .- a u_gd__ ---- --- .. -+ .- :. - ) ~ .b l -
- _I 5 s *y 5 I _5
.e PS:--S} ' l q)- G}: egl ' Gl. y _. . . ; g,y ri _ , ri-m i I
Figure A.4.1 Indian Point 3 low pressure injection system simplified piping and instrumentation diagram. I L
91 i i A.5. RCP SEALS Introduction A.5.1 The reactor coolant pump (RCP) seals are potential LOCA sites. Possible i reasons for RCP seal failure are diverse. Among these reasons is loss of cooling to the seals. Cooling is provided by systems which can interact with
; HPI, which in turn would be involved in mitigating an RCP seal LOCA; there-fore, there is potential for correlating a LOCA event with a f ailure of HPI. i This is the main reason for including RCP seals in a study of this type.
. Ordina rily , the seals are cooled by seal injection flow, which is a portion of the flow provided by the normally operating charging pump. Fil-l tered seal injection flow passes through the seals and into the RCS; thus, the seals normally see clean and relatively cool water. Should scal injection i flow be lost, flow through the seals reverses direction, and the seals see l> relatively dirty primary coolant. If the primary coolant passes through the i
; seals at nc::nal RCS temperature, there is a potential for seal failure, which 1 increases with the passage of time. Normally, primary coolant flowing up the pump shaft to the seals will be cooled by the thermal barrier, a heat exchang-er whose tube side is provided with component cooling flow. This is intended i to compensate for loss of seal injection flow. If, however, both seal injec-tion flow and component cooling flow are lost, the RCP seals are without cool-l ing, and a LOCA is presumed to occur after some time under these conditions.
l Presumably, a few minutes without cooling can be tolerated, but times on the
, order of an hour cannot.
Some consideration of the time scale was applied to the results of the functional model . Here, the usual binary logic has i>een applied to hardware j failure modes which would lead eventually to an RCP seal LOCA. Having done this, one obtains cutsets which are extremely conservative in light of the
- premises on which the design was based (i.e., procedurally mandated interven-I tion by the operator). In particular, neither the component cooling pumps nor the charging pumps are considered essential loads during the injection phase j of a LOCA; presence of a blackout (LOOP) signal and/or an SI signal immediate-l ly eliminates seal injection flow, and presence of both signals further i
i j 92 J , ( eliminates component cooling. Moreover, presence of an SI signal or blackout signal interrupts SW flow to the CCW heat exchangers. In a sense, therefore, ,
! not much is required to temporarily interrupt cooling to the seals. However, l the operators are expected to restore these functions under most conditions.
i This is fundamentally different from, say, operator recovery of HPI during a LOCA, which ought to be unneccessary by design; in the case of the RCP seal j supports, operator action is necessary by design. Human factors 'are out of
; the '; cope of this study, and we have not assumed the burden of questioning the ! des!yn from a human factors standpoint; here, the operators are part of the l
j hardware. Therefore, the RCP two-element cutsets have been surveyed, and j where there was a basis for concluding that the operator was expected to { relieve the problem, the two-element cutsets were considered to have become i three-element, and passed thereby out of consideration. These nominally two-element cutsets appear in the final listings, but do not survive the culling
; process which yields the quantified " systems interactions." In other words, given this study's premise that the operator will follow procedures to the letter, no first- or second-order cutsets were obtained that were outside the scope of the procedures, j A.5.2 Pertinent Top Events The pertinent top event is RCP Seal LOCA. This is assumed to occur if seal injection flow and component cooling are lost; cutsets are then screened j to take operator recovery into account.
l A.5.3 Mission Success Requirement , t j Successful RCP seal cooling is assumed to require either CCW to the r thermal barrier or seal injection flow. Seal injection requires a single charging pump. The requirement assumed for CCW is characteristic of the CCW system itself, that is, success requires either two CCW pumps operating or a : single CCW pump carrying a reduced load. As mentioned above, the procedure of j taking the hardware alone into account, and ignoring time scales, gives rise l to a model which is conservative by the standard set by the design; CCW is "1' ailed" by a SI signal because conventional SW is shed. i l 1
- - , - , . . - _ - - , _ . - - _ . _ _ _ , , ,,_-nn m.,n,,, ,_ . - - - - -_-.--.-,..,..,.,.n , , - . ~ , - - - , , , - - , - . - . , . , - ,-,-
93 7'" . P, f (Ib r' - brs
%? l ; .2 > --p *- ,. - <a 2,3 3 *- .*
t a 9 ' .. -.--- .s es M-' %g ~ f,~ 2** ;,5 fn --
' W f;-*ks~~f,s . . ~
f h~, oms,,H i 7 NMN I d' f , l Nl I l I N.s \ l' r l 3-l 1 l
! j , , , .-- s -# ...
f r I %* *t s I le at l, i ; =x l l c i e Q M
<.,a'. , + ? **
d i
*I 54 <w e. I g '! m t *- 56 f -- f $
I 1 o3~ g ', t -
/
4:
=s =r ;)
i i I
, l h!
y ,
*: i $ h , e ?$
- O - ._._ -
_ I I , i N .. _ L
'VI'f. I [') .p % d , ;i ,
i i
! l --1, t - CL.
i N: : E r
- h ;.,...{ 3t --- ,_J '
' \ o ef C-n, l l !
c-
, +
I l -I'- , " t QJ p\.*4-~ = .e 2'. % e
- I + ,
. -l C %- A ,e', 4 e t
l b ,, i j 9
%! f og W '-- 5k + A- ,l .p. + fY l i
J.; E
- v. L .. c2,.
m ds e,. [ 3 [*J s r a , I i { * . 1 ;; ,- ,t E O
}'1; =r--
w J 4 ( ;' I O Q ? i; > N @ lI i i i l? - 4
'~'I ,
I i *l .;4. f , CD g I ' g
- [!
- 7*
*0 . ,-j e
Y_ te C v s} s l . e . t ,
*~
n ! 7 - s
. r-
- I ' O
$/{ ,u: -
g
; i I i j +_.
s< . c e TC
-u t,
2-I i i
.s . ;.
T'S. fg-( 75 l
, u -- -( = ] hO I .f t <
Ja se
;) g i-mn l ^
g i
*6 i s ~'
90 j *2 A A g5 , i . l I, i. YY- , A. 6e g% M
)
p% V '
,- eC et aI - W) + 4; > > ~ -yj .
3
' ,- , Y' ct ?; ," j :f ::: .
- e ,, i!oce * *;
- i - l u
'P f 6 '
I 7F ]? v: cr: h -- a-l y'
-Q b---Q.---( :.5 J ?,!
I' {? g 'if iI),,
- c , , , . -
d / },e ' i M -
~, ~] p if E, p/ ... en_
7:? 3s a - l ! p; 4 i < v/l f
$v_ i '_q CJ y / r m ___
s M'.r e
~
n
% .1 L,
Q 32 & E F .- s . m e. u. 1i f .: , _ __ . /
,,..a .w.--... .; ; l ~l ..:
a ~
.i. . = ,L , .,L_. <
e .,, ,- n ........e '. . ut,q m ~ ~ i l i V L_ . , O f <, w, 2 e, 1, e k .-
- e. ti
.r .. . I +- e Gl..o~
O , ,L+ %o:,c,3 , (d
, it i - .14 L I i ' :l * * // - _/ c ,p s N,~ (yI A i i l 5l.J . 9 l i ,pl
- 5. , t: 1
-n ?.* e-! '
g. 2
,( \ ,g, .q 4, J - s _,.~ t i i , , , 3- -i ; , 7 .*- p *' %g i , \-
f g l !* t v' > s i Q'~ % ), ' ' l , f ( (
% i !
c -+ t .- y ' h, 1 ay D C r ,- e. i A. 6 I, ~ r{Q b. _ _ , Y + ) - - T C
. ' , ' ~ ;g - ;g J - - -
vF ..:, .
.- g n '
a ;
- N a*j s.lg 4
- h
. . . _ _ - _. - . _ _ _ _ _. - . - - = _ _ , __. . . _
94 1 I l A.5.4 Assumpt ions It has been assumed in this model that the charging pumps require cooling. The possibility of intermittently operating the charging pumps without cooling for long enough to cool the seals has not been considered. 1 l I l I i i
95 A.6 PRESSURIZER A.6.1 Introduction The pressurizer was divided into seven major segments for the initial FMEA and fault tree. A schematic of the mo'el d with a listing of the segments ! and gate nomenclature scheme is shown on Figure A.6.1. The seven segments are
- 1) the pressurizer vessel, 2) three code safety relief valves, 3) two PORV &
block valve combinations (each PORV modeled independently within the segment because of differing control aspects), 4) spray, 5) heaters, 6) pressure con-trol system, and 7) level control system. The three SRVs , being independent of other segments and systems , were modeled as one valve with one failure mode, i.e., inadvertent opening with failure to reseat. (For quantification purposes, the failure / demand probabil-l ity was multiplied by 3.) The two PORVs and associated block valves were , modeled separately, as PCV-455C is controlled by the pressure control system i j and PCV-456 is controlled by a bistable with a fixed setpoint. Both PORVs
- have the same two failure modes, i.e., opening inadvertently and failing to open when signaled.
The pressurizer spray relies upon the driving head of either RCP 33 or 34, and is controlled by the pressure control system. The f ailure modes modeled were rupture of the spray piping, too much flow, and no or insuffi-cient flow. Auxiliary spray capability was not included in the modeling. The pressurizer heaters are controlled in a mandatory fashion by the pressure control system. The level control system has the capability of over-riding the pressure control system and turning on all heaters upon pressurizer ! high level or turning off all heaters upon pressurizer low level. The failure I nodes modeled were failure to supply heat to maintain primary pressure, and supplying too much heat, thus raising primary pressure. The pressure control system is a single-channel system which compares a reference pressure value to the actual pressure within the pressurizer. The control system controls both pressurizer spray valves, all four banks of pres-surizer heaters, and one of the two PORVs. The failure modes modeled were
I 96 s i , creating either a low pressure condition or a high pressure condition in the automatic (normal) mode of operation. I A significant SI was found within the pressure control system. The single channel of pressure control has a 3-position ganged selector switch by ; i which one of two pressure transmitters (PT-455 or PT-457) may be selected for providing the actual pressure input signal to the pressure control system I master controller in various combinations with one of the remaining two pres-l sure transmitters (PT-456 or PT-474) which supplies a signal directly to the
- second PORV (PCV-456). The modeled position of this selector switch was
1 chosen for PT-457 inputting to the pressure control system and PT-456 control- : j ling the second PORV. This combination of the three was felt to be the most l conservative one for the study, as it is the only one that allows a single j transmitter / sensor failure to initiate a high pressure transient and simultan-eously prevent both PORVs from responding. This occurs because independently ) } of the selector switch, PT-457 also provides an interlocking function to PCV-l 45c. According to the IP-3 System Description, to prevent a single failure , I from opening a PORV, each PORV requires two pressure transmitters to detect high pressure in order to open in the auto mode. Therefore, thould PT457 fail 1 low, the pressure control system would raise primary pressure in an attempt to j match the output of PT-457 with the reference pressure, and without human } intervention, the high pressure reactor trip setpoint would be reached. l 1 j The level control system is modeled in a manner similar to that of the i pressure control system. It is a single-channel system which compares a ref-erence level value (which is a function of reactor power level) to the actual level within the pressurizer. The control system controls the charging pump speed controller, isolates letdown, turns off the pressurizer heaters on low level, and turns on all heaters on high level. The failure modes modeled were creating either a low level condition or a high level condition in the auto-matic (normal) mode of operation. The single channel cf level control has a 3-position ganged selector i switch by which any two 6f the three level transmitters may be selected for l various control purposes. No obvious difference between switch positions was apparent. Therefore, the control switch was modeled as shown in Figure 13 of ; the System Description. This figure shows Channel III (LT-461) supplying i
97
'4^
3RV's - 9 J.k
- PRES 3URtz[8 UESSEL 1 PRr f
~~
L _ __ l PORVs l SPRAY (RCP 33 Aus 3f) l g Block Valves j l
! l ) L___ _______ ____ _ _ _ q ,I i
I I I t t (PRESSURE CCNTR00 ' I
, l 1 I flu /D LEVEL N I
_ __ _ _ yg (9g 7pg 3 l s I i i i
! I p______ _ ____ __ _ _______ ____. _ J HEATERS Sunra tampourur ID .sc.REME i
PZ l00 SERIES - PRESSURIZER YESSEL i 1 2. PZ 200 SERIFS - $Ry's (3) 1
~
- 3. PZ 300 SERIES - mrv's Ana Btocg YLys 300 - 349 - PCV- 46S C
\, 350 - 399 - PCV- 45h t
1 h PZ 400 SERIES - PRE.SSLIRtzfR SPRA l
) S. PZ 500 Serifs -PRESSURIZER NlAT[R.S -- Res
- 6. PZ /soo SERIES -PRESsuRC (CMTROL S15, i
I. PL 700 SERIES - LEVEL [CNTROL SY'S. l l Figure A.6.1 Pressurizer simplified P&ID. i l
98 input to the master level controller and Channel 11 (LT-460) being used for j isolating letdown and deenergizing the heaters on low level. j i A.6.2 Pretinent Top Events i '. The two top events modeled in the pressurizer f ault tree are LOCA and ', reactor trip associated with pressurizer malfunctions / failures. Included under reactor trip are the three RPS logics associated with the pressurizer, l 1.e., 1) two out of three high level, 2) two out of three high pressure, and l l 3) two out of four low pressure. i l A.6.3 Success Criteria l " Success" in the pressurizer model means that pressure and level are kept within bounds by the control systems and that the integrity of the RC boundary i represented by the pressurizer is not breached. I ) A.6.4 Assumptions i
- 1. The failure modes assumed are listed and discussed above.
t l 2. Assumed control switch positions and basis for selection are dis-l l cussed above. i
- 3. Control systems are powered from the same instrument bus as that of the selected input sensor / transmitter. This was assumed to be due to lack of specific details within the documentation provided for the i study.
- 4. Loss of control system power for the pressure control system renders
{ it inoperable, and all control actions are terminated. (IP-3 System l Description) 1 J 5. Loss of control power to the level control system sir.ulates a low l l level condition and the charging system responds to create a high j level condition. (IP-3 System Description) i l l I f l 1
t ! 99 l I l
- 1 I A.7 COMPONENT COOLING WATER SYSTEM I
A.7.1 Introduction The component cooling water (CCW) system is a closed loop cooling system which is designed to remove residual and sensible heat from various primary plant components during power and shutdown operations, and under accident and j transient conditions. The CCW consists of three pumps, two heat exchangers, { which are cooled by service water, two surge tanks, and two supply and returr. j headers (see Figure A.7.1). During normal plant operation, two of the three j pumps are required to supply the necessary flow for plant cooling loads. Pump 32 has been modeled as the standby pump. The three CCW pumps are always lined l up to the cocrion pump discharge header and pump return header. The pump dis-charge header cross-tie valves and the purp suction header cross-tie valves are normally open during power operation. Both CCW heat exchangers are fed
! from the common pump discharge header. Low discharge pressure on either heat i
exchanger supply header (which . indicates insufficient capacity) starts the j third CCW pump. j Three groups of loads are modeled in the study as requiring component cooling water: the charging pumps, the high pressure injection pumps, and the ! j reactor coolant pump thermal barrier. All other safety loads served by the CCW system do not require external cooling prior to the recirculation phase of an accident, and were therefore not modeled. 1 The two support systems required by the CCW system are service water and electrical power. Electrical power is made available to the three CCW pumps , except under the condition of a concurrent occurrence of bus undervoltage (or ) LOOP) and an SIAS actuation signal. Under this latter condition, the running l CCW pumps will be tripped and none will be automatically restarted. i 1 Modeling of this system was, for some purposes, conservative. Failure of conventional SW "f ails" CCW, for example, by depriving it of cooling for the
- short term; this is an oversimplification. In some scenarios, operator action 1 j is essentially built into the system, as when the operator is obliged to I
reduce CCW loads in order to ensure the sufficiency of a single CCW pump. 4 i . 1 1 t-_ _ _ _ _ . _ _ _ . _ - _ - - - - - - - - - - - -
100 It is evident that the design contemplates operator intervention, and it is implicit that the time available for operator action is adequate. A.7.2 Pertinent Top Events For the charging pumps, the top events are no-or-insufficient flow to the three charging pump oil cool ers . Beyond the individual manual isolation valves, the fault tree is common for all three pumps. Additionally, for the charging pumps, city water provides a backup source of cooling water. For the high pressure injection pumps, the top events are no-or-insuffi-cient flow in the CCW loops. The HPI pumps have booster pumps supplying CCW to themselves, and do not require that CCW pumps operate during the injection phase. Pump 31 is aligned to CCW loop 1 and pumps 32 and 33 are aligned to CCW loop 2. For the reactor coolant pump thermal barrier, the top gate is no-or-insufficient pumped flow in loop 2. This same gate is predominant in the CCW portion (i .e. , excluding city water) of the three charging pumps discussed above. A.7.3 Success Criteria The success criterion for SI pump cooling is to have water in the two CCW loops such that the shaf t-driven booster pumps have a suction source. The success criteria for the charging pumps and RCP thermal barrier are either two out of three CCW pumps running with normal flow, or one CCW pump and operator action to reduce other CCW loads. A.7.4 Assumptions
- 1. CCW pump 32 is assumed to be in the standby mode and pumps 31 and 33 are assumed to be running.
- 2. The HPI pumps are assumed to require both the oil and seal heat exchangers for operation.
- 3. The charging pump oil coolers are assumed to be required to support
' the operation of the charging pumps.
I I
1, 101 i n a ...
- *.a.u m
1
- li e2
.n -.- . -- .-._ , -, .. - ~ ... C' O '. , . _ - . . - . - ,. ' @ n \_ J J.
1 4 E
- r .
i m.:: 4 a 4 um TD _ E W s I e%s. 4 gU $ - 5 , J. I. !. E
, _ . - c 1
ou 2
-s- = E O ; , , 9.4 -o- i " ;, - -o- t y .e
__aI e ofA a o-n' 3-g@ u p a H% 1
< y:
i p 7N em j E8 33 1 *
@h "%
g .. *n 1.
. d >___.; f, ' ~ @# n;(s) Of ,
Ab et +e@ C
! "i- .&j s
ai i . .- ,: o _..g .g e
! ae ,N, [f.i2 % .
e
?
d, T dT P
~ W .n EIm , l c 1 "@ , $ 3 '3 '
me
/ $, Mg- +. - %) k ?l. - -
ab IM '_
;t @.
{' s !. y ,1 4 h. cm i, I x 4 3_? vt-f* e t I k4Pi@' r n
-. .+-
E$ ec
<o - , cO 1 ~ .e . m<
I
, ,j c0 -. e 1 , e
- g. i _ _ _ ._ - u -
- . L v s_
N_-
~
1 _Tul'17;i = . .; ?
-~ Da et i t; , - =O=Oe l
- 4 -O- e l 4@i . _ _A -._
m
-O 5- a '
n- -Qe- ,. 8 c i . ! ~ 7 T @,~~**'- ; ,
,g' :
o
@E-v hlt< ;,,;
b .._a_.lAST.!!j@ - 3 l l ] a
, . . - - ,- , - . . . - , - - - , . - - - . . - - - --e. - -- , . , - - , . , - - , - , , ,- - - . . - - - - - - - - . , . - - - . . - - - - - - , -- a w- -e-
102 au @ 756^ toop 2 now -.-
-Y -
m I 7:7A I 833A 7573 l-6333 I [~ 737c e333 5 6[m. ~ , c, g erry ,, '"$$b? v4rra o on. i 'r , o o cocicas 151D f 737tl 1577l
= y = : 5 li?c#" 756 6 CC WS INTERFA CE,5 WirH CHARGINQ PubfPS 3t,32, AND 33 Figure A.7.1 Indian Point 3 simplified schematic of component cooling system (sheet 2 of 2).
103 A.8 CONDENSATE STORAGE TANK A.8.1 Introduction The condensate storage tank segmentation scheme is shown in Figure A.8.1. It is the primary water source for the AFW system. The model includes possible flow diversion to the condenser and failure modes that lead to freez-ing of the outdoor lines. A.8.2 Pertinent Top Events The top event is failure to supply the auxiliary feedwater system with its primary water source. A.8.3 Success Criteria Success is delivering required flow to AFW suction. A.8.4 Assumptions NA
I 104 I A
$ '.?
T \ \ t;i;i
.i . ,
b)'~~gexg ll h js s e ef l e g,.. s
?, i $) h s p ~
- m 4
w
- '; *~
t c h I s a
, ~ ?
O e % 3,
~
g v
- 'a g a '--)bl 3 6 5 N r T,f} \ q, =
Ig! 5I : - - = 8 is *s a ll Q'4 ' - g
% o l'4 J~J I
do-l$5 l
~
k? ,.. s i!N _ e t 7 8 ,
*G s !
l8 Q ) hk f 13 .
=s n 1 e & - ;g S}I.- * -t t-egi ;~
vi
@e .. @,g gg y
l i i
105 A.9. CHEMICAL AND VOLUME CONTROL SYSTEM A.9.1 Introduction The CVCS was broken down into two fault trees for convenience purposes, one for charging and one for letdown functions. The charging function also includes seal injection fl ow for the RCP seals. There are three charging pumps and two charging lines. The charging pumps normally take suction from the volume control tank. The pump coolers are cooled by CCW with a city water backup. The remaining support systems for the charging fault tree are electri .al power and instrument air for control valves. Under normal operating conditions, one charging pJmp is suf ficient to support all charging and seal water flow requirements. The chargjng pumps are positive displacement type and have a speed control system to regulate charg-ing flow. On loss of control circuit output (i.e., internal failure or loss of power supply), if the pump has motive power (480 vac) available it will revert to its minimum speed, which is here assumed to be adequate for seal in-l jection but not for charging. The letdown function is divided into two parts, Normal Letdown and Excess Letdown. Normal letdown is under automatic control, whereas excess letdown is manually initiated. Letdown is isolated on low pressurizer level or SIAS. The support system for letdown includes instrument air, pressurizer level con-trol, electrical power, CCW, and safety injection actuation system. A.9.2 Pertinent Top Events Three top events for the CVCS system are loss of charging, loss of letdown, and loss of RCP seal injection. A.9.3 Success Criteria Each of these top events corresponds to a complete-loss of the indicated function.
106 l A.9.4 Assumptions It has been assumed that minimum pump speed on one charging pump (due, for example, to loss of control circuit output) is sufficient to meet RCP seal injection flow requirements but not to meet charging flow requirements. l i i l 1 l
_ar.r>, -<t _ n L% r " ""' - - - , * ~ ~ ~
@5Q ~l4>."- ='I @ W Y f l@ .. ; 6?) !EI[8>-4?ih -l- f") O' } II'" , ( md a .dg., gLo*
m., a> +%- i IL y~:': .f "
===.= .-5:n-RpT"Q:p"=u pKQ(i r#1$ : =~.
- 5N7)TIIW 3
.; ;.q ,~~ w'S 'q==. t % N]7dd , ,- 9 ~~ ._:.W( 57-N{f*di 3-a - J }'Ry11.2 4.~D . y u -c z,o .',, u m~ :~ ~ ,; w.,in 4 wn . .
- 1. . r- -
ii ~. :: ;r I u O I
~ -{ g g Lp . ., . g>Ss I- 8 F] ?-
di - 11 - k4% I $_Ih.y ktl J[54j.?f a u y_q g te c-< . . _
\\
w Q.ga o>- j, _ , y -~ - 9,7 -g n a y H 11 f C_ , uw, @_ c w-
.ylg _f y - ~
a y; ii .. _ li o # n a we 1 :-
=~
J m- " O,
*3 + Ysra I & _e> -- I n ~~. .v..-
g u Figure A.9.1 Chemical and volume control system simplified P&ID.
108 A.10 ELECTRICAL POWER A.10.1 Introduction The electrical power f ault tree is a model of most of the electrical power system of IP-3 (see Figure A.10.1). The exclusions f rom the model in-clude the main turbine generator, 345-kV switchyard, and the 13.8-kV system with its gas turbines. The model considers that transient events will trip the main turbine generator and thereby isolate the plant from the 345-kV system. The gas turbines are not modeled. There are five sources of ac power within the model: the 138-kV switch-yard, the unit auxiliary transformer, and the three diesel generators. The unit auxiliary transformer is the normal source for the 6.9-kV buses 1, 2, 3, and 4. Given a turbine trip, buses 1 and 2 and buses 3 and 4 f ast transfer to buses 5 and 6, respectively, as these last buses are always energized f rom the 138-kV system. Three of the four 480-V safety buses (SA, 2A, and 6A) have an emergency diesel generator to supply power upon the loss of offsite power to its respective bus. The fourth safety bus (3A) receives onsite emergency power f rom the diesel on bus 2A via a normally open automatic bus tie break-er. However, if bus 3A becomes deenergized and bus 2A does not, the inter-locks within the tie breaker will prevent the automatic reenergization of bus ! 3A via bus 2A. (Note: This feature of the plant was changed on July 10, 1984, because of one of the findings of the present study.) All 480-V MCCs are shed f rom their 480-V buses upon the occurrence of a bus undervoltage condition. The safety-related MCCs (36A, 368, and 36C) are 1 automatically reconnected following bus reenergization by their respective ' diesel generators. Upon the occurrence of an SIAS, only MCCs 34 and 39, along with the three safety-related MCCs noted above, remain energized; the others are shed an 1 no provision exists for their automatic reenergization. The various combinations of when a given MCC would be shed (i.e., become deen-ergized by design) were addressed in the model in the following fashion. Each 480-V safety bus was conceptually divided into three distinct sections; one for safety loads (i .e. , those which survive SIAS and receive diesel backup power), one for loads that are shed only on bus undervoltage (i.e., only re-ceive offsite power), and one for loads that do not survive either an SIAS or
109 a bus undervoltage condition (i.e., SIAS and bus undervoltages are modeled as
" failure" modes of those loads).
For the dc power panels, a division similar to that for the ac buses was performed. Each dc bus was divided into two parts. The fi rst part was modeled exactly as it occurs in the plant; the second part was modeled without any ac power input. This latter portion of each power panel was created to break the logic loop associated with dc power and the diesel generators. The diesel generators were modeled as having four distinct f ailure cate-gories. The first three categories are dc control power, diesel generator circuit breaker and actuation scheme (Sequencer FT), and service water for cooling the jacket water and lube oil cooler heat exchangers. These repre-sented all of the major support system interdependences. All other failures ! were combined into a fourth category labeled internal failures. The logic loop associated with the diesels and the service water system was broken ! within the service water fault tree. 1 Portions of the overall electrical power fault tree play a role in a transient initiation, and portions play a role in supporting the mitigating sys tems . This was accomplished by placing a number of flags (house events) within the fault tree so that only those portions appropriate for a given sequence would be included in the solution. An alternative approach would have been to develope separate trees for different scenarios. A final word about failure modes is in order for full understanding of the f ault tree model . All the normal failure modes associated with an elec-trical power system have been included (a.g., open circuits, breaker transfer-ring to wrong positions , etc.). However, we have selectively applied a fail-ure mode which we have referred to as an "unclearable fault." An unclearable fault is one in which an electrical fault occurs in such a place in the power system that more than one bus is deenergized in the clearing of the electrical fault. Specifically, it has been applied in six places within the fault tree. The first two places are normally closed circuit breakers ST5 and ST6, the feeder breakers to 6.9-kV buses 5 and 6 respectively. An electrical fault within either of these two breakers would result in deenergizing both
110 i bus 5 and bus 6. This is significant in that loss of these two buses means loss of two circulating water pumps, which gives a plant trip. It further means that offsite power is not available to mitigate the transient, as all offsite power given a turbine trip comes through buses 5 and 6 (as discussed above). The last four places where an unclearable fault has been modeled are the four normally open single tie breakers which connect redundant and otherwise independent safety buses together. Three of these (2AT5A, 2AT3A, and 3AT6A) connect the pairs of 480-V safety buses that are included in their names. The fourth breaker ties together dc power panels 31 and 32. The con-cern here is that any flashovers within these breakers (that have all poles on both sides of the breaker continually energized and most probably out of phase) would cause the loss of two safety buses. If the "unclearable faults" affecting multiple safety buses were credible as single events, they would be extremely significant. For this reason, hasty elimination of this failure mode has been avoided. However, no evidence has been found which lends credence to this failure mode as a single event, and in the reporting of results, unclearable faults in the 480-V tie breakers have been logically mapped into double failures. The tie breaker linking dc buses has been left as a single; there is no evidence for a credible single event faulting both dc buses either, but this event has been lef t in the results to represent scenarios in which both dc buses are lost. Previous work has estimated a frequency for this which would effectively reo; ire that the event be modeled, given its consequences. A.10.2 Pertinent Top Events The electrical power system is a support system within the study and, not unexpectedly, supplies the entire electrical needs of the plant. Therefore, all the other fault trees use varicus gates from the electrical tree, includ-ing the 120-V vital at buses ,125-V dc buses , 480-V buses and MCCs , and the 6.9-kV buses. l A.10.3 Success Criteria , NA i
i 111 4 A.10.4 Assumptions
- 1. No operator actions are allowed to be taken with respect to the power ,
l system. A few operator actions were included for completeness in the I model, but none were allowed in the solution of the sequences.
- 2. Everything within the power system is initially in its normal full i
power alignment / status.
- 3. The occurrence of any transients or LOCAs gives a reactor and turbine j generator trip, and removes the unit auxiliary transformer as a l potential source of power. (In this study, this essentially defines i "t rans i ent. ")
- 4. All LOCAs are accompanied by an SIAS.
1
!. 5. The battery chargers were assumed to be capable of carrying the 1
i entire de load profile in the absence of their accompanying bat-teries. In practice, this is not usually the case. However, given ; no documentation in this area, this was the assumption made. i i 1 i 1 l I I I i l 1 i l, l
-e'e---yw wy w me y,-w-> > peep weW ,c --t-pyy ypm--my-rg++Wgyp- --tt---ht ww-r w+3--,. hu-MN&,-egi~ e-pr ye-wyver-g-y-e--y-9,-e-,geye y-w +wv -m wtm g m g*
,i 112 i .[~ ~ h.
~i !i . I- ~l I~.~.7 l ii ' i
- l 1
l9 l
- i l "-
i 1
, ni g' i ; 4 3 l I
2_il;[-O-ll-! m;l L g s l
, I 21 j!: : 1 I I i f }l' i !! ' D- '
i i: I L___L J L J 4 H. -
! k, !Ill %. 'I
- t i L__J L---!
d s r _J. _7 i 2 lOi !. i j
- I
'! ; 'l i
1
! *i la -ill i
i
- -O 1I -4f- 'I"'i 3 g
' I i \
4 I ' 1 i-O I 4F ~ si- .l! , ei o "o f, !i [_ _'_ j $5 _ : U~h, .!; , -
$ !! d sm .h i ;1 s ! !O ' '!;- O C - "
n:
; 8 a 1 .. !; 0-hitws: 33'l~l*5 M E g ig . - !:q
_17 y;,- g Jrwi
. , y ,_ia g;t p
(g i k ! O, lll4 b D .
- e. i i <r n u ![n a 9 a a.
e- L- d $ il' $c@ 1, , u {n{. { ; i,e0-h8tw1 2 j, s g
$ zw i .G G- u i is -
a dQ u o
? -
C, - l C; O@n; ; . !y !g: j ,, ,'l'l' i c m 1 + - - a w ,
# 2 e c
y jC t ' l sf-G 5 p
! !!,a " 'ng ~
yj
~ g j
r-- _. ^2 5; c a _ ,o
.? C j :f-O e
f OJ" So w ; I i
-0 - .i -
i s
- ei is . -C j! ^. ,- . - - . g ; -y N ' $
- w n
?l a* n H : t r> o h;,g , N y:.dg, * '0 9E V4] u t 5
- c lt
!, ~
i!t- ' .
' 0.r-L 2"I 3 < ,-- - , , IL., h ! et us i, ,'!'
l [ ; e m t 0-h A h h I II' I! i i;$-. li e. O 6l $! D~- 1 l!J O a i e :ai" [
!!:l!Q .: (
L.., .t J l In
- c t t g
- 2 t:
% ,3 s
a -d;:=, I i T ,R t ' l g y ,
, - s o ~ l - O -;i .i % ;'g1 * -9 ? -
c is
- 1, I
l @. ( -
' i'l 'I !a +
E I l i n l 8: .
!l- :. m O -E . a '
- g
_N _1 x r~ a:t . d
;g l , I , .[ o L.i. s er ' .5.. .~A ,; y g s A
], :{ ;[. l 'f._i -g-
~ 9 O-a 3t w1 g3 .: L_ -' '
iO
, O ' !!- 25 d* o I . wg *q .n N= 'i:
H *.j0 " l io e i it
*3 g%
} <
113 A.11 HEAT TRACING A.11.1 Introduction The fault tree models both f reeze protection for some of the outdoor lines in the plant and those lines with concentrated boric acid solutions (BIT tank) in order to prevent boron precipitation. Discussion here is limited to the role of the heat tracing system in BIT protection as the potential signif-icance of HT failure was judged greatest in the RCP seal failure sequence. (See assumptions below.) All piping, valves, and pumps containing concentrated boric acid are pro-vided with double circuit (redundant but not independent) electrical heat tracing. Either of the two redundant circuits may be used; they are selected at, and are supplied from, the local control cabinets. The local control cabinets are supplied from one of four distribution panels (33A, 338, 33C, 33D). These distribution panels provide each circuit with overload protection and switchability by means of a molded case circuit breaker. The four distri-bution panels are supplied through individual 480/120-V transformers by panel
- 33. Panel 33 can be supplied from either MCC 36A or MCC 36B by means of a manual transfer switch.
A.11.2 Pertinent Top Events Each of the segments in the other fault trees that contain components with concentrated boric acid, as well as those requiring freeze protection, will contain a gate from this tree yielding many overall top gates. A.11.3 Success Criteria NA A.11.4 Assumptions it has been assumed that loss of redundant heat tracing circuitry does not immediately fail the segment that it supports. Therefore, the only sequence in which loss of heat tracing coupled with a relatively slowly developing transient is satisified is in the RCP seal failure sequence. I
114 It has further been assumed in the RCP seal failure sequence that failure of heat tracing (both redundant circuits) is failure of the heat-traced segment. A.11.5 Review of Leading Cutsets On the basis of the commonality of the heating circuits from their power sources to the control boxes, a number of single failures are found to result in loss of heat tracing for each of the heat-traced components. The signifi-cance of this is addressed in the analysis of the appropriate sequence (s). 1 I
_ _- .__ - . = - . _ . . = _- - - . - - -. -- -- 115 i A.12.0 INSTRUMENT AIR A.12.1 Introduction The instrument air (IA) system provides clean, dry air pressure to a ] 4 number of ccmponents, including many air-operated valves (A0Vs). The analysis given here is based on a system having two compressors; during the plant visit, BNL was told that a third is being added because maintenance of header pressure requires one compressor to run essentially all the time and the other j ccapressor to run some of the time, so that there is no real redundancy in the I existing two-compressor system. It should be noted that in many applications instrument air is backed up , by bottled nitrogen. Where this is the case, nitrogen backup has been cred-ited explicitly in the fault tree for the system being supplied by IA/ nitro- ! gen. Additionally, many valves fail to the " safe" position on loss of air. For these reasons, IA does not loom large in the cutsets. A.12.2 Pertinent Top Events Top Gate IAG01: NOIF from IA system to Nuclear Services, DGS, and out-side services. Top Gate IACPG1: NOIF from IA system to conventional plant services. A.12.3 Mission Success Criteria Availability of both compressors has been assumed to be necessary in !, order to maintain adequate pressure. Loss of either compressor is assumed to lead to a transient. I i 1 i i ) i
- , - ----.,--..,,-,-------r--- --------------...,.._r---- - - - - .
116 A.13.0 REFUELING WATER STORAGE TANK A.13.1 Introduction The refueling water storage tank (RWST) provides the water supply for the HPI, LPI, and CVCS systems. The fault tree for the RWST model includes the tank itself, the common suction line for the three systems mentioned above, and the heating systems provide for these two elements to prevent boron pre-cipitation. The tank itself is heated by auxiliary steam from the hotwell, and the bus suction line is heated by electrical heat tracing. A.13.2 Pertinent Top Event The top event of the fault tree is loss of the RWST source. The HPI, LPI, and charging system fault trees deal with the consequences of the loss. i A.13.3 Success Criteria NA 1 l A.13.4 Assumptions It was assumed in the development of the fault tree that failure of auxiliary steam to the RWST or failure of the electrical heat tracing for its discharge line would not fail the RWST unless very cold weather was also present. i j
. __ - . . . ~ _ _ - _ _ - _ - . . - _ _ _ , - _ _ _ _ - - - _
117 A.14.0 STATION AIR A.14.1 Introduction The station air system provides a backup source of air to the instrument I air system and only this role has been modeled in the study. The system con-sists of two possible air supplies and a header / distribution system. The primary air source is the IP-3 compressor. This compressor receives cooling ( from two closed cooling loops and requires only one to sustain operation. The cooling loops are in turn cooled by the service water system. The backup air source is the IP-1 station air system. This system is included but not devel-oped in the model. The only other support system required for station air is electrical power and this becomes unavailable because of bus undervoltage (or l LOOP) or SIAS actuation. A.14.2 Pertinent Top Events The top event in the fault tree is failure to supply station air to the instrument air system. A.14.3 Success Criteria The success criteria modeled into the fault tree are that either the IP-3 or IP-1 compressor provides sufficient capacity, and that either of the two IP-3 compressor cooling loops provide sufficient cooling. l
_ _ . . _ =- ._ . . - 118 A.15.0 SEQUENCER ! A.15.1 Introduction The Sequencer tree was developed to model the actuation of the major l active components (diesel generators and pumps) within the scope of the 1 study. There is no " sequencer" per se in the IP-3 design that would, for I example, sequence loads following a LOOP or SIAS. Each pump that was modeled has its own timer for actuating its breaker to close onto a bus. The scope of the modeling included all start signals (SIAS, undervoltage, and manual from I the control room) and included all intervening relaying up to, but not includ-ing, the actuated device (e.g., the circuit breaker itself). The only support j system required is dc control power and its failure prevents both automatic j and manual (from the control room) start capability for all modeled compo- ! nents, except for auxiliary feedwater pump 32, whose turbine driver is actu- ! ated by the loss of its dc supply, i The reason for grouping the actuation circuitry for these components in a separate fault tree, rather than incorporating each into its appropriate f ront-line or support system fault tree, is relatsd to the manner of its development. It was judged most efficient (in terms of time and manpower) to have one person develop all of the actuation logic (from a common set of draw-ings) and then to keep it togetner for ease of reference and review. l The basic structure of each actuation logic is quite similar, and a i general description of a typical actuation circuit follows. Specific differ- ! ences of importance for each of the actuation schemes will be addressed in the following section. j The logic model traces, by specific components modeled directly from the ! IP-3 electrical schematic diagrams, the actuation path from relay to relay , between the initiation signal and the actuated device. For example, response to bus undervoltage (or LOOP) and SIAS is developec at the bus level by relay-ing logic within the switchgear. Specific relays energize, depending upon the event detected, and these relays in turn actuate the time delay relays assoc-iated with each individual load (e.g., SI pumps 3 seconds, RHR pumps 8 sec-onds , etc. ). All pumps are sequenced whether or not a LOOP has occurred. Failure modes are therefore 1) failure of the initiating signal, 2) failure of
! 119 I i
- the appropriate bus level relays, 3) failure of the individual load time delay
{ relays, and 4) failure of dc control power. 1 i It should also be noted that loads on buses 2A and 3A receive SIAS initi-2
- i. ation signals from both SIAS trains, whereas buses SA and . 6A receive only train A and train B SIAS signals, respectively. The actuation scheme in the
! model also differentiates between the source of actuation initiation as does l the actual relaying logic within the switchgear. Certain relays will actuate I for a bus undervoltage (LOOP) condition and not for a safety injection signal l and vice versa. 'his situation is addressed by NOT logic. The NOT logic in i the model correspands to interposing relay contacts within the switchgear. For example, the "non-SI blackout" relays would be "ANDED" with a "NOT-LOCA" j event, so that during LOCA sequences ("LOCA" = 1 in the model) these relays - ) would'not be counted as their failure would not affect actuation of the pump.
- A.15.2 Pertinent Top Events The top events in the Sequencer fault tree are failure to actuate the following components
- diesel generators (DG) 31, 32 and 33; safety injection j pumps (HPI) 31, 32, and 33; auxiliary feedwater pumps (AFW) 31, 32, and 33; residual heat removal pumps (RHR) 31 and 32; nuclear service water pumps (SW) j 34, 35, and 36; and component cooling water pumps (CCW) 31, 32, and 33. The j three SW pumps are modeled twice each, once for applications other than cool-ing the diesel generators, and once to break the logic loops created by diesel
]. dependency on the SW system for the diesels themselves. The diesel generator actuation model differs in that the circuit breaker l l itself is included in the model and there is no intervening relaying, because bus undervoltage directly signals closure of the breaker as soon as the gener-ator has attained a given output voltage. !
) The HPI pumps, RHR pumps, and SW pumps all generally conform to the typi-l cal actuation circuitry discussed previously.
f 2 i u__..______._ _ . _ _ _ _ , ._._ _ ___ _ _
t 120 i i i 1 The major difference to be noted in the CCW pump actuation scheme is that l l these pumps will not automatically sequence onto their buses, given that an l SIAS signal and bus undervoltage signal both exist. 1 j The actuation of the auxiliary feedwater pumps (31, 32, and 33) was ex-l plicitly modeled with respect to LOCA sequences and transient sequences. In addition, the two motor-driven pumps have a common actuation circuit based i upon Lo-Lo steam generator level in any one steam generator (one out of ) four). The turbine-driven AFW pump (32) is actuated by deenergizing a dc-l controlled, air-operated valve which admits steam to the turbine. AFW pump 32 is also actuated upon Lo-Lo steam generator water level in any two steam generators (two out of four). j A.15.3 Success Criteria l
! NA f
A.15.4 Assumptions l No assumptions were made in the modeling of the actuation circuitry. The ! model was derived directly from the applicable electrical schematic diagrams 1 of IP-3 supplied for the study. 1 i i i f i i i 1 i l I i
121 l A.16.0 SI ACTUATION A.16.1 Introducton l The engineered safeguards actuati.n system is supposed to generate an SIAS signal under certain conditions. Failure to generate such a signal has been modeled here in the SI f ault tree. In this study, the sequences which require an SI signal are small LOCA and medium LOCA; HPI pumps, LPI pumps, AFW pumps, diesels, and certain valves are affected by this signal. A.16.2 Pertinent Top Events There are two redundant trains of SI actuation, and the two important top events are failure of the SI signal at relays SI11X and SI21X. A.16.3 Mission Success The top events correspond to complete failure of their respective SIAS
! trains.
A.16.4 Assumptions It was assumed (as per IP-3 procedure PEP-ES-1, p. 7) that for small LOCA, a containment high pressure condition might not exist; accordingly, credit for this signal was not taken. Operator acts were not credited in this area. 1 l l
I i 1 122 4
! A.17.0 SERVICE WATER A.17.1 Introduction The service water system (SWS) provides cooling to a number of components ; by supplying Hudson River water to their heat exchangers and returning the heated water to the river. One group of three SW pumps, designated " nuclear," ; is diesel backed and meets the cooling requirements of relatively critical components, including the diesel generators, the coritainment fan coolers, and j certain other components. Another group of three SW pumps is designated " con- ; ventional"; it is not automatically diesel backed, and meets the cooling j requirements of less critical systems, such as the component cooling water j system. A third group, the backup SW pumps, can be made available under cer-i tain conditions, but this group is neglected in the IPPSS, and for simplicity,
} will be neglected here also. 1 The segmentation scheme is illustrated in Figure A.17.1 ) j A.17.2 Pertinent Top Events I i Top events of interest for the SWS are failure to supply service water l; to various components. Some of these events contribute to initiation of tran-sients; some contribute to failure of mitigating systems; and some do both. 4 l For purposes of breaking logic loops, special events were defined in the j service water tree which can feed into the diesel-generator-failure events without leading to dependences either of service water on itself or of diesels l l on themselves. Names of these events contain the letters "DGS" to distinguish l them from other events. For example, event SMX14-A is " Insufficient Nuclear l SW from Segment NX-14"; it includes all failure modes of the diesels supplying l power to nuclear service water pumps, and would create a loop if fed into the
! diesel failure gates. SWNX14-DGS-A, on the other hand, is the same event i ; except that the supporting diesels' dependence on service water does not con-f tribute to this gate. Gates which manifestly supply only the diesels do not j all carry the appellation DGS, but the headers which supply these gates do.
i f j i
) 123 Service Water Top Events Descriptions SW034-A Failure to supply SW to DG 31. SWO35-A Failure to supply SW to DG 32. SWO36-A Failure to supply SW to DG 33. SWC18-A Failure to supply SW to CCW HX 31. SW37-A Failure to supply SW to CCW HX 32. SW51-A Failure to supply SW to Inst Air HX 31. SW52-A Failure to supply SW to Inst Air HX 32. SWA15-A Failure to supply SW to Circ. Water Pump 31 seals. SWA14-A Failure to supply SW to Circ. Water Pump 32 seals. SWA13-A Failure to supply SW to Circ. Water Pump 33 seals. l SWA12-A Failure to supply SW to Circ. Water Pump 34 seals. SWA11-A Failure to supply SW to Circ. Water Pump 35 seals. SWA10-A Failure to supply SW to Circ. Water Pump 36 seals. SWT16 Failure to supply SW to BFP & T Lube oil coolers. A.17.3 Success Criteria
! It has been assumed that SW flow requirements correspond to 2 out of 3 SW pumps on the nuclear header and 2 out of 3 SW pumps on the conventional header.
l The requirement on the nuclear header is the same as that used in the l IPPSS. However, the IPPSS defines a Special Case for the nuclear header, in
! which one NSW pump is able to supply SW to the DGS if diversion to the con-tainment fan coolers is prevented. According to the IPPSS ( 1.6.2.3.8.6),
i this is accomplished by the closing of TCU-1104 and TCV-1105. However, these valves fail open on loss of air or loss of power to the associated solenoid valve (p. 1.6-799 and p. 1.6-724), and the circumstances guaranteeing their closure under loss-of-offsite-power conditions have not been established. The 2/3 mission success requirement for the NSW header for all conditions has therefore been retained, though this may depart from the IPPSS. This has a noticeable qualitative effect on the results, and should probably be pursued. The approach taken here may be conservative. t I
. . . . _ . . _ , . ~ _
_. . .-. =. _ _ _ _ - -- _ _ l 124 4 i The success criterion for the Conventional header corresponds to the requirements of the transient initiator tree (2/3 CSW pumps available). The IPPSS states that af ter an accident, 1/3 is sufficient. The effects of this
" conservatism" are not very significant.
] A.17.4 Assumptions i j For purposes of this study, it was assumed that the SW system is aligned { so.that the usual nuclear header is supplying the usual nuclear loads, and !! shilarly for the conventional header. Mode switch mispositioning has been ! inkluded,however. It has also been assumed that NSW pump 36 is ordinarily on standby on the nuclear header and that CSW pump 31 is the standby pump on the conventional header. Adding options to the trees to consider alternative assumptions is straightforward; the present case was chosen for the sake of initial simpli-i city, with the idea of later assessing whether there is enough asymmetry in
! the system to justify explicit consideration of the other alternatives.
References j 1. IPPSS, Section 18.2.3.8 (Service Water) and Section 1.6.2.3.6 (Contain-I ment Form Coolers).
- 2. IP-3 System Description No. 24, Service Water Systems , August 1975.
4 i 1 t l i i i t 4
. _ _ . . - -. - - ~ . - - _ . . - _ . . _ . ._=. - .- ._ ,
I, 't
' 125 I
j i I 4 t .F 1 = l; k E.y_.' wt
,k iie '
i ..ay v. E sp !.< ] 7.IN: .
*"*F-*' 'l i>
f, N *A i
'-F ;,x ,.. '7 ',d . s f
l-- s m .. . . N O ' 1 a~ u , u t;.g , l . p i
=
t " l, k .l Ir* E~ -) Y, nu ~_,. c
-m-, Ap l
8 l f' 4, O. i 4 w.,ramsmw -m w+11 ..~~n l %
$1 ,gg .s i e b<q-ih g$.-- - ? c.- m 4 g_
. x &<j :? , c
.A n. -
4 I qa $s vmA, J., ; J <.
- EV p - d c .c :_.q -
Q.
. - % ,, l:.}q i ::., p n- y {,.; usg -;,u.c. e
[n mY gia) gf ""
) )q p,N -
i
'f. # '"Ti $ 5 g ! 7 Jl 7.
p .> g ) f' ; i1 - 1 "MY l
-,; d 1@I's. Q 42 4.g
[1- ,; 5-. 7. f
~v /
I, p~'1F. ij - 9 bt) .} 41) il M q, i h j
,jjj . . , f; fi'jhif) f!
! a kW i ..
*I e'.
- QS a_p'pt h k m;g~ :
L*;i ? w I W, g 3 -6 lI~.g, 'Jed f.h I{w'est: ;! .
"'" ,t,, y ,
Wig p 4
, e-mw w ig , .. e .~qt. --C9 Jg f:4 1' :t't!! to $ St 3
- g. l i
' 8- j ;g NhA p. --w. 'b if\ V' l g . _ _ . _ . _ . _ _ _ _ .
1 - $ k e
^
s . 'l; tr - -
- x , , .
, , fy { ! $ -- =
a i 1 A (o
! I ^ 5[q s i 1--
w q E . , l' ' l i'; l:
.) T h - ,
( ; m: rh h s > --- q.- '
- dl G
il s 3 t m .c
;l l' p I _,
n_ i r-
, t* [ --n /i i
y
.; I 't g og g, A4.M3 -
o j ,
,i
- h '
,: K s ! (ih Y f _'ihf- Tr,f i dh,;*,i hl i I '? Y. w y:
i !
- t. .el T'
- k. , [f?,9f' "'I d ;v: h.
M n-. ,o f-' b D e 5 i f M_a ---:%- m
; I *.
t a.., n j dpd, gI ; lq p-
~Q ,L_.p)3
- t. .C.i i - ~~
i .~ , . '2'0 ,
- s. -
t : c . M. wc e mgj : - - h 'T(I ' . . ' l '
. I! C J i ir;>, ' D Ef[I ,' ! N i l, II-* ,7 _ 7_ CJ% k,.h n ,$[7 . ' [e - ' 9
- ,', ,-m I PH h,f.l
- e . m..
e..D i 3
%,,, . .c \ 2 ji f.!m ^l ' f rt'.F/)=t*---
I V--'; Ij l de
- n.
- I
.lI j
a a tp j . E; ,, 8, { g l ~ . . " ' ' l @ j *t'-* 0- ? T~ ; ad j i rM; g-j
- e
-n g F;f~ ~ i G~., ,I ,s il l m[mi.n~ .Ac i
g
,e V. I J _ ,4 r, ht i 4
8 dI ' e I e*- ., " I pa m j [ j . f,' ' **- 4
--0l 1 +--W J -+--
g bg, , _ 8 r
~- l l
j ,a
- i. 6
}A 4' ] e i
'I
. . _ ' # ;._._..__J )!.g}, . j I .4 I
i 1 i l l I t I l
126 A.18 TRANSIENT INITIATOR A.18.1 Introduction
- In this study, the purpose of developing a fault tree for the transient initiator is to search for interactions which link transient initiation to failure of a mitigating system. For example, a bus f ault leads to a reactor trip, and simultaneously fails the offsite power path to one of the safety buses. The following was done in this study. The scope included the follow-ing transient sequences:
l
- 1. Transient and failure of AFW.
- 2. RCP seal LOCA sequences.
- 3. Transient-induced PZR LOCA sequences.
Events appearing in mitigating systems (including systems supporting the integrity of the RC pressure boundary), or their supports, were examined to see whether they would cause transients. A transient was taken to be an event which leads to a reactor trip or, in reasonably short order, to a shutdown. The Transient tree, then, is a large OR g?te whose inputs are mostly
; support system faults. In addition, a tree for loss of main feedwater to at >
least 1/4 SGs feeds into the Transient tree. Other transient initiators that are not somehow linked with the frontline systems, or their supports, have been excluded. A.18.2 Top Events The top event of the Transient tree is a Boolean OR of that subset of faults which a) have anything to do with the mitigating systems studied here j and b) lead more or less directly to a shutdown (usually, but not necessarily, by a trip). l Developed events which are fed into this top event are Itsted on Table l A.18.1. i i i i 1
127 i A.18.3 Mission Success Criteria NA A.18.4 Assumptions The defining characteristic of transient, as used here, is that the reactor shuts down and electric power is derivable only from the offsite source or from the diesels, not from the station generator. Table A.18.1 Developed Inputs to Transient Initiator Top Event Event Name Consequence MF-SG31323334 , Insufficient MFIV to 1/4 SGs CCGRETRN-A Insufficient CCW to at least 1 RCP CCG1000-A Insufficient CCW to at least 1 RCP CCGTBE01 Insufficient CCW to at least 1 RCP RCPM01-INT Insufficient CCW to at least 1 RCP RCPM02-INT Insufficient CCW to at least 1 RCP RCPM03-INT Insufficient CCW to at least 1 RCP RCPM04-INT Insufficient CCW to at least 1 RCP
; SIPHASEB Insufficient CCW to at least 1 RCP l EPA 24-T Loss of 6.9-kV Power to at least 1 RCP EPA 52-T Loss of 6.9-kV Power to at least 1 RCP EPA 55-T Loss of 6.9-kV Power to at least 1 RCP EPA 25-T Loss of 6.9-kV Power to at least 1 RCP i
i CD-VAC Loss of Condenser Vacuum CR-01-A Loss of 2/6 Circ. Water Pumps PZRX TRIP Reactor Trip on Pzr Fault TR-LOOP Loss of Offsite Power IAG01 Loss of Instrument Air TR-SPSI Spurious SI or Phase B signal CV-LOCH Loss of Charging Flow CV-LOLD Loss of Letdown Flow I ! 1 l 1 l
l LT v
~- ~-
3 __ s s
~L-~ m 141 1 m442 4 eI:: =
N:7 V" x -- 3 7- - - - - - - -s f, s& .
] l l- ,,,,, _ ~ 'I' *)
I
/ [. e
_pg.- . .are
~' & -va- 1a:'_:',,~,l.*":,
C}_'"1-a a W z., g (m x
,P w. s4=see re a* , -w - w.,
ea
***, aw g.,
sew a g es 8889 8884
~}
on. av see e.,,e M'b M*M
- 4e 64*!- H -
~~~~u. %
t v^ AW3r .%rge
- hr av=me.r e seway %
9 m asas m hette h tg 1'
~*
cy uses D susFasu,J g.3eq JF m} ser 38 0
~ ~u".,,. . H. -_ ~~
n' ty3 888 1-881 1 bene
- Figure A.13.1 Indian Point Unit 3 refueling water storage tank system simplified.
129 APPENDIX B EVENT DEFINITIONS 1 E 881-A-!NT CT 64 FA!LS CLOSED 2 E 883 + 1NT FAILURE F CST DISCHM6E PATH TO MD AFW Pipp 3 AF084 + 1NT FAILURE OF CITY MTER DISCHMEE SEBENT VALVES TO Plf@ 33 4 W885-A-!NT FAILURE OF CST DISCHMGE PATH TO MD WW PlpF 5 4886-A-!NT FA! LURE & CITY MTER DISCHMGE SEBENT VALVES TO Pupp 31 6 E887+1hT FAILURE OF CST DISCHMGE PATH TO TD WW Ptfp 7 W 888-A-!NT FAILURE F CITY MTER DISCHM6E VALVES TO TD WW Ptf@ 8 E 889 + 1NT MOTOR DRIVEN WW PtpF FAILUE 9 M 889-B-!NT DT4868 SIGNAL LNABLE TO CONTROL PU 33 DISCHMBE PRESSUE 18 W818+1NT h3 TOR DRIVEN WW PLI@ FAILUE
!! M 816-B-!NT PT486A S!ONAL LNABLE TO CONTR(L PU 31 DISCHMBE PRESSJE l 12 W 811-A-H OPERATOR FAILS TO BRING AFW PU 32 LP TO SPEED
- 13 E011-A-!NT SEEDOT 11 INTEltdL FAILURE 14 AF811 + NDA FAILURE TO MAN!PtLATE (LOCALLY) TRIP VALVE GIVEN LOSS T AIR 15 W 8ll-B-!NT INADVERTANT OPENING 7 RELIEF VALVE MS52 16 W 812-A-INT LOCAL F E T E8 MENT 12 17 W812-B-!NT LOCAL FALLT FCV-486C FAILS (PEN 18 AF812-C-!KT BACKLEAKAGE OF FCV486C 19 AF013 + 1NT LOCAL FALLT SEGMENT 13 29 M 813-B-!NT LOCAL FALLT FCV-4860 FA!LS (PEN 21 W813-C-!NT BACKLEAKAGE OF FCV486D 22 E014-A-INT LOCAL FALLT SE0 MENT 14 23 W 814 + 1NT LOCAL FALLT FCV-4868 FA!LS OPEN 24 W814-C-!NT BACKLEAKAGE OF FCV4868 25 W815 + 1NT LOCAL FALLT EGMENT 15 4
26 4815-B-!NT LOCAL FALLT FCV-486A FAILS 50 27 7 815-C-!NT BACKLEAKAGE & FCV486A 28 W 816 + 1NT LOCAL FALLT SEBMENT 16 29 W 817 + 1NT LOCAL FALLT SE9ENT 17 38 AF818 + 1NT LOCAL FALLT SEGMENT 18 31 W819 + 1NT LOCAL FALLT SEMENT 19 32 AF82S + !hT N0!F 0F STEAM FROM SE9ENT 28 33 4 821 + 1NT N0!F 0F STEM FI;0M SE8 MENT 21 34 W 822 + 1NT AFWS INJECT!(N LIE FAILS TO SUPPLY WTER TO S633 35 W822-D-ELDN R0WDOW FROM SG 33 NOT ISOLATED 36 4 823 + 1NT WWS INJECTION LINE FA!LS TO SLPPLY MTER TO 5634 37 W 823-D-BLDN BL(NDOW FROM SG 34 NOT IS(LATED l 38 M824-A-!NT WWS INJECTION LIE FAILS TO SLPPLY MTER TO $632 39 4 824-D-BLDN Bl0WDOWN FROM SG 32 NOT ISCLATED 44 V 825 + 1NT AFWS INJECTION LINE FAILS TO SLPPLY WTER TO SG31 41 W 825-D-BLDN BLOWDOW FROM SG 31 NOT ISOLATED 42 W 826-A-!NT ATM STM RLF VALVE PCVl!36 INTERNAL FAILUE 43 W827+1NT E SVS ASSOCIATED WITH SB33 FAIL TO CPEN 44 W 828 + !NT ATM SIM RLI RVE PCVil37 INTERNAL FA!LUE 45 W 829 + 1NT ALL SVS ASSOCIATED WITH SG34 FAIL TO Of(N 46 W 838 + 1NT ATM STM ILF RVE PCVil35 !NTERNAL FA!LUE 47 W 931-A-!NT ALL SYS ASSOCIATED WITH SG32 FAIL TO OPEN 48 W832-4-!NT ATM STM RLF VALVE PCV1134 INTERNAL FAILUE 49 W 833 + 1NT E SVS ASSOCIATED WITH SG31 FA!L TO OPEN 50 WBLKG-BFD67 BACKLEAKAGE OF BFD67 AND OTER CECK VALVES IN PU O!SC LIES
I 130 51 FBLK6-BFD68 BACKLEAKAGE OF BFD68 A2 OTER CHECK VALVES IN PU DISC LINES 52 AFBLKB-BFD69 BACKLEAKAGE OF BFD69 AND OTER DECK VALVES IN PU DISC LIES 53 AFBLKG-BFD70 BACKLEAKAGE OF BFD70 AND OTER DECK VALVES IN PU DISC LINES 54 FN2 LOSS OF N2 TO AFWS ADVS 55 WN2-HU-01 OPC'.1 TOR FAILS TO ACTUATE N2 BAD (LP - LOCAL 56 FSE64-6-8-NOA FAILUE OF DP TO ALIGN CW AT AFW PLMP SUCTIOMi
- 57 AUISTM---- FAILURE OF STM SlFPLY FROM AUX STM SYSTEM 58 CC-H [FEMTOR FAILS TO ADJUST CCW LDADS 59 CC001 + BLK CCW Pl p 31 TRAIN BLOCKAGE 60 CC00! + 1NT CCW PlN 31 INTERNAL FAILUE 61 CC00! + RSTRT CCW PUW 31 FAILS TO ESTMT- INT. FAILURE 62 CC002 + BLK CCW Ptp 32 TMIN BLOCKAEE 63 CC002 + 1NT CCW Ptp 32 INTERNAL FAILURE- INCLUDES FAILURE TO STMT 64 CC003+BLK CCW Ptp 33 TMIN BLOCKAE 65 CC003-A-INT CCW PU W 33 INTERNAL FAILURE 66 CC003 + RSTRT CCW PLN 33 FAILS TO RESTMT- INT. FAILUE 67 CC004-A-!NT MA M L VALVE 766A FAILS 0.0 SED 68 CC005 + 1NT MANUAL VALVE 766B FAILS 1 0 SED l 69 CC006 + 1NT MAML VALVE 759C FAILS 0.0 SED i
70 CC007 + 1NT MNUAL VALVE 7590 FAILS 0.0 SED 71 CC008 + !NT FAILURE OF CCW HI 32 LES 72 CC0094-!NT FAILURE OF CCW HI 31 LEB 73 Lt010 + !NT VALVE 766C OR 766D FAILS CLOSED 74 CC0!! + !NT LOOP 1 RETURN EADER FAILS 75 CC012-A-!NT LOOP 2 RETURN E ADER FAILS 76 CC015 + !NT @! PLMP 31 O!L OR SEAL HI FAILUE 77 CC016-4-!NT @! Pip 32 O!L OR SEAL HI FA! LURE 78 CC0174-!NT @! PLM 33 O!L DR SEAL HX FAILUE 79 CC018-A-!NT MAML CCW VALVE 787 FAILS CLOSED 80 CC033 + 1NT MANUAL VALVES TO CHG PU @ 31 O!L COOLERS FAIL 81 CC034-A-INT MML VALVES TO chi PtN 32 O!L OXLERS FAIL 82 CC035 + 1NT MAML VALVES TO CH6 PLN 33 O!L COOLERS FAIL 83 CC0364-INT MA M L VALVE 7564 FAILS CLOSED 84 CC037 + H OPERATOR FAILS TO ALIGN CITY W TER 85 CC037 + 1NT INTERNAL FAILURE OF SEGENT 37 86 CC0384-!NT MANUAL VALVE 7568 FAILS 0.0 SED 87CC61000-A N0!F CCW FR04 LOOP 32 88 C06601-A N01 CCW FLOW TO @! PLMP 31 89 CCG602-A N01 CCW FLmi TO $ 1 Pt p 32 90 CCG603-A N01 CCW FLOW TO @! PLMP 33 91 CC6800-4 N0!F CCW AW CITY W TER TO CH6 PU W 31 C00LERS 92 CC6804-4 N0!F CCW AND CITY WTER TO CH6 PLMP 32 COOLERS 93CCG845-A N0!F CCW AND CITY MTER TO CHO PU W 33 COOLERS 94 CCSRETRN4 MOV 784 OR 786 NOFC- CCW ETURN LINE FROM RCP MOTORS 95 CCGS1 CCW SUPPLY TO RCPUS MOV769,797 FAIL CLOSED DUE TO INT OR FIRE
% CCGTBEll VALVE 769 OR 797 FAIL Q.0 SED 97 CD-t-A N0!F FROM Cum 0N DISCHM6E CF EATERS 33 TO 35 % CD-10-A N0!F FROM C02ENSATE PlWS DISCHM6E HEADER 99 CD-ll-A N0!F FROM CO2ENSATE R mps SUCTION E ADER 100 CD-14-4 N0!F FROM KATERS 334, 344, 4 35A
131 101 CD-1B-A NOIF FROM EATERS 33B, 348, 8 35B 102 CD-1C-4 NOIF FR3M E ATERS 33C, 34C, 8 35C 103 CD-2-4 N0!F FROM EATER BYPASS LIE 104 CD-5-A NOIFF F D FLASH EVAP AND FROM ITS BYPASS 105 CD-5& A N0!F FROM LP EATERS 314 8 32A 106 CD-58-A NOIF FROM LP K A1ERS 318 8 32B 107 CD-5C-A NOIF FRm LP E ATERS 31C 8 32C 108 CD-6-4 NOIF FROM LP EATERS BYPASS LIE 109 CD-74-A NOIF FROM GLAND STEAM CO WENSER 110 CD-7B-A N0!FF FRm FCV-1120 - SLFPORT SYST NOT FOLN) 111 CD-8A-A NOIF FROM COWENSATE PtWS DISCHWIBE TO FLOW PATH A 112 CD-90-A NOIF F M CW DENSATE PLDPS DISCHARSE TO FLOW PATH B 113 CD-AEJCD313233-A NOIF FROM AIR EJECTOR C0WENSERS 31,32, OR 33 114 CD-CDSR31-1-A N0!F FROM E TERBOX 31-1 115 CINDSR31-2-A N01F FROM MTERBOX 31-2 116 CD-CDSR31-LF CONDENSER 31 LOCAL FAIWE 117 CD-CDSR32-1-A NOIF FROM W TERBOX 32-1 118 CD-CDSR32-2-A N0!F FRm ETERBOX 32-2 119 CD4DSR32-LF CCNDENSER 32 LOCAL FAILURE 120 CD-CDSR33-1-A NOIF FROM M TERB01 33-1 121 CD-CDSR33-2-A N0!F FROM WATERBOX 33-2 122 CD-CDSR33-LF COWENSER 33 LOCAL FAILUE 123CD-PP31-C-INT EV FLOW THAU C(30 Pl#9 31 DISCH-CV FAILLE (If) M OTERS 124 CD-PP31-LF4 CMENSATE PLDP 31 LOCAL FAILUE 125CD-9032-C-INT EV FLOW THRJ CO2 Pl#F 32 DISCMV FAILURE (RF) M OTERS 126 CD-PP32-tFf COMENSATE Pl p 32 LOCAL FALL! K 127 CD-PP33-C-INT REV FLOW THAU CO2 PtfF 33 DISCEV FAILURE (RF) M OTERS 128 CD-9P33-LF-F CONDENSATE Pts 33 LOCAL FAILUE 129 CD-VAC LDSS OF COWENER VAClifL 130 CL----LF N0!FF TURBIE HR.L CLDED C0(LING WATER SYSTEN LOCAL FAILURES 131 CR-01-A LOSS OF 2 OUT OF 6 CIRC 1LATING Pl#PS - ASSlWTION 132 CR031-LFf LOCAL FAILtX IN CIF.C Ptsp 31 OR LINE TO CWDDEER 133 CR032-LFf LOCAL FAILURE IN CIRC Ptp 32 OR LIE TO C0WENBER 134 CR033-LFf LOCAL FAILURE OF CIRC Ptsp 33 OR LINE TO CWDEMBER 135 CR034-LF f LOCAL FAILURE F CIRC Plw 34 OR LIE TO C010ENER 136 CR035-LF-F LOCAL FAILURE OF CIRC PLW 35 OR LIE TO C010ENSER 137 CR036-LF4 LOCAL FAILURE F CIRC Ptp 36 OR LIE TO COWDGER 138 CS001-4-INT INTE MAL FAILURC & CST 139 CS403 + 1NT INTE MAL FAILURE F LCVil58 140 CS004 + H (PERATOR FAILS TO CLOSE FL0lFATH ON ALAS 141 CS004 + 1NT INTERNAL FAILLE OF SElBENT 4 142 CS011-4-INT LIC1102-S Fall! K 143 CS0114 + 1NT CST ALAS FAILUE 144 C9015 + 1NT SEGENT 15 INTEMAL FAILIK 145 CS$29-LL LOW COWOER 10TELL LEVEL Cup 0! TION 146 CS6106-A FAILUE F CST SlFPLY TO AFWS 147 CV-LOCH LOSS OF CHM 61NE FLOW 148 CV-LILD LOSS OF LETD0lM FLOW. 149 CVD H & t! Op. FAIL TO ALIGN TE SJCTION TO RWST. 150 CVCH4&92 (P. FAILS TO START A SECM Ptp.
132 151 CVCH01-A CECK VALVES 2108 82100 FAIL CLOSED. 152 C O S2-A AIR OPEMTED VALVE 2948 FAIL CLOSED. 153CVCH03-4 CECK VALVES 210A 210C FAIL (10 SED. 154 CVCHH-A AIR (FEMTED VALVE 2944 FAILS TO OPEN ON DOIAND. 155 CVCH07 + 1NT VALVES 374 OR 142 FAIL CLOSED. 156 C 0 08-A WIF EAL FLOW FRON CHM 61E Pl0FS 157 CVCH09-A-INT LCV112C OR C E CK VALVE 292 FAIL CLOSED. 158 CVCHit-A-INT VALVE FCV 1108 FAILS TO OPEN OR VALVE 297(NO) FAILS CLDED. 159 CD12-A-INT BLEWER FAILS. 160 C D 13 + INT CV328 FAILS TD (PEN OR IV329 (NOFC) 161 CVCH14 + INT CV327 FAILS TD (PEN OR IV326 (MFC) 162 C D 15 + INT FCV 110A FAILS (10 SED. 163CVCH16-A-INT FCV 111A FAILS TD (PEN. l 164 CVCH17 + 1NT FILTER OR FLOW ETER PLLEED. 165 CVCH18 + INT BORIC ACID TRAMFER PL90 31 FAILS TO START. 166 CVCH19-4-INT BORIC ACID T N 31 FAILS TO SllPPLY. 167 CVCH20-A-INT FAILURE OF ELECTRIC EATER IN BAT. 31, 168 CVCE01 LEVEL TRANNITTER LT-112 FAILS. 169 CVDE01-1 LEVEL CONTit)L LC112A/I FAILS HI(N 170 CVCE 02 LEVEL CONTR(LLER LC-1128 OR CONTROL CIRCUIT FAIL 171 CVCE03 LEVEL CONTROLLER LC-112C OR CONTROL CIRCUIT FAIL. 172 CVCE 04 VALVE LCV112B FAILS TD (PEN. 173 CVLel + INT LETDOWN ISCLATION VALVES FAIL 174 CVL82-A-INT REGEN. HI. FAILS. 175 CVL83 + INT SLPERCD@0ENT FAILS ITSELF. 176 CVL94 + INT C(NT. IS1ATION VALVES FAIL 177 CVLOS + INT EN-REEN. HX. FAILS. 178 CVLOS + INT VR.VES PCV135 OR TCV149 FAIL 179 CVLS8-A-INT EACTOR C0(LANT FILTER PLUS6ED. 180 CVL89 + 1NT VCT RPTURE. I 181 CVL19 + INT IS(LATION VALVES 2134 OR213B FAIL TO OPEN. 182 CVL11 + 1KT EICESS LETDG01 HI. FAILS. l 183CVL12-A-INT VALVE EV123 FAILS (10 SED. 184 CVL13 + INT LCV112A INTERNAL FAILURE CAUSING FLOW DIVERSION TO H(LDlp TM 185 CVLD-001 W OP. ACTION FOR EI. LETD0 led IN SERVICE. 186 CVLE01 CONTROL CIRCUIT FOR VALVE PCV135 FAILS. 287 CW861-A-INT FAILURE (F CITY WATER Supply TO CT-49 188 CWIS2-A-INT INTERNAL FAILURE OF CT-49 SC9ENT 189 DC- LOSS OF DC POER AT LEVEL INST 8 CONTR.- SLFPLY N0i FDLND 190 EE-1989 NO FLOW IN LINE 1980 191EE-ATL AEIENT TD@ LOW 192 EE-CS015 NO FLOW IN SEIMENT 15 193 EE-ft.00A-RCSCL4 EDILM LOCA POSTtLATED IN RCS CCLD LE6 2. 4 194 EE-SELP LOW PRESS IN SGS 195 EE-SLOCR-RCSCL4 SMALL LOCA POSTLLATED IN RCS COLD LES NO. 4 1% EPA-LATE-LOOP L(ES OF BRID DURIN6 NITIGATI(N PHEE 197 EPA-TR-IN-LOCP TRANSIENT INDUCED LOSS OF 0FFSITE POER 198 EPA 02-S-F LOCAL FALLT AT EPA 02 (6.9 KV BUS 5) 199 EPA 02-U-F LN1EARABLE FALLT AT BUS 5 200 EPA 03-S-F LOCAL FALLT AT EPA 03 (SS IFMR 5)
133 201 EPAM -S LOCAL FALLT AT EPAS4 (BUS 5A) 202 EPAS4-S-F LOCAL FALLT AT EPAS4 (BUS 5A) 203 EPA 04-T LOSS OF 480 VOLT BUC 5A 204 EPAS4-T-LSI LOP AT 480V BUS 5A, OR LOIP, OR S! 205 EPA 05-INT LOCAL FALLT IN D6 33 206 EPA 05-INTf LOCAL FALLT IN DG NO. 33 207 EPA 06-INT 4 LOCAL FALLT IN FAST TRANSFER BREAKER SCEE 208 EPA 06-S f LOCAL F E T AT EPA 06 (SS IFMR 2) 209 EPA 07-S LOCAL FALLT AT 2A 210 EPA 07-Sf LOCAL FALLT AT EPA 07 (BUS 2A) 211 EPA 07-T LDSS F 480V BUS 2A 212 EPA 07-T-LSI LDP AT BUS 2A, OR LOOP, OR SI 213 EPA 08-INT LOCAL FALLT IN D6 31 214 EPA 06-INT-F LOCAL FALLT IN D6 NO. 31 215 EPA 09-Sf LOCAL FALLT AT EPA 09 (6.9 KV BUS 6) 216 EPA 09-Uf LMCLEARABLE F E T AT BUS 6 217 EPA 10-S-F LOCAL FALLT AT EPA 10 (SS IFNR 6) 218 EPA 11-S LOCAL FALLT AT EPA 11 (BUS 6A) 219 EPA 11-S-F LOCAL FALLT AT EPA 11 (BUS 6A) 220 EPA 11-T LOSS OF 480V BUS 6A 221 EPA 11-T-LSI LDP AT 480V BUS 64, OR LOOP, OR SI 222 EPA 11-T-LSI-V LOP AT BUS 6A(l@! VALVES) 223 EPA 12-INT LOCAL FALLT IN DG 32 224 EPA 12-INT-F LOCAL FALLT IN D6 NO. 32 225 EPA 13-INT-F LOCAL FALLT IN FAST TRAMFER BREAKER SCWE 226 EPA 13-S-F LOCAL FALLT AT EPA 13 (SS IFMR 3) 227 EPA 14-S LOCAL FALLT AT EPA 14 (BUS 3A) 228 EPA 14-5-F LOCAL FAILT AT EPA 14 (BUS 3A) 229 EPA 14-T POER SlFPLY FAILURE F 480V BUS 3A 230 EPA 14-T-LSI LOP AT 480V BUS 3A, OR LOOP DR SI 231 EPA 15-0 LOCAL FALL! AT EPA 15 (TIE BKR 2AT5A) 232 EPA 15-Uf LNCLEARAGLE FALLT AT EPA 15 (TIE BKR 2AT5A) 233 EPA 15-0-F1 FIRST FAILURE IN TIE BKR 2AT54 234 EPA 15-il-F2 SECD E FAILURE IN TIE BKR 2A13A 235 EPA 16-H OPERATOR DES ET 0.0SE 2AT3A 236 EPA!6-S LOCAL FALLT OF 2AT3A TIE BREAKER 237 EPA 16-5-F LOCAL FALLT (F TIE BKR 2AT3A 238 EPA 16-il LOCAL FALLT AT EPA 16 (TIE BREAKER 2AT3A) 239 EPA 16-U-F LMCLEARABLE FRT AT EPA 16 (TIE BKR 2AT3A) 240 EPA 16-U-F1 FIRST FAILURE IN TIE BKR 2AT3A 241 EPA 16-Uf2 SECDPS) FAILURE IN TIE BKR 2AT3A 242 EPA 17-U LOCAL FALLT AT EPA 17 (TIE BKR 3AT6A) 243 EPA 17-U-F LMCLEARABLE FALLT AT EPA 17 (TIE BKR 3AT6A) 244 EPA 17-0-F1 FIRST FAILURE IN TIE BKR 3AT64 245 EPA 17-0-F2 SECO2 FAILUE IN TIE BKR 3AT64 246 EPA 18-S-F LOCAL FALLT AT MCC 39. 247 EPA!B-T MCC 39 LOSS OF POER 248 EPA 19-S-F 10 CAL FALLT AT EC 36C. 249 EPA 29-S-F LOCAL FALLT AT MCC 32. 250 EPA 20-T LOSS OF PGER FROM 480V AC MCC 32
a
)
134 i 251 EPA 21-S-F LOCAL FALLT AT MCC 37, 252 EPA 21-T MCC 37 LOSS OF PGER 253 EPA 21-T-V LDP AT EPA 21(MCC 37)(@l VALVES) 254 EPA 22-S-F LOCAL FALLT AT EPA 22 (MCC 36A) 255 EPA 22-T LDSS OF POER TO MCC 36A 256 EPA 23-5-F LOCAL FALLT AT MCC36B (SE6 EPA 23) 257 EPA 23-T LOSS OF POER TO MCC 368 258 EPA 24-S 4 LOCAL F E T AT 6.9KV BUS 1 259 EPA 24-T LOSS OF POWER FROM 6900V AC BUS NO. 1 260 EPA 25-S-F LOCAL FAULT AT 6.9KV BUS 4 261 EPA 25-T LOSS OF POWER FRW! 6900V AC BUS NO. 4 262 EPA 26-S f LOCAL FALLT AT MCC 33 263 EPA 26-T LOSS OF POER FROM 480V AC MCC 33 264 EPA 27-Sf LOCAL FALLT AT MCC 34 265 EPA 27-T NO POWER AT MCC 34 - FROM EPS FT 266 EPA 28-S-F LCCAL FAULT AT MCC 35 267 EPA 28-T LOSS OF POWER FROM 480V AC NCC 35 268 EPA 29-S-F LOCAL F E T AT MCC 31 269 EPA 29-T MCC 31 LDSS OF POWER 270 EPA 30-S f LOCAL F R T AT MCC 38 271 EPA 51-S-F B.<R UT2 FAILS OPEN - DE-ENERGIZES BUS 2 272 EPA 52-S-F LOCAL FALLT AT BUS 2 273 EPA 52-T LOSS OF POWER FROM 6900V AC BUS NO. 2 274 EPA 54-5-F BKR UT3 FAILS OPEN - DE-ENERSIZES BUS 3 275 EPA 55-5-F LOCAL FAULT AT BUS 3 276 EPA 55-T LOSS OF POWE9 FRCH 69NV AC EAJS NO. 3 277 EPA 57-5-F FAILURE OF UNIT AUX XF.TR 278 EPA 58-S-F BKR UT1 FAILS OPEN - DE-ENERGIZES BUS 1 279 EPA 68-9-F BKR UT4 FAILS OPEN - DE-ENERSIZES BUS 4 280 EPA 611 LOP AT EPA 03 (SS XFMR 5) 281 EPA 612 LOP AT EPA 06 (6.9KV BUS 2 + SS XFMR 2) 282 EPA 613 LDP AT EPA 13 (6.9KV BUS 3 + SS XFF.R 3) 283 EPAB14 LOP AT EPA 10 (SS XFMR 6) 284 EPA 615 LOSS OF F0WER FROM 6900V AC BUS NO. 5 285 EPA 616 LDSS OF POER FROM 6900V AC BUS NO. 5 286 EPD01-01 LOSS OF DC POER REDD TO OPEN A0V 261A OR C 287 EPD01-02f LF AT DC POER PANEL 31, 288 EPD01-06-F LF AT BATTERY CHARGER 31,CB, CABLES. 289 EPD01-31 LDSS OF 125V DC DISTRIBUTION PAEL 31 290 EPD01-P1-F LF,FB16 OPENS. 291 EPD01-P3-F LF,FB13 OPENS. 292 EPD02-01 LOSS OF DC POER REDD TO DPEN ADV 261B OR D 293 EPD02-01-V LOP AT DC PP 32(@I VALVES) 294 EPD02-92-F LF AT DC POWER PANEL 32. 295 EPD02-03-V LDP TO DC PP 32(@I VALVES) 296 EPD02-04-V L(P FROM EPD22(HPI VALVES) 297EPD02-06-f LF AT BATTERY CHARSER 32,CB, CABLES. 298 EPD02-32 LOSS OF 125V DC DISTRIBUTION PANEL 32 299EPD02-32-V LOP TO DC DP 32(HPI VALVES) 300 EPD02-P2-F LF,FB12 0 FENS.
135 301 EPD02-P4-F LF,FB13 OPENS. 302 EPD0341 LOP AT EPD 03 (DC POWER PANEL 33) 303 EPD83424 LF AT DC POWER PANEL 33. 304 EP003-06-F LF AT BATTERY CHARGER 33,CB, CABLES. 305 EPD64-02f LF AT DC POWER PANEL 34. 306 EP004-06-F LF AT BATTERY CHARGER 34,CB, CABLES. 307 EPD11-A BATTERY 31 FAILURE 308 EPD11-F LDP AT EPD 11 (FAILURE OF BATTERY 31). 309 EPD12-A LOP AT DC PP 32 - BATTERY 32 S0bRCE ONLY 310 EP012f LOP AT EPD 12 (FAILURE OF BATTERY 32). 311 EPD13-A BATTERY 33 FAILDRE 312 EPD13-F LDP AT EPD 13 (FAILURE OF BATTERY 33), 313 EPD14-F LOP AT EPD 14 (FAILURE OF BATTERY 34). 314 EPD2- CONTROL POWER LOST TO SPRAY CONTROL VALVES - NO SPRAY 315 EPD3132-Of thCLEARABLE FALLT IN TIE BKR BETWEEN DC PPNL 31 AND 32 316 EP6ENTRAN FUTURE SPACE FOR GENERAL TRANSIENT TREE 317 EPI-AIX LF AT XER OR CB 36C , AC BUS 1. 318 EPI-A2X LF AT XER , CB 36B ,AC BUS 2. 319 EP121-01 LDSS OF INST BUS 31 320 EPI 21-02-F LF AT I BUS 31, 321 EPI 21-06 LF IN MANUAL SWITCH 31, TRANSFER FAILURE TO AC SOURCE 1. 322 EPI 21-15f LF IN INVERTER 31 OR CABLE TO IT. 323 EPI 21-SWf MAMjAL SWITCH 31 OPENS. 324 EPI 22-01 LOSS OF INST BUS 32 325 EPI 22-02f LF AT I BUS 32. 326 EPI 22-06 LF IN MANUAL SWITCH 32, TRANSFER FAILURE TO AC SOURCE 1. 327 EPI 22-15f LF IN INVERTER 32 OR CABLE TO IT. 328 EPI 22-SWf MANUAL SWITCH 32 OPENS. 329 EPI 23-01 LDSS OF INST BUS 33 330 EPI 23-02-F LF AT I BUS 33. 331 EP!23-06 LF IN MANUAL SWITCH 33, TRANSFER FAILURE TO AC SOURCE 1. 332 EPI 23-15-F LF IN INVERTER 33 OR CABLE TO IT. 333 EPI 23-SWf MAMJAL SWITCH 33 DPENS. 334 EPI 2441 LOSS OF INST BUS 34 335 EPI 24-02f LF AT I BUS 34. 336 EP!24-06 LF IN MANUAL SWITCH 34,TRANSER FAILURE TO AC SOURCE 1. 337 EPI 24-08 LF IN MAN. CB 34, TRAN IER FAILURE TO AC SOURCE 2. 338 EPI 24-15-F LF IN INVERTER 34 GR CABLE TO IT. 339 EPI 24-CBf LDP AT MAN.CB 34 (OPENS). 340 EP!24-SW-F MANUAL SWITCH 34 OPENS. 341 EPL01-02 LF AT DISTR PAEL FOR FAN HOUSE & TINNEL. 342EPLS1-06 LF AT BUS 33. 343EPL31-10 LF (F L XER OR CB 33. 344 EPL61-11 BREAKER (FB3)TO EPD 02 (PENS. 345 EPL61-12 CRTIE CB 3233 OR L BUS 32 IS NOT AVAILABLE . 346 EPLS1-SW SWITCH 37 DPENS. 347 EPL01-SWF LF IN SWIT01 37, TRANSFER FAILURE TD (E) SOURCE. 348 EPL82-02 LF AT DISTR PANEL FOR NUCLEAR PLANT. 349 EPL92-05 BREAKER (FB2) TO EPD 02 OPENS. 350 EPL92-SW SWITCH 34 OPENS. l
136 351 EPL82-SWF LF IN SWITCH 34, TRANSFER FAILURE TD (E) SOURCE. 352 EPLO3-92 LF AT DISTR PANEL FOR CONVENTIONAL PLAhi. 353 EPL83-06 LF CF XER,CB,(120VAC) BUS 31. 354 EPLO3-98 LF AT BUS 31 . 355 EPLO3-12 AUTO SWITCH FAILS. 356 EPLO3-15 BREAKER (FB2) TO EPD 01 OPENS. 357 EPLO3-SW SWITCH 31 OPENS. 358 EPLO3-S E LF IN SWITCH 31, TRANSFER FAILURE TO (E) SOURCE. 359 EPLM-62 LF AT DISTR PAEL FOR CONTROL R004 360 EPLM-86 LF AT BUS 32. 361 EPL84-10 LF 0F L XER OR CB 32. 362 EPL94-12 CRTIE CB 3233 UR BUS 33 IS NOT AVAILABLE. 363 EPLM-15 BREAKER (FB11) TO EPD 01 DPENS. 364 EPL84-SW SWITCH 33 DPENS. , 365 EPL84-SWF LF IN SWITm 33,TMNSFER FAILURE TD (E) SOURCE. 366 EPL86-96 15 0F XER,CB, (120 VAC) BUS,DIST9 PANEL 34. l 367 EPL86-08 LF AT BUS 33. 368 EPL86-12 SWITCH 34 IS INPVAILABLE. 369 EPL86-ia SWITCH 34 OPENS. 370 EPMITIGATE TOG 6LE SWITCH FOR MITIGATION CASE 371 EPTRANSIENT TOGGLE SWITm FOR TRANSIENT CASE 372 F1 FIRE IN ZOE 1 373 F10 FIRE IN ZDE 10 374 F101A FIRE IN ZWE tela 375 F102A FIRE IN 20E 192A 376 F10A FIRE IN ZOE 10A 377 F11 FIE IN ZOE 11 378 F12 FIRE IN ZONE 12 379 F12A FIRE IN ZOE 12A i 380 F13 FIRE IN 20E 13 ! 381 F14 FIRE IN ZOE 14 382 F15 FIRE IN ZONE 15 383 F17A FIE IN ZOE 17A 384 F19 FIRE IN ZONE 19 385 F19A FIRE IN 20E 19A 386 F22 FIRE IN ZOE 22 387 F23 FIRE IN ZDE 23 388 F27A FIRE IN ZOE 27A 389 F2A FIRE IN ZOE 2A 390 F3 FIRE IN ZDE 3 391 F30A FIRE IN ZOE 30A 392 F31A FIRE IN ZOE 314 393 F37A FIRE IN ZOE 37A 394 F384 FIRE IN ZOE 38A 395 F39A FIRE IN ZOE 39A 3% F3A FIRE IN 20E 3A 397 F4 FIRE IN ZOE 4 398 F40A FIRE IN ZOE 404 399 F41A FIRE IN 20E 41A 400 F42A FIRE IN 20E 42A
137 I l i 401 FM FIRE IN ZDE M ) 402 F5 FIRE IN ZONE 5 403 F52A FIRE IN ZOE 52A 404 F54 FIRE IN ZOE SM 405 F55 FIRE IN ZDE 55 406 F57A FIRE IN ZOE 57A 407 F58A FIRE IN ZDE 58A 40s F59A FIRE IN 20E 59A 409 F6 FIRE IN ZOE 6 410 F60A FIRE IN ZOE SOA 411 F66A FIRE IN 20E 66A 412 F68A FIRE IN ZDE 68A 413 F69A FIRE IN 20E 694 414 F7 FIRE IN 20E 7 415 F70A FIRE IN ZDE 70A. 416 F71A FIRE IN ZONE 71A 417 F73A FIRE IN ZDE 73A 418 F7 M FIRE IN ZONE 74 419 F75A FIRE IN ZOE 75A 420 F78A FIRE IN 20E 78A 421 F7A FIRE IN ZOE 7A 422 F8 FIRE IN ZONE 8 423 F86A FIRE IN ZOE B6A 424 F87A FIRE IN ZDE 87A 425 F9 FIRE IN ZDE 9 426 F9A FIRE IN ZONE 9A 427 FMCC311 LOC FIRE IN ZOE MCC311LO 428 FILZ-1 FIRE IN IRABEI. LED ZONE 1,PAB ELEV 32.5-41 429 FZEAR11 FIRE IN 20E ZEAR11 430 FIEAR55A FIRE IN Z(NE ZEAR55A 431 }@001-A-INT INTERNAL FAILURE OF SE6 MENT 1 432 }@t02-A-INT PtJ@ 31 INTERNAL FAILURE 433 f@003-A-INT PUPP 32 INTERNAL FAILURE 434 }@004-4-INT Pt.MP 33 INTERNAL FAILURE 435 l@005-A-INT NOIF 0F PUP @ 32 DISCHARSE EADER 436 l@005-C-INT SEGENT NO. 5 CKV 852A REVERSE FLOW 437F9006-A-INT FAILURE OF Pulo 32 DISCHARSE EADER 436 l@066-C-INT SEGENT NO. 6 CMV 852B REVERSE FLOW 439 }@007-HTR31-INT INTERNAL FALLTS OF BIT EATER 31 440 l@007-HTR32-INT INTERNAL FALLTS OF BIT EATER 32 441 l@007A-A-INT INTERNAL FAILURE OF SEGMENT 7A 442l@007A-C-INT LEAKAGE PAST NC MOV1852A 443 l@0078-A-INT INTERNAL FAILURE (F SEB*ENT 7B 444}@007B-C-INT LEAKAGE PAST NC MOV18529 445 l@007C-A-INT INTERNAL FAILURE OF SE6FINT 7C 446FF007D-A-INT INTERNAL FAILURE Oc SESMENT 7D 447 l@007E-A-INT INTERNAL FAILURE OF SE6 MENT 7E 448 l@t07F-A-INT F1.0W DIVERSION TO CVCS HOLD LP TANKS-VOLVE 1846 OCENS 449 l@0076-A-INT VALVE 1851B INTERNAL FAILURE 450f@007H-A-INT VALVE 1851A INTERNAL FAILURE
138 451 @ellA-A-INT MOV 842,MOVB43,0R VALVE 1862 NOFC 452 l@012-A-lhT COLD LE6 NO. 4 INJECTION PATH FAILURE 453 }@013+1NT COLD LEG hO. 2 INJECTION PATH FAILURE 454 @014-A-lhT C1D LES NO. 3 INJECTION PATH FAILURE 455 W 15-A-INT COLD LES NO. 1 INJECTION PATH FAILURE 456 @016-A-INT COLD LES NO.4 INJECTION. PATH FAILURE 457l@017-A-INT COLD LES NO. 2 INJECTION PATH FAILURE 458 l@018-A-INT C1 D LES NO. 3 INJECTION PATH FAILURE 459 l@019 + 1NT COLD LES NO. 1 INJECTION PATH FAILURE %8 HPG2A + 1NT VALVE 8494,8504,0R 848A FAILS CLOSED 41 l@e24-C-INT SEGENT 2A CKV 8494 REVERSE FLOW 462if034-A-INT MOV 887A,887B FAILS CLOSED 43 F@94A + INT VALVE 8498,8508,0R 848B FAILS CLOSED %4 @84M-INT SEGE NT 44 CKV 849B REVERSE FLOW %5 l@33A061-T-INT FAILURE OF LOCAL CNTRLS EHT PNL 33A CKT 6 %6 W33A062-T-INT EHT Pt33A CKT 6 PRIMRY TRACING FAILS 47 }@33A063-T-INT INTERNAL TAILURE OF EHT PNL33A CKT 6 REDUNDANT TRACING 48 l@33A063-T-0PER @EMTOR FAILS TD ALIGN REDlNDANT TRACING 469FF33A064-T-INT EHT PNL334 CKT 6 ALARM FAILURE 479 @ 33A111-T-INT FAIUjRE OF LOCAL CNTRLS EHT PNL 33A CKT 11 471f933A!!2-T-INT EHT PNL 33A CKT 11 PRIM RY TRACING FAILS 472}@33A113-T-INT INTERNAL FAILURE OF EHT PNL 33A CKT 11 REDUNDANT TRACING 473 FF33A113-T-0PER OPERATOR FAILS TO ALIGN REDUNDANT TRACING 474 }@33A114-T-INT EhT R 33A CKT 11 ALARM FAILURE 475 l@33A121-T-INT FAILURE (F LOCAL CNTRLS EHT PNL 33A CKT 12 476 FF33A122-T-INT EhT R 334 CKT 12 PRIMRY TRACING FAILS 477 W 33A123-T-INT INTERNAL FAILURE OF EHT PNL 33A CKT 12 REDUNDANT TMCING 478 t@33A123-T4]PER OPERATOR FAILS TO ALIGN REDUNDANT TRACING 479 l@33A124-T-INT EHT PNL 33A CKT 12 ALARM FAILURE 488 l@33A191-T-INT FAILURE OF LOCAL CNTRLS EHT PNL33A CKT 19 481FF33A192-T-INT EHT PNL33A CKT 19 PRIMARY TRACING FAILS 482FC33A193-T-INT INTERNAL FAILURE OF EHT PNL 33A CKT 19 REDUNDANT TRACING 483 FF33A193-T-0PER OPERATOR FAILS TO ALIGN REDUNDANT TRACING 484 @ 33A194-T-INT EHT R 33A CKT 19 ALARM FAILURE 485 }@33A221-T-INT FAILURE OF LOCAL CNTRLS EHT E 33A CKT 22 486 l@33A222-T-INT EHT K 33A CKT 22 PRIE RY TRACING FAILS 487 l@33A223-T-INT INTERNAL FAILURE OF EHT PNL33A CKT 22 REDUNDANT TRACING 488 }@33A223-T-OPER OPERATOR FAILS TO ALIGN REDLNDANT TRACING 489 l@33A224-T-INT EHT PNL 33A CKT 22 ALARM FAILURE 498 @33A231-T-INT FAILURE OF LOCAL CNTRLS EHT PNL 33A CKT 23 491F933A232-T-INT EHT PNL 33A CKT 23 PRIMARY TRACING FAILS 492 l@33A233-T-INT INTERNAL FAILURE OF EHT PNL 33A CMT 23 REDUNDANT TRACING 493 l@33A233-T-0PER OPERATOR FAILS TO ALIGN REDUNDANT TRACING 494 l@33A234-T-INT EhT PNL 334 CKT 23 ALARM FAILURE 495 HT-POWER-MATTERS COM)X ARE SUCH THAT PWR FAILURES TO HT CAN CAUSE SYSTEM FAILUR 4% HT901-T-INT SEGENT 1 IEERNAL FAILURE 497 HT982-T-INT SEGMENT 2 INTERNAL FAILURE 498 kT983-T-INT SESENT 3 INTERNAL FAILURE 499 HT883-T-0 OPERATOR FAILS TO MAKE TE TRfMFER 500 HT805-LBFT0 SEGENT 5 BRKR FTD
139 501 HT006-LBFTO SEGMENT 6 BRKR FTO 502 HT007-LBFT0 SEBENT 7 BRKR FTO 503 HT808-LEF TRANSFORER TO E 33A ELEC FALLT 56,HT808-T-INT SEGENTS 5,8,0R 11 IhTERNAL FAILURE
- 505 HT90 N.EF TRANSFORER TO PM. 33) ELEC FALLT 506 HT009-T-INT SEGENT 6,9,0R 12 INTERNAL FAILURE 507 Hielt-LEF TRANSFORER TO PNL 33C ELEC FAULT - 508 HT010-T-INT SEGENT 7,10,0R 13 INTERNAL FAILURE 509 HT021-T-INT SEGENT 21 INTERNAL FAILURE 510 HT022-T-INT SEGMENT 22 INTERNAL FAILURE 511 HT023-T-INT SEGENT 23 INTERNAL FAILURE 512 HT024-T-INT SEGMENT 24 INTERNAL FAILURE 513 HT025-LEF TRANSFORMER ELEC FALLT 514 HT025-T-INT SEGMENT 25 INTERNAL FAILURE 515 HT026-LEF TRANSFORMER ELEC FALLT 516 HT326-T-INT SEEMENT 26 INTERNAL FAILURE 517 HT027-LEF TRANSFORER ELEC FALLT 518 HT027-T-INT SEGENT 27 INTERNAL FAILURE 519 HT028-LEF TRANSFORER ELEC FALLT 520 HT028-T-INT SEGENT 28 INTERNAL FAILURE 521 HT029-T-INT SEGENT 29 INTERNAL FAILURE 522 HT038-T-INT SEGENT 30 INTERNAL FAILURE 523 HT031-T-INT SEGMENT 31 INTERNAL FAILURE 524 HT032-T-INT SEGMENT 32 INTERNAL FAILURE 525 HT033-LBFT0 ASSOCIATED FP DP 31 LDAD BKR FID 526 HT033-LEF LOCAL FP DP 31 LDAD FALLT 527 HT0351-LBFTD FP DP 34 LIE 155 CKT BRKRS FTO 528 HT0351-LEF ELEC. FAILURE OF LINE 155 HT CKTS 529 HT0352-LBFT0 FP DP 34 LIE 161 CKT BRKRS FTO 530 HT0352-LEF ELEC FAILURE OF LINE 161 HT CKTS 531 HT0353-LBFTD FP DP 34 RWST INST STRIP HTRS CKT BRKRS FTO 532 HT0353-LEF ELEC FAILURE OF RWST INST STRIP HTRS 533 HT0354-LBFT0 FP DP 34 NON RWST HT CKT BRKRS FTO 534 HT0354-LEF ELEC FAILURE F NON RWST hT CMTS 535 HT036-LBFT0 ASSOC BRKR FP DP 35 FTO ,
536 HT036-LEF LOCAL FP DP 35 LOAD FAULT 537 HT334-LBFT0 ASSOC LOAD BRKR FTO j 538 HT33A-LEF LOCAL LOAD ELEC FALLT ON PNL 33A j 539 HT33B-LBFT0 ASSOC LDAD BRKR FTD 1 540 HT33B-LEF LOCAL LOAD ELEC FALLT ON PM. 33B 541 HT33C-LBFT0 ASSOC LOCAL LOAD BRKR FT0 542 HT33C-LEF LOCAL LDAD ELEC FALLT ON R 33C 543 HT341-LBFT0 FP DP 32 CKT 9 OR 11 FALLTED ASSOC BRKR FTO 544 HT341-LEF ELEC FALLT OF EHT DP 32 CKTS 9 OR 11 545 HT341-T-INT INTERNAL FAILURE OF KT FP DP 32 CKTS 9 OR 11 546 HT342-LBFT0 FP DP 32 CKT 7 LOAD BRKR FTO 547 HT342-LEF FP DP 32 CKT 7 ELEC FALLT 548 HT343-LBFTO FP DP 32 LDAD BKR ASSOC WITH FAULTED CKT FTO 549 HT343-LEF ELEC FALLT OF ANY 10F EHT DP 32 CKTS 1 THRU 6 550 HT343-T-INT INTERNAL FAILURE F ANY 1 0F EHT DP 32 CKTS 1 THRU 6 l l 1
140 551 HT351-T-INT INTERNAL FAILURE OF LINE 155 HEAT TRACING 552 HT352-T-INT INTERNAL FAILURE 7 LINE 161 EAT TRACING 553 HTG320-T EHT FAILURE 7 FP DP 32 554 HT6339-T to PWR TO EHT Pt 334 555 HTG340-T EHT FAILURE 7 FP DP 34 556 HTSPSO-T NO POER TO SLPV PNL SO IN CR 557 IA005-A CO MON PIPE FR(M CO@ RESSORS TO RECEIVER 558 IA006-A RECEIVER ADN RV 559 IA00 M PIPE AND VALVE OWNSTREfel 0F RECEIVER 560 IA008-A PIPE PLUGGED - NOIF FROM COMPRESSORS AND BACKlP SERV AIR 561 IA009-A PIPE PLtfiGED - NOIF THRU DRYER 32 AND BYPASS 562 IA012-A C0 m 0N PIPE FROM ALT PATH (DRYER 31) AND BYPASS 563 IM13-A PIPE, VALVES AND CONTROLLER IN BYPRSS 564 IA014-A PIPE IN BYPASS 565 IM15-A C020N PIPE FROM REF DRYERS TO DESIC DRYERS 8 TO CCNV PLANT SE 566 IA016-A PIPE TO DESICANT DRYERS 567 IM18-A PIPES, VALVES, REGEERATIVE DRYERS - NORMAL FLOW PATH 568 IA014-A-F COWRESSOR, PIPE, VALVE LPSTREAM OF AFTERC00LER 31 569 IM18-A-F CO@RESSOR, VALVE, PIPE [PSTREAM Oc AFTERC00LER 32 570 IA025-4 PIPE, VALVES, CONTRCLLER, NONRES. DRYER-BACKUP PATH (4HR SUPPLY) 571 IA026-A PIPE FROM DESICANT DRYER TO AFTER FILTERS 572 19027-4 FILTERS, PIPES, VALVES - 573 IA02A-A AFTERC00LER 31 574 IA02B-A AFTERC00LER 32 575 IA03 H PIPE FROM AFTERFILTERS TO DISTRIBUTION 576 IA03 H PIPE AND VALVES DO M TREAM AFTERC00LER 31 - 577 IM3B-A PIPE AND VALVES DOWSTREAM AFTERC00LER 32 578 IA04 H PIPE DOWSTREAM OF SES IM3A 579 IA04B-A PIPE DOWSTREAM OF SES IA03B 580 IA10 H PIPE, FILTER, DRYER AND VALVES IN ALT PATH (DRYER 31) 581 IA100-A PIPE, FILTER, DRYER AND VALVES IN OPERATING DRYER 32 582 IA11 H PIPE IN ALT pprH DOWSTREAM OF DRYER 31 583 IA119-A PIPE DOWSTREAM OF OPERATING DRYER 32 584 IAC02-4 PIPE DOWSTREAM OF BOTH CW PLMPS 585 IAC04-A CW HX 32, INLET AND OUTLET VALVES AND PIPES 586 IAC05-A CW HX 31, IM.ET AND OUTLET VALVES AND PIPE SEGS 587 IAC06-A PIPE FROM CW HIS TO AFTERCOOLERS 588 IAC10-A COMMON DISCHARGE PIPE FROM MOTORS 31 AND 32 TO PUMP SUCTION 589 IACIA-A-F CW Pts 31, VALVES AND PIPE - OPERATING PUMP 590 IAC18-A-F CW Ptp 32, VALVES AND PIPP - STANDBY PU@ 591 IRC7 H VALVES AND PIPE TO AFTERC00LER 31 592 IAC7B-A VALVES AND P!PE TO AFTERC00LER 32 593 IAC9 H VALVES AND PIPES- FROM AFTERC00LER 31 T0/THRU MOTCR 21 594 IAC9B-A VALVES AND PIPES- FROM AFTERC00LER 32 T0/THRU MOTOR 32 595 IA601 NOIF FROM INST. AIRSYS. TO MJCL. SERVICE FROM I4 FT. 5% IAIRBYPASS FLOW RES BYPASS VALVE CO M ANDED DPEN (INST AIR HX SW OUTLET) 597 IAS01-A VALVES, PIPE,FROM SERV AIR TO INST AIR AND WELD CHANNEL BACKUP 5% IAG02-A PIPE FROM SERVICE AIR TO FILTERS 599 IAS07-A PIPE, VALVES AND CONTROLLER DOWNSTREAM 0F FILTERS 6M IAS$8-A VALVE AND PIPE FROM SERVICE AIR TO INST. AIR
141 601 IAS29-A VALVES, FILTER AN PI E 682 LC 48C-A BISTABLE FAILS 603 LOCA LOCA EVENT 664 LP001-A PIPE FROM XV8% TO MOV882 645 LP002-A MOV882 (DOFC), CV881 (FTO), PIPE 686 LP003-E FLOW DIVERTED, MOV883 (LCFD) OR BV1863 (N7 0) 687 LP903-El MOV 883(LCFD) 648 LP003-E2 BV1863 609 LP90 H MOV744 (DOFC),CV741 FTO),0R PIPE PLUGGED 610 LP006-A E V745A OR MOV745B FAILURE (NOFC) 611 LP908-A NOIFF THRU HIS CROSS TIE - MOV1869A OR MOV1869B (NOFC)
- 612 LPell-A CROSS TIE BLOO(ED 613 LP011-A COLD LES 1 PATH FAILURE 614 LP012-A C3.D LE6 2 PATH FAILURE 615 LP013-A COLD LEB 3 PATH FAILURE 616 LP015-E MOV885A AND MOV885B (NCF01-FLOW DIVERTED TO CONTAINMENT SUMP 617 LP015-El MOV 8854(NCFO) 618 LP015-E2 MOV 885B(NCFO) 619 LP016-A RHR PLNS MIN FLOW LIE PLUSGED-MOV 1873 OR 743 FC-ASSUMPTION 620 LPO4 H RHR Pt W 31, XV739A (NOFC), XV735A (LOFC), CV738A (FTO), PIPE 621 LPO4B-A RHR PUW 32, XV739B (LOFC), XV735B (LOFC), CV738B (FTO), PIPE 622 LP07 H EX 31 FAILURES OR XV742 (LOFC) 623 LP07 H EX 32 FAILURES 624 LP99H FAILURES OF VALVES AND PIPE FROM E X 31 TO CROSS TIE (EV 8998 625 LP999-4 FAILUES OF VALVES AND PIPE FROM EX 32 TO XTIE (MOV 8994) 626 LP144-E E V-889B (NCFD) 627 LP14B-E MOV-8894 (NCFO) 628 LT45 H F LOCAL F E T LT459 FAILS HI 629 LT460-A PZR LEVEL SENSOR FAILS L W - LT460 630 LT M O-W LOCAL F E T LT E8 FAILS HI 631 LT460-LF-F LOCAL F E T LT460 FAILS LOW 632 LT 41-A PZR LEVEL SENSOR FAILS LOW - LTM 1 633 LT 41-W LOCAL F R T LT % 1 FAILS HI 634 LTM 1-LF-F LOCAL FALLT LTM1 FAILS LOW 635 W-1 H N0!F FROM WIV BFD-7 CV BFD-6 OR FE-418 TO SG 31 636 W 4 NOIF FROM WIV BFD-7 CV BFD-6 OR FE-428 TO SG 32 637 W -1C-A NOIF FROM WIV BFD-7 CV BFD-6 OR FE-438 TO SG 33 638 W -1D-A NOIF FROM WIV BFD-7 CV BFD-6 OR FE-448 TO SS 34 639 W-2A-LF-F NOIFF MF RE6 FCV-417 DR M0!V BFD-5 TO SG 31 LOCAL FAILURES 640 W-2B-LF-F E IFF W RE6 FCV-427 OR MDIV BFD-5 TO SG 32 LOCAL FAILURES 641 W -2C-LF-F NOIFF W RES FCV-437 DR MOIV BFD-5 TO SG 33 LOCAL FAILURES 642 W -2D-LF-F NOIFF W RES FCV-447 OR M0!V BFD-5 TO SS 34 LOCAL FAILURES 643 W A NOIF FROM WW FP EATERS COMMON DISCHARGE EADER 644 W-4 H NOIF FRW W EATER 36A !
645 W-4B-A NOIF FROM 19 EATER 368 l 646 W -4C-A NOIF FROM FO EATER 36C l 647 W-5-A OPER FAILS TO OPEN BYPASS VALVE OR VALVE FAILS 648 W-6-A M IF FRW C0POION BFP DISCHARGE HEADER 649 W-61-C-INT BFP 31 DISCH REV FLOW -CV FAILS (If) AND MOV FAILS TD CLOSE 650 W-61-LF-F BOILER FEED PU W 31 LOCAL FAILURE
142 l 651 W-62-C-INT BFP 32 DISCH EV FLOW -CV FAILS (RF) AND MOV FAILS TO CLOSE 652 W LF-F BOILER FEED PU @ 32 LOCAL FAILURE ! 653 W-7-A NOIF TO BFPS 31 & 32 FROM C0fetDN SUCTION E ADER 654 W -5631323334 NO MIN FEEDWATER TO 1 OUT OF 4 STEAM SENERATORS 655 MS - -LF NOIFF MIN STEAM AND MSR SUPPLY TO BFPTS LOCAL FAILURES 656 MS-AEJ---LF LDSS (F MIN STEAM AIR EJECTORS - LOCAL FAILURE 657 NOTLOCA NOT A LOCA EVENT 658 WTLOOP-6A NO LOOP TO BUS 6A 659 NOTTR-SPSI NO SAFETY INJECTION SIGNAL PRESENT 660 PC45'E-NT E TRIP SIBIAL FROM PLP BISTABLE (PC 455E). 661 PC456E-NT NO TRIP SIGNAL FR@l PLP BISTABLE (PC 456E). 662 PC457E-NT E TRIP SIGNAL FROM PLP BISTABLE (PC 457E). 663 PC948D-NT NO TRIP S. FROM Of BISTABLE, PC 948D. 664 PC948E-NT NO TRIP S. F D 0@ BISTABLE, PC 948E. 665 PC948F-NT NO TRIP S. FROC DP BISTABLE, PC 948F. 666 PW--- NO PRIMARY MKE LP WATER GOES TO VALVE FCV111A. 667 POER NO POER TO 4-WAY VALVE - SUPPLY NOT FOLND 668 PT455 W LOCAL FALLT PT455 F,'!LS HI 669 PT455-LF 4 LOCAL FALLT PT455 FAILS LOW 670 PT456 M LOCAL FALLT PT456 FAILS HI (PCV456 SIGNALLED TO DPEN) 671 PT456-LF-F LOCAL FALLT PT456 FAILS LOW (PCV456 FAILS CLOSED) 672 PT457 M LOCAL FAULT PT457 FAILS HI UCS AND PRMSV TO PCV456) 673 PT457-LF-F LOCAL FALLT PT457 FAILS LOW (PCS AND INTLK PCV456) 674 PT474 W LOCAL FALLT PT474 FAILS HI (PRMSV TO PCV455C) 675 PT474-LF-F LOCAL FALLT PT474 FAILS LOW (INTLH TO PCV455C) 676 PT9484-NT NO TRIP S. FROM SENSOR + TRANSMITTER, PT 9484 . 677 PT9489-NT NO TRIP S. FROM SENSOR + TRANSMITTER, PT 948B . 678 PT948C-NT NO TRIP S. FROM SENSOR + TRANSMITTER, PT 948C . 679 PI200-CPN PIR SRV FAILS OPEN 680 PZ301-A-F LOCAL FALLT - PORY PCV-455C FAILS CLOSED 681 PZ301-B LOCAL FALLT (PENS PORY 682 PZ335-INT-F LOCAL FALLT OF BLOCK VALVE 683 PZ336-INT-F LOCAL FALLT OF BLOCK VALVE 684 PZ351-A-F LOOCAL FALLT - PORV PCV 456 FAILS CLOSED 685 PZ351-B LOCAL FALLT OPENS PORV PCV 456 686 PZ356-B LOCAL FALLT IN PRESSUE SENSOR CHANEL 687 PZ400-D RlPTURE OF PZR SPRAY LINE 688 PZ401-A LOCAL FALLT - SPRAY PIPING CLOSS LP 689 PZ401-B LOCAL FALLT - (ME OR MORE PZR SPRAY VALVES FAIL DPEN 690 PZ501-A-F LOCAL FALLT WITHIN PZR EATERS - ND HEAT DUTPUT 691 PZ501-B LOCAL FALLT PZR EATER POER/ CONTROL CO@0NENTS - RAISES PRESS 692 PZ601-A LOCAL FALLT WITHIN PZR PRESS CONTROL SYS - LOWERS PRESSURE 693 PZ601-B LOCR. FALLT IN PIR PRESSURE CONTROL SYSTEM - RAISES PRESSURE 694 PZ791-A LOCAL FALLT WITHIN PZR LEVEL CONTROL SYSTEM - LOWERS LEVEL 695 PZ701-B LOCAL FALLT IN PZR LEVEL CONTROL SYSTEM CAUSES HIGH LEVEL 6% PZBLKV4 DOR DPERATOR DOES NOT CLOSE BLOCK VALVE 697 PZLREF-A REACTOR CONTROL SYSTEM I@UTS LOW (LREF) LEVEL SIGNAL 698 PZLREF-B REACTOR CONTROL SYSTEM I@UTS HIGH (LREF) LEVEL SIGNAL 699 PIN 23-A MOTIVE NITROGEN SlPPLY LOST - PORV PCV-455C FAILS CLOSED 700 PIN 26-A MOTIVE NITROSEN SUPPLY LOST - PCV 456 FAILS CLOSED
l 4 143 l 701 PIRXTRIP REACTOR TRIP DN PIR FAULT 702 RCE01 LNDEFIED REASCNS 703 RCE03 OTER REASONS 704 RCE04 OTER REASOLS 705 RCPM01-INT MWAL VALVCS 771A,772A,773A FAIL CLOSED FOR RCP 31 MOTOR COOL 706 RG402-INT MNUAL VALVES 771B,772B,773B FAIL CLOSEl' FOR RCP 32 MOTOR COOL 707 RCPM03-INT MAMJAL VALVES 771C,772C,773C FC FGR RCP 33 MOTOR COOLING 708 RG404-INT MAUAL VALVES 771D,772D,773D FC FDR RCP 34 MOTOR COOLING 709 RCSIGI-A-INT INJECTION FILTER TRAIN FAIL. 710 RCSIO2-A-INT PIPE, VALVE, FLOW ETER FAIL. 711 RCS!06-A-INT SEAL N0.1 PLIEGED OR VALVE PIPE FAIL. 712 RCSI69-4-INT MOTOR V4.VE 222 FAIL CLOSED 713 RCSIl0 SEAL RETURN FILTER PLU6GED. 714 RCS!!! + INT SEAL WATER HX. FAILS. 715 RCSIE02 E OPERATOR ACTION. 716 RCSIE03 INTERNAL FAILU E OF VALVE OR CONTROL CIRCUIT. 717 RCTBel-A-INT VALVE OR PIPE FAIL 718 RCTB0 H -INT PIPE OR VALVE 781A FAIL 719 RCTB06 + 1NT FLOW ETER OR FCV625 FAIL. 720 RCTBE01 TERMAL BARRIER OF ANY PLMP RUPTURES 721 RCV01 + 1NT PIPE, VALVE,0MR61NS PUPP, MOTOR OF TRAIN 31 FAILS 722 RCV02-A-INT PIPE, VALVE, CHARGING Pt W , OR MOTOR OF TRAIN 32 FAILS 723 RCV03 + INT PIPE, VALVE, CHARSING PUMP, OR MOTOR OF TRAIN 33 FAILS 724 RCV05-4-INT VALVE 289 FAILS CLOSED 725 2001-A-INT INTERNAL FAILURE OF SEGENT 1 726 RWIS2-A-INT INTERNAL FAILURE OF SESENT 2 727 RW883-4-INT INTERNAL FAILURE OF SE6 MENT 3 728 REIG1-A RWST FAILURE 729 M6802-A NOIF THROUGH RWST LIE 155 730 SA01-A-INT-F CO@RESSOR LOCAL FAILS. 731 SA02 + 1NT SUPERCO@0EhT SA02 FAILS 732 SA03 + 1NT IP-1 STATION AIR BACK-UP FOR IP-3 STATION AIR FAILS. 733 SA04-A-INT SLFERCO@0ENT SA04 FAILS. 734 SA07-A NOIF SLPPLY FROM SERVICE AIR SYST - FROM SERV AIR FT 735 SA07 + INT SlFERCOMPOENT SA07 FAILS. 736 SACCSI-A-INT-F Pl # TRAIN 31 LOCAL FAILS. 737 SACCS2 + INT-F PU@ TRAIN 32 LOCAL FAILS. 738 SACCS3-A-INT E ADER PLU6GED. 739 SACCS4-A-INT HX. TRAIN 31 LOCAL FAILS. 744 SACCSS-A-INT HX. TRAIN 32 LOCAL FAILS. 741 SACCS6-4-INT NOIFF WATER SUPPLY TO CLOSED COOLING SYSTEM PU@S 742 SACCS7-A-INT NOIFF SUPPLY FROM CCS HXS EADER 743 SACCS601 FAILURE OF CLOSED COOLING SYSTEM- FROM SA FT 744 SE-1X-BFPT1-FD RELAY 1X-BFPT! FAILS TO ENERSIZE 745 SE-1X-BFPT2-FD RELAY 1X-BFPT2 FAILS TO DEENERGIZE 746 SE-2-lu iD-S LOCAL FAlLT OF RELAY 2-1-11D 747 SE-2-1-6D-E LOCAL FALLT F RELAY 2-1-6D 748 SE-2-CC1-2-S LOCAL FR LT OF RELAY 2-CCl-2 l 749 SE-2-CC2-2-5 LOCAL FAULT F RELAY 2-CC2-2 I 750 SE-2-CC3-2-S LOCAL FALLT OF RELAY 2-CC3-2 ! I i l l
144 751 SE-2-RHRI-S LOCAL FALLT F RELAY 2-RHR1 752 SE-2-INR2-S LOCAL FALLT OF RELAY 2-RHR2 753 SE-2-SW4-S LOCAL FALLT F RELAY 2-SW4 - 754 SE-2-SW5-S LOCAL FALLT OF RELAY 2-SW5_ 755 SE-2-SW6-S LOCAL FALLT F RELAY 2-SW6 756 SE-29-1-ABFP2-S LOCAL F E T OF RELAY 29-1-ABFP2 757 SE-27-2A-13-W BUS 2A W SCEE THINKS LOW VOLTAGE CONDITION EXISTS 758 SE-27-3AI3 BUS 3A (NDERVOLTAGE SCHEE THIES LOW VOLTAGE CONDITION EXISTS 1 759 SE-27-5A-I2-W BUS 5A W SCEE THINKS LOW VOLTAGE CONDITION EXISTS 760 SE-27-6A-I3-W BUS 6A W SCEME THIES LOW VOLTAGE CONDITICN EXISTS 761 SE-2S!!-S LOCAL FALLT F RELAY 2-S!! 762 SE-2SI2-S LOCAL FALLT OF RELAY 2-512 763 SE-2SI3-S LOCAL FALLT F RELAY 2-SI3 764 SE-3-1-2R-S LOCAL FALLT OF RELAY 3-1-2A 765 E-3-1-3A-S LOCAL FALLT OF RELAY 3-1-34 766 SE-3-1-5A-S LOCAL FALLT OF RELAY 3-1-5A 767 SE-3-1-6A-S LOCAL FALLT F RELAY 3-1-6A 768 SE-3-2-2A-S LOCAL FALLT OF RELAY 3-2-2A 769 SE-3-2-34-5 LOCAL FALLT F RELAY 3-2-3A 770 SE-3-2-54-S LOCAL FALLT OF RELAY 3-2-5A 771 SE-3-2-6A-S LOCAL FALLT F RELAY 3-2-6A 772 SE-52-EB1-INT LOCAL FALLT OF BREAKER / ACTUATION SCHEME 773 SE-52-E61-(PN BKR 52-E61 (DG 31) OPEN 774 SE-52-ES2-INT LOCAL FALLT OF BREAKER / ACTUATION SCEE 715 SE-52-EB2-IPN BKR 52-EB2 (DG 32) OPEN 776 SE-52-E63-INT LOCAL FALLT OF BREAKER /ACTURTION SCHEE 777 SE-52-E63-(PN BKR 52-ES3 (D6 33) OPEN 778 SE-6311-BFP1-5-F LOCAL F R T OF RELAY 63Il-BFP1 779 SE-63Il-BFP2-S-F LOCAL FALLT OF RELAY 63Il-BFP2 780 SE-AFP31-A AFW PL N 31 NOT ACTUATED 781 SE-AFP32-A AFW PU @ 32 NOT ACTUATED 782 SE-AFP33-A AFW PLMP 33 NOT ACTUATED 783 SE-AFW-NOA NO DPERATOR ACTION TO ACTUATE TEW PlWS 784 SE-BFP-L-S LOCAL FALLT OF RELAY BFP-L 785 SE-BFP-S LOCAL FAULT F RELAY BFP 786 SE-CCS2P-A FAILURE F LOW HEADER PRESSURE AUTO ACTUATION 787 SE-CCS2P-S LOCPL FALLT F LOW EADER PRESSURE ACTUATION SCEME 788 SE-CES31-A CCW PL N 31 NOT ACTUATED 789 SE-CCS32-A CCW PU@ 32 NOT ACTUATED 790 SE-CCS32-NOA MANUAL ACTUATION OF CCS32 FAILS (ALSO BLOCKED BY SI SIGNAL) 791 SE-CCS33-A CCW PU@ 3310T ACTUATED 792 SE-CCW-NOA NO [FERATOR ACTION TO ACTUATE CCW PUNPS 793 SE-ED631-A FAILURE F D6 BKR 52/E61 TO ACTUATE 794 SE-ED632-A FAILURE OF D6 BKR 52/EG2 TO ACTUATE 795 SE-ED633-4 FAILURE OF D6 BKR 52/EG3 TO ACTUATE 796 SE-i@031-A PL F 31 NO AUTO INITIATION SIGNAL 797 SE-if432-A PU@ 32 NO AUTO INITIATION SIGNAL 798 SE-@033-A Pts 33 NO ALITO INITIATION SIGNAL 799 SE-@l-NOR NO OPERATOR ACTION TO ACTUATE W I PUMPS 800 SE-RHR-NOA NO OPERATOR ACTION TO ACTUATE RWR PU$S
145 801 SE-RHR31-A FAILURE OF SI SIGNAL TO START R4R PUMP 31 802 SE-RHR32-A FAILURE OF SI SIGNAL TO START RHR PUMP 32 803 SE-S61234XfC NORMAL START SIGNALS NOT RECEIVED (LO LO 2004 SG 5) 804 SE-SGL(1.0-A STEAM SEERATOR LO LO LEVEL LOGIC (1994) FAILS 805 SE-SIM-NOA NO OPERATOR ACTION TO ACTUATE SWN PUMPS 806 SE-SlM-SWITCH SWITCH SELECTOR IN WRONG POSITION 807 SE-SieG4-A SW Pl#0 34 NOT ACTUATED FOLLOWING LOOP 808 SE-SlM34-D6S-A SW P90 34 NOT ACTUATED FOLLOWING LOOP - FOR DGS (NLY 809 SE-SlM35-A SW Pl#0 35 NOT ACTUATED FOLLOWING LOOP 810 SE-SlM35-DGS-A SW Pipp 35 NOT ACTUATED FOLLOWING LOOP- FOR DGS ONLY 811 SE-SlM36-A SW Pl#0 36 M)T ACTUATED 812 SE-SIN 36-D65-4 SW Pl#0 36 NOT ACTUATED - FOR DGS ONLY 813 SE-Si4G6-NOR MAMJAL ACTUATION CF SW PUPP 36 FAILS 814 SEDG-SIN 36-NOA MANJAL INITIRTION OF SEM 36 FAILS 815 SIGI-2FC BISTABLE (PC 948F) RELAY FAILS TO CLOSE. 816 Slal-3FC BISTABLE (PC 948E) RELAY FAILS TO CLOSE. 817 SI61-4FC BISTABLE (PC 948D) RELAY FAILS TO CLOSE. 818 SI61-5FC BISTABLE (PC 455E) RELAY FAILS TO CLTE. 819 SIO1-6FC BISTABLE (N 456E) RELAY FAILS TO CLOSE. 820 SI61-7FC BISTABLE (PC 457E) RELAY FAILS TO CLOSE. E21 SI01-DF0 MAN. DEFEAT SWITCH FAILS OPEN. 822 SIO1-FC AUTOMATIC MASTER R, SI-1, FAILS TO CLOSE. 823 SI61 4 F DC POER FUSES FAIL. 824 SI61-NOA NO (PERATOR ACTION. 825 SI61-PB SHORT ACROSS RESET P.B.2. (RESET P.EERGIZES.). 826 SI62-2FC BISTABLE (PC 948F) RELAY FAILS TO CLOSE. 827 SIG2-3FC BISTABLE (PC 948E) RELAY FAILS TO CLOSE. 828 Sle2-4FC BISTABLE (PC 948D) RELAY FAILS TO CLOSE. 829 SIG2-5FC BISTABLE (PC 455E) RELAY FAILS TO CLOSE. 830 SI62-6FC BISTABLE (PC 456E) RELAY FAILS TO CLOSE. 831 SIG2-7FC BISTABLE (PC 457E) RELAY FAILS TO CLOSE. 832 SI62-DF0 MN. DEFEAT SWITCH FAILS OPEN. 833 SIG2-FC AUTOMATIC MASTER R, SI-2, FAILS TO CLOSE. 834 S!02-FF DC POWER FUSES FAIL 835 SIG2-NOA NO OPERATOR ACTION. 836 SI62-9B SHORT ACROSS RESET P.B.2.(RESET R.EERGIZES.). 837 SIl0X-FC RELAY FAILS TO CLOSE. 838 S!!!X-1 RELAY S!!!! DOES NOT PROPAGATE SIAS SIGNAL ' 839 S!!!X-1-VALVES LOSS OF SIS FROM RELAY SI-11X 848 SI11X-FC RELAY FAILS TO CLOSE. 841 SI11XD6-1 LOSS OF SIS FROM RELAY SI-11X - FOR DGS ONLY 842 S!!2X-FC RELAY FAILS TO CLOSE. 843 SI!3X-FC RELAY FAILS TO CLOSE. 844 S!!4X-FC RELAY FAILS TO CLOSE. 845 S!!5X-FC RELAY FAILS TO CLOSE. 846 SI20X-FC RELAY FAILS TO CLOSE. 847 S!21X-1 RELAY SI21X DOES NOT PROPAGATE SIAS SIGNAL 848 SI21X-1-VALVES LDSS (F SIS FROM RELAY SI-21X 849 SI21X-FC RELAY FAILS TO CLOSE. I 850 SI21XDG-1 LOSS OF SIS FROM RELAY SI-21X - FOR DGS ONLY
146 851 SI22X-FC RELAY FAILS TO CLOSE. 852 SI23XfC RELAY FAILS TO CLOSE. 853 S!24X-FC RELAY FAILS TO CLOSE. 854 SI25X-FC RELAY FAILS TO CLOSE. 855 SIB 1-F0 R OCKING R. SIB 1 FAILS OPEN. 856 SIB 2-F0 BLOCKING R. SIB 2 FAILS OPEN. 857 SIBKi-LF SWITCH 1-SIB IN BLOCKING POSITION (SHORTS). 858 SIBK2-LF SWITCH 2-SIB IN BLOCKING POSITION (SHORTS). 859 SID14C RELAY FAILS TO CLOSE. 860 SID2fC RELAY FAILS TO Q.0SE. 861 SIM1-FC MAMJAL MASTER R, SIM!, FAILS TO CLOSE. 862 SIM2fC MANUAL MASTER R, SIM2, FAILS TO CLOSE. 863 SIPHASEA-INT CONT. ISOL. PHASE A INTERNAL FAILURE - RELAY FAILURE 864 SIPHASEB SIGNAL OF CONTAI E NT ISOLATION PHASE B 865 SITR1-SE TEST R. TRI-1 EPUR. EERGIZED. 866 SITR2-SE TEST R. TR1-2 SPUR. ENERGIZED. 867 SJ LF M)IFF BFP SEAL INJECTION WATER SYSTEM DE TO LOCAL FAILUES 868 SL-CT12-LF NOIFF SEAL WATER EADER TO CONDENSATE PUMPS LOCAL FAILURE 869 SL-CT1331-LF NOIFF SEAL MTER KADER TO CONDENSATE PUMP 31 LOCAL FAILURE 879 SL-CT1332-LF NOIFF SEAL MTER EADER TO CONDENSATE PU9P 32 LOCAL FAILURE 871 SL-CT1333-LF NOIFF SEAL WATER EADER TO CONDENSATE PUMP 33 LOCAL FAILURE 872 SW834-4 NOIF SERVICE E TER TO DG JACKET / LUBE DIL HX S , 873 SW834-A-INT BLOCKAGE IN D631 JACKET / LUBE DIL HX SEGNENT . 874 SW835-A NOIF SERVICE WATER TO D6 JACKET / LUBE OIL HX S L 875 SWO35 + 1NT ROCKAGE AT DG32 HX'S 876 SW836-A NOIF SERVICE WATER TO D6 JACKET / LUBE DIL HX S 877 SW836-A-INT BLOCKAGE AT D633 SW HX'S 878 SW839-A-INT BLOCKAGE AT SW RETURN FOR D6'S 314 32 879 SW942-A-CIhTROL FAILURE TO DEPRIVE FCV1176 CF AIR; CONTROL FAILURE 886 SW942 + INT FAILURE OF FCV1176 TO OPEN ON LOSS OF AIR 881 SW943-A-CONTROL FAILURE TO DEPRIVED FCV1176A 0F AIR; CONTROL FAILURE 882 SW843 + INT FAILURE OF FCV1176A TO OPEN DN LOSS OF AIR 883 SW944-A BLOCKAGE IN SW RETURN FROM D6'S 884 SW945-A BLOCKAGE IN SW RETURN FROM DG'S 885 SW946-A BLOCKAGE IN SW RETURN FROM D6'S 886 SW37-A NOIF SERVICE ETER AT DUTLET OF HX 31 887 SW37-A-INT LOCAL FALLT AT IMIT OF CCW HX 31 888 SW374-A-INT LOCAL FALLT GUTLET OF CCW HX 31 889 SW46-4 M)IF SW RETURN SES 46 890 SW7-A BLOCKAGE IN SW RETulN 891 SW48-A-!NT INT FALLT BLOCKINS FLOW RE6 BYPASS (INST AIR HI SW O' JTLET) 892 SW49-A-INT BLOCKAGE IN FLOW RE6 SEGENT (INST AIR HX SW OUTLET) 893 SW51-A NOIF SW TO COOLING WATER HI 31 - FROM SW FT 894 SW51-A-INT BLOCKAGE AT OUTLET OF INST AIR HX 31 895 SW52-A NOIF SW TO COOLING WATER HX 32 - FROM SW FT 8% SW52-A-INT LOCAL BLOCKAGE AT DUTLET OF IAIR HX 32 897 SW60A + INT SW BLOCKAGE IN CCS HI 31 898 SW6OB-A-INT SW BLOCKAGE IN CCS HI 32 SEGENT 899SM01-A-INT FAILURE IN SES SIPPLYING SW HEADER FOR CIRC WATER PMPS AND SCR 999 SWA02 + INT FAILURE IN EADER SUPPLYING CIRC WATER PUPOS AND SCREEN WASH
147 901 SWA96 INTAKE SCREEN PROBLEM INCLUDING FREEZING 902 SWAll-A FAILURE OF SES DELIVERING SW FROM EADER TO CIRC P=P 36 903 SWA10 + INT BLOCKAGE IN SES OR PCV 1186 FAILS CLOSED 904 SWA11-A FAILURE OF SES DELIVERING SW FROM HEADER TO CIRC PMP 35 905 SWA11-A-INT BLOCKAGE IN SES OR PCV 1185 FAILS CLOSED 996 SWA12-4 FAILURE OF SE6 DELIVERIM3 SW FROM HEADER TO CIRC PMP 34 907 SWA12-A-INT BLOCKAGE IN SE6 OR PCV !!84 FAILS CLOSED 908 SWA13-A FAILURE OF SES DELIVERING SW FROM EADER TO CIRC PMP 33 909 SWA13 + INT BLOCKAGE IN SE6 OR PCV 1183 FAILS CLOSED 918 SWA14-A FAILURE OF SES DELIVERING SW FROM HEADER TO CIRC PMP 32 911 SWA14-A-INT BLOCKAGE IN SE6 DR PCV !!82 FAILS CLOSED 912 SWA15-4 FAILURE OF SES DELIVERING SW FROM HEADER TO CIRC PMP 31 913 SWA15 + 1NT BLOCKAGE IN SE6 OR KV 1181 FAILS CLOSED 914 SWC85-A-INT BLOCKAGE OR VALVE CLOSURE IN SES C5 915 SWC1-A-INT-F FAILURES IN PUpp SE6 MENT ITSELF (SWP33) 916 SWC10-A-IhT LOCAL FALLT CON SW SE6 C10 917 SWC19A-A-INT LOCAL BLOCKAGE SEGMENT C10A 918 SWC19C-A-INT LOCAL FALLT CON SW SES C18C 919 SWC11-A-INT LOCAL FALLT CON SW SE6 C11 929 SWC13 + IhT LOCAL FALLT CON SW SES 13 921 SWC15-A-INT LOCAL BLOChAGE SE6 C15 922 SWC16-A-INT LOCAL BLOCKAGE SES C16 923 SWC17-A-INT LOCAL FALLT SEG C17 (BET. CCW HX'S) 924 SWC18-A NOIF SERVICE WATER AT OUTLET OF HX 32 925 SWC18-A-INT LOCAL FAULT SES C18 926 SWC18A + INT LOCAL FALLT DUTLET OF CCW HX 32 927 SWC2 + INT-F FAILURES IN Pupp SE6 MENT ITSELF (SWP32) 928 SWC3-4-CONT PUpp FAILS TO START - STAND-BY PLMP 929 SWC3 + INT-F FAILURES IN Pupp SEGMENT ITSELF (SWP31) 930 SWC4-A-INT LOCAL FALLT CON SW SLPPLY HEADR 931 SWC6-A-INT LOCAL FALLT CON SW SE6 C6 932 SWC6A-A-INT BLOCKAGE OR FCV1112 ALI6hED CLOSED 933 SWC7 + INT LOCAL FALLT CON SW SE6 C7 934 sic 8+1NT LOCAL FALLT CON SW SE6 C8 935 SWC9 + INT LOCAL FAULT CON SW SE6 C9 936 SiM1 + INT-F FAILURES IN PLMP SE6 PENT ITSELF (SWP36) 937 SIM13 + INT LOCAL FAILT IN NUC SW PIPING SEGMENT N13 938 Sl414-4-INT LOCAL FALLT IN NUC SW PIPING TO HX 31 939 SlN1H-INT LOCAL BLOCKAGE OF SE6 N15 944 Sl417-A-INT LOCAL FALLT NUC SW SE6 N17 941 SWN18-A-INT BLOCKAGE OF NSW TO DG33 942 SIM19-A-INT BLOCKAGE AT SEGENT SLFPLYING SW TO DG'S 31 & 32 943 SWN2-A-CONT Pulp FAILS TO RESTART EVEN THOUGH MODE OK 944 SIM2-4-INT-F FAILURES IN Plpp SE6 PENT ITSELF (SWP35)
- 945 SIM29-A-INT INTERNAL BLOCKAGE BETWEEN SUPPLY AND D632 H1'S 946 SWN21-A-INT BLOCKAGE AT SEBMENT SLPPLYING SW TO D6 31 947 SIN 3-A-CONT PUpp FAILS TO RESTART EVEN THOUGH MODE OK 948 Si43-A-INT-F FAILURES IN PLMP SE6'ENT ITSELF (SWP34) 949 SIM4-4-INT LOCAL FALLT NSW SUPPLY KADER 950 SlM6-A-INT LOCAL FALLT MJC SW SES N6
148 951 Slei7-A-INT LOCAL FALLT MJC SW SE6 N7 952 M S-A-INT LOCAL FALLT MJC SW SE6 NB 953 'M6+ INT LOCAL FAULT MJC SW SE6 W 95, 3MORMALIGN K)IF CON SW TO IMIT OF IAIR HX 32 955 SiNX14-A-INT LOCAL FAULT MJC SW SES NX14 956 SleiX15-A-INT LOCAL FALLT NiC SW SE6 NX15 957 SWT81-A-INT BLOCKAGE OR PERHAPS INAPPROPRIATE PRESSURE RELIEF 958 SWT02 + 1NT BLOCKAGE IN PCV!179 DR LOCAL VALVES 959 SWT12-A-INT BLOCKAGE IN SES 12 960 SWT13 + 1NT FAILURE IN SES SWT13 SUPPLYING BFPAT LUBE DIL EDOLERS
%1 SWT14-A NOIFF SW TO BFP AND TURB LUBE DIL COOLER - BFP 31 962 SWT14-A-INT BLOCKAGE IN HX C0(LER A OR VALVES 963 SWT15-A NOIFF SW TO BFP AND TURB LUE DIL COOLER - BFP 32 %4 SWT15+1NT BLOCKAGE IN HX C0(LER B OR VN.VES 965 SWT16-A-INT BLOCKAGE IN RETURN SEGMENT 966 SWT27-A-INT BLOCKAGE IN SES T27 %7 SWT52-A-INT BLOCKAGE IN SEB 52 968 SWT56 + INT BLOCKAGE IN SE6 56 %9 SWT58-A-INT BLOCKAGE IN SE6 T58 (SUPPLY TO CLOSED C00 LIM 3 SYSTEM HX'S) 970 SWT68 H NOIF SERVICE WATER FOR HX. 31.
971 SWT600-A NOIF SERVICE WATER FOR HX. 32. 972 SWT61 + !NT BLOCKAGE BEFORE FLOW E6 SEGENT 973 SWT62-A-CONTROL C0hTROL SI6 TO CCS SW FLOW RES VALVE FAILS TO LOW FLOW 974 SWT62-A-INT BLOCKAGE IN CCS SW FLOW REG VALVE 975 SWT63-A FLOW RE6 BYPASS CLOSED OR BLOCKED 976 SWT64-A BLOCKED SW RETURN 977 TZ FAILURE (F TURBINE GLAND SEALING STEAM CONDENSER 978 TR-LO(P LOSS OF 0FFSITE POER TRANSIENT 979 TR-SP SPURIOUS SAFETY INJECTION SIGNAL 900 TET10-0THER MISCELLMOUS CORE POER EXCURSION 981 THET194 BORON DILUTION ACCIDENTS. 982 TET196 CII.D WATER ADDITION 983 TRET10H EXCESSIVE LDAD I OIEASE 984 TET10I POSITIVE REACTIVITY INSERTI(N 985 TRET11A CLOSURE OF ALL MSIV'S 966 TET11B INCREASE IN FEEDWATER FLOW IN ONE STEAM BENERAT09 987 TRET11C INCREASE IN FEEDWATER FLOW IN ALL S6'S 988 TRET11F THROTTLE VALVE CLOSURE /EHC CONTROL PROBLEMS
% 9 TRET!!G GEERATOR FALLTS OR GEN TRIP 990 TET11H MISC TURB-BEN ACCIDENTS 991 TRETill TURBIE TRIPS 992 TRET12A C(NTR(L ROD PRCBLEMS 993 TRET12D SPURIOUS AUTO TRIP 994 TRET12E OPERATOR ERROR CAUSING TRIP 995 TRET12F MAMJAL TRIP ESULTING FROM FALSE SIGNAL 996 TET12S SPURIOUS TRIP-CAUSE LNKNOWN.
997 TRET12H PRIMARY SYSTEM PRESSUE, TEW, POWER IMBALANCE 998 TRET7A FEEDWATER BREAK 999 TRET7D FW FLOW INSTABILITY- OPERATOR 1999 TRET7E FW FLOW INSTABILITY- ECHANICAL i
- 149 1801 TRET7H OTER SECONOMY LEEA6E.
1982 TETM TRIP W WE MSIV. 1903 TET8B TRIP (F TWO OR TIMIEE MSIV'S. 10M TETBC PMTIAL CLORJRE OF (NE OR MORE MSIV'.. 1905 TET8D LOSSES OF STEAM FLOW OTER THAN MSIV TRIP j 1906 TET98f LDSSES OF C00UhT FLOW OTER THAN CCW- FROM TRANSIENT FT i l i ( 1 I 1 1 l i 4 1 l 1 L I 1
, , - ------n-- - . , , - - - , - , , , , , , - - - - - - - , , - - - - , -- , , , - - - - - - - - - , ,.n,
150 ; APPENDIX C ANNOTATED MINIMAL CUTSET TABLES Annotated lists of the leading minimal cutset for each of the following sequences / systems can be found in a jacket at the end of this report. Each sequence / system minimal cutset table is printed on a separate microfiche and therefore need not be placed in any specific order. Each minimal cutset table can be distinguished from the other microfiche as these all carry the name CHU in the heading. Transient Initiator (T) Auxiliary Feedwater System Failure Given Transient (LT ) Auxiliary Feedwater System Failure Given LOCA (LL ) Transient and Auxiliary Feedwater System Failure (T
- LT )
High Pressure Injection Failure Given Small LOCA (U2) High Pressure Injection Failure Given Medium LOCA (V i ) Transient-Induced RCP Seal LOCA (S2 (P)) Transient-Induced RCP Seal LOCA and Failure of Auxiliary Feedwater (S2 (P)
- LL)
Transient-Induced RCP Seal LOCA and Failure of High Pressure Injection (S 2(P)
- U )2 Pressurizer LOCA (S2(Q))
! Pressurizer LOCA and Failure of Auxiliary Feedwater (S2 (Q)
- LL)
Pressurizer LOCA and High Pressure Injection Failure (S2 (Q)
- U2 )
Low Pressure Injection Failure Given Medium or Large LOCA (D)
, _ - . . , - n. . - - suan---.-e, .a _n o nan., sw a - m uw. m .s - , ___,, ,
151 f r 1 i APPENDIX D PRIMARY EVENTS /0PERATOR ACTIONS i I ( i
- - - . , . - . . . .-... -.-. . - .- -..,. - -----. - ,.~. , .- - , - ., -.
PRIMARY EVENT (PE) - INDUCED HUMAN INTERACTION TABLE i SYS1EM: Low Pressure Injection (LPI) PE PE REVIEW SilMULUS AND HUMAN ACil0N CAUSING PE DESIGNATOR DESCRIPIOR CATEGORY STIMULUS ACil0N OPERATOR RESPONSE TO PE RfMARKS EPA 11-T 4 EPA 14-T 4 d EPD 02-01 4 EPD 03-01 4 LP001-A Pipe from XV846 to 1 LT 920 fails low Shut 882 Assure water in con- RWST water supply MOV 882 Shif t to sump recirc if tainment sunp - shif t to LPI/RHR pumps. hater is available in to sump recirc PT 947 is redundant 3 sump (PEP ES-1A) (PEP-ES-1A) indication of RWST head if 1810 is I open [ LP002-A MOV 882 (DOFC) 1 Same as above Same as above Same as above Loss of RWST supply CV 881 (FTO), Pipe LP003-E Flow diverted, 2 None possible from con- Assumes both valves MOV 883 (LCFO) or trol rm. Manually open. Pumps will y BV 1863 (NOF0) override 883 and/or partially recircu-1863 closed - shift to late back to their recirc (PEP-ES-1A) own suction. No reason to open these valves during SI mode. LP005-A MOV 744 (DCFC), 3 Loss of LPI flow. No LPI flowpath. CV 741 (FTO), or Restore correct valve No reason for oper-pipe plugged line up. If not possi- ator to shut these ble, shift to use of valves during SI. recirc pumps if water is in recirc sump (PEP-ES-1A) i i I f 1
PRIMARY EVENT (PE) - INDUCED HUMAN INTERACTION TABLE SYSTEM: LPI (Cont'd) , PE PE REVIEW STIMlltuS AND HIMAN ACil0N CAUSING PE ACil0N OPERATOR RESPONSE TO PE RLMARKS DESIGNATOR DESCRIPIOR CAIEGORY STIMULUS j MOV 745A or 2 Restore proper valve Loss of flow to #32 LP006-A line up. RHR HX. MOV 7458 failure One RHR HX is suffi- On?y reason to shut (NOFC) cient. Otherwise no 745 A/o is due to action required. HX problem (leak) (PEP ES-1A) which would be con-firmed prior to t 4 isolation. t N0!FF thru HXS 2 If only one fails - no Only important in I LP008-A cross tie - effect. recirc phase with HP MOV 1869A or If both fall and RWST LPI or recirc pumps - MOV 18698 (NOFC) is dry, shut 882 & 846. supplying sump l ! Open 883 & 1863 and water to 51 pumps, i 4 pump containment sump Both valves would to SI suction - this have to fall to j gives no cooling (Lose cause any problem. RHR HX) Valves would not be l If cooling is neces- shut unless HP sary, open PORV. recirc was to be ~ i Depressurize system to terminated. ui 1 go on to LPI via RHR HX. W > j (PEPES-1A) LP010-A Cross tie blocked 3 If it is necessary to Passive - only i both spray containment important if HCV and pump to loops with 638 or 640 fall either 638 or 640 open during recirc ' failed open, the cross containment spray. , tie is necessary if Cross tie open is flow is to be supplied more serious to all 4 loops - only problem. , possible action is to pump sump to RWST and ; use normal spray pumps. (PEP ES-1A) l . I
1 PRIMARY EVENT (PE) - INDUCED IfUMAN INTERACTION TABLE l SYST[M: LPI (Cont'd) PE PE REVIEW
. SilMut'US AND IIUMAN ACTION CAUSING PE DESIGtA10R DESCRIPIDR cal [GURY STIMULUS ACil0N OPERAIDR RESPONSE TO PE REMARKS LP0ll-A Cold leg 1 path 3 No action possible due All components are failure to presence of cross passive.
tie if failure is a leak. No action necessary if failure is plugging l .i again due to presence l of cross tie. t LP012-A Cold leg 2 path 3 Same as above failure Same as above LP013-A Cold leg 3 path 3 Same as above Same as above .j fatture 4 LP015-E MOV 885A and 1 LT 920 falls low during Shift to recirc mode Shut 882 or 846. During normal line M0V 8858 (NCF0). 51. RWST appears (if sump level is above Then close 885 A & B up. This dumps empty. 47'2" elev) which opens and return to normal RWST into contain- t 885 A&B and dumps RWST line up (PEP ES-1A) ment sump. I to sump. (PEP ES-1A) [g Flow diverted to 2 Shut MOVs (number containment sump unknown) from hot leg 2 to RHR pump suction. ' Shut of f RHR pumps. (PEP ES-1A) i 8 t t t i
._ - ~ -.- .. -. - __._- .- .- - -- ___ - . , _ . . . .. _..-... - __- . _- - .-.. ~ _ - . - . . . - . . . ,- _
PRIMARY EVENT (PE) - INDUCED HUMAN INTERACTION TABLE s SYSifM: LPI (Cont'd) PE PE REVIEW STIMULUS AND IklMAN ACTION CAUSING PE REMARKS S11MULUS ACTION OPERATOR RESPONSE TO PE DESIGNATOR DESCRIPTOR CATE GORY Shut down RHR pumps. During S! with RCS LP-016A RHR pumps min flow 3 pressure above RHR Repair problem. line plugged - Restart pumps as pump shut off head, MOV 1873 or 743 needed. If RCS press if min flow line is FC-Assumption drops below shut off blocked, pumps will g head before min flow rapidly overheat line is cleared, imme- and be damaged, diately restart pumps, (PEP ES-1A) Shut down affected pump Passive or locked LPO4A-A RHR pump 31, 3 open manual valves. XV739A (NOFC), (PEP ES-1A)
! Shut only to remove XV735A (LOFC), pumps from service CV738A (FTO), pipe for maint. or leak.
1 Same as above Same as above j LP-048-A Same, pump 32 XV739B (LOFR) - i XV 7358 (LOFC) ' ** I CV 7388 (FTO) m l Place HX 32 in service. High radiation on LP07A-A HEX 31 failures or 2 One HX is sufficient RE-017 would sug-t XV742 (LOFC) for ECCS loads. (PEP gest possible tube ES-3) leak. Operator would remove HX 4 from service after verifying. Same as above Same as above LP078-A HEX 32 failures
)
i d l
._ . . _ . . - - - - . . - --._. - -- _---_ _ -. . __-.- - _.- - - - - ~ . _ - _ . - . . . . - _ _ . . . - _ . - . - -- - . .. .
j PRIMARY EVENT (PE) - INDUCED IUMAN INTERACTION TABLE l l SYSTEM: LPI (Cont'd) l PE PE REVIEW SilMlltuS AND llOMAN ACIION CAUSING PE } DESIGNATOR DESCRIP10R CATEGDRY STIMULUS ACTION OPERATOR RESPONSE 10 PE REMARKS LP09A-A Failure of valves 2 FT 945 fatis low during Valve falls shut or Same on both sides, and pipe from RHR contain spray. leak resulting in valve These are cate-HEK 31 to cross closure. tie (MOV 8998) gory 2's because if No action required - the operator shuts all 4 loops are sup- any of the three plied by cross tie and valves on affected normal path, side - no increase Restore system to in spray flow will normal. (PEP ES-1A) suggest problem is not (je to low back-pressure.
- LP098-A Same as above, 2 FT 945A f ails low dur- HCV 638 (640) fails HEX 32, MOV 899A ing RHR containment open.
spray If containment spray is 4 required shut 747 or 8998 (746 or 899A). ! This provides back-
- i pressure required for spray and supplies all r.
4 loops via cross tie y[ and normal path. (PEP ES-1A) LP14A-E MOV-8898 (NCFO) 2 Valve fails open - Incorrect indica-assure HCV 638 (640) is tion of containment fully open to minimize conditions could undesired spray. Valve cause opreator to fails shut - redundant initiate or termi-spray system no action nate spray. How-needed. Spray from ever, redundant RWST and CS pumps if information makes RWST has water. this unlikely. (PEP ES-1A) i
, t i
I b k
I' , r !
- i ; Ig> - r! e !t it - l . ;
ltI, I' '. 5 ih [ fI: i l
-UN S
K e R v A o M b a E R s a _ ea r a S E P 0
- 1 E . 5 -
_ N O P e S v E o . R b a R O s T a A R e E m P a E O S L B A T N O
._ I
. T
- m. C A E
_ R P N E O T N GI N I I I SC N UA ._ A4 R t A C N 0 D l i E C U C A D _. N N I A M
- lU l )
E D P N ( A _ T S S N U U _. E L U L U MM V E l l i Y i R S S A M
. I
. R
. P
_ Y - WR EO G _ IVE ET 2 4 4 4 4 RA C I P rH
) o R O ,t o
F
. O C e )
I P N r Cn EI ( u F o
)
PR l Om. - d
't C
S E A 9 8 i f a L m ( oI cP n D 8 6 L o - T 4 e C V S 8 pd ( O W Vi n M R X pa P . L R A A O E A A - - _ I -
- - 1 2
- 1 2 3 3 M
_ 8 R R M Et 4 0 0 H E PG 1 0 0 H T I P G G R R S S L W W - - Y E R R E E S D S S l '!
. ;l j i i! ]: l ' ' ,) l; I , , i>
PRIMARY EVENT (PE) - INDUCED flUMAN INTERACil0N TABLE J SYSTEM: HPI Small LOCA PE PE REVIEW STIMULUS ANO littiAN ACTION CAUSING PE DESIGtMTOR DESCRIPTOR CATIGORY SitMULUS ACTION OPERAIOR RESPONSE 10 PE REMARKS CCG601-A 4 Note: HP... items are addressed under HPI medium LOCA (those listed as Review Category 4) CCG602-A 4 CCG603A 4 EE-ATt. Ambient low temp. 3 NA EPA 04-T 4 EPA 07-T 4 EPAll-T 4 EPA 22-T 4 EPA 23-T 4 g EPD01-01 4 EPD02-01 4 EPD03-01 4 HP001-A-INT 4 ' HP002-A-INT 4 HP003-A-INT 4 i a
PRIMARY [ VENT (PC) - INDUCf D llUMAti INTERACil0N Tant E SYS11H: llPI Small LOCA { Cont'd) PE l'[ H[ VIEW SilMillll5 AND l!IlfMN ACIlON CAtl5f NG PE DtSIGNA10R DESCHlPIOR CAIEGORY Silitit us AC l10tl DPERAIOR R[5P0fl5[ 10 PE lillMRKS IIP 005-A-INT 4 IIP 005-C-INT 4 llP006- A-It4 T 4 IIP 006-C-INT 4 IIP 007A-A-INT 4 iip 007A-C-INT 4 lip 0078- A-Illi 4 IIP 0078-C-INT 4 lip 001C-A-ItT 4 ilP0010-A-INT 4 IfP001[-A-INT 4 Y e llP007f-A-INT 4 ilP007G-A-INT 4 IIP 00/ll-A-INT 4 IIP 001-IITR31-INT 4 IIP 001-ilTR32-INT 4
PRIMARY EVENT (PE) - INDUCED lillMAN INTERACTION TAtlLE SYSTEM: HP! Small LOCA (Cont'd) PE PE REVIEW SilMllLUS AND HUMAN ACTION CAUSING PL IILSIGNATOR DESCRIPIOR CATEGORY ST!MULUS ACTION OPERATOR RESPONSE TO PE RfMARKS HP011A-A-INT MOV 842, MOV 843, 2 If during SI, RCS Mini flow recirc or valve 1852 NOFC pressure is >l600 psi line back to RWST - there will be no flow 1862 is manual through pumps which diaphragm valve, will damage them very These valves pre-quickly. Operator vent flow of sump must shut down pumps water to RWST dur-until recirc path is ing recirc mode, reopened or until RCS Procedural and pressure redundant instr. decreases to below the guidance prevent RO shut off head of the from shutting these pumps. (PEP ES-1A) in any mode other than sump recirc. HP013-A-!NT 4 HP014-A-INT 4 HP015-A-INT 4 5 o HP016-EESL4 Small LOCA in RCS 3 Initiate loss of pri Assumes that LOCA cold leg No. 4 mary coolant procedure. is small enough Assure SI system runn such that RCS ; ing and injecting if pressure does not ' RCS <1000 psi. If drop to accumulator
>1600 pst use charging discharge pressure.
system (PEP ES-1A) HP017-A-INT 4 HP018-A-INT 4 HP019-A-INT 4
PRIMARY EVENT (PE) - INDilCED litifMil INTERACTI0tt TAHLE SYSTEH: IIPI Smal' LOCA (Cont'd) PE PL REVIEW SIlttH US AND lillMAN ACil0N CAUSING PC DISI6tMIOR DESCRI PIOlt CAIEGORY Sill 11L US ACil0tl OPERAIOR RESPONSE TO PE RIMARKS IIP 02A-A-INT 4 IIP 02A-C-IN T 4 ilP03A-A-INT 4 tlPO4A-A-INT 4 ilPO4A-C-INT 4 HP33A061-T-INT 4 ItP33A062-T-INT 4 ffP33A063-T-INT 4 ilP33A063-T-0PER 4 ilP33A064-T-INT 4 IIP 33Alll-T-INT 4 5 IIP 33All2-T-INT llP33All3-T-INT 4 ilP33All3-T-0PER 4 HP33All4-1-INT 4 IIP 33Al21-T-INT llP33Al22-T-INT 4 IIP 33Al23-T-INT 4
PRIMARY IVf NT (PE) - IN!)UCf D lillMAN INIERACTION TABl E SYSIIH: iiPI Small LOCA (Cont'd) I'[ l'[ R[ VIEW STIMill115 AND IHIMAri ACI!ON CAtlSING PE
- Ut SIGilATult D[StitlP10R cal [ GORY Si lMlll tis ACl10N OPERA 10R RESPONSE 10 PE RIMAHKS IIP 33A l23-T-OPE R llP33Al24-T-INT 4 IIP 33A191-T-INT 4 ,
1 ilP33A192-T-INI 4 IP33A193-T-INT 4 i ilP33A193-T-0PER 4 IIP 33A194-T-I N T 4 IIP 33A221-T-INT 4 IP33A222-T-INT 4 ilP33A223-T-INT 4 IIP 33A223-T-0PER 4 h flP33A224-T-INT 4
!!P33A231-T-INT 4 IIP 33A232-T-INT 4 IIP 33A233-T-INT 4 IIP 33A233-T-OPER 4 IP33A234-T-INT 4 L
_. . . . ._ m . . _ . _ _ _ _ . _ _ . . . ._ . . _ _ _ - . _ _ . _ ._ . __ _ _ _ _ _ _ _ . _ _ . _ . _ . _ _ _ . _ _ - - _ _ _ _ _ . _ _ . . _ _ . . _ _ _ _ . _ _ PRIMARY EVENT (PE) - INi>UCf D llUMAN INTERACTION TABLE l SYSTEM: HPI Small LOCA (Cont'd) I, PE PE REVIEW STIMlllUS AND litfWe ACil0N CAUSING PE CATEGORY SilMut US ACIION OPERATOR RESPONSE 10 PE RfMARKS , DESIGNATOR DESCRIPIOR j HIG330-T No power to Erit 3 Restore power (PEP EL-1) CCR alarm indicates panel 33A failure ! HTG340-T EHT failure of FF 3 Institute maintenance CCR alarm indicates ! DP 34 repair (PEP EL-1) failure. l
- HT0352-LEF Elec failure of 3 Institute maintenance CCR alarm indicates I line 161 HT ckts repair (PEP EL-1) failure HT352-T-INT Internal failure 3 Institute maintenance CCR alarm indicates of line 161 heat repair (PEP EL-1) failure tracing
] I RWG001-A 4 RWG002-A 4 i SE-HP031-A 4 li SE-NP032-A 4 g w SE-HP033-A 4 SI 11X-1 4 i l SI 21X-1 4 4 l i j 4 1 l W r
PRIMARY EVENT (PE) - INDUCED HUMAff INTERACT!Off TABLE SYSTEM: HPI MED LOCA PE PE REVIEW SilMllLUS AND HUMAN ACil0N Call 5ING PE DESIGNATOR [)ESCRIPTOR CATEGORY SilMULUS ACTION OPERATOR RESP 0tiSE TO PE PEMAliKS CCG601-A 4 CCC602-A 4 CCG603-A 4 EPA-04-T 4 j EPA 07-T 4 EPA 11-T 4 EPA 22-T 4 l EPA 23-T 4 EPD01-01 4 EPD02-01 4 e-- EPD03-01 4 ! $ HP001-A-INT Internal failure 1 LT 920 fails low during Operator shuts 1810 and Shift to sump recirc if Either blockage or of segment 1 SI shifts to sump recirc water is available in leakage of seg 1 mode if sump level is sumps. If not depres- eliminates water above 47'2" elevation surize RCS via PORV and supply to SI pumps. (PEP ES-1A) inject with SI accumu- PT 947 provides SI lators and LP safety pump suct pressure injection using RCS and and could inform SIA volume discharged operator that RWST into containment sump level was normal (PEP ES-1A) 1
. _ _ _ _ _ _ . _ . . _ ._m_._.
i I l PRIMARY EVENT (PE) - INDUCED HUMAN INTERACTION TABLE i SYSIEM: HPI MED LOCA (Cont'd) l PE PE REVIEW STIMULUS AND lluMAN ACTION CAUSING PE
- DESIGNATOR DESCRIPIOR CATEGORY STIMULUS ACTION OfERATOR RESPONSE TO PE REMARKS HP002-A-INT Pump 31 internal 2 Shutdown affected pump Fluctuations in failure and initiate mainten- header flow or ance actions. Two pressure would not q
remaining pumps are identify any single capable of supplying pump, Operator full required HPI flow might secure one (PEP ESI-A) pump at a time to identify problem pump but would dis-cover the real problem during this process and restart pump. HP003-A-INT Pump 32 internal 2 Same as above Same as above fatlure HP004-A-INT Pump 33 internal 2 Same as above Same as above failure j HPDOS-A-INT NOIF of pump 32 3 Isolate pump 32 via Passive components i discharge header 85/A & B and supply flow requirements with pump 31 if flow is to a be via BIT or 33 if flow is direct to cold legs i l 4 i f 4 4 I i 1
PHIMARY t V[tli (PL ) - It3DOU D 1RNIAfi litI[HACilOrt Tant f sysitH: llPI MED LOCA (Cont'd) Pt PL REVlf W Silltit tl5 Af40 lH21Aff ACI!Orl CAllSlflG P[ DISIGNAIOR DL5CHIPIOR CAllGORY SillSHUS ACIlori OPfRA10R HESP0riSf 10 P[ DIMARKS HP005-C-INT Sego nt Na. 5 2 Shut 851B if pump 32 Assumes pump 32 is CKV s52A Reverse idle or shift to idle and 8518 is flow pump 32 and shuttiown 33. open, failure of a liard to diagnose this single injectino problem path flow element could Cause oper-ator to open recirc DaCk to RWST. Redundant data makes this unlikely, flP006- A-IN T f ailure of pung 32 3 Isolate punp 32 with Passsive components discharge header 851A and B and 887A or B HP006-C-!NT Segment No. 5 2 Shut 851A. This would Assumes puthp 32 is CKV 8528 Reverse be a difficult failure idle and 851A is I flow to diagnose since it open. Failure of a would appear as a single flow element l decrease in flow which in injection line m could be the result of could cause oper-several conditions. ator to open recirc back to RUST. Redundant data m4es this unlikely. HP007A-A-INT Internal failure 3 Parallel valve 18528 Assumes 1852A is of segment 7A makes no action neces- plugged - There is sary no reason to shut 1852A so RO is not likely to be induced to shut it.
PRIMARY EVENT (PE) - INDUCFD HtNAfl INTERACTION TABLE SYSTEM: HPI MED LOCA (Cont'd) PE PE REVIEW STIMill(15 AND litNAN ACIION CAllSING PE OLSIGt4AIOR DESCRIPIOR CATE G0ltY SI IMllt.US ACTION OPERATOR RESPONSE TO PE REMARKS HP007A-C-INT Leakage past NC 3 No action required Only occurs f 51 MOV ISS2A since injection flow in progress and BIT would go to cold leg is being bypassed. via Bli path HP0078-A-INT Internal failure 3 Parallel valve 1852A of segment 7B makes no action necessary HP0078-C-INT Leakage past NC 3 same as HP007A-C-INT MOV 1852B HP007C-A-INT Internal failure 3 Parallel valves make no Only reason to shut of segment 7C action necessary valves would be BIT recirc or leakage from bit during $1 HP007D-A-!NT Internal failure 3 Same as above Same as above of segment 7D w HP007E-A-INT Internal failure 2 If plugged or leaking This is a cate- ( of segment 7E bypass BIT via line #56 gory 2 rather than (this is an automatic a 1 since shutting action of PEP ES-1A) off BIT heaters puts you into a Tech Spec LCO HP007F-A-INT Flow diversion to 3 Manually shut 1846 if 1846 is a manually CVCS hold up radiation levels permit operated locked tanks - valve 1846 closed valve opens ,
'9 *e
_ - - - - . _ . _ _- - . - - . -- .. _ _ . _ . - - .- _ _ . - _ - , _ - . . - ~ _ - ._ _ ._- l t PRIMARY EVENT (PE) - INDifCED HUMAN INTERACTION TABLE SYST[M: HP! MED LOCA (Cont'd) i PE PE REVIEW STIMULUS AND HUMAN ACTION CAUSING PE ! DESIGtMIOR DESCRIPT0R CATEGOGY STIHutOS ACTION OPERATOR RESPONSE 10 PE PfMARKS HP007G- A-INT Valve 1851B inter- 3 Redundant valves. No Open only to recirc nal failure effect unless both fall BIT together. Both fail closed on loss of IA j No action necessary HP007H-A-INT Valve 1851A inter- 3 Same as above Same as above nal failure HP007-HTP31-INT Internal faults of 2 Restore heater With no BIT heat,
, BIT heater 31 (ON0P EL-1). If temp boric acid will drops below 145' tech solidify plugging specs require shutdown bit, of Rx to hot shutdown This is a Cate- ' within 48 hrs. If gory 2 rather than >l45' but one heater a 1 since shutting i is out hot shutdown off bit heaters is within 7 days a tech spec LCO.
i HP007-HTR32-INT Internal faults of 2 Same as above Same as above r. I BIT heater 32 l @@ HP013-A-INT Cold leg #2 injec- 1 High flow or low pres- Operator concludes that Most likely failure is This path bypasses tion path failure sure indication in one LOCA is in the injec- line break down stream BIT injection line during tion line itself down- of isolation valve and HP014-A-INT Cold leg #3 injec- 1 SI stream of FT. He iso- downstream of FT
; tion path failure lates the line to resulting in LOCA. A i
FT 981 = CL2 prevent loss of water high flow / low pressure HP015-A-INT Cold leg #1 injec- 1 980 = CL3 from SI out the sup- indication indicates tion path failure 926 = CLI posed break. (PEP such a leak. R0 shuts PT 922 = Line press ES-IA) isolation valve for I (press, not likely to affected loop and path cause problem) (PEP ES-1A) l i i l
_ _ - . _ ~ . . -- . - . .- . _ _ -- ._ . _ _ _ - - _ . _ _ _ _ _- . .. . . . _ . - _ _ _ _ _ _ PRIMARY EVENT (PE) - INDUCED HUMAN INTERACil0N TABLE i SYSTEM: HPI MED LOCA (Cant'd) l PE PE REVIEW SilMtilUS AND Htf4AN ACil0N CAUSING PE DESIGNAIOR DESCRIPIOR CATEGORY SilMUL US ACI10N OPERATOR RESPONSE 10 PE REMARKS HP017- A-INT Cold leg #2 injec- 1 Same as above Operator concludes that Most likely failure is This path goes tion path failure LOCA is in the injec- line break downstream through BIT J FT 925 = CL2 tion line itself down- of isolation valve and HP018-A-INT Cold leg #3 injec- 1 926A = CL3 stream of FT. He iso- downstream of FT result-tion path failure 924A = CLI lates the line to ing in LOCA. A high PT 922 line pressure prevent loss of water flow / low pressure indi-HP019-A-INT Cold leg #1 injec- I from SI out the sup- cation indicates such a tion path failure posed break. leak. RO shuts isola-(PEP ES-1A) tion valve for affected loop and path (PEP ES-1A) HP02A-A-!NT Valve 849A, 850A, 3 No flow increase in Passive - valves or 848A fails response to SI pump 31 are locked open closed start. If 848A indica- manually operated tion of pump cavita-tion. If 849A or 850A indication of high flow on F1 950 (recirc to ' RWST). Shut off pump SI 31. Restore proper line up - restart pump m (PEP ES-1A) i HP02A-C-INT Segment 2A CKV 3 Operator may not diag- Assumes SI 33 not 849A reverse flow nose the problem running and dis-charge path is via BIT HP03A-A-INT MOV BS7A, 8878 2 Shut off SI 32 Only af fects SI 32 fatis closed Open 897 A and 8 pump cavitates (low Restart SI 32 (not suction pressure). addressed by ONOP or In recirc mode 887 i PEP) prevents water loss due to break down stream of 848A or B i
I PRIMARY EVENT (PE) - INDUCED HtlMAN INTERACTION TABLE i
! SYSTEM: HPI MED LOCA (Cont'd) 4 PE PE REVIEW SilMULUS AND IRPMN ACTION CAUSING PE DESIGNAIOR DESCRIPTOR CAIEGORY SilMULUS ACil0N OPERAIDR RESPONSE 10 PE RI MARKS l HPO4A-A-INT Valve 8498, 8508, 3 Same as HPO?A-A-INT for 14anual valves or 8488 falls pump SI 33 closed HPO4A-C-INT Segment 4A CKV 3 Operator may not diag- Passive components 8498 Reverse flow nose the problem i
j HP33A061-T-INT Failure of local 3 Institute maintenanca CCR alarm indicates controls EHT PNL repair (ONDP EL-1) failure 33A CKT 6 HP33A062-T-INT EHT PNL 33A CKT 6 3 Operator aligns redur>d- CCR alarm indicates Primary tracing ant circuit and insti- failure I fails tutes maintenance
; repair (ONOP EL-1)
HP33A063-T-INT Internal failure 3 Institute maintenance CCR alarm indicates of EHT panel 33A repair (ONOP EL-1) failure CKT 6 redundant tracing p.
~4 i
HP33A063-T-0PER Operator fails to 5 Align redundant tracing C3
. align redundant (0NOPEL-1) tracing I
4 I i 1
/
l l l i 8 i ,
... ~ . . - _.__ - - .- - .- -.- - - ._ . . _ - _ _ . - . . . _ . - . _ - __.. _ - . - . ~. . - -. _ _ _
l PRIMARY EVENT (PE) - INDtX[0 llUfMil INTERACTI0fl TABLE 4 SYST[H: HPI MED LOCA (Cont'd)
. PE PE REvitW SilaitOS AND lluf%fi ACTION CAUSING PE DESIGNATOR DESCRIPTOR CAi[GURY SilMULUS AC T IOil OPERAIOR RESPON5E TO PE RfMARKS HP33A064-T-INT EHT PNL 33A CKT 6 3 None - no indication I 1 alarm failure will tell the operator the alarm has failed j HP33A111-T-INT Failure of local 3 Institute maintenance CCR alarm indicates controls EHT repair (ONOP EL-1) failure PNL 33A CKT 11 l HP33A112-T-INT EHT PNL 33A CKT 11 3 Operator aligns redund- CCR alarm indicates primary tracing ant circuit and insti- failure j fails tutes maintenance repair (ONOP EL-1)
HP33A113-T-!NT Internal failure 3 Institute maintenance CCR alarm indicates l of EHf PNL 33A repair (ONOP EL-1) failure i CKT 11 redundant
! tracing j HP33A113-T-0PER Operator fails to 5 Align redundant tracing j align redundant (ONOP EL-1) ~
j tracing y , i HP33A114-T-INT EHT PFL 33A CKT 11 3 None - no indication i alarm failure will tell the operator the alarm has failed HP33A121-1-INT Failure of local 3 Institute maintenance CCR alarm indicates j controls EHT repair (ON0P EL-1) failure PNL 33A CKT 12 I i I i i 4 i I 1 l i
, _ _ . . . - _ - - . . - . . _ _ _ - - - _ _ - - - - _ - . _ . _ - - _, ... . . _ ~ . . - - - . - . - . . . . . - . - . _ _ - , . - . . .
j i 4 I PRIMARY EVENT (PE) - INDUCED HUMAN INTERACTION TABLE SYSTEM: HPI MED LOCA (Cont'd) j PE PE RLVIEW StittitOS AND HurRN ACTION CMSING PE ! j DLSIG W OR DESCRIPIOR CATEGOR f ST IWLUS ACTION OPERATOR RESPONSE TO PE REMNTR S I I HP33A122-T-!!.T EHT PNL 33A CKT 12 3 Operator aligns redund- CCR alarm indicates l l primary tracing ant circuit and insti- failure
' ails l 1 tutes maintenance ,
repair (ONOP EL-1) f hP33A123-T-!NT Internal failure 3 institute maintenance CCR alarm indicates I i cf EHT PNL 33A repair (ONOP EL-1) failure !
! CKT 12 redundant j tracing g i
]4 HP33A!23-T-OPER Operator fails to 5 Align redundant tracing align redundant (ONOP EL-1) tracing f HP33A-124-T-INT EHT PNL 33A CKT 12 3 None - no indication. .
.) alarm failure will inform the oper '
I ator that the alarm has j failed _ i HP33A191-T-INT Failure of local 3 Institute snaintenance CCR alarm indicates ~ controls EHT PNL 33A CKT 19 repair (ONCP EL-1) failure U ' 1 I HP33A192-T-INT EHT P!L 33A CKT 19 3 Operator aligns redund- CCR alarm indicates
} primary tracing ant circuit and insti- f ai lure j fails tutes maintenance , repair (CNOP EL-1) 3 ^
HP33A193-T-INT Internal failure 3 Institute maintenance CCR alarm indicates of EHT PNL 33A repair (ONOP EL-1) failure j CKT 19 redundant tracing i E 1 d 4 . i
= _ _ _ _ . _ . . . . _ _ _ _ _ - . _ . _ _ _ . _ . - . , _ . __ _ _ _ _ _. _ _ _ _ _ _ . . . . _ _ _ . _ _ . . , _ _ _ . . . _ . _ . _ - -.._.____.m, _. _ _ _ _ _ _ _ .
I f ( PRIMARY EVENT (PE) - lNDUCED IREMN INTERACTION TABLE i l SYSTEM: HPI MED LOCA (Cont'd) PE PE REVIEW STIMULUS AND HUf4AN ACil0N CAUSING PE DESIGNAIOR DESCRIPIDR CATE GORY Si t ttn.US ACIl0N OPERATOR RESPONSE TO PE REMARKS HP33A193-T-0PER Operator fails to 5 Align redundant tracing I align redundant (ONOP EL-1) j tracing 4 HP33A194-T-INT EHT PNL 33A CKT 19 3 None - no indication will inform the oper-i alarm failure I ator that the alarm has failed HP33A221-T-INT Failure of local 3 Institute maintenance CCR alarm indicates controls EHT repair (ONOP EL-1) failure ]' PNL 33A CKT 22 i EHT PNL 33A CKT 22 3 Operator aligns redund- CCR alarm indicates HP33A222-T-INT i primary tracing ant circuit and insti- failure falls tutes maintenance repair (ONOP EL-1) HP33A223-T-INT Internal failure 3 Institute maintenance CCR alarm indicates of EHT PNL 33A repair (ONDP EL-1) failure tj CKT 22 redundant co j j tracing HP33A223-T-0PER Operator fails to 5 Align redundant tracing
; align redundant (ONOP EL-1) i tracing HP33A224-T-INT EHT PNL 33A CKT 22 3 None - no indication I. alarm failure will inform the oper-ator that the alarm has failed l
l 1 l i 4 i
_ _ _ _ _ _ __ . _ .__ .__ _ _ _ _ . - _ _ _. __. _~_ __ .m _ _ _ _ . = _ _ __ _ , . _ . _ _ _ _ _ _ _ _ __ . _ _ _ _ _ _ l PRIMARY EVENT (PE) - INDULED 1RIMAN INTERACil0N TABLE 4 SYSTEM: HPI MED LOCA (Cont'd) 4 PL PE REVIEW SilMlflUS AND liffiAN ACil0N CAlnlNG PE DESIGNAIOR DESCRIP10R CATEGORY SilMutOS ACTION OPERATOR RESPONSE 10 PE RIMAPKS HP33A231-T-INT Failure of local 3 In*titute maintenance CCR alarm indicates. j controls EHT repair (ONOP EL-1) failure PNL 33A CKT 23
$ HP33A232-T-INT EHT PNL 33A CKT 23 3 Operator aligns redund- CCR alarm indicates l primary tracing ant circuit and insti- failure fails tutes maintenance i
repair (0N0P EL-1) 4 HP33A233-T-!NT Internal failure 3 Inst'itute maintenance CCR alarm indicates i of EHT PNL 33A repair (ONOP EL-1) failure t CKT 23 redundant tracing ] HP33A233-T-0PER Operator fails to 5 Align redundant tracing i align redundant (0NOP EL-1) ., tracing HP33A234-T-INT EHT PNL 33A CKT 23 3 None - no indication
! alarm failure will inform the oper- -
.! ator that the alarm has y failed. t HTG330-T No PWR to EHT 3 Restore power (ONOP EL-1) CCR alarm indicates PNL 33A failure RWG001-A 4 j RWG002-A 4
- j. SEMP031-A 4 p
, SEHP032-A 4 l
i .i l 1
175 1 1 9 4 e e 5 e
- I h
a G c N+
. I d h =
C L M ts 5 N w ete
=
N N = = 0 W C
- s.*
A bw U C =
=_ ! . '9 .W = O< '
E
- s
- M b O <
C
= =
U
' = = ;
e- ~ l w < i W b.
= -2 ~_
M M w NZ l
> W = D*
L w_ b "d
> er er er kaa - l 3<
W
~
C I o ~- I U w1 L l I w-et l := U w Q f d W C W ene r#
- f. <.
I
** M q $ $ .d I m X M -w b .d. C M n m. rv / ,' ; m .* > w w w A / B
_ _ _ _ . . _ . ___ ... , _ . . . _ _ . _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _____. ____ _ _ . _ . . _ _ _ _ _ . . _ _ . _ _ _ _ _ . . . _ _ _ _ _ _ . . _ . _ _ _ . _ . . _ ~ . . _ _ I PRIMARY EVENT (PE) - INDUCED lluMAN INTERACTION TABLE SYSIEM: Pressurfrer(PZRL PE PE REVIEli STIMULUS ANO liit1AN ACTION CAU5ING PE DESIGP:ATOR DESERIPIOR CATEGORY STIMULUS ACil0N OPERAIOR RESPONSE TO PE R[ MARKS CCG1000-A No IFF in CCW 4 l Loop 2 EPA 04-T-LSI 4 EPA 07-T-LSI 4 EPAll-T-LSI 4 EPA 14-T-LSI 4 i 2 EPA 22-T 4 EPA 23-T 4 EPD01-01 4 EPD01-31 4 . t EPD02-01 4 - N EPD02-32 4 EPD2-- 4 IAG01 4 1 1
. . _ - - ..-------.___- .-. . _ . _ . _ - . - - _ - - ~ - . .. . ~_ - - . - _ . ..__ _ ._ - - . -._. .
II i i PRIMARY EVENT (PE) - INDUCED HUMAN INTERACTION TABLE i ! SYSilM: Pressurizer (P2R) (Cont'd) l + PE PE REVIEW SIIMlltOS AND lalMAN ACTION CAU5ING PE f ULSIGNAIOR DESCRIPIOR CATE GORY STIMULUS ACIION OPERAIOR RESPONSE TO PE REMARKS LT459-A Probably RPS level 3 Place L/460 in Defeat 1. LT 459 is Channel 1. i channel fails low Restore normal plant Automatic action
- conditions of letdown depends upon post-
! and charging. tion of L/460A. If , Take affected channel in Defeat I there i out of service - Trip is no auto action , all RPS trips from as a result of j affected channel (0NOP failure high or
; RPC-1) low.
Defeat 2 or 3 l LT 459 falls low
- 1) Low level i
alarm < 4
- 2) Prir heaters ;
) off
- 3) Letdown iso-
- lation
- 4) Max Chg Pump j Speed -
i
- 5) 1 Trip signal w N
needs 2/3 Defeat 2 or 3
- LT 459 falls high 4
- 1) High level .
alarm t { 2) All przr a heaters on
- 3) Charging i Pumps to min speed
- 4) 1 Trip sig-
! nal - needs j 2/3 i
1 1
! i i )
. - . . ~ . . _ . - . ~ . _ _ . - - . _ . _ _ - _ _ . .___~.... _..-.~ - . _ _ -. . _ . _ . . ~ . _ - . . - _ . - ~ . _ . . . . _ - -
l PRIMARY EVENT (PE) - INDUCED Htf4AN INTERACil0N TABLE t 1 SYSTEM: Pressurizer (PZR) (Cont'd) I . J PL PE REVIEW STIMutOS AND litMAN ACTION CAU$ LNG PE DESIGMTOR DESCRIP10R CATEGORY STIMULUS ACTION OPERATOR RESPONSE TO PE REMARKS {
! LT459-B RPS Level channel 3 Switch to Defeat 3.
I fails High Restore normal plant conditions (ONOP RPC-1) , LT461-A RPS Level sensor 3 Switch to Defeat 3. LT 461 is channel 3 fails low Restore ncrmal plant in Defeat 1 LT 461 i -I ' conditions (ONOP RPC-1) low gives ] 1) Low level
! alarm !
- 2) Przr heaters l off i
- 3) Letdown isolation ,
- 4) Max Chg Pup Speed .
- 5) 1 Trip sig-nal - needs 2/3 4 LT 461 High gives
- 1) High level ~
alarm y
- 2) All przr heaters on
; 3) Charge Pumps to min speed
- 4) 1 Trip signal needs 2/3
; In Defeat 2 LT 461 low
- 1) Low level
{ alarn
- 2) All przr 1
heaters off } 3) Letdown iso-t lation li 4) 1 Trip signal k ,. i t l I L i
._._- _ _ __..-._ _ _ _ _ _. _ _.. _ ,._ _ _ .. _.__. . . _ , , _..__._mm___ _ . _ _ _ - . _ _ _ . . _ _ . _ _ _ _ _ . _ - _ . _ , . _
i 4 PRIMARY EVENT (PE) - INDUCED HUMAN INTERACil0N TABLE I :
?
SYSILH: Pressurizer (PZR) (Cont'd) i PE PE REVIEW SilMil(US AND liif4AN AC110N CAllSING PC ULSIGimTOR DESCRIPlott CATEGORY STIMilt OS ACTION OPERATOR RESPONSE IO PE RtMARKS l } LT461-A (Cont'd) LT 461 high 'I 3
- 1) High level s
alarm
- 2) 1 Trip signal LT461-S RPS Level channel 3 In all cases defeat the fails high affected channel and i
restore plant condi- ] tions to normal. Take 1 channel out of service. 4 Trip all RPS trips for that E nnel, t Reactor trip and safety l injection functions are independent of switch ;
~
I position for all 1 channels. (0NOP RPC-1) ; } PT456-A RPS Pressure chan. 3 PT-456 is Channel 12
- nel fails low In Defeat 1-4 or 3-4 - l Fails High U I I 1) Open PCV 456 l t
(poev) signal * ! prevented by ; 3 Ch III j 2) High Press 4 Alarm .
- 3) One lip trip
, signal i 4) OTai setpoint j increases
- 5) Unblock safety I
injection 4 4 I i i j i ) 6 s s J i 4
. _ _ _ _ _ _ _ -w. +m.----* -,-.. -- -
f I l I s PRIMARY EVENT (PE) - INDUCED HtNAN INTERACTION TABLE SYSitH: Pressurizer (PZR1 (Cont'd) PE PE REVIEW SilMulUS AND IRNAN ACil0N CAllSING PE i DLSIGNATOR DESCRIPIOR CATIGORY SilMULUS ' ACil0N OPERAIUR ItESPONSE TO PC RLMAPKS , I* i PT456-A (Cont'd) f88 35 LOW ! i j 1) Low press
- 3 alarn j
- 2) One LP trip !
I signal
- 3) OTAT setpoint ,
; decreases
- 4) LP safety ,
l injection 1/4 l j needs 2/4 ' ? ! PT456-B RPS Pressure chan- 3 Same as above Same as above nel fails high i I' PT457-A RPS Pressure chan. 3 Same as above PT 457 is Channel 3 nel fails low In Defeat 1-4 (no
, function in any j 4
other switch position) l Fails High $ f } I) PCV 455C arms I
- 2) Spray valves i open j
- 3) High alarm ,
l 4) Back up Htrs off
- 5) Modulating i
! Heaters off
- 6) Unblicks SI :
t i I l l
___ _ _. _ .m .m..__._._.__ __ _ _ _ . _ _ _ _ _ _ _ . _ _ . _ m __ _ _ . . . _ . . _ _ _ _ _ _ _ _ __._ .. _ _ _ _ .._ - . - _ - . _ _ _ .- . I f PRIWARY EVENT (PE) - INIHKED itUMAN INTERACTIOH TABLE t i j SYSitM- Pressurizer (PZR) (Cont'd) PE PE REVIEW SIIMULUS AND ifMMAN ACTION CAtlSING PE 4 DESIGMIOR DESERIPTOR CAIIGORY SilMULUS ACIION OPERATOR RESPONSE to PE RIMARKS PT457-A (Cont'd) Falls Low
- 1) Low alarm
- 2) LP safety injection 1/4 - i needs 2/4 j 3) Back up heaters
) on 4 4) Modulating
- Heaters Max
, PT457-8 RPS Pressure chan- 3 Same as above Same as above 1 nel fails high - PT474-A RPS Pressure chan- 3 Same as above PT 474 i nel fails low Fails Hlqh I Arms PORVs f Falls low ~ ! oo Low press alarm 1 j PT474-8 RPS Pressure 3 Same as above Same as above channel fails high .' PZBLKV-NOA Operator does not 5 Same as above r j close block valve PZLREF-A Reactor control 2 Take manual control of ~. system inputs low PRZR level - Restore, I (LRef) level level to program level f signal (ONOP RPC-1) ,
+
j 1 1 i 3
. - - - - - _ . - . . . - - - - - . . . . - - - . - . . _ - . . _ . _ . - _ - . _ . - . _ _ _ _ _ . . -. --..~ -- - - -- - . . _ - .
i i i i l PRIMARY EVENT (PE) - INDUCED lRf4AN INTERACTION TABLE j i i ]; SYSTEM: Pressurizer (PZR) (Cont'd) t i ! PE PE REVIEW SIIMuttl5 AND IR#1A1 ACil0N CAUSING PE 4 DLStGNATOR DESCRIPIOR CAIEGORY STIMLfLUS ACTION nPERAIOR RESPONSE TO PE REMARKS l l PZLREF-B Reactor 2 4! control system ' t inputs high (LRef) level signal PZN23-A Motive nitrogen 1 Indication of leakage Operator shuts block Valve normally shut. . i supply lost - PORV due to acoustic monitor valve (ONOP RCS-2) No action required. ! j PCV-455C fails tail pipe temp or valve Failure of one leaves closed position one PORV operational. I
]
l PZ N26- A Motive nitrogen 1 Indication of leakage Operator shuts block Valve normally shut. I supply lost - due to acoustic monitor valve (ONOP RCS-2) No action required. ' PCV-456 fails tail pipe temp or valve Failure of one leaves closed position one PORV operational. l l PZOPI Overpressurization 2 Shut associated block This causes one or protection system valve (ONOP RCS-2) both PORVs to open inadvertent open
! signal ;
w
. PZ200-OPN PZR SRV fails open 3 Pressurizer steam space $ !
) LOCA initiate SI, Rx I j Trip (PEP ES-1A)
, PZ301-A Local f ault - PORV 1 Evidence of PORV Operator shuts block No action possible.
} PCV-455C fails leakage valve (ONOP RCS-2) PCV-456 provides r closed protection. i PZ301-B Local fault opens 2 Steam space LOCA shut Operator can open
- PORY PORV but would have block valve (ONOP RCS-2 and PEP ES-1A) ample redundant instrumentation and 4
procedur al guidance, a 1 ! i e f f f i
. 1 }
} ! 1
--- _ _ _ . _ _ .. -_._ m. ___ _.___.__._______.___.._--__.m _ . . _ _ _ _ _ _ . - . _ ~ _ . . -_ . . . - -
PRIMARY EVENT (PE) - INDUEED HUMAN INTERACTION TABLE i SYSILM: Pressurizer (PZR) (Cont'd) I j PE PE REVIEW SilMULUS AND lit #4AN ACil0N CAUSING PE ' DLSIGNATOR DESCRIPIOR CAIEGORY SilMutOS ACil04 OPERATOR RESPONSE TO PE REMARKS
~
i j PZ335-INT Local f ault of 1 Evidence of PORV Operator shuts block No action possible. Only important if : l block valve leakage valve (ONOP RCS-2) Valve normally open valve fall shut i i when PORV is needed ! or falls open when l l PORV also fails [ open f PZ336-INT Local fault of I Same as above Same as above Same as above Same as above ' block valve ! l 1 PZ351-A Local fault - PORY 1 same as 301-A same as 301-A same as 301-A same as 301-A i l PCV-456 fails i closed l
- PZ351-8 Local f ault opens 2 same as 301-B same as 301-B same as 301-B same as 301-B j PORV PCV-456 f PZ356-B Local fault in 3 Single channel failure PORV requires
! pressure sensor does not open PORV but ? channels to be j channel can prevent it from nigh to open
! opening. Other channel CD j remains operative. " ,
No action required. i I PZ400-D Rupture of PZR 1 LOCA from cold leg or } spray line steam space depending ] upon which side of the j spray valve 1 PZ401-A Local fault - 2 Control press using There are two spray piping clogs heaters. Use aux spray parallel valves up if AT not too great. (040P RCS-2) ! i [ i l I s I s
. . . , . - - .. -- , - - - - -- ----- .2
. - _ _ _ - . _ . _ . _ - . - _ - _ _ _ - - . - - - - - - ~ _ _ _ - _ _ . . - - . . . . - - _ _ _ _ . . _ . .
I t PRIMARY EVENT (PE) - INDUCED fluMAN INTERACTION TABLE i SYSTEM: Pressurizer (PZR) (Cont'd) PE PE REVIEW SilMULUS AND HUMAN ACTION CAUSING PE !' DESIGMAIOR DESCRIPIOR CAIEGORY STIMutOS ACTION OPERAIDR RESPONSE TO PE REMARKS PZ401-B Local f ault - one 2 Place controllers in Loss of RCS pressurlier t or more PZR spray manual and close. If control. .l valves fall open not successful, then I ' remove fuses (ONOP j RCS-2) ! PZ501A Local f ault within 2 Manually energize heat- Slow loss of PZR heaters - foo ers (ONOP RCS-2) pressure i heat output ! PZ501-B Local fault PZR 2 Take manual control of Spray can more than I J heater power / heaters. (ONOP RCS-2) keep up with heat-centrol compo- ! ers. ; j nents - Raises I pressure i j PZ601-A Local f ault within 2 Take manual control of All trips are I PZR press control heaters and spray. active sys - Icwers i (ONOP RCS-2) pressure sa . 1 00 i PZ601-B Local f ault within 2 Same as above Same as above 4 d PZR press control i i 4 sys - raises pressure , 1 l 1 PZ701-A Local f ault within 2 Take manual control of All trips active 9 PZR level control charging pump speed. [ system - lowers Maintain program level. level (0NDP RCS-3)
\
r , l l I 3 L l t s i I i, 1 : t i 4
i PRIMARY EVENI (PC) - INDUCED HlMAN INTERACil0N TABLE E SY5itM: Pressurizer (PZR) (Cont'd) PL PE REVIEW Si!MlftOS AND IRN4AN AC1!ON CAUSING PC i DE51GrmTOR DESCRIPIOR CAIEGORY SIIMtit us ACI10N OPERAIOR RESPONSE TO PC REMr#K5 PZ701-B Local f: ult in PZR 2 Take manual control of All trips active -
- level control sys- charging pump speed.
tem causes high Maintain program level. , level (ONOP RCS-3) RCPM03-INT Manual valves 4 Loss of CCW to RCP 771C, 772C, 773C Motor Bearings j FC for RCP 33 .
; motor cooling s RCPM04-INT Manual valves 4 Same as above i 7710, 772D, 7730 for RCP 34 motor cooling i
i TRET98-F Losses of coolant 4 4 flow other than a CCW .# rom transient, t i FT ~
- l 00 1 @
i ! j , 3 1 ; i i i k [ t t i
- l l
i 1 l 1 3 t e,
,%.p 1
i I
)
i
--e
_. . . _ . _ . . _ _ _ _ _ _ _ . _ _ _ _ _ . _ _ _ _ . _ _ _ _ - _ . _ _ . . _ _ _ . . . _ _ _ _ . _ _ _ _ _ _ _ _ . _ _ _ -__m m__._ l c PRIMARY EVENT (PE) - INDUCED IR#UtN INTERACTION TABLE 4 i SYSTEM: Charging (CV) l PE PE REVIEW SilMutU5 AND IR#iAN ACTION CAHilNG PE DE51GNA10R DESCRIPIOR CATEGORY SilMutus ACIl0N OPERATOR RESPONSE TO PE REMARKS CCG800-A NOIF CCW and city 4 water to CHG pump 31 coolers i CCGS04-A N01F CCW and city 4 water to CHG . l pump 32 coolers ! i CCG805-A NOIF CCW and city 4 l water to CHG j puxp 33 c5olers [
, CVCHE01 Level transmitter 3 Isolate charging and LT-112 fails,
! letdown. (DNOP CVCS-2) j CVCHE02 Level controller 3 Isolate charging and Operator cannot ! LC-112B or control circuit fall letdown. (ONOP CVCS-2) cause an action . l which would cause i the same effect as i i Transmitters / Controllers ; failing, g; CVCHE03 Level controller 3 Isolate charging and CD ! LC-112C or control I l circuit fall. letdown. (ONOP CVCS-2) I CVCHE04 Valve LCv1128 3 ! fails to open. Initiate boration via This failure makeup control or emer- assumes makeup from - gency boration valve. PWST is r.ecessary. )- (ONOP CVCS-2) There is no oper-i ator action the same as a valve not opening when called on to do so. I 2 4 I l f .l 4
PRIMARY EVENT (PE) - INDUCED HUMAN INTERACTION TABLE SYSTEM: Charging (CV) (Cont'd) PE PE REVIEW SilMutuS AND IRPMN ACI!ON CAUSING PE DESIGrniOR DESCRIPIOR CATEGORY ST ! **" ' ' ACTION OPERATOR RESPONSE TO FC REMARKS CVCH01-A Check valves 2108 2 Shift charging to low failure of and 210D fail alternate path. FT-128 could cause closed. (ONOP CVC5-1) operator action but seal injection flow rates not changing makes this unlikely. CVCH03-A Check valves 210A 2 Same as above. and 210C fait closed.
- CYCH02-A Air operated valve 2 Shif t charging to low failure of 204 B fall closed. alternate path. FT-128 could cause (ONOP CVCS-1) operate action but position indication not changing makes this unlikely.
CVCH04-A Air operated valve 3 There is no oper- ;j 204 A fails to ator action the %a open on demand. same as a valve not opening when called on to do so. CVCH07-A-INT Valves 374 or 142 2 Instruct field operator Low failure of fall closed. to open HCV-142 bypass FT-128 could cause (227) (no procedural operator action but Reference, but addres- seal injection flow sed in CVCS System rates not changing Description) makes this unlikely. I
PRIMARY EUENT (PE) - INDUC[D IRIMAN INTERACil0N TABLE SYSTEM: Charging (CV) (Cont'd) PE PE REVIEW STIMULUS AND HilMAN ACTION CAtl5ING PE DESIGNATOR DESCRIP1DR cal [GDRY STIMutOS ' ACil0N OPERAIOR RESPONSE TO PE R[ MARKS CVCH09-A-!NT LCVil2 or check 3 valve 292 fail There is no oper-closed. ator action similiar. CVCH ll-A-INT Valve FCV 1108 3 fails to open or There is no oper-valve 297 (no) ator action fails closed. simliar. CVCH12-A-INT Blender fails. 3 If boration is neces-sary use suction from RWST. (ONOP CVCS-2/3) CVCH13-A-INT CV328 fails to 3 Open MOV-333 as needed open or XV329 If cause is FT-110 (N0FC) for boration. failure, operator (040P CVCS-2/3) might suspect FCV-110A failure. CVCH14-A-!NT CV 321 falls to 3 Instruct field operator open or XV 326 If cause is FT-Ill to operate manual valve failure operator >" (N0FC) 293 for dilution as might suspect @o necessary. (ONOP CVCS-2) FCV-Illa failure. CVCH15-A-INT FCV 110A fatis 3 Open MOV-333 as needed closed. Probable cause is for boration. FT-110 failure or (ONOP CVCS-2/3) diaphram separat ion. CVCH16-A-!NT FCVlllA falls to 3 Instruct field operator open. Probable cause is to operate manual FT-Ill failure or valvt 293 for dilution diaphram as necessary, separation. (ONOP CVCS-2)
PRIMARY EVENT (PE) - INDUCED IfUMAN INTERACil0N TABLE SYSilH: Charging (CV) (Cont'd) PE PE REVIEW SilMlltUS AND lillMAN ACIION CAUSING PE DESIGNATOR DESCRIPT0R CATEGORY silMULUS ACTION OPERATOR RESPONSE 10 PE RE MARKS CVCH17-A-INT Filter or flow 3 Instruct field oper-meter plugged. ators to operate manual valve 293 for dilution as necessary. (ONOP CVCS-2) CVCH18-A-INT Boric acid trans- 3 Start or ensure Both pumps norm-fer pump 31 fails #32 pump is running. ally running. to start. (ONOP CVCS-2) CVCH19-A-INT Boric acid tank 31 3 Borate using RWST as fails to supply. necessary. (ON0P CVCS-2) CVCH20-A-INT Failure of elec- 3 tric heater in Bat. 31 CVCH-HU-01 Operator falls to 5 When the oversight is actuate the suc- identified, actuate tion to RWST. suction to RWST. ** (ONOP CVCS-2) $3 CVCH-HU-02 Operator fails to 5 When the oversight is start a second identified, start a pump, second pump. (ONDP CVCS-2) CVLO2-A-INT Regen, HX falls. 4 CVLO9-A-!NT VCT rupture 4 CV-LOLD Loss of letdawn 4 flow i
PRIMARY EVENT (PE) - INDUCED IfuMAN INTERACil0N 1ABLE , SYSTEM: Charging (CV) (Cont'd) PE PE REVIEW SilMtHilS AND HttiAN ACil0N CAUSING PE DESIGNATOR DESCRIPIOR CAIEGORY SilMilLUS ACil0N OPERATOR RESPONSE TO PE REMARKS 1 DC-- Loss of DC power 4 l at level inst. and controller (supply not found) EDA 04-T-LSI 4 EPAll-T-LSI 4 EPA 14-T-LSI 4 EPA 21-T 4 i EPA 22-T 4 1 EPD01-01 4 i EPD01-31 4 EPD02-01 4 m EPD03-01 4 O IA601 4 PM--- No primary make up 3 Check P.W. pumps run-water goes to ning and valving valve FCV111A aligned. Supply P.W. , to chg pumps via FCV 110A if possible. (0NOP CVCS-2)
PRIMARY EVENT (PE) - INDUCED IR#4AN INTERACTION TABLE SYSTEM: Charging (CV) (Cont'd) , PE PE REVIEW STIMULUS AND IRIMAN ACil0N CAU5ING PE DESIGNATOR DESCRIPIOR CATEGORY SilMilt VS ACil0N OPERATOR RESPONSE TO PE REMARKS RCV01-A-INT Pipe, valve. 3 Start #32 or #33 pump. charging pump or (ONOP CVCS-1) motor of train 31 fails. RCV024-INT Same, train 32 3 Start #31 or #33 pump. (ONOP CVCS-1) RCV03-A-INT Same, train 33 3 Start #31 or #32 pump. . (0NOP CVCS-1) RCV05-A-INT Valve 289 fatis 3 Ensure #31 charging closed pump is running or secure charging and letdown. (ONOP CVCS-1) RNG001-A No water available 4 from RWST RNG002-A NOIF through RWST 4 - line 155 $ 4 1 l
PRIMARY EVENT (PE) - INDUCID litlMAN INTERACTION TABLE SYSTEM: Letdown (C)L) PE ?. HEVi[W SilHittJS AND lillMAN ACTION CAtl5tNG PE DESIGNAIOR DESCRIPIOR CAltGORY SilHJLUS ACil0N OPERAIOR RESPONSE TO PE RIMAPKS CCG1000-A N0!ff in CCW Lo';p 4 2 CVLD-HU-01 No op. action for 5 ex. letdown in service CVLE01 Control circuit 3 Isolate charging and for valve PCV 135 fails letcown (0NOP CVCS-1)' CVL01-A-INT Letdown isolation 1 FT-128 falls low Close LCV-459 & LCV-460 Reduce charging pump valves fail Operator may sub-speed to min. Place sequently c hck RCP i excess letdown in serv- seal injection flow ice. (0NOP-CVCS-1) rates to confirm low flow and then reopen the valves that were closed. CVLO2-A-INT Regen. HX rupture 3 Secure charging and g letdown (ONOP CVCS-1) m CVLO3-A-INT Superccmponent 3 fails itself If failure obstru' cts letdown flow secure or reduce charging - use excess letdown. If failure is a leak iso-late letdown and pro-ceed as above. - (ON0P CVC$-1) CVLO4-A-INT Cont. isolation 3 Secure charging valves fall (ON0P CVCS-1)
PRIMARY Et'ENT (PE) - INDUCf D ifUMAN INTERACil0N TABLE SYSTEM: CVL (Cont'd) PE PE REVIEW SilMlllOS AND HINAN ACil0N CAUSING PE DESIGNATOR DESCRIPIOR CAIE GORY STIMtnUS ACTION OPERATOR RESPONSE TO PE PfMARKS CVLOS-A-INT Non-regen. HX 3 Isolate charging and fails letdown. (ONOP CVCS-1) j CVLO6-A-!NT Valves PCV 135 or 3 Isolate charging and TCV 149 fail letdown (ONOP CVCS-1) CVLO8-A-INT Reactor coolant 3 Secure charging and filter plugged letdown shift to excess letdown and seal injection. (ONOP CVCS-1) CVLO9-A-INT VCT fails 3 Letdown to waste system as necessary. Charge from blender. Isolate VCT. (0NOP CVCS-1/2) CVL10-A-INT Isolation valves 3 Secure excess letdown 213A or 2138 fall operations to open (0NOP CVCS-1/2) g CVL11-A-INT Excess letdown HX 3 Same as CVL10-A-INT fails CVL12-A-INT Valve HCV 123 3 Same as CVL10-A-INT fails closed CVL13-A-!NT LCV ll2A mislead- 1 Conduct flow balance. ing letdown flow Assure blended makeup, to holdup tank. Set properly (ONOP CVCS-2) EPD01-31 4
PRIMARY EVENT (PE) - INDUCED llllMAN INTERACTION TABLE SYSTEM: CVL (Cont'd) PE PE REVIEW SilMULUS' AND litfiAN ACTION CAU5ING PE DESIGNAIOR DESCRIPIOR CATEGORY SilMULUS ACTION OPERATOR RESPONSE TO PE P(MARKS EPD02-32 4 IAG01 4 LC460C-A Bistable falls 3 Place control switches in open position. (ONOP CVCS-1/2) LT460-A 4 LT461-A 4 RCS!09-A-INT 4 PCSI 10 4 RCSI 11-A-INT 4 SIPHASEA-INT 4 SIPHASEB 4 e TR-SPSI 4 *
-_.m (_
- __
PRIMARY EVENT (PE) - INDUCED IRRiAN INTERACTION TABLE l SYSTEM: Component Cooling (CCW) PE PE REVIEW SilMULUS AND HtIMAN ACil0N CAUSING PE DESIGNATOR DESCRIPTOR CATEGORY STIMtit OS ACTION OPERATOR RESPONSE TO PE REMARKS CC001-BLK CCW pump 31 train 2 Start idle CCW pump Multiple alarms and blockage (ONOP CC-1) indications needed for stimulus CC001-A-INT CCW pump 21 inter- 3 Institute maintenance Entering into Tech nal failure procedures (ONOP CC-1) Spec LC0 could result in plant 1 load reduction CC001-A-RSTRT CCW pump 31 falls 3 Institute maintenance Entering into Tech to restait - procedures (0NOP CC-1) Spec LCO could internal failure result in plant load reduction , CC002-A-BLK CCW pump 32 train 2 Start idle CCW pump Multiple alarms and blockage (ONOP CC-1) indication needed for stimulus CC002-A-INT CCW pump 32 inter- 3 Institute maintenance Entering into Tech nal failure - procedures (ONOP CC-1) Spec. LCO could - includes failure to start result in plant load reduction. CC003-A-BLK CCW pump 33 train 2 Start idle CCW pump Multiple alarms and blockage (ONOP CC-1) indications needed for stimulus CC003-A-INT CCW pump 23 inter- 3 Institute maintenance Entering into Tech nal failure procedures (ONOP CC-1) Spec. LCO could result in plant load reduction
i i l PRIMARY EVENT (PE) - INDUCED HUMAN INTERACil0N TABLE i SYSTEM: Component Cooling (CCW) (Cont'd) ; PE PE REVIEW STIMlRUS AND IRIMAN ACil0N CAUSING PE DESIGNATOR DESCRIPTOR CATEGORY SilMutUS ACTION OPERATOR RESPONSE TO PE REMARKS CC003-A-RSTRT CCW pump 33 falls 3 Institute maintenance Entering into Tech to restart - procedures (0NOP CC-1) Spec. LCO could i, internal failure result in plant load reduction. CC004-A-INT Manual valve 766A 3 Operate pumps and head-fails closed ers split (ONOP CC-1) CC005-A-INT Same as above, 766B 3 Same as above i CC006-A-INT Same as above, 759C 3 Same as above CC007-A-INT Same as above, 759D 3 Same as above CC008-A-!NT Failure of CCW 2 Isolate affected HX 1eg Stimulus would { HX 32 leg and institute mainte- require increased i nance procedures. component tempera- ] (ONOP CC-1) tures (multiple) ! I and/or decreasing I surge tank level. g . CC009-A-INT Failure of CCW 2 Same as above Same as above i HX 31 leg CC010-A-INT Valve 766C or 3 Operate headers split 7660 fails closed (ONOP CC-1) CC010-EE 1 CC0ll-A-INT Loop 1 return 3 Loss of ore RHR HX.
- header fails Line up alternate HX as !
required. Investigate other lost loads and ! line up alternates. l (PEP ES-3) 4 i i I
._ _ _ _ - ~_
PRIMARY EVENT (PE) - INDUCED llUMAN INTERACTION TABLE SYSTEM: Component Cooling (CCW) (Cont'd) 14 PE REVIEW SilMULUS AND ftIN4AN AC110N CAUSING PE DLSIGNATOR DESCRIPIOR CATEGORY STIMutVS ACTION OPERATOR RESPONSE 10 PE RIMARKS CC012-A-INT Same as above, 3 Loss of one RiiR HX. Loop 2 Line up alternate HX as required. Investigate other lost loads and line up alternates. (PEP ES-3) CC015-A-INT HPI pump 31 oil or 3 Shutdown the pump if Seal HX failure continued operation is likely to damage the j pump (PEP ES-3) CC016-A-INT Same as above, 3 Same as above. pump 32 CC017-A-INT Same as above. 3 Same as above pump 33 CC018-A-INT Manual CCW valve 3 Same as above FIC-6348 indicating 787 rails closed low and alarming $ coulT induce the N operator to disable HPI pumps 32 and 33. 1 CC033-A-INT Manual valves to 3 Same as above FIC-634A indicating chg. pump 31 oil low and alarming coolers fail coulT induce the closed operator to disable HPI pump 31 CC034-A-INT Same as above, 3 Same as above FIC-6348 indication pump 32 low and alarming could induce the operator to disable HPI pumps 32 and 33. t
PRIMARY EVENT (PE) - INDUCED HUMAN INTERACil0N TABLE SYSIEM: Component Cooling (CCW) (Cont'd) PL PE REVIEW SilMULUS AND llVMAN ACil0N CAUSING PE DESIGNA10R DESCRIPIOR CATEGORY STIMULUS ACTION OPERAIOR RESPONSE TO PE RIMARKS CC035-A-INT Same as above, 3 Same as above pump 33 same as above CC036-A-INT Manual valve 756 A 3 Monitor temps on charg- Procedure not fails closed ing pumps and supply available, but city water if necessary addressed in System Description No. 29 CC037-A-H Operator fails to 5 Align city water align city water Same as above CC037-A-INT Internal failure 3 Alternately shutdown of segment 37 charging pumps as tem-perature limits are approached, and repair failure (ONOP CC-1) CC038-A-INT Manual valve 756B 3 Monitor temps on charg-falls closed Same as CC035-A-INT i I ing pumps and supply city water if necessary g CC-H Operator fails to 5 Adjust CCW loads adjust CCW loads CW001-A-INT Failure of city 4 water supply to CT-49 CWOO2-A-INT Internal failure 4 of CT-49 segment EPA 611 4 EPA 612 4
_. - _ _ _ .m__ - - __. _ _ _ . _ . _ l ) PRiftiRY EVENT (PE) - INDUCED hut %N INTERACTION TABLE SYSTEM: Component Cooling (CCW) (Cont'd) PE PE REVl[W SilMutil5 AND inriAN ACTION CAUSING PE DESIGNATOR DESCRIPIOR CAIIGORY SilitiLUS ACTION OPERAIOR RESPONSE TO PE R[MAiKS EPA 614 4 EPA 04-T 4 EPA 07-T 4 EPA 11-T 4 2 I EPD03-01 4 NOTTR-SPSI No Safety Injec- 5 Start HPI pumps tion Signal manually if necessary i Pr esent (PEP ES-1) SE-CCS2P-A 4 SE-CCS31-A 4 SE-CCS32-NOA 4 w SE-CCS33-A 4 $ SWC18-A 4 SW37-A 4 TR-SPS! 4
.- . . -_=- .-. . -. . . - _- .
PRIMARY EVENT (PE) - INDUCED IR*VJ: INIERACTION TABLE SYSTEM: Service Water PE PE REVIEW STIMULUS AND HUMAN ACTION CAUSING PE DESIGNATOR DE$CRIPIOR CATIGORY SilMULUS ACTION OPERATOR RESPONSE TO PE RIMARKS SWA01-A-INT Failure in segment 3 Trip the reactor and Piping only - no supplying SW the circ water pumps active components header for circ (ONOP-RW-1) water pumps and screen SWA02-A-INT Failure in header 3 Same as above Only an actual pipe supplying circ break would induce water pumps and the operator to screen wash secure flow, because the valves are operated locally. SWA06 Intake screen 3 Check bypass gates from No logical operator problem including circ water bay open (no actions that can freezing procedural ref but cause intake screen addressed in system problem description) na SWA10-A-INT Blockage in seg- 2 Open bypass valve There is toth a low [j ment or PCV 1186 (SWN-23) to supply seal pressure alarm fails closed water (ONOP RW-2) (PC 1195) and a PI (PI 1270) that would have to fail to induce operator to this action. They are inde-pendent sensors. SWAll-A-INT Blockage in seg- 2 Open bypass valve Same as above ment or PCV 1185 (SWN-21) to supply seal except PC 1194 and fails closed water (ONOP RW-2) PI 1269
_ _ _ . _ _ _ _ _ _ _ ,. . _ _ _ _ _ . _._ _m PRIMARY EVENT (PE) - INDUCED HUMAN INTERACTION TABLE F , SYSTEM: Service Water (Cont'd) PE PE l HEVIEW SilMutus AND Hir1AN ACil0N CAUSING PE i SilMULUS ACil0N OPERA 10R RESPONSE 10 P[ REMAHKS DESIGNATOR DESCRIPIOR CATEGORY Blockage in seg- 2 Open bypass valve Same as above SWAl2-A-INT ment or PCV 1184 (SWN-19) to supply seal except PC 1193 and falls closed water (0NOP RW-2) PI 1268 SWA13-A-INT Blockage in seg- 2 Open bypass valve Same as above < ment or PCV 1183 (SWN-17) to supply seal except PC 1192 and fails closed water (ONOP RW-2) PI 1267 { SWA14-A-INT Blockage in seg- 2 Open bypass valve Same as above ment or PCV 1182 (SWN-15) to supply seal except PC !!91 and fails closed water (ONOP RW-2) PI 1266 SWA15-A-INT Blockage in seg- 2 Open bypass valve Same as above ment or PCV 1181 (SWN-13) to supply seal except PC 1190 and fails closed water (ONOP RW-2) PI 1265 SWC05-A-INT Blockage or valve 2 Open valve SWN-5 to There are multiple closure in Seg- supply water for circ independent indica-ment C5 water pump seals and tions that would screen wash fro 1 NSW have to fall to N' header and close SWN-4 induce the operator 8 (ONOPRW-2) to shut SWN-4 (circ water pump seal pressure alarms and indicators, and screen wash pres-sure alarms and indicators) SWC10A-A-INT Local blockage 3 Open valve SWN-70 to Piping only - no Segment C10A supply SW from NSW active components. head (r and shut SWN-27 Will result in loss (PEP ES-3 and ONOP RW-1) of ecoling to IA heat exchangers
t l l l PRIMARY EVENT (PE) - INDUCED lillMAN INTERACTION TABLE SYSi[M: Service Water (Cont'd) PE PE REVl[W SilMlllll5 AND ltHMAN ACIION EAtlilNG PE DLSIGNATOR DESCRIPIOR CAILGORY SilMutOS ACil0N Ol'f RAlfH RESPONSE 10 PE RIMARK". SWC10C-A-INT Local fault Con SW 3 Check open SWN-27. If Willresuit1[ loss Segment IOC that is open then of cooling to IA deduce that the segment heat exchanger 31. is blocked. Shut only an actual pipe SWN-27 and open SWN-70, break would induce to supply SW from NSW the operator to header. (PEP ES-3 and close SWN-27, ONOP RW-1) because it is oper-ated locally. SWC10-A-INT Local fault Con SW 3 Secure CSW supply to IA Piping only - no Segment 10 heat exchangers, CR air active components cond, units, and DGs, i and supply these SW loads from NSW header (PEP ES-3 and ONOP RW-1) SWC11-A-!NT Local f ault Con SW 3 Secure CSW supply to CR Piping only - no Segment C11 air cond. units and DGs active components. and supply these loads Results in loss of N from NSW header (PEP CR, NC and DG O m ES-3 and ONOP RW-1) cooling SWC13-A-INT Local f ault Con SW 3 Secure CSW supply to Segment 13 Results in loss of DGs and supply DGs from all DG cooling, no NSW header (PEP ES-3 and rational event ONOP RW-1) coald occur to induce an operator to close SWN-30 except an actual j pipe break, because ) the valve is locally operated.
l i PRIMARY EVENT (PE) - INDUCED HUMAN INTERACTION TABLE SYSTEM: Service Water (Cont'd) ! PE PE REVIEW STIMlHUS AND HUMAN ACi!0N CAllSING PE DESIGM10R DESCRIPIOR CAIEGORY SilMulOS ACil0N OPERAIOR RESPONSE 10 PE R[MAltKS SWC15-A-INT Local blockage 3 Secure CSW supply to Piping only - no Segment C15 CCW heat exchangers and active components, supply these loads from Results in loss of NSW header (ONOP RW-1) cooling to both CCW heat exchangers SWC16-A-INT Local blockage 3 Secure CSW supply to Results in loss of i Segment C16 CCW heat exchangers and cooling to both CCW supply them from NSW heat exchangers. header (0NOP RW-1) The only event that would induce an operator to secure this flow path is an actual pipe break, since the valves are operated locally. SWC17-A-INT Local fault 3 Blockage has no afice.t. Seg C17 (Bet. CCW Shut SWN 35 and 31. N HXs) Supply HX 31 via SWN 32 (ONOP RW-1) 8 SWC18A-A-INT Local fault outlet 3 If leak, continue to of CCW HX 32 pump, cor, trol flooding if blocked HX 31 will carry CCW system. ' 4 SWC18-A-INT Local fault 3 Isolate HX 32. Carry I Seg C18 CCW loads on HX 31 (ONOP RW-1) a l l I
o rQ W
- - rg n S nadon a ocl ti ce g S ciuan r n K dorn rul i e e e e R onweu osap v o
v v v A ni prdt nep o o o M t o naero b b b [ ema aar t a a a b a R roh n aot apppti eoss s s s s e r omo e a a a a set u r . rl nssp eoou
.kt cl op e e e e xeuf m m a
m m m h riaoWuh aeu a a a Ttt ctSacfbp S S S S E P O t P t P t P t P t P T f r O f r O f r O f r O f r O i a N i a N i a N i a N ia N E (t O (t O (t O (t O (t O S N sp( sp( sp( sp( sp( t n t m t m t m t m O ndu) nd u) ndu) nd u) ndu) P enp2 e n p1 e n p3 e n p5 e n p6 S E ma g g 3 ma g g 3 ma g g 3 ma 3 ma 3 g g g g R e)nr s yi o e)nr s yi o e) nr e) nr e)nr s yi o s yi o s yi o R rn rn rn rn rn O ean1 ean3 ean2 ean4 ean4 T t su3 t su3 t su3 t su3 t su3 A ) asr ) asr R lasr eP1 l eP1 l e P1
) asr ) asr )
E P ocnW seoSW
- ocnW -
seoSW ocnW - seoSW locnW seoSW eP1
- l e ocnW -
seoSW P1
._ E O I nn(R I nn(R I nn(R I nn(R I nn(R L
B A T N O I T C A E R P N E 0 T N Gl N I I IC S N UA A A M i C t i l N O D I E T C C U A D N N
. I A
1
- t i
l
. )
E D P N ( A T S S U N U L E ! V l U E l M M Il i Y I R 5 S A M I R P Y WR . EO iG 3 3 VL 3 3 3 _ EI RA C
)
d
't p p p p n m p o uf m m m m R uf uf uf uf C pl pl pl
( O e e pl pl I ns ns e e e r P it i t ns ns ns i t it i t e EI PR i t a C s et3
) s i) si ) s i ) s i )
S et2 et1 et6 et5 W E rn3 . n3 rn3 rn3 rn3 D lue ue ue ue ue e mP gW l mP l mP l mP l mP gW gW ic iaeS iaeS i gW aeS i aeS i gW aeS v F s( F s( F s( F s( Fs( r e S R T T T T T O N N N N N T I I I ! I
- A - - - - -
H LN A A A A A L PG - - - - - I I 1 2 3 1 2 S S C C C N N Y L W W W W W S D S S S S S
' > I
. __. _ _. ~ - _ _ ~ ~ . . - _ _ - - . _ . _ - - ._ . . ~
PRIMARY EVENT (P[) - INDUC[D llUMAN INi[RACTION TABLE SYSitM: Service Water (Cont'd) PE PE REVIIW SilHilUS AND lillMAN ACil0N CAUSING PE SilMul VS ACil0N OPERA 10R RESPONSE TO PE RIMARKS DESIGNATOR DESCRIPIOR CATLGORY Failures in pump 3 Isolate segment (if Same as above SWN3-A-INT necessary) and start segment itself non-running pump (SWP 34) (SWP 35 or 36) (ONOP RW-1) Pump falls to 5 When ta11ure to start The standby SW SWC3-A-CONT pumps will not start - standby standby pump is identi-pump fied (e.g., due to start automatic-additional alarms on ally. They must be equipment cooled by started by the service water), start a operator either standby pump (ONOP-RW-1) locally or remotely in the control room. SWC4-A-INT Local f ault Con SW 3 Shut SWN-98, stop CSW Piping only - no supply header pumps 31, 32 and 33. active components Start additional NSW pumps and supply CSW no ' loads with NSW (would E$ require a lot of valving) (ONOP RW-1) SWC6A-A-INT Blockage or 3 If segment is blocked - 1. Valve is manual FCV 1112 aligned supply loads from NSW local operation closed pumps by opening only. FCV-1111, 2. If supplying If valve is aligned the non-closed - attempt to essential open FCV-1112 (ONOP header, will not RW-1) jeopardize nuclear or essential SW. f 1 f f i I
-_ . - - _ _ _ _ _ _ _ _ . - - . _ _ . - .. - =_ _ - _-. . _ - _ _ - . _ .
PRIMARY EVENT (PE) - INDUCE D HUMAN INTERACTION TABLE SYSTEM: Service Water (Cont'd) PE PE REvitW SiiMHllf5 AND HUMAN ACilON CAUSING PC DLSIGNA10R DESCRIPIOR CAi[ GORY SilMHl0S ACil0N 4 OPERAIOR RESPONSE 10 PE RfMARKS SWC6-A-INT Local fault Con SW 3 Same as SWC4-A-INT Piping only - no 4 Segment C6 active components SWC7-A-INT Local f ault Con SW 3 Same as SWC4-A-INT Piping only - no Segment C7 active components SWC8-A-INT Local fault Con SW 3 Same as SWC4-A-INT Only real faults Segment C8 (i.e., pipe break) would cause aux ' operator to close SWN-98 because the indications are 4 local (in area of break if it occurred) SWC9-A-INT Local f ault Con SW 3 Shift CSW loads that Piping only - no Segnent C9 are lost to NSW header active components and isolate CSW supply. ro SWNORMALIGN N0!F Con SW to 4 o inlet of IAIR *
- fiX 32
., SWNX14-A-INT Local f ault NUC SW 3 Shutdown NSW and supply Piping only - no Seg NX14 its loads with CSW active components l SWNX15-A-INT Local fault in NUC 3 Same (NX14, NX15 and Piping only - no SW Seg NX15 NX13 all connected with active components no valve for individual isolation) i
. . . _ _ _ m _ m... _. ____ _ _ _ _ _ _ _ _ _ . _ _ ._._ _m _ . . _ _ _ _ _ _ . _ _ _ __ _ __._4__ .
PRIMARY EVENT (PE) - INDUCED IRIMAN INTERACil0N TABLE SYSitM: Service Water (Cont'd) PE PE REVIEW Silttil115 AND lillMAN ACTION CAUSING PE ()LSIGNATOR 1)ESCRIPTOR CAILGORY SilMil105 ACil0N OPERAIOR RESPONSE 10 PE RIMA 9KS , SWN13-A-INT Local fault in NUC 3 Same as SWNX15-A-INT Piping only - no SW Piping seg N13 active components SWN14-A-INT Local fault in NUC 3 Shutdown IA equipment SW Piping to HX31 cooled by HX31 - trans- . fer operations to other equipment (ONOP RW-1 and PEP ES-3) SWN15-A-INT Local blockage of 3 Shift DG and control Seg N15 room cc,oling to CSW 4 ' SWN1/-A-INT Local fault NUC SW 3 Shift DG cooling to CSW No reason for oper-Seg N17 neader (ONOP RW-1 and ator to close PEP ES-3) SWN-29 (NSW to diesels) for faulty indication. SWN18-A-INT Blockage of NSW to 3 Shift DG cooling to CSW The only time the DG 33 header (ONOP RW-1 and operator would y PEP ES-3) close cooling water y to DG would be real fault (HX tube leak) or maintenanc e SWN19-A-INT Slockage at seg- 3 Secure NSW to DG(s) and Piping only - no ment supplying SW line up CSW to supply active components to DGs 31 and 32 DG(s) (0NOP RW-1 and PEP ES-3) SWN20-A-INT Internal blockage 3 Same as above Same as SWN18-A-INT between supply and DG 32 I;Xs l
\ PRIMARY EVENT (PE) - INDUCED llUMAN INTERACil0N TABLE SYSILH: Service Water (Cont'd) PL PE REVIEW SilMlitus AND lillMAN ACIl0N CAUSING PE DESIGNA10R DESCRIPIOR CAIEGORY SIIMULUS ACil0N OPERATOR RESPON5E TO PE PIMARKS SWN21-A-INT Blockage at seg- 3 Same as above Same as SWN/8-A-INT ment supplying SW to DG 31 SWN2-A-CONT Pump fails to 3 Manually start the pump The only way an restart even (ON0P RW-1) operator could though node OK cause this PE is by leaving the pump controller in the
" pull to lock" position which would be a random human error.
SWN3-A-CONT Pump falls to 3 Manually start the pump same as above restart even (ONOP RW-1) though made OK SWN4-A-INT Local fault NSW 3 Shut SWN-99, stop NSW Piping only - no supply header pumps that are running. active components b3 Supply NSW loads with E$ CSW- Shutdown unneeded SW loads. (0NOP RW-1 and PEP ES-3) SWN6-A-INT Local f ault NUC SW 3 Shut SWN-99, stop NSW Piping only - no Seg N6 pumps that are running. active components Supply NSW loads with CSW. Shutdown unneeded SW loads. (ONOP RW-1 and PEP ES-3) SWN7-A-INT Local f ault NUC SW 3 Same as above Piping only - no Seg N7 active components t 4
PRIMARY EVENT (PE) - INDUCED If0 MAN INTERACTION TABLE SYSTEM: Service Water (Cont'd) . PE PE REVIEW SilMtllHS AND HINAN ACil0N CAUSING PE DLSIGNATOR DESCRIP10R CATEGORY SitMi1LUS ACil0N OPERATOR RESPONSE TO PE PEfWtKS SWN8-A-INT Local f ault NUC SW 3 Check SWN-99 open. If Only real faults Seg N8 cannot reestablish NSW, (i.e., pipe break) same as above (ONOP RW-1 would cause aux and PEP ES-3) operator to close SWN-99 because indications are in the area of the piping. SWN9-A-INT Local fault NUC SW 3 Shut SWN-99. Close Piping only - no Seg N9 FCV-Ill2 and open active components FCV-Illl to supply NSW loads with. Shift NSW loads to CSW at each individual load. (ONOP RW-1 and PEP ES-3) SWT01-A-INT Blockage or per- 3 Conduct a normal plant Operator has no haps inappropriate shutdown (ON0P-RW-1) control over relief ! pressure relief valve SWT-8 g SWT02-A-!NT Blockage in 2 Manually open SWT-2 Both P! 1185 and PCV 1179 or local (bypass around the " Service Water valves PCV-Il19) to attempt to to Lube 011 Coolers re-establish flow. If High Pressure" flow cannot be estab- alarm would have to lished, conduct a fall high to induce normal plant shutdown the operator to (ONOP-RW-1) block this flow-path. They are two independent sensors. q
_ . _ . _ ._ . _ . _ _ _ _ . _ . _ . _ _ .-- __ _ __ _ . _ _ _ _ _. . _ _ = _ _ _ _ .__.- _ . _ - - ___ ._ _ _ _ _ _ ._ _ . l j PRIMARY EVENT (P[) - INDUCf D HUMAN INTERACTION TABLE i SYSTEM: Service Water (Cont'd) . PE PE REVIEW SilMHlOS AND HUMAN ACil0N CAUSING PC DESIGNATOR DESCRIPioR CAi[GCHY silHIHUS ACI10N OPERAIOR RESPON5E 10 PE REMARKS
~
SWT12-A-INT Blockage in Seg 12 3 Conduct a normal plant Piping only - no shutdown (ONOP-RW-1) active components SWT13-A-INT Failure in Seg 3 Same as above Piping only - no SWT13 supplying active components BFP&T Lube 011 Coolers SWT14-A-INT Blockage in HX 3 Loss of one turbine Cooler A or valves lube oil cooler. Monitor turbine L.0.
- temps. Assure other HX line up normal. (0N0P RW-1)
SWT15-A-INT Blockage in HX 3 Same as above Cooler B or valves l SWT16-A-INT Blockage in return 3 Loss both turbine Piping only - no segment L.O. coolers. Shutdown active components U turbine. (ONOP RW-1) o a SWT27-A-INT Blockage in 3 Shutdown all equipment Piping only - no Seg T27 supplied through active components. FCV-1111 or FCV-1112 as would result in no it becomes necessary to cooling available avoid equipment damage to conventional (ON0P RW-1) i plant services SWT52-A-!NT Blockage in Seg 52 3 Shutdown systems cooled Piping only - no by conventional closed active components. cooling system, as No cooling availabe required to avoid to closed cooling equipment damage (ONOP system heat j RW-1) exchangers. i i l
,, , _. w , _ _ - - - - , - , . . . , . _ _ _ _ . , - . - . . y- .
PRIMARY EVENT (PE) - INDUCED HUMAN INTERACTION TABLE 4 SYSIEM: Service Water (Cont'd) PE PE REVIEW SilMULUS AND HUMAN ACil0N CAUSING PE DESIGNATOR DESCRIPIOR CATEGORY SIIMul0S AC110N OPERAIOR RESPONSE TO PE REMARKS SWT 56- A-INT Blockage in Seg 56 3 Same as SWT 52-A-IhT Piping only - no active components SWT58-A-INT Blockage in 3 Same as above Piping only - no Seg T58 (supply to active components closed cooling system HXs) SWT61-A-INT Blockage before 3 Same as above Piping only - no flow reg segment active components SWT62-A-CONTROL Control Sig to CCS 3 Open bypass valve SWT-21 Locally operated SW flow reg valve (0NOP RW-1) system. False fails to low flow indications can be verified before ] action is taken SWT62-A-INT Blockage in CCS SW 3 Open bypass valve SWT-21' Same as above flow reg valve , (ONOP RW-1) ro SWT63-A flow reo bypass 3 Open it or take manual [ closed or blocked control of TCV-1109 and open it. (0NOP RW-1) SWT64-A Blocked SW return 3 Shutdown systems cooled Piping only - nc i by conventional closed active components e cooling system, as required to prevent equipment damage. (ONOP RW-1)
PRIMARY EVf NT (PE) - INDUCf D ltUMAN INTERACTION TABLE ! SYSILH: Service Water (Cont'd) , PE PE REVlfW STIMillHS AND lillMAN ACTION CAUSING PE OLSIGNAIOR DESCRIPIOR CATEGORY SilMutOS ACil0N OPERAIOR RESPONSE TO PL RfMAHKS SWO34-A-INT Blockage in DG 31 3 Shutdown DG 31 if run- 1. Piping only - Jacket / lube oil HX ning, as required, to no active com-segment prevent equipment ponents damage (ONOP RW-1) 2. If DG started on SI signal, then most equipment pro-tection trips (except over-speed, overcur-rent and reverse power) are inoperable. If damage to the core was not expected to result, the operator may " shut the DG down to save na the machine for ** i use when the SW fault is corrected. 1 SWO35-A-INT Blockage at DG 32 3 Shutdown DG 32, if Same as above . HXs running, as required, to prevent equipment damage (ONOP RW-1) SWO36-A-!NT Blockage at DG 33 3 Shutdown DG 33 if run- Piping only - no SW HXs ning, as required, to active components prevent equipment See remark 2 under , damage (ONOP RW-1) SWO34-A-INT 6
4 1 l PRIMARY EVENT (PE) - INDUCED llGMAN INTERACTION TAPLE I SYSTEM: Service Water (Cont'd) ! PE PE REVIEW STIMULUS AND littiAN ACil0N CAUSING PE DESIGNATOR DESCRIPIOR CATLGORY SilMULUS ACTION OPERATOR RESPONSE TO PE RIMAHKS i SWO39-A-INT Blockage at SW 3 Shutdowr. DGs 31 and 32 Piping only - no return for DGs 31 if running, as required, active components l and 32 to prevent equipment See remark 2 under damage (ONOP RW-1) SWO34-A-INT SWO42-A-CONTROL Failure to deprive 3 Take manual control and There is no fault FCV 1176 of open valve (ONOP RW-1) that could cause air: control operator to close failure valve and deprive diesels of cooling SWO43-A-CONTR0t Failure to deprive 3 Same as above Same as above FCV 1176A of air: '
- control failure SWO42-A-INT Failure of 3 Take manual control and There is no fault FCV 1176 to open open valve (0NOP RW-1) that could cause r on loss of air operator to close valve and deprive diesels of cooling [3 ca
] SWO43-A-INT Failure of 3 Same as above Same as above FCV ll76A to open , on loss of air '
! SWO44-A Blockage in SW 3 Shutdown all three (31, Piping only - no i return from DGs 32 and 33) DGs, as active components required, to prevent See remark 2 under equipment damage (ONOP SWO34-A-INT RW-1)
I f 4
PRIMARY EVENT (PE ) - INDJCED HUMAN INTERACTION TABLE SYSTEM: Service Water (Cont'd) PE PE REVIEW STIMilttlS AND Ut#4AN ACil0N CAllSING PE DESIGhATOR DESCRIPIDR CATEGORY SilMilt US ACTION OPERAIOR RESPONSE TO PE RIMARKS SWO45-A Bleckage in SW 3 return from DGs Same as above Piping only - no active components See remark 2 under SWO34-A-INT SWO46-A Blockage in SW 3 Same as above Piping only - no return from DGs active components See remark 2 under SWO34-A-INT SW37A-A-INT Local fault outlet 3 Loss of one CCW HX. of CCW HX 31 HX 32 will carry all necessary loads. Assure proper line up s of HX 32. (ON0P RW-1) SW37-A-INT Local fault at 3 Same as above inlet of CCW HX 31 SW46-A NOIF SW return 3 Seg 46 Piping only - no [] active components 45 Same as SWO46-A7 SW47-A Blockage in SW 3 return Secure Inst. Air and Piping only - no supply inst. air system active components with service air cross connect (PEP IA-1) SW48-A-INT Int Fault blocking 3 Take manual control of No faulty indica-flow reg bypass TCV-Ill3 and manually tion will cause (inst air HX SW open (ONOP RW-1) operator to close outlet) bypass (SWN-47) if in use
PRIMARY EVENT (PE) - INDUCED Ht! MAN INTERACTION TABLE SYSTEM: Service Water (Cont'd) PE PE REVIEW SilMulOS AND fillMAN ACTION CAUSING PE DESIGNATOR DESCRIP10R CAltGORY Si!MIRUS ACTION OPERAIOR RESPONSE 10 PE REMARKS SW49-A-INT' Blockage in flow 3 Open bypass VLV SWN-47 No indications that reg segment (inst or take manual control would cause oper-air SW outlet) of TCV-1113 (ONOP RW-1) ator to close TCV-1113 TCV-1113 SW51-A-INT Blockage at outlet 3 Investigate cause of Locally operated of inst air HX 31 trip of IA Com- valves; no false pressor 31 (check valve indications would line.Jp,etc.). If IA induce operator to pressure reaches close these valves. 60 psig, trip the plant. If necessary open the station air tie valve. (PEP IA-1) SW52-A-INT Local blockage at 3 Same as above except IA Same as above outlet of IAIR Compressor 32 HX 32 SW60A-A-INT SW blockage in CCS 4 m HX 31 g SW608-A-INT SW blockage in CCS 4 HX 32 Seg EPAG11 LOP at EPA 03 (55 4 XFM15) EPAG13 LOP at EPA 13 4 (6.9KV BUS 3 + SS XFMR 3) l i l
PRIMitRY EVENT (PE) - INDUCED HUMAN INIERACil0N TfeLE SYSTEM: Service Water (Cont'd) PE PE REVIEW STIMULUS AND IRIMAN ACil0N CAUSING PE DESIGNATOR DESCRIP10R CATEGORY STIMULUS ACIION OPERAIOR RESPONSE TO PE RE MAltKS EPAG14 LOP at EPA 10 (SS 4 XFMR 6) EPA 04-S Local fault at 4 EPA 04 (BUS SA) EPA 04-T-LSI LOP at 480V AC 4 BUS SA, or loop, or SI EPA 04-T LOP at 480AC 4 BUS SA EPA 05-INT Local fault in 4 DG 33 EPA 07-T-LSI I" at 480V AC 4 iUS .A. or loop,
'i ro EPA 08-INT 'ocal is*lt in H
4 5 EPAll-S Local f auh at 4 EPAll (BUS 6A) EPAll-T-LSI LOP at 480V AC 4 BUS 6A, or loop, or SI EPAll-T LOP at 480AC 4 BUS 6A i
PRIMARY Et'ENT (PE) - INDUCED IR# TAN INTERACTION TABLE SYSIEM: Service Water (Cont'd) PE PE REVIEW SilMulOS AND lRIMAN ACTION CAUSING PE DESIGNAIOR DESCRIPTOR CATEGORY SilMULUS ACTION OPERATOR RESPONSE 10 PE REMARKS l EPA 12-INT Local fault in 4 DG 32 EPA 14-5 Local f ault at 4 EPA 14 (BUS 3A) EPA 14-T LOP at 480AC 4 BUS 3A EPA 15-5 Local fault at 4 EPA 15 (Tie BKR 2AT5A) EPA 16-5 Local fault at 4 EPA 16 (Tie BREAKER 2AT3A) EPA 17-5 Local fault at 4 EPA 17 (Tie BKR 3AT6A) ro EP001-01 LOP at DO PP 31 4 EPD02-01 LOP at DO PP 32 4 EPDll-A LOP at DO PP 31 - 4 battery supply only EPD12-A LOP at DO PP 32 - 4 battery supply only
PRIMARY EVENT (PE) - INDUCED HUMAN INTERACil0N TABLE SYSTEM: Service Water (Cont'd) PE PE REVIEW SilFtlLUS AND HUMAN ACTION CAUSING PE , DESIGNATOR DESCRIPTDR CAILGORY SI!Mut tl5 ACil0N OPERATOR RESPONSE TO PE RE MAliKS EPD13-A LOP at DO PP 33 - 4 battery supply only IAIRBYPASS Flow reg bypass 4 valve commanded open (inst air HX SW outlet) LOCA LOCA event 4 NOTLOOP-6A NO LOOP to BUS 6A 4 NOTTR-SPSI No safety injec- 4 4 tion actuation SEDG-SWN36-NOA Hanual initiation 4 of SWN 36 fails SE-EDG31-A Failure of DG 4 na breaker 52/EG1 to "" actuate 0 SE-EDG32-A Failure of DG 4 bkr 52/EG2 to actuate SE-EDG33-A Failure of DG 4 bkr 52/EG3 to actuate SE-SWN34-A SW pump 34 not 4 actuated following LOOP
_ - . _ . . _ - . _ ._. ._. . . _ . _ . ~ ._ . _ . - . PRIMARY EVENT (PE) - INDUCED HUMAN INTERACTION TABLE 4 SYSTEM: Service Water (Cont'd) PE PE REVIEW STIMuttJS AND lillMAN ACI!ON CAUSING PE DESIGNATOR DESCRIP10R CATEGORY STIMULUS ACil0N OPERATOR RESPONSE TO PE REMARKS SE-SWN34-DGS-A SW pump 34 not 4 actuated following LOOP - for DGS only SE-SWN35-A SW pump 35 not 4 actuated following LOOP SE-SWN35-DGS-A SW pump 35 not 4 actuated following LOOP - for DGS only SE-SWN36-A SW pump 36 not 4 actuated SE-SWN36-DGS-A SW pump 36 not 4 actuated - for DGS only ro SE-SWN36-NOA Manual actuation 4 of SW pump 36 fails TR-SPSI Safety injection 4 signal present
i PRIMARY EVENT (PE) - INDUCED HUMAN INTERACil0N TABLE SYSIEM: Sequencing (SE) PE PE REVl[W SilMillVS AND HUMAN ACTION CAUSING PE DESIGNAIOR DESCRIPIOR CAIE GORY SilMULUS ACil0N OPERATOR RESPONSE TO PE RIMARKS EPAG12 4 GENERAL GENERAL EPAG13 4 The proper immediate Loss of the EPAG14 4 action to be taken by controlled com-the operator is always ponent(eg. pump) EPD01-01 4 the same: if a piece of due to operator equipment does not per- action is addressed EPD01-31 4 form its automatic under each individ-action, the operator ual system. Here EPD02-01 always verifies that we consider oper-4 correct automatic ator action that EPD02-32 4 actions have occured results in the con-and manually performs trol system PE those that have not, being induced. This EPD03-01 4 (Ref: immediate action is limited to j~ steps of PEPS) de-energizing the EPD11 A 4 power supply for 4 EPD12-A 4 this control sys-tem. In general ' pj EPD13-A 4 this would be the c3 result of operator error since the only reason to kill the power supply would be fire or bus fault. Both of these must be I independently veri-fled prior to removing power to the bus.
}
I
PRIMARY EVENT (PE) - INDUCED HUMAN INTERACTION TABLE SYSTEM: Sequencing (SE) (Cont'd) 1 PE PE REVIEW SitMtitVS AND lhfiAN ACil0N CAUSING PE DESIGNATOR DESCRIPIOR CATEGORY SilMULUS ACil0N OPERATOR RESPONSE TO PE REMARKS LOCA LOCA EVENT 4 SE-AFW-NOA No operator action 5 to actuate AFW pumps SE-BFP-L-S Local f ault of 2 Operator manually Common Auto Start relay 8FP-L starts pumps as relay for all AFW (Common Auto Start required. (PEP FW-1) pumps. relay) AFW pumps 1
- SE-BFP-S Local fault of 2 Operator manually Auto Start for both l
relay BFP (AFP 31 starts pumps as motor driven AFW and 33 Auto Start required. (PEP FW-1) pumps. relay) motor SE-CCS2P-S Local fault of low 2 Operator manually CCW pump in auto header pressure actuation scheme starts STBY CCW pump will start when upon low CCW header PC-600 decreases to m " (component cooling pressure alarm. low CCW header N water) (0NOP-CC-1) press set point. 1~ SE-CCW-NOA No operator action 5 to actuate CCW pumps. SE-HPI-NOA No operator action 5 to actuate HPI pumps.
i l PRIMARY EVENI (PE) - INDUCED lutUul INTERACTION TABLE l SYS1[M: Sequencing (SE) (Cont'd) PE PE REVIEW STIMulut AND IKtVV4 ACI!ON CAUSING PE DLSIGNAIOR DESCRIPIOR CATE GORY SilMulus ACTION OPERATOR RESPONSE 10 PE R[ MARKS i SE-RHR-NOA No operator action 5 to actuate RHP pumps. SE-SGLOLO-A Steam Generator Lo 2 Lo level logic Note notor drive AFW lbtor driven AFW pumps have not started. pumps should auto (1004) fails (1 Manually start AFW out of 4 logic- start on Lc-Lo starts MD AFW pumps 31 and 33. Verify level in any one pumps). pressure and flow. steam generator. (PEP FW-1) ! SE-561234X-F0 Normal start sig. 2 Operator notes turbine 4 nals not received Turbine drive AFW driven AFW pump not pump (#32) Auto (Lo-Lo 2004565) started. Manually (2 out of 4 Starts on Lo-Lo a logic-starts TD start #32 AFW pump level in two out of AFW pump.
' verify pressure and four steam gene-flow and correct tur- rators.
bine parameters. Determine cause of na , start failure. h3 (PEP FW-1) SE-SWN-NOA ho operator action 5 to actuate SWN
; pumps.
SE-SWN-SWITCH Switch selector in 5 wrong position (selector switch for group of SW pumps).
PRIMARY EVENT (PE) - INDUCED IfUMAN INTERACil0N TABLE SyS;tg. Sequencing (SE) (Cont'd) PE PE REVIEW SilMtilOS AND IRPUtN ACTION CAUSING PE DE SIGNATOR DESCRIPIOR CATEGORY SilMutOS ACliON OPERAIOR RESP 0tiSE 10 PE RE MAHKS SE-IX-BFPTI-FD Relay IX-8FPTl 2 Operator note- that 3 fails to energize AFP 31 (33) has failed f-(AFP 31 auto start to Auto Start. Oper-ckt.) ator renually starts , pump. (PEP FW-1) SE-lX-BFPT2-FD Relay IX-BFPT2 2 Same as above except falls to deener- ATP 33. gize (AFP 33 auto start ckt.) SE-2SIl-S Local fault of 2 Operator notes that SI relay 2-511 (SI pump 31 has not started pump 31) in response to ECCS signal. Manually start y the pump. Note normal 4' flow, pressure, motor AMPS. (PEP ES-1) SE-2SI2-5 Local f ault of . no 2 Same as 2 S!!-S for 51 ro relay 2-SI2 (SI pump 32. 'd
- pump 32 starting).
SE-2SI3-3 Local f ault of 2 Same as 2511-5 for SI relay 2-513 (SI pump 33. pump 33 starting). I f l l [ i.
- __m._____m
f i PRIMARY EVENT (PE) - INDUC[D HUMAN INTERACTION TABLE SYSTEM: Sequencing (SE) (Cont'd) PE PL REVilW SilMUlUS AND HUMAN ACil0N CAUSING PE OLSIGtmIOR DESCRIPIOR CATLGURV SilMtR US ACil0N OPERATOR RESPONSE TO PE R[ MARKS SE-20-1-ABFP2-5 Local f ault of 2 If operator notices relay 20-1-ABFP2 With PCV 1113 fully PCV 1113 open on pump open steam pressure (deenergizes to start he will take man- to AFW pump turbine close PCV and) ual, control and regu- would be excessive, start AFP32 late steam pressure Most likely result manually. If not would be loss of ' noticed in time reset turbine on over-overspeed trip and speed.
- restart pump.
a (PEP FW-1) i SE-27-2A-X3-CV Bus 2A UV scheme 2 Operator may manually Prevents Auto Start thinks low voltage start all affected condition exists of SI 32 SW 32, (SI pump 32) pumps as necessary. CRF 32, CCW 32. (PEP ES-1)
*SE-27-3AX3 Bus 3A undervolt- 2 Same as above.
age scheme thinks Prevents Auto Start i Iow voltage condi- of CRF34, SW35, tion exists (RHR RHR31, AF31. y pump 31) A SE-27-5A-X2-UV Same, Bus SA (SI 2 pump 31) Same as above. Prevents Auto Start of CCW31, SW34, SW31. SE-27-6A-X3-UV Same, Bus 6A (SI 2 pump 33). Same as above. Prevents Auto Start of SW36, SW33, AF33 RHR3E,5133.CRF35, CS32, CCW33. I
. . ~- -- - . . - . . . ~ - - . ~ . _ . -- - . . . . .
1 l l l ', PRIMARY EVENT (PE) - INDUCED HUMAN INTERACTION TABLE l i SYSTEM: Sequencing (SE) (Cont'd) 1 , PE PE REVIEW STlHill115 AND INPtAN ACIl0N CAUSING PE j DESIGNATOR DESCRIPIOR CATE GORY SilMUlHS ACTION OPERATOR RESF0NSE TO PL REMAltKS SE-2-CC1-2-5 Local f ault of 2 Operator may manually Loss of these
- relay 2-CCl-2 (CCW start all affected relays prevents
- pump 31). pumps as necessary. Auto Start of their j (PEP ES-1) respective pumps.
SE-2-CC2-2-5 Same, 2-CC2-2 2 Same as above Same as above { q SE-2-CC3-2-5 Saue, 2-CC3-2 2 Same as above Same as above SE-2-luiR1-5 Local fault of 2 Same as above Same as above relay 2-RHR1 (RHR pump 31). SE-2-RHR2-5 Same, 2-RHR2 (RHR 2 Same as above Same as above pump 32). 4 SE-2-SW4-5 Local f ault of 2 Same as above Same as above , relay 2-SW4 (SW m ' pump 34) N SE-2-SWS-S Same 2-SWS 2 Same as above Same as above SE-2-SW6-5 Same, 2-SW6 2 SE-2-1-11D-S Local f ault of 2 Same as above. Same as above relay 2-1-11D (PEP FW-1) (AFP 33) I
}
i i 6
- _. __ ._ __ _ . _ _ _ _ _ _ . _ _ _ _ _ _ . . . - _ _ _ . _ . - _ _ _ _ _ _ _ . . _ _ _ _ _ _ _ - _ _ _ _ _ _ _ _ _ _ _ _ . _ . _ _ _ _ - - . . _ _ _ . _ _ __ _ .. . . - ~ m PRIMARY EVENT (PE) - INDUCED liUfWe INTERACTION TABLE
~f SYSIEM: Sequencing (SE) toont'd) FE PE REVIEW SilMlflUS AND If0 MAN ACil04 CAUSING PE DESIGNAIOR DESCRIPIDR CATEGOR Y SilMOLUS Acilon OPERATOR RESPONSE TO PE RfMARKS l SE-2-1-6D-S Same, 2-1-6D 2 Operator may manually loss of these > i (AFP 31) start all af fected relays prevents i pumps as necessary. Auto Start of their (PEP FW-1) respective pumps q SE-3-1-2A-5 Same. 3-1-2A 2 Same as above. Prevents Auto Start (fails to energize (PEP ES-1) of SW32, 5132, i causes relay 2-S!2 CRF32, CCW1?.
- to not energize I resulting in SI i
pump 32 not acti-I vated) 1 1 f SE-3-1-3A-5 Same 3-1-3A 2 Same as above CRF34, SW35, RHR31, AF31. SE-3-1-5A-5 Same, 3-1-5A 2 Same as above US31, CRF31, 5131,
- CRF33, SW34, SW31, S$
- CCW31. cn I
SE-3-1-6A-S Same 3-1-6A 2 SW36, SW33, AF33 I SI33, CRF35, RHR32, CS32, CCW33. 3 SE-3-2-2A-5 Same. 3-2-2A 2 CCW32, SW32. r SE-3-2-3A-5 Sace, 3-2-3A 2 SW35, AF31, BFP32, start. I SE-3-2-SA-S Same, 3-2-5A 2 CCW31, SW34, SW31. ? I I f I l i i
PRIMARY EVENT (PE) - INDUCED HUMAN INTERACTION TABLE t SYSTEM: Sequencing (SE) (Cont'd) i PE PE REVIEW SilHLitUS AND HilMAN Acil0N CAU5ING PE DESIGrnIOR DESCRIPIOR CATEGORY SilMi!L US ACil0N OPERATOR RESPONSE TO PE PLMARKS SE-3-2-6A-5 2 SW36, SW33, AF33, Same. 3-2-6A CCW33, BFP32 start. 1 1 SE-52-EGI-INT Local f ault of 2 Operator manually Prevents auto breaker / actuation closes breaker and closure of DG out-scheme (DG31) loads affected diesel put breakers, generator. (PEP EL-1) SE-52-EG2-INT Same (DG32) 2 Same as above Same as above 4 SE-52-E G3-INT Same (DG33) 2 Same as above Same as above SE-52-EGI-OPN BKR 52-EGI (DG31) 2 This is not necessarily In event of a trip i Open (DG31) a fault and SI signal the position of the DG output breakers j will determine if 3 j the CCW pumps will - start. If the DG BKRS are shut the r0 i CCW pumps will not [j ' start as part of the loading sequence. SE-52-EG2-0PN Same, BKR52-EG2 2 Same as above Same as above (DG32) open SE-52-EG3-OPN Same, BER52-EG3 2 Same as above Same as above i (DG33) open i ~! I _ _ _ _ _ _ _ _ ~ _
t l i } PRIMARY EVENT (PE) - INDUCED HUMAN INTERACil0N TABLE j SYSTEH: Sequencing (SE) (Cont'd) PE PE REVIEW SilMULUS AND IfuMAN ACTION CAUSING PE ' DESIGNATOR DESCRIPIDR CATEGORY SilMULUS ACTION OPERATOR RESPONSE TO PE REMARKS a SE-63XI-BFPI-5 Local f ault of 2 Operator will manually Both 63X1 BFP 1
} relay 63XI-BFPI initiate AFW upon loss and 2 must actuate 1 (relay controlling of both BFPs or oper- to start AFW on s contact in AFP 31 ator will secure AFW if loss of feed pumps.
and 33 Auto Start I one BFP is running. Contacts of one t j ckt.) (PEP EL-1 and PEP FW-1) stuck shut would prevent initiation j of AFW on loss of ! 4 both BFPs. Con-tacts of one stuck open would initiate AFW with one BFP
] still running.
SE-6311-BFP2-5 Same, 63XI-BFP2 2 Same as above Same as above SI21XD6-1 4 i S!21X-1 4 no TR-SPS! 4
.i j
i l i d i; i
_ . ~ _ - . .. _ . _ _ _ . _ . . . . _ _ . . _ _ . . _ . _ . _ - _ _ . . _ . . _. . _ _ _ _ _ _ - _ _ _ _ _ _ - _ - - _ . . _ - _ . _ l PRIMARY [ VENT (PC) - INDUCED HUMAN INTERACTION TABLE I SYSILH: Main Feedwater (LMFW) PC PE REVIEW SilMulVS AND InttAN ACTIUN CAUSING P[ DESIGNATOR DESCRIPIOR CAIEGORY STIMULUS ACTION OPERAIDR RESPONSE TO PE PIMARFS CD-AEJCD313233-A NOIF from air 3 Throttle down on Novalveshrother ejector condensers FCV-1120 to increase active components 31, 32, or 33. flow in path A CD-CDSR31-LF Condenser 31 local 3 Isolate condenser by failure shutting VLV CS-1 or both water boxes from that condenser and use r other condenser i sections. CD-CDSR32-LF Same, except con- 3 Same as above denser 32 CD-CDSR-33-LF Same, condenser 33 3 Same as above i CD-CDSR-31-1-A N0!F from water- 2 Other than investiga-box 31-1 tion and repair of fault at next shutdown, no response action Ej applies us CD-CDSR-32-1-A Same, water 2 Same as above box 32-1 CD-CDSR- 33-1-A Same, Water 2 Same as above Sox 33-1 , CD-CDSR-31-2-A NOIF from Water 2 Same as above i Box 31-2 CD-CDSR-32-2-A Same, water 2 Same as above box 32-2 l
. . - . - . - - . - - - - ~ - - ~ . . . . - _ _ - - . . , - - - , - - - . __- - - - - - - _ - - - - - -.. ..- -.- - - - . _ . .
i I
\
i PRIMARY EVENT (PE) - INDUCED HUMAN INTERACil0N TABLE
~
SYSitH: LMFW (Cont'd) j PE PE REVIEW SitMuttl5 AND HUMAN ACTION CAUSING PE DESIGmTOR DESCRIPIOR CAIEGORY Si!MllLUS ACTION OPERA 10R RESPONSE 10 PE REMARKS i CD-CDSR-33-2A Same, water 2 i box 33-2 ! j CD-PP-31-C-INT Reverse flow 3 Send aux, oper. to l ]' through cond, close Disch. Valves. pump 31 DISCH-CV CD-2 and its bypass ' failure (RF) and CD-3 of affected pump others (condensate pump
]
isolation) 1 CD-PP-32-C-INT Same, pump 32 3 Same as above i j CD-PP-33-C-INT Same, pump 33 3 Same as above 1 CD-PP-31-LF Condensate pump 31 1 Eratic condensate Operator trips conden- Use other pumps and There is no pro- . local failure pump 31 ammeter sate pump 31 have maintenance cedural reference ! indication investigate for these actions. They are postulated based upon the instrumentation N I configuration and operating experi-ence. j CD-PP-32-LF Same, pump 32 1 Same, pump 32 Same, pump 32 Same as above CD-PP-33-LF Same, pump 33 1 Same, pump 33 Same, pump 33 Same as above CD-1A-A NOIF from heaters 1 Faulty high level in Isolate heater (shut Open heater bypass VLV , 33A, 34A, 35A heater 33A or 34A indi- CD-16, CD-17 and CD-18 (CD-19) and isolate 2 cating leak (LT-1118, on appropriate string) string by closing
, LT1115) (SOP HDS-1) (CD-16 CD-17 and J CD-18) on appropriate
- string (50P HDS-1) 4 d
i i l 1 1 1
PRIMARY EVENT (PE) - INfHKED HUMAN INTERACil0N TABLE i SYSTEM: LMFW (Cont'd) l PE PE REVIEW SilMULUS AND HtHAN ACI!ON CAUSING PE DESIGNATOR DESCRIPTOR CATEGORY SilMutOS ACil0N OPERATOR RESPONSE TO PE RE MARKS CD-18-A Same, heaters 338, 1 Same, heater 338, 348, Same as above Sane as CD-1A-A 343, 358 358 (LT-il19, LT-ll16) CD-IC-A Same, heaters 33C, 1 Same, heater 33C or 34C Same as above Same as above i 34C, 35C (LT-ll20,LT-Illl) l CD-10-A N0!F from cond 3 Check MFPs tripped and pumps discharge start MD AFWPs header
; CD-IIA N0!F from cond 3 Same as above pumps suction
, header CD-1-A N0!F from common 3 Open heater bypass VLV i discharge of CD-19 (50P HDS-1) heaters 33 to 35 l CD-2-A N0!F from heaters 3 Start MD AFWPs 31 for TML transient no bypass line and 33, open FCV-406A, one string of heat- 00 t 406B, 406C and 406D ers will provide (PEP FW-1) sufficient flow, so for an operator , response to the a bypass not opening you must assume all 3 f ailed so the , bypass is the only j remaining path. CD-SA-A N0!F from LP heat- 2 Open heater bypass line Not addressed by i ers 31A, 32A (C0-11) ONOP or PEP l i I 1 i i
. - . -- - . - - - - - . - - _ , _ - ~ _ . _ - _ _ . . -.. - . -- . . . - . _ _- . . ..- .__ ._ - - . _ . __ .. .. . . ~.
I i I
- PRIMRY EVENT (PE) - INDUCED HINAN INTERACTION TABLE 1
i SYSitM: tMFW (Cont'd) t PL PE REVIEW STIMILUS AND HlNAN ACTION CAtlSING PE 1 DLSIGtMTOR DESCRIPTOR CATEGORY STinftUS ACIION OPERATOR RESPONSE TO PE REMARKS i i CD-58-A N0!F from LP heat- 2 Same as CD-5A-A 1 ers 318, 328 4 CD-SC-A Same, LP heaters 2 Open heater bypass line Not addressed by 31C, 32C (CD-II) ONOP or PEP CD-5-A NOIF from flash 3 Total failure of con-EVAP and from its densate, use MD AFWPs. bypass. (PEP FW-1) , 1 l CD-6-A NOIF from LP heat- 3 Start MD AFWPs 31 For the TML transi-j ers bypass line. and 33, open FCV-406A, ent one string of 406B, 406C and 406D. heaters will pro-i (PEP FW-1) vide sufficient flow, so for an operator response to the bypass not opening you must assume all 3 strings failed so the bypass is the y tu j only remaining
! path.
1 CD-7A-A N0!F from gland 3 Close down on FCV-1120 l steam condenser to force flow through
! path A (ONGP C-1) l CD-78-A N0!F from FCV-1120 1 False gland steam con- Close down on FCV-Il20 Take manual control of denser low flow alarm to restore gland steam FCV-Il20 and open '
(FT-1113) condenser flow (ONOP C-1) (0NOP C-1) CD-SA-A NOIF from cond 3 Close down on FCV-1120 No valves in line pump dischg to to force flow through j flow path A path A (ONOP C-1) l 1 4
) )
.. -- ----- . - - _ ~ . _ -. _ _ - - - - . . _ . ~ . - - - - . - - _ - . - _ . . . . - - _ . ~ - . - - _ . - . - . - . _ - - - - . - . . - . .
] l PRIMARY EVENT (PE) - INDUC[D IRIMAN INif RACTION TABLE i f SYSi[M: LMFW (Cont'd) PE P[ Rf Vlf W STIMULUS AND Int 4AN ACTION CAUSING PE ACIl0N OPERAIOR RESPONSE TO PE R[ MARKS i Dt Sin.fM10R DESCRIPIOR CATEGORY SilMllLUS i CD-93-A N01F from cond. I False gland steam con- Close down on FCV-ll20 Open FCV-1120 in an j pumps discharge to denser low flow alarm to restore gland steam attempt to increase flow path B (FT-1113) condenser flow. flow through flow path 8 (ONOP C-1) (ONOP C-1) l CL----F N0!FF turbine hall 3 Restore in appox. 1/2 No control room closed cooling hr. or trip BFP and indication, local l water system local cond. pumps. Start operation by auxil-a ! failures AFW SYS. (ON0P RW-1 and tary operator j PEP FW-1) CR-31-LF Local f ailure in 2 Send maintenance to Circ pump 31 or investigate and monitor j condenser vacuum, line to condenser reduce power if needed a' (ONOP C-1) ro j w CRO-32-LF Same, Circ pump 32 2 Same as above t CRO-33-LF Same, Cire pump 33 2 Same as above CRO-34-LF Same, Cire punp 34 2 Same as above CRO-35-LF Same, Circ pu:rp 35 2 Same as above CRO-36-LF Sare, Circ pump 36 2 Same as above ; i EPAG-12 4 4 j EPAG-13 4
- EPAG-15 4 4
EPAG 4 i e I i t i
. _ . . _ . _ _ . _ . . . _ . ~ . . - - . - . _ _ _ _ _ _ _ _ . . _ _ _ _ _ _ _ _ _ _ _ _ _ .
_ _ _ . - _ _ ~ . . .m_.- . i l'RIMARY EVf NT (PE) - INIHKID fulMAN INTE RACTION TABLE l SY5ltH: LMFW (Cont'd) ) PE PE REVIEW STIMULUS AND IRFiArt ACTION TAUSING PE D(SIGNA 10R DESCRIPTOR CATEGORY SI!Mitus ACfl0N OPERATOR RESPONSE TO PE REMARKS , IPA-20-T 4 j 3 } EPA-24-T 4 i EPA-25-T 4 EPA-26-T 4 EPA-28-T 4 i EPD-01-01 4 EPD-01-31 4 ' EPD-02-01 4 ' EPD-02-32 4 ru w I AG-01 4 # ' MF-IA-A NOIF from MFIV 2 BFO-7, CV BFD-6 or Start % AFWP 31 and open FCV-406A (PEP FW-1) FE 413 to SG 31 ,i MF-18-A Same, SFD-7, 2 BFD-6, FE 429, SG Start MD AFWP 31 and All of these faults 32 open FCV-406B (PEP FW-1) involve isolating MFW to SGs. For i 4 all transients of , i interest the reactor would trip and the operator is i directed to trip MFW and use AFW /\ i a t i t k
. ~ - - . - . . . . . - . . . - - - . - . - . - - - - - . . _ . - ~ . ~ . - . _ - - - . . - . - - . . - - - - - _ ~ . . . , . - - - -- . _ . .
1 i PRIMARY EVENT (PE) - INDtlCf D IBMAN INT [RACTION TABLE i I SY5itM: LPfW (Cor.t'd) l PE PE REVIEW SitMitus AND IRIMAN ACTION CAUSING PE l DLSIGNATOR DESCRIPIOR CAIEGORY STIMilLUS ACil0N OPERAIOR RESPONSE 10 PE REMARKS 4 l MF-IC-A Same, BFD-7, 2 Start MD AFWP 33 and ' open FCV-406C (PEP FW-1) BFD-6, FE 433, SG . 1 33 ]' MF-ID-A Sa"e, BFD-7, 2 Start MD AFWP 33 and Operator might be . BFD-6, FE 443 to open FCV-406D (PEP FW-1) induced to isolate SG 34 flow to a SG (the PE) based on faulty 1, high flow to SG j (suggesting a y leak). However, 1 multiple FTs and ) FIs exist in feed I line, so this j induced operator action is not w m i likely, FE-2A-LF ?4IF MF reg 2 Start MD AFWF 31 and These faults
; FCV-417 or M0!V open FCV-406A (PEP FW-1) involve isolating i BFD-5 to SG 31 PEW to SGs. For r i'
local failures all transients of I interest the reat-tor would trip and i the operator is directed to trip 4 PEW and use AFW FE-2S-LF Same, FCV 427, 2 Start MD AFWP 31 and Same as above j BFD-5 to SG 32 open FCV-406B (PEP FW-1) i I i 1
)
i
i i PRIMARY EVENT (PE) - INNKID lilNAN INTERACil0N TABtf a ] STsitH: __LP'JW (Cont'd) 1 P[ Pt REVIEW SilMILUS AND llINAN AC110N CAUSING PE DLSIGraIOR DESCRIPTOR CATIGORY Silnit us ACTION OPERATOR RESPONSE TO PE REMARKS MF-2C-LF Same, FCV 437, 2 Start MD AFWP 33 and Operator might be BFD-5 to SG 33 open FCV-406C (PEP FW-1) induced to isolate flow to a SG (the PE based on faulty high flow to SG (suggesting leak), However, multiple ] FTs and Fis exist feed line, 50 this induced operator action is not likely. MF-20-LF Same, FCV 447, 2 Start MD AFWP 33 and Same as above SFD-5 to SG 34 open FCV-406D (PEP FW-1) VI-4A-A t.0!F from HP 2 Open bypass VLV BFD-8 ro heater 36A Not addressed by W and close BFD-3, BFD-4 Ofe0P or PEP
- j and BFD-10 to isolate
{ string A MF-48-A Same, HP 2 Same, for string B heater 36C i MF-4C-A Same HP 2 heater 36C Same, for string C MF-4-A N0!F from MFW HP 3 Start MD AFWPs 31 No valves heaters common and 33, open FCVs-406A, dinnarge header 4068, 406C and 406D i i t i i ,
i; PRIMARY EVENT (PE ) - lNIMICf D fillMAN INTERACil0N I ABL E Sf5ILM: L?;fW (Cent *d) I 11 PE REVIEW STIMtitOS AND IRIMAN ACTION CAllSING PE 8 DESIGilAIOR DESCRIPIOR CATEGORY SilMilt OS ACI!ON OPERAIOR RESPONSE TO PE REMARKS t T-5-A Operator fails to 5/3 Operator opens bypass for the TNL transi-open typass valve valve when oversight is ent one string of or valve fails recognized heaters will pro-vide sufficient flow, so for an operator response
}
j to the bypass not opening you must assume all 3 strings failed so I that bypass is only remaining path, f1 C- ! *.T 3FP 31 disch 3 Send Aux Oper to manu- Not addressed by reverse flow-CV ally close MOV ONOP or PEP j f ails (FF) and MOV ro j fails to close y i T:f-62-C - l % T Sa e, BTP 32 3 Same as above MF-61-LF doiler feed 2 Restrict unit load per Multiple indica-purp 31 local PEP FW-1 tions of cavitation tailure needed to induce operator to shut down a BfP MF-62-LF Sane, pump 32 2 Same as above 1
- ___.- ._.- .- - - . - - - _ - .- . - ~ _ _ - ..-- - --- - - _ ~ - - _ . - - . _ - - - - - _ = = _ . . . - . _ - - .
l l PRIMARY EVENT (PE) - INDUCED IRjMAN INTERACTION Tant E i I SYSILM: LMFW (Cont'd) e ) PE PE REVIEW SitPULUS AND litHAN ACTION CAUSING PE DESIGMIO*. DESCRIPTOR CATEGORY SilMtJLUS ACIl0N OPERATOR RESPONSE TO PE REMARKS , i FE-6-A NOIF front common 3 Start MD AFWPs 31 No valves l BFP discharge and 33, open FCV-406A,
! header 4068, 406C and 406D
] (PEP FW-1) 1 MF-7-A f.0!F to 3 Same as above BFPs 31, 32 frota 8 comon suction y header ) MS-AEJ----LF Loss of main steam 2 Tave<540 indication Oper secures SJAE as Carry out subsequent
- air ejectors-Local (multiple indication) per trip procedure actions of DNOP C-1 failure (FEP-RPC-1) (actions vary depending upon source of failure) j MS-----LF N0!F main stea
- n 3 Start MD AFWPs 31 and MSR supply to m i and 33, open FCV-406A, w l BFPTS local 406B, 406C and 406D CO j
failures (PEP FW-1) SACCSG01 4 i SJ ----LF N0!F BFP seal 3 Trip BFP (not addressed Would appear to be i injection water .I in ONOP or PEP) large steam leak at systes due to BFP local failures i SL-CT-12-LF N0!F seal water to 3 Af ter some titre trip Pump would pull air ! cond pumps local cond. pump due to indi- in seal and get air , i failure cations of cavitation bound (not addressed in ONOP or PEP) i ] 1 l
. - . . - - - _ _ . - _ - . . _ , . . ---._-. ...._~_. - - _ . . - . _ _ _ . , . ..- -- - _ . - ,- . . . - . . - - . - _ _ . _ .
1 4 l l PRIMARY [ VENT (PE) - INDUC[D IRIMAN INIf RACTION TAliLE 1 SYSilH: LP7W (Cont'd) i Pt l'1 R[ VIEW SilHittiS AND IRetAN ACil04 CAUSING PE lit LIGinIOR DESCRIPIOR CAltGORY SilMill tf5 ACil0N OPERAIOR Rf5PONSE TO PE R[ MARKS ,
~ ~
St-Cil331-LF ?.0!F seal mater 3 Shutdown cond. pump 31 header to cond and repair (not addres-pw:rp 31 local sed in ONOP or PEP) i failure ] St-C71332-LF Sare, pump 32 3 Same pump 32 1 4 Same, pump 33 3 Same pump 33 St-CT1333-LF i SWA10-A 4 a 5.All-A 4 ) 5.Al2-A 4 4 y ) SwA13-A w j e 1 5.A14-A 4 i I 5 A15-A 4 l 4 SwT14-A i S.T15-A 4
- TGS Failure cf turbine 3 f40 actions identified 1 gland sealing l steam condenser
~i ,' TR-SPSI 4 i ) l i l i
PRIMARY EVENT (PE) - INDUCED IRIMAN INTERACTION TABLE SYSTEM: Auxiliary Feedwater ( AFWS) PE PE REVIEW SIIMllLUS AND HUMAN ACil0N CAUSING PE 1 DESIGNATOR DESCRIPIOR CATEGORY SilMut OS ACil0N OPERATOR RESPONSE TO PE Rf MARKS AFN2-HU-01 Operator fails to 5 Actuate N2 backup (not actuate N2 backup addressed in ONOP or PEP) AFN2 Loss of N2 to AFWS 3 Replace N2 bottles (not ADV addressed in ONOP or PEP) AF001-A-!%T CT-64 fails closed 2 Open CT-64 or Multiple level Open CT-49 and indication available. (PCV-Il89 and PCV-Il87 or PCV-ll88) (PEP FW-1) f AF003-4-INT Failure of CST 3 Open CT-49 and PCV-Il89 i dischg path to MD (PEP FW-1) AFW pump AF004-A-INT Failure of city 3 Lower SG pressure to *If city water is water discharge <500 psig and use con- in use, it is segment valves to densate pump * (PEP FW-1) assumed that CST is no open to pump 33 not available. j$ AF006-A-INT Failure of city 3 Same as above. water discharge segment valves to open to pump 31 AFD08-A-INT Failure of city 3 Same as above. I water discharge segment valves to open to TD pump i,
- - _ _ _ _ . _ _ _ _ _ . - - ~ . . .. . _ . . .____s.._ - - _. _ _ ___=___. _ _ _ _ _ _ _ _ . _ _ . . _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ . _ . . _ _ - . _ _ _ _ _ _ . _ . _ _
PRIMARY EVENT (PE) - INDUCED IR#iAN INTERACil0N TABLE SYSTEM: AFWS (Cont'd) PE PE REVIEW 5TimtHS AND IR#1AN ACTION CAUSING PE DESIGraioR DESCRIPIOR CATEGORY STIMlltOS ACIl0t OPERATOR RESP 0tiSE 10 PE REMARKS AF005-A-INT Failure of CST 3 Open CT-49 and PCV-Il87 discharge path to (PEP FW-1) 2 MD AFW pump AF007-A-INT Failure of CST 3 Open CT-49 and PCV-Il88 discharge path to (PEP FW-1) TD AFW pump AF009-A-INT MD AFW pump 33 2 Start TD AFW pump 32 Multiple indica-1 failure (PEP FW-1) tions of pump cavi-tation needed for stimulus, therefore category 2. I AF010-A-INT MD AFW pump 31 2 Same as above. Same as above i failure AF009-B-INT PT 4068 signal 3 Start TD AFW pump 32 unable to control (PEP FW-1) PU 33 discharge pressure y , ~ -{ j AF010-8-INT PT 406A signal 3 Same as above.
, unable to control PU 31 discharge pressure AT0ll-A-H Operatcr fails to 5 Bring AFW pump 32 up to bring AFW PU 32 up speed (ONOP FW-1) to speed I
i i ]
_______m _ _ _ _ . _____._ _ . __ _ __._. __ . _ ___. _ ___ _ _ _ _ _ _ _ _ . _ _ _ - _ _ . _ _ _ _ _ _ _ _ . _ . _ _ . . _ _ _ . . _ . _ . PRIMARY EVENI (PE) - INDUCED in#WI INTERACil0N TABLE SYSTIM: ATWS (Cont'd) FE PE REVIEW SIIMutus AND HilMAN ACil0N CAUSING PE , DESIGNATOR DESCRIPIOR CATEGORY SitMutuS ACTION OPERAIOR RESPONSE TO PE PIMAPKS DuetoIbitiple AF0ll-A-INT TD AFW pump 32 2 StartMDAFWpumpU3 l failure and 32 indications for i or flow, speed, dis-Toker SG pressure to charge pressure,
<500 psig and use con- operator is not densate pump (PEP FW-1) likely to be induced to stcp TD i pump due to faulty indication.
AF012-A-INT Failure of seg- 1 Faulty high flow indi- Shut FCV 406C (PEP FW-1) Start TD AFW pump 32 Stimulus can also ment 12 FC cation to SG 33 (PEP FW-1) cause AF019-A-INT (FT 1202) AF013-A-INT Failure of seg- 1 Faulty high flow indi- Shut FCV 4060 (PEP FW-1) Same as above. Stimulus can also ment 13 FC cation to SG 34 cause AF018-A-INT (FT 1203) AF014-A-INT Failure of seg- 1 Faulty high flow indi- Shut FCV 4068 (PEP FW-1) Same as above. Stimulus can also ment 14 FC cation to SG32 cause AF017-A-INT no (FT 1201) g AFOIS-A-INT Failure of seg- 1 Faulty high flow indi- Shut FCV 406A (PEP FW-1) Same as above. Stimulus can also ment 15 FC cation to SG31 cause AF016-A-INT (FT 1200) AF012-8-!NT Failure of 1 Faulty low flow indica- Open FCV 406C (PEP FW-1) Close BFD-41 and start FCV 406C - FO tion tot 6 33 (FT 1202) TD AFW pump 3T TPEP FW-1) l l i
i PRIMARY EVENT (PE) - INDUCED IR94AN INTERACTION TABLE SYSTEM: AFWS (Cont'd) PE PE REVIEW SIIMULUS AND HINAN ACiloff CAU5ING PE DESIGNATOR DESCRIPIOR CATEGORY STIMutHS ACIlott OPERATOR RESPONSE TO PE RIMARKS AF013-B INT Failure of 1 Faulty low flow indica- Open FCV 406D (PEP FW-1) Close BFD-43 and start FCV 406D - F0 tion to 5G 34 (FT 1203) TD AFW pump 3 F
- AF014-B-INT Failure of 1 Faulty low flow indica- Open FCV 406B (PEP FW-1) Close BFD-36 and_ start i FCV 4068 - FO tion to SG 32 (FT 1201) TD AFW pump 32 1
1 AF015-B-INT Failure of 1 Faulty' low flow indica- Open FCV 406A (PEP FW-1) Close BFO-38 and start FCV 406A - FO tion toTd 31 (rT 1200) TD AFW pump 3 F AF016-A-INT Failure of seg- 1 Faulty high flow indi- Shut FCV 405A (PEP FW-1) Start MD AFW pump 31 or~ See AF012-A-!NT ment 16 - FC~ cation to SG 31 lower SG pressure to through AF015-A-INT (FT 1200) <500 psig and use con-densate pump (PEP FW-1) 1 AF017-A-INT Failure of seg- 1 Faulty high~ flow indi- Shut FCV 405B (PEP FW-1) Same as above. Same as above i ment 17 - FC- cation t'oo IG 32 I (FT 1201) AF018-A-INT Failure of seg- 1 Faulty high flow indi. Shut FCV 405D (PEP FW-1) Start MD AFW pump 33 o_r, Same as above nent 18 - FC cation to SG 34 lower SG pressure to % i (FT 1203) <500 psig and use con- w densate pump (PEP FW-1) l AF019-A-INT Failure of seg- 1 Faulty high flow indi- Shut FCV 405C (PEP FW-1) Start MD AFW pump 33 or- Same as above ment 19 - FC cation to SG 33 lower SG pressure to (FT 1202) <500 psig and use con-densate pucy (PEP FW-1) i i
PRIMARY EVENT (PE) - INDUCED IRfMN INTERACTION TABLE SYSTEM: AFWS (Cont'd) PE PE REVIEW SilttilUS AND IntMN ACil0N CAUSING PE DESIGNATOR DESCRIPT0R CAIEGORY SilMllLUS ACil0N OPERAIOR RESP 0flSE 10 PE R[ MARKS AF020-A-INT NOIF steam from 2 Use steam from MS-42 PEP-ES-12 SG Tube Rupturc segment 20 or start MD AFW Procedure, requires pumps 31 and 33 MS-41/42 to be ' or lower W pressure to shut with confirmed E 00 psig and use con- indications of tube densate pump (PEP FW-1) leak - SG 1evel increase M SG sample AF021-A-INT NOIF steam from Use steam from MS-41 Not likely operator segment 21 or start MD AFW would shut MS-41/42 pumps 31 and 33 on faulty SG 1evel or lower W pressure to indication only 300 psig and use con-densate pump (PEP FW-1) AF022-A-INT AFWS injection 3 Lower SG pressure to fine falls to sup- <500 psig and use con-ply water to SG 33 densate pump (PEP FW-1) AF023-A-INT, ATWS injection 3 Same as above. ro line fails to sup-ply water to SG 34 $ AF024-A-INT AFWS injection 3 Same as above. line fails to sup-ply water to SG 32 AF025-A-INT AFWS injection 3 Same as above. line fails to sup-ply water to SG 31
PRIMAR7 EVENT (PE) - INDUCED IUiAN INTERACTION TABLE SYSitM: AFWS (Cont'd) PE PE REVIEW STIMULUS AND fluMAN ACil0N CAUSING PE DESIGNATOR DESCRIPIOR CAIEGORY SilMULUS ACil0N OPERATOR RESPONSE TO PE RIMtSKS AF022-C-INT AFW pumps 32, 33 3 Isolate SG 33 as per Several val d are fail due to main Steam Generator Tube operated for the feed leakage from Rupture Proc. response SG 33 PEP-ES-1B AF023-C-INT AFW pumps 32, 33 3 Isolate SG 34 as per Same as above fall due to main Steam Generator Tube feed leakage from Rupture Proc. PEP-ES-1B SG 34 AF024-C-INT AFW pumps 31, 32 3 Isolate SG 32 as per fail due to main PEP-ES-1B fecd leakage from SG 32 AF025-C-INT AFW pumps 31, 32 3 Isolate SG 31 as per fait due to main PEP-ES-18 feed leakage from SG 31 m AF022-0-BLDN Blowdown from 3 Shut PCV-121G or No feasible stimu- A SG 33 not isolated PCV-1216A or d5nstream lus would induce manual isolation valve the operator to (not addressed in ONOP leave the blowdown or PEP) valve open and drain the SG AF023-D-BLDN Blowdown from 3 Shut PCV-1217 or SG 34 not isolated PCV-1217A or dE nstream manual isoTition valve AF024-D-BLDN Blowdown from 3 Shut PCV-1215 or SG 32 not isolated PCV-1215A or dEnstream manual isoTatton valve
PRIMARY EVENI (PE) - INDUCED If0 MAN INTERACTION TABLE l SYSTEM: AFWS (Cont'd) PE PE REVIEW STIMull!S AND lurVUt ACTION CAUSING PE DLSIGNATOR DESCRIPTOR CATEGORY STIHutOS ACTION OPERAIOR RESPONSE 10 PE PL MAHKS AF025-D-BLDN Blowdown from 3 Shut PCV-1214 or SG 31 not isolated No feasible stim-PCV-1214A or downstream ulus would induce manual isoTation valve the operator to leave the blowdown valve open and drain the SG. AF026-A-!NT ATM STM RLF valve 3 Monitor pressure for PCV 1136 falls to operation of safety open valves AF028-A-INT ATM STM RLF valve 3 Same as above. PCV 1137 AF030-A-INT ATM STM RLF valve 3 Same as above. PCV 1135 fails to open AF032-A-INT ATM STM RLF valve 3 Same as above. PCV 1134 fails to open Q3 en AF027-A-INT All safety valves 3 Attempt to reduce SG33 associated with pressure through other SG 33 fall to open paths (not addressed in ONOP or PEP) AF-029-A-INT All safety valves 3 Attempt to reduce SG31 associated with pressure through other SG34 fall to open paths l 4 I 4 i
- . -_ . - . . __ . -- = - - - _ ~ _ - .-.
i PRIMARY EVENT (PE) - INDUCED lluMAN INTERACTION TABLE SYSTEM: AFWS (Cont'd) PE PE REVIEW SilMULUS AND lluMAN ACil0N CAUSING PE DESIGNA10R DESCRIPIOR CATEGORY SilMULUS ACil0N OPERATOR RESPONSE 10 PE PEMAPKS j AF-031-A-INT All safety valves 3 Attempt to recace SG32 ~ associated witn pressure through other SG32 fail to open paths , AF-033-A-INT All safety valves 3 Attempt to reduce SG31 associated with pressure through other SG31 fall-to open paths ' CSG100-A Failure of CST 4 supply to AFWS CWOO1-A-INT Failure of city 3 Lower SG pressure to If city water is in water supply to <500 psig and use con- use, it is assumed CT-49 densate pump (PEP FW-1) that CST is not available; hence, all AFW pumps become unavailable with these two faults N CWOO2-A-INT Internal failure 3 Same as above. Same as above. $ of CT49 segment EE-ATL Ambient Temp low . 3 N/A EE-1080 No flow in 2 Start a motor driven Due to multiple line 1080 AFW pump to maintain indications (flow, flow in recirc line speed, discharge (not addressed in ONOP pressure), operator i or PEP) is not likely to be . induced to stop TD pump due to faulty indication, t
o PRIMARY EVENT (PE) - INDUCED HUMAN INTERACTION TABLE SYSIEM: AFWS (Cont'd) PE PE REVIEW SilMULUS AND InlMAN ACil0N CAUSING PE DESIGNATOR DESCRIPIOR CATEGORY STIMULUS ACil0N OPERATOR RESPONSE TO PE RIMARKS EPAll-T 4 EPA 14-T 4 EPD02-01 4 EPD33-01 4 EPI 21-01 4 EP!22-01 4 EP!23-01 4 EP...T...FLT 4 HTG320-T 4 HT343-!FF 4 N HT343-T-INT 4 IAG01 4 SE-AFP31-A 4 SE-AFP32-A 4 SE-AFP33-A 4
PRIMARY EVENT (PE) - INDUCED HUMAN INTERACTION TABLE SYSTEM: Inst. Air PE PE REVIEk STIMliLUS AND llUMAN ACil0N CAUSING PE DESIGNATOR DESCRIPIOR CATEGORY SilMutVS ACI10N OPERAIOR RESPONSE TO PE RIMAltKS IAC02-A Pipe downstream of 3 Loss of cooling to IA 1. Piping only-no both CW pumps compressors and after- active components coolers. Shut down IA 2. Lose cooling to compressors and supply both IA com-IA from SA. (automatic pressors. action) (ONOP IA-1) IAC04-A CWHX 32, inlet and 1 Level controller Isolate HX in service Shif t to Standby HX SW is at a higher outlet valves and LC-1130 for the cooling and put standby HX in (0NOP-RW-1) press than CW, so pipes water EXP tank falls to service (ONOP RW-1) if expansion tank fill and overflow tank, overflows the oper-ator may suspect failed HX tubes. IAC05-A CWHX 31, inlet and 1 Same as above Same as above Same as above Same as above outlet valves and pipe segs. IAC06-A Pipe from CW Hxs 3 Single line, if plugged 1. Piping only-no to aftercsolers or broken lose water to active components % IA compressors and 2. Lose cooling to e aftercoolers. Shutdown both IA compressors compressors and supply IA from SA (ONOP IA-1) IACIA-A CW pump 31, valves 2 Check start of standby Because of multiple and pipe-operating pump (not addressed in pressure indica-pump ONOP or PEP) tions (PI 1271 and PC 1173) the oper-ator would not be induced to secure pump on failure of a single instru-ment. l
A l'RIMARY EVENT (PE) - INDUCED ifuMAN INTERACil0N TABLE SYSTEM: Inst. Air (Cont'd) PE PE REVitW STIMutOS'AND llUMAN ACTION CAUSING PE DESIGNATOR DESCRIP10R CATEGORY SitMULUS ACil0N OPERATOR RESPONSE 10 PE REMNtKS IAC1B-A CW pump 32, valves 3 Pump not running-plug and pipe-standby has no effect and will pump. not be noticed. Leak will require isolation of pump. If pump not isolated system will drain requiring shut-down of IA compressors and IA will be supplied by SA. (ONOP IA-1) IAC10-A Common discharge 3 Leak will drain system Piping only-no pipe from heater requiring shutdown of active components drain pump IA comp and supply of motors 31 and 32 IA loads from SA. Plug to pump suction. has no effect as IA cooling will recircu-late through closed cooling Hxs. Valves and pipe to IAC7A-A aftercooler 31. 3 Leak in either drains system and must be iso-No feasible stimu- $ lus to close valves lated. If isolated or plugged the affected compressor will be shutdown and the unaf-fected compressor shifted to " hand" mode. (ONOP IA-1)
. _ _ _ _ _ - _ . - ~__ _ _ _ - _ . _ _ _ ._ - .-
PRIMARY EVENT (PE) - INDUCED HUMAN INTERACTION TABLE SYSTEM: Inst. Air (Cont'd) PE PE REVIEW STIMULUS AND HUMAN ACTION CAUSING PE DESIGNAIDR DESCRIPT0R CATEGORY SilMULUS ACTION OPERATOR RESPONSE 10 PE RE MARK S IAC78-A Valves and pipe to 3 No feasible stimo-aftercooler 32. lus to close valves. IAC9A-A Valves and pipes 1 TI 1160 falls to a Operater opens CC-44A Direct aux 11ary oper- , from after- tercerature less than to allow additional ator to determine the cooler 31 to/ 100*F. cooling water to bypass cause of the "Instru-through "otor 31. , ator 31 (Corpressor is ment Air Compresscr automatically tripped Auto Trip" alarm. If of f en overtemperature Aus11ary Operator at 150*F Ja:ket temp) determines that the (not addressed in ON3P auto trip was due to or PEP but in System high cooling water Description) temperature, he will check the valve lineup, i throttle down on CC-44A and restart the com-pressor. (ONDP 1A) IAC93-A Valves and pipes 1 TI 1182 fails to a Same as above Same as above ^3 from after- temperature less than E" cooler 32 to/ IDO*F thrcagh . motor 32. 1
PRIMARY EVENT (PE) - INDUCED IfUMAN INTERACil0N TABLE SYSIEM: Inst. Air (Cont'd) PE PE REVIEW STIMULUS AND IfuMAN ACTION CAUSING PE DESIGNATOR DESCRIPIDR CATEGORY STIMULUS ACil0N OPERAIOR RESPONSE TO PE PEHARKS IA501-A Valves, pipe, from 3 Direct NPO to determine Serv Air is station serv air to inst cause of low station air. All valves air and weld chan- air pressure. HP0 are local minual nel backup checks valve line up with ample local and system conditions. instrumentation Realign or repair as necessary. Note: valve closure e.g. IA-30 will provide no indica-tion of fault prijr to loss of IA and no back i up from SA (ONOP IA-1) IA502-A Pipe from service 3 Isolate IA 21, 56 siping only-no air to filters and 30. Repair pipe. active components (ONOP IA-1) plug not evident unless IA is being supplied by SA. IA507-A Pipe, valves and 3 Isolate and repair as Requires low instr h3 controller down- necessary. (ONOP IA-1) stream of filters, air concurrent with hS control room instr. Failure to cause operator to shut PCV 1142. Other-wise no active cua-ponent only con- l troller and equip- ' ment upstream of IA 21 can be repaired without removing all IA from service.
j PRIMftRY EVENT (PE) - INDUCED IU4AN INTERACTION TABLE SYSILM: Inst. Air (Cont'd). PE PE REVIEW SilMULUS AND HUMf& ltiiON CAU;14C PE DLSIGNAIOR DESCRIPIOR CAlEGORY STIMULUS ACT10N OPERATOR RESPONSE 10 PE RE mal?KS IAS08-A Valve and pipe 3 Isniate and repair as All valves are from service air necessary. (ONOP IA-1) manual with ade-to inst. air. quate local indica-tion. Local isola-tion should not be done without con-trol room permission. IAS29-A Valves, filter and 1 DPI-Il31 fails as is. NPO will not recognize Operator notes 6P or DP The only valves pipe. clogged filter if it between IA (low) and SA present are to occurs. If the on line (normal). Direct NPO switch from one u filter is clogged SA to check local indica- filter to another. cannot supply IA. With tion to determine com- Filters can be j failed as is DP Indica- ponent causing isola- expected to plug tion operator would be tion. Investigate after prolonged induced to take no filter bank. Switching operation. Nor-action, eventually filters will remove mally there is no leading to plugged problem. (ONOP IA-1) flow so plugging is filters. (Not going to take a tu W addressed in ONOP or long time. " PEP) IA005-A Common pipe from 3 Shut IA SA now Piping only-no compressors to supplies IA loads - active components. receiver. repair as necessary. (0NOP IA-1) IA006-A Receiver ADN RV 3 Receiver failure-repair, Relief valve-no (and relief receiver. Shut IA-6 operator action to valve?) and supply IA from SA open. Drain to repair all failures. valves - not nor-(ONOP IA-1) mally opened and left. Failure of RCVR. a
PRIMARY EVENT (PE) - INDUCED HUMAN INTERACTION TABLE SYSTEM: Inst. Air (Cont'd) PE PE REVIEW STIMULU$ AND ifUMAN ACTION CAUSING PE DESIGNATOR DESCRIPIOR CATEGORY STIMULUS ACTION OPERATOR RESPONSE TO PE RIMARKS IA007-A Pipe and valve 2 NPD to investigate loss Several indicators downstream of of receiver pressure. other than PI 120 receiver. Check pressure at dry- would show no loss ers verify PCV 1142 of system pressure. open to supply air from This in conjunction SA. (0N0P IA-1) with PCV 1142 remaining shut until IA 6 was shut indicates normal receiver pressure. IA008-A Pipe plugged - 3 Investigate, locate and Plug at this point NOIF from com- repair obstruction. results in loss of r pressors and Shut IA 6, 7, 8, 21, inst air .There is backup serv air. 70, 73 required to iso- no back up avail-late obstruction RX able. Operator trip. (ONOP IA-1) required by proce-dure to trip reac-tor if IA pressure drops to 60psig. ro t.n IA009-A Pipe plugged - 3 Place dryer 31 in No inst. air will " N0!F thru dryer 32 service. (ON0P IA-1) be available while and bypass. repairs are being . made. IA01A-A Compressor, pipe, 1 TI 1204 or TC 11045 Shutdown compressor 31 Place compressor valve upstream of fails high or low. due to temp out of string 32 in service if aftercooler 31, specs. (Not addressed not already running, in PEP or ONOP, but in (ONOP IA-1) System Description) ) i 1
1 PRIMARV EVENT (PE) - INDUCED llUMAN INTERACTION TABLE SYSTEM: Inst. Air (Cont'dl PE PE REVIEW STIMULUS AND llHMAN ACTION CAUSING PE DESIGNATOR DESCRIPTOR CATEGORY STIMULUS ACil0N OPERATOR RESPONSE TO PE REMARKS IA018-A Compressor,' pipe, 1 TI 1205 or TC 11055 Same as IA01A-A for Place compressor valve upstream of falls high or low, compressor 32. str;ng 31 in service if af tercooler 32. not already running. (ONOP IA-1)
. IA012-A Common pipe from 3 Remove inst air system Piping only. No alt path from service - repair alternate source of (dryer 31) and broken pipe. Reactor IA available during bypass. trip. (ONOP IA-1) repair. Pene and weld emerg are not affected.
IA013-A Pipe, valves and 2 No indication of plug- No reason to iso-controller in ging unless inservice late bypass unless bypass. refer dryer is also PCV 1542 fails i plugged. No action open. Failure of likely. On failure of PI 1144 low would 1144 the NPO notes possibly induce NPO PI 1207 reads normally to open bypass which could imply valve by suggesting $ m blocking of either set dryer might be of dryers. Redundant blocked. 4 instrumentation should
! indicate that this is not the case.
1 IA014-A Pipe in bypass. 3 Air leak due to pipe Pipes only. Leak break is isolated by only-plugged bypass shutting IA 70 and 71. would not be appar-(ONOP IA-1) ent unless in service dryer was also plugged. l
PRIMARY EVENT (PE) - INDUCED IfUMAN INTERACTION TABLE SYSTEM: Inst. Air (Cont'd) PE PE REVIEW SilHill0S AND lil##Ut ACil0N CAUSING PE DESIGNATOR DESCRIP10R CATEGORY STIMULUS ACTION OPERATOR RESPONSE TO PC R[ MARKS IA015-A Common pipe from 3 Remove inst air system Emerg make up to ref dryers to from service, repair Pene. and weld desic dryers to broken or plugged pipe not affected. Pip-conv. plant SE. Rx trip. (ONOP IA-1) ing only-no active components. No alternate source of IA available during repairs. IA016-A Pipe to desicant 3 Remove IA system from Plug does not dryers service, repair broken affect conventional or plugged pipe Rx plant IA. All trip. (ONOP IA-1) loads affected by leak and by removal of IA from service for repair. Emerg make up to penetra-tion and weld channel is unaffected. na on IA018-A Pipes, valves, 2 Verify that non regen Non regen only good C' i regenerative dry- automatically placed in for four hours. ers - normal service. (Not - flowpath, addressed in ONOP or PEP) IA02A-A Aftercooler 31 3 Remove compresser 31 No active compo-from service. Assure nents. compressor 32 in " hand" mode. (ONOP IA-1)
_. _ - _- _ = - . _ _ _ _ _ .- . - - . --_ - _ , --__- .. - . . _ . __ - .. .- . PRIMARY EVENT (PE) - INDUCED IfUMAN INTERACil0N TABLE SYSILM: Inst. Air (Cont'd) i l'L PE REVi[W STitillUS AND llUMAN ACTION CAUSING PE l DESIGNAIOR DESCRIPIOR CATEGORY STIMULUS ACT10te OPERATOR RESPONSF 10 PE R[ MARKS IA028-A Aftercooler 32 3 Remove compressor 32 No active compo-j form service. Assure nents, compressor 31 in hand mode. (040P IA-1) IA025-A Pipe, valves, con- 2 If leak shut IA-11 Noq regen not nor-troller, nonregen, (double valve) and mally in service, dryer backup path repair leak. (ONOP IA-1) (4 hr. supply). IA026-A Pipe from desicant 3 Isolate and repair IA out of service dryer to after line. no alternate filters. available. No active components IA027-A filters, pipes, 1 DPI 1132 fails as is. NPO will not recognize Control room instrument valves. clogged filter and shows decreasing IA switch to alternate pressure with no auto-filter. Hence, taking matic actions occuring 1 no action would eventu-ally lead to plugged at desired setpoints. NPO investigates and u 1 filter. (Not addressed finds PCV 1143 still in ONOP or PEP) shut indicating normal pressure at discharge of dryer. Investigate pressure drop. Filters are most likely cause. Swap filters. Increase CR IA pressure. (ONOP IA-1) 1 t
4 PRIMARY EVENT (PE) - INDUCED HUMAN INi[RACTION TABLE SYSILM: Inst. Air (Cont'd) PE PE REVIEW STIMillu$ AND HUMAN ACTION CAUSING PE DESIGNATOR DESCRIPIOR CATEGORY STIM 0tUS ACTION OPERATOR RESPONSE l0 PE RI MARK S IA03A-A Pipe and valves 3 Remove after cooler and Passive components j downstream after- compressor 31 from IA 3 shut only to cooler 31 service. Assure com- isolate air leak pressor 32 in " hand" upstream. mode. Isolate and repair af fected com-ponents. (0N0P [A-1) IA038-A Pipe and valves 3 Remove aftercooler and Passive components downstream after- compressor 32 from IA 2 shut only to cooler 32. service. Assure com- isolate air leak , pressor 31 in " Hand" upstream. mode. Isolate and repair affected com-ponents. (0NOP IA-1) IA030-A Pipe from after- 3 Broken or plugged - no Piping only - no filters to dis- source of IA - Rx active components. tribution. trip - repair. (0NOP IA-1) no en IA04A-A Pipe downstream of 3 Piping only - no O Seg !A03A. active components. IA048-A Pipe downstream of 3 Shift to alternate com- Piping only - no Seg IA038. pressor. Investigate active components. and repair as neces-sary. If leak IA 3, IA3, and IA 6 must be shut, the leak repaired. During leak repair IA loads sup-plied by SA. (0NOP IA-1) l
- - . ._ - . . ~ , . .- . _ , . . . - . -
l l l ! PRIMARY EVENT (PE) - INDUCED HUMAN INTERACTION TABLE SYSTEM: Inst. Air (Cont'd) PE PE REVIEW STIMULUS AND HUMAN ACIION CAUSING PE DESIGNATOR DESCRIPIDR CATI G-)RY SIIMULUS ACil0N OPERA 10R RESPONSE 10 PE RfMARKS IA10A-A Pipe, filter, 3 Manually shift to dryer and valves standby filter down-in alt path stream of dryer . (dryer 31). (ONOP IA-1) IA108-A Pipe, filter, 2 Remove dryer from serv- Redundant instru-dryer and valves ice establish flow mentation makes it in operating through alternate unlikely that a dryer 32, dryer. (ONOP IA-1) single instrument failure will cause inappropriate oper-ator action. IAllA-A Pipe in alt path 3 If leak, must isolate Piping only - no downstream of both dryers and bypass. active components, dryer 31. No source of IA avall-able. If plugged, no , action as dryer not in service. , IAllB-A Pipe downstream of 3 If leak, must isolate Piping only - no bS operating both dryers and active components. dryer 32. bypass - no source of IA will be available. Rx trip if plugged, bypass will open. Operator will shift to dryer 31. (ONOP IA-1) Power No power to 4-way 3 Verify non regen dryer Unlikely that a valve - supply not supplying IA. Trace false indication found, electrical fault and would cause oper-l repair - reenergize the ator to trip the { valve power supply. Buss supplying (ONOP IA-1) power to the valve. 4 i
PRIMARY I VENT (PI) - INDlKID IRJMAN INil RACTI0tl 1ABLE
$YSilM: lleat Tracing (11T)
PE PE REVi[W SIltilluS AND Inf1AN ACilota CAUSING PE lil SIGflAIOR DESCRIPIOR cal [ GORY Sill-tit uS ACT10N OPERAIOR R[SPorti[ TO PE RIMAltKS [E-ATL Ambient temp. 3 low, Note: Operator action There is never any throughout is to note reason for the the alarm and institute operator tu shut maintenance procedures off heat tracing to repair problem. and na failure Assure redundant system would induce him to is operating where do so, applicable. III021-T-INT Segment 21 inter- 3 nal f allute. IIT022-T-INT Segment 22 inter- 3 nal f ailure. IIT025-T-!NT Segment 25 inter- 3 nal failure. IIT026-T-INT Segment 26 inter- 3 nal failure. o itTG312-T No power to seg- 3 ment 29. IITG322-T No power to seg- 3 ment 30. lit 029-T-INT Segment 29 inter'- 3 nal failure. iiT030-T-INT Segment 30 inter- 3 nal failure.
1 FRIMARY [ VENT (PE) - INDUCED IRMAN INTERACTinti IAllLE SYSitH: lleatTracing(HT]_(Cont'd) I'E PE REVIEW STIMULUS AND inr1AN ACTI0tl CAUSING PE lit SIGMIOR DESEftIPIOR CATEGottY SIIMLit (15 ACI!ON OPERAIOR RESPONSE TO PE R[ MARKS ll1025-LEf Transformer elec. 3 fault. lit 026-LEf Sane as above 3 III033-LEF Local FP DP31 load 3 fault. IIT033-LBfTO Associated FP DP31 3 load BKR FTO. Ill-Power-Ma t ters Conditions are suc 3 that power fail-ures to HT can cause system failure. EPA 29-T MCC31 loss of 4 power. ro EPA-28-T HCC 35 loss of 4 cn power. I IIT341-LEf FP DP32 CKTS 9 or 3 11 Elec. fault. j llT341-LBfi0 FP DP32 CKTS 9 or 3 11 faulted associ-ated breaker FTO. III342-LEf IP DP32 CKT 7 3 E lec. f ault.
PittlMitY EVENT (PE) - INIRfCEI) lit #iAN INi[RACil0N IABLE SYSitti: Heat Tracing (ItT) (Cont'd) l'E l'E REVlfW SIlitil115 AND litMAN ACTION CAUSING PE IILSIGflAIOR DESCI(Irl0R CAIEGottY Sillult uS ACitori OPERATOR RESPONSE TO PE RIMARKS IIT342-LBfTO FP DP32 CKT 7 load 3 BKR fT0. IIT313-LEF FP DP32 any 1 3 CKIS 1 through 6 Elec. fault. IIT343-LBfTO FP DP32 load BKR 3 assoc. with faulted CKT FTO. HT023-T-INT Segment 23 inter- 3 nal failure. IIT027-T-INT Segment 27 inter- 3 nal failure. i HT031-T-INT Segment 31 inter- 3 nal failure. N llT027-LEF Transformer elec. 3 m fault. EPA 21-T MCC 37 loss of 4 power. HT0351-LEF Elec. failure of 3 line 155 HT CKTS.
!!IO351-L0fi0 FP DP34 line 155 3 CKT BriKRS fT0.
1
i PRIMARY [U[NT (PE) - INIHJCED llUMati lNif RACTI0ff TRnt f 2 SYSilM: lleat Tracing (HT) (Cont'd) PL l'E REVIEW SilMlllHS AND HilMAN ACTION CAllSING PE DISIGilA10R DESCitir10R cal [ GORY SilHilt !!S AC110rl OPERAIOR RESPONSE TO PE RtMARKS lit 0352-tEF Elec. failure of 3 line 161 HT CKTS. IIT0352-LBFT0 FP DP34 line 161 3 CKT BRKRS fT0. HT0353-LEf Elec failure of 3 RWST inst strip HTRS. H10353-LBFT0 FP DP34 RQST inst 3 strip HTRS CKT l BRKRS FTO: i HT0354-LEf Elec. failure of 3 non-RWST HT CKIS. HT0354-LBTTO FP DP34 non-RWST 3 HT CKT BkKRS FTO.
. , ro HT024-T-!NT Segment 24 inter-nal failure.
3 $ HT028-T-INT Segment 28 inter- 3 nal failure. HT028-LEf Transformer elec. 3 1 fault. EPA 18-T MCC 39 loss of 4 power.
i PRIMARY [ VENT (PE) - INDUCED lit #iAN INTERACIl0N TAllLE SYSil f t: lleat Tracing (HT) (Cont'd) PL PI REVIEW Silititils AND Ilt#iAN ACTION CAllSING PE Di SIGilA10ft DESCit lPIOR cal [ GORY SilHut us ACTIOri OPERAIOR RESPONSE TO PE R[ HARKS I1032-T-INT Segment 32 inter- 3 nal failure. HT036-LEF Local FP DP35 load 3 fault. HT036-tBFT0 Assoc. BRKR 3 FP DP35 FT0. IITOOD-T-INT Segments 5, 8, or 3 11 internal failure. IIT33A-LEF tocal load elec. 3 fault on PNL 33A. HT33A-LBFT0 Assoc. load BRKR 3 FTO. III003-T-INT Segment 3 internal 3 N failure. llTSPSO-T No power to SUPV 3 PNL 90 in CR. IIT003-T-0 Operator falls to 3 . make the transfer. 4 IIT002-T-INT Segment 2 internal 3 failure. EPA 23-T Loss of power to 4 MCC 368.
PRIMAltf Et![Ni (PE) - Iflh0CED lilR4AN INTERACil0N TADI E f 5YSilH: lleat Tracing (HT) (Cont'd) ., l't PE REVIEW SilMlllll5 AND lit #4Af4 ACil0N CAllSING PE
- DISIGilAIOR DESCRIPIOR CAT [GottY S TIMill lis Acil0N OPERATOR RESP 0f45E 10 PE RIMAltKS EPA 22-T Loss of power to 4 MCC 36A.
HT001-T-INT Segment 1 internal 3 failure. IIT008-LEF Transformer to 3 PNL 33A elec. fault, itT005-LBFT0 Segment 5'BRKR 3 FTO. IIT009-LEF Transformer to 3 PNL 338 elec. fault. IIT006-LBFT0 Segment 6 BRKR 3 FTO. ro HT010-LEF Transformer to 3 $ Ptil 33C elec. fault. IIT007-LBFT0 Segment 7 BRKR 3 FTO. IIT009-T-INT Segment 6, 9, or 3 12 internal failure. IIT338-LEF Local load elec. 3 fault on PNL 338.
PRIMARY EVENT (PE) - INDUCED 1RtiAll INIFRACTION TA11t E SYSilH: lleat Tracing (HT) (Cont'd) 11 PE REvi[W SilMlllHS AND In#1Aff ACIION CAUSING PE lilSIGilAIOR DEstitIPIOlt CAllG0ftY SilHtit IIS ' AC110?l OPERATOR RESP 0tiSE TO FE RfMARKS IIT333-LBfTO Assoc. load BRKR 3 FTO. IIT010-T-INT Segment 7, 10, or 3 13 internal failure. IIT33C-LEF Local load elec. 3 fault on PNL 33C. HT33C-LBfTO Assoc. local load 3 BRKR FT0. a m 1 i i I i
= _ . - _ - - _ . _ ..
PRIMARY EVENT (PE) - INDUCED HUMAN INTERACTION TABLE SYSTEM: Electric Power PE PE REVIEW STIMULUS AND HUMAN ACTICN CAUSING PE DESCRIPT0R CATEGORY STIMULUS ACTION OPERATOR RESPONSE TO PE REMARKS DESIGNATOR
- EPA 01-S Local fault at 2 Procedure PEP-EL-1 to EPA 01 verify start & loading (switchya rd) of diesels. Then 50P-EL-S (as per PEP-EL-1) to restore 6.9kV with the gas turbine c$
Loss of grid 2 Same *a
- EPA 01-T
- EPA 02-S Local fault at 2 Check starting &
EPA 02 (6.9kV loading of diesel 33. Bus 5) Lower power as neces-sary to maintain plant without circ. water pump 35 (PEP EL-1)
- EPA 03-5 Local fault at 2 Open both 6.9 kV and EPA 03 (SS XFMR 480v breakers. Supply
- 5) Bus SA from diesel 33 (PEP EL-1)
I t
.. _= - - . .
PRIMARY EVENT (PE) - INDUCED HUMAN INTERACTION TABLE SYSTEM: Electric Power PE PE REVIEW STIMULUS AND HUMAN ACTION CAUSING PE DESIGNATDR DESCRIPTOR CATEGORY STIP'JLUS ACTION OPERATOR RESPONSE TO PE REMARKS
- EPA 02-U Unclearable 2 Follow loss of outside fault at Bus 5 power procedure PEP-EL-1 J
- EPA 04-S Local f ault at 2 Replace essential loads If faulty indication EPA 04 (Bus 5A) with equipment from of bus problem other 480V buses operator would look PEP-EL-1 Q3 for faulty loads to ao remove from bus, not deenergize bus
- EPA 05-INT Local fault in 2 Supply Bus 5A from Bus DG no.33 If false indication 5 if available, if not of fault operator supply essential loads would try to cure from redundant fault, not trip DG.
equipment on other 480V buses. Repair DG33 PEP-E L-1
PRIMARY EVENT (PE) - INDUCED HUMAN INTERACTION TABLE SYSTEM: Electric Power PE PE REVIEW STIMULUS AND HUf1AN ACTION CAUSING PE DESIGNATOR DESCRIPT0R CATEGOR Y STIMULUS ACTION OPERATOR RESPONSE TO PE RE MARKS
- EPA 06-INT Local fault in 2 Preform manual dead bus The only way the fast transfer t rans f er operator can defeat breaker scheme SOP-EL-5 the transfer is to put the breaker in pull-to-lock. No f alse indication could result in operator using pull-to-lock
- EPA 06-S Local fault at 2 Isolate Bus 2 8 SS If at power reactor EPA 06 (6.9kV Bus 2 transformer 2. Supply would trip due to and SS Xfmr 2) Bus 2A f rom DG31 (auto loss of RCP. (Low start on no voltage) Flow) no false PEP-EL-1 Indication could irduce operator to isolate the bus
- EPA 07-5 Local fault at 2 Same as EPA-04-5 $$
up EPA 07 (Bus 2A)
- EPA 08-INT Local fault in DG 2 Supply Bus 2A from Bus 2 50P-EL-5 No.31 if available, or through 2A/3A tie breaker if allowed. Repair DG31
- EPA 09-S Local fault at 2 Check starting and PEP-EL-1 EPA 09 (6.9kV Bus loading of diesels. If
- 6) at PWR. lower PWR to maintain vac. with circ. pump 36 ooc.
4
FRIMARY EVENT (PE) - INDUCED HUMAN INTERACTION TABLE SY STEM: Electric Power PE PE REVIEW STIMULUS AND HUMAN ACTION CAUSING PE DESIGNATOR DESCRIPTOR CATEGORY STIMULUS ACTION OPERATOR RESPONSE TO PE REMARKS
- EPA 09-U Hnclearable fault 2 Follow loss of power See note at EPA 02-U at Bus 6 procedure PEP-EL-1
- EPA 10-5 Local fault at EPA 2 Open breakers on both No faulty indicator 10 (SS Xfmr 6) sides of the former and that could simulate supply Bus 6A with the fault.
diesel 32 (auto start on PEP-EL-1, no voltage) 50P-EL-5
- EPAll-S Local fault at 2 Same as EPA 04-S Same as EPA 04-5 EPAll (Bus 6A)
- EPA 12-INT Local f ault in DG 2 Supply Bus 6A from Bus 6 If false indication No.32 if available, if not of fault operator supply essential loads would try to cure from redundant equipment fault, not trip on other 480V buses, diesel.
Repair Diesel 32 PEP-EL-1 p,
- EPA 13-INT Local fault in 2 Perform manual dead bus The only way the C$
fast transfer transfer operator can defeat breaker scheme 50P-EL-5 the transfer is to put the breaker in pull-to-lock. No f alse indication could result in operator using pul l-t o-l oc k .
- EPA 13-5 Local fault at 2 Isolate Bus 3 & SS EPA 13 (6.9kV Bus 3 transformer 3. Supply
& SSXfmr3) Bus 3A through 2AT3A bus tie.
50P-E L-5
PRIMARY EVENT (PE) - INDUCED MUMAN INTERACTION TABLE SYSTEM: Electric Power PE PE REVIEW STIMULUS AND HUMAN ACTION CAUSING PE DESIGNATOR DESCRIPT0R CATEGORY STIMULUS ACTION OPERATOR RESPONSE TO PE REMARKS
- E PA15 -U Unclearable fault 2 1solate Buses SA & 2A to PEP-EL-1 in tiebreaker repair fault. Supply 5A/2A essential 480V loads with Buses 3A & 6A, diesel 32 only would be available
- E PA16 -U Unclearable fault 2 Isolate Buses 2A & 3A to PEP-E L-1 in tiebreaker repair fault. Supply 2A/3A essential loads with Buses SA & 6A. Diesel 32
& 33 would be available
- EPA 17 -U Unclearable fault 2 1solate Buses 3A & 6A to PEP-EL-1 in tiebreaker repair f ault. Supply 3A/6A essential 480V loads with Buses 2A & 5A.
Diesels 31 & 33 would be available no
- EPA 18-S Local Fault at 2 Follow appropriate MCCA39 annunciator response procedures. Consult system description and datermine the equipment lost as a result of losing this MCC. Verify operation of redundant equipment as available.
Follow Tech. Spec. LCO's and procedures specific to the equipnent loss ( ARP's) .
- EPA 19-S Local Fault at Same MCC3BC 2 l
PRIMARY EVENT (PE) - INDUCED HUMAN INTERACTION TABLE SYSTEM: Electric Power PE PE REVIEW ST!MULUS AND HUMAN ACTION CAUSING PE DESIGNATOR DESCRIFTOR CATEGORY STIMULUS ACTION OPERATOR RESPONSE TO PE REMARKS EPA 20-5 Local f ault at MCC32 2 All of these PE's result in loss of an MCC action i is outlined in EPA 18-5 1
- EPA 21-S Local f ault at MCC37 2 Same Same as EPA 18-5 !
l EPA 22-5 Local fault at 2 Same EPA 22 (MCC36A) EPA 23-5 Local fault at 2 Same MCC368 (Seg. EPA 23) EPA 24-INT Local fault in 2 See EPA 06-INT fast transfer breaker scheme DJ EPA 24-5 Local fault at 2 This results in loss of 6.9kV Bus 1 several MCCs. Action for each is outline under EPA 18-5 EPA 25-INT Local fault in 2 Results in loss of MCC, General actions are fast transfer breaker scheme outlined under EPA 18-S EPA 25-5 Local fault at 2 All of these result in 6.9kV Rus 1 the loss of one or more MCCs.
- EPA 26-S Local fault at 2 General action is Same as MCC33 outline under EPA 18-5 EPA 18-5
- EPA 27-S Local fault at 2 Same same MCC34 i
PRIMARY EVENT (PE) - INDUCED HUMAN INTERACTION TABLE SYSTEM: Electric Power PE PE REVIEW STIMULUS AND HUMAN ACTION CAUSING PE DESIGNATOR DESCRIPTOR CATEGORY STIMULUS ACTION OPERATOR RESPONSE TO PE REMARKS EPA 28-S Local fault at 2 Same MCC34 EPA 29-5 Local f ault at 2 Same MCC35 EPA 29-S Local f ault at 2 Same MCC31 EPA 30-S Local fault at 2 Same MCC38 EPD01-P1 LF FB16 opens 2 Loss of 125VDC These. breakers are distribution panel 31 on 125VDC power resulting in loss of panel 31 control of several important plant systems. Refer to m individual emerg. proc. *4 for actions to cope with '# each EPD01-P3 LF, FB13 opens 2 Loss of 125VDC distribution panel 33. See EPD01-P1 above
*EPD01-02 LF at DC power 2 Primary concern would be Operator would panel 31 loss of breaker control never deenergize a power and breaker DC supply panel.
position indications. All battery charger Breakers would have to instrumentation is be operated locally. Go local. down the list of loads supplied and aeal with symptoms. for loss of DC/AC inverter use ON0P-EL-13 (loss of instrument bus)
1 PRIMARY EVENT (PE) - INDUCED HUMAN INTERACTION TABLE SYSTEM: El ectric Power PE PE' REVIEW STIMULUS AND HUMAN ACTION CAUSING PE DES 13NATOR DESCRIPTOR CATEGORY S'T IMULUS ACTION OPERATOR RESPONSE TO PE REMARKS EPD01-06 LF at battery 1 Charger output Remove charger Remove charger fran This and the charger 31, CB ampmeter fails to from service. service battery carries battery form an caoles zero (local at Battery carries load. Repair Charger. and gate on the charger, aux load If charger cannot be fault tree so operator would get repaired shutdown as per assume the cable control room Tech. Specs. problem does not concurrence) result in a loss of voltage on panel 31
*EPD02-U6 LF at battery 1 Same same Same Same for Panel 32 charger 32, CB cables *EPD02-F2 LF, FB 12 opens 2 Check the load list for Operator would deal DC distribution panel 32 with problems on and respond to symptoms the panel, not deenergize the panel *EPD02-F4 LF, FB 13 opens 2 Same for dist. panel 34 Same C3 4 *EPD02-02 LF at DC power 2 Same as for power panel Same as for power panel 32 31 above panel 31 above *EPD03-02 LF at DC pwoer 2 Same Same panel 33 *EPD03-06 LF at battery 1 Charger ammeter Remove charger Same as EDP-01-06 See notes from bat-charger 33. CB fails to zero from service and tery chargers on cables . (local at charger) use swing charger previous page (get control room (EP001-06) concurrence)
EPD04-02 LF at DC power 2 Only load is inverter 34 panel 34 which is standby supply for instr. bus 34. No action required other than repair of fault.
PRIMARY EVENT (PE) - INDUCED HUMAN INTERACTION TABLE SYSTEM: Electric Power PE PE REVIEW STIMULUS AND HUMAN ACTION CAUSING PE DESIGNAT0k DESCRIPT0R CATEJORY STIMULUS ACTION OPERATOR RESPONSE TO PE REMARKS EPD04-06 LF at battery 2 Loss of charger-battery Only action charger 34. CB, carries load temporarily. required is repair cables Repair charger-DC bus 34 of charger since not normally loaded battery is passive
*EPD11 LOP at EPD11 2 Repair battery as soon As per Tech. Spec.
(failure of as possible follow a single battery battery 31) Tech. Spec. LCO's can be ooc for 24 hours if the charger is operable and carries its DC load
*EPD12 LOP at EPD12 2 Same Same (failure of battery 32) *EPD13 LOP at EPD13 2 Same Same ha (failure of '4 battery 33) *EPD14 LOP at EPD14 2 Same Same (failure of battery 34) i
PRIMARY EVENT (PE) - INDUCED HUMAN INTERACTION TABLE SYSTEM: Electric Power PE PE REVIEW STIMULUS AND HUMAN ACTION CAUSING PE DESIGNATOR DESCRIPTOR CATEGORY STIMULUS ACTION OPERATOR RESPONai TO PE REMARKS
*EPD3132-U Unclearable fault 2 Take manual control of Plant is prohibited in tie breaker functions to cool core from ever using between DC pannels (atmospheric steam pump this breaker. This 31 and 32 and Aux.FW) Not addres- PE would result in sed in PEPS & ON0Ps loss of both DC power panels 31 &
32
- EPI 21-SW Manual switch 31 2 Upon loss of bus 31: No false indica-opens (1) defeat runback if > tion would cause 70% power (2) transfer an operator to rod control to manual deenergize an (4) identify f aulted bus instr. bus (5) manually transfer to alt source if alt not already in use by other I bus (6)may have to block HI-HI const press
(*7)take local control
- EPI 21-02 LF at I Bus 31 2 of turbine driven AFW as n3 required (*8) block relay *4 C'
PC-402AX if RHR to be used (*9)reenergize BA tank headers (10) restore power & reset instru-
- E P I21-06 LF at manual 2 ments (11) repair fault. Same switch 31, ONOP EL-3 transfer failure *These steps unique to to AC source 1 bus 31 all others common to all I bus failures
*EP!21-15 LF in inverter 31 2 Same , or cable to IT
- EPI 22-SW Manual switch 32 2 Next page Same opens l
l PRIMARY EVENT (PE) - INDUCED HUMAN INTERACTION TABLE SYSTEM: Electric Power PE PE REVIEW STIMULUS AND HUMAN ACTION CAUSING PE DESIGNATOR DESCRIPT0R CATEGORY ST!MULUS ACTION OPERATOR RESPONSE TO PE REMARKS
- EPI 22-02 LF at ! Bus 32 2 Same as for I Bus 31 No false indication except (7) NA (8) block could cause an relay PC403AX if RHR is operator to to be used (9) use local deenergize an pyrometers to read RHR instrument bus temps
*EP122-06 LF in manual 2 Sane Same switch 32, transfer failure to AC source 1
- EPI 22-15 LF in inserter 32 Same Same or cable to it
- EPI 23-06 LF in manual SW33 2 Same as for Bus 31 Same transfer failure except (7) take local to AC source 1 manual control of motor driven AFW as required [j (8) NA (9) NA %a
- EPI 23-15 LF in inverter 33 2 Same same or cable to it
*EP123-SW Manual switch 33 2 Same Same opens *EP123-02 LF in I Bus 33 2 Same Same *EP124-SW Manual switch 34 2 Same as for I Bus 31 There is no false opens except (7)(8)(9) NA indication that could result in operator isolating an instrument bus
PRIMARY EVENT (PE) - INDUCED HUMAN INTERACTION TABLE SYSTEM: Electric Power PE PE REVIEW STIMULUS AND HUMAN ACTION CAUSING PE DESIGNATOR DESCRIPTOR CATEGORY STIMULUS ACTION OPERATOR RESPONSE TO PE REMARKS EP!24-02 LF at I Bus 34 2 Same Note: I Bus 34 is norwelly supplied EPI-24-CB LOP at man. CB34 2 Same by MCC 368 with (opens) manual transfer swtich 34 capable EP!-i4-06 LF in manual 2 Same of switching supply switch 34, to Inverter 34. In transfer failure addition CB34 to AC Source I transfers from whichever of these EPI 24-08 LF in man. CB 34, 2 Same sources is selected transfer failure by SW34 to McC36C to AC Source 2 which is the back 3 up source used by i EPI 24-15 LF in inve ter 34 2 Same all other I Buses or cable to it
- EPI-AIX LF at XER or 2 36C is the back up False indication of ha CB36C, AC Bus I source to all I Buses, ground f ault on 36C gj Loss of this bus with no might prompt concurrent loss of operator to isolate normal I Sus power only this bus but there requires repair of is adequate f ault, redundant data on bus condition to prevent this error EPI-A2X LF at XER, CB 36B 2 This is normal supply of False indication of AC Bus 2 I Bus 34 on loss of ground f ault might normal power shif t prompt the operator supply to sola trans on to shift to Bus 36C. Inverter 34 can inverter 34 but be manually switched to there is ample power the normal feeder redundant to I bus 34. Reenergize information to and repair f ault prevent this
PRIMARY EVENT (PE) - INDUCED HUMAN INTERACTION TABLE l SYSTEM: Electric Power PE PE REVIEW STIMULUS AND HUMAN ACTION CAUSING PE DESIGNATOR DESCRIPTOR CATEGORY STIMULUS ACTION OPERATOR RESPONSE TO PE REMARKS EPL01-SWF LF in switch 37, 2 Upon loss of lighting Supplies E lignts transfer failure get out flashlights and to fan house & to (E) Source restore either normal or tunnel very emergency light power unlikely operator source. (Not addressed would deenerglie DC in PEP or ONOP.) power panel 32
< buses upon false indication EPL01-SW Switch 31 opens 2 Repair switch The only operator action that would simulate this would be to deenergize
- both DC panel 32 and Itg bus 33 which is highly unlikely LF at distribution 2 Repair panel Same-assuming f ault BJ EPL01-02 panel for fan is downstream of C$
house and tunnel transfer switch EPL01-06 LF at Bus 33 2 Lights transfer to E Possible false source after 10 sec. indication of locate and repair bus 33 ground f ault on bus f aul t 33 would cause operator to isolate bus however ample redundant indica-tion makes this unlikely e i
- - - - - - , = .IL __...-4_ ,.=&. B --**_ _ = 1 atb -. a+ + - 4g- u4-.4 2-A -- -Sh +,- LJ----<-*-.4- - - - -*4 I
PRIMARY EVENT (PE) - INDUCED HUMAN INTERACTION TABLE l SYSTEM: Electric Power PE PE REVIEW STIMULUS AND HUMAN ACTION CAUSING PE DESIGNATOR DESCRIPTOR CATEGORY STIMULUS ACTION OPERATOR RESPONSE TO PE REMARKS i EPL01-10 LF at L XER or CB 2 Loss of normal power to Possible for 33 208/120 vac lighting Bus operator to
- 33. Bus can be cross deenegize 480 Bus tied to Bus 32 auto SA or Itg Bus 33 transfer to de Bus 32 but ample redundant will provide E lighting- infoamtion makes no action required. this unlikely Find and repair fault.
EPL01-11 Breaker (FB3) to 2 This results in loss of Ample redundant EPD 02 opem ~ r3 emergency supply to fan information would on DC Bus 3. house & tunnel emergency prevent operator lights normal supply from isolating DC from L Bus 33 still Bus 32 or opening available no action FB3 required other than repair ha EPL01-12 CRTIE CB-3233 or L 2 Repair only L Bus 33 has two OS
- Bus 32 is not sources of power.
3 available Bus 32 acts as the backup supply. If Bus 32 is not able to supply Bus 33, there will be no effect unless its
, normal source is lost.
a
PRIMARY EVENT (PE) - INDUCEL HUMAN INTERACTION TABLE SYSTEM: Electric Power PE PE REVIEW SilMULUS AND HUMAN ACTION CAUSING PE DESIGNATOR DESCRIPT0R CATEGORY STIMULUS ACTION OPERATOR RESPONSE TO PE REMARKS 4 EPLO2-SWF LF in switch 34 2 No energency lighting Switch 34 supplies transfer failure available darkness in power to E lighting to (B) source PAB. All operations in PAB (nuc. plant) conducted by flashlight transfer failure
& battery operated implies that normal lamps. Implies loss of source has been normal lighting prompted lost. It is shift to E lights which unlikely that an operator would j
were not available, Shift to standby source deenergize dc Bus does not occur due to 34 based upon a SW34 failure single error EPLO2-SW Switch 34 opens 2 With no failure in SW34 supplies all normal lighting no power to emergency action would be required lights in PAB. The I other than repairs operator would have to deenergize both hJ
' L Bus 33 & DC Bus SO
- 32. There is no reason to do this EP LO2-02 LF at distr. panel 2 Repair only-loss of Assumes loss of for nuclear plant emerg. lighting only emergency lighting significant if normal to PAB. Lighting lighting is lost normally supplied by non emergency system which is not affected ELP02-05 Breaker (FB2) to 2 This results in loss of Ample redundant EPD-02 opens emerg, supply to PAB info would prevent emergency lights normal operator from A supply is from lighting isolating DC power Bus 33 & is still source to E available no action lighting required other than
' repair )
. _ _ _ _ _ _ _ _ . _ . . . - - ~ _ . . _ . _ _ . . _ ~ _ . . _ _ . .~.
i I 1 : PRIMARY EVENT (PE) - INDUCED HUMAN INTERACTION TABLE SYSTEM: El ectric Power PE PE REVIEW STIMULUS AND HUMAN ACTION CAUSING PE DESIGNATOR DESCRIPTOR CATEGORY STIMULUS ACTION OPERATOR RESPONSE TO PE REMARKS EPLO3-SWF LF in switch 31, 2 Switch 31 supplies emerg transfer failure lights in conventional i to (E) Source plant otherwise same as i EPLO2-SWF EPLO3-SW Switch 31 opens 2 Same as EPLO2-SW Same as EPLO2-SW for conventional plant lighting i EPLO3-02 LF at distr panel 2 Same as EPLO2-02 for for conventional cnny. plant plant l EPLO3-06 LF of xer. CB. 2 Loss of lighting Bus 31 Ample redundant (120VAC) Bus 31 removes normal power for indications makes .; emergency lighting in incorrect operator j conventional plant. No action unlikely _; action other than repair gg
' na EPLO3-08 LF at Bus 31 2 Same as EPLO3-06 EPLO3-12 Auto switch falls 2 Loss of DC power to E This is transfer lights no action other switch 31-assume than repair that it fails in its normal position EPLO3-15 Breaker (FB2) to 2 Same as EPLO3-12 above DC power to EPD01 opens transfer switch 31 is supplied via this CB j
1 4 i 1
j PRIMARY EVENT (PE) - INDUCED HUMAN INTERACTION TABLE i SYSTEM: Elect ric Power 4 PE PE REVIEW STIMULUS AND HUMAN ACTION CAUSING PE DESCRIPTOR CATEGORY STIMULUS ACTION OPERATOR RESPONSE TO PE REMARKS DESIGNATOR EPLO4-5WF LF in switch 33, 2 Loss of emergency source Switch supplies DC transfer failure to control room power to control to (E) source 4 emergency lights no room emergency action other than repair lights if necessary Switch 33 opens 2 Loss of all power to i EPLO4-5W control room emergency lights no action other j than repair EPLO4-02 LF at distribution 2 Loss of control room panel for control emergency lighting room repair only d EPLO4-06 LF at Bus 32 Loss normal source of emergency lighting power for control room repair i only no tn
'd EPLO4-10 LF of L xer or CB 2 Same 32 EPLO4-12 CRTIE C83233 or 2 Repair only 33 is back up Bus 33 is not source to 32. 32 available and 33 not normally crosstied EPLO4-15 Breaker (FB11) to 2 Loss of DC power to Ample redundnt EPD01 opens control room emergency indication prevents lighting-repair only incorrect opening of FB11
PRIMARY EVENT (PE) - INDUCED HUMAN INTERACTION TABLE SYSTEM: Electric Power PE PE REVIEW STIMULUS AND HUMAN ACTION CAUSING PE DESIGNATOR DESCRIPTOR CATEGORY STIMULUS ACTION OPERATOR RESPONSE TO PE REMARKS EPLO6-06 LF at mer. CB (120VAC) Bus. Distr. Panel 34 EPLO6-08 LF at Bus 33 2 Loss normal source of Ample redundant emerg. lignts in PAB indication prevents (nuclear plant) repair operator fran only needlessly deenergizing Bus 33 EPLO6-12 Switch 34 is 2 Loss of emerg. source of Ample redundant unavailable emerg. lights in PAB indication prevents repair only operator from i needlessly deenergizing DC Bus 32 or opening HFB2 EPLO6-14 Switch 34 opens 2 Loss of all emerg. Ample redundnt
, lighting power to PAB indications repair only prevents operator DO from needlessly 32 deenergizing all sources of power to emerg. light system for PAB SE-EDG31-A 4 SE-EDG32-A 4 SE-EDG33-A 4 SWO34-A 4 SWO35-A 4 SWO36-A 4 TR-LOOP 4 TR-SPSI 4
PRIMARY EVENT (PE) - INDUCED HUMAN INTERACTION TABLE SYSTEM: RCP Seals _ PE PE REVIEW STIMULUS AND HUMAN ACTION CAUSING PE DESIGNATOR DESCRIPTOR CATEGORY STIMULUS ACTION OPERATOR RESPONSE TO PE REMARKS CCGTBE01 Valve 769 or 797 4 fail closed CCG1000-A 4 CVCH08-A 4 IAG01 4 RCE01 Undefined reasons 3 RCE03 Other reasons 3 RCE04 Other reasons 3 RCSIE02 No operator action 5 RCSIE03 Irternal failure 2 Initiate maintenance ha of valve or request O centrol circle RCS!01-A-INT Injection filter 2 Shift to parallel If PIC 189 train failure standby filter (0NOP indicates high RCS-5) filter ap filters would be changed however if seal I flow was not affected filter would not be clogged RCSIO2-A-INT Pipe, valve, flow 2 If plugged-low seal flow Loss of seal flow meter failure slowly return seal flew is verified prior to normal if low bearing to taking action
> 225'F trip & trip RCP (0NOP CC-2) if leak isolute leak and proceed as above (0N0P CVCS-1) 1 l
1 PRIMARY EVENT (PE) - INDUCED HUMAN INTERACTION TABLE SYSTEM: RCP Seals _ PE PE REVIEW STIMULUS AND HUMAN ACTION CAUSING PE DESIGNATOR DESCRIPT0R CATEGORY STIMULUS ACTION OPERATOR RESPONSE TO PE REMARKS 1 RCSIO9-A-INT Motor valve 222 2 Loss of seal return flow fail closed loss of some seal flow loss of excess letdown to VCT seal flow & excess letdown now go to PRT via relief valve 218 no action necessary RCSIl0 Seal return filter 2 Open bypass valve 221A Filter replacement plugged , replace filter take not addressed in action on low seal flow PEP or GNOP if necessary monitor lower bearing temp trip pump if > 225'F I. ONOP CC-2 RCS111-A-INT Seal water HX 2 Tube failure CCW leaks CCW pressure is fails to VCT isolate & bypass higher than seal HX monitor VCT temp line return pressure up return to PRT if excess letdown is no necessary (not addressed in same flow path 00 in PEP or ONOP) plugging U' results in same-bypass HX RCTBE01 Thermal barrier of 3 Trip reactor trip RCP Reverse ap and any pump ruptures prolonged operation with radiation in CCW RCS hot will destroy would indicate that pump seals go to cold this had happened shutdown & repair 0 NOD CC-2 RCTB01-A-INT Valve or pipe fail 2 Upon loss of CCW to RCP Loss of CCW to RCP restore flow within two considering the minutes or trip RX & consequences it is trip pump if motor unlikely that it bearing temp reach 200*F would isolate CCW trip RX & trip pump to RCP ONOP CC-2 1
PRIMARY EVENT (PE) - INDUCED HUMAN INTERACTION TABLE SYSTEM: RCP Seals _ FE PE REVIEW STIMULUS AND HUMAN ACTION CAUSING PE
; DESIGNATOR DESCRIPTOR CATEGORY STIMULUS ACTION OPERATOR RESPONSE TO PE REMARKS 1
RCTB05-A-INT Pipe or valve 731A 2 Plug or FC loss of CCW failure flow to thermal Carrier operation may continue if positive ap i indication of thermal I carrier seal flow exists RCT806-A-INT Flow meter or 2 FCv625 shuts loss of all FCV625 failure CCW flow to RCPs restore within two minutes or i trip RX & trip pumps SIPHASEs Signal of 2 Los of seal water and Operator may containment CCW to RCPs trip RX initiate phase B isolation phase B shutdown RCPs but redundant data makes inadvertant phase 8 by operator unlikely na RCSIO6-A-INT Seal #1 plugged or 2 See RCS102-A-!NT. Indications of high k3 valve, pipe fail- ONOP CC-2 #1 seal bypass seal return flow ure may be used to provide might lead opera-radial bearing cooling tor to isolate fl ow seal - but this would be verified first. 1 1 a l
l I i i FRIMARY EVENT (PE) - INDUCED HUMAN INTERACTION TABLE 1 4 SYSTEM: Station Air PE PE HEv!EW STIMULUS AND HUMAN ACTION CAUSING PE DESIGNATOR DESCRIPT0R CATEGORY STIMULUS ACTION OPERATOR RESPONSE TO PE REMARKS
, EPA 04-T-LSI 4 l
EPA 20-T 4 EPA 26-T 4 SACCSI-A-INT Pump train 31 1 Local discharge Aux operator turns Ensure that pump 32 If other train was out i local fails pressure gage of f punp 31 starts of service, operator
) PI-1263 f ails low NA in ONOP or PEP SOP CC-2 would likely not take this action SACCS2-A-INT Same, train 32 1 Same, PI-1264 Same, pump 32 Same - pump 31 Same SACCS3-A-INT Header plugged 3 Shutdown SA system and open SA-3 to use IP-1 backup supply S0P SA-1 i SACCS4-A-INT HK train 31 local j fails 3 Put HX32 train inservice N 4
50P CC-2 l SACCSS-A-INT Same, train 32 @ j 3 Same, train 31 S ACCS6- A-I NT NOIFF water supply to closed cooling 3 Shutdown closed cooling 50P SA-1 i system pumps system pumps and SA system and open SA-3 to use IP-1 backup supply SACCS7-A-INT N0!FF supply from i CCS HXS header Same i SA01-A-INT Compressor local I fails 1 Local oil pressure Aux operator turns Open SA-3 to use IP-1 } gage fails low off compressor backup 50P SA-1 4 SA02-A-INT Super component 50P SA-1 I SA02 falls 3 Repair SA system (fault downstream of backup
] supply)
._..__.___._m.. _ _ _. . _ _ _ . . _ . _ _ _ _ _ . _ _ _ _ . . _ . . _ _ _ . _ . _ _ _ _ _ . . . . _ - _ _ . _ _ . _ _ _ . _ . . . _ . _ _ .m_ . . _ _. _ _ _. - _ _ . . _ . _ . _ _ . . _ _ . _ _ _ . _ _ _ _ _ . .
l l PRIMARY EVENT (PE) - INDUCED HUMAN INTERACTION TABLE SYSTEM: Station Air j PE PE REVIEW STIMULUS AND HUMAN ACTIJN CAUSING PE i DESIGNATOR DESCRIPT0R CATEGORY STIMULUS ACTION OPERATOR RESPONSE TO PE REMARKS SA03-A-INT IP-1 station air 3 Repair IP-1 backup i backup for IP-3 station air system l station air fails SA04-A-INT Supercomponent 3 Repair SA system (f ault t i SA04 fails downstream of backup) SA07-A-INT Supercomponent 3 Same SA07 fails SWT60A-A 4 SWT60B-A 4 i N 1 CD
- l J
l J 1 i, J. .i .I a r
PRIMARY EVENT (PE) - INDUCED HUMAN INTERACTION TABLE SYSTEM: RWST PE PE REVIEW STIMULUS AND HUMAN CTION CAUSING PE DESIGNATOR DESCRIPT0R CATEGORY STIMULUS ACTION OPERATOR RESPONSE TO PE REMARKS Aux 5TM... Failure of steam 3 No backup-call , supply fran aux maintenance steam system EE-ATL Ambient tempera- 3 NA ture - Low HTG340-T EHT Failure of FP 4 i DP 34 HT0351-LEF Elec. failure of 4 line 155 HT CKTS HT351-T-INT Internal failure 4 of line 155 heat tracing I, RW001-A-INT Internal failure 3 Put reactor in cold ' [j of segment I shutdown as per Tech, c) Spec. RWOO2-A-INT Same, segment 2 2 Same RWOO3-A-!NT Same, segment 3 2 No backup-call maintenance l I
I 1 PRIMARY EVENT (PE) - INDUCED HUMAN INTERACTION TABLE SYSTEM: Condensate Storage Tank PE PE REVIEW STIMULUS AND HUMAN ACTION CAUSING PE DESIGNATOR DESCRIPT0R CATEGORY STIMULUS ACTION OPERATOR RESPONSE TO PE REMARKS I CS001-A-INT Internal failure 3 - Use city water to supply Not addressed in
, of CST AFW procedures - but in 4 System Description.
C S003-A-I NT LCV-1158F0 2 Close LCV-1128 and CR0 would likely i LCV-112BA have NP0 check hotwell sightglass i before taking action l C S004 -A -H Operator fails to 5/3 NA j close LCV-1158 on alarm C5004-A-I NT Failure of 3 Close LCV-1158 flowpath to hotwell C S011A-A-! NT CST alarm failure 3 NA CS011-A-INT CST level switch 2 NA The operator would i LIC-11025 fail probably not be Qj { high aware LIC-11025 had r. f ailed. Operator would likely have NPO check sightglass on
; hotwell before taking action l
C S015-A-I NT Failure of path 3 Use city water to supply Not in procedures - from CST to AFW AFW but in System De-scription. C5020-LL Low hotwell level 3 Open LCV-1158 EE-ATL Low ambient temp 3 NA 1 l l
PRIMARY EVENT (PE) - INDUCED HUMAN INTERACTION TABLE SYSTEM: Condensate Storage Tank j PE PE REVIEW STIHULUS AND HUMAN ACTION CAUSING PE DESIGNATOR DESCRIPT0R CATEGORY STIMULUS ACTION OPERATOR RESPONSE TO PE REMARKS l EE-C5015 No flow in path 2 Start TD AFWP 32 The lack of flow from CST to AFW Not in procedures - but causes the flow in System Description. path to freeze, so, the lack of flow would have resulted from a failure to operate MD pump 31 or 33 HTG320-T 4 i HT341-LEF t 4 HT341-T-INT 4 1 b3 00 hJ t i i 1 i
PRIMARY EVENT (PE) - INDUCED HUMAN INTERACTION TABLE SYSTEM: Transient (TR) PE PE REVIEW STIMULUS AND HJMAN ACTION CAUSING PE DESIGNATOR DESCRIPT0R CATEGORY STIMULUS ACTION OPERATOR RESPONSE TO PE REMARKS CCGRETRN-A 4 CCGTBE01 4 CCG1000-A 4 CD-VAC 4 CR-01-A 4 . CV-LOCH 4 CV-LOLD 4 EPAG12 4 1 EPAG13 4 1 EPA 24-T 4 EPA 25-T 4 @ w EPG01 4 MF-SG31323334 4 PZRITRIP Reactor trip on 3 Reactor trip procedure There is too much PZR fault (PEP-RPC-1) instrumentation on PZR for operator not to know conditions also repsonse would be slow to operator induced transients, leaving time to correct
- - _ . _ - _ . _ - . . - _ _ _ . . .- - _ . - _ . -- . . - - . . . _ - - . _ _ . - . - _._ -- ___ _ __ - -_ , - - . . . . ~ . . . _ _ ---
i PRIMARY EVENT (PE) - INDUCE 0 HUMAN INTERACTION TABLE SYSTEM: Transient (TR) PE PE REVIEW STIMULUS AND HUMtN ACTION CAUSING PE DESIGNATOR DESCRIPTOR CATEGORY STIMULUS ACTION OPERATOR RESPONSE TO PE REMARKS RCPM01-I NT 4 RCPM02 INT 4 RCPM03-INT 4 1 RCPM04-INT 4 SIPHASEB 4 TRET10A Boron dilution 2 Emergency borate in Operator could accidents accordance with respond to faulty PEP-CVCS-3 boron sample, but power and temperature l instruments would point out error I,
! TRETI'G Cold water no 2 Drive rods addition would be a minor u3 POP 2-1 reactivity addition, well within capability of control systems TRET10H Excessive load 2 Runback turbine load increase 50P TG-4 TRET101 Positive 2 Insert rods or borate Category 2 due to reactivity POP 2-1 ' backup indication insertion available TRET100THER Miscellaneous core 2 Insert rods or borate power excursion POP 2-1 TRET11A Closure of all 3 Reactor trip procedure MSIVs (PER-RPC-1) i
. . _ - . -_ . _ . _ _ . _ _ _ _ ___ . _ _ _ _ = . ._ _ _ _ _ _ __ ___ _ _
_ _ _ _ ._ _. . __ _ _ _ . _ _ _ _ _ - _ _ _ . _ _ _ _ _ . _ _ _ _ _ _ _ .m. PRIMARY EVENT (PE) - INDUCED HUMAN INTERACTION TABLE SYSTEM: Transient (TR) 4 PE PE REVIEW STIMULUS AND HUMAN ACTION CAUSING PE DESCPIPTOR CATEGORY STIMULUS ACTION OPERATOR RESPONSE TO PE HEMARKS DESIGNATOR TRET118 Increase in 1 Level recorder Operator increases Reactor trip procedure Requirri " tunnel feedwate - flow in fails as is feed to raise if > 10% power vision" on a single one ste. slightly low level (PEP-RPC-1) level indication generator PEP FW-1 Increase in 2 Same TRET11C feedwater flow in all SGs inrottle valve 3 Same Turbine trip Indian TREil1F closure /EHC Point does not have control problems an EHC system. (loss of stop oil Equivalent f ault in pressure) " loss of stop oil pressure" iRET11G Generator fault 2 Same or generator trip no us un TRET11H Misc turbine gen 3 Same accidents TRET111 Turbine trips 1 Turbine vibration Operator trips Same monitor fails to > turbine 15 MILLS 50P TG-4 i TRET12A Control rod 2 Reactor trip procedure problems (PEP-RPC-1) TRET120 Spurious auto trip 3 Same TRET12E Operator error 5 Same Stimulus can only causing trip be identified if 1 know specific error 4
)
a PRIMARY EVENT (PE) - INDUCED HUMAN INTERACTION TABLE SYSTEM: Transient (TR) PE PE REVIEW Si!MULUS AND HUMAN ACTION CAUSING PE 2 DESIGNATOR DESCRIPTOR CATEGORY STIMULUS ACTION OPERATOR RESPONSE TO PE REMARKS l TRET12F Manwal trip 5/2 Same Redundant trip 4 resulting from indications needed false signal before operator l would trip turbine TRET12G Spurious trip 3 Same
; cause unknown TRET12H Primary system 2 Same pressure, temp, power imbalance ! TRET7A Feedwater break ' 3 Loss of feedwater procedure (PEP-FW-1)
TRET70 FW flow 5 Same instability operator h3 UD TRET7E Same mechanical Ch 3 Same TRET7H Otner secondary 3 Same leatage TRET8A Trip of one MSIV 2 Reactor trip procedure (PEP-RPC-1) TRET88 Trip of 2 or 3 2 Same MSIVs TRET8C Partial closure of 2 Same 4 1 or more MSIVs i TRET80 Losses of steam 2 Same flow other than MSIV trip
)
k T
- _ .- -. ~ . . . _ - - . . _ ~ . - - _ . . _ _ . ..- - - .. . - . . - . _ . - - - - . . - - . _ - . . _- -._. _. _ . . . .
) PRIMARY EVENT (PE) - INDUCED HUMAN INTERACTION TABLE I SYSTEM: Transient (TR) PE PE REVIEW STIMULUS AND HUMAN ACTION CAUSING PE DESIGNATOR DESCRIPTOR CATEGORY STIM'JLUS ACTION CPERATOR RESPONSE TO PE REMARKS i THET98-F Losses of coolant 2 Reactor trip procedure Procedure calls for flow other tnan (PEP-RCP-1) tripping reactor CCW before tripping Pump l i i TR-LOOP Loss of power to 3 Same emote possibility i necessary plant of operator
, systems securing power to !
i necessary equipment ! ] TR-SPSI Spurious safety 2 Same Parameters that
- injeciton initiate SI have i
redundant j indications 4 l N e l N 1 i 4 i 1 e i i
i 298 I APPENDIX E COMPUTER COST ACCOUNTING E.1 ALLOCATION OF PROJECT EFFORT L The following breakdown reflects the particular emphases of this project,
! and is not offered as a model. In particular, the emphasis on functional coupling reflects the particular methodological emphasis of this project.
Percentages quoted correspond to fractions of the total budget. Functionally coupled interactions 74% Spatially coupled interactions 7% 1 1 Induced-human coupling 9% Integration of results, ranking of discovered 8% { interactions, preparation of draft final i The balance of effort has been allocated to issuance of a final report. E.2 COMPUTER COSTS 1 This appendix is a comment on the computing costs incurred in this pro-ject. It has been suggested that fault tree codes are not particularly effi-1 cient in SI studies seeking only low-order cutsets, and that alternative j algorithms might offer advantages in situations where only single-element and l two-element cutsets are desired. The point to be made here is that obtaining low-order cutsets need not be particularly expensive using a fault tree code either. Table E.1 compares costs of obtaining cutsets to second order with costs of obtaining cutsets to fourtn order (third order in one case). The column labeled "CCUs" gives the cost. of obtaining minimal cutsets for the indicated top event. One CCU (computer charge unit) corresponds to approximatly $1.60. 1 l 1 i
299 The column labeled " level" indicates whether cutsets were obtained in terms of primary events (in which case the label is "S" for "s egment level") or in terms of " Independent Subtrees" (IST). In the latter case, the actual number of cutsets is much greater than indicated, because a typical " event" appearing in the cutsets may actually be a logical sum of several primary events. One sees that running sequences out to two-element cutsets costs typical-ly a few dozen CCUs or less. Running them out to fourth order costs substan-tially more. The second-order calculation is hardly prohibitive. These costs are not a measure of the computer budget. In this project, computer costs have been dominated by permanent file storage. 1
300 Table E.1 Computer Cost (CCUs) 4th order 2nd order System or Number of Number of Sequence CCUs Cutsets Level ** CCUs Cutsets Level Tr 68.7 647 IST. 38.6 753 S. 1921 S. AFWS (LOCA) 274.6 25391 S. 26.2 54 S. 5144 IST. AFWS (Tr.) 839.6 5577 IST. 41.1 292 S. RCP 569.1* 8125* S. 13.8 285 S. PZLOCA 35.5 3027 S. 10.7 90 S. LPI 58.6 1798 IST. 23.7 187 S. HPI (S) 134.1 15513 S. 15.1 154 S. HPI (M) 47.2 5784 S. 13.8 338 S. Tr-L 73.3 8431 IST. 6 684 S. RCP-L -- 1.9 84 S. RCP-U -- 2.3 250 S. PZ-L 6.3 2775 S. 1.9 5 S. PZ-U 25 12604 S. 2.0 90 S. l
*For this event, cutsets were obtained only to third order. **IST denotes results obtained in terms of Independent Subtrees (ISTs);
S denotes results obtained at the segment level. An IST corresponds to a Boolean expression whose elements are logically independent of the rest of l the problem. ' I
301 APPENDIX F SPATIAL ZONES AFFECTING MAJOR COMPONENTS Main Feedwater System Fire Zone Component ID and MCC 31 1 Event Name 17A 39A 41A 54A 55A L0 FCV 417 X* MF-2A-LF FCV 427 MF-2B-LF X* FCV 437 y, MF-2C-LF FCV 447 y, MF-2D-LF BFD SA MF-2A-LF X BFD 5B MF-2B-LF X BFD SC y MF-2C-LF BFD SD MF-2D-LF X MF Pump 31 X* MF-61-LF MOV BFD 2-31 X MF-61-LF MF Pump 32 MF-62-LF X* MOV BFD 2-32 X MF-62-LF Circ. Pump 31 CR031-LF X* i Circ. Pump 32 y, CR032-LF Circ. Pump 33 CR033-LF X*
- Denotes location of the component.
302 Main Feedwater System (Continued) Fire Zone Component ID and MCC 3f1 39A 41A 54A 55A LO Event Name 17A Circ. Pump 34 X* i CR034-LF
- Circ. Pump 35 X*
CR035-LF d Circ. Pump 36 y, CR036-LF Cond. Pump 31 X* CD-PP31-LF Cond. Pump 32 X* CD-PP32-LF Cond. Pump 33 X* CD-PP32-LF
303 High Pressure Injection Fire Zone Component ID and FULZ-Event Name 9 10A 11 12A 14 15 17A 59A 60A 1 SI Pump 31 X* X X X X HP002-A-INT SI Pump 32 X* X X X X HP003-A-INT SI Pump 33 X* X X X X X HP 001-A-INT M0V 1852A X* HP007A-A-INT MOV 1852B X* HP0078-A-INT MOV 1835A X* HP007 C- A-INT ! MOV 18358 X* HP007 D-A-INT BIT Heater 31 HP007-HTR31-INT X* BIT Heater 32 HP007-HTR32-INT X* MOV 843 X HP011A-A-INT M0V 842 X i HP011A-A-INT l M0V 856J X HP013-A-INT MOV 856H X HP014-A-INT MOV 856C X HP016-A-INT M0V 856E HP018-A-INT X' Vj
304 High Pressure Injection (Continued) Fire Zone Component ID and FULZ-Event Name 9 10A 11 12A 14 15 17A 59A 60A 1 M0V 887A X HP03A-A-INT M0V 884B X HP03A-A-INT i l _e - - - , - - - . - - - - e - - +
305 Low Pressure Injection Fire Zone Component ID and 60A 69A 3 4 4A 7A 9A 11 12A 14 15 17A Event Name RHR Pump 31 X X X X X X* X X LP04A-A X* X X X X X X X X X 48 A M0V 899B X LP09A-A MOV 747 X LP09A-A MOV "R X LP09;.-s MOV 899A X LP09B-A MOV 746 X LP09B-A MOV 640 X LP09B-A M0V 1869A X LP008-A MOV 1869B X LP008-A MOV 889A X LP14B-E MOV 889B X LP14A-E MOV 745A X LP006-A MOV 745B X LP006-A i' MOV 885A X LP015-E MOV 885B X LP015-E
l 306 Auxiliary Feedwater System Fire Zone Component ID and Event Name 7A 11 14 15 23 52A 57A 60A 73A 74A AFW Pump 31 X X X X X* X AF010-A-INT AFW Pump 32 AF011-A-INT X X X X* X X AFW Pump 33 AF009-A-INT X X X X* X X PCV 1134 X X X X* X X X X AF032-A-INT PCV 1135 X X* X X X X X AF030-A-INT PCV 1136 X X X* X X X X X AF026-A-INT PCV 1137 X X X* X X X X X AF028-A-INT i FCV 406A X* AF015-B-INT FCV 406B X* AF014-B-INT FCV 406C X* AF012-B-INT FCV 406D X* AF013-B-INT PCV 1187 X* AF006-A-INT PCV 1188 X* AF008-A-INT PCV 1189 X* AF004-A-INT
. 1 307 l t Component Cooling Water System Fire Zone ! Component ID and Event Name 1 4A 7A 11 12A 14 15 58A 60A CCW Pump 31 . X. X X A X X X X CC001-A-INT l CCW Pump 32 X* X X X X X
- CC002-A-INT
?.
! CCW Pump 33 X* X X X X X X i
CC003-A-INT 4 i i
308 Service Water System Fire Zone Component ID and Event Name 11 14 15 22 SW Pump 31 X X* X X SWC3-A-INT SW Pump 32 X* X X X SWC2-A-INT SW Pump 33 X* X X X SWCl-A-INT SW Pump 34 X* X X X SWN3-A-INT SW Pump 35 X X X X* SWN2-A-INT SW Pump 36 X X X X* i SWN1-A-INT l i I l
309 Instrument Air System Fire Zone Component ID and Event Name 14 Compressor 31 X* IA01A-A Compressor 32 y. IA01B-A Cooling Water Pump 31 X* IACIA-A Cooling Water Pump 32 X* IAC18-A l l i i
1 310 l Station Air System Fire Zone Component ID and Event Name 19 38A St. Air Compressor y, SA01-A-INT Closed Clg Water Pump 31 X* SACCSI-A-INT Closed Clg Water Pump 32 X* SACCS2-A-INT
~
i 1 1 l
311 RCP Seals Fire Zone Component ID and Event Names 17A 59A 70A 71A ADV 261A y, RCSIE03 A0V 261B X* RCSIE03 A0V 261C X* RCSIE03 a A0V 261D y, RCSIE03 MOV 769 X CCGTBE01 t MOV 797 y CCGTBE01 RIC 625 X* RCTB06-A-INT MOV 789 X RCTB06-A-INT RCV 625 X RCTB06-A-INT MOV 222 RCSIO9-A-INT l
312 Chemical and Volume Control System Fire Zone Component ID and Event Name 1 2A 3A 4A 5 6 7 7A 8 11 12A Charging Pump 31 X X* X RCV01-A-INT Charging Pump 32 X* X X X X RCV02-A-INT Charging Pump 33 X X X X* X RCV03-A-INT LCV 112B X* CVCHE04 LT 112 CVCHE01 Valve 374 CVCH07-A-INT RCV 142 CVCH07-A-INT FCV 110B CVCH11-A-INT FCV 111A CVCH16-A-INT BA Transfer Pump 31 X* CVCH18-A-INT BA Tk 31 Heater X* CVCH20-A-INT LCV 112C CVCH09-A-INT l
313 l Chemical and Volume Control System
- Fire Zone Component ID and 15 17A 19A 27A 30A 31A 58A 59A 60A 68A i Event Name 14 i
Charging Pump 31 X X X X X RCV01-A-INT i Charging Pump 32 X X X X X RCV02-A-INT Charging Pump 33 X X X X X ,- RCV03-A-INT I LCV 112B CVCHE04 LT 112 y CVCHE01 , Valve 374 y, j CVCH07-A-INT I RCV 142 y, j CVCH07-A-INT FCV 110B X* CVCH11-A-INT i FCV 111A X* CVCH16-A-INT j BA Transfer j Pump 31
- CVCH18-A-INT I
BA Tk 31 Heater CVCH20-A-INT I 1 LCV 112C X* CVCH09-A-INT ] 4 i 11 1 4 i l 1 i .
. __ _ ,.. , _ , _ ,, - ,, ......_ . ~. _ , _ . _ ,- , , _ , c,_- m.
314 Chemical and Volume Control System Fire Zone Component ID and Event Name 17A 59A 71A 87A A0V 213A X* CVL10-A-INT ! A0V 2138 X* CVL10-A-INT MOV 222 X RCSIO9-A-INT A0V 201 y, CVLO4-A-INT A0V 202 X* CVLO4-A-INT A0V 200A X* CVLO3-A-INT A0V 200B X* CVLO3-A-INT A0V 200C X* CVLO3-A-INT LCV 459 y, CVL01-A-INT
, LCV 460 y, CVL01-A-INT LT 460 y, LT 460-A LT 461 LT 461-A X* ! HCV 123 y, CVL12-A-INT i
I l .,
315 Pressurizer Fire Zone l Component ID and Event Name 7A 11 60A 70A 71A 73A 75A 78A 86A 87A i LT 460 X* l LT 460-LF LT 461 X*
- LT 461-LF PT 455 X*
PT 455-LF 4 PT 456 X* PT 456-LF PT 457 X* PT 457-LF PT 474 X* PT 474-LF MOV 535 X* PZ 335-INT i MOV 536 X* PZ 336-INT 4 i Przr. Htrs X* l PZ 501-A ! PCV 455C X X X X X X X X X* PZ 301-A l PCV 456 X X X X X X X X X* PZ 351-A 1 l
316 i Sequencer Fire Zone Component ID and Event Name 14 15 39A SI Cabinets X* (SI Relays) 480V Busses (480V motor X* Control Relays) Relay 63X1-BFP1 y, SE-63X1-BFP1-S Relay 63XI-BFP2 X* SE-63X1-BFP2-S t 1 i
317 Refueling Water Storage Tank Fire Zone Component ID and Event Name 17A MOV 885A X LP015-E MOV 885B X LP015-E I l
- -= - _-
318 l l Transient i Fire Zone Component ID and Event Name 17A , MOV 784 X CCGRETRN-A MOV 786 X CCGRETRN-A l I l I
]
I 5 4 l l l l l
l 319 Electric Power System Fire Zone Component ID and Event Name 37A Brkr 52/ST5 X* EPA 02 Brkr 52/UT1 X* EPA 58 Brkr 52/UT2 X* EPA 51 . Brkr 52/UT3 X* EPA 54 Brkr 52/UT4 X* EPA 60 Brkr 52/ST6 X* EPA 09 Tie Breaker 52/UT1-STS X* EPA 59 Tie Breaker 52/UT2-ST5 X* EPA 53 Tie Breaker 52/UT3-ST6 X* EPA 56 Tie Breaker 52/UT4-ST6 X* EPA 61 6.9 KV Bus 1 I 7 EPA 24 6.9 KV Bus 2 X* EPA 52 6.9 KV Bus 3 X* EPA 55 6.9 KV Bus 5 X* EPA 02 l l 1 1
320 Electric Power Fire Zone Component ID and Event Name 14 37A 6.9 KV Bus 4 X* EPA 25 6.9 KV Bus 6 x, EPA 09 Brkr 52/SS5 X* EPA 03 Brkr 52/SS2 X* EPA 06 Brkr 52/SS3 X* EPA 13 Brkr 52/SS6 X* EPA 10 St. Serv. Xfner 5 X* EPA 03 i St. Serv. Xfmer 2 X* i EPA 06 St. Serv. Xfmer 3 X* EPA 13 St. Serv. Xfmer 6 EPA 10 X* Brkr 52/5A X* EPA 03 Brkr 52/2A EPA 06 X* Brkr 52/3A EPA 13 X* Brkr 52/6A EPA 14 X* I
i 321
. Electric Power Fire Zone Component ID and Event Name 10 14 101A 102A 480V Bus 5A X*
EPA 04 480V Bus 2A X* EPA 07 480V Bus 3A X* 4 EPA 14 480V Bus 6A X* EPA 11 Tie Breaker 52/2AT5A X* EPA 15 Tie Breaker 52/2AT3A x* EPA 16 Tie Breaker 52/3AT6A )*
! EPA 17 3 DG Breaker 52/EG3 X' EPA 05 DG Breaker j
52/EG1 X* EPAn8 DG Breaker 52/EG2 X* EPA 12 DG 33 X* EPA 05
; DG 31 X* 1 EPA 08 ,
i DG 32 X* ; EPA 12 l i
322 Electric Power Fire Zone Component ID and ZNEAR 14 17A 38A 39A 40A 42A 37A 55A Event Name 11 MCC 39 y, EPA 18 MCC 36A X* EPA 22 MCC 38 X* EPA 30 MCC 36C X* EPA 19 MCC 34 X* EPA 27 MCC 33 X* EPA 26 MCC 31 X* EPA 29 MCC 32 X* EPA 20 MCC 35 X* EPA 28 MCC 36B X* EPA 23 MCC 37 X* EPA 21
323 i Electric Power Fire Zone Component ID and ZNEAR Event Name 10 11 12 13 14 55A Batt. Chg. 31 X* EPD21 Batt. Chg. 32 X* EPD22 Batt. Chg. 33 X* 4 EPD23 Batt. Chg. 34 X* EPD24 Batt. 31 X* EPD11 Batt. 32 y, EPD12
- Batt. 33 X*
EPD13 Batt. 34 X* EPD14 125V DC Pwr. Pnl. 31 X* 1 EPD01 ! 125V DC Pwr. Pnl. 32 X* EPD02 125V DC Pwr. ! Pnl. 33 X* EPD03 i 125V DC Pwr. Pnl. 34 X* FPD04 125V DC Pnl. 31/32 Tie Brkr X* EPD3132. i I
v 324 Electric Power Fire Zone Component ID and Event Name 11 15 66A 12SV DC Dist Pnl. 31 X* EPD01-31 125V DC Dist Pnl . 33 X* EPD01-33 125V DC Dist Pnl. 32 X* EPD02-32 125V DC Dist Pnl 34 X* EPD02-34 Inverter 31 X* EPI 01 Inverter 32 X* EPIO2 Inverter 33 X* EPIO3 Inverter 34 x, EPIO4 118V AC Inst. Bus 31 X* EPI 21 118V AC Inst. Bus 32 X* EPI 22 11ov AL inst. Bus 33 X* EPI 23 118V AC Inst. Bus 34 X* EPI 24 Unit Aux Xfmer X* EPA 57
NRC FOKM 135 U $ NUCLEAR REQUL ATORY COMMISSION 1 HEPORY NUMhE R , Ass faed ey rIDC add Ver N@ , af 88'F, O',"37 BIBLIOGRAPHIC DATA SHEET NUREG/CR-4207 BNL-NUREG-51872 SEE INSTRUCYlONS ON Tw6 REVERSE 2 TIT Ls AND SUSTITLE 3 LE AVE BL ANK Fault Tree Application to the Study of Systems Interactions at Indian Point 3 , . oarE REPORT COM,a1EO
, EAR \ j MON 1- l . Avi OR.s, x Match 1985 R. Youngblood N. Hanan, R. Fitzpatrick, D. Xue, / . oati aEPOar issuto G.Bozoki,AhFresco,I.Papazoglou/BNL; oN l "^a S. Mitra, G. MacDonald/IC; T. Mazour/A&T / anua*ry'-
J 1986 7 PE R6 0RMiNG ora ANIZ At ION N Alf E AND MA*UNG ADDRE SS #swway le Coa.* 8 PROJEC T.Y A$R vtrOR A UNe f NvMet R Laboratory, Upton, NY 11973 BrookhavenNationa(g
, Subcontractors: * "N Oa ca A~" uMa a j Impell Corporation \ Analysis & Technology, Inc.
225. Broad Hollow Rd \ Technology Park, P.O. Box 0 Melville, NY 11747 % North Stonington, CT 063 % A3725
- ,o sponsor,Na ora Au Ar 0% N.ME ANo Um,N. Am.,E ss ,, <, c-., ,,,r.,EO.RE.ORr Division of M ty Technology .
Office of Nuclear Reactor Regulation Technical
! U.S. Nuclear Regulatory Commission *"*"'*"3""' " - ~ ~ * '
Washington, DC 20555 -
] 'h ,2 SUP'LEME NT AR v NOT t5 Pertains to Docket No. 50-286 This report describes an applicat' h.of fault tree methods to search for systems interactions at Indian Point 3. This. ro3ectwascarriedoutinsupportoftheresolu-tion of Unresolved Safety Issue A-17 on Systems Interaction. Here, the methods are introduced, the findings are presentled, and c^omments on the methods are offered.
, Findingsarepresentedinthefollowingmanner. Systems interactions which may qualitatively violate regulatory requirements (re.gardless of their probability) are discussed; additionally, a probabijistically ranked list of system interactions is provided. / . This study resulted in the discovery of a previously undetected active single j failure causing loss of low pres 4ure injection. After verifying this finding, the licensee took immediate corrective actions, including a design modification to the switching logic for one of the[ safety buses, as well as\ procedural changes.
\
u l
\
14 DOCUME NT AN AL v5'S - . K E YWORDS DESCR PTOR$ IS AV AILA86 Lei v Indian Point 3 Fault Tree Single Failure Cr'.terion Unlimited Multiple Failures e sicuaavcLassmc*T.ON
, r. . ,
b #CENTiFIER$'OPEN ENOED TERV$ \ UDClassified
\ ,r..,.,,,
a U S GOVERNMENT PRINTING OFFICE. 1986 - 499-489 REGION NO 8 17 NUMOER OF PAGE5 18 PMiCE 7
. _ _ ~ - _ - - + ~ ~ - - - - - - ^--J-_^- wo----.-~~~-. . . __ __
UNITED STATES sncut nunn. ctAss mare l l NUCLEAR REGULATORY COMMISSION *T^$4l[ES '^'D WASHINGTON, D.C. 20666 ga,sp,og;,, OFFICIAL BUSINESS PENALTY FOR PRIVATE USE, $300 120555078877 -1 1Ah US NRC ) ADM-DIV 0F TIDC POLICY & PUB MGT BR-PDR NUREG W-501 WASHINGTON DC 20555 l 1
)
l
..me be -* :. L .
I
- a. . -
i U}}