ML20085N670

Non-Proprietary Probabilistic Risk Analysis of RPS & ESFAS Test Times & Completion Times
Site: Ginna
Issue date: 05/31/1995
From: Andrachek J, Andre G, Haessler R (WESTINGHOUSE ELECTRIC COMPANY, DIV OF CBS CORP.)
Shared Package: ML17263B094
References: WCAP-14334-NP, NUDOCS 9506300278



9506300278 950620 PDR ADOCK 05000244

Westinghouse Non-Proprietary Class 3

WCAP-14334-NP

PROBABILISTIC RISK ANALYSIS OF THE RPS AND ESFAS TEST TIMES AND COMPLETION TIMES

May 1995

J.D. Andrachek
G.R. Andre
R.L. Haessler
R.C. Howard

Westinghouse Electric Corporation
Nuclear Technology Division
P.O. Box 355
Pittsburgh, PA 15230-0355

© 1995 Westinghouse Electric Corporation
All Rights Reserved

m:\2099w.wpf:1d-060595

LEGAL NOTICE

"This report was prepared by Westinghouse as an account of work sponsored by the Westinghouse Owners Group (WOG). Neither the WOG, any member of the WOG, Westinghouse, nor any person acting on behalf of any of them:

(A) Makes any warranty or representation whatsoever, express or implied, (I) with respect to the use of any information, apparatus, method, process, or similar item disclosed in this report, including merchantability and fitness for a particular purpose, (II) that such use does not infringe on or interfere with privately owned rights, including any party's intellectual property, or (III) that this report is suitable to any particular user's circumstance; or

(B) Assumes responsibility for any damages or other liability whatsoever (including any consequential damages, even if the WOG or any WOG representative has been advised of the possibility of such damages) resulting from any selection or use of this report or any information apparatus, method, process, or similar item disclosed in this report."

FOREWORD

This document contains Westinghouse Electric Corporation proprietary information and data which has been identified by brackets. Coding associated with the brackets sets forth the basis on which the information is considered proprietary. These codes are listed with their meanings in WCAP-7211.

The proprietary information and data contained in this report were obtained at considerable Westinghouse expense and its release could seriously affect our competitive position. This information is to be withheld from public disclosure in accordance with the Rules of Practice 10 CFR 2.790 and the information presented herein be safeguarded in accordance with 10 CFR 2.903. Withholding of this information does not adversely affect the public interest.

This information has been provided for your internal use only and should not be released to persons or organizations outside the Directorate of Regulation and the ACRS without the express written approval of Westinghouse Electric Corporation. Should it become necessary to release this information to such persons as part of the review procedure, please contact Westinghouse Electric Corporation, which will make the necessary arrangements required to protect the Corporation's proprietary interests.

The proprietary information is contained in the classified version of this report (WCAP-14333-P).

ABSTRACT

The objective of this program is to provide the justification for the following changes to the Technical Specifications for the reactor protection system (RPS) instrumentation and engineered safety features actuation system (ESFAS) instrumentation:

1. Increase the bypass times for testing and the allowed outage times (AOT), or completion times.
2. Change the action for an inoperable slave relay to "following expiration of the slave relay allowed outage time, the component affected by the inoperable slave should be declared inoperable and the Technical Specification action for this component should be followed."

Application of this is limited as discussed in the report.

In addition, the program provides the justification for completing channel calibration activities at-power.

These improvements will allow additional time to perform maintenance and test activities, enhance safety, provide additional operational flexibility, and reduce the number of forced outages related to compliance with the RPS and ESFAS instrumentation Technical Specifications. Industry information has shown that a significant number of trips that have occurred are related to instrumentation test and maintenance activities, indicating that these activities should be completed with caution and sufficient time should be available to complete these activities in an orderly and effective manner.

TABLE OF CONTENTS

1.0 Introduction
2.0 Background Information
    2.1 RPS and ESFAS Design
    2.2 Test and Maintenance Activities
3.0 NRC Meeting
4.0 Plant Survey
5.0 Technical Specification Changes to be Evaluated
    5.1 Test Frequencies and Durations
    5.2 Maintenance Frequencies and Durations
6.0 Representative RPS and ESFAS Signals
    6.1 Representative Engineered Safety Features Actuation Signals
    6.2 Representative Reactor Trip Actuation Signals
7.0 RPS and ESFAS Signal Unavailability Analysis
    7.1 Unavailability Analysis Approach
    7.2 Assumptions
        7.2.1 Analog Channels
        7.2.2 Solid State Protection System
        7.2.3 Relay Protection System
    7.3 Fault Tree Models
    7.4 Results of the Signal Unavailability Analysis
    7.5 Technical Specification Changes for Slave Relays
8.0 Risk Analysis
    8.1 Risk Analysis Approach
    8.2 Event Reactor Trip and Engineered Safety Features Actuation Signals
    8.3 Results of the Risk Analysis
    8.4 Risk Associated with a Plant Shutdown
9.0 Program Benefits
10.0 Conclusions
11.0 Implementation of the Proposed Technical Specification Changes
12.0 References

Appendix A: Proposed Changes to the Standard Technical Specifications (NUREG-1431, NUREG-0452)
Appendix B: No Significant Hazards Evaluation
Appendix C: Plant Survey
Appendix D: Fault Tree Diagrams
Appendix E: Event Sequence Quantification Results

LIST OF TABLES

Table 4.1: Survey Summary
Table 4.2: Survey Summary - Analog Channels
Table 4.3: Survey Summary - Logic Cabinets
Table 4.4: Survey Summary - Reactor Trips
Table 4.5: Survey Summary - Shutdowns and Discretionary Enforcements
Table 4.6: Survey Summary - Miscellaneous
Table 5.1: Summary of AOTs and STIs for the RPS and ESFAS (Solid State Protection System)
Table 5.2: Summary of AOTs and STIs for the RPS and ESFAS (Relay Protection System)
Table 6.1: Summary of Signals Being Considered
Table 7.1: Summary of Safety Injection and Auxiliary Feedwater Pump Start Signal Unavailabilities - Solid State Protection System
Table 7.2: Summary of Safety Injection and Auxiliary Feedwater Pump Start Signal Unavailabilities - Relay Protection System
Table 7.3: Summary of Reactor Trip Signal Unavailabilities - Solid State Protection System
Table 7.4: Summary of Reactor Trip Signal Unavailabilities - Relay Protection System
Table 7.5: Breakdown of Signal Unavailability Contributors - SSPS Safety Injection: Pressurizer Pressure Low (2/4) Interlocked with P-11
Table 7.6: Breakdown of Signal Unavailability Contributors - SSPS Safety Injection: Pressurizer Pressure Low (2/4) Interlocked with P-11 with Operator Action
Table 7.7: Breakdown of Signal Unavailability Contributors - SSPS Auxiliary Feedwater Pump Start: Steam Generator Level Low-Low in One Loop (2/4)
Table 7.8: Breakdown of Signal Unavailability Contributors - SSPS Reactor Trip: Pressurizer Pressure High (2/4)
Table 7.9: Breakdown of Signal Unavailability Contributors - SSPS Reactor Trip: Pressurizer Pressure High (2/4) with Operator Action
Table 7.10: Breakdown of Signal Unavailability Contributors - SSPS Reactor Trip: Pressurizer Pressure High (2/3) or Overtemperature delta T (2/4)
Table 7.11: Breakdown of Signal Unavailability Contributors - SSPS Reactor Trip: Pressurizer Pressure High (2/3) or Overtemperature delta T (2/4) with Operator Action
Table 7.12: Dominant Cutsets for Signal Failure, Proposed Case - SSPS Safety Injection: Pressurizer Pressure Low (2/4) Interlocked with P-11
Table 7.13: Dominant Cutsets for Signal Failure, Proposed Case - SSPS Auxiliary FW Pump Start: Steam Generator Level Low-Low in One Loop (2/4)
Table 7.14: Dominant Cutsets for Signal Failure, Proposed Case - SSPS Reactor Trip: Pressurizer Pressure High (2/4)
Table 7.15: Descriptions of Basic Event Identifiers Listed in Tables 7.12 to 7.14
Table 8.1: Sources of Reactor Trip Actuation Signals
Table 8.2: Sources of Engineered Safety Features Actuation Signals
Table 8.3: Summary of Human Error Probabilities for Operator Actions Backing Up Actuation Signals
Table 8.4: Summary of Results by Core Damage Frequency
Table 8.5: System (Top Event) Importance Summary: SSPS with 2 of 4 Logic
Table 8.6: System (Top Event) Importance Summary: SSPS with 2 of 3 Logic

LIST OF FIGURES

Figure 2.1: Simplified Diagram of the Reactor Protection System

ACRONYMS

AC - Alternating Current
AFW - Auxiliary Feedwater
AFWPS - Auxiliary Feedwater Pump Start
AMSAC - ATWS Mitigating System Actuation Circuitry
AOT - Allowed Outage Time
ATWS - Anticipated Transient Without Scram
CCF - Common Cause Failure
CDF - Core Damage Frequency
ESF - Engineered Safety Features
ESFAS - Engineered Safety Features Actuation System
FW - Feedwater
HEP - Human Error Probability
HVAC - Heating, Ventilation, and Air Conditioning
IPE - Individual Plant Examination
LOCA - Loss of Coolant Accident
MGL - Multiple Greek Letter
NA - Not Applicable or Not Available (as noted in text)
NAR - Not Applicable Response
NEAP - Not Evaluated At-Power
NR - No Response
NRC - Nuclear Regulatory Commission
OA - Operator Action
PRA - Probabilistic Risk Analysis
PORV - Power Operated Relief Valves
RPS - Reactor Protection System
RT - Reactor Trip
SI - Safety Injection
SSPS - Solid State Protection System
STI - Surveillance Test Interval
TOP - Technical Specification Optimization Program
TS - Technical Specification
V - Volts
VDC - Volts Direct Current
VEGP - Vogtle Electric Generating Plant
WOG - Westinghouse Owners Group

1.0 INTRODUCTION

The objective of this program is to provide the justification for the following changes to the Technical Specifications for the reactor protection system (RPS) instrumentation and engineered safety features actuation system (ESFAS) instrumentation:

1. Increase the bypass times for testing and the allowed outage times (AOT), or completion times.

2. Change the action for an inoperable slave relay to "following expiration of the slave relay allowed outage time, the component affected by the inoperable slave should be declared inoperable and the Technical Specification action for this component should be followed."

Application of this is limited as discussed in Sections 7.5 and 11.

In addition, the program provides the justification for completing channel calibration activities at-power.

These improvements will allow additional time to perform maintenance and test activities, enhance safety, provide additional operational flexibility, and reduce the potential for forced outages related to compliance with the RPS and ESFAS instrumentation Technical Specifications. Industry information has shown that a significant number of trips that have occurred are related to instrumentation test and maintenance activities, indicating that these activities should be completed with caution and sufficient time should be available to complete these activities in an orderly and effective manner.

The Westinghouse Owners Group Technical Specification Optimization Program (WOG TOP) evaluated changes to surveillance test intervals and allowed outage times for the analog channels, logic cabinets, master and slave relays, and reactor trip breakers (References 1, 2, 3). The NRC approved increasing the surveillance test intervals (STI), bypass test times, and AOTs for the analog channels, as well as the AOTs for the logic cabinets, master relays, and slave relays. A probabilistic risk assessment approach was used in these analyses which included assessing the impact of the changes on signal availability and plant safety. The justification for the acceptability of the changes was the small impact the changes had on plant safety. It was also demonstrated that increasing the surveillance test intervals for the analog channels leads to a decrease in inadvertent reactor trips since fewer test activities will be performed with a channel in trip. This provides a safety benefit.

The approach used in this program and presented in this WCAP is consistent with the approach established by WOG TOP. This includes the fault tree models, signals, component reliability database, and most of the test and maintenance assumptions. Several changes in modeling were implemented to enhance the approach or to remove unnecessary conservatisms, such as the common cause modeling approach for analog channels and the frequency of maintenance activities. The plant specific model used for the risk analysis was also changed. The WOG TOP work used the Indian Point Unit 2 and the Millstone Unit 3 models that were available in the early 80's. This current work uses a plant specific PRA model that was recently completed to meet the Individual Plant Examination requirement (Generic Letter 88-20, "Individual Plant Examination for Severe Accident Vulnerabilities"). All of these changes are discussed in more detail in the following sections.

Important to understanding the analysis and approach is a basic understanding of the RPS and ESFAS designs, and also the performance of test and maintenance activities on these systems. This information is provided in Section 2.

The program was initiated by a meeting with the NRC to discuss the approach and to identify information the NRC would require in a submittal. This is discussed in Section 3. A survey was provided to all WOG members to determine their needs with respect to instrumentation test times, maintenance times, and maintenance frequencies, in addition to information regarding plant operation, such as, reactor trip and spurious safety injection events. This is discussed in Section 4. From this information the Technical Specification changes that were evaluated were identified as discussed in Section 5. Sections 6 through 8 provide the probabilistic risk analysis. The benefits of the program and conclusions are discussed in Sections 9 and 10, respectively. Section 11 provides the recommended Technical Specification changes along with an explanation of the connection between the Technical Specification changes and the analysis. Appendix A provides the proposed changes to the Standard Technical Specifications for Westinghouse Plants (NUREG-1431 and NUREG-0452) and Appendix B provides the "No Significant Hazards Evaluation". The remaining appendices contain supporting information.


2.0 BACKGROUND INFORMATION

The purpose of this section is to provide the background information necessary to understand the basis for the analysis. Additional information is provided in References 1 and 3.

2.1 RPS and ESFAS DESIGN

The typical reactor protection system circuit consists of analog channels, combinational logic units, and trip breakers. The typical engineered safety features actuation system circuit consists of analog channels, combinational logic, and actuation relays. The analog channels, part of the process instrumentation system, provide signals to each of two logic cabinets which in turn provide signals to their respective reactor trip breakers and the actuation relays.

The actuation relays consist of master and slave relays, with the master relays being controlled by the logic cabinet and the slave relays being controlled by the master relays. The slave relays actuate the required equipment. Figure 2.1 shows a simplified diagram of the overall reactor protection system.

Any particular protective feature, such as safety injection on pressurizer pressure low, will have either 2, 3, or 4 separate analog channels with each providing input to the logic cabinets.

Actuation of the trip breakers or master and slave relays will require a combinational logic of 1 of 2, 2 of 3, or 2 of 4, as appropriate.

A typical analog channel consists of a sensor, loop power supply, signal conditioning circuits, and a comparator which is the output device to the logic cabinet. The sensor measures physical parameters such as temperature, pressure, level, etc. The measurement is converted to an electrical signal and transmitted to the protection racks for signal conditioning.

The signal conditioning modules perform a number of functions including amplification, square root derivation, lead/lag compensation, integration, summation, and isolation. A signal comparator, usually a bistable device, compares the conditioned signal to a predetermined setpoint and turns the output off or on if the voltage exceeds the setpoint. Each bistable controls two relays; one for train A logic and the other for train B logic.

The combinational logic is performed in the logic cabinet. Each logic cabinet consists of three bays; the input bay which contains the input relays, the logic bay, and the output bay which contains the master and slave relays. Two types of logic bays are used; solid state logic or relay logic.

Figure 2.1: Simplified Diagram of the Reactor Protection System

The solid state cabinet, or solid state protection system (SSPS), receives inputs from the analog channels via the input relays. This is accomplished using relays in either an energized or de-energized state, as determined by the output of the comparator. The relays operate grounding contacts in the SSPS circuitry. When a comparator senses a trip condition the corresponding input relay will energize as appropriate, applying a ground to a specific logic input. The logic inputs are applied to universal boards which are the basic circuits of the protection system. These boards contain 1 of 2, 2 of 3, or 2 of 4 logic circuits. Grounding of the appropriate number of universal board inputs will cause a signal to be generated. Output signals from the universal boards are connected to other universal boards, undervoltage output boards, or safeguard output boards as described:

1. Connection to other universal boards enables additional logic combinations. For example, auxiliary feedwater may be started by low level in one steam generator as sensed by 2 of 3 channels. Each of the three steam generator channels for one steam generator would input to a 2 of 3 universal board. For a three-loop plant there would be three such circuits. The output of each of these universal boards would input to a 1 of 3 universal board to achieve the desired logic.

2. Connection to undervoltage output boards drives the undervoltage relays to trip the reactor trip breakers.
3. Connection to safeguard output boards drives the master relays which in turn drive the slave relays.

The relay logic consists of contacts in a series-parallel arrangement which energize a master relay when appropriate combinations of contacts are closed, or de-energize a master relay when the appropriate combinations of contacts are open, depending on the function. The series-parallel contacts are operated by the output relays of the analog channels and are arranged to initiate appropriate protective functions when the required number of analog channels sense an out-of-limit condition.

The master and slave actuation relays function to start the safeguards equipment which is used to mitigate events. This is accomplished by a combination of relay operations initiated by the output of the logic circuit. Each master relay energized by the logic circuit closes contacts which energize one or more slave relays. The number of master and slave relays is dependent on the particular protective function. The more complex the function, the greater the number of relays energized. Each slave relay when energized, closes contacts in the actuation circuits for one or more pieces of equipment. Typically each slave relay causes several components to operate.

2.2 TEST AND MAINTENANCE ACTIVITIES

This program is concerned with test and maintenance activities related to the analog channels, logic cabinets, reactor trip breakers, master relays, and slave relays in the RPS and ESFAS. The protection system is designed to allow online testing. An overlapping test sequence is used, with each test within the testing scheme adequately testing a portion of the protection system. Satisfactory completion of all tests provides assurance that the system will perform as assumed in the safety analysis when demanded. Typically, testing of the protection system involves verification of the proper channel response to known inputs, proper comparator (bistable) settings and proper operation of the combinational logic and associated trip breakers, master relays, and slave relays. Details of RPS and ESFAS testing are provided in References 1 and 3.

With regard to the following analyses, the impact of test and maintenance activities on the RPS and ESFAS is important. Of specific interest is the impact on the availability of protection system signals, that is, how the individual components of the protective functions are degraded during test and maintenance activities.

Analog channels: The channels can be tested and maintained in either the bypassed or tripped state depending on the specific plant hardware capability. If tested in the bypassed state, the channel is unavailable and actuation logic changes from 2 of 3 to 2 of 2 or from 2 of 4 to 2 of 3 depending on the initial logic requirement. If tested in the tripped state, the channel is providing a trip signal to the logic and the additional logic then required for actuation changes from 2 of 3 to 1 of 2 or from 2 of 4 to 1 of 3. Most plants do not have the installed bypass test capability (Eagle 21 process protection system or the bypass test panel) so the tripped state is used.

Logic cabinets: The logic is tested and maintained in the bypassed state. That is, the cabinet is unavailable during these activities.

Master relays: The master relays are tested and maintained in the bypassed state. That is, the relays are unavailable during these activities.

Slave relays: The slave relays are tested and maintained in the bypassed state. That is, the relays are unavailable during these activities.

Reactor trip breakers: The trip breakers are tested and maintained in the bypassed state, but the bypass trip breaker for the main trip breaker being tested or maintained is used to provide the reactor trip function from two breakers. During such activities, the bypass breaker is controlled by the available (opposite train) logic.
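The effect of testing an analog channel in bypass or in trip on the coincidence logic, together with the 2 of 3 into 1 of 3 universal board cascade from Section 2.1, worked as an added example (not code from the report). Function names are hypothetical, channel failures are assumed independent, and the probabilities q and s are constructed values; the report's fault trees also model common cause failure, which this sketch leaves out.

```python
"""k-of-n coincidence voting with channels in test (added illustration)."""
from math import comb


def vote(k, inputs):
    """True when at least k of the inputs are in the tripped state."""
    return sum(bool(x) for x in inputs) >= k


def afw_start_three_loop(sg_low_low):
    """Universal board cascade: 2 of 3 channels per steam generator,
    then 1 of 3 across the three per-generator board outputs."""
    if len(sg_low_low) != 3 or any(len(ch) != 3 for ch in sg_low_low):
        raise ValueError("expected 3 steam generators x 3 channels")
    per_generator = [vote(2, channels) for channels in sg_low_low]
    return vote(1, per_generator)


def effective_logic(k, n, bypassed=0, tripped=0):
    """Return (votes still needed, channels still able to vote).

    A bypassed channel cannot vote; a tripped channel has already voted.
    """
    if bypassed < 0 or tripped < 0 or not (1 <= k <= n):
        raise ValueError("inconsistent channel counts")
    if bypassed + tripped > n:
        raise ValueError("more channels in test than exist")
    return max(k - tripped, 0), n - bypassed - tripped


def _at_least(m, n, p):
    """P(at least m of n independent events occur), each with probability p."""
    if m <= 0:
        return 1.0
    if m > n:
        return 0.0
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(m, n + 1))


def p_fail_on_demand(k, n, q, bypassed=0, tripped=0):
    """P(no actuation on a real demand); q = P(one channel fails to trip)."""
    needed, remaining = effective_logic(k, n, bypassed, tripped)
    # The signal is lost when more than (remaining - needed) channels fail.
    return _at_least(remaining - needed + 1, remaining, q)


def p_spurious(k, n, s, bypassed=0, tripped=0):
    """P(actuation with no demand); s = P(one channel trips spuriously)."""
    needed, remaining = effective_logic(k, n, bypassed, tripped)
    return _at_least(needed, remaining, s)


def compare(k, n, q, s):
    """Signal unavailability and spurious actuation for the three test states."""
    states = {"normal": {}, "bypass": {"bypassed": 1}, "trip": {"tripped": 1}}
    return {
        name: {
            "logic": effective_logic(k, n, **kw),
            "fail_on_demand": p_fail_on_demand(k, n, q, **kw),
            "spurious": p_spurious(k, n, s, **kw),
        }
        for name, kw in states.items()
    }


if __name__ == "__main__":
    Q, S = 1e-2, 1e-3  # constructed per-channel probabilities
    for k, n in ((2, 3), (2, 4)):
        print(f"{k} of {n}")
        for name, row in compare(k, n, Q, S).items():
            needed, remaining = row["logic"]
            print(f"  {name:6s} -> {needed} of {remaining}  "
                  f"fail={row['fail_on_demand']:.3e}  "
                  f"spurious={row['spurious']:.3e}")
```

Testing in bypass raises the chance of losing the signal on demand, while testing in trip lowers it but raises the chance of a spurious actuation, which is the trade-off behind the report's interest in trips caused by test activities.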

With regard to maintenance activities, two types can be done: corrective and preventive. Corrective maintenance, or repair activities due to component failures, are those that are done after a component failure is identified through either a test or by some other means, such as through visual control room board scans. Preventive maintenance activities are pre-scheduled maintenance activities done to maintain the component in operable condition. Both types of activities impact the component availability.

3.0 NRC MEETING

A meeting to discuss the program with the NRC was held on July 11, 1994. The NRC was represented by personnel from the Office of Nuclear Reactor Regulation and the WOG was represented by personnel from several utilities and Westinghouse Electric Corporation. The purpose of the meeting was to discuss the following areas of the program:

- overall program approach
- instrumentation allowed outage times and bypass times being considered
- use of WOG TOP RPS and ESFAS instrumentation signal fault tree models as opposed to IPE instrumentation signal fault tree models
- acceptance criteria
- representative plant for the risk analysis
- information the NRC expects to see in the submittal report

The following summarizes the important points from the meeting:

1. The NRC was receptive to the approach.
2. The RPS and ESFAS instrumentation signal unavailability models from WOG TOP should be used, as opposed to models from the IPE programs, to facilitate the NRC's review. The WOG TOP models have already been reviewed by the NRC.
3. The impact on risk related to the AOT and bypass time changes should be inconsequentially small and not significantly increase the level of importance of the RPS and ESFAS.
4. The PRA for the "typical" plant used in the risk analysis does not need to be from the lead plant.
5. The NRC requested that the risk level corresponding to the new AOTs and bypass times be compared to the risk corresponding to the AOTs, bypass times, and STIs for the instrumentation prior to WOG TOP and corresponding to the AOTs, bypass times, and STIs justified by WOG TOP.
6. The NRC requested that actual plant RPS and ESFAS instrumentation configurations be provided in the report. Of particular interest is the time multiple channels are inoperable.
7. The NRC stressed the importance of discussing the positive impact of the changes on plant safety, such as, reduced number of trips, reduced number of shutdowns, etc.


These seven items have been incorporated into the analysis and are discussed as appropriate in the following sections.

4.0 PLANT SURVEY

A survey was provided to all domestic WOG member utilities to obtain information regarding test and maintenance activities related to the RPS and ESFAS, and information related to plant operation. The survey also included questions on the impact of the extended AOTs on test and maintenance practices, that is, will the analog channels or logic cabinets be unavailable more often due to additional test or maintenance activities that may be performed or will they be unavailable for longer periods of time due to changes in personnel response to completing test and maintenance activities. In addition, information on the number of plant trips and controlled shutdowns that may be averted due to these changes was also requested. A copy of the Survey is provided in Appendix C.

The survey is divided into two parts. The first part is divided into three sub-sections. The first sub-section requests information on plant specific implementation of the WOG TOP Technical Specification Improvements. The second sub-section requests information on channel and logic cabinet unavailability, and how longer AOTs will impact unavailability of these components. The third sub-section requests information on how these activities impact plant availability with respect to reactor trips and required plant shutdowns. Responses to the third sub-section were limited to the latest five years of operation. The second part of the survey was used to determine the availability of detailed histories of the unavailability of instrumentation logic and analog channels.

The survey was returned by 17 sites representing 24 units. Tables 4.1 to 4.6 summarize the survey information. One site is not yet in commercial operation; its responses to the survey were not included in the following summary tables.

Table 4.1 provides a summary of the plants responding to the survey and the type of protection system (logic cabinet), solid state or relay, in the plant. Also indicated on this table are the plants that have implemented WOG TOP Technical Specification changes, and if so, the date of the implementation, and the mode in which analog channels are tested; tripped or bypassed. Most plants do not have the installed bypass test capability, so testing is done in the tripped state. Approximately half of the plants have implemented TOP.

Table 4.2 provides a summary of the typical and maximum times to perform test and maintenance activities on the analog channels. This table also provides the utility response to what the anticipated impact of extended AOTs would be on the times to complete test and maintenance activities on analog channels. As seen from Table 4.2, the typical time to perform analog channel tests varies from 0.75 hour to 8 hours and the maximum time varies from 2 hours to 12 hours. This table also shows that the typical time to perform maintenance activities varies from 2 hours to 40 hours and the maximum time varies from 4 hours to 72 hours. With the extended AOTs, most utilities responded that no impact on the time to perform test or maintenance activities is expected, although several indicated the time could increase by 25%.

Table 4.1 Survey Summary

Plant | TOP Implementation | Test in Trip/Bypass | Type of Logic Cabinet
--- | --- | --- | ---
Plant A (2 Units) | yes (9/94) | trip | SSPS
Plant B (1 Unit) | yes (9/86, RT & 10/91, ESF) | trip | SSPS
Plant C (2 Units) | yes (8/94) | trip | SSPS
Plant D (1 Unit) | yes (2/90) | trip | SSPS
Plant E (1 Unit) | no | trip | Relay
Plant F (2 Units) | no | trip | SSPS
Plant G (1 Unit) | no | trip | Relay
Plant H (2 Units) | no | trip | SSPS
Plant I (2 Units) | yes (8/94) | trip | Relay
Plant J (1 Unit) | yes (10/86) | trip | SSPS
Plant K (2 Units) | yes (5/90) | trip | SSPS
Plant L (1 Unit) | no | trip | SSPS
Plant M (2 Units) | NR | trip | SSPS
Plant N (2 Units) | no | trip | Relay
Plant O (2 Units) | no | trip | Relay
Plant P (1 Unit) | no | trip | SSPS

Note: RT - reactor trip; ESF - engineered safety features; SSPS - solid state protection system; Relay - relay protection system

Table 4.2 Survey Summary - Analog Channels

Plant | Time to Perform Tests (Typical/Maximum) | Time to Perform Maintenance (Typical/Maximum) | Impact of AOT Extension: Test Time | Impact of AOT Extension: Maint. Time
--- | --- | --- | --- | ---
Plant A (2 Units) | 0.75 hr/3 hr | 12 hr/24 hr | no impact | no impact
Plant B (1 Unit) | 4 hr/12 hr | 4 hr/12 hr | no impact | no impact
Plant C (2 Units) | 8 hr/10 hr | 3 hr/6 hr | no impact | 25% incrs.
Plant D (1 Unit) | 4 hr/8 hr | 6 hr/8 hr | no impact | no impact
Plant E (1 Unit) | 1.5 hr/3 hr | 6 hr/8 hr | no impact | no impact
Plant F (2 Units) | 1 hr/2 hr | 6 hr/10 hr | no impact | no impact
Plant G (1 Unit) | 4 hr/4 hr | 4 hr/8 hr | no impact | no impact
Plant H (2 Units) | 6 hr/9 hr | NR | NR | NR
Plant I (2 Units) | NAR | 8 hr/48 hr | no impact | no impact
Plant J (1 Unit) | 0.75 hr/3 hr | 4.5 hr/8 hr | no impact | no impact
Plant K (2 Units) | 3 hr/7 hr | 40 hr/72 hr | no impact | no impact
Plant L (1 Unit) | 2 hr/5 hr | 6 hr/8 hr | no impact | no impact
Plant M (2 Units) | 1 hr/4.5 hr | 4 hr/10 hr | no impact | no impact
Plant N (2 Units) | NAR | NAR | no impact | no impact
Plant O (2 Units) | 3 hr/6 hr | 4 hr/8 hr | no impact | no impact
Plant P (1 Unit) | 3 hr/4 hr | 2 hr/4 hr | no impact | 25% incrs.

Notes: NR - no response; NAR - not applicable response

With regard to the frequency of maintenance activities, a significant number of utilities responded that such maintenance activities are performed every 18 months, indicating these activities are completed during refueling and are routine (preventive) activities. This was confirmed with followup phone calls to several utilities. The purpose of this question was to determine the frequency of maintenance activities that would cause an analog channel to be unavailable while at-power. Several utilities provided additional information over the phone to more appropriately respond to this question. These responses indicate that maintenance on the analog channels while at-power occurs relatively infrequently, in the range of once every 2 years up to once every 5 years.

Table 4.3 provides a summary of the typical and maximum times to perform test and maintenance activities on the logic cabinets. This table also provides the utility response to what the anticipated impact of extended AOTs would be on the times to complete test and maintenance activities on logic cabinets. As seen from Table 4.3, the typical time to perform logic cabinet tests varies from 1 hour to 4 hours and the maximum time varies from 1.5 hours to 10 hours. This table also shows that the typical time to perform maintenance activities varies from 1 hour to 10 hours and the maximum time varies from 2 hours to 24 hours. With the extended AOTs, most utilities responded that no impact on the time to perform test or maintenance activities is expected, although several indicated the time could increase by up to 50%.

With regard to the frequency of maintenance activities, a significant number of utilities responded that such maintenance activities are performed every 18 months, indicating these activities are completed during refueling and are routine (preventive) activities. This was confirmed with followup phone calls to several utilities. The purpose of this question was to determine the frequency of maintenance activities that would cause a cabinet to be unavailable while at-power. Several utilities provided additional information over the phone to more appropriately respond to this question. These responses indicate that maintenance on the logic cabinets while at-power occurs at a frequency greater than once every 2 years.

Table 4.4 provides a summary of reactor trip information for the utilities that provided the requested information. The information includes the total number of plant trips, the number of trips that have occurred during plant startup and shutdown, and the number of trips related to instrumentation test and maintenance activities. The total number of plant startups and shutdowns are also provided on this table. The information on this table indicates that a significant number of trips that have occurred are related to instrumentation test and maintenance activities (>20%), indicating that these activities should be completed with caution and sufficient time should be available to complete these activities in an orderly and effective manner.


Table 4.3 Survey Summary - Logic Cabinets

Plant | Time to Perform Tests (Typical/Maximum) | Time to Perform Maintenance (Typical/Maximum) | Impact of AOT Extension: Test Time | Impact of AOT Extension: Maint. Time
--- | --- | --- | --- | ---
Plant A (2 Units) | 1.25 hr/2 hr | 2 hr/4 hr | no impact | no impact
Plant B (1 Unit) | 1 hr/3 hr | 4 hr/8 hr | no impact | no impact
Plant C (2 Units) | 4 hr/6 hr | 4 hr/6 hr | 50% incrs. | 50% incrs.
Plant D (1 Unit) | 4 hr/6 hr | 6 hr/8 hr | no impact | no impact
Plant E (1 Unit) | 1.5 hr/3 hr | 3 hr/5 hr | no impact | no impact
Plant F (2 Units) | 1 hr/2 hr | 8 hr/24 hr | no impact | no impact
Plant G (1 Unit) | 4 hr/6 hr | 4 hr/4 hr | no impact | no impact
Plant H (2 Units) | 1.5 hr/2 hr | NR | NR | NR
Plant I (2 Units) | 4 hr/10 hr | 4 hr/10 hr | no impact | 25% incrs.
Plant J (1 Unit) | 2 hr/2 hr | 4.5 hr/8 hr | 25% incrs. | 25% incrs.
Plant K (2 Units) | 3 hr/6 hr | 4 hr/6 hr | no impact | no impact
Plant L (1 Unit) | 1.5 hr/2 hr | no failures | no impact | no impact
Plant M (2 Units) | 1.5 hr/1.5 hr | not done at-power | no impact | not done at-power
Plant N (2 Units) | 3 hr/4 hr | 10 hr/12 hr | no impact | no impact
Plant O (2 Units) | 2 hr/2 hr | 1 hr/2 hr | no impact | no impact
Plant P (1 Unit) | 2 hr/3 hr | 2 hr/4 hr | no impact | no impact

Notes: NR - no response

Table 4.4 Survey Summary - Reactor Trips

Plant | Number of Trips | No. During Shutdown | No. During Startup | No. Due to Instru. Test Activities | No. Due to Instru. Maint. Activities | Startups | Shutdowns
--- | --- | --- | --- | --- | --- | --- | ---
Plant A (2 Units) | 16 | 1 | 6 | 3 | 1 | 32 | 16
Plant B (1 Unit) | 11 | 1 | 1 | 1 | 3 | 17 | 7
Plant C (2 Units) | 17 | 0 | 0 | 1 | 1 | NA | NA
Plant D (1 Unit) | 19 | 0 | 0 | 4 | 1 | 27 | 7
Plant F (2 Units) | 16 | 2 | 0 | 1 | 3 | 32 | 16
Plant G (1 Unit) | 7 | 0 | 1 | 0 | 1 | 20 | 13
Plant I (2 Units) | 11 | 1 | 0 | 2 | 0 | 26 | 15
Plant J (1 Unit) | 15 | 0 | 0 | 5 | 1 | 18 | 3
Plant K (2 Units) | 24 | 4 | 8 | 6 | 6 | 32 | 7
Plant L (1 Unit) | 9 | 0 | 0 | 0 | 2 | 16 | 5
Plant M (2 Units) | 42 | 0 | 10 | 6 | 1 | 67 | 25
Plant N (2 Units) | 15 | 0 | 3 | 2 | 1 | 39 | 24
Plant P (1 Unit) | 7 | 1 | 1 | 0 | 1 | 10 | 10
Total | 209 | 10 | 30 | 31 | 22 | 342 | 148

Notes: NA - not available

Table 4.5 provides a summary of the total number of plant shutdowns, and the number of shutdowns due to Technical Specification related requirements and Technical Specification instrumentation related requirements. This table also provides a summary of the total number of discretionary enforcements required to avoid shutdowns and the number of discretionary enforcements required to avoid shutdowns specifically related to Technical Specification instrumentation issues.

Followup phone calls were held with the utilities that indicated they had to shut down the plant due to Technical Specification instrumentation issues or avoided a shutdown related to Technical Specification instrumentation related issues through discretionary enforcements.

The purpose of these followup calls was to determine if an extended AOT for either the logic cabinets or the analog channels would have helped in avoiding either the shutdown or the discretionary enforcement. The results from these calls showed that none of the shutdowns would have been avoided with longer instrumentation AOTs and two discretionary enforcements may have been avoided.

Table 4.6 provides a summary of miscellaneous information including: 1) the response to the question concerning multiple channels measuring the same parameter being in either test or maintenance simultaneously, 2) the percentage of test activities that result in (corrective) maintenance activities for analog channels and logic cabinets, 3) the time period considered in response to the survey, and 4) percent time the plant was at-power during this time period. It is noted from this information that for the vast majority of plants multiple channels measuring the same parameters are not unavailable simultaneously due to test or maintenance activities.

In addition, the utilities typically responded that 10% or less of the test activities on the instrumentation lead to corrective maintenance activities.

Information was also requested in the survey on the number of spurious safety injections that have occurred, if they occurred at-power, during plant startup or plant shutdown, and if they were related to instrumentation test or maintenance activities. For the 14 sites that responded to these questions, there have been only six spurious safety injections over the time period of interest and all have occurred at-power. Four of these six were related to instrumentation test or maintenance activities, but none would have benefited from extended AOTs.

As discussed in Section 3, the NRC requested that information regarding the actual plant RPS and ESFAS instrumentation configurations be included in the report. Of particular interest is the time multiple channels are inoperable. Detailed information regarding specific instrumentation configurations is limited, but some general information was collected and is summarized as follows:

Utilities perform test activities on the majority of the analog channels in the tripped state. Therefore, even though the channel may be unavailable, it is performing its required safety function and plant safety is not degraded.

Typically, test activities in bypass are limited to containment spray.

Currently, few utilities have the capability to test in bypass. Several utilities will have the capability to routinely perform test and maintenance activities in bypass in the near future. Therefore, very limited data is currently available concerning instrumentation configurations with channels unavailable.

It is not common practice to have multiple channels measuring the same parameter out of service simultaneously. The Technical Specifications address this situation and require a plant shutdown.

f L

l l

l }

i l

l l

1 l l

l I

l l

l muo99w wpusosoies 4-8 1

1

h 3

Table 4.5 Survey Summary - Shutdowns and Discretionary Enforcements

Plant | Controlled Shutdowns | TS Required Shutdowns | ... Shutdowns | ... Enforcement | ... Enforcement
(The remaining column heading text is illegible in the source; the fragments "TS Instrumentation Shutdowns", "Avoided due to", "Required", "Avoided" and "Discret." survive.)
Plant A (2 Units) | 16 | 7 | 0 | 7 | 1
Plant B (1 Unit) | 7 | 1 | 0 | 7 | 0
Plant C (2 Units) | NA | 2 | 0 | 3 | 0
Plant D (1 Unit) | 7 | 2 | 1 | 1 | 0
Plant F (2 Units) | 16 | 0 | 0 | 2 | 0
Plant G (1 Unit) | 13 | 3 | 1 | 1 | 1
Plant I (2 Units) | 15 | 1 | 0 | 1 | 1
Plant J (1 Unit) | 3 | 0 | 0 | 4 | 2
Plant K (2 Units) | 7 | 3 | 0 | 6 | 0
Plant L (1 Unit) | 5 | 0 | 0 | 0 | 0
Plant M (2 Units) | 25 | 10 | 0 | NA | NA
Plant N (2 Units) | 24 | 2 | 0 | 6 | 0
Plant P (1 Unit) | 10 | 2 | 1 | 4 | 2
Total | 148 | 33 | 3 | 42 | 7

Notes: NA - not available

Table 4.6 Survey Summary - Miscellaneous

Plant | Multiple Channels Out of Service At the Same Time | Percentage of Tests that Lead to Maintenance | Time Span Included in Survey | Percent Time Plant At-Power
Plant A (2 Units) | no | < 10% | 5.0 yr | Unit 1 - 71%, Unit 2 - 86%
Plant B (1 Unit) | no | 10% | 5.3 yr | 91%
Plant C (2 Units) | very rare | 10% | 4.7 yr | 90%
Plant D (1 Unit) | no | 10% | 4.0 yr | 80%
Plant E (1 Unit) | NR | 5% | NR | NR
Plant F (2 Units) | no | 10% | 5.0 yr | Unit 1 - 80%, Unit 2 - 82%
Plant G (1 Unit) | no | < 5% | 4.8 yr | 84%
Plant H (2 Units) | NR | 1% | NR | NR
Plant I (2 Units) | no | 10% | 5.7 yr | 90%
Plant J (1 Unit) | no | 4% | 3.8 yr | 80%
Plant K (2 Units) | no | 10% | NA | 30*4
Plant L (1 Unit) | NA | 25% | 5.0 yr | 75%
Plant M (2 Units) | no | 1% | 6.0 yr | 50%
Plant N (2 Units) | no | 2-3% | 5.7 yr | 76%
Plant O (2 Units) | no (channel trip only); yes (transmitter work) | 10% | 5.0 yr | 80%
Plant P (1 Unit) | no | < 10% | 5.9 yr | 82%

Notes: NA - not available; NR - no response


5.0 TECHNICAL SPECIFICATIONS CHANGES TO BE EVALUATED

Original discussions with the WOG indicated interest in extending the AOTs for the analog channels, logic cabinets, master relays, and slave relays up to 72 hrs and bypass times up to 72 hrs. As discussed in Section 3.0, a pre-meeting was held with the NRC to discuss the program approach and changes being considered. Based on this discussion, it was decided to change the AOTs being considered for the logic cabinets, master relays, and slave relays to 24 hours. Based on the results of the plant survey, discussed in Section 4.0, and additional discussions with the WOG, it was further decided to leave the test time (or bypass time) for the logic cabinets, master relays, and slave relays at the current (WOG TOP) values. The current times appear to be adequate in most cases.

To model these AOTs in the fault trees to determine the impact of the changes on signal unavailabilities, several parameters need to be specified for component test and maintenance unavailabilities. These are the test and maintenance frequencies, and the time to complete the test and maintenance activities. These are discussed in more detail in the following paragraphs.

Changes to the reactor trip breaker test and maintenance parameters are not being addressed in this analysis. These were addressed in the previous WOG TOP analysis, but were not approved by the NRC.

5.1 TEST FREQUENCIES AND DURATIONS

The test frequency is specified by the Westinghouse Standard Technical Specifications; therefore, the frequencies required by the Technical Specifications are used. The test frequencies are listed on Tables 5.1 and 5.2 for the SSPS and relay protection system, respectively. The actual test times (time to complete a test) are plant specific. The only control over the length of tests is provided by the AOTs in the Technical Specifications or by the length of time the component is allowed to be in a bypassed state, also as specified in the Technical Specifications. For logic cabinets, master relays, and slave relays, the AOT is the maximum time the cabinet can be unavailable or bypassed. For analog channels, the AOT is the maximum length of time the channel can be unavailable or bypassed prior to being required to place it in the trip state. Plants that do not have installed channel bypass capability (most plants) cannot take advantage of this feature for testing. Due to these hardware limitations, testing of analog channels in most plants is performed with the channel in the tripped state.

From Table 4.2 it is seen that the maximum times to perform tests on the analog channels range from 2 hrs to 12 hrs and the typical times range from 0.75 hr to 8 hrs. Responses to the survey also indicated that with extended times, the times to complete analog channel tests are expected to be unaffected. Based on this information, a 12 hour analog channel bypass time was evaluated in this study. This envelops the maximum time provided in the survey.

From Table 4.3 it is seen that the maximum times to perform tests on the logic cabinets range from 1.5 hrs to 10 hrs and the typical times range from 1 hr to 4 hrs. Responses to the survey also indicated that with extended times, the times to complete logic cabinet tests are expected to be unaffected. It was decided to use a 4 hour logic cabinet bypass time in this study. The 4 hour time envelops all of the typical times required to complete logic cabinet tests and envelops many of the maximum times. Note that this is the same value that was evaluated in the WOG TOP Program. It should also be noted that the results of some preliminary sensitivity analyses, not documented in this report, indicated that extending the test or bypass times had a greater impact on the signal unavailability than extending the AOT or maintenance time. The WOG was particularly interested in extending the AOT, so it was decided to maintain the bypass time at the current value.

Note that in most Technical Specifications, the logic cabinet AOT and bypass time also apply to the master and slave relays, so a 4 hour bypass or test time will also be used for the master and slave relays. The test times are summarized on Tables 5.1 and 5.2.

5.2 MAINTENANCE FREQUENCIES AND DURATIONS

Preventive maintenance is usually completed on analog channels and logic cabinets during refueling outages. Corrective maintenance is done at-power when required. There is no set interval. Any maintenance activity that causes a channel or cabinet to be unavailable while at-power is of interest in this analysis. The previous WOG TOP study assumed that channel and logic cabinet maintenance occurred while the plant was at-power once per year. The results of the survey indicate at-power maintenance occurs significantly less frequently than this (see the discussion in Section 4.0 and Table 4.6). Table 4.6 shows that typically 10% or less of the tests lead to maintenance; so if the test interval is 3 months, then maintenance activities would typically be done every 30 months, which assumes that the majority of component failures are usually found via tests. WOG TOP assumed that maintenance activities that render the component unavailable while at-power occur once per year. This is a conservative assumption that leads to conservative results which may be misleading; it provides an unrealistically large increase in risk. The maintenance intervals, or frequencies, in this study will be based on the following:

Slave Relays: Maintenance activities will be performed when the relay is found to be inoperable, following a test or an event that would cause an actuation. Preventive maintenance is not performed on these relays at power. Therefore, the maintenance interval is related to the probability of a slave relay failing on demand. The calculation for maintenance unavailability is based on the relay failure rate. This value is significantly less than the maintenance unavailability based on a maintenance frequency of once per year, indicating the relays fail significantly less than once per year. This is supported by the reliability assessment of AR and MDR relays used in the SSPS provided in WCAP-13877 and WCAP-14117 (References 4 and 5). Section 9 of WCAP-13877 shows there have been only 6 relay actuation failures in approximately 43,000 demands for AR relays. Section 9 of WCAP-14117 shows there have been only 4 relay actuation failures in approximately 50,000 demands for MDR relays.

Table 5.1 Summary of AOTs and STIs for the RPS and ESFAS (Solid State Protection System)

Component | Pre-TOP | TOP | Proposed
Analog Channels
- Maint. Time (1) | 1 hour | 6+6 hours | 72+6 hours
- Maint. Interval | 2 years | 2 years | 2 years
- Test (bypass) Time | 2 hours | 4 hours | 12 hours
- Test Interval | 1 month | 3 months | 3 months
- Calibration Interval | NEAP (3) | NEAP (3) | 18 months
- Calibration Time | NEAP (3) | NEAP (3) | 4 hours
Logic Cabinets
- Maint. Time (1) | 2 hours | 6+6 hours | 24+6 hours
- Maint. Interval | 18 months | 18 months | 18 months
- Test (bypass) Time | 1.5 hours | 4 hours | 4 hours
- Test Interval | 2 months | 2 months | 2 months
Master Relays
- Maint. Time (1) | 2 hours | 6+6 hours | 24+6 hours
- Maint. Interval | see Note 2 | see Note 2 | see Note 2
- Test (bypass) Time | 1.5 hours | 4 hours | 4 hours
- Test Interval | 2 months | 2 months | 2 months
Slave Relays
- Maint. Time (1) | 2 hours | 6+6 hours | 24+6 hours
- Maint. Interval | see Note 2 | see Note 2 | see Note 2
- Test (bypass) Time | 4 hours | 4 hours | 4 hours
- Test Interval | 3 months | 3 months | 3 months
Reactor Trip Breakers
- Maint. Time | 6 hours | 6 hours | 6 hours
- Maint. Interval | 1 year | 1 year | 1 year
- Test Time | 2 hours | 2 hours | 2 hours
- Test Interval | 2 months | 2 months | 2 months

Notes:

1 - The "+ 6 hr" is the time provided in Tech Spec to enter the specified mode if the component isn't returned to operable status.

2 - Maintenance interval is based on the component failure rate.

3 - Not Evaluated At-Power (NEAP); in the past this activity has typically been done while shutdown.

Table 5.2 Summary of AOTs and STIs for the RPS and ESFAS (Relay Protection System)

Component | Pre-TOP | TOP | Proposed
Analog Channels
- Maint. Time (1) | 1 hour | 6+6 hours | 72+6 hours
- Maint. Interval | 2 years | 2 years | 2 years
- Test (bypass) Time | 2 hours | 4 hours | 12 hours
- Test Interval | 1 month | 3 months | 3 months
- Calibration Interval | NEAP (3) | NEAP (3) | 18 months
- Calibration Time | NEAP (3) | NEAP (3) | 4 hours
Logic Cabinets
- Maint. Time (1) | 2 hours | 6+6 hours | 24+6 hours
- Maint. Interval | 1 year | 1 year | 1 year
- Test (bypass) Time | 3 hours | 8 hours | 8 hours
- Test Interval | 1 month | 1 month | 1 month
Master Relays
- Maint. Time (1) | 6 hours | 6+6 hours | 24+6 hours
- Maint. Interval | see Note 2 | see Note 2 | see Note 2
- Test (bypass) Time | 3 hours | 8 hours | 8 hours
- Test Interval | 1 month | 1 month | 1 month
Slave Relays
- Maint. Time (1) | 6 hours | 6+6 hours | 24+6 hours
- Maint. Interval | see Note 2 | see Note 2 | see Note 2
- Test (bypass) Time | 6 hours | 12 hours | 12 hours
- Test Interval | 3 months | 3 months | 3 months
Reactor Trip Breakers
- Maint. Time | 6 hours | 6 hours | 6 hours
- Maint. Interval | 1 year | 1 year | 1 year
- Test Time | 2 hours | 2 hours | 2 hours
- Test Interval | 2 months | 2 months | 2 months

Notes:

1 - The "+ 6 hr" is the time provided in Tech Spec to enter the specified mode if the component isn't returned to operable status.

2 - Maintenance interval is based on the component failure rate.

3 - Not Evaluated At-Power (NEAP); in the past this activity has typically been done while shutdown.

Master relays: Maintenance activities will be performed when the relay is found to be inoperable, following a test or an event that would cause an actuation. Preventive maintenance is not performed on these relays at power. Therefore, the maintenance interval is related to the probability of a master relay failing on demand. The calculation for maintenance unavailability is based on the relay failure rate. This value is significantly less than the maintenance unavailability based on a maintenance frequency of once per year, indicating the relays fail significantly less than once per year. Although detailed data collection on the master relays has not been performed, their failure history is not expected to vary greatly from the slave relay experience.

Logic cabinets: Maintenance activities will be performed when the cabinet or a portion of the cabinet is found to be failed, following a test or an event that would cause an actuation, which leads to a repair activity that requires the cabinet to be declared inoperable. Therefore, the maintenance interval is related to the probability of a component in the cabinet failing to function when demanded. A detailed data collection has not been performed on the cabinets and no similar data is available to easily justify an alternate maintenance frequency. From the discussion in Section 4.0, the frequency of maintenance is reported to be at most once every two years based on the limited information available. In Table 4.6 it was reported that 10% or less of the tests on the instrumentation systems lead to maintenance activities. Since the logic cabinets are tested every two months, a failure would be expected approximately every 20 months per cabinet based on the percentage of tests that lead to maintenance activities. For this analysis, the maintenance interval will be 18 months.

Analog channels: Maintenance activities will be performed when a channel is found to be inoperable, following a test or an event that would cause an actuation. Therefore, the maintenance interval is related to the probability of a channel failing to function on demand. A detailed data collection has not been performed on the channels and no similar data is available to easily justify an alternate maintenance frequency. From the discussion in Section 4.0, the frequency of maintenance is reported to vary from once every two years to once every 5 years based on the limited information available. In Table 4.6 it was reported that 10% or less of tests on the instrumentation systems lead to maintenance activities. Since analog channels are tested every three months, a failure would be expected approximately every 30 months per channel based on the percentage of tests that lead to maintenance activities. For this analysis, the maintenance interval will be two years.


The maximum time allowed for maintenance activities, in which the component is unavailable or prior to being placed in a tripped state, is limited by the Technical Specification AOTs. The actual time in most cases is significantly less than the AOT value. The survey results discussed in Section 4.0 confirm this (see Tables 4.2 and 4.3). In addition, with increased AOTs, utilities responded in the survey that the time to complete maintenance activities is not expected to increase, although a minority indicated the times may increase as much as 50%. But, for the purposes of conservatism and since utilities may change maintenance practices/philosophies once the longer AOTs are implemented, it will be assumed the total AOT will be used for maintenance activities. Therefore, the analog channel AOT will be 72 hours and the AOTs for the logic cabinets, master relays, and slave relays will be 24 hours.

From the survey, several of the utilities indicated that completing channel calibrations at-power would be useful. These are required on an 18 month interval and require approximately 4 hours to complete. An additional 4 hours unavailability every 18 months will be added to the test unavailability value to account for this.

Tables 5.1 and 5.2 provide summaries of the AOTs and STIs for pre-TOP, WOG TOP, and for the values being evaluated in this assessment for solid state protection systems and relay protection systems. The values used for the SSPS and relay protection system differ due to the different test and maintenance approaches required for each type of system. These differences are discussed in more detail in Section 7.2.
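The Section 5.2 reasoning carried through numerically, as an added Python example that is not part of the WCAP report and is not its fault tree model: it turns the Table 5.1 (SSPS) durations and intervals into simple time-fraction unavailabilities (outage duration divided by the interval between outages) and reproduces the 30 month and 20 month implied maintenance intervals. The 730 hour month, the use of the AOT without the "+ 6 hr" of Note 1, the one-demand-per-test treatment of relays, and all function names are assumptions of this example.

```python
"""Added illustration (not from the report): time-fraction unavailability
computed from the Table 5.1 (SSPS) durations and intervals."""

HOURS_PER_MONTH = 8760 / 12  # assumption: average month of 730 hours


def outage_fraction(duration_h, interval_months):
    """Fraction of time out of service: outage duration / time between outages."""
    if interval_months is None or duration_h == 0:
        return 0.0  # activity not performed at power (NEAP in Table 5.1)
    return duration_h / (interval_months * HOURS_PER_MONTH)


def implied_maintenance_interval(test_interval_months, fraction_leading_to_maint):
    """Section 5.2: if a fraction f of tests ends in corrective maintenance,
    maintenance recurs roughly every (test interval / f)."""
    return test_interval_months / fraction_leading_to_maint


# Values from Table 5.1, in the order
# (maint_h, maint_interval_mo, test_h, test_interval_mo, cal_h, cal_interval_mo).
# Assumption: maintenance duration is the AOT itself, without the "+ 6 hr".
TABLE_5_1 = {
    "analog channel": {
        "pre-TOP": (1, 24, 2, 1, 0, None),
        "TOP": (6, 24, 4, 3, 0, None),
        "proposed": (72, 24, 12, 3, 4, 18),
    },
    "logic cabinet": {
        "pre-TOP": (2, 18, 1.5, 2, 0, None),
        "TOP": (6, 18, 4, 2, 0, None),
        "proposed": (24, 18, 4, 2, 0, None),
    },
}


def component_unavailability(component, case):
    """Test, calibration and maintenance time fractions for one table entry."""
    maint_h, maint_int, test_h, test_int, cal_h, cal_int = TABLE_5_1[component][case]
    parts = {
        "test": outage_fraction(test_h, test_int),
        "calibration": outage_fraction(cal_h, cal_int),
        "maintenance": outage_fraction(maint_h, maint_int),
    }
    parts["total"] = sum(parts.values())
    return parts


def relay_maintenance_unavailability(failures, demands, repair_h, test_interval_months):
    """Note 2 of Table 5.1 as modelled here: a relay is only taken out for
    maintenance after it fails a demand. Assumption: one demand per periodic
    test, and the full AOT (repair_h) is used each time."""
    p_fail_on_demand = failures / demands
    return p_fail_on_demand * outage_fraction(repair_h, test_interval_months)


def yearly_maintenance_unavailability(repair_h):
    """The WOG TOP assumption: one at-power maintenance outage per year."""
    return outage_fraction(repair_h, 12)


if __name__ == "__main__":
    for component, cases in TABLE_5_1.items():
        for case in cases:
            u = component_unavailability(component, case)
            print(f"{component:15s} {case:9s} "
                  f"test={u['test']:.2e} cal={u['calibration']:.2e} "
                  f"maint={u['maintenance']:.2e} total={u['total']:.2e}")
    print("implied maintenance interval, analog channels (months):",
          implied_maintenance_interval(3, 0.10))
    print("implied maintenance interval, logic cabinets (months):",
          implied_maintenance_interval(2, 0.10))
    # Slave relays: 6 failures in about 43,000 demands (AR relays), 24 h AOT,
    # 3 month test interval, compared with one outage per year.
    print("slave relay, failure-rate based:",
          relay_maintenance_unavailability(6, 43000, 24, 3))
    print("slave relay, once per year:", yearly_maintenance_unavailability(24))
```

These fractions count time out of service per component only; they say nothing about signal unavailability, which the report obtains from the fault trees, and for analog channels tested in the tripped state the time out of service does not degrade the safety function.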

6.0 REPRESENTATIVE RPS AND ESFAS SIGNALS

The WOG TOP analysis evaluated all the RPS and ESFAS signals specified in the Technical Specifications that are common to most plants. These are provided in Tables 3.2-2 and 3.2-3 of Reference 2 for reactor trip signals and in Tables 3.1-2 and 3.1-3 of Reference 3 for ESFAS signals. During plant specific implementation of WOG TOP, justifications were provided to show the applicability of the TOP changes to several additional signals. These are listed in Section 11.0. In addition, through the implementation process, utilities also provided the justification of the applicability of these changes to other signals not analyzed in WOG TOP. The analysis and results discussed in the following sections are applicable to all these signals.

Not all the fault trees developed and quantified in the original WOG TOP were used in this current analysis; only those considered representative of the results for most of the other fault tree analyses. Only evaluating representative trees is adequate since many of the fault tree analyses provided similar results in terms of signal unavailabilities and changes in signal unavailabilities.

Table 6.1 provides a summary of the signals that were used in this evaluation. The following paragraphs provide the justification for using these signals.

One of the conclusions from the WOG TOP work was that the ESF actuation signals can be grouped, for signal unavailability type analyses, according to the number of master and slave relays, logic cabinet type (relay or solid state), and actuation logic (2 of 3 versus 2 of 4). This conclusion is from the ESFAS unavailability results in Reference 3.

Reactor trip actuation signals can be grouped, for signal unavailability type analyses, according to logic type (relay or solid state) and actuation logic (2 of 3 versus 2 of 4), although for reactor trip actuation signals it is necessary to consider signals from diverse sets of actuating sources (diverse sets of analog channels) as well as from single sets of 2 of 3 and 2 of 4 logic. This can be seen from reviewing the signal unavailability results in Reference 2.

Even though this program only considers analog processing of data (analog channels), the analysis is applicable to digital systems as justified by utilities implementing WOG TOP with the Eagle 21 process protection system. Only changes to AOTs and bypass times are being evaluated in this study and these affect the signal availability similarly between the two types of process protection systems, as opposed to changes to surveillance test intervals or changes to system designs which may impact component reliability differently between the two system types.

6.1 REPRESENTATIVE ENGINEERED SAFETY FEATURES ACTUATION SIGNALS

From Table 3.3-1 in Reference 3, ESF actuation signals developed from the solid state protection system model the following master/slave relay combinations:

1. safety injection, and containment spray and containment phase B isolation included two master relays per train with each master actuating three slave relays
2. steamline isolation, main feedwater isolation, and auxiliary feedwater pump start included one master relay per train actuating two slave relays

The signal unavailability analysis results for safety injection with a solid state protection system (see Reference 3, Table 3.6-6) and for containment spray and phase B isolation with a solid state protection system (see Reference 3, Table 3.6-10) show that the signal unavailability values, with common cause failures included, range from 9.7E-04 to 1.4E-03 for the Pre-TOP case and from 4.8E-03 to 6.6E-03 for Case 1. Case 1 is defined in Reference 3 on Table 3.1-1. These signals are represented by the safety injection on pressurizer pressure low interlocked with P-11 which has typical signal unavailabilities for this group of safeguard actuation signals.

The signal unavailability analysis results for steamline isolation with a solid state protection system (see Reference 3, Table 3.6-7), main feedwater isolation with a solid state protection system (see Reference 3, Table 3.6-8), and auxiliary feedwater pump start with a solid state protection system (see Reference 3, Table 3.6-9) show that the signal unavailability values, with common cause failures included, range from 5.0E-04 to 8.8E-04 for the pre-TOP case and from 2.2E-03 to 3.6E-03 for Case 1. These signals are represented by the auxiliary feedwater pump start on steam generator level low-low in one loop signal which has typical signal unavailabilities for this group of safeguard actuation signals.

From Table 3.3-2 of Reference 3, ESF actuation signals developed from relay protection systems use the following master/slave relay combinations:

1. safety injection included one master relay per train actuating six slave relays
2. steamline isolation, containment spray, and containment phase B isolation included one master relay per train actuating three slave relays
3. auxiliary feedwater pump start and main feedwater isolation included only one master relay per train - the master relay directly actuates the equipment

The results for safety injection with a relay protection system (see Reference 3, Table 3.6-1) show that the signal unavailability values, with common cause failures included, range from 6.7E-07 to 8.1E-04 for the pre-TOP case and from 3.9E-03 to 4.5E-03 for Case 1. Case 1 is defined in Reference 3 on Table 3.1-1. These signals are represented by safety injection on pressurizer pressure low interlocked with P-11 which has typical signal unavailabilities for this group of safeguard actuation signals.

The results for main feedwater isolation with a relay protection system (see Reference 3, Table 3.6-3), and for auxiliary feedwater pump start with a relay protection system (see Reference 3, Table 3.6-4) show that the signal unavailability values, with common cause failures included, range from 4.8E-05 to 1.3E-04, depending on the channel logic, for the pre-TOP case and from 2.1E-04 to 3.9E-04 for Case 1, again depending on the channel logic. These signals are represented by auxiliary feedwater pump start on steam generator level low-low in one loop which has typical signal unavailabilities for this group of safeguard actuation signals.

The signal unavailability results for steamline isolation, containment spray, and containment isolation fall between the results for the above two cases, and therefore will not be specifically evaluated.

6.2 REPRESENTATIVE REACTOR TRIP ACTUATION SIGNALS

The results in Table 3.2-2 (Reference 2) for reactor trip with solid state protection systems show that the signal unavailabilities, with common cause failures included, generally range from 9E-05 to 3E-04 for the pre-TOP case and from 1E-04 to 5E-04 (with a few as high as 8.9E-04) for Case 1. Case 1 is defined in Reference 1 on Table 4.3-2. The reactor trip signal on pressurizer pressure high, with pre-TOP and TOP unavailability values of 9.5E-05 and 1.5E-04, respectively, for 2 of 4 logic and pre-TOP and TOP unavailability values of 1.6E-04 and 3.2E-04, respectively, for 2 of 3 logic, is used as the signal to represent reactor trip signals generated from solid state protection systems.

The results in Table 3.2-3 (Reference 3) for reactor trip with relay protection systems show that the signal unavailabilities, with common cause failures included, generally range from 8E-05 to 3E-04 for the pre-TOP case and generally range from 1E-04 to 6E-04 for Case 1. The reactor trip signal on pressurizer pressure high, with pre-TOP and Case 1 unavailability values of 9.2E-05 and 1.4E-04, respectively, for 2 of 4 logic and pre-TOP and TOP unavailability values of 1.6E-04 and 3.0E-04, respectively, for 2 of 3 logic, is used as the signal to represent reactor trip signals generated from relay protection systems.

When signal diversity is considered, two or more signals (sets of analog channels) that actuate reactor trip in response to an event, the source of the signals and the logic required (2 of 3 vs. 2 of 4) are not important contributors to signal unavailability. This is not evident from the information provided in References 1 and 2, but can be seen by examination of the cutset results from evaluations presented in this document (see Section 7). The representative signal for diversity evaluations is the reactor trip signal on pressurizer pressure high (2 of 3) or overtemperature delta T (2 of 4).

It is also necessary to consider the impact of the AOT and bypass time changes on the signal unavailabilities with credit for operator actions to initiate reactor trip or actuation of the safeguard features. This is particularly important when assessing the impact of the changes on plant safety.

Typically, the automatic actuation signals are backed up by operator actions to perform the same function, as in manually initiating reactor trip or safety injection. Therefore, the signal unavailability analyses also considered the impact of the changes with credit for operator actions.

Operator action credit was only considered for signals generated from the solid state protection system since these will be used in the risk analysis and will be generally representative of the impact on the relay type protection systems if crediting operator actions. This is discussed in more detail in Section 8.0.

l l

l l

1 m:\2099w wpf.1d 060195 g.4

Table 6.1 Summary of Signals Being Considered

| Function | Logic Cabinet | Channel Logic | Operator Action |
|---|---|---|---|
| SI (1) | SSPS | 2 of 3 | no |
| SI (1) | SSPS | 2 of 4 | no |
| SI (1) | SSPS | 2 of 3 | yes |
| SI (1) | SSPS | 2 of 4 | yes |
| SI (1) | Relay | 2 of 3 | no |
| SI (1) | Relay | 2 of 4 | no |
| AFWPS (2) | SSPS | 2 of 3 | no |
| AFWPS (2) | SSPS | 2 of 4 | no |
| AFWPS (2) | Relay | 2 of 3 | no |
| AFWPS (2) | Relay | 2 of 4 | no |
| RT (3) | SSPS | 2 of 3 | no |
| RT (3) | SSPS | 2 of 4 | no |
| RT (4) | SSPS | Diverse | no |
| RT (3) | SSPS | 2 of 3 | yes |
| RT (3) | SSPS | 2 of 4 | yes |
| RT (4) | SSPS | Diverse | yes |
| RT (3) | Relay | 2 of 3 | no |
| RT (3) | Relay | 2 of 4 | no |
| RT (4) | Relay | Diverse | no |

Notes:

1. SI signal is from pressurizer pressure low interlocked with P-11.
2. AFWPS signal is from steam generator level low-low in one loop.
3. RT single source signal is from pressurizer pressure high.
4. RT diverse source signal is from pressurizer pressure high or overtemperature delta T.


7.0 RPS AND ESFAS SIGNAL UNAVAILABILITY ANALYSIS

As discussed in Section 1.0, the approach used in this analysis is consistent with that used in WOG TOP (References 1, 2, 3). A fault tree analysis was used to assess the impact of the AOT and bypass time changes on the unavailability of reactor trip and engineered safety features actuation signals. These unavailabilities were then used in a risk analysis to determine the impact on plant safety.

This section of the report presents and discusses the signal unavailability analysis. It includes a discussion on the approach, assumptions, fault tree models, and the results.

7.1 UNAVAILABILITY ANALYSIS APPROACH

The approach used in this analysis to determine the impact of the changes on signal unavailability is based on fault trees. The fault trees used are based on those previously developed for WOG TOP. These fault trees model the unavailability of the signal given a particular signal demand.

The assumptions (see Section 7.2) and data are also consistent with WOG TOP (References 1 and 3). Several changes were made to the details of the approach and these are discussed in the following paragraphs. Additional fault trees were developed as necessary to model the addition of operator actions to either manually trip the plant or initiate safety injection. Each fault tree specifically models and is unique to a particular RPS and ESFAS signal. Fault trees were developed for each signal noted in Table 6.1. The fault tree models are discussed in Section 7.3.

The analysis included contributions to signal unavailabilities from the following sources:

1. random failures of components
2. common cause failures of components
3. unavailability of components due to testing
4. unavailability of components due to maintenance
5. human error

Included in the fault tree models are the hardware failures, operator actions, and test and maintenance activities which can lead to signal failure. These are discussed in detail in Section 4.1 of Reference 1.

For the most part, the fault trees do not specifically include component common cause failure contributions to signal unavailability. This is added by hand calculations after quantification of the fault trees. The Multiple Greek Letter and Beta Factor common cause approaches are used in this analysis. This is consistent with the common cause approach used for the trip breakers, master and slave relays, and logic cabinets in WOG TOP, but is a change in approach for the analog channels. This change was implemented to improve the approach to account for the impact of changes in testing frequency on the common cause contributions of combinations of failures greater than two components and to remain consistent with approaches used in Individual Plant Examinations.

The common cause failure approach and the approach to assess the unavailability of components due to maintenance activities are discussed further in the following paragraphs. The approaches in these two areas have been changed to provide a more representative analysis.

Common Cause Failures

The Multiple Greek Letter (MGL) method was used to determine common cause failure contributions to signal unavailability in this analysis. This does not impact the common cause contributions from the reactor trip breakers, master relays, slave relays, or logic cabinets, since the MGL approach reduces to the Beta Factor approach when considering failures of a two train system. This change does impact the contributions from analog channels since these components require failure of 2 of 3 logic and 2 of 4 logic.

In applying the Beta Factor approach to multiple failures of the reactor trip breakers, master relays, slave relays, and logic cabinets, the following Beta factors were used:

4 4,C i

These are consistent with the values used in WOG TOP.

In applying the MGL approach to the analog channels, the following equations are used:

Failure of 3 of 4 components: $Q \times \beta \times \gamma \times (1-\delta)/3 \times$ no. of common cause cutsets

Failure of 4 of 4 components: $Q \times \beta \times \gamma \times \delta \times$ no. of common cause cutsets

Failure of 2 of 3 components: $Q \times \beta \times (1-\gamma)/2 \times$ no. of common cause cutsets

Failure of 3 of 3 components: $Q \times \beta \times \gamma \times$ no. of common cause cutsets

where: $Q$ - component failure probability

The $\beta$, $\gamma$, and $\delta$ values are for electronic type components.

In determining the common cause contribution of the analog channels it is necessary to determine the detection interval for component failures. Failure of some of the components that comprise the channels will be detected within a shift, while others will only be detected during the channel operability test (monthly for Pre-TOP implementation, and quarterly for TOP implementation and the assumptions currently being assessed). Component failures that can be detected during a shift are those that can be observed by control board scans. These include sensor and loop power supply failures. Component failures that are only detectable by the channel operability test are for comparators, output relays, and signal conditioning circuitry.

Component Unavailability Due to Maintenance Activities

In WOG TOP it was assumed that maintenance activities on the reactor trip breakers, master relays, slave relays, logic cabinets, and analog channels occurred once per year. This is a conservative assumption as discussed in Section 5.2. Section 5.2 established another approach for determining maintenance intervals. This approach is based on the component failure rates for master and slave relays, and for instrumentation (analog channels and logic cabinets) it is based on the response to the survey that 10% of the test activities lead to maintenance activities. The maintenance interval for reactor trip breakers was left at once per year. Using the component failure rate to determine the maintenance unavailability for the master and slave relays results in relatively small component unavailabilities due to maintenance. This is supported by information in References 4 and 5. These reports show that there have been few slave relay failures and that only after a failure is identified is maintenance performed on the relays. Therefore, a small contribution to relay unavailability from maintenance is expected. The following calculations demonstrate the component maintenance unavailability approach.

Logic cabinet unavailability (TOP AOTs)

= 12 hours / activity x 1 activity / 1.5 years x 1 year / 8760 hours = 9.13E-04

where: 1 activity / 1.5 years is from Section 5.2 (where the justification is provided for assuming a maintenance interval of 18 months)

12 hours is the AOT (6 hours) plus 6 hours to enter next specified mode if the component is not returned to service

Analog channel unavailability (TOP AOTs)

= 12 hours / activity x 1 activity / 2 years x 1 year / 8760 hours = 6.85E-04

where: 1 activity / 2 years is from Section 5.2 (where the justification is provided for assuming a maintenance interval of 24 months)

12 hours is the AOT (6 hours) plus 6 hours to enter next specified mode if the component is not returned to service

Slave relay unavailability (TOP AOTs)

= 5.29E-07 failures / hour x 12 hours / failure = 6.35E-06

where: 5.29E-07 is the relay failure rate (Reference 3)

12 hours is the AOT (6 hours) plus 6 hours to enter next specified mode if the component is not returned to service

Master relay unavailability (TOP AOTs)

= 5.29E-07 failures / hour x 12 hours / failure = 6.35E-06

where: 5.29E-07 is the relay failure rate (Reference 3)

12 hours is the AOT (6 hours) plus 6 hours to enter next specified mode if the component is not returned to service

7.2 ASSUMPTIONS

The following presents the key assumptions for developing the fault tree models with regard to test and maintenance activities. Most of these are presented in References 1 and 3, but are repeated here for convenience.

7.2.1 ANALOG CHANNELS

These assumptions are applicable to the analog channels as they are used in both the relay protection systems and solid state protection systems.

1. Analog channel testing and calibration activities are performed in the bypassed state. Not all plants test in bypass, but for those that do this is representative and for those that do not, this is conservative.
2. Simultaneous testing or calibration of more than one analog channel is assumed to occur on a random basis. This is not a standard practice, but simplifies the fault tree models and is conservative.
3. Maintenance of the analog channels is performed in the bypassed state. This represents actual plant practice. Only corrective maintenance is performed at-power.
4. Simultaneous maintenance activities on more than one analog channel is assumed to occur on a random basis.
5. Bypass times for test and calibration activities and allowed outage time for maintenance activities used in the analysis are discussed in Section 5.0.


7.2.2 SOLID STATE PROTECTION SYSTEM

The following assumptions are applicable to the logic cabinets, reactor trip breakers, master relays, and slave relays in a SSPS.

1. Testing of the logic prohibits automatic actuation of the entire associated train. This is consistent with hardware design and is necessary to allow at-power testing. The redundant train remains operable and capable of providing all protective features.
2. Maintenance of the logic cabinets is assumed to prohibit actuation of the entire associated train. This is consistent with actual practice or conservative.
3. Testing of the reactor trip breakers prohibits actuation of the breaker in test. The bypass breaker corresponding to affected breaker is placed into service and will be actuated by the logic cabinet in the unaffected train. This is consistent with actual practice.
4. Maintenance of the reactor trip breakers prohibits actuation of the breaker in maintenance. The bypass breaker corresponding to the affected breaker is placed into service and will be actuated by the logic cabinet in the unaffected train. This is consistent with actual practice.
5. Testing of the master relays prohibits actuation of the entire associated train. This is consistent with the test circuitry provided for the master relays and represents actual practice.
6. Maintenance of the master relays makes the affected master relay and all associated slave relays inoperable. This is consistent with the design of the actuation relays.
7. The ESFAS signal is assumed to be unavailable if the equivalent relays, either master or slaves, in the redundant trains are unavailable. That is, if the relays that actuate the high head safety injection pumps in each train are unavailable, the ESF function is assumed to be unavailable. This is conservative since partial system failures are equated to total system failures. A less conservative approach, while appropriate, would require a significant increase in the complexity of the fault trees.
8. Testing and maintenance of slave relays was modeled assuming that only the affected relay is inoperable. This is consistent with actual practice or conservative. In many cases the test actuates the associated components, therefore, the components remain available. However, in some cases actuation of the components is blocked rendering the components unavailable for automatic actuation. Since the latter test scheme represents the limiting case, it was used for the model.


9. The number of master and slave relays actuated by an ESFAS signal varies from signal to signal and is a function of the number of components required to be actuated. Based on a review of several SSPS plant specific designs, the following is included in the models:

- Safety injection, and Containment Spray and Phase B isolation: two master relays each driving three slave relays
- Steamline Isolation, Main Feedwater isolation, and Auxiliary Feedwater Pump Start: one master relay driving two slave relays

7.2.3 RELAY PROTECTION SYSTEM

The hardware design varies for the relay protection system as discussed in Reference 3. A bounding configuration was identified by a review of several designs. The following assumptions are applicable to the logic cabinets, reactor trip breakers, master relays, and slave relays in a relay protection system.

1. Items 1 to 7 in Section 7.2.2 for the SSPS are applicable to relay protection systems also.
2. Maintenance of the slave relays was modeled assuming that the affected relay is inoperable. This is consistent with the SSPS modeling. Testing of the slave relay was modeled as to prohibit actuation of the entire associated train. This is consistent with practice or conservative.
3. The number of master and slave relays actuated by an ESFAS signal varies from signal to signal and is a function of the number of components required to be actuated. The following is included in the models:

- Safety injection: one master relay driving six slave relays
- Steamline Isolation, and Containment Spray and Phase B isolation: one master relay driving three slave relays
- Auxiliary Feedwater Pump Start and Feedwater Isolation: one master relay directly driving the required components (no slave relays)

7.3 FAULT TREE MODELS

Signal specific fault trees were used for each signal evaluated. These were discussed in Section 6.0 and are listed on Table 6.1. Most of the fault trees used in this analysis came directly from References 1, 2 or 3, but several were developed specifically for this analysis. The fault trees required to be developed were for signals that credited operator action to initiate reactor trip or safety injection. These included: 1) safety injection with the SSPS and 2 of 3 or 2 of 4 channel logic, 2) reactor trip with the SSPS and 2 of 3 or 2 of 4 channel logic, and 3) reactor trip with the SSPS and diverse actuation signals. It was also necessary to develop the fault tree for reactor trip with the SSPS and diverse actuation signal without operator action.

The fault trees for safety injection and reactor trip with 2 of 3 or 2 of 4 channel logic and operator action were simply developed by adding an operator action under an "and" gate with the automatic signal generated by the SSPS. The reactor trip tree with diverse actuation signals was developed by adding a second set of logic and analog channel components under an "and" with the first set of logic and analog channel components. The reactor trip fault tree with diverse actuation signals and operator action was developed by adding an operator action under an "and" gate with the diverse actuation signals. A human error probability of 0.01 was used for these actions. This is consistent with the values used for identical operator actions in several IPEs. The fault trees developed for WOG TOP formed the basis for these newly developed trees. All the fault trees used in this analysis are included in Appendix D.

The fault trees were quantified with the WesSAGE Computer Code (Reference 6). WesSAGE is a software tool used to develop and quantify fault trees. The output of the code provides the mean probability of failure and cutsets for the requested gate(s). The gates of interest were typically the top gate, safety function unavailable, and the gate corresponding to the signal generated by the logic cabinet.

7.4 RESULTS OF THE SIGNAL UNAVAILABILITY ANALYSIS

The signal unavailabilities for the representative safety injection and auxiliary feedwater pump start functions are provided on Tables 7.1 and 7.2 for the solid state and relay protection systems, respectively. The signal unavailabilities for the representative reactor trip function are provided on Tables 7.3 and 7.4 for the solid state and relay protection systems, respectively. On these tables, unavailability values, with and without common cause contributions, are given for the Pre-TOP, TOP, and Proposed cases for failure of the signal given both trains are supported and given only a single train is supported. The AOTs, bypass times or test times, surveillance test intervals, and maintenance intervals that correspond to these three cases are provided on Tables 5.1 and 5.2 for the SSPS and relay protection system, respectively. As discussed in Section 6.0, the following representative signals were used in the unavailability evaluation:

Solid State Protection System:

1. Safety injection on pressurizer pressure low interlocked with P-11: representative of the safety injection, and the containment spray and phase B isolation signals.
2. Auxiliary feedwater pump start on steam generator level low-low in one loop: representative of the auxiliary feedwater pump start, steamline isolation, and main feedwater isolation signals.
3. Reactor trip on pressurizer pressure high: representative of all single source reactor trip signals.
4. Reactor trip on pressurizer pressure high or overtemperature delta T: representative of all diverse source signals.


Table 7.1 Summary of Safety Injection and Auxiliary Feedwater Pump Start Signal Unavailabilities - Solid State Protection System

| Signal | Pre-TOP | TOP | Proposed |
|---|---|---|---|
| SI - 2/4 logic, w/CCF | 1.18E-03 | 1.40E-03 | 1.43E-03 |
| SI - 2/4 logic, w/o CCF | 1.52E-04 | 2.38E-04 | 2.73E-04 |
| SI - 2/4 logic w/OA, w/CCF | 6.88E-04 | 7.36E-04 | 7.42E-04 |
| SI - 2/4 logic w/OA, w/o CCF | 4.72E-05 | 9.41E-05 | 1.00E-04 |
| SI - 2/4 logic, 1 train, w/CCF | 2.15E-02 | 2.75E-02 | 2.89E-02 |
| SI - 2/4 logic, 1 train, w/o CCF | 2.14E-02 | 2.73E-02 | 2.87E-02 |
| SI - 2/4 logic, 1 train w/OA, w/CCF | 1.84E-02 | 2.42E-02 | 2.57E-02 |
| SI - 2/4 logic, 1 train w/OA, w/o CCF | 1.84E-02 | 2.42E-02 | 2.57E-02 |
| SI - 2/3 logic, w/CCF | 1.47E-03 | 2.24E-03 | 2.92E-03 |
| SI - 2/3 logic, w/o CCF | 2.64E-04 | 5.57E-04 | 1.23E-03 |
| SI - 2/3 logic w/OA, w/CCF | 6.91E-04 | 7.45E-04 | 7.57E-04 |
| SI - 2/3 logic w/OA, w/o CCF | 4.83E-05 | 9.73E-05 | 1.10E-04 |
| SI - 2/3 logic, 1 train, w/CCF | 2.18E-02 | 2.83E-02 | 3.04E-02 |
| SI - 2/3 logic, 1 train, w/o CCF | 2.15E-02 | 2.76E-02 | 2.97E-02 |
| SI - 2/3 logic, 1 train w/OA, w/CCF | 1.84E-02 | 2.42E-02 | 2.57E-02 |
| SI - 2/3 logic, 1 train w/OA, w/o CCF | 1.84E-02 | 2.42E-02 | 2.57E-02 |
| AFWPS - 2/4 logic, w/CCF | 5.91E-04 | 7.01E-04 | 7.24E-04 |
| AFWPS - 2/4 logic, w/o CCF | 5.98E-05 | 9.57E-05 | 1.19E-04 |
| AFWPS - 2/4 logic, 1 train, w/CCF | 1.00E-02 | 1.43E-02 | 1.57E-02 |
| AFWPS - 2/4 logic, 1 train, w/o CCF | 1.00E-02 | 1.42E-02 | 1.56E-02 |
| AFWPS - 2/3 logic, w/CCF | 7.64E-04 | 1.14E-03 | 1.66E-03 |
| AFWPS - 2/3 logic, w/o CCF | 1.36E-04 | 2.50E-04 | 7.72E-04 |
| AFWPS - 2/3 logic, 1 train, w/CCF | 1.02E-02 | 1.47E-02 | 1.66E-02 |
| AFWPS - 2/3 logic, 1 train, w/o CCF | 1.01E-02 | 1.45E-02 | 1.64E-02 |

SI: Safety Injection
AFWPS: Auxiliary Feedwater Pump Start
CCF: Common Cause Failures
OA: Operator Action

Table 7.2 Summary of Safety Injection and Auxiliary Feedwater Pump Start Signal Unavailabilities - Relay Protection System

| Signal | Pre-TOP | TOP | Proposed |
|---|---|---|---|
| SI - 2/4 logic, w/CCF | 7.12E-04 | 9.84E-04 | 1.02E-03 |
| SI - 2/4 logic, w/o CCF | 8.96E-05 | 2.23E-04 | 2.55E-04 |
| SI - 2/3 logic, w/CCF | 1.00E-03 | 1.82E-03 | 2.49E-03 |
| SI - 2/3 logic, w/o CCF | 2.01E-04 | 5.39E-04 | 1.20E-03 |
| AFWPS - 2/4 logic, w/CCF | 7.19E-05 | 1.51E-04 | 1.61E-04 |
| AFWPS - 2/4 logic, w/o CCF | 3.87E-06 | 8.70E-06 | 1.88E-05 |
| AFWPS - 2/3 logic, w/CCF | 2.45E-04 | 5.85E-04 | 1.09E-03 |
| AFWPS - 2/3 logic, w/o CCF | 8.00E-05 | 1.62E-04 | 6.65E-04 |

SI: Safety Injection
AFWPS: Auxiliary Feedwater Pump Start
CCF: Common Cause Failures

Table 7.3 Summary of Reactor Trip Signal Unavailabilities - Solid State Protection System

| Signal | Pre-TOP | TOP | Proposed |
|---|---|---|---|
| RT - 2/4 logic, w/CCF | 1.20E-04 | 1.99E-04 | 2.13E-04 |
| RT - 2/4 logic, w/o CCF | 6.47E-06 | 1.10E-05 | 2.47E-05 |
| RT - 2/4 logic w/OA, w/CCF | 1.79E-05 | 1.93E-05 | 1.98E-05 |
| RT - 2/4 logic w/OA, w/o CCF | 9.06E-07 | 1.59E-06 | 2.08E-06 |
| RT - 2/3 logic, w/CCF | 2.94E-04 | 6.34E-04 | 1.14E-03 |
| RT - 2/3 logic, w/o CCF | 8.31E-05 | 1.65E-04 | 6.68E-04 |
| RT - 2/3 logic w/OA, w/CCF | 1.96E-05 | 2.37E-05 | 2.91E-05 |
| RT - 2/3 logic w/OA, w/o CCF | 1.67E-06 | 3.13E-06 | 8.61E-06 |
| RT - diverse signals, w/CCF | 3.01E-05 | 3.13E-05 | 3.23E-05 |
| RT - diverse signals, w/o CCF | 1.19E-06 | 2.42E-06 | 3.37E-06 |
| RT - diverse signals w/OA, w/CCF | 1.70E-05 | 1.76E-05 | 1.80E-05 |
| RT - diverse signals w/OA, w/o CCF | 8.72E-07 | 1.52E-06 | 1.89E-06 |

RT: Reactor Trip
CCF: Common Cause Failures
OA: Operator Action

Table 7.4 Summary of Reactor Trip Signal Unavailabilities - Relay Protection System

| Signal | Pre-TOP | TOP | Proposed |
|---|---|---|---|
| RT - 2/4 logic, w/CCF | 7.78E-05 | 1.57E-04 | 1.69E-04 |
| RT - 2/4 logic, w/o CCF | 4.01E-06 | 8.87E-06 | 2.16E-05 |
| RT - 2/3 logic, w/CCF | 2.51E-04 | 5.91E-04 | 1.09E-03 |
| RT - 2/3 logic, w/o CCF | 8.02E-05 | 1.62E-04 | 6.65E-04 |
| RT - diverse signals, w/CCF | 2.29E-05 | 2.73E-05 | 2.89E-05 |
| RT - diverse signals, w/o CCF | 3.65E-06 | 8.10E-06 | 9.70E-06 |

RT: Reactor Trip
CCF: Common Cause Failures

Relay Protection System:

1. Safety injection signal: representative of the safety injection signal.
2. Auxiliary feedwater pump start signal: representative of the auxiliary feedwater pump start signal and the main feedwater isolation signal.
3. The signal unavailability results for steamline isolation, containment spray and containment isolation signals fall between the results for the safety injection and auxiliary feedwater pump start signals, so they were not specifically evaluated. It will be conservatively assumed that the representative safety injection signal represents these signals also.
4. Reactor trip on pressurizer pressure high: representative of all single source reactor trip signals.
5. Reactor trip on pressurizer pressure high or overtemperature delta T: representative of all diverse source signals.

From Tables 7.1 through 7.4, the following general conclusions are reached. Several of these conclusions were previously provided in Reference 3.

1. The unavailabilities of engineered safety features actuation signals and the reactor trip actuation signals with 2 of 4 logic are lower than those corresponding signals with 2 of 3 logic.
2. The unavailabilities of engineered safety features and the reactor trip actuation signals with credit for an alternate actuation by operator action are lower than those corresponding signals without the operator action.
3. Common cause failure contributions account for a considerable part of the total signal unavailability.
4. The increase in signal unavailability, with common cause failure contributions included, from the TOP Case to the Proposed Case is significantly less than the increase from the Pre-TOP Case to the TOP Case.
5. The signal unavailabilities and changes in signal unavailabilities between the three cases for the relay protection system are comparable to or less than the corresponding solid state protection system signals.
6. The unavailabilities for the auxiliary feedwater pump start signal are lower than the unavailabilities of the safety injection signal (without operator action). As seen in the discussion below, this is primarily due to the number of master and slave relays modeled in each of these signals.

Tables 7.5 through 7.11 provide a breakdown of the signal unavailability by contributors. The contributors, or components, listed separately are the 1) random failures, test, and maintenance of the relays (masters and slaves) and logic cabinets, 2) random failures, test, and maintenance of the analog channels, 3) common cause failures of the slave relays, 4) common cause failures of the master relays, 5) common cause failures of the logic cabinets, and 6) common cause failures of the analog channels. This information is primarily provided only for signals generated by the SSPS with 2 of 4 logic. In addition to the signal unavailability, the percent contribution for each contributor to the total signal unavailability is provided.

From this information it is concluded that the contribution, or importance, of the analog channels and logic cabinets is significantly reduced when an operator action to actuate the protective feature is included in the model. The reason for this is that the operator action provides an alternate path, separate from the analog channels and logic cabinets, to actuate the master and slave relays or the reactor trip breakers. This is evident by comparing the results provided on Table 7.5 with those on Table 7.6 for safety injection signals and by comparing the results provided on Table 7.8 with those on Table 7.9 for the reactor trip feature. It is also concluded from this information that when diversity of signals to generate a reactor trip is considered, again the contribution, or importance, of the analog channels and logic cabinets is significantly reduced. This is related to the additional analog channels or logic trains that need to fail for the signal to fail. This is evident from a comparison of the results provided on Table 7.8 with those on Table 7.10. It is further concluded that when diversity of signals to generate a reactor trip is considered along with an operator action to generate the same trip, the components of primary importance are the reactor trip breakers. In this case multiple analog channels or logic trains need to fail in addition to the operator action, and since the operator action, for the most part, is a backup to the logic cabinets and analog channels, these components are reduced to small contributors to signal unavailability. This can be seen by reviewing the results provided on Table 7.11 and comparing them with the results on Tables 7.8, 7.9, and 7.10.

It is also concluded from these tables that the primary difference between the unavailability of the safety injection signal and the auxiliary feedwater pump start signal is related to the number of master and slave relays required for success of the protective feature. As noted in Section 6.1, the safety injection function includes two master relays per train with each master actuating three slave relays and the auxiliary feedwater pump start signal includes one master relay per train actuating two slave relays. Due to the additional master and slave relays required for the safety injection signal, there are more component failure combinations that will lead to failure of the signal. This can be seen from a comparison between the contributor breakdown provided on Table 7.5 for the safety injection signal and the breakdown provided on Table 7.7 for the auxiliary feedwater pump start signal. In particular, this is illustrated by a comparison of the common cause contributions for the master and slave relays.

Similar conclusions would apply if the detailed signal unavailability contributors were provided for signals generated from 2 of 3 logic or from relay protection systems. These conclusions are independent of the type of logic cabinet and analog channel logic.
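The operator-action effect described above can be checked against the report's own numbers. The following Python sketch is an added example, not part of the WCAP report or the WesSAGE models: it takes the contributor values printed in Tables 7.5 and 7.6 and the 0.01 human error probability from Section 7.3, and treats the "and" gate as a 0.01 multiplier on the analog channel and logic cabinet contributors (a rare-event reading of the tables, which is this example's assumption). The "relays and logic cabinets" row mixes backed-up and non-backed-up components, so it is taken from each table rather than derived.

```python
"""Added example: derive the Table 7.6 totals from Table 7.5 contributors."""

HEP = 0.01  # human error probability for manual actuation (Section 7.3)
CASES = ("Pre-TOP", "TOP", "Proposed")

# Table 7.5 (SSPS safety injection, 2/4 logic, no operator action).
# Entry: (backed_up_by_operator, (Pre-TOP, TOP, Proposed)).
# backed_up=True means the contributor sits only on the automatic path,
# so manual actuation is an alternate path around it.
AUTO = {
    "analog channels (random, test, maint.)": (True, (9.21e-07, 4.50e-06, 2.37e-05)),
    "slave relays (CCF)": (False, (5.21e-04, 5.21e-04, 5.21e-04)),
    "master relays (CCF)": (False, (1.16e-04, 1.16e-04, 1.16e-04)),
    "logic cabinets (CCF)": (True, (3.15e-04, 3.15e-04, 3.15e-04)),
    "analog channels (CCF)": (True, (7.16e-05, 2.10e-04, 2.10e-04)),
}

# "Relays and logic cabinets (random, test, maint.)" cannot be split from the
# printed tables, so each table's own value is used.
MIXED_AUTO = (1.51e-04, 2.33e-04, 2.49e-04)     # Table 7.5
MIXED_WITH_OA = (4.72e-05, 9.41e-05, 1.00e-04)  # Table 7.6

# Totals printed on Table 7.6 (also the "w/OA, w/CCF" row of Table 7.1).
PRINTED_TOTAL_WITH_OA = (6.88e-04, 7.36e-04, 7.42e-04)


def with_operator_action(contributors, hep=HEP):
    """AND the operator failure with every backed-up contributor.

    Under the rare-event approximation a cutset probability q that is
    ANDed with an independent operator failure becomes q * hep.
    """
    return {
        name: (backed_up, tuple(q * hep if backed_up else q for q in values))
        for name, (backed_up, values) in contributors.items()
    }


def total(contributors, mixed_row, case):
    """Signal unavailability for one case: sum of all contributor rows."""
    i = CASES.index(case)
    return mixed_row[i] + sum(values[i] for _, values in contributors.values())


def backed_up_share(contributors, mixed_row, case):
    """Fraction of the total that comes from the separable backed-up rows.

    The mixed row is left out of the numerator, so this is a lower bound
    on the analog channel plus logic cabinet share.
    """
    i = CASES.index(case)
    backed = sum(v[i] for is_backed, v in contributors.values() if is_backed)
    return backed / total(contributors, mixed_row, case)


def matches_printed(value, printed):
    """Compare at the three significant figures the report prints."""
    return f"{value:.2e}" == f"{printed:.2e}"


WITH_OA = with_operator_action(AUTO)


def report():
    """Return one summary line per case."""
    lines = []
    for case, printed in zip(CASES, PRINTED_TOTAL_WITH_OA):
        derived = total(WITH_OA, MIXED_WITH_OA, case)
        before = backed_up_share(AUTO, MIXED_AUTO, case)
        after = backed_up_share(WITH_OA, MIXED_WITH_OA, case)
        lines.append(
            f"{case}: derived {derived:.2e}, printed {printed:.2e}, "
            f"backed-up share {before:.1%} -> {after:.1%}"
        )
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

With the operator action credited, the slave and master relay common cause terms are untouched and dominate the total, which is the shift in importance the paragraph above describes.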


Table 7.5 Breakdown of Signal Unavailability Contributors
SSPS Safety Injection: Pressurizer Pressure Low (2/4) Interlocked with P-11

| Contributor | Pre-TOP Case Unavailability | Pre-TOP Case Percent | TOP Case Unavailability | TOP Case Percent | Proposed Case Unavailability | Proposed Case Percent |
|---|---|---|---|---|---|---|
| Random failures, test, and maint. | | | | | | |
| - Relays and logic cabinets | 1.51E-04 | 12.8 | 2.33E-04 | 16.6 | 2.49E-04 | 17.4 |
| - Analog channels | 9.21E-07 | 0.1 | 4.50E-06 | 0.3 | 2.37E-05 | 1.6 |
| - Subtotal | 1.52E-04 | 12.9 | 2.38E-04 | 16.9 | 2.73E-04 | 19.0 |
| Common cause failures | | | | | | |
| - Slave relays | 5.21E-04 | 44.3 | 5.21E-04 | 37.2 | 5.21E-04 | 36.3 |
| - Master relays | 1.16E-04 | 9.9 | 1.16E-04 | 8.3 | 1.16E-04 | 8.1 |
| - Logic cabinets | 3.15E-04 | 26.8 | 3.15E-04 | 22.5 | 3.15E-04 | 22.0 |
| - Analog channels | 7.16E-05 | 6.1 | 2.10E-04 | 15.0 | 2.10E-04 | 14.7 |
| - Subtotal | 1.02E-03 | 86.8 | 1.16E-03 | 83.0 | 1.16E-03 | 81.1 |
| Total | 1.18E-03 | (1) | 1.40E-03 | (1) | 1.43E-03 | (1) |

Notes: 1 - The total may not equal 100% due to round off.


Table 7.6 Breakdown of Signal Unavailability Contributors
SSPS Safety Injection: Pressurizer Pressure Low (2/4) Interlocked with P-11 with Operator Action

| Contributor | Pre-TOP Case Unavailability | Pre-TOP Case Percent | TOP Case Unavailability | TOP Case Percent | Proposed Case Unavailability | Proposed Case Percent |
|---|---|---|---|---|---|---|
| Random failures, test, and maint. | | | | | | |
| - Relays and logic cabinets | 4.72E-05 | 6.9 | 9.41E-05 | 12.8 | 1.00E-04 | 13.5 |
| - Analog channels | 9.21E-09 | 0.0 | 4.50E-08 | 0.0 | 2.37E-07 | 0.0 |
| - Subtotal | 4.72E-05 | 6.9 | 9.41E-05 | 12.8 | 1.00E-04 | 13.5 |
| Common cause failures | | | | | | |
| - Slave relays | 5.21E-04 | 75.7 | 5.21E-04 | 70.8 | 5.21E-04 | 70.2 |
| - Master relays | 1.16E-04 | 16.9 | 1.16E-04 | 15.8 | 1.16E-04 | 15.6 |
| - Logic cabinets | 3.15E-06 | 0.5 | 3.15E-06 | 0.4 | 3.15E-06 | 0.4 |
| - Analog channels | 7.16E-07 | 0.1 | 2.10E-06 | 0.3 | 2.10E-06 | 0.3 |
| - Subtotal | 6.41E-04 | 93.2 | 6.42E-04 | 87.3 | 6.42E-04 | 86.5 |
| Total | 6.88E-04 | (1) | 7.36E-04 | (1) | 7.42E-04 | (1) |

Notes: 1 - The total may not equal 100% due to round off.


Table 7.7 Breakdown of Signal Unavailability Contributors
SSPS Auxiliary Feedwater Pump Start: Steam Generator Level Low-Low in One Loop (2/4)

| Contributor | Pre-TOP Case Unavailability | Pre-TOP Case Percent | TOP Case Unavailability | TOP Case Percent | Proposed Case Unavailability | Proposed Case Percent |
|---|---|---|---|---|---|---|
| Random failures, test, and maint. | | | | | | |
| - Relays and logic cabinets | 5.93E-05 | 10.0 | 9.42E-05 | 13.4 | 1.06E-04 | 14.6 |
| - Analog channels | 5.21E-07 | 0.1 | 1.49E-06 | 0.2 | 1.32E-05 | 1.8 |
| - Subtotal | 5.98E-05 | 10.1 | 9.57E-05 | 13.6 | 1.19E-04 | 16.4 |
| Common cause failures | | | | | | |
| - Slave relays | 1.74E-04 | 29.5 | 1.74E-04 | 24.8 | 1.74E-04 | 24.0 |
| - Master relays | 5.79E-05 | 9.8 | 5.79E-05 | 8.3 | 5.79E-05 | 8.0 |
| - Logic cabinets | 2.60E-04 | 44.0 | 2.60E-04 | 37.1 | 2.60E-04 | 35.9 |
| - Analog channels | 3.90E-05 | 6.6 | 1.13E-04 | 16.1 | 1.13E-04 | 15.6 |
| - Subtotal | 5.31E-04 | 89.9 | 6.05E-04 | 86.3 | 6.05E-04 | 83.5 |
| Total | 5.91E-04 | (1) | 7.01E-04 | (1) | 7.24E-04 | (1) |

Notes: 1 - The total may not equal 100% due to round off.


Table 7.8 Breakdown of Signal Unavailability Contributors
SSPS Reactor Trip: Pressurizer Pressure High (2/4)

| Contributor | Pre-TOP Case Unavailability | Pre-TOP Case Percent | TOP Case Unavailability | TOP Case Percent | Proposed Case Unavailability | Proposed Case Percent |
|---|---|---|---|---|---|---|
| Random failures, test, and maint. | | | | | | |
| - Trip breakers and logic cabinets | 5.95E-06 | 4.9 | 9.51E-06 | 4.8 | 1.15E-05 | 5.4 |
| - Analog channels | 5.21E-07 | 0.4 | 1.49E-06 | 0.7 | 1.32E-05 | 6.2 |
| - Subtotal | 6.47E-06 | 5.3 | 1.10E-05 | 5.5 | 2.47E-05 | 11.6 |
| Common cause failures | | | | | | |
| - Trip breakers | 1.60E-05 | 13.3 | 1.60E-05 | 8.0 | 1.60E-05 | 7.5 |
| - Logic cabinets | 5.90E-05 | 49.0 | 5.90E-05 | 29.6 | 5.90E-05 | 27.7 |
| - Analog cabinets | 3.90E-05 | 32.4 | 1.13E-04 | 56.8 | 1.13E-04 | 53.1 |
| - Subtotal | 1.14E-04 | 94.7 | 1.88E-04 | 94.4 | 1.88E-04 | 88.3 |
| Total | 1.20E-04 | (1) | 1.99E-04 | (1) | 2.13E-04 | (1) |

Notes: 1 - The total may not equal 100% due to round off.

__ - - _ _ - _ _ - - _ - - - - - __--------_----------------------------------------=M

Table 7.9

Breakdown of Signal Unavailability Contributors

SSPS Reactor Trip: Pressurizer Pressure High (2/4) with Operator Action

| Contributor | Pre-TOP Case Unavailability | Pre-TOP Case Percent | TOP Case Unavailability | TOP Case Percent | Proposed Case Unavailability | Proposed Case Percent |
|---|---|---|---|---|---|---|
| Random failures, test, and maint. | | | | | | |
| - Trip breakers and logic cabinets | 9.01E-07 | 5.0 | 1.58E-06 | 8.2 | 1.95E-06 | 9.8 |
| - Analog channels | 5.21E-09 | 0.0 | 1.49E-08 | 0.1 | 1.32E-07 | 0.7 |
| - Subtotal | 9.06E-07 | 5.0 | 1.59E-06 | 8.3 | 2.08E-06 | 10.5 |
| Common cause failures | | | | | | |
| - Trip breakers | 1.60E-05 | 89.5 | 1.60E-05 | 82.8 | 1.60E | 80.8 |
| - Logic cabinets | 5.90E-07 | 3.3 | 5.90E-07 | 3.1 | 5.90E-07 | 3.0 |
| - Analog cabinets | 3.90E-07 | 2.2 | 1.13E-06 | 5.9 | 1.13E | 5.7 |
| - Subtotal | 1.70E-05 | 95.0 | 1.77E-05 | 91.8 | 1.77E-05 | 89.5 |
| Total | 1.79E-05 | (1) | 1.93E | (1) | 1.98E-05 | (1) |

Notes: 1 - The total may not equal 100% due to round off.

Table 7.10

Breakdown of Signal Unavailability Contributors

SSPS Reactor Trip: Pressurizer Pressure High (2/3) or Overtemperature Delta T (2/4)

| Contributor | Pre-TOP Case Unavailability | Pre-TOP Case Percent | TOP Case Unavailability | TOP Case Percent | Proposed Case Unavailability | Proposed Case Percent |
|---|---|---|---|---|---|---|
| Random failures, test, and maint. | | | | | | |
| - Trip breakers and logic cabinets | 1.13E-06 | 3.8 | 1.92E-06 | 6.1 | 2.36E-06 | 7.3 |
| - Analog channels | 2.19E-08 | 0.1 | 1.81E-07 | 0.6 | 6.96E-07 | 2.1 |
| - Subtotal | 1.15E-06 | 3.9 | 2.10E-06 | 6.7 | 3.06E-06 | 9.4 |
| Common cause failures | | | | | | |
| - Trip breakers | 1.60E-05 | 53.2 | 1.60E-05 | 51.1 | 1.60E-05 | 49.6 |
| - Logic cabinets | 1.29E-05 | 42.9 | 1.29E-05 | 41.2 | 1.29E-05 | 40.0 |
| - Analog cabinets | 3.67E-08 | 0.1 | 3.15E-07 | 1.0 | 3.15E-07 | 1.0 |
| - Subtotal | 2.89E-05 | 96.2 | 2.92E-05 | 93.3 | 2.92E-05 | 90.6 |
| Total | 3.01E-05 | (1) | 3.13E-05 | (1) | 3.23E-05 | (1) |

Notes: 1 - The total may not equal 100% due to round off.

Table 7.11

Breakdown of Signal Unavailability Contributors

SSPS Reactor Trip: Pressurizer Pressure High (2/3) or Overtemperature Delta T (2/4) with Operator Action

| Contributor | Pre-TOP Case Unavailability | Pre-TOP Case Percent | TOP Case Unavailability | TOP Case Percent | Proposed Case Unavailability | Proposed Case Percent |
|---|---|---|---|---|---|---|
| Random failures, test, and maint. | | | | | | |
| - Trip breakers and logic cabinets | 8.72E-07 | 5.1 | 1.52E-06 | 8.6 | 1.88E-06 | 10.4 |
| - Analog channels | 2.19E-10 | 0.0 | 1.81E-09 | 0.0 | 6.96E-09 | 0.0 |
| - Subtotal | 8.72E-07 | 5.1 | 1.52E-06 | 8.6 | 1.89E-06 | 10.4 |
| Common cause failures | | | | | | |
| - Trip breakers | 1.60E-05 | 94.1 | 1.60E-05 | 90.7 | 1.60E-05 | 88.8 |
| - Logic cabinets | 1.29E-07 | 0.8 | 1.29E-07 | 0.7 | 1.29E-07 | 0.7 |
| - Analog cabinets | 3.67E-10 | 0.0 | 3.15E-09 | 0.0 | 3.15E-09 | 0.0 |
| - Subtotal | 1.61E-05 | 94.9 | 1.61E-05 | 91.4 | 1.61E-05 | 89.5 |
| Total | 1.70E-05 | (1) | 1.76E-05 | (1) | 1.80E-05 | (1) |

Notes: 1 - The total may not equal 100% due to round off.

The conclusions regarding diversity of signals and operator action backup to initiate the protective function are important when assessing the impact of the changes in the signal unavailability on plant safety. It is important to realize that all of the reactor trip signals are backed up by either a diverse signal or an operator action, and in many cases by both. This is also true for engineered safety features actuation signals. Many of these signals, dependent on the specific event being considered, can be generated by diverse sources or by operator actions. This is further discussed in Section 8.

The cutsets leading to failure of the signal for a sample of safety injection, auxiliary feedwater pump start, and reactor trip signals are provided in Tables 7.12, 7.13, and 7.14. Table 7.15 provides a key to the basic event identifiers used in these tables. These identifiers correspond to those in the fault trees in Appendix D. The cutsets provided for the safety injection signal are for pressurizer pressure low with 2/4 logic interlocked with P-11. The cutsets provided for the auxiliary feedwater pump start signal are for steam generator level low-low in one loop with 2/4 logic. The cutsets provided for the reactor trip signal are for pressurizer pressure high with 2/4 logic. These cutsets represent more than 90% of the total signal unavailability in each case. It is seen from these tables that failure of the master relays, slave relays, logic cabinets, and analog channels by common cause are the major contributors to signal unavailability.

Based on the results of the unavailability analysis it is concluded that the Technical Specification changes being considered in this assessment have a minor impact on the availability of the reactor trip and engineered safety features actuation signals. This is particularly evident for functions that are backed by either diverse actuation signals or operator actions. It is further concluded that the impact of the changes on signal unavailability for the SSPS can be used to represent the impact of the changes on signals generated by the relay protection system. This is based on a review and comparison of the signal unavailability results for the relay protection system with the results for the SSPS. Such a comparison indicates that the change or difference in unavailability values from the Pre-TOP Case to the TOP Case and from the TOP Case to the Proposed Case are nearly the same for both types of protection systems. In addition, the signal unavailability values for the relay protection system are consistently smaller than those for the SSPS. Based on this, it is concluded that the SSPS results are representative of the relay protection system results.

7.5 TECHNICAL SPECIFICATION CHANGES FOR SLAVE RELAYS

Current Technical Specifications with TOP implementation require a plant shutdown if the slave relay is not returned to service after the 6 hour AOT for maintenance (6 hour AOT plus 6 additional hours for the mode change). It is proposed that this AOT be increased to 24 hours (24 hour AOT plus 6 additional hours for the mode change) in this current study. The failure, or unavailability, of a slave relay will disable a portion of an automatic actuation of one train of a safety function. Typically, it will not disable the complete function of the train.

Table 7.12

Dominant Cutsets for Signal Failure - Proposed Case

SSPS Safety Injection: Pressurizer Pressure Low (2/4) Interlocked with P-11

1. 5.21E-04 CCF: SLAVE RELAYS
2. 3.15E-04 CCF: LOGIC CABINETS
3. 2.10E CCF: ANALOG CHANNELS
4. 1.16E-04 CCF: MASTER RELAYS
5. 1.44E-05 SSPSB -TAT TBT
6. 1.44E-05 SSPS1 TAT -TBT
7. 9.45E-06 MRDM -MRFM TAT TBT
8. 9.45E-06 MRCM -MREM TAT TBT
9. 9.45E-06 -MRDM MRFM -TAT -TBT
10. 9.45E-06 -MRCM MREM TAT -TBT
11. 5.93E-06 AC1 AC2 AC3
12. 5.93E-06 AC1 AC2 AC4
13. 5.93E AC1 AC3 AC4
14. 5.93E AC2 AC3 AC4
15. 3.52E-06 SRD3MB TAT TBT
16. 3.52E-06 SRD2MB -TAT TBT
17. 3.52E-06 SRD1MB -TAT TBT
18. 3.52E-06 SRC3MB -TAT TBT
19. 3.52E SRC2MB -TAT TBT
20. 3.52E-06 SRC1MB -TAT TBT
21. 3.52E-06 SRF3MB TAT TBT
22. 3.52E-06 SRF2MB TAT -TBT
23. 3.52E-06 SRF1MB TAT -TBT
24. 3.52E-06 SRE3MB TAT TBT
25. 3.52E-06 SRE2MB TAT -TBT
26. 3.52E-06 SRE1MB TAT TBT
27. 3.23E-06 SSPSB -SRD3T SRF3T
28. 3.23E-06 SSPS1 SRD3T -SRF3T
29. 3.23E-06 SSPSB -SRD2T SRF2T
30. 3.23E-06 SSPS1 SRD2T -SRF2T
31. 3.23E-06 SSPSB -SRD1T SRF1T
32. 3.23E-06 SSPS1 SRD1T -SRF1T
33. 3.23E-06 SSPSB SRC3T SRE3T
34. 3.23E-06 SSPS1 SRC3T -SRE3T
35. 3.23E-06 SSPSB SRC2T SRE2T
36. 3.23E-06 SSPS1 SRC2T -SRE2T
37. 3.23E-06 -SRC1T SSPSB SRE1T
38. 3.23E-06 SRC1T -SRE1T SSPS1
39. 3.13E-06 SSPSB SSPS1
40. 2.35E-06 MRDMB -TAT TBT
41. 2.35E-06 MRCMB TAT TBT
42. 2.35E-06 MRFMB TAT -TBT
43. 2.35E-06 MREMB TAT TBT

See Table 7.15 for descriptions of basic event identifiers.

Table 7.13

Dominant Cutsets for Signal Failure - Proposed Case

SSPS Auxiliary FW Pump Start: Steam Generator Level Low-Low in One Loop (2/4)

1. 2.60E-04 CCF: LOGIC CABINETS
2. 1.74E-04 CCF: SLAVE RELAYS
3. 1.13E-04 CCF: ANALOG CHANNELS
4. 5.79E CCF: MASTER RELAYS
5. 1.25E-05 -MRCM -MRDM -TAT TBT
6. 1.25E-05 -MRCM MRDM TAT TBT
7. 6.59E-06 SSPS TAT TBT
8. 6.59E SSPSB TAT -TBT
9. 4.19E-06 MRCM -MRDM -SRC2T SRD2T
10. 4.19E-06 -MRCM MRDM SRC2T -SRD2T
11. 4.19E-06 -SRC1T MRCM SRD1T -MRDM
12. 4.19E-06 SRC1T MRCM SRD1T MRDM
13. 3.31E-06 AC1 AC2 AC3
14. 3.31E-06 AC1 AC2 AC4
15. 3.31E-06 AC1 AC3 AC4
16. 3.31E-06 AC2 AC3 AC4
17. 2.78E-06 -MRCM -SSPS MRDM
18. 2.78E-06 MRCM MRDM SSPSB
19. 2.35E-06 SRC1MB -TAT TBT
20. 2.35E-06 SRC2MB -TAT TBT
21. 2.35E-06 SRD2MB TAT -TBT
22. 2.35E-06 SRD1MB TAT -TBT
23. 2.21E-06 SSPS -SRC2T SRD2T
24. 2.21E-06 SSPSB SRC2T SRD2T
25. 2.21E-06 -SRC1T SSPS SRD1T
26. 2.21E-06 SRC1T SRD1T SSPSB
27. 1.57E MRCMB -TAT TBT
28. 1.57E-06 MRDMB TAT TBT
29. 1.46E-06 SSPS SSPSB
30. 9.91E-07 MRCM -MRDM SRD2MB
31. 9.91E-07 MRCM MRDM SRC2MB
32. 9.91E-07 MRCM SRD1MB -MRDM
33. 9.91E-07 SRC1MB -MRCM MRDM
34. 7.89E-07 SRC2T SRD2MB -SRD2T
35. 7.89E-07 SRC2MB SRC2T SRD2T
36. 7.89E-07 SRC1T SRD1MB SRD1T
37. 7.89E-07 SRC1MB -SRC1T SRD1T

See Table 7.15 for descriptions of basic event identifiers.

Table 7.14

Dominant Cutsets for Signal Failure - Proposed Case

SSPS Reactor Trip: Pressurizer Pressure High (2/4)

1. 1.13E-04 CCF: ANALOG CHANNELS
2. 5.90E-05 CCF: LOGIC CABINETS
3. 1.60E-05 CCF: REACTOR TRIP BREAKERS
4. 3.31E-06 Bl456 Bl457 Bl458
5. 3.31E-06 Bl455 Bl457 Bl458
6. 3.31E-06 Bl455 Bl456 Bl458
7. 3.31E-06 Bl455 Bl456 Bl457
8. 5.88E-07 -TBT -TBM 8MZ4 TAT
9. 5.88E-07 -TBT -TBM 815DC -TAT
10. 5.88E-07 TBT -TAT -TAM 88MZ4
11. 5.88E-07 -TBT -TAT TAM 8815DC
12. 4.25E-07 -TBT -TBM 8MZ4 TAM
13. 4.25E-07 -TBT -TBM 815DC TAM
14. 4.25E-07 TBM -TAT -TAM 88MZ4
15. 4.25E-07 TBM TAT TAM 8815DC
16. 2.94E-07 -TBT -TBM 8GZ1 TAT
17. 2.94E-07 -TBT -TBM 8GZ2 TAT
18. 2.94E-07 -TBT -TBM 8GZ3 TAT
19. 2.94E-07 TBT -TAT -TAM 8GGZ1
20. 2.94E-07 TBT -TAT TAM 8GGZ2
21. 2.94E-07 TBT -TAT -TAM 8GGZ3
22. 2.81E-07 TBT 52AM -TAT TAM
23. 2.81E-07 MM52B -TBT -TBM TAT
24. 2.55E-07 TBT 52AC -TAT -TAM
25. 2.55E-07 CONTS -TBT -TBM TAT
26. 2.12E-07 -TBT -TBM 8GZ1 TAM
27. 2.12E-07 -TBT -TBM 8GZ2 TAM
28. 2.12E-07 -TBT -TBM 8GZ3 TAM
29. 2.12E-07 TBM -TAT TAM 8GGZ1
30. 2.12E-07 TBM -TAT -TAM 8GGZ2
31. 2.12E-07 TBM -TAT -TAM 8GGZ3
32. 2.03E-07 TBM 52AM -TAT -TAM
33. 2.03E-07 MM52B TBT TBM TAM
34. 1.85E-07 TBM 52AC -TAT -TAM
35. 1.85E-07 CONTS -TBT -TBM TAM
36. 1.44E-07 8MZ4 OPER1
37. 1.44E-07 815DC OPER1
38. 1.44E-07 OPER2 88MZ4
39. 1.44E-07 OPER2 8815DC

See Table 7.15 for descriptions of basic event identifiers.

Table 7.15

Descriptions of Basic Event Identifiers Listed in Tables 7.12 to 7.14

ACx - analog channel x
Blxxx - analog channel xxx
CCF - common cause failure
CONTS - reactor trip breaker B contacts shorted
MRxM - master relay x in maintenance
MRxMB - master relay x mechanically bound
MM52B - reactor trip breaker B mechanical malfunction
OPER1 - operator error in aligning bypass trip breaker A
OPER2 - operator error in aligning bypass trip breaker B
SRxxMB - slave relay xx mechanically bound
SRxxT - slave relay xx in test
SSPSB - solid state protection system train B
SSPS1 - solid state protection system train A
TxM - train x in maintenance
TxT - train x in test
52AC - reactor trip breaker A contacts shorted
52AM - reactor trip breaker A mechanical malfunction
8GZx - card A416X gate Zx failed open (train B)
8GGZx - card A416X gate Zx failed open (train A)
8MZ4 - card A416Z multiplex IC Z4 failed short (train B)
88MZ4 - card A416Z multiplex IC Z4 failed short (train A)
815DC - loss of 15V DC to card A416X (train B)
8815DC - loss of 15V DC to card A416X (train A)
- - not symbol (example: -TBT = train B not in test)

The function "lost" by the slave relay failure in that train can still be established by operator actions specified in the plant's emergency operating procedures.

This AOT is inconsistent with the AOTs for the system or components being actuated by the failed slave relay. In many cases, the AOTs for the components being actuated by the slave relays are significantly longer than the current 6 hours and even the proposed 24 hours. Many fluid safety systems that are actuated by the ESFAS have AOTs of 72 hours. In addition, when the system is unavailable for this period of time, one train of the function is lost, but when the slave is unavailable, the function is still available and can be initiated by operator action. This inconsistency is particularly evident when it is considered that the system remains available for operator actuation if the slave relay is unavailable, but shutdown is required in a shorter time than if the system itself is unavailable.

To resolve this inconsistency, it is proposed to change the Technical Specification requirement on the slave relays to require that the component actuated by the slave be declared inoperable and the appropriate system Technical Specification action statement be followed if the slave relay has not been restored within the specific instrumentation AOT (currently 6 hours, 24 hours proposed).

This applies specifically to 1) slave relays that actuate single components, 2) slave relays that actuate multiple components providing the slave relay failure affects actuation of only a single component (relay contacts, for example), and 3) multiple slave relays or slave relays that actuate multiple components providing the affected components are all in the same train of a single system. To implement this, the high head, intermediate head, and low head subsystems of the emergency core cooling system must each be considered a single system. The technical justification for this, which follows, is based on the small impact this will have on the availability of the actuated system.

As noted in Section 5.2 and documented in References 4 and 5, the slave relays are highly reliable components when used within the assumptions of these references. The information presented in References 4 and 5 indicates that only a limited number of failures of these components have occurred. The failure probability for the slave relays is estimated to be in the range from 7.0E-05/demand to 3.5E-04/demand, depending to some extent on the type of relay; Westinghouse type AR or Potter & Brumfield MDR. The data does not show a strong correlation between the failure probability and test interval. For the following calculations, the failure probability is assumed to be 1.0E-04/demand.

Repair activities involving slave relays typically involve replacing the contacts or replacing the complete relay. In most instances, conservatively assumed to be 90% of the activities, slave relay repairs can be completed within the AOT. That is, only 10% of the slave relay repair activities extend beyond the AOT, which will result in the actuated components being declared inoperable with the proposed action statement in effect. Therefore, the additional train or component unavailability related to a failure of a slave relay is calculated as follows and assumes the actuated component will be unavailable for a full AOT of 72 hours.

Probability of a test leading to the unavailability of the actuated system via the proposed action statement:

1.0E-04/demand x 1 demand/test x 0.1 = 1.0E-05/test

Additional train or component unavailability:

1.0E-05/test x 1 test/3 months x 1 month/730 hours x 72 hours = 3.3E-07

This has a negligible impact on train or component unavailabilities for systems which typically have unavailabilities greater than 1E-03. It should also be noted once again that under the proposed action statement, the train or component will still be available for actuation by an operator.

8.0 RISK ANALYSIS

As discussed in Section 1.0, the risk analysis is used to determine the impact of the changes to the AOTs, STIs, and bypass times on plant safety. The results from the unavailability analysis presented and discussed in the previous section are used as input to the risk analysis. It is necessary to assess the impact of the changes on plant safety to establish a measurable baseline impact. The unavailability analysis provides the impact of the changes on signal availability, but it is not possible to draw conclusions from this since it is not known how important the signals are to plant safety. Larger changes would be allowed for a system not important to safety as opposed to a system that is important to safety. For this reason, the risk analysis is necessary.

This section of the report presents and discusses the risk analysis. It includes a discussion on the approach, risk model, impacted parameters in the risk model, and results.

8.1 RISK ANALYSIS APPROACH

The WOG TOP analysis used the Indian Point Unit 2 and the Millstone Unit 3 PRA models that were available in the early 80's for the risk analysis. This current work uses the Vogtle Electric Generating Plant (VEGP) PRA model (Reference 7) that was completed to meet the Individual Plant Examination requirement (Generic Letter 88-20). Use of a PRA model from a recently completed IPE, instead of the older models used in WOG TOP, was necessary to obtain more realistic results regarding the impact of the AOT and bypass time changes on plant safety. The IPE models provide more realistic results for two primary reasons:

- The IPE models more accurately reflect current plant operation; the system models represent current plant design, the event evaluations more accurately represent current plant and operator response to initiators, and the initiating event frequencies are representative of recent industry experience and plant operation.

- The IPE is based on recent PRA technology. Because of improvements to PRA modeling techniques, common cause methodology and human reliability analysis for example, and additional operating experience providing improved databases, component failure rates for example, the IPE will provide results more indicative of the impact of the proposed changes on plant safety.

The VEGP PRA model uses a support system approach and examined the full complement of internal events. VEGP is a 4-loop plant with a solid state protection system. The VEGP PRA included a detailed assessment of representative reactor trip and engineered safety features actuation signals. In the VEGP PRA model, the following is the basis for the signals used:

- The reactor trip signal for Condition II and III events is initiated from either one of two sets of functionally diverse analog channels or operator action. The operator action models tripping the reactor from the main control board trip switches.

- The reactor trip signal for Condition IV events is initiated from either one set of analog channels (no functional diversity is available) or operator action. The operator action models tripping the reactor from the main control board trip switches.

- The representative ESFAS signal is based on the safety injection function. Several signals were considered. Those of interest in this analysis are signals generated from 1) a single set of analog channels (no functional diversity) and 2) a single set of analog channels with an operator action to initiate SI from the main control board switches.

In the VEGP PRA, the ESFAS signals are included as part of the support systems model, primarily for safety injection actuation, or within some of the fault tree models for systems requiring automatic actuation by the ESFAS, such as auxiliary feedwater system and steamline isolation. The reactor trip signals were included in the event tree models as appropriate.

The approach used in this analysis simply substitutes the unavailability values calculated based on the WOG TOP signal unavailability models in Section 7 for the corresponding values in the VEGP PRA model. These substitutions occur in the support system model, event trees, and fault trees as necessary. After the substitution, the model is re-quantified with the WESOT Computer Code (Reference 8) to determine the core damage frequency (CDF) and accident sequences.

WESOT is a software tool used to quantify event trees, summarize the event tree quantification results, and provide the results in terms of total core damage frequency, frequency by initiator, accident sequences, end state frequencies, and event tree top event importances based on contribution to core damage frequency. This importance function is defined as:

Importance = (Σ(CDF of sequences with top event failure) / total CDF) x 100

The baseline case was initially quantified with the signal unavailabilities corresponding to Pre-TOP allowed outage times, bypass times, and STIs. These were followed by quantifications with the signal unavailabilities for the TOP Case and Proposed Case. The Pre-TOP case was quantified at the request of the NRC (see Section 3.0) and is used as the baseline value for assessing the impact of the changes on plant safety. The measure used for plant safety in this analysis is core damage frequency.
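The substitute-and-requantify approach and the top event importance measure described above, shown on a small scale as an added example; it is not part of the report and is neither WESOT nor the VEGP PRA model. The signal unavailability totals are taken from Tables 7.11 and 7.7 on this page; the three-top-event tree, its success criteria, the initiating event frequency, and the AFW hardware and feed-and-bleed failure probabilities are constructed assumptions.

```python
"""Toy event-tree requantification (added example, not WESOT or the VEGP model)."""
from itertools import product

# Total signal unavailabilities copied from this page:
#   RT      - Table 7.11: reactor trip, diverse signals with operator action
#   AFW_SIG - Table 7.7:  auxiliary feedwater pump start signal (2/4)
SIGNAL_Q = {
    "Pre-TOP":  {"RT": 1.70e-05, "AFW_SIG": 5.91e-04},
    "TOP":      {"RT": 1.76e-05, "AFW_SIG": 7.01e-04},
    "Proposed": {"RT": 1.80e-05, "AFW_SIG": 7.24e-04},
}

# Constructed assumptions for the toy model (not values from the report).
IE_FREQ = 2.0       # transient initiating events per year
AFW_HW_Q = 1.0e-03  # AFW hardware failure probability per demand
FB_Q = 1.0e-02      # feed-and-bleed failure probability per demand
TOP_EVENTS = ("RT", "AFW", "FB")


def top_event_q(case):
    """Top event failure probabilities with the case's signal values substituted."""
    sig = SIGNAL_Q[case]
    # AFW fails if its start signal or its hardware fails (treated as independent).
    afw = 1.0 - (1.0 - sig["AFW_SIG"]) * (1.0 - AFW_HW_Q)
    return {"RT": sig["RT"], "AFW": afw, "FB": FB_Q}


def is_core_damage(failed):
    """Constructed success criteria: trip must succeed, then AFW or feed-and-bleed."""
    return "RT" in failed or {"AFW", "FB"} <= failed


def quantify(case, ie_freq=IE_FREQ):
    """Return (CDF per year, importance in percent per top event, CD sequences)."""
    q = top_event_q(case)
    sequences = []
    # Enumerate every success/failure branch combination. A production event
    # tree would stop asking top events after an early failure; the full
    # enumeration gives the same CDF because the skipped branches sum to 1.
    for outcome in product((False, True), repeat=len(TOP_EVENTS)):
        failed = frozenset(te for te, f in zip(TOP_EVENTS, outcome) if f)
        freq = ie_freq
        for te in TOP_EVENTS:
            freq *= q[te] if te in failed else 1.0 - q[te]
        if is_core_damage(failed):
            sequences.append((failed, freq))
    cdf = sum(freq for _, freq in sequences)
    # Importance = (sum of CDF of sequences with top event failure / total CDF) x 100
    importance = {
        te: 100.0 * sum(freq for failed, freq in sequences if te in failed) / cdf
        for te in TOP_EVENTS
    }
    return cdf, importance, sequences


if __name__ == "__main__":
    base_cdf, _, _ = quantify("Pre-TOP")
    for case in SIGNAL_Q:
        cdf, imp, _ = quantify(case)
        change = 100.0 * (cdf - base_cdf) / base_cdf
        print(f"{case:9s} CDF={cdf:.3e}/yr  change vs Pre-TOP={change:+.1f}%  "
              + "  ".join(f"{te}={imp[te]:.1f}%" for te in TOP_EVENTS))
    # Sensitivity case from the text: initiator frequency reduced by 0.5/yr.
    for case in ("TOP", "Proposed"):
        cdf, _, _ = quantify(case, IE_FREQ - 0.5)
        print(f"{case:9s} with 0.5/yr fewer trips: CDF={cdf:.3e}/yr")
```

The percent changes this toy prints are far larger than the report's, because its constructed tree has almost nothing but the two substituted signals in it; only the mechanics carry over. Importances can sum to more than 100 because a sequence with several failed top events counts toward each of them.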

In the WOG TOP risk analysis for the reactor trip signals, credit was taken for a reduction of 0.5 trips/year/plant associated with implementing the AOT, bypass time, and STI changes recommended in TOP. This is documented in Section 5.1 of Reference 1. Programs have been implemented since the time the WOG TOP analysis was completed directed at reducing the number of plant trips. Based on these programs, and with the additional RPS and ESFAS test and maintenance experience utilities have developed since then, a plant implementing the TOP changes at this time may not necessarily realize a 0.5 trip/yr trip reduction, although some reduction would still be expected. Therefore, the TOP Case and Proposed Case quantifications conservatively did not credit the potential trip reduction. But sensitivity cases were quantified for the TOP Case and Proposed Case to show the potential impact on plant safety for a trip frequency reduction of 0.5/yr.

The risk analysis only evaluated the impact of the changes for signals generated from the SSPS. A review and comparison of the signal unavailability results for the relay protection system with the results for the SSPS (see Section 7.4) indicates that the change or difference in unavailability values from the Pre-TOP Case to the TOP Case and from the TOP Case to the Proposed Case are nearly the same for both types of protection systems. In addition, the signal unavailability values for the relay protection system are consistently smaller than those for the SSPS. Based on this, it was concluded in Section 7.4 that the SSPS results are representative of the relay protection system results. Therefore, the risk analysis was completed only with the SSPS results and is considered to be representative of the results expected for the relay protection systems. This approach is consistent with the approach used in WOG TOP.

Finally, the approach includes evaluations of the impact of the changes on risk for signals generated from 2 of 3 logic and 2 of 4 logic. The signal unavailability results presented in Section 7.4 are not significantly different for signals generated for 2 of 3 logic versus 2 of 4 logic when diversity or additional operator actions to trip the plant or actuate safety features are considered. This difference is primarily important when the signal is generated from a single set of analog channels (one 2 of 3 set or one 2 of 4 set).

8.2 EVENT REACTOR TRIP AND ENGINEERED SAFETY FEATURES ACTUATION SIGNALS

In assessing the impact of the change in unavailability of the reactor trip and engineered safety feature actuation signals on plant safety, it is necessary to consider the possible signals that will be available to actuate reactor trip and the safety functions (safety injection, auxiliary feedwater pump start, etc.) for each event. WOG TOP (Reference 1, Appendix H, Table 2.b-1) provides this information for reactor trip signals. In addition to the signals listed in this reference, the plant can also be tripped by the operator 1) from the main control board trip switches, 2) by interrupting power to the control rod drive mechanisms from the motor-generator sets from the control board, and 3) by manually inserting the control rods into the core.

Diversity of signals is not as prevalent for initiating ESF protective functions, but backup actuation signals do exist, depending on the particular event. In addition, backup operator actions to initiate safety functions are also possible. For example, the operator can initiate the safety injection function from the main control board SI switches or by individually starting and/or aligning, as necessary, each required component by following the appropriate emergency operating procedures. Operator actions can also be used to actuate other protective features, e.g., auxiliary feedwater pump start, main feedwater isolation, steamline isolation, by following the appropriate emergency operating procedures. The ability of the reactor trip and safety features to be actuated by more than a single set of signals or by an operator action is one of the strengths of the protection system.

These backup signals need to be considered when assessing the impact of the signal unavailability increases on plant safety. Table 8.1 provides a summary of the sources of signals, in terms of diversity and operator action availability, for reactor trip actuation for each initiating event considered in the risk analysis. Table 8.2 provides a summary of the sources of signals for each safety function considered in the risk analysis. Table 8.3 provides the human error probabilities for the operator actions required to trip the reactor or actuate a safety function used in this analysis and the source of the probability.

8.3 RESULTS OF THE RISK ANALYSIS

The results of the risk analysis are provided in several forms in this section. The primary measure of the impact on plant safety is core damage frequency. The total core damage frequency from internal initiating events, the accident sequences that comprise the core damage frequency, and the top event or system importance factors are all discussed to varying degrees in the following for the Pre-TOP Case, TOP Case and Proposed Case. In addition, similar information for the two sensitivity cases involving the TOP Case and Proposed Case is provided. As noted in Section 8.1, the sensitivity cases involved reducing the transient initiator frequency by 0.5 trips/year. This is based on the expected benefits as determined in WOG TOP for implementing the AOT, bypass time, and STI changes provided in WCAP-10271.

Table 8.4 provides a summary of the core damage frequency values calculated for the Pre-TOP Case, TOP Case, and the Proposed Case for signals generated from 2 of 4 logic and 2 of 3 logic requirements. Values are also provided for the sensitivity cases. Percent changes are given for the Proposed Case referenced to the Pre-TOP and TOP cases. Note that when crediting the reduction in transient frequency, there is a reduction in core damage frequency for the TOP Case compared to the Pre-TOP Case because the AOT and bypass time changes have a smaller effect than the decrease in initiating event frequency. As expected, there is a smaller change in core damage frequency for signals generated by 2 of 4 logic as opposed to signals from 2 of 3 logic.

The increase in core damage frequency for the AOTs and bypass times included in the Proposed Case is equal to or less than 1% for signals generated for 2 of 4 or 2 of 3 logic when compared to the TOP Case.

The WOG TOP analysis documented in WCAP-10271, Supplement 2, calculated an increase in core damage frequency of 2.7% and 3.6% for 2 of 4 and 2 of 3 logic, respectively, when changing from Pre-TOP parameters (AOTs, bypass times, and STIs) to the TOP parameters. These values are broken into contributions from reactor trip signals and engineered safety features signals as follows:

Table 8.1

Sources of Reactor Trip Actuation Signals

| Event | Actuation Signal | Operator Action |
|---|---|---|
| Large LOCA | Not Required | -- |
| Medium LOCA | Not Required | -- |
| Small LOCA | Nondiverse | Yes |
| Steam Generator Tube Rupture | Nondiverse | Yes |
| Interfacing Systems LOCA | Not Required | -- |
| Reactor Vessel Rupture | Not Required | -- |
| Secondary Side Break - Inside Containment | Nondiverse | Yes |
| Secondary Side Break - Outside Containment | Nondiverse | Yes |
| Positive Reactivity Insertion | Diverse | Yes |
| Loss of Reactor Coolant Flow | Diverse | Yes |
| Loss of Main Feedwater Flow | Diverse | Yes |
| Partial Loss of Main Feedwater Flow | Diverse | Yes |
| Loss of Condenser | Diverse | Yes |
| Turbine Trip | Diverse | Yes |
| Reactor Trip | Generated by RPS | -- |
| Spurious Safety Injection Signal | Diverse | Yes |
| Inadvertent Opening of a Steam Valve | Diverse | Yes |
| Primary System Transient | Diverse | Yes |
| Loss of Offsite Power | Not Required by RPS | -- |
| Station Blackout | Not Required by RPS | -- |
| Loss of Instrument Air | Diverse | Yes |
| Total Loss of Nuclear Service Cooling Water | Nondiverse | Yes |
| Loss of 125 VDC Bus | Diverse | Yes |
| Loss of Two 120V Vital AC Instrument Panels | Diverse | Yes |

Table 8.2 (table contents not legible in the source)

Table 8.3 Summary of Human Error Probabilities for Operator Actions Backing Up Actuation Signals

| Operator Action | HEP (1) | Source |
|---|---|---|
| Reactor trip from the main control board trip switches | 1E-02 | Conservative estimate based on several IPEs |
| Reactor trip by interrupting power from the motor-generator sets given that the operator failed to trip by the control board switches | 5E-01 | VEGP IPE (2) |
| Manually insert the control rods into the core given the previous operator actions to trip have failed | 5E-01 | VEGP IPE (2) |
| Safety injection from the main control board switches | 1E-02 | Conservative estimate based on several IPEs |
| Safety injection by manual actuations of individual components | 2E-03 | VEGP IPE (2) |
| Auxiliary feedwater pump start | 2E-02 | VEGP IPE (2) |

Notes: 1. HEP - Human Error Probability

2. VEGP IPE - see Reference 7

Table 8.4 Summary of Results by Core Damage Frequency

| Case | 2/4 Logic: CDF (per year) | 2/4 Logic: Change Referenced to Pre-TOP | 2/4 Logic: Change Referenced to TOP | 2/3 Logic: CDF (per year) | 2/3 Logic: Change Referenced to Pre-TOP | 2/3 Logic: Change Referenced to TOP |
|---|---|---|---|---|---|---|
| Pre-TOP | 5.706E-05 | -- | -- | 5.717E-05 | -- | -- |
| TOP | 5.800E-05 | 1.6% | -- | 5.832E-05 | 2.0% | -- |
| Proposed | 5.835E-05 | 2.3% | 0.6% (4) | 5.893E-05 | 3.1% | 1.0% (4) |
| TOP - Sens. | 5.651E-05 | -1.0% | -- | 5.683E-05 | -0.6% | -- |
| Proposed - Sens. | 5.683E-05 | -0.4% | 0.6% (5) | 5.741E-05 | 0.4% | 1.0% (5) |

Notes: 1. CDF - core damage frequency

2. It was necessary to present four significant digits in the core damage frequency values to highlight the small changes between cases.
3. The sensitivity cases (denoted by Sens.) credit a 0.5 reduction in transient frequency which is consistent with the WOG TOP analysis.
4. Change with respect to TOP Case core damage frequency.
5. Change with respect to TOP-Sens. Case core damage frequency.

2 of 4 logic:

ESF signals = 2.4% (Reference 3, Appendix N)

RT signals = 0.3% (Reference 3, Appendix D)

Total = 2.7%

2 of 3 logic:

ESF signals = 3.3% (Reference 3, Appendix N)

RT signals = 0.3% (Reference 3, Appendix D)

Total = 3.6%

Note that credit is taken for a reduction of 0.5 transients / year in the TOP analysis for reactor trip signals.

The difference in the results between the TOP analysis in WCAP-10271 and the current analysis can be attributed to two primary analysis differences: realistic assumptions on maintenance intervals and crediting AMSAC to start auxiliary feedwater pumps. With regard to maintenance intervals, as previously discussed in Section 5, the WOG TOP analysis conservatively assumed a yearly maintenance interval on the components of the protection system. This current analysis used more realistic intervals based on industry data for the master and slave relays, and based on the plant survey responses for the analog channels and logic cabinets. See Section 5.2 for additional information. The AMSAC signal provides a signal, diverse from the reactor protection system, for actuating the auxiliary feedwater pumps. Crediting this signal, in addition to the normal signals from the reactor protection system and operator actions to start the pumps, significantly reduces the risk importance of pump actuation signals.

Tables 8.5 and 8.6 provide the importances, as defined in Section 8.1, for the top events in the event trees used to model plant response to initiators. Table 8.5 provides the importances for the cases with signals generated by the SSPS with 2 of 4 logic and Table 8.6 provides the importances for the cases with signals generated by the SSPS with 2 of 3 logic. The top events used in the event trees typically refer to systems, operator actions, or split fractions that represent some other parameter, such as, system recovery, power level, etc. These tables provide the importance values for the top 25 systems as ranked by importance. Importance measures for other top events (operator actions, power recovery, etc.) were removed from the list.

The importances of interest here are those for reactor trip actuation signals (reactor trip), safety injection actuation signals (engineered safety features), and auxiliary feedwater. The AFW importance is of interest since the AFW top event includes the actuation signal, in addition to the mechanical equipment. From these two tables it is seen that the importances for these three systems, or top events, change insignificantly from the TOP Case to the Proposed Case, and the change for the Pre-TOP Case to the Proposed Case is also small. For the reactor trip and engineered safety features top events, the importance value increases by 0.2% from the TOP Case to the Proposed Case. This means that the increase in the percent of core damage frequency related to the increase in unavailability due to the AOT and bypass time changes for either of these top events, or systems, is significantly less than 1%. This also shows that the

Table 8.5 System (Top Event) Importance Summary: SSPS with 2 of 4 Logic

| System | Importance Measure: Pre-TOP | Importance Measure: TOP | Importance Measure: Proposed |
|---|---|---|---|
| 4160 VAC Power | 55.9% | 55.1% | 54.7% |
| Auxiliary Feedwater | 20.5% | 20.6% | 20.7% |
| Nuclear Service Cooling Water | 15.5% | 15.4% | 15.4% |
| CB ESF Electrical Equipment Room HVAC | 15.4% | 15.2% | 15.1% |
| Reactor Trip | 14.2% | 14.5% | 14.7% |
| Condensate Feed | 11.0% | 10.9% | 10.8% |
| Essential Chilled Water System | 9.1% | 9.0% | 9.0% |
| Turbine Driven Pump | 7.3% | 7.2% | 7.2% |
| PORVs and/or SVS Open | 6.5% | 6.6% | 6.7% |
| High Pressure Injection | 6.4% | 6.8% | 6.8% |
| High Pressure Recirculation | 6.3% | 6.2% | 6.2% |
| Containment Cooling Units | 6.0% | 6.3% | 6.4% |
| Engineered Safety Features | 5.0% | 6.2% | 6.4% |
| Component Cooling Water | 4.3% | 4.4% | 4.5% |
| Centrifugal Charging Pumps | 3.2% | 3.3% | 3.3% |
| Low Pressure Injection | 3.0% | 3.4% | 3.5% |
| Safety Injection Pumps | 2.7% | 2.7% | 2.7% |
| Low Pressure Recirculation | 1.9% | 2.0% | 2.0% |
| RWST Failure | 1.6% | 1.6% | 1.6% |
| Normal Chilled Water System | 1.5% | 1.5% | 1.5% |
| 480 VAC Buses Train A | 1.4% | 1.4% | 1.4% |
| Hot Leg Recirculation | 1.2% | 1.2% | 1.2% |
| Normal Charging | 0.9% | 0.9% | 0.9% |
| 125 VDC Buses | 0.8% | 0.8% | 0.8% |
| Pressurizer PORVs | 0.7% | 0.7% | 0.7% |

Table 8.6 System (Top Event) Importance Summary: SSPS with 2 of 3 Logic

| System | Importance Measure: Pre-TOP | Importance Measure: TOP | Importance Measure: Proposed |
|---|---|---|---|
| 4160 VAC Power | 55.8% | 54.8% | 54.2% |
| Auxiliary Feedwater | 20.5% | 20.6% | 20.6% |
| Nuclear Service Cooling Water | 15.5% | 15.4% | 15.2% |
| CB ESF Electrical Equipment Room HVAC | 15.4% | 15.1% | 15.0% |
| Reactor Trip | 14.1% | 14.5% | 14.7% |
| Condensate Feed | 11.0% | 10.8% | 10.7% |
| Essential Chilled Water System | 9.1% | 9.0% | 8.9% |
| Turbine Driven Pump | 7.3% | 7.2% | 7.1% |
| High Pressure Injection | 6.5% | 7.2% | 7.6% |
| PORVs and/or SVS Open | 6.5% | 6.6% | 6.7% |
| High Pressure Recirculation | 6.3% | 6.2% | 6.1% |
| Containment Cooling Units | 6.2% | 6.8% | 7.1% |
| Engineered Safety Features | 5.2% | 6.6% | 7.2% |
| Component Cooling Water | 4.3% | 4.4% | 4.4% |
| Low Pressure Injection | 3.2% | 3.8% | 4.2% |
| Centrifugal Charging Pumps | 3.2% | 3.3% | 3.3% |
| Safety Injection Pumps | 2.7% | 2.7% | 2.6% |
| Low Pressure Recirculation | 1.9% | 2.0% | 2.0% |
| RWST Failure | 1.6% | 1.6% | 1.6% |
| Normal Chilled Water System | 1.5% | 1.5% | 1.5% |
| 480 VAC Buses Train A | 1.4% | 1.4% | 1.4% |
| Hot Leg Recirculation | 1.2% | 1.2% | 1.2% |
| Normal Charging | 0.9% | 0.9% | 0.9% |
| 125 VDC Buses | 0.8% | 0.8% | 0.8% |
| Pressurizer PORVs | 0.7% | 0.7% | 0.7% |

change in the signal unavailability for auxiliary feedwater pump start has essentially no impact on the importance of the auxiliary feedwater system. In addition, by their absence from this list, it is concluded that the ESF actuation signal unavailabilities modeled for other mitigation features, steamline isolation for example, are of low importance, and that with the AOT and bypass time changes, they remain of low importance.

The accident sequences leading to core damage for the Pre-TOP Case, TOP Case, and Proposed Case, with the SSPS and 2 of 4 logic and the SSPS and 2 of 3 logic, are provided in Appendix E. Only the sequences, from the top 100 sequences, related to ESF or RT actuation signal failures are provided. The specific top events in these sequences are RT (reactor trip actuation signal), ESF (safety injection actuation signal), and AFW. A review of these sequences also confirms the low significance of the changes being considered in this report. It should be noted that the unavailabilities for the AFW top events in the sequences do not always change between the cases. This is due to the AFW unavailability values being dominated by the mechanical components and not the signals.

8.4 RISK ASSOCIATED WITH A PLANT SHUTDOWN

One of the benefits of longer AOTs that can be quantified is the risk associated with avoiding a plant shutdown and the ensuing startup. Longer AOTs will help utilities avoid plant shutdowns by allowing additional time to complete component repairs, and will also help avoid utility requests for discretionary enforcements to remain at-power when the time to complete the repair activity exceeds the current AOTs.

The risk associated with shutting a plant down can be considered to be comprised of two parts: the power reduction phase that occurs in mode 1 and the changes in operating modes after the reactor is tripped. The risk associated with restarting the plant can also be considered to be comprised of two parts: the changes in operating modes prior to achieving criticality and the power increase that occurs in mode 1 after the control rods are pulled. For this analysis, only the risk associated with the power reduction and power increase are considered.

Information collected in the survey indicates, for the time period examined, there have been 349 plant startups and 152 controlled plant shutdowns (see Table 4.4). This information also indicates that 30 reactor trip events have occurred during plant startups and 13 have occurred during controlled shutdowns. Based on this, the probability of a reactor trip occurring during a startup or a controlled shutdown can be determined:

Probability of reactor trip during a startup = 30 reactor trip events during startup / 342 startups = 0.088

Probability of reactor trip during a controlled shutdown = 10 reactor trip events during controlled shutdown / 148 controlled shutdowns = 0.068

The risk, as measured by core damage frequency, associated with a reactor trip while shutting down or restarting a plant can be obtained from the VEGP IPE. For a transient event, such as partial loss of main feedwater, the probability of core damage given that the event has occurred is approximately 3E-06. Therefore, the probability of core damage due to one shutdown and restart is:

CDF = 3E-06 x (0.088 + 0.068) = 4.7E-07

This value is comparable to the increase in core damage frequency for the Proposed Case, as compared to the TOP Case, for both the 2 of 4 and 2 of 3 logic configurations. Therefore, the risk that can be avoided due to a potentially avoided plant shutdown and startup related to the extended AOTs is comparable to the risk increase associated with the higher signal unavailability due to the extended AOTs. Including the risk for the other phase of shutdown and startup, when the control rods are in the core, further increases the averted risk values.


9.0 PROGRAM BENEFITS

The benefits to utilities for the AOT and bypass time changes proposed in this report are discussed in this section. These include additional time to complete test and maintenance activities, additional operational flexibility, and reduced number of forced outages and discretionary enforcements. These are discussed in the following:

1. The longer AOTs for the master and slave relays, logic cabinets, and analog channels will promote improved maintenance practices that will provide improved component performance, improved availability of the protection system, and a reduced number of spurious reactor trips and spurious actuations of safety equipment.
2. The longer AOTs and bypass times for the analog channels will provide additional time before being required to place the channel in trip. With the channel in trip, the logic required to cause a reactor trip or a safety system actuation is reduced to 1 of 2 (for 2 of 3 logic) and to 1 of 3 (for 2 of 4 logic). With the reduced logic requirement, the potential for a spurious actuation is increased. Leaving the channel in the bypass state for additional time does reduce the availability of signals to initiate component actuation for event mitigation when required, but as shown in this analysis, the impact on plant safety is small due to the availability of other signals or operator action to trip the reactor or cause component actuation.
3. The longer allowed outage times will provide plant operators additional flexibility in operating the plant. There will be additional time available before an action needs to be taken to shut down the plant or place a channel in the tripped state. This additional flexibility will facilitate prioritizing component repairs. Equipment considered more risk significant than that generating the RT and ESF actuation signals can be repaired prior to repairing the instrumentation system.
4. Extending the AOTs for the instrumentation begins to address an inconsistency in the Technical Specifications related to AOTs between the ESF actuation signals and the components the signals actuate. In many cases, the systems actuated by the ESFAS signals have AOTs significantly greater than those for the ESFAS. The unavailability of a single train of the ESFAS does not necessarily cause the system the signal actuates to also be unavailable. For most events, these systems can still be actuated by operator actions to mitigate the event or by an alternate signal. With a slave relay unavailable, the current Technical Specifications with TOP implemented requires the slave relay to be repaired within 6 hours, even though the component the relay is required to actuate could be allowed to be out of service for up to 72 hours.
5. Extending the AOTs will result in fewer discretionary enforcements related to inadequate time to complete component repair activities. This will result in a cost savings for both the NRC and utilities.
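
The trade-off described in item 2 above, worked through as an added example that is not part of the original report: it computes the spurious actuation probability and the failure-on-demand probability for 2 of 3 and 2 of 4 coincidence logic with one channel in trip or in bypass. Channel independence, the bypass model (the bypassed channel is dropped from the vote) and the per-channel probabilities are assumptions of this example, not values from the analysis.

```python
from math import comb


def at_least(k, n, p):
    """P(at least k of n independent channels are in a state that each has probability p)."""
    if k <= 0:
        return 1.0
    if k > n:
        return 0.0
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k, n + 1))


def effective_logic(k, n, state="normal"):
    """Return (votes_needed, voting_channels) for k-of-n logic with one channel out of service.

    "trip":   the channel is held in the tripped state and supplies one vote,
              so k-1 more votes are needed from the other n-1 channels.
    "bypass": ASSUMPTION of this example: the channel is removed from the vote,
              so k votes are still needed from the other n-1 channels.
    """
    if state == "normal":
        return k, n
    if state == "trip":
        return k - 1, n - 1
    if state == "bypass":
        return k, n - 1
    raise ValueError(f"unknown channel state: {state}")


def spurious_actuation(k, n, state, p_spurious):
    """Probability that enough in-service channels trip spuriously to cause an actuation."""
    needed, voting = effective_logic(k, n, state)
    return at_least(needed, voting, p_spurious)


def failure_on_demand(k, n, state, p_fail):
    """Probability that the actuation signal is NOT generated on a real demand."""
    needed, voting = effective_logic(k, n, state)
    # The signal is lost once more than (voting - needed) channels fail to respond.
    return at_least(voting - needed + 1, voting, p_fail)


def compare(p_spurious=1e-3, p_fail=1e-2):
    """Tabulate both probabilities for 2 of 3 and 2 of 4 logic in each channel state.

    The default per-channel probabilities are constructed values, not plant data.
    """
    rows = []
    for k, n in ((2, 3), (2, 4)):
        for state in ("normal", "trip", "bypass"):
            needed, voting = effective_logic(k, n, state)
            rows.append({
                "logic": f"{k} of {n}",
                "state": state,
                "effective": f"{needed} of {voting}",
                "spurious": spurious_actuation(k, n, state, p_spurious),
                "fail_on_demand": failure_on_demand(k, n, state, p_fail),
            })
    return rows


if __name__ == "__main__":
    for row in compare():
        print(f"{row['logic']:7} {row['state']:7} -> {row['effective']:7} "
              f"spurious={row['spurious']:.3e} fail_on_demand={row['fail_on_demand']:.3e}")
```

Placing a channel in trip raises the spurious actuation probability and lowers the failure-on-demand probability; bypass does the opposite, which is the availability reduction the report weighs against diverse signals and operator action.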


10.0 CONCLUSIONS

Conclusions were provided in Section 7.4 specifically applicable to availability of RT and ESF actuation signals. Conclusions were provided in Section 8.3 specifically applicable to the impact of the proposed changes on plant safety. In addition, a discussion of the results in Section 4 also leads to several relevant conclusions. The following is a summary of the conclusions that specifically support changing the AOTs and bypass times to the proposed values listed in Tables 5.1 and 5.2. These conclusions are based on those previously presented and discussed. It is recommended, based on these conclusions, that the AOTs and bypass times be increased to those in the Proposed Case, that at the discretion of the individual utilities, channel calibrations be performed while the plant is at-power, and that the slave relay action be modified as noted in item #11.

1. The proposed changes to the AOTs and bypass times have an insignificant impact on plant safety. This conclusion applies to signals generated by the solid state and relay protection systems, from either 2 of 4 or 2 of 3 logic. As seen from Table 8.4, the increase in core damage frequency is 0.6% in comparison to the TOP Case for 2 of 4 logic and 1% in comparison to the TOP Case for 2 of 3 logic.
2. The risk averted by eliminating a potential plant shutdown and restart due to the proposed AOT changes, can offset the increase in risk of the proposed changes due to increased signal unavailability while at-power.
3. The proposed changes being considered have a minor impact on the availability of the RT and ESF actuation signals. This is particularly evident for functions that are backed-up by either diverse actuation signals or operator actions.
4. The impact of the proposed changes on signal unavailability for the SSPS can be used to represent the impact of the changes on signals generated by relay protection systems.
5. One of the strengths of the reactor protection system is the ability of diverse signals and operator actions to cause reactor trip and system actuations to mitigate initiating events. This diversity has been credited in this study.
6. The importances of the reactor trip and engineered safety features actuation signals are relatively low, and remain low with implementation of the proposed AOT and bypass time changes.
7. Completing analog channel calibrations at power once every fuel cycle has a negligible impact on plant safety.
8. This analysis calculates a significantly lower increase in core damage frequency than the TOP analysis calculated. This is attributed to more realistic maintenance intervals used in this current analysis and crediting the AMSAC system as an alternate method of initiating the auxiliary feedwater pumps.
9. A significant number of reactor trips have occurred related to test and maintenance activities. This indicates that these activities should be completed with caution and significant time should be available.
10. Utilities typically do not have multiple channels that measure the same parameter out of service simultaneously.
11. Slave relay repair activities that cannot be completed within the 24 hour AOT should not necessarily lead directly to a plant shutdown. After the 24 hour period has expired, the component that is impacted by the slave relay of interest should be declared inoperable and the Technical Specification action corresponding to this component should be followed.

Applicability of this is limited to 1) slave relays that actuate single components, 2) slave relays that actuate multiple components providing the slave relay failure affects actuation of only a single component (relay contacts, for example), and 3) multiple slave relays or slave relays that actuate multiple components providing the affected components are all in the same train of a single system. To implement this, the high, intermediate and low head subsystems of the emergency core cooling system must each be considered a single system.

11.0 IMPLEMENTATION OF THE PROPOSED TECHNICAL SPECIFICATION CHANGES

The analysis presented and discussed in the previous sections recommends the following:

1. The AOTs and bypass times provided in Tables 5.1 and 5.2 be incorporated into the RPS and ESFAS instrumentation Technical Specifications.
2. Channel calibration while at-power is acceptable from a risk standpoint and should be left to the needs of the utility (no Technical Specification impact).
3. Change the action for an inoperable slave relay to "following expiration of the slave relay allowed outage time, the component affected by the inoperable slave should be declared inoperable and the Technical Specification action for this component should be followed".

This applies specifically to 1) slave relays that actuate single components, 2) slave relays that actuate multiple components providing the slave relay failure affects actuation of only a single component (relay contacts, for example), and 3) multiple slave relays or slave relays that actuate multiple components providing the affected components are all in the same train of a single system. To implement this, the high head, intermediate head, and low head subsystems of the emergency core cooling system must each be considered a single system.

Implementation of these proposed changes into the Standard Technical Specifications for Westinghouse Plants (NUREG-1431, NUREG-0452) is shown in Appendix A.

These recommendations are applicable to all the signals evaluated in WOG TOP for both solid state and relay protection systems. See Tables 3.2-2 and 3.2-3 in Reference 2 and Tables 3.1-2 and 3.1-3 in Reference 3 for a complete listing of the signals evaluated in WOG TOP. The results are also applicable to those signals not specifically evaluated in the TOP analysis, but shown to be applicable through subsequent evaluations. These include:

- Reactor trip on steam generator level low-low with time delay
- Auxiliary feedwater pump start on steam generator level low-low with time delay
- Auxiliary feedwater suction transfer on suction pressure low
- Feedwater isolation on main steam valve vault room water level high
- Feedwater isolation on low reactor coolant system Tavg coincident with reactor trip
- Automatic switchover to containment sump on refueling water storage tank level low-low
- Semi-automatic switchover to containment emergency sump on RWST level low-low coincident with SI
- Automatic switchover to containment sump on RWST level low-low coincident with SI and containment sump level high

In addition, these results are applicable to any signals utilities have independently shown to be encompassed by the WOG TOP evaluation during plant specific implementation of the WOG TOP Technical Specification changes.

As noted in Section 6.0, this program only considers analog processing of data (analog channels), but it is also applicable to digital systems as justified by utilities implementing WOG TOP with the Eagle 21 process protection system and approved by the NRC. Only changes to AOTs and bypass times are being evaluated in this study and these affect the signal availability similarly between the two types of process protection systems.

There are several important analysis details that need to be considered in properly applying the proposed changes to plant operation. These are in addition to the assumptions that form the basis of the analysis as discussed in Section 7.2. The following discusses these additional details:

1. Maintenance on the master and slave relays, logic cabinets, and analog channels while at-power is assumed to occur only after a component failure, that is, preventive maintenance does not occur. This does not preclude preventive maintenance activities. Preventive maintenance can be done providing the total time the component is unavailable due to maintenance activities (corrective and preventive) does not exceed, on a consistent basis, the values assumed in this analysis (see Tables 5.1 and 5.2). This analysis does not support continually exceeding the total time "allocated" for maintenance activities. This is not important for master and slave relays where preventive maintenance is not done, but could be important for analog channels and logic cabinets where a utility may want to start doing preventive maintenance at-power instead of during shutdown.
2. It is assumed that the total test time is used to complete all test activities. If a component is found to be failed during a test activity, the remainder of the time allocated to perform the test activity can be used to repair the component, prior to entering the action statement. For example, if a master relay in a SSPS is found to be inoperable during a test 1 hour after the test started, then the remaining 3 hours of the 4 hour bypass time period allowed for the test activity can be used to repair the relay prior to entering the 24 hour AOT in bypass to complete the repair (corrective maintenance activity).
3. With respect to the analog channels, the analysis assumes that channels measuring the same plant parameter, such as pressurizer pressure, will only randomly be unavailable due to maintenance simultaneously. It is assumed that utilities will not knowingly remove multiple channels performing the same function from service at the same time unless the channels have failed.
4. It is assumed in the analysis that the AOTs and bypass times for the logic cabinets and reactor trip breakers are separate and independent. It is also assumed that the logic cabinets and trip breakers both cause their train to be unavailable when in test or maintenance. Therefore, this analysis supports a bypass time for the trip breakers equivalent to the bypass time for the logic cabinets provided both are tested at the same time.
5. The change to the action statement for inoperable slave relays that recommends "after the AOT for an inoperable slave relay has expired, the action should be to declare the affected component of the system the slave relay actuates inoperable and follow the appropriate system action statement" is limited as previously noted. This is necessary since PRA models credit backup mitigation systems that perform similar functions to primary mitigation systems if the primary mitigation system has failed. A slave relay that actuates both the primary and backup systems would have a larger impact on plant safety than a slave relay that actuates the primary or the backup system. Therefore, it is necessary to limit the use of this action as previously noted.

12.0 REFERENCES

1. "Evaluation of Surveillance Frequencies and Out of Service Times for the Reactor Protection Instrumentation System", WCAP-10271-P-A, May 1986.
2. "Evaluation of Surveillance Frequencies and Out of Service Times for the Reactor Protection Instrumentation System, Supplement 1", WCAP-10271, Supplement 1-P-A, May 1986.
3. "Evaluation of Surveillance Frequencies and Out of Service Times for the Engineered Safety Features Actuation System", WCAP-10271-P-A, Supplement 2, Revision 1.
4. "Reliability Assessment of Westinghouse Type AR Relays Used as SSPS Slave Relays, WOG Program MUHP-7040", WCAP-13877, January 1994.
5. "Reliability Assessment of Potter & Brumfield MDR Series Relays", WCAP-14117, June 1994.
6. "WesSAGE Code System User Manual", WCAP-14041, May 1994.
7. "Individual Plant Examination Report in Response to Generic Letter 88-20", Vogtle Electric Generating Station, November 1992.
8. "Event Tree Development and Quantification System User Manual", WCAP-13199.

APPENDIX A

Proposed Changes to the Standard Technical Specifications (NUREG-1431, NUREG-0452)

-- to be provided --

APPENDIX B

No Significant Hazards Evaluation

-- to be provided --

APPENDIX C

Plant Survey

Attachment

WOG Tech Spec Instrumentation Chapter Optimization Program

Plant Survey: Introduction

One of the objectives of the Technical Specification Instrumentation Chapter Optimization Program is to evaluate longer allowed outage times (AOTs) for the analog channels and the logic cabinets of the reactor protection system (RPS). Outage times of 72 hours will be evaluated for the channels and 24 hours for the logic cabinets. The evaluation will use a probabilistic approach to determine the impact of the changes on plant safety. The unavailability of reactor trip and engineered safety feature actuation signals, and the impact on plant risk will be evaluated. Both the safety benefits and detriments will be included in the evaluation.

The survey is divided into two parts. The first part starts on the following page and is requested to be completed by all utilities. The second part, as discussed below, will be provided to a limited number of utilities after reviewing the results of the first part of the survey. The utilities that receive the second part will be based on the feedback provided by you as to the accessibility of the information required.

To properly conduct this program some information is required from utilities regarding test and maintenance activities related to the RPS including the impact of these activities on plant operation. This includes information on how the increased AOT will be used in RPS test and maintenance activities, that is, will the channels or logic cabinets be unavailable more often due to additional test or maintenance activities or will they be unavailable for longer periods of time due to changes in personnel response to completing test and maintenance activities? In addition, information on the number of plant trips and controlled shutdowns that will be averted due to these changes is also required. Part 1 of the survey is subdivided into three sections. The first section requests information on plant specific implementation of WCAP-10271 (WOG TOP), the second section requests information on channel and logic cabinet unavailability and how longer AOTs will impact unavailability of these components, and the third part requests information on how these activities impact plant availability with respect to reactor trips and required plant shutdowns.

The second part of the survey, which will be sent out to a limited number of utilities in the future, requests a history of the unavailability of instrumentation logic and channels for the previous three fuel cycles. Since this may be a significant effort for some utilities, we are requesting utilities identify whether this type of information can be obtained rather easily. The information is required for five different plant sites. Page 6 of this survey shows the type of information that will be required. At this time only indicate on page 6 if you will be able to provide this information if asked to do so at a future date. Do not fill out anything else on page 6 at this time.

Thank you in advance for your cooperation. If you have any questions, please contact either Jerry Andre' (412-374-4723) or Jim Andrachek (412-374-5018).

WOG Tech Spec Instrumentation Chapter Optimization Program

Plant Survey: Part 1

Utility / Plant:

Utility Contact:

Phone Number:

General Questions:

1. Have you implemented the Technical Specification AOT and STI changes justified in WCAP-10271 (Evaluation of Surveillance Frequencies and Out of Service Times for the Reactor Protection System and Engineered Safety Features Actuation System, WOG-TOP)?

yes/no (circle one); if yes, date implemented:

2. Do you test the channels in trip or in bypass? trip / bypass (circle one)

Instrument Channel and Logic Cabinet Unavailability Questions:

1. How long does it take to perform channel test activities?

estimate of typical or average time in hours:

estimate of maximum time in hours:

How long does it take to perform channel maintenance activities?

estimate of typical or average time in hours:

estimate of maximum time in hours:

2. How long does it take to perform logic cabinet test activities?

estimate of typical or average time in hours:

estimate of maximum time in hours:

How long does it take to perform logic cabinet maintenance activities?

estimate of typical or average time in hours:

estimate of maximum time in hours:

3. What percentage of test activities lead to maintenance activities (circle one)?

i. 0%

ii. 10%

iii. 25%

iv. 50%

v. 75%

vi. 90%

vii. 100%

viii. other (please specify)

4. How often are maintenance activities on logic cabinets required? (estimate as once per year, once every five years, etc.)

5. How often are maintenance activities on a typical analog channel required? (estimate as once per year, once every five years, etc.)

6. If the allowed outage times were extended to 72 hours for the analog channels how would this impact the time to complete test activities (circle one)?

   i. test time would not be impacted

   ii. test time would increase by 25%

   iii. test time would increase by 50%

   iv. test time would increase by a factor of 2

   v. test time would increase by a factor of 4

   vi. test time would increase to 72 hours

   vii. other (please specify)

7. If the allowed outage times were extended to 24 hours for the logic cabinets, how would this impact the time to complete test activities (circle one)?

   i. test time would not be impacted

   ii. test time would increase by 25%

   iii. test time would increase by 50%

   iv. test time would increase by a factor of 2

   v. test time would increase by a factor of 4

   vi. test time would increase to 24 hours

   vii. other (please specify)

8. If the allowed outage times were extended to 72 hours for the analog channels, how would this impact the time to complete maintenance activities (circle one)?

   i. maintenance time would not be impacted

   ii. maintenance time would increase by 25%

   iii. maintenance time would increase by 50%

   iv. maintenance time would increase by a factor of 2

   v. maintenance time would increase by a factor of 4

   vi. maintenance time would increase to 72 hours

   vii. other (please specify)

C-4

9. If the allowed outage times were extended to 24 hours for the logic cabinets, how would this impact the time to complete maintenance activities (circle one)?

   i. maintenance time would not be impacted

   ii. maintenance time would increase by 25%

   iii. maintenance time would increase by 50%

   iv. maintenance time would increase by a factor of 2

   v. maintenance time would increase by a factor of 4

   vi. maintenance time would increase to 24 hours

   vii. other (please specify)

10. If the allowed outage times were extended to 72 hours for analog channels, would additional test or maintenance activities be performed at power (such as channel calibrations)? If yes, please describe the activity, and provide the frequency of occurrence and estimated time to complete the activity (if necessary, attach an additional page providing the information).

11. If the allowed outage times were extended to 24 hours for logic cabinets, would additional test or maintenance activities be performed at power? If yes, please describe the activity, and provide the frequency of occurrence and estimated time to complete the activity (if necessary, attach an additional page providing the information).

Plant Startup and Shutdown Operating Information (Please limit this to the latest five years of operation. If WOG-TOP AOT and STI changes have been implemented during this five year period, please divide the number into pre- and post TOP operation.)

1. Number of controlled plant shutdowns:

2. Number of Tech Spec required shutdowns:

3. Number of (Tech Spec specified) instrumentation related shutdowns:

4. Number of shutdowns avoided due to discretionary enforcement:

5. Number of shutdowns related to (Tech Spec specified) instrumentation avoided due to discretionary enforcement:

C-5

6. Number of startups:

7. Number of reactor trips:

8. Number of trips that occurred while in a controlled shutdown:

9. Number of trips that occurred during startup:

10. Number of reactor trips related to instrumentation test or maintenance activities:

    number related to test activities:

    number related to maintenance activities:

11. Number of spurious safety injections (please break down as follows):

    number at power:

    number during a controlled shutdown:

    number during startup:

12. Number of spurious safety injections related to instrumentation test or maintenance activities:

    number related to test activities:

    number related to maintenance activities:

13. Have multiple channels measuring the same variable (e.g., pressurizer pressure, steam generator water level on the same steam generator, etc.) been in either test or maintenance at the same time? If so, please provide a list that identifies the channels involved, the number of channels required to trip, and the time history (when the channels were placed in trip or bypass and when they were returned to service - if necessary, attach an additional page providing the information).

14. Time period examined to respond to the above questions on plant startup and shutdown operating information (divide between pre-TOP and post TOP if applicable):

15. Estimated percentage of time the plant was in modes 1 or 2 during this time period:

C-6

WOG Tech Spec Instrumentation Chapter Optimization Program

Plant Survey: Part 2

Would you be able and willing to provide the following information (do not provide it at this time, only answer this question)? yes/no (circle one)

THE INFORMATION BELOW IS NOT REQUIRED TO BE PROVIDED AT THIS TIME

Please provide a history, for the previous three complete fuel cycles divided between pre- and post TOP implementation if applicable, of the unavailability of instrumentation logic and channels. This history should identify when the logic cabinets and channels were taken out and returned to service for either test or maintenance activities. Note if the test or maintenance activity was performed in bypass or trip. If possible, provide this in chronological order.

If the channels are identified by a plant specific identifier, please provide a key that defines the identifier in general terms (e.g., pressurizer pressure channel #1). A suggested table to capture this information follows.

Suggested Table for Channel and Logic Unavailability History

Component   Time and Date          Time and Date          Activity Performed   Trip or Bypass
            Removed from Service   Returned to Service    (test or maint)

PZR P1      1/5/91, 1:15 PM        1/5/91, 2:00 PM        test                 trip
SG1 L1      1/6/91, 8:00 AM        1/6/91, 9:30 AM        test                 trip
etc.

Please return the completed survey to:

Mail to:
Mr. G.R. Andre'
ECE MS 4-28
Westinghouse Electric Corporation
P.O. Box 355
Pittsburgh, PA 15230-0355

Fax to: (412) 374-5099

Due Date: Friday September 16, 1994

C-7

APPENDIX D

Fault Tree Diagrams

The information provided in this appendix is proprietary to Westinghouse Electric Corporation. Due to the volume of information, it has not been bracketed. The coding associated with this information is "+a,c".

m:\2099w.wpf.1d-060295 D-1

APPENDIX E

Event Sequence Quantification Results

E-1

This appendix provides a summary of the sequences leading to core damage from the accident sequence quantification. Only the accident sequences that contain failures of reactor trip or engineering safety feature actuation signals out of the top 100 sequences are provided. These sequences are provided for the following cases:

- Pre-TOP Case: Solid State Protection System, 2 of 4 Signal Logic

- TOP Case: Solid State Protection System, 2 of 4 Signal Logic

- Proposed Case: Solid State Protection System, 2 of 4 Signal Logic

- Pre-TOP Case: Solid State Protection System, 2 of 3 Signal Logic

- TOP Case: Solid State Protection System, 2 of 3 Signal Logic

- Proposed Case: Solid State Protection System, 2 of 3 Signal Logic

Note that in some sequences neither RT (reactor trip actuation signal) nor ESF (engineered safety features actuation signal) shows as a failure. In these sequences, the ESF actuation signal is included in the auxiliary feedwater (AFW) unavailability value.

For each sequence in each case, the following information is provided:

Number - Sequence number

Frequency - Sequence frequency (per year)

Percent - Percent contribution of the sequence to the total core damage frequency

Sum - Summation of all the sequences up to that sequence number

Event - Top event in the event tree

Value - The value (system unavailability, operator action failure probability, etc.) associated with the top event

Description - Description of the top event

E-2

Pre-TOP Case: Solid State Protection System, 2 of 4 Logic

Total plant damage state frequency = 5.706E-005

NUMBER  FREQUENCY  PERCENT  SUM
   EVENT  VALUE  DESCRIPTION

5.  1.204E-006  2.11%  9.179E-006
   PMF    1.500E+000  Partial Loss of Main Feedwater Flow
   RT     1.700E-005  REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) - ALL SUPPORT
   PLL    6.610E-001  INITIAL POWER LESS THAN 40%
   OMG    5.000E-001  OA TO TRIP MG SETS
   OCR    5.070E-001  OA TO INSERT CONTROL RODS
   PPR    2.690E-001  FULL AFW AND NO CRI ALL SUPPORT AVAIL

6.  1.148E-006  2.01%  1.033E-005
   LOSP1  4.100E-002  Loss of Offsite Power (Single Unit)
   4KAC   5.470E-002  4160 V AC POWER BUS A FAIL (WITH DGs - LOSP)
   AFW    2.000E-002  MDP TO 2/4 SGs FAIL- 5 HRS- TR B SPRT (NO TRA)
   CON    1.000E+000  1/3 CON PMPs-1/4 SGs FAIL- NO SUPPORT
   HPR    2.800E-002  1/2 CCPs 1/2 RHR- TR A SPRT FAILS

9.  1.004E-006  1.76%  1.346E-005
   LOSP1  4.100E-002  Loss of Offsite Power (Single Unit)
   4KAC   5.470E-002  4160 V AC POWER BUS A FAIL (WITH DGs - LOSP)
   AFW    2.000E-002  MDP TO 2/4 SGs FAIL- 5 HRS- TR B SPRT (NO TRA)
   CON    1.000E+000  1/3 CON PMPs-1/4 SGs FAIL- NO SUPPORT
   HPI    2.430E-002  1/2 CCPs- 3/4 CLEGS- TR B SPRT AVAIL- LOSP

17. 3.902E-007  1.03%  1.904E-005
   SGR    2.500E-002  Steam Generator Tube Rupture
   AFW    2.510E-003  2/2 MDPs & TDP- 3/3 SGs FAIL- 5 HRS- ALL SUPPORT
   OAB    1.000E-002  OA TO ESTABLISH BLEED AND FEED COOLING

18. 5.859E-007  1.03%  1.962E-005
   TT     7.300E-001  Turbine Trip
   RT     1.700E-005  REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) - ALL SUPPORT
   PLL    8.610E-001  INITIAL POWER LESS THAN 40%
   OMG    5.000E-001  OA TO TRIP MG SETS
   OCR    5.070E-001  OA TO INSERT CONTROL RODS
   PPR    2.690E-001  FULL AFW AND NO CRI ALL SUPPORT AVAIL

24. 4.840E-007  0.85%  2.274E-005
   PMF    1.500E+000  Partial Loss of Main Feedwater Flow
   RT     1.700E-005  REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) - ALL SUPPORT
   PLL    8.610E-001  INITIAL POWER LESS THAN 40%
   OMG    5.000E-001  OA TO TRIP MG SETS
   OCR    5.070E-001  OA TO INSERT CONTROL RODS
   OBR    1.550E-001  OA TO ESTABLISH EMERGENCY BORATION

25. 4.658E-007  0.82%  2.321E-005
   PMF    1.500E+000  Partial Loss of Main Feedwater Flow
   RT     1.700E-005  REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) - ALL SUPPORT
   PLL    8.610E-001  INITIAL POWER LESS THAN 40%
   OMG    5.000E-001  OA TO TRIP MG SETS
   OCR    5.070E-001  OA TO INSERT CONTROL RODS
   AFW    8.850E-002  2/2 MDPs & TDP TO 4/4 SGs FAIL- 5 HRS - ALL SUPPORT

26. 4.434E-007  0.78%  2.365E-005
   MLO    8.000E-004  Medium Loss of Coolant Accident
   ESF    6.880E-004  ENGINEERED SAFETY FEATURES TRAINS A&B FAIL (MLO)
   HPI    1.000E+000  2/4 HPIs- 2/3 CLEGS- MLO- NO SUPPORT
   AFW    1.000E+000  AFW - NO SUPPORT AVAILABLE
   CCU    1.000E+000  CCUs FAIL TO PROVIDE COOLING- 24 HRS- NO SUPPORT
   CCW    1.000E+000  1/2 CCW TRAINS NO SUPPORT

27. 4.404E-007  0.77%  2.409E-005
   PMF    1.500E+000  Partial Loss of Main Feedwater Flow
   RT     1.700E-005  REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) - ALL SUPPORT
   PLL    8.610E-001  INITIAL POWER LESS THAN 40%
   OMG    5.000E-001  OA TO TRIP MG SETS
   AFW    8.850E-002  2/2 MDPs & TDP TO 4/4 SGs FAIL- 5 HRS - ALL SUPPORT

E-3

Pre-TOP Case: Solid State Protection System, 2 of 4 Logic (Cont'd)

29. 4.253E 007 0.75 % 2.495E 005 LMF 5.300E 001 Loss of Main feedwater Flow l RT 1.700E 005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA)
  • ALL SUPPORT f PLL 8.610E 001 INITIAL POWER LESS THAN 40%

! OMG 5.000E 001 OA 70 TRIP MG SETS OCR 5.070E 001 OA TO INSERT CONTROL RODS PPR 2.690E 001 FULL AFW AND NO CRI ALL SUPPORT AVAIL

31. 4.172E 007 0. 73 % 2.579E 005 LOSP1 4.100E-002 Loss of offsite Power (Single Unit) 4KAC 5.470E-002 4160 V AC POWER BUS A Fall (WITH OGs LOSP)

AFW 2.000E 002 MDP TO 2/4 SGs FAIL 5 HRS- TR B SPRT (No TRA)

CON 1.000E+000 1/3 CON PMPs 1/4 SGs FAIL ** NO SUPPORT OAB 1.000E 002 OA TO ESTABLISH BLEED AND FEED COOLING START SI

33. 3.882E-007 '0.68% 2.657E-005 PMF 1.500E+000 Partial Loss of Main Feedwater Flow AFW 2.710E 005 2/2 MDPs & TDP 2/4 SGs FA!L* $ HRS- ALL SUPPORT CON 1.000E+0001/3 CON PMPs*1/4 SGs F AIL h0 SUPPORT OAB 1.000E-002 CA To ESTABLISH BLEED AND FEID COOLING -$ TART SI
37. 3.589E-007 0.63% 2.802E 005 .

SGR 2.500E 002 Steam Generator Tube Rupture AFW 2.510E-003 2/2 MDPs & TDP 3/3 SGs FAIL

  • 5 HRS ALL SUPPORT OAR 6.090E 003 OA 70 ESTABLISH HIGH PRESSURE RECIRC W/O SPRAT

!$. 3.422E 007 0.60% 2.836E-005 LLO 3.000E 004 LarBe Loss of Coolant Accident ESF 1.180E-003 ENGINEERED SAFETT FEATURES TRAINS A&8 FAIL (LLO)

LPI 1.000E+000 1/2 RHR PMPs TO 2/3 COLD LEGS LLO No SPRT HP1 '1.000E+000 2/4 HPIs- 2/3 CLEGS LLO- NO SUPPORT-CCU 1.000E+000 CCus FAIL 10 PROVIDE COOLING- 24 HRS- NO SUPPORT 42, 2.809E 007 0.49% 2.954E-005 LOC 3.500E-001 Loss of Condenser

! RT 1.700E 005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITM OA) - ALL SUPPORT PLL 8.610E-001 INITIAL POWER LESS THAN 40%

OMG 5.000E-001 OA TO TRIP MG SETS OCR 5.070E-001 OA 10 INSERT CONTROL RODS PPR 2.690E-001 FULL AFW AND NO CRI ALL SUPPORT AVAIL

43. 2.799E 007 0.49% 2.982E-005 LOSP2 1.000E 002 Loss of Of fsite Power (Dual Unit) 4KAC 5.470E-002 4160 V AC POWER BUS A FAIL (WITH DGs LOSP)

AFW 2.000E-002 MDP 70 2/4 SGs FAIL 5 HRS- TR S SPRT (NO TRA)

CON 1.000E+000 1/3 CON PMPs-1/4 SGs FAIL - NO SUPPORT HPR 2.800E 0021/2 CCPs 1/2 RHR- TR A SPRT FAILS 47, 2.512E-007 0.44% 3.088E-005 LOSP1 4.100E 002 Loss of of fsite Power (Single Unit) 4KAC 5.470E 002 4160 V AC POWER BUS A FAIL (WITH DCs LOSP)

AFW 2.000E 002 MDP T0 2/4 SGS FAIL- 5 HRS TR B SPRT (No TRA)

CON 1.000E+000 1/3 CON PMPs-1/4 SGs FAIL

  • NO SUPPORT OAR 6.090E-003 OA 70 ESTABLISM HIGN PRESSURE RECIRC (INCLLDES OLP) 49, 2.448E 007 0.43% 3.137E-005 LOSP2 ' 1.000E 002 Loss of of f site Power (Dual Unit) 4KAC 5.470E-002 4160 V AC POWER BUS A Fall (WITH DGs - LOSP)

AFW 2.000E-002 MDP TO 2/4 SGs FAIL 5 HRS- TR B $PRT (N0 TRA)

CON 1.000E+000 1/3 CON PMPs 1/4 SGs FAIL

  • ALL SUPPORT PLL 8.610E 001 INITI AL POWER LESS THAN 40%

(MG 5.000E-001 OA TO MIP MG SETS OCR 5.070E-001 OA TO INSERT CONTROL ROOS OBR 1.550E 001 OA 70 ESTABLISM EMERGENCT BORATION E-4

Pre-TOP Case: Solid State Protection System, 2 of 4 Logic (Cont'd)

54. 2.343E-007 0.41% 3.256E-005

PMF 1.500E+000 Partial Loss of Main feedwater Flow i AFW- 2.710E 005 2/2 MDPs & TDP- 2/4 SGs FAIL- 5 HRS ALL SUPPORT '

CON 1.000E+000 1/3 CON PMPs*1/4 SGs FAIL- NO SUPPORT OAR 6.090E-003 OA 70 ESTABLISH HlGH PRESSURE RECIRC (INCLUDES OLP) l

55. 2.267E 007 a.40% 3.279E 005 TT 7.300E 001 Turbine Trip .

l RT- 1.700E-005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) - ALL SUPPORT *

! PLL 8.610E-001 INITIAL POWER LESS'THAN 40%

OMG 5.000E 001 OA TO TRIP MG SETS

- OCR - 5.070E-001 OA TO INSERT CONTROL RODS .

AFW 8.850E-002 2/2 MDPs & TDP TO 4/4 SGs FAIL 5 HRS - ALL SUPPORT

57. 2.143E 007 0.38% 3.323E-005  ?

TT 7.300E-001 Turbine Trip .

RT 1.700E 005 REACTOR TRIP FAILS (DIVERSE $1GNAL WITH 04) ALL SUPPORT .

PLL 8.610E-001 INITIAL POWER LESS THAN 40%

OMG 5.000E-001 04 TO TRIP MG SETS .

AFW 8.850E 002 2/2 MDPs & TDP TO 4/4 SGs FAIL- 5 HR$ ALL SUPPORT 64 1.809E 007 0.32% 3.45 7E-005 .

i

- 4.100E 002 Loss of of fsite Power ($1ngle Unit)

LOSP1 4KAC 5.47DE-002 4160 V AC POWER BUS A FAIL (WITH DGs - LOSP)

AFW 2.000E-002 MDP TO 2/4 SGs FAIL- 5 HRS TR B SPRT (NO TRA) '

CON 1.000E+000 1/3 CON PMPs 1/4 SGs FAIL NO SUPPORT PZR 4.490E-003 1/2 P2R PORVs4 BLOCK VLVS FAIL To OPER* TR B SPRT

70. 1. 710E-007 0.30% 3.564E-005 LMF 5.300E-001 Loss of Main Feedwater Flow RT 1.700E 005 REACTOR TRIP FAILS (DIVERSE $1GNAL WITH 04) - ALL SUPPORT l PLL 8.610E 001 INITIAL POWER LESS THAN 40% i OMG 5.000E 001 OA TO TRIP MG SETS OCR 5.070E 001 OA 70 INSERT CONTROL ROOS '

OBR 1.550E-001 OA 70 ESTABLISH EMERGENCY BORATION

71. 1.646E 007 0.29% 3.580E 005 tMF 5.300E-001 Loss of Main Feedwater Flow RT 1.700E-005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) - ALL SUPPORT I

PLL 8.610E 001 INITI AL POWER LESS THAN 40%

OMG 5.000E-001 OA 70 TRIP MG SETS ,

OCR 5.070E 001 OA 70 INSERT CONTROL RODS  ;

i

'AFW 8.850E-002 2/2 MDPs & TDP TO 4/4 SGs FAIL- 5 HR$ - ALL SUPPORT

75. 1.556E 007 0.27% 3.644E-005 LMF 5.300E-001 Loss of Main Feedwater Flow RT 1.700E 005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH 04) ALL SUPPORT PLL B.610E-001 INITI AL POWER LESS THAN 40%

OMG 5.000E-001 OA TO TRIP MG SETS AFW 8.850E-002 2/2 MDPs & TDP TO 4/4 SGs FAIL 5 HR$

  • ALL SUPPORT
77. 1.482E-007 0.26% 3.674E 005 <

SGR 2.500E 002 Steam Generator Tube Rupture l AFW 2.510E-003 2/2 p@Ps & TDP* 3/3 SGS FAIL 5 HRS ALL SUPPORT j HPR 2.530E 003 1/2 CCPs .3/2 RHR- ALL SUPPORT  ;

81. 1.429E 007 0.25% 3.732E 005 l SLO 6.600E 003 Smett loss of Coonant Accident i ESF 9.200E 004 ENGINEERED SAFETT FEATURES TRAIN A FAILS (OTHERS) l CCP 2.550E-002 1/2 CCPs 3/4 CLEGS- TR 8 SPRT AVAll .l LPI 1.000E+000 LPI 1/2 LPIs- 3/4 CLEGS- NO SUPPORT q
86. '.372E 007 0.24% 3.801E 005 LMF 5.300E-001 Loss of Main Feedwater Flow AFW 2.710E 005 2/2 IOPs & TDP 2/4 SGs FAIL 5 HRS ALL SUPPORT CON 1.000E+000 1/3 CON PMPs 1/4 SGs FAIL- NO SUPPORT CAB 1.000E-002 OA TO ESTABLISH BLEED AND FEED COOLING -START 51 .

j E5 .l

Pre-TOP Case: Solid State Protection System, 2 of 4 Logic (Cont'd)

87. 1.364E-007 , 0.24% 3.815E- 005 -

SIS 1.700E 001 Safety Injection Signal (Inedy) . . .

RT 1.700E 005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH DA) - ALL SUPPORT PLL 8.610E 001 INITI AL POWER LESS THAN 40%

OMG 5.000E 001 OA TO TRIP MG SETS DCR 5.070E 00104 70 INSERT CONTROL RODS PPR 2.690E-001 FULL AFW AND NO CRI ALL. SUPPORT AVAIL

89. 1.330E 007 . 0.23% 3.842E*005 PMF 1.500E+000 Partial Loss of Main Feedwater Flow RT 1.700E 005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH DA) - ALL SUPPORT OMG 5.000E+001 DA 70 TRIP MG SETS.

OCR 5.070E-001 OA TO INSERT CONTROL 2005 der 1.550E 001 OA TO ESTABLISH EMERGENCY BORATION-Li 97. 1.168E 007 0.20% . 3.941E 005 PMF 1.500E+000 Partial Loss of Main Feedwater Flow RT 1.700E-005 REACTOR TRIP F AILS (DIVERSE SIGNAL WITH DA) ALL SUPPORT PLL 8.610E 001 INITIAL POWER LESS THAN 40%

OMG 5.000E-001 OA 70. TRIP MG SETS OCR 5.07DE D01 OA TO INSERT CONTROL RODS

AFW 6.130E 002 TDP TO 2/4 SGs FAILS 5 HR$ ALL SUPPORT PPR 3.62DE-001 PARTI AL AFW AND NO CRI ALL SUPPORT AVAIL
98. 1.129E 007 - 0.20% 3.952E 005 LOC 3.500E-001 Loss of Condenser RT 1.70DE 005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH DA) - ALL SUPPORT PLL 8.610E-001 INITI AL POWER LESS THAN 40%

OMG 5.000E 001 04 TO TRIP MG SETS DCR 5.070E 001 OA 70 INSERT CONTROL RODS Ost - 1.550E 001 OA TO ESTABLISH EMERGENCY 80 RATION 6-1 E-6

TOP Case: Solid State Protection System, 2 of 4 Logic

Total plant damage state frequency = 5.800E-005

NUMBER FREQUENCY PERCENT SUM
EVENT VALUE DESCRIPTION

5. 1.239E-006 2.14% 9.213E-006 PMF 1.500E+000 Partial Loss of Main Feedwater Flow RT '

1.760E 005 REACTOR TRIP FAILS (DIVERSE $1GNAL WITH OA) ALL SUPPORT PLL 8.610E 001 INITIAL POWER LESS THAN 40%

0MG 5.000E 001 OA TO TRIP MG SETS' OCR 5.070E 001 OA 10 INSERT CONTROL RODS  !

PPR 2.690E-001 FULL AFW AND NO CRI ALL SUPPORT AVAIL

6. 1.147E-006 1.98% 1.036E 005 .
f LOSP1 4.100E 002 Loss of offsite Power (Single Unit) 4KAC 5.470E-002 4160 V AC POWER BUS A Fall (WITH DGs - LOSP) -

AFW 2.000E 002 MDP TO 2/4 SGs FAIL 5 HRS TR 8 SPRT (NO TRA)  !

CON 1.000E+0001/3 CON PMPs 1/4 SGS FAIL-- NO SUPPORT '

HPR 2.800E 002 1/2 CCPs 1/2 RNR TR A SPRT FAILS

9. 9.990E-007 1.72% 1.348E 005 LOSP1 4.100E-002 Loss of Offsite Power (Single Unit)  !

4 TAC 5.470E-002 4160 V AC POWER BUS A FAIL (WITH DGs - LOSP)  !

AFW 2.000E 002 MDP TO 2/4 SGs FAIL- 5 HRS- TR S SPRT (NO TRA) l CON 1.000E+000 1/3 CON PMPs-1/4 SGs FAIL- NO SUPPORT 'l MPI 2.430E-002 1/2 CCPs 3/4 CLEGS TR B SPRT AVAIL- LOSP

16. 6.030E-007 1.04% 1.846E 005 TT 7.300E-001 Turbine Trip RT 1.760E-005 REACTOR TRIP FAILS (DIVERSE $1GNAL WITH DA) - ALL SUPPORT PLL 8.610E-001 INITIAL POWER LESS THAN 40% l OMG 5.000E-001 OA TO TRIP MG SETS !l '

OCR 5.070E-001 OA TO INSERT CONTROL ROOS PPR 2.690E-001 FULL AFW AND NO CRI ALL SUPPORT AVAIL

18. 5.899E 007 1.02% 1.965E-005 SGR 2.500E 002 Steam Generator Tube Rupture l AFW 2.510E 003 2/2 MDPs & TDP. 3/3 SGs FAIL 5 HRS- ALL SUPPORT OAB 1.000E 002 OA TO ESTABLISH BLEED AND FEED COOLING
24. 4.981E-007 0.86% 2.27BE 005 PMF 1.500E+000 Partial Loss of Main Feedwater Flow RT 1.760E 005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH 04) - ALL SUPPORT PLL 8.610E 001 INIT!AL POWER LESS THAN 40%

OMG 5.000E 001 OA TO TRIP MG SETS OCR 5.070E 001 OA TO INSERT CONTROL RODS DBR 1.550E 001 OA TO ESTABLISH EMERGENCY BORATION

25. 4.825E 007 0.83% 2.326E-005 PMF 1.500E+000 Partial loss of Main Feedwater Flow RT 1.760E 005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) - ALL $UPPORT. i PLL 8.610E 001 INITIAL POWER LESS THAN 40%

OMG 5.000E-001 OA TO TRIP MG SETS DCR 5.070E 001 OA TO INSERT CONTROL RODS AFW 8.560E 002 2/2 MDPs & TDP TO 4/4 SGs FAIL 5 HR$ + ALL SUPPORT

26. 4.742E 007 0.82% 2.373E-005 MLO 8,000E-004 Meditan Loss of Coolant Accident ESF 7.360E-004 ENGINEERED SAFETY FEATURES TRAlWS A&B FAIL (MLO)

HP! 1.000E+000 2/4 HPIs- 2/3 CLEGS- MLO- No SUPPORT AFW 1.000E+000 AFW - No SUPPORT AVAILABLE CCU 1.000E+000 CCus FAIL TO PPovlDE COOLING 24 HRS- No SUPPORT CCW 1.000E+0001/2 CCW TRAINS NO SUPPORT 27 4.561E-007 0.79% 2.419E-005 PNF 1.500E+000 Partial Loss of Main Feedwater Flow RT 1.760E-005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH DA) ALL SUPPORT PLL 8.610E 001 INITI AL POWER LESS THAN 40%

OMG 5.000E 00104 TO TRIP MG SETS AFW 8.860E-002 2/2 MDPs & TDP TO 4/4 SGs FAIL- 5 HR$ - ALL SUPPORT E-7

TOP Case: Solid State Protection System, 2 of 4 Logic (Cont'd)

28. 4.378E-007.. 0.75% '2.663E-005-

'LMF 5.300E*001 Loss of Main feedwater Flow 3 RT 1.760E 005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) ALL SUPPORT  :

PLL- 8.610E 001 INITIAL POWER LESS THAN 40% 1 OMG 5.000E 001 OA TO TRIP MG SETS-0CR 5.070E 001 OA TO INSERT CONTROL RODS .

j E 1 PPR 2.690E 001 FULL AFW AND NO CRI ALL SUPPORT AVAIL H 31, 4.153E 007 0.72% 2.590E 005 Y LOSP1 4.100E-002 Loss of Offsite Power (Single Unit) ,

(:

4KAC - 5.470E 002 4160 V AC POWER BUS A Fall (WITH DGs LOSP)

'- AFW 2.000E-002 MDP TO 2/4 SGs FAIL 5 HRS- TR B SPRT (N0 TRA)

CON 1.000E+000 1/3 CON PMPs-1/4 SGs FAIL - No SUPPORT 7 1.000E-002 OA TO ESTABLISH BLEED AND FEED COOLING -START SI  ;

OAB

32. 4.059E 007- 0.70% 2.631E 005 . . . ,

LLO 3.000E 004 Large Loss of Coolant Accident .

ESF 1.400E 003 ENGINEERED SAFETY FEATURES TRAli.i A&B FAIL (LLO)  ;

LPI 1.000E+000 1/2 RHR PMPs TO 2/3 COLD LEGS- LLO NO SPRT HPI 1.000E+000 2/4 HPIs 2/3 CLEGS LLO NO SUPPORT CCU 1.000E+000 CCUs Fall TO PROVIDE COOLING ' 24 HRS- NO SUPPORT 34 3.879E-007 0.67% 2.708E 005 PMF 1.500E+000 Partial Loss of Main Feedwater Flow AFW 2.710E 005 2/2 MDPs & TDP- 2/4 SGS FAIL 5 HRS ALL SUPPORT CON 1.000E+000 1/3 CON PMPs 1/4 SGs FAIL HO SUPPORT OAB 1.000E-002 OA TO ESTABLISH BLEED AND FEED COOLING -START SI ,

37. 3.587E 007 0.62% 2.817E 005 SGR 2.500E-002 Steam Generator Tube Rupture AFW 2.510E-003 2/2 MDPs & TDP 3/3 SGs FAIL 5 HRS- ALL SUPPORT i OAR 6.090E 003 OA 70 ESTABLISH HIGH PRESSURE RECIRC W/0 SPRAY
42. 2.891E 007 0.50% 2.971E-005 LOC 3.500E 001 Loss of Condenser i

RT 1.760E 005 REACTOR TRIP FAILS (OlVERSE SIGNAL WITH OA) - ALL SUPPORT PLL 8.610E-001 INITIAL POWER LESS THAN 40% ,

CMG 5.000E 001 04 TO TRIP MG SETS-OCR 5.070E 001 OA TO INSERT CONTROL RODS  :

PPR 2.690E-001 FULL AFW AND NO CRI ALL SUPPORT AVAIL

43. 2.799E-007 0.48%- 2.999E 005- '

LOSP2 1.000E-002 Loss of offsite Power (Dual Unit) 4KAC 5.470E 002 4160 V AC POWER BUS A Fall (WITH DGs LOSP) ,

t AFW 2.000E 002 MDP TO 2/4 SGs FAIL 5 HRS. TR B SPRT (N0 TRA)

CON 1.000E+000 1/3 CON PMPs-1/4 SGs FAIL-* NO SUPPORT '

HPR 2.800E-002 1/2 CCPs 1/2 RHR- TR A SPRT FAILS

47. 2.511E-007 0.43% 3.104E 005 LOSP1 4.100E 002 toss of Offsite Power (SinBle Unit) 'I i

4KAC 5.470E-002 4160 V AC POWER BUS A FA!L (Wi1H DGs LOSP)

AFW 2.000E-002 MDP TO 2/4 SGs FAIL 5 HR$* TR B SPRT (NO TRA)

CON 1.000E+000 1/3 CON PMPs*1/4 SGs FAIL- NO SUPPORT OAR 6.090E-003 OA TO ESTABLISH HIGH PRESSURE RECIRC (INCLUDES OLP) ,

50. 2.437E 007 0.42% 3.178E-005  !

LOSP2 1.000E 002 Loss of Offsite Power (Dual Unit)  !

4KAC 5.470E 002 4160 V AC POWER BUS A Fall (WITH DGs - LOSP)

AFW 2.000E 002 MDP To 2/4 SGs FAIL 5 HRS TR B $PRT (No TRA)

CON. 1.000E+000 1/3 CON PMPs 1/4 SGs FAIL

51. 2.424E 007 0.42% 3.202E 005  :

TT 7.300E-001 Turbine Trip .

RT 1.760E-005 REACTOR TRIP FAILS (DIVERSE $1GNAL WITH DA) - ALL SUPPORT  !

PLL 8.610E-001 INITIAL POWER LESS THAN 40%

OMG 5.000E-001 OA TO TRIP MG SETS  !

OCR 5.070E-00104 TO INSERT CONTROL RODS j OBR 1.550E-001 OA TO ESTABLISH EMERGENCT BORATION ,

i E-8

TOP Case: Solid State Protection System, 2 of 4 Logic (Cont'd)

54. 2.348E 007' O.40%' 3.274E-005 TT .7.300E 001 Turbine Trip-RT 1.760E 005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH DA) - ALL $UPPORT PLL 8.610E-001 INITIAL POWER LESS THAN 40%

OMG 5.000E-001 OA TO TRIP MG SETS OCR 5.070E-001 OA TO INSERT CONTROL RODS AFW 8.860E-002 2/2 MDPs & TDP TO 4/4 SGs FAIL 5 HR$ - ALL SUPPORT 55, 2.342E 007 0.40% 3.297E 005 PMF ' 1.500E+000 Partist Loss of Main feedwater Flow AFW ' 2.710E-005 2/2 MDPs & TDP 2/4 SGS FAIL- 5 HRS- ALL SUPPORT CON 1.000E+000 1/3 CON PMPs 1/4 SGs FAIL-- NO SUPPORT DAR 6.090E-003 OA To ESTABLISH HIGH PRESSURE RECIRC (INCLUDES OLP) 57 2.220E-007 0.38% .3.342E-005 TT 7.300E 001 Turbine Trip .

RT 1.760E-005 REACTOR TRIP FAILS (DIVERSE S!GNAL WITH DA) ALL SUPPORT PLL 8.610E-001 INITI AL POWER LESS THAN 40%

OMG 5.000E-00104 TO TRIP MG SETS AFW 8.860E-002 2/2 MDPs & TDP TO 4/4 SGs FAIL 5 HR$ - ALL SUPPORT

63. 1.879E 007 0.32% 3.458E-005 SLO 6.600E-003 Smatt Loss of Coolant Accident ESF 1.210E-003 ENGINEERED SAFETT FEATURES TRAIN A FAILS (OTHERS)

CCP 2.550E-002 1/2 CCPs- 3/4 CLEGS- TR 8 SPRT AVAIL LPI 1.000E+000 LPI- 1/2 LPIs 3/4 CLEGS- NO SUPPORT

66. 1.801E-007 0.31% 3.513E 005 LOSP1 4.100E 002 Loss of of fsite Power (Single Unit) 4KAC 5.470E 002 4160 V AC POWER BUS A FAIL (WITH DGs - LOSP)

AFW 2.000E-002 MDP TO 2/4 SGs FAIL- 5 HRS- TR B SPRT (NO TRA)

CON 1.000E+0001/3 CON PMPs 1/4 SGs FAIL- No SUPPORT PZR 4.490E-0031/2 PZR PORVs& BLOCK VLVS FAIL TO OPER TR 8 SPRT

70. 1.760E-007 0.30% 3.584E 005 LMF 5.300E 001 Loss of Main Feedwater Flow RT 1.760E-005 REACTOR TRIP FAILS (DIVERSE $1GNAL WITH DA) ALL SUPPORT PLL 8.610E-001 INITIAL POWER LESS THAN 40%

OMG 5.000E 001 OA TO TRIP MG SETS DCR 5.070E-001 DA TO INSERT CONTROL RODS OBR 1.550E-001 OA TO ESTABLISH EMERGENCT 80RAfl0N

72. 1.705E 007 0.29% 3.619E-005 LMF 5.300E 001 Loss of Main Feedwater Flow RT 1.760E-005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH DA) - ALL SUPPORT PLL 8.610E 001 INITI AL POWER LESS THAN 40%

OMG 5.000E-001 OA TO TRIP MG SETS DCR 5.070E 001 OA TO INSERT CONTROL RODS AFW 8.860E 002 2/2 MDPs & TDP TO 4/4 SGs FAIL- 5 HR$ ALL SUPPORT

76. 1.612E 007 0.28% 3.683E 005 LMF 5.300E-001 Loss of Main Feedwater Flow RT 1.760E 005 REACTOR TRIP FAILS (DIVERSE SICNAL WITH DA) - ALL SUPPORT PLL 8.610E 001 INITI AL POWER LESS THAN 40%

OMG 5.000E 001 OA TO TRIP MG SETS AFW 8.660E-002 2/2 MDPs & TDP TO 4/4 SGs FAIL- 5 HR$ - ALL SUPPORT

78. 1.481E 007 0.26% 3.713E 005 SGR 2.500E 002 Steam Generator Tube Rupture ~

AFW 2.510E-003 2/2 MDPs & TDP- 3/3 SGs FAIL- 5 HRS- ALL SUPPORT HPR 2.530E-003 1/2 CCPs 1/2 RHR- ALL SUPPORT

83. 1.404E 007 0.24% 3.785E 005 SIS 1.700E 001 Safety injection Signet (Inadv)

RT 1.760E-005 REACTOR TRIP FAILS (DIVERSE SIGNAL JITH GA) - ALL SUPPORT PLL 8.610E 001 INITIAL POWER LESS THAN 40%

OMG 5.000E-001 OA TO TRIP MG SETS DCR 5.070E-001 OA TO INSERT CONTROL RODS PPR 2.690E-001 FULL AFW AND NO CRI ALL SUPPORT AVAIL E-9

TOP Case: Solid State Protection System, 2 of 4 Logic (Cont'd)

87. 1.376E 007 ' O.24% ' 3.840E 005 ..

PNF 1.500E+000 Partial Loss of Main Feedwatsr Flow RT 1.760E 005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH DA) - ALL SUPPORT

. OMG 5.000E 001 04 TO TRIP MG SETS DCR 5.070E 001 04 70 INSERT CONTROL RODS 08R 1.550E 001 OA TO ESTABLISM EMERGENCY BORAfl0N

88. 1.373E 007' O.24% 3.854E 005 MLO'- 8.000E-004 Medium Loss of Coolant Accident l ESF 2.420E-002 ENGINEERED SAFETY FEATURES TRAIN B FAILS (MLO) i LPR 8.040E-0031/2 RPMPs CLEG REC 1/3 CL- MLo TR A SUPPORT AVAIL
89. -1.371E-007 0.24% ~- 3.867E 005 LMF 5.300E-001 Loss of. Main Feedwater Flow AFW ' 2.710E-005 2/2 MDPs & TDP 2/4 SGs FAIL- 5 HRS
  • ALL SUPPORT +

CON 1.000E+000 1/3 CON PMPs 1/4 SGs Fall - NO SUPPORT j 0A8 '1.000E-002 OA TO ESTABLISH BLEED AND FEED COOLING -START 51 i

90. 1.370E 007 'O.24% ' 3.881k 005 -

MLO 8.000E-004 Medium Loss of Coolant Accident ESF 2.420E-002 ENGINEERED SAFETY FEATURES TRAIN A FAILS (MLO)

LPR 8.040E-003 1/2 RPMPs CLEG REC 1/3 CL- MLO- TR 8 SUPPORT AVAIL l

94 1'293E 007

. 0.22% 3.934E 005 ~ -

PMF 1.500E+000 Partial Loss of Main Feedwater Flow RT 1.760E 005 REACTOR TRIP FAILS (DIVERSE $1GNAL WITH DA) - ALL SUPPORT PLL 8.610E-001 INITI AL POWER LESS THAN 40% >

j OMG 5.000E-001 OA TO TRIP MG SETS l DCR 5.070E-001 OA TO INSERT CONTROL RODS AFW 6.560E 002 TDP TO 2/4 SGs FAILS 5 MRS - ALL SUPPORT PPR 3.620E 001 PARTI AL AFW AND NO CRI ALL SUPPORT AVAIL 100. 1.162E 007 0.20% 4.006E 005 LOC . 3.500E 001 Loss of Condenser' RT 1.760E-005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH DA) ALL SUPPORT PLL 8.610E 001 INITIAL POWER LESS THAN 40%

OMG 5.000E 001 OA TO TRIP MG SETS '

DCR 5.070E 001 OA 70 INSERT CONTROL RODS '

DBR 1.550E-00104.T0 ESTAstlSH EMERGENCY SC1Afl0N l

E-10

Proposed Case: Solid State Protection System, 2 of 4 Logic

Total plant damage state frequency = 5.835E-005

NUMBER FREQUENCY PERCENT SUM
EVENT VALUE DESCRIPTION

5. 1.265E 006 2.17% 9.238E*006 PMF 1.500E+000 Partial Loss of Main feedwater Flow-RT 1.800E 005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) - ALL SUPPORT PLL 8.610E 001 INITIAL POWER LESS THAN 40%

OMG 5.000E 001 OA TO TRIP MG SETS i- OCR 5.070E-001 OA TO INSERT CONTROL RODS PPR 2.690E 001 FULL AFW AND NO CRI ALL SUPPORT AVAIL

6. 1.147E-006 1.97% 1.039E 005 LOSP1 4.100E-002 Loss of Offsite Power (Single Unit) 4KAC 5.470E-002 4160 V AC POWER BUS A FAIL (WITH DGs - LOSP) ,

AFW 2.000E 002 M0P To 2/4 SGs FAIL- 5 HRS TR B SPRT (NO TRA) '

CON 1.000E+000 1/3 CON PMPs 1/4 SGs FAIL NO SUPPORT HPR 2.800E-002 1/2 CCPs '1/2 RHR TR A SPRT FAILS

9. 9.975E 007 1.71%- 1.350E-005 LOSP1 4.100E-002 Loss of Offsite Power (Single Unit) 4KAC 5.470E-002 4160 V AC POWER BUS A FAIL (WITH DGs - LOSP) ,

AFW 2.000E 002 MDP TO 2/4 SGs FAIL 5 HRS TR 8 SPRT (NO TRA) 4 CON 1.000E+000 1/3 CON PMPs 1/4 SGs FAIL-= NO SUPPORT l HPI 2.430E-002 1/2 CCPs 3/4 CLEGS- TR B $PRT AVAIL- LOSP 14 6.155E 007 1.05% 1.728E-005 TT 7.300E-001 Turbine Trip RT 1.800E 005 REACTOR TRIP FAILS (DIVERSE $1GNAL WITH OA) ALL SUPPORT PLL 8.610E-001 INITIAL POWER LESS THAN 40% ^

OMG 5.000E-001 OA TO TRIP MG SETS OCR 5.070E 001 OA TO INSERT CONTROL RODS PPR 2.690E-001 FULL AFW AND NO CRI ALL SUPPORT AVAll l l

18. 5.898E-007 1.01% 1.968E-005 j SGR 2.500E 002 Steam Generator Tube Rupture 1 AFW 2.510E-003 2/2 MDPs & TDP 3/3 SGs FAIL 5 HRS- ALL SUPPORT  !

OA8 1.000E 002 DA To ESTABLISH BLEED AND FEED COOLING -l

22. 5.084E 007 -0.87% 2.182E 005 PMF 1.500E+000 Partial Loss of Main Feedwater Flow RT 1.800E-005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) - ALL SUPPORT PLL 8.610E-001 INITIAL POWER LESS THAN 40%

OMG 5.000E-001 OA TO TRIP MG SETS j OCR 5.070E 001 OA To INSERT CONTROL RODS j OBR 1.550E-001 OA TO ESTABLISH EMERGENCT BORATION I

25. 4.939E-007 0.85% 2.331E 005 PMF 1.500E+000 Partial Loss of Main Feedwater Flow I RT 1.800E 005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) - ALL SUPPORT PLL 8.610E 001 INITIAL POWER LESS THAN 40%-

OMG 5.000E-001 OA TO TRIP MG SETS l OCR 5.070E-001 OA TO INSERT CONTROL RODS AFW 8.870E-002 2/2 MDPs & TDP TO 4/4 SGs FAIL 5 HR$ - ALL SUPPORT

26. 4.781E-007 0.82% 2.379E-005 I MLO 8.000E 004 Medium Loss of Coolant Accident  !

ESF 7.420E-004 ENGINEERED SAFETT FEATURES TRAINS A&B FAIL (MLO)  !

HPI 1.000E+000 2/4 HPIs 2/3 CLEGS MLO- NO SUPPORT AFW 1.000E+000 AFW - No SUPPORT AVAILABLE CCU 1.000E+000 CCus Fall TO PROVIDE COOLING- 24 HRS NO SUPPORT CCW 1.000E+000 1/2 CCW TRAINS NO SUPPORT

27. 4.669E-007 0.80% 2. C E 005 PMF 1.500E+000 Partial Loss of Main Feedwater Flow RT 1.800E-005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) - ALL SUPPORT PLL 8.610E 001 INITIAL POWER LESS THAN 40%

OMG 5.000E 001 OA TO TRIP MG SETS AFW 8.870E 002 2/2 IOPs & TDP TO 4/4 SGs FAIL 5 HR$ ALL SUPPORT E-11

28. 4.469E-007 0.77% 2.470E-005
LMF 5.300E-001 Loss of Main Feedwater Flow
RT 1.800E-005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) - ALL SUPPORT
PLL 8.610E-001 INITIAL POWER LESS THAN 40%
OMG 5.000E-001 OA TO TRIP MG SETS
OCR 5.070E-001 OA TO INSERT CONTROL RODS
PPR 2.690E-001 FULL AFW AND NO CRI ALL SUPPORT AVAIL

31. 4.146E-007 0.71% 2.598E-005
LOSP1 4.100E-002 Loss of Offsite Power (Single Unit)
4KAC 5.470E-002 4160 V AC POWER BUS A FAIL (WITH DGs - LOSP)
AFW 2.000E-002 MDP TO 2/4 SGs FAIL 5 HRS- TR B SPRT (NO TRA)
CON 1.000E+000 1/3 CON PMPs-1/4 SGs FAIL - NO SUPPORT
OAB 1.000E-002 OA TO ESTABLISH BLEED AND FEED COOLING START SI

32. 4.146E-007 0.71% 2.639E-005
LLO 3.000E-004 Large Loss of Coolant Accident
ESF 1.430E-003 ENGINEERED SAFETY FEATURES TRAINS A&B FAIL (LLO)
LPI 1.000E+000 1/2 RHR PMPs TO 2/3 COLD LEGS- LLO - NO SPRT
HPI 1.000E+000 2/4 HPIs 2/3 CLEGS- LLO NO SUPPORT
CCU 1.000E+000 CCUs FAIL TO PROVIDE COOLING- 24 HRS NO SUPPORT

34. 3.879E-007 0.66% 2.717E-005
PMF 1.500E+000 Partial Loss of Main Feedwater Flow
AFW 2.710E-005 2/2 MDPs & TDP- 2/4 SGs FAIL- 5 HRS- ALL SUPPORT
CON 1.000E+000 1/3 CON PMPs 1/4 SGs FAIL NO SUPPORT
OAB 1.000E-002 OA TO ESTABLISH BLEED AND FEED COOLING -START SI

37. 3.586E-007 0.61% 2.825E-005
SGR 2.500E-002 Steam Generator Tube Rupture
AFW 2.510E-003 2/2 MDPs & TDP- 3/3 SGs FAIL- 5 HRS- ALL SUPPORT
OAR 6.090E-003 OA TO ESTABLISH HIGH PRESSURE RECIRC W/O SPRAY

41. 2.951E-007 0.51% 2.950E-005
LOC 3.500E-001 Loss of Condenser
RT 1.800E-005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) - ALL SUPPORT
PLL 8.610E-001 INITIAL POWER LESS THAN 40%
OMG 5.000E-001 OA TO TRIP MG SETS
OCR 5.070E-001 OA TO INSERT CONTROL RODS
PPR 2.690E-001 FULL AFW AND NO CRI ALL SUPPORT AVAIL

43. 2.798E-007 0.48% 3.007E-005
LOSP2 1.000E-002 Loss of Offsite Power (Dual Unit)
4KAC 5.470E-002 4160 V AC POWER BUS A FAIL (WITH DGs LOSP)
AFW 2.000E-002 MDP TO 2/4 SGs FAIL- 5 HRS TR B SPRT (NO TRA)
CON 1.000E+000 1/3 CON PMPs 1/4 SGs FAIL- NO SUPPORT
HPR 2.800E-002 1/2 CCPs 1/2 RHR- TR A SPRT FAILS

47. 2.511E-007 0.43% 3.113E-005
LOSP1 4.100E-002 Loss of Offsite Power (Single Unit)
4KAC 5.470E-002 4160 V AC POWER BUS A FAIL (WITH DGs
AFW 2.000E-002 MDP TO 2/4 SGs FAIL 5 HRS TR B SPRT (NO TRA)
CON 1.000E+000 1/3 CON PMPs 1/4 SGs FAIL NO SUPPORT
OAR 6.090E-003 OA TO ESTABLISH HIGH PRESSURE RECIRC (INCLUDES OLP)

48. 2.474E-007 0.42% 3.138E-005
TT 7.300E-001 Turbine Trip
RT 1.800E-005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) ALL SUPPORT
PLL 8.610E-001 INITIAL POWER LESS THAN 40%
OMG 5.000E-001 OA TO TRIP MG SETS
OCR 5.070E-001 OA TO INSERT CONTROL RODS
OBR 1.550E-001 OA TO ESTABLISH EMERGENCY BORATION

51. 2.433E-007 0.42% 3.211E-005
LOSP2 1.000E-002 Loss of Offsite Power (Dual Unit)
4KAC 5.470E-002 4160 V AC POWER BUS A FAIL (WITH DGs - LOSP)
AFW 2.000E-002 MDP TO 2/4 SGs FAIL
CON 1.000E+000 1/3 CON PMPs 1/4 SGs FAIL-- NO SUPPORT
HPI 2.430E-002 1/2 CCPs- 3/4 CLEGS- TR B SPRT AVAIL LOSP

54. 2.404E-007 0.41% 3.283E-005
TT 7.300E-001 Turbine Trip
RT 1.800E-005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) - ALL SUPPORT
PLL 8.610E-001 INITIAL POWER LESS THAN 40%
OMG 5.000E-001 OA TO TRIP MG SETS
OCR 5.070E-001 OA TO INSERT CONTROL RODS
AFW 8.870E-002 2/2 MDPs & TDP TO 4/4 SGs FAIL- 5 HRS - ALL SUPPORT

55. 2.342E-007 0.40% 3.307E-005
PMF 1.500E+000 Partial Loss of Main Feedwater Flow
AFW 2.710E-005 2/2 MDPs & TDP- 2/4 SGs FAIL- 5 HRS- ALL SUPPORT
CON 1.000E+000 1/3 CON PMPs-1/4 SGs FAIL-- NO SUPPORT
OAR 6.090E-003 OA TO ESTABLISH HIGH PRESSURE RECIRC (INCLUDES OLP)

56. 2.272E-007 0.39% 3.329E-005
TT 7.300E-001 Turbine Trip
RT 1.800E-005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) ALL SUPPORT
PLL 8.610E-001 INITIAL POWER LESS THAN 40%
OMG 5.000E-001 OA TO TRIP MG SETS
AFW 8.870E-002 2/2 MDPs & TDP TO 4/4 SGs FAIL 5 HRS - ALL SUPPORT

59. 2.003E-007 0.34% 3.393E-005
SLO 6.600E-003 Small Loss of Coolant Accident
ESF 1.290E-003 ENGINEERED SAFETY FEATURES TRAIN A FAILS (OTHERS)
CCP 1.550E-002 1/2 CCPs- 3/4 CLEGS TR B SPRT AVAIL
LPI 1.000E+000 LPI 1/2 LPIs 3/4 CLEGS- NO SUPPORT

66. 1.798E-007 0.31% 3.524E-005
LOSP1 4.100E-002 Loss of Offsite Power (Single Unit)
4KAC 5.470E-002 4160 V AC POWER BUS A FAIL (WITH DGs
AFW 2.000E-002 MDP TO 2/4 SGs FAIL 5 HRS- TR B SPRT (NO TRA)
CON 1.000E+000 1/3 CON PMPs-1/4 SGs FAIL-- NO SUPPORT
PZR 4.490E-003 1/2 PZR PORVs & BLOCK VLVS FAIL TO OPER TR B SPRT

69. 1.796E-007 0.31% 3.578E-005
LMF 5.300E-001 Loss of Main Feedwater Flow
RT 1.800E-005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) - ALL SUPPORT
PLL 8.610E-001 INITIAL POWER LESS THAN 40%
OMG 5.000E-001 OA TO TRIP MG SETS
OCR 5.070E-001 OA TO INSERT CONTROL RODS
OBR 1.550E-001 OA TO ESTABLISH EMERGENCY BORATION

71. 1.745E-007 0.30% 3.613E-005
LMF 5.300E-001 Loss of Main Feedwater Flow
RT 1.800E-005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) - ALL SUPPORT
PLL 5.610E-001 INITIAL POWER LESS THAN 40%
OMG 5.000E-001 OA TO TRIP MG SETS
OCR 5.070E-001 OA TO INSERT CONTROL RODS
AFW 8.870E-002 2/2 MDPs & TDP TO 4/4 SGs FAIL 5 HRS ALL SUPPORT

73. 1.650E-007 0.28% 3.647E-005
LMF 5.300E-001 Loss of Main Feedwater Flow
RT 1.800E-005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) ALL SUPPORT
PLL 8.610E-001 INITIAL POWER LESS THAN 40%
OMG 5.000E-001 OA TO TRIP MG SETS
AFW 8.870E-002 2/2 MDPs & TDP TO 4/4 SGs FAIL - 5 HRS ALL SUPPORT

78. 1.481E-007 0.25% 3.726E-005
SGR 2.500E-002 Steam Generator Tube Rupture
AFW 2.510E-003 2/2 MDPs & TDP 3/3 SGs FAIL- 5 HRS- ALL SUPPORT
HPR 2.530E-003 1/2 CCPs- 1/2 RHR- ALL SUPPORT

80. 1.458E-007 0.25% 3.755E-005
MLO 8.000E-004 Medium Loss of Coolant Accident
ESF 2.570E-002 ENGINEERED SAFETY FEATURES TRAIN B FAILS (MLO)
LPR 8.040E-003 1/2 RPMPs CLEG REC 1/3 CL- MLO TR A SUPPORT AVAIL

81. 1.455E-007 0.25% 3.770E-005
MLO 8.000E-004 Medium Loss of Coolant Accident
ESF 2.570E-002 ENGINEERED SAFETY FEATURES TRAIN A FAILS (MLO)
LPR 8.040E-003 1/2 RPMPs CLEG REC 1/3 CL- MLO- TR B SUPPORT AVAIL

83. 1.4!3E-007 0.25% 3.798E-005
SIS 1.700E-001 Safety Injection Signal (Inadv)
RT 1.800E-005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) ALL SUPPORT
PLL 8.610E-001 INITIAL POWER LESS THAN 40%
OMG 5.000E-001 OA TO TRIP MG SETS
OCR 5.070E-001 OA TO INSERT CONTROL RODS
PPR 2.690E-001 FULL AFW AND NO CRI ALL SUPPORT AVAIL

85. 1.407E-007 0.24% 3.826E-005
PMF 1.500E+000 Partial Loss of Main Feedwater Flow
RT 1.800E-005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) - ALL SUPPORT
OMG 5.000E-001 OA TO TRIP MG SETS
OCR 5.070E-001 OA TO INSERT CONTROL RODS
OBR 1.550E-001 OA TO ESTABLISH EMERGENCY BORATION

90. 1.370E-007 0.23% 3.896E-005
LMF 5.300E-001 Loss of Main Feedwater Flow
AFW 2.710E-005 2/2 MDPs & TDP- 2/4 SGs FAIL- 5 HRS ALL SUPPORT
CON 1.000E+000 1/3 CON PMPs 1/4 SGs FAIL - NO SUPPORT
OAB 1.000E-002 OA TO ESTABLISH BLEED AND FEED COOLING -START SI

92. 1.351E-007 0.23% 3.923E-005
PMF 1.500E+000 Partial Loss of Main Feedwater Flow
RT 1.800E-005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) - ALL SUPPORT
PLL 8.610E-001 INITIAL POWER LESS THAN 40%
OMG 5.000E-001 OA TO TRIP MG SETS
OCR 5.070E-001 OA TO INSERT CONTROL RODS
AFW 6.700E-002 TDP TO 2/4 SGs FAILS 5 HRS - ALL SUPPORT
PPR 3.620E-001 PARTIAL AFW AND NO CRI ALL SUPPORT AVAIL

98. 1.215E-007 0.21% 3.998E-005
MLO 8.000E-004 Medium Loss of Coolant Accident
ESF 2.570E-002 ENGINEERED SAFETY FEATURES TRAIN A FAILS (MLO)
LPI 6.660E-003 1/2 RPMPs 2/3 CLEGS MLO TR A SPRT FAILS

Pre-TOP Case: Solid State Protection System, 2 of 3 Logic

Total plant damage state frequency = 5.717E-005

NUMBER FREQUENCY PERCENT SUM
EVENT VALUE DESCRIPTION

5. 1.203E-006 2.10% 9.177E-006
PMF 1.500E+000 Partial Loss of Main Feedwater Flow
RT 1.700E-005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) - ALL SUPPORT
PLL 8.610E-001 INITIAL POWER LESS THAN 40%
OMG 5.000E-001 OA TO TRIP MG SETS
OCR 5.070E-001 OA TO INSERT CONTROL RODS
PPR 2.690E-001 FULL AFW AND NO CRI ALL SUPPORT AVAIL

6. 1.148E-006 2.01% 1.032E-005
LOSP1 4.100E-002 Loss of Offsite Power (Single Unit)
4KAC 5.470E-002 4160 V AC POWER BUS A FAIL (WITH DGs - LOSP)
AFW 2.000E-002 MDP TO 2/4 SGs FAIL 5 HRS- TR B SPRT (NO TRA)
CON 1.000E+000 1/3 CON PMPs-1/4 SGs FAIL - NO SUPPORT
HPR 2.800E-002 1/2 CCPs 1/2 RHR TR A SPRT FAILS

9. 1.003E-006 1.76% 1.346E-005
LOSP1 4.100E-002 Loss of Offsite Power (Single Unit)
4KAC 5.470E-002 4160 V AC POWER BUS A FAIL (WITH DGs LOSP)
AFW 2.000E-002 MDP TO 2/4 SGs FAIL 5 HRS TR B SPRT (NO TRA)
CON 1.000E+000 1/3 CON PMPs-1/4 SGs FAIL- NO SUPPORT
HPI 2.430E-002 1/2 CCPs 3/4 CLEGS TR B SPRT AVAIL- LOSP

17. 5.902E-007 1.03% 1.903E-005
SGR 2.500E-002 Steam Generator Tube Rupture
AFW 2.510E-003 2/2 MDPs & TDP 3/3 SGs FAIL - ALL SUPPORT
OAB 1.000E-002 OA TO ESTABLISH BLEED AND FEED COOLING

18. 5.855E-007 1.02% 1.962E-005
TT 7.300E-001 Turbine Trip
RT 1.700E-005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) - ALL SUPPORT
PLL 8.610E-001 INITIAL POWER LESS THAN 40%
OMG 5.000E-001 OA TO TRIP MG SETS
OCR 5.070E-001 OA TO INSERT CONTROL RODS
PPR 2.690E-001 FULL AFW AND NO CRI ALL SUPPORT AVAIL

24. 4.83?E-007 0.85% 2.274E-005
PMF 1.500E+000 Partial Loss of Main Feedwater Flow
RT 1.700E-005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) - ALL SUPPORT
PLL 8.610E-001 INITIAL POWER LESS THAN 40%
OMG 5.000E-001 OA TO TRIP MG SETS
OCR 5.070E-001 OA TO INSERT CONTROL RODS
OBR 1.550E-001 OA TO ESTABLISH EMERGENCY BORATION

25. 4.668E-007 0.82% 2.320E-005
PMF 1.500E+000 Partial Loss of Main Feedwater Flow
RT 1.700E-005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) ALL SUPPORT
PLL 8.610E-001 INITIAL POWER LESS THAN 40%
OMG 5.000E-001 OA TO TRIP MG SETS
OCR 5.070E-001 OA TO INSERT CONTROL RODS
AFW 8.870E-002 2/2 MDPs & TDP TO 4/4 SGs FAIL- 5 HRS ALL SUPPORT

26. 4.452E-007 0.78% 2.365E-005
MLO 8.000E-004 Medium Loss of Coolant Accident
ESF 6.910E-004 ENGINEERED SAFETY FEATURES TRAINS A&B FAIL (MLO)
HPI 1.000E+000 2/4 HPIs- 2/3 CLEGS- MLO NO SUPPORT
AFW 1.000E+000 AFW - NO SUPPORT AVAILABLE
CCU 1.000E+000 CCUs FAIL TO PROVIDE COOLING 24 HRS NO SUPPORT
CCW 1.000E+000 1/2 CCW TRAINS NO SUPPORT

27. 4.413E-007 0.77% 2.409E-005
PMF 1.500E+000 Partial Loss of Main Feedwater Flow
RT 1.700E-005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) - ALL SUPPORT
PLL 8.610E-001 INITIAL POWER LESS THAN 40%
OMG 5.000E-001 OA TO TRIP MG SETS
AFW 8.870E-002 2/2 MDPs & TDP TO 4/4 SGs FAIL- 5 HRS ALL SUPPORT

29. 4.262E-007 0.75% 2.495E-005
LLO 3.000E-004 Large Loss of Coolant Accident
ESF 1.470E-003 ENGINEERED SAFETY FEATURES TRAINS A&B FAIL (LLO)
LPI 1.000E+000 1/2 RHR PMPs TO 2/3 COLD LEGS LLO NO SPRT
HPI 1.000E+000 2/4 HPIs 2/3 CLEGS- LLO- NO SUPPORT
CCU 1.000E+000 CCUs FAIL TO PROVIDE COOLING 24 HRS- NO SUPPORT

30. 4.251E-007 0.74% 2.538E-005
LMF 5.300E-001 Loss of Main Feedwater Flow
RT 1.700E-005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) - ALL SUPPORT
PLL 8.610E-001 INITIAL POWER LESS THAN 40%
OMG 5.000E-001 OA TO TRIP MG SETS
OCR 5.070E-001 OA TO INSERT CONTROL RODS
PPR 2.690E-001 FULL AFW AND NO CRI ALL SUPPORT AVAIL

32. 4.171E-007 0.73% 2.622E-005
LOSP1 4.100E-002 Loss of Offsite Power (Single Unit)
4KAC 5.470E-002 4160 V AC POWER BUS A FAIL (WITH DGs LOSP)
AFW 2.000E-002 MDP TO 2/4 SGs FAIL 5 HRS- TR B SPRT (NO TRA)
CON 1.000E+000 1/3 CON PMPs 1/4 SGs FAIL-- NO SUPPORT
OAB 1.000E-002 OA TO ESTABLISH BLEED AND FEED COOLING

34. 3.881E-007 0.68% 2.699E-005
PMF 1.500E+000 Partial Loss of Main Feedwater Flow
AFW 2.710E-005 2/2 MDPs & TDP 2/4 SGs FAIL 5 HRS- ALL SUPPORT
CON 1.000E+000 1/3 CON PMPs 1/4 SGs FAIL-- NO SUPPORT
OAB 1.000E-002 OA TO ESTABLISH BLEED AND FEED COOLING -START SI

38. 3.589E-007 0.63% 2.844E-005
SGR 2.500E-002 Steam Generator Tube Rupture
AFW 2.510E-003 2/2 MDPs & TDP 3/3 SGs FAIL 5 HRS ALL SUPPORT
OAR 6.090E-003 OA TO ESTABLISH HIGH PRESSURE RECIRC W/O SPRAY

42. 2.807E-007 0.49% 2.962E-005
LOC 3.500E-001 Loss of Condenser
RT 1.700E-005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) - ALL SUPPORT
PLL 8.610E-001 INITIAL POWER LESS THAN 40%
OMG 5.000E-001 OA TO TRIP MG SETS
OCR 5.070E-001 OA TO INSERT CONTROL RODS
PPR 2.690E-001 FULL AFW AND NO CRI ALL SUPPORT AVAIL

43. 2.799E-007 0.49% 2.973E-005
LOSP2 1.000E-002 Loss of Offsite Power (Dual Unit)
4KAC 5.470E-002 4160 V AC POWER BUS A FAIL (WITH DGs - LOSP)
AFW 2.000E-002 MDP TO 2/4 SGs FAIL 5 HRS- TR B SPRT (NO TRA)
CON 1.000E+000 1/3 CON PMPs-1/4 SGs FAIL-- NO SUPPORT
HPR 2.800E-002 1/2 CCPs 1/2 RHR TR A SPRT FAILS

47. 2.512E-007 0.44% 3.096E-005
LOSP1 4.100E-002 Loss of Offsite Power (Single Unit)
4KAC 5.470E-002 4160 V AC POWER BUS A FAIL (WITH DGs - LOSP)
AFW 2.000E-002 MDP TO 2/4 SGs FAIL 5 HRS- TR B SPRT (NO TRA)
CON 1.000E+000 1/3 CON PMPs 1/4 SGs FAIL -- NO SUPPORT
OAR 6.090E-003 OA TO ESTABLISH HIGH PRESSURE RECIRC (INCLUDES OLP)

49. 2.448E-007 0.43% 3.145E-005
LOSP2 1.000E-002 Loss of Offsite Power (Dual Unit)
4KAC 5.470E-002 4160 V AC POWER BUS A FAIL (WITH DGs LOSP)
AFW 2.000E-002 MDP TO 2/4 SGs FAIL 5 HRS- TR B SPRT (NO TRA)
CON 1.000E+000 1/3 CON PMPs 1/4 SGs FAIL-- NO SUPPORT
HPI 2.430E-002 1/2 CCPs 3/4 CLEGS- TR B SPRT AVAIL- LOSP

53. 2.354E-007 0.41% 3.241E-005
TT 7.300E-001 Turbine Trip
RT 1.700E-005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) ALL SUPPORT
PLL 8.610E-001 INITIAL POWER LESS THAN 40%
OMG 5.000E-001 OA TO TRIP MG SETS
OCR 5.070E-001 OA TO INSERT CONTROL RODS
OBR 1.550E-001 OA TO ESTABLISH EMERGENCY BORATION

54. 2.343E-007 0.41% 3.265E-005
PMF 1.500E+000 Partial Loss of Main Feedwater Flow
AFW 2.710E-005 2/2 MDPs & TDP 2/4 SGs FAIL 5 HRS- ALL SUPPORT
CON 1.000E+000 1/3 CON PMPs-1/4 SGs FAIL- NO SUPPORT
OAR 6.090E-003 OA TO ESTABLISH HIGH PRESSURE RECIRC (INCLUDES OLP)

55. 2.272E-007 0.40% 3.287E-005
TT 7.300E-001 Turbine Trip
RT 1.700E-005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) ALL SUPPORT
PLL 8.610E-001 INITIAL POWER LESS THAN 40%
OMG 5.000E-001 OA TO TRIP MG SETS
OCR 5.070E-001 OA TO INSERT CONTROL RODS
AFW 8.870E-002 2/2 MDPs & TDP TO 4/4 SGs FAIL 5 HRS - ALL SUPPORT

57. 2.148E-007 0.38% 3.331E-005
TT 7.730E-001 Turbine Trip
RT 1.700E-005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) - ALL SUPPORT
PLL 8.610E-001 INITIAL POWER LESS THAN 40%
OMG 5.000E-001 OA TO TRIP MG SETS
AFW 8.870E-002 2/2 MDPs & TDP TO 4/4 SGs FAIL 5 HRS ALL SUPPORT

64. 1.809E-007 0.32% 3.466E-005
LOSP1 4.100E-002 Loss of Offsite Power (Single Unit)
4KAC 5.470E-002 4160 V AC POWER BUS A FAIL (WITH DGs - LOSP)
AFW 2.000E-002 MDP TO 2/4 SGs FAIL 5 HRS TR B SPRT (NO TRA)
CON 1.000E+000 1/3 CON PMPs 1/4 SGs FAIL- NO SUPPORT
PZR 4.490E-003 1/2 PZR PORVs & BLOCK VLVS FAIL TO OPER- TR B SPRT

70. 1.709E-007 0.30% 3.572E-005
LMF 5.300E-001 Loss of Main Feedwater Flow
RT 1.700E-005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) ALL SUPPORT
PLL 6.610E-001 INITIAL POWER LESS THAN 40%
OMG 5.000E-001 OA TO TRIP MG SETS
OCR 5.070E-001 OA TO INSERT CONTROL RODS
OBR 1.550E-001 OA TO ESTABLISH EMERGENCY BORATION

71. 1.649E-007 0.29% 3.588E-005
LMF 5.300E-001 Loss of Main Feedwater Flow
RT 1.700E-005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) - ALL SUPPORT
PLL 8.610E-001 INITIAL POWER LESS THAN 40%
OMG 5.000E-001 OA TO TRIP MG SETS
OCR 5.070E-001 OA TO INSERT CONTROL RODS
AFW 8.870E-002 2/2 MDPs & TDP TO 4/4 SGs FAIL 5 HRS - ALL SUPPORT

75. 1.559E-007 0.27% 3.653E-005
LMF 5.300E-001 Loss of Main Feedwater Flow
RT 1.700E-005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) - ALL SUPPORT
PLL 8.610E-001 INITIAL POWER LESS THAN 40%
OMG 5.000E-001 OA TO TRIP MG SETS
AFW 8.870E-002 2/2 MDPs & TDP TO 4/4 SGs FAIL 5 HRS - ALL SUPPORT

77. 1.482E-007 0.26% 3.683E-005
SGR 2.500E-002 Steam Generator Tube Rupture
AFW 2.510E-003 2/2 MDPs & TDP 3/3 SGs FAIL 5 HRS ALL SUPPORT
HPR 2.530E-003 1/2 CCPs- 1/2 RHR- ALL SUPPORT

81. 1.429E-007 0.25% 3.740E-005
SLO 6.600E-003 Small Loss of Coolant Accident
ESF 9.200E-004 ENGINEERED SAFETY FEATURES TRAIN A FAILS (OTHERS)
CCP 2.550E-002 1/2 CCPs- 3/4 CLEGS TR B SPRT AVAIL
LPI 1.000E+000 LPI 1/2 LPIs- 3/4 CLEGS NO SUPPORT

86. 1.371E-007 0.24% 3.810E-005
LMF 5.300E-001 Loss of Main Feedwater Flow
AFW 2.710E-005 2/2 MDPs & TDP 2/4 SGs FAIL- 5 HRS- ALL SUPPORT
CON 1.000E+000 1/3 CON PMPs-1/4 SGs FAIL-- NO SUPPORT
OAB 1.000E-002 OA TO ESTABLISH BLEED AND FEED COOLING -START SI

87. 1.363E-007 0.24% 3.824E-005
SIS 1.700E-001 Safety Injection Signal (Inadv)
RT 1.700E-005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) ALL SUPPORT
PLL 8.610E-001 INITIAL POWER LESS THAN 40%
OMG 5.000E-001 OA TO TRIP MG SETS
OCR 5.070E-001 OA TO INSERT CONTROL RODS
PPR 2.690E-001 FULL AFW AND NO CRI ALL SUPPORT AVAIL

89. 1.330E-007 0.23% 3.850E-005
PMF 1.500E+000 Partial Loss of Main Feedwater Flow
RT 1.700E-005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) ALL SUPPORT
OMG 5.000E-001 OA TO TRIP MG SETS
OCR 5.070E-001 OA TO INSERT CONTROL RODS
OBR 1.550E-001 OA TO ESTABLISH EMERGENCY BORATION

97. 1.172E-007 0.20% 3.949E-005
PMF 1.500E+000 Partial Loss of Main Feedwater Flow
RT 1.700E-005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) ALL SUPPORT
PLL 8.610E-001 INITIAL POWER LESS THAN 40%
OMG 5.000E-001 OA TO TRIP MG SETS
OCR 5.070E-001 OA TO INSERT CONTROL RODS
AFW 6.150E-002 TDP TO 2/4 SGs FAILS- 5 HRS - ALL SUPPORT
PPR 3.620E-001 PARTIAL AFW AND NO CRI ALL SUPPORT AVAIL

98. 1.129E-007 0.20% 3.960E-005
LOC 3.500E-001 Loss of Condenser
RT 1.700E-005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) ALL SUPPORT
PLL 8.610E-001 INITIAL POWER LESS THAN 40%
OMG 5.000E-001 OA TO TRIP MG SETS
OCR 5.070E-001 OA TO INSERT CONTROL RODS
OBR 1.550E-001 OA TO ESTABLISH EMERGENCY BORATION

100. 1.089E-007 0.19% 3.962E-005
LOC 3.500E-001 Loss of Condenser
RT 1.700E-005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) - ALL SUPPORT
PLL 8.610E-001 INITIAL POWER LESS THAN 40%
OMG 5.000E-001 OA TO TRIP MG SETS
OCR 5.070E-001 OA TO INSERT CONTROL RODS
AFW 8.870E-002 2/2 MDPs & TDP TO 4/4 SGs FAIL - 5 HRS ALL SUPPORT

Westinghouse Proprietary Class 2C

TOP Case: Solid State Protection System, 2 of 3 Logic

Total plant damage state frequency = 5.832E-005

NUMBER FREQUENCY PERCENT SUM
EVENT VALUE DESCRIPTION

5. 1.237E-006 2.12% 9.208E-006
PMF 1.500E+000 Partial Loss of Main Feedwater Flow
RT 1.760E-005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) - ALL SUPPORT
PLL 8.610E-001 INITIAL POWER LESS THAN 40%
OMG 5.000E-001 OA TO TRIP MG SETS
OCR 5.070E-001 OA TO INSERT CONTROL RODS
PPR 2.690E-001 FULL AFW AND NO CRI ALL SUPPORT AVAIL

6. 1.147E-006 1.97% 1.036E-005
LOSP1 4.100E-002 Loss of Offsite Power (Single Unit)
4KAC 5.470E-002 4160 V AC POWER BUS A FAIL (WITH DGs - LOSP)
AFW 2.000E-002 MDP TO 2/4 SGs FAIL- 5 HRS- TR B SPRT (NO TRA)
CON 1.000E+000 1/3 CON PMPs 1/4 SGs FAIL - NO SUPPORT
HPR 2.800E-002 1/2 CCPs- 1/2 RHR TR A SPRT FAILS

9. 9.986E-007 1.71% 1.348E-005
LOSP1 4.100E-002 Loss of Offsite Power (Single Unit)
4KAC 5.470E-002 4160 V AC POWER BUS A FAIL (WITH DGs LOSP)
AFW 2.000E-002 MDP TO 2/4 SGs FAIL- 5 HRS TR B SPRT (NO TRA)
CON 1.000E+000 1/3 CON PMPs-1/4 SGs FAIL- NO SUPPORT
HPI 2.430E-002 1/2 CCPs- 3/4 CLEGS- TR B SPRT AVAIL LOSP

14. 6.492E-007 1.11% 1.729E-005
LLO 3.000E-004 Large Loss of Coolant Accident
ESF 2.240E-003 ENGINEERED SAFETY FEATURES TRAINS A&B FAIL (LLO)
LPI 1.000E+000 1/2 RHR PMPs TO 2/3 COLD LEGS LLO - NO SPRT
HPI 1.000E+000 2/4 HPIs 2/3 CLEGS- LLO- NO SUPPORT
CCU 1.000E+000 CCUs FAIL TO PROVIDE COOLING- 24 HRS- NO SUPPORT

17. 6.021E-007 1.03% 1.910E-005
TT 7.300E-001 Turbine Trip
RT 1.760E-005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) ALL SUPPORT
PLL 8.610E-001 INITIAL POWER LESS THAN 40%
OMG 5.000E-001 OA TO TRIP MG SETS
OCR 5.070E-001 OA TO INSERT CONTROL RODS
PPR 2.690E-001 FULL AFW AND NO CRI ALL SUPPORT AVAIL

19. 5.899E-007 1.01% 2.029E-005
SGR 2.500E-002 Steam Generator Tube Rupture
AFW 2.510E-003 2/2 MDPs & TDP 3/3 SGs FAIL 5 HRS ALL SUPPORT
OAB 1.000E-002 OA TO ESTABLISH BLEED AND FEED COOLING

25. 4.974E-007 0.85% 2.342E-005
PMF 1.500E+000 Partial Loss of Main Feedwater Flow
RT 1.760E-005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) ALL SUPPORT
PLL 8.610E-001 INITIAL POWER LESS THAN 40%
OMG 5.000E-001 OA TO TRIP MG SETS
OCR 5.070E-001 OA TO INSERT CONTROL RODS
OBR 1.550E-001 OA TO ESTABLISH EMERGENCY BORATION

26. 4.850E-007 0.83% 2.390E-005
PMF 1.500E+000 Partial Loss of Main Feedwater Flow
RT 1.760E-005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) - ALL SUPPORT
PLL 8.610E-001 INITIAL POWER LESS THAN 40%
OMG 5.000E-001 OA TO TRIP MG SETS
OCR 5.070E-001 OA TO INSERT CONTROL RODS
AFW 8.910E-002 2/2 MDPs & TDP TO 4/4 SGs FAIL- 5 HRS - ALL SUPPORT

27. 4.798E-007 0.82% 2.438E-005
MLO 8.000E-004 Medium Loss of Coolant Accident
ESF 7.450E-004 ENGINEERED SAFETY FEATURES TRAINS A&B FAIL (MLO)
HPI 1.000E+000 2/4 HPIs 2/3 CLEGS- MLO- NO SUPPORT
AFW 1.000E+000 AFW - NO SUPPORT AVAILABLE
CCU 1.000E+000 CCUs FAIL TO PROVIDE COOLING 24 HRS- NO SUPPORT
CCW 1.000E+000 1/2 CCW TRAINS - NO SUPPORT

28. 4.585E-007 0.79% 2.484E-005
PMF 1.500E+000 Partial Loss of Main Feedwater Flow
RT 1.760E-005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) - ALL SUPPORT
PLL 8.610E-001 INITIAL POWER LESS THAN 40%
OMG 5.000E-001 OA TO TRIP MG SETS
AFW 8.910E-002 2/2 MDPs & TDP TO 4/4 SGs FAIL 5 HRS ALL SUPPORT

29. 4.371E-007 0.75% 2.528E-005
LMF 5.300E-001 Loss of Main Feedwater Flow
RT 1.760E-005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) - ALL SUPPORT
PLL 8.610E-001 INITIAL POWER LESS THAN 40%
OMG 5.000E-001 OA TO TRIP MG SETS
OCR 5.070E-001 OA TO INSERT CONTROL RODS
PPR 2.690E-001 FULL AFW AND NO CRI ALL SUPPORT AVAIL

32. 4.15tE-007 0.71% 2.655E-005
LOSP1 4.100E-002 Loss of Offsite Power (Single Unit)
4KAC 5.470E-002 4160 V AC POWER BUS A FAIL (WITH DGs - LOSP)
AFW 2.000E-002 MDP TO 2/4 SGs FAIL 5 HRS- TR B SPRT (NO TRA)
CON 1.000E+000 1/3 CON PMPs-1/4 SGs FAIL- NO SUPPORT
OAB 1.000E-002 OA TO ESTABLISH BLEED AND FEED COOLING START SI

34. 3.892E-007 0.67% 2.733E-005
PMF 1.500E+000 Partial Loss of Main Feedwater Flow
AFW 2.720E-005 2/2 MDPs & TDP- 2/4 SGs FAIL 5 HRS- ALL SUPPORT
CON 1.000E+000 1/3 CON PMPs 1/4 SGs FAIL NO SUPPORT
OAB 1.000E-002 OA TO ESTABLISH BLEED AND FEED COOLING - START SI

37. 3.587E-007 0.62% 2.842E-005
SGR 2.500E-002 Steam Generator Tube Rupture
AFW 2.510E-003 2/2 MDPs & TDP- 3/3 SGs FAIL 5 HRS- ALL SUPPORT
OAR 6.090E-003 OA TO ESTABLISH HIGH PRESSURE RECIRC W/O SPRAY

42. 2.887E-007 0.49% 2.995E-005
LOC 3.500E-001 Loss of Condenser
RT 1.760E-005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) ALL SUPPORT
PLL 8.610E-001 INITIAL POWER LESS THAN 40%
OMG 5.000E-001 OA TO TRIP MG SETS
OCR 5.070E-001 OA TO INSERT CONTROL RODS
PPR 2.690E-001 FULL AFW AND NO CRI ALL SUPPORT AVAIL

43. 2.799E-007 0.48% 3.023E-005
LOSP2 1.000E-002 Loss of Offsite Power (Dual Unit)
4KAC 5.470E-002 4160 V AC POWER BUS A FAIL (WITH DGs LOSP)
AFW 2.000E-002 MDP TO 2/4 SGs FAIL 5 HRS TR B SPRT (NO TRA)
CON 1.000E+000 1/3 CON PMPs 1/4 SGs FAIL-- NO SUPPORT
HPR 2.800E-002 1/2 CCPs 1/2 RHR- TR A SPRT FAILS

47. 2.511E-007 0.43% 3.129E-005
LOSP1 4.100E-002 Loss of Offsite Power (Single Unit)
4KAC 5.470E-002 4160 V AC POWER BUS A FAIL (WITH DGs LOSP)
AFW 2.000E-002 MDP TO 2/4 SGs FAIL 5 HRS- TR B SPRT (NO TRA)
CON 1.000E+000 1/3 CON PMPs-1/4 SGs FAIL - NO SUPPORT
OAR 6.090E-003 OA TO ESTABLISH HIGH PRESSURE RECIRC (INCLUDES OLP)

50. 2.436E-007 0.42% 3.202E-005
LOSP2 1.000E-002 Loss of Offsite Power (Dual Unit)
4KAC 5.470E-002 4160 V AC POWER BUS A FAIL (WITH DGs - LOSP)
AFW 2.000E-002 MDP TO 2/4 SGs FAIL- 5 HRS- TR B SPRT (NO TRA)
CON 1.000E+000 1/3 CON PMPs 1/4 SGs FAIL - NO SUPPORT
HPI 2.430E-002 1/2 CCPs 3/4 CLEGS- TR B SPRT AVAIL LOSP

51. 2.420E-007 0.42% 3.226E-005
TT 7.300E-001 Turbine Trip
RT 1.760E-005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) - ALL SUPPORT
PLL 8.610E-001 INITIAL POWER LESS THAN 40%
OMG 5.000E-001 OA TO TRIP MG SETS
OCR 5.070E-001 OA TO INSERT CONTROL RODS
OBR 1.550E-001 OA TO ESTABLISH EMERGENCY BORATION

54. 2.360E-007 0.40% 3.298E-005
TT 7.300E-001 Turbine Trip
RT 1.760E-003 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) - ALL SUPPORT
PLL 8.610E-001 INITIAL POWER LESS THAN 40%
OMG 5.000E-001 OA TO TRIP MG SETS
OCR 5.070E-001 OA TO INSERT CONTROL RODS
AFW 8.910E-002 2/2 MDPs & TDP TO 4/4 SGs FAIL- 5 HRS - ALL SUPPORT

55. 2.351E-007 0.40% 3.322E-005
PMF 1.500E+000 Partial Loss of Main Feedwater Flow
AFW 2.720E-005 2/2 MDPs & TDP- 2/4 SGs FAIL- 5 HRS- ALL SUPPORT
CON 1.000E+000 1/3 CON PMPs-1/4 SGs FAIL-- NO SUPPORT
OAR 6.090E-003 OA TO ESTABLISH HIGH PRESSURE RECIRC (INCLUDES OLP)

57. 2.231E-007 0.38% 3.366E-005
TT 7.300E-001 Turbine Trip
RT 1.760E-005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) - ALL SUPPORT
PLL 8.610E-001 INITIAL POWER LESS THAN 40%
OMG 5.000E-001 OA TO TRIP MG SETS
AFW 8.910E-002 2/2 MDPs & TDP TO 4/4 SGs FAIL- 5 HRS - ALL SUPPORT

63. 1.879E-007 0.32% 3.483E-005
SLO 6.600E-003 Small Loss of Coolant Accident
ESF 1.210E-003 ENGINEERED SAFETY FEATURES TRAIN A FAILS (OTHERS)
CCP 2.550E-002 1/2 CCPs 3/4 CLEGS- TR B SPRT AVAIL
LPI 1.000E+000 LPI- 1/2 LPIs- 3/4 CLEGS NO SUPPORT

66. 1.800E-007 0.31% 3.538E-005
LOSP1 4.100E-002 Loss of Offsite Power (Single Unit)
4KAC 5.470E-002 4160 V AC POWER BUS A FAIL (WITH DGs - LOSP)
AFW 2.000E-002 MDP TO 2/4 SGs FAIL 5 HRS TR B SPRT (NO TRA)
CON 1.000E+000 1/3 CON PMPs-1/4 SGs FAIL NO SUPPORT
PZR 4.490E-003 1/2 PZR PORVs & BLOCK VLVS FAIL TO OPER TR B SPRT

70. 1.757E-007 0.30% 3.609E-005
LMF 5.300E-001 Loss of Main Feedwater Flow
RT 1.760E-005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) - ALL SUPPORT
PLL 8.610E-001 INITIAL POWER LESS THAN 40%
OMG 5.000E-001 OA TO TRIP MG SETS
OCR 5.070E-001 OA TO INSERT CONTROL RODS
OBR 1.550E-001 OA TO ESTABLISH EMERGENCY BORATION

72. 1.714E-007 0.29% 3.643E-005
LMF 5.300E-001 Loss of Main Feedwater Flow
RT 1.760E-005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) - ALL SUPPORT
PLL 8.610E-001 INITIAL POWER LESS THAN 40%
OMG 5.000E-001 OA TO TRIP MG SETS
OCR 5.070E-001 OA TO INSERT CONTROL RODS
AFW 8.910E-002 2/2 MDPs & TDP TO 4/4 SGs FAIL 5 HRS - ALL SUPPORT

75. 1.620E-007 0.28% 3.692E-005
LMF 5.300E-001 Loss of Main Feedwater Flow
RT 1.760E-005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) ALL SUPPORT
PLL 8.610E-001 INITIAL POWER LESS THAN 40%
OMG 5.000E-001 OA TO TRIP MG SETS
AFW 8.910E-002 2/2 MDPs & TDP TO 4/4 SGs FAIL- 5 HRS - ALL SUPPORT

78. 1.481E-007 0.25% 3.738E-005
SGR 2.500E-002 Steam Generator Tube Rupture
AFW 2.510E-003 2/2 MDPs & TDP 3/3 SGs FAIL 5 HRS ALL SUPPORT
HPR 2.530E-003 1/2 CCPs 1/2 RHR- ALL SUPPORT

83. 1.402E-007 0.24% 3.809E-005
SIS 1.700E-001 Safety Injection Signal (Inadv)
RT 1.760E-005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) ALL SUPPORT
PLL 8.610E-001 INITIAL POWER LESS THAN 40%
OMG 5.000E-001 OA TO TRIP MG SETS
OCR 5.070E-001 OA TO INSERT CONTROL RODS
PPR 2.690E-001 FULL AFW AND NO CRI ALL SUPPORT AVAIL

I f

~

p .i

{)-

ut .~

t i

TOP Case: Solid State Protection System, 2 of 3 Logic (Cont'd)

87. 1.376E-007 0.24% 3.865E-005
PMF 1.500E+000 Partial Loss of Main Feedwater Flow
RT 1.760E-005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) - ALL SUPPORT
OMG 5.000E-001 OA TO TRIP MG SETS
OCR 5.070E-001 OA TO INSERT CONTROL RODS
OBR 1.550E-001 OA TO ESTABLISH EMERGENCY BORATION

88. 1.375E-007 0.24% 3.878E-005
LMF 5.300E-001 Loss of Main Feedwater Flow
AFW 2.720E-005 2/2 MDPs & TDP- 2/4 SGs FAIL- 5 HRS- ALL SUPPORT
CON 1.000E+000 1/3 CON PMPs- 1/4 SGs FAIL- NO SUPPORT
OAS 1.000E-002 OA TO ESTABLISH BLEED AND FEED COOLING - START SI

89. 1.373E-007 0.24% 3.892E-005
MLO 8.000E-004 Medium Loss of Coolant Accident
ESF 2.420E-002 ENGINEERED SAFETY FEATURES TRAIN B FAILS (MLO)
LPR 8.040E-003 1/2 RPMPs CLEG REC 1/3 CL- MLO- TR A SUPPORT AVAIL

90. 1.370E-007 0.23% 3.906E-005
MLO 8.000E-004 Medium Loss of Coolant Accident
ESF 2.420E-002 ENGINEERED SAFETY FEATURES TRAIN A FAILS (MLO)
LPR 8.040E-003 1/2 RPMPs CLEG REC 1/3 CL- MLO- TR B SUPPORT AVAIL

94. 1.300E-007 0.22% 3.959E-005
PMF 1.500E+000 Partial Loss of Main Feedwater Flow
RT 1.760E-005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) - ALL SUPPORT
PLL 8.610E-001 INITIAL POWER LESS THAN 40%
OMG 5.000E-001 OA TO TRIP MG SETS
OCR 5.070E-001 OA TO INSERT CONTROL RODS
AFW 6.600E-002 TDP TO 2/4 SGs FAILS 5 HRS - ALL SUPPORT
PPR 3.620E-001 PARTIAL AFW AND NO CRI ALL SUPPORT AVAIL

100. 1.161E-007 0.20% 4.031E-005
LOC 3.500E-001 Loss of Condenser
RT 1.760E-005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) - ALL SUPPORT
PLL 8.610E-001 INITIAL POWER LESS THAN 40%
OMG 5.000E-001 OA TO TRIP MG SETS
OCR 5.070E-001 OA TO INSERT CONTROL RODS
OBR 1.550E-001 OA TO ESTABLISH EMERGENCY BORATION


Proposed Case: Solid State Protection System, 2 of 3 Logic

Total plant damage state frequency = 5.893E-005

NUMBER FREQUENCY PERCENT SUM EVENT VALUE DESCRIPTION

5. 1.261E-006 2.14% 9.229E-006
PMF 1.500E+000 Partial Loss of Main Feedwater Flow
RT 1.800E-005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) - ALL SUPPORT
PLL 8.610E-001 INITIAL POWER LESS THAN 40%
OMG 5.000E-001 OA TO TRIP MG SETS
OCR 5.070E-001 OA TO INSERT CONTROL RODS
PPR 2.690E-001 FULL AFW AND NO CRI ALL SUPPORT AVAIL

6. 1.147E-006 1.95% 1.038E-005
LOSP1 4.100E-002 Loss of Offsite Power (Single Unit)
4KAC 5.470E-002 4160 V AC POWER BUS A FAIL (WITH DGs - LOSP)
AFW 2.000E-002 MDP TO 2/4 SGs FAIL- 5 HRS- TR B SPRT (NO TRA)
CON 1.000E+000 1/3 CON PMPs- 1/4 SGs FAIL- NO SUPPORT
HPR 2.800E-002 1/2 CCPs- 1/2 RHR- TR A SPRT FAILS

9. 9.966E-007 1.69% 1.349E-005
LOSP1 4.100E-002 Loss of Offsite Power (Single Unit)
4KAC 5.470E-002 4160 V AC POWER BUS A FAIL (WITH DGs - LOSP)
AFW 2.000E-002 MDP TO 2/4 SGs FAIL- 5 HRS- TR B SPRT (NO TRA)
CON 1.000E+000 1/3 CON PMPs- 1/4 SGs FAIL- NO SUPPORT
HPI 2.430E-002 1/2 CCPs- 3/4 CLEGS- TR B SPRT AVAIL- LOSP

11. 8.459E-007 1.44% 1.533E-005
LLO 3.000E-004 Large Loss of Coolant Accident
ESF 2.920E-003 ENGINEERED SAFETY FEATURES TRAINS A&B FAIL (LLO)
LPI 1.000E+000 1/2 RHR PMPs TO 2/3 COLD LEGS- LLO- NO SPRT
HPI 1.000E+000 2/4 HPIs- 2/3 CLEGS- LLO- NO SUPPORT
CCU 1.000E+000 CCUs FAIL TO PROVIDE COOLING- 24 HRS- NO SUPPORT

15. 6.136E-007 1.04% 1.811E-005
TT 7.300E-001 Turbine Trip
RT 1.800E-005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) - ALL SUPPORT
PLL 8.610E-001 INITIAL POWER LESS THAN 40%
OMG 5.000E-001 OA TO TRIP MG SETS
OCR 5.070E-001 OA TO INSERT CONTROL RODS
PPR 2.690E-001 FULL AFW AND NO CRI ALL SUPPORT AVAIL

19. 5.898E-007 1.00% 2.051E-005
SGR 2.500E-002 Steam Generator Tube Rupture
AFW 2.510E-003 2/2 MDPs & TDP- 3/3 SGs FAIL- 5 HRS- ALL SUPPORT
OAB 1.000E-002 OA TO ESTABLISH BLEED AND FEED COOLING

23. 5.069E-007 0.86% 2.265E-005
PMF 1.500E+000 Partial Loss of Main Feedwater Flow
RT 1.800E-005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) - ALL SUPPORT
PLL 8.610E-001 INITIAL POWER LESS THAN 40%
OMG 5.000E-001 OA TO TRIP MG SETS
OCR 5.070E-001 OA TO INSERT CONTROL RODS
OBR 1.550E-001 OA TO ESTABLISH EMERGENCY BORATION

25. 4.985E-007 0.85% 2.365E-005
PMF 1.500E+000 Partial Loss of Main Feedwater Flow
RT 1.800E-005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) - ALL SUPPORT
PLL 8.610E-001 INITIAL POWER LESS THAN 40%
OMG 5.000E-001 OA TO TRIP MG SETS
OCR 5.070E-001 OA TO INSERT CONTROL RODS
AFW 8.960E-002 2/2 MDPs & TDP TO 4/4 SGs FAIL- 5 HRS - ALL SUPPORT

27. 4.873E-007 0.83% 2.463E-005
MLO 8.000E-004 Medium Loss of Coolant Accident
ESF 7.570E-004 ENGINEERED SAFETY FEATURES TRAINS A&B FAIL (MLO)
HPI 1.000E+000 2/4 HPIs- 2/3 CLEGS- MLO- NO SUPPORT
AFW 1.000E+000 AFW - NO SUPPORT AVAILABLE
CCU 1.000E+000 CCUs FAIL TO PROVIDE COOLING- 24 HRS- NO SUPPORT
CCW 1.000E+000 1/2 CCW TRAINS - NO SUPPORT


Proposed Case: Solid State Protection System, 2 of 3 Logic (Cont'd)

28. 4.712E-007 0.80% 2.510E-005
PMF 1.500E+000 Partial Loss of Main Feedwater Flow
RT 1.800E-005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) - ALL SUPPORT
PLL 8.610E-001 INITIAL POWER LESS THAN 40%
OMG 5.000E-001 OA TO TRIP MG SETS
AFW 8.960E-002 2/2 MDPs & TDP TO 4/4 SGs FAIL- 5 HRS - ALL SUPPORT

29. 4.455E-007 0.76% 2.555E-005
LMF 5.300E-001 Loss of Main Feedwater Flow
RT 1.800E-005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) - ALL SUPPORT
PLL 8.610E-001 INITIAL POWER LESS THAN 40%
OMG 5.000E-001 OA TO TRIP MG SETS
OCR 5.070E-001 OA TO INSERT CONTROL RODS
PPR 2.690E-001 FULL AFW AND NO CRI ALL SUPPORT AVAIL

32. 4.143E-007 0.70% 2.682E-005
LOSP1 4.100E-002 Loss of Offsite Power (Single Unit)
4KAC 5.470E-002 4160 V AC POWER BUS A FAIL (WITH DGs - LOSP)
AFW 2.000E-002 MDP TO 2/4 SGs FAIL- 5 HRS- TR B SPRT (NO TRA)
CON 1.000E+000 1/3 CON PMPs- 1/4 SGs FAIL- NO SUPPORT
OAS 1.000E-002 OA TO ESTABLISH BLEED AND FEED COOLING - START SI

33. 3.903E-007 0.66% 2.721E-005
PMF 1.500E+000 Partial Loss of Main Feedwater Flow
AFW 2.730E-005 2/2 MDPs & TDP- 2/4 SGs FAIL- 5 HRS- ALL SUPPORT
CON 1.000E+000 1/3 CON PMPs- 1/4 SGs FAIL- NO SUPPORT
OAS 1.000E-002 OA TO ESTABLISH BLEED AND FEED COOLING - START SI

37. 3.586E-007 0.61% 2.869E-005
SGR 2.500E-002 Steam Generator Tube Rupture
AFW 2.510E-003 2/2 MDPs & TDP- 3/3 SGs FAIL- 5 HRS- ALL SUPPORT
OAR 6.090E-003 OA TO ESTABLISH HIGH PRESSURE RECIRC W/O SPRAY

42. 2.942E-007 0.50% 3.023E-005
LOC 3.500E-001 Loss of Condenser
RT 1.800E-005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) - ALL SUPPORT
PLL 8.610E-001 INITIAL POWER LESS THAN 40%
OMG 5.000E-001 OA TO TRIP MG SETS

43. 2.798E-007 0.47% 3.051E-005
LOSP2 1.000E-002 Loss of Offsite Power (Dual Unit)
4KAC 5.470E-002 4160 V AC POWER BUS A FAIL (WITH DGs - LOSP)
AFW 2.000E-002 MDP TO 2/4 SGs FAIL- 5 HRS- TR B SPRT (NO TRA)
CON 1.000E+000 1/3 CON PMPs- 1/4 SGs FAIL- NO SUPPORT
HPR 2.800E-002 1/2 CCPs- 1/2 RHR- TR A SPRT FAILS

47. 2.511E-007 0.43% 3.156E-005
LOSP1 4.100E-002 Loss of Offsite Power (Single Unit)
4KAC 5.470E-002 4160 V AC POWER BUS A FAIL (WITH DGs - LOSP)
AFW 2.000E-002 MDP TO 2/4 SGs FAIL- 5 HRS- TR B SPRT (NO TRA)
CON 1.000E+000 1/3 CON PMPs- 1/4 SGs FAIL- NO SUPPORT
OAR 6.090E-003 OA TO ESTABLISH HIGH PRESSURE RECIRC (INCLUDES OLP)

48. 2.467E-007 0.42% 3.180E-005
TT 7.300E-001 Turbine Trip
RT 1.800E-005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) - ALL SUPPORT
PLL 8.610E-001 INITIAL POWER LESS THAN 40%
OMG 5.000E-001 OA TO TRIP MG SETS
OCR 5.070E-001 OA TO INSERT CONTROL RODS
OBR 1.550E-001 OA TO ESTABLISH EMERGENCY BORATION

51. 2.431E-007 0.41% 3.254E-005
LOSP2 1.000E-002 Loss of Offsite Power (Dual Unit)
4KAC 5.470E-002 4160 V AC POWER BUS A FAIL (WITH DGs - LOSP)
AFW 2.000E-002 MDP TO 2/4 SGs FAIL- 5 HRS- TR B SPRT (NO TRA)
CON 1.000E+000 1/3 CON PMPs- 1/4 SGs FAIL- NO SUPPORT
HPI 2.430E-002 1/2 CCPs- 3/4 CLEGS- TR B SPRT AVAIL- LOSP


Proposed Case: Solid State Protection System, 2 of 3 Logic (Cont'd)

52. 2.426E-007 0.41% 3.278E-005
TT 7.300E-001 Turbine Trip
RT 1.800E-005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) - ALL SUPPORT
PLL 8.610E-001 INITIAL POWER LESS THAN 40%
OMG 5.000E-001 OA TO TRIP MG SETS
OCR 5.070E-001 OA TO INSERT CONTROL RODS
AFW 8.960E-002 2/2 MDPs & TDP TO 4/4 SGs FAIL- 5 HRS - ALL SUPPORT

55. 2.359E-007 0.40% 3.350E-005
PMF 1.500E+000 Partial Loss of Main Feedwater Flow
AFW 2.730E-005 2/2 MDPs & TDP- 2/4 SGs FAIL- 5 HRS- ALL SUPPORT
CON 1.000E+000 1/3 CON PMPs- 1/4 SGs FAIL- NO SUPPORT
OAR 6.090E-003 OA TO ESTABLISH HIGH PRESSURE RECIRC (INCLUDES OLP)

56. 2.293E-007 0.39% 3.373E-005
TT 7.300E-001 Turbine Trip
RT 1.800E-005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) - ALL SUPPORT
PLL 8.610E-001 INITIAL POWER LESS THAN 40%
OMG 5.000E-001 OA TO TRIP MG SETS
AFW 8.960E-002 2/2 MDPs & TDP TO 4/4 SGs FAIL- 5 HRS - ALL SUPPORT

59. 2.003E-007 0.34% 3.436E-005
SLO 6.600E-003 Small Loss of Coolant Accident
ESF 1.290E-003 ENGINEERED SAFETY FEATURES TRAIN A FAILS (OTHERS)
CCP 2.550E-002 1/2 CCPs- 3/4 CLEGS- TR B SPRT AVAIL
LPI 1.000E+000 LPI- 1/2 LPIs- 3/4 CLEGS- NO SUPPORT

68. 1.797E-007 0.30% 3.604E-005
LOSP1 4.100E-002 Loss of Offsite Power (Single Unit)
4KAC 5.470E-002 4160 V AC POWER BUS A FAIL (WITH DGs - LOSP)
AFW 2.000E-002 MDP TO 2/4 SGs FAIL- 5 HRS- TR B SPRT (NO TRA)
CON 1.000E+000 1/3 CON PMPs- 1/4 SGs FAIL- NO SUPPORT
PZR 4.490E-003 1/2 PZR PORVs & BLOCK VLVS FAIL TO OPER TR B SPRT

69. 1.791E-007 0.30% 3.621E-005
LMF 5.300E-001 Loss of Main Feedwater Flow
RT 1.800E-005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) - ALL SUPPORT
PLL 8.610E-001 INITIAL POWER LESS THAN 40%
OMG 5.000E-001 OA TO TRIP MG SETS
OCR 5.070E-001 OA TO INSERT CONTROL RODS
OBR 1.550E-001 OA TO ESTABLISH EMERGENCY BORATION

71. 1.761E-007 0.30% 3.657E-005
LMF 5.300E-001 Loss of Main Feedwater Flow
RT 1.800E-005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) - ALL SUPPORT
PLL 8.610E-001 INITIAL POWER LESS THAN 40%
OMG 5.000E-001 OA TO TRIP MG SETS
OCR 5.070E-001 OA TO INSERT CONTROL RODS
AFW 8.960E-002 2/2 MDPs & TDP TO 4/4 SGs FAIL- 5 HRS - ALL SUPPORT

73. 1.665E-007 0.28% 3.691E-005
LMF 5.300E-001 Loss of Main Feedwater Flow
RT 1.800E-005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) - ALL SUPPORT
PLL 8.610E-001 INITIAL POWER LESS THAN 40%
OMG 5.000E-001 OA TO TRIP MG SETS
AFW 8.960E-002 2/2 MDPs & TDP TO 4/4 SGs FAIL- 5 HRS - ALL SUPPORT

78. 1.481E-007 0.25% 3.769E-005
SGR 2.500E-002 Steam Generator Tube Rupture
AFW 2.510E-003 2/2 MDPs & TDP- 3/3 SGs FAIL- 5 HRS- ALL SUPPORT
HPR 2.530E-003 1/2 CCPs- 1/2 RHR- ALL SUPPORT

80. 1.458E-007 0.25% 3.799E-005
MLO 8.000E-004 Medium Loss of Coolant Accident
ESF 2.570E-002 ENGINEERED SAFETY FEATURES TRAIN B FAILS (MLO)
LPR 8.040E-003 1/2 RPMPs CLEG REC 1/3 CL- MLO- TR A SUPPORT AVAIL


Proposed Case: Solid State Protection System, 2 of 3 Logic (Cont'd)

81. 1.455E-007 0.25% 3.813E-005
MLO 8.000E-004 Medium Loss of Coolant Accident
ESF 2.570E-002 ENGINEERED SAFETY FEATURES TRAIN A FAILS (MLO)
LPR 8.040E-003 1/2 RPMPs CLEG REC 1/3 CL- MLO- TR B SUPPORT AVAIL

83. 1.429E-007 0.24% 3.842E-005
SIS 1.700E-001 Safety Injection Signal (Inadv)
RT 1.800E-005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) - ALL SUPPORT
PLL 8.610E-001 INITIAL POWER LESS THAN 40%
OMG 5.000E-001 OA TO TRIP MG SETS
OCR 5.070E-001 OA TO INSERT CONTROL RODS
PPR 2.690E-001 FULL AFW AND NO CRI ALL SUPPORT AVAIL

85. 1.406E-007 0.24% 3.870E-005
PMF 1.500E+000 Partial Loss of Main Feedwater Flow
RT 1.800E-005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) - ALL SUPPORT
OMG 5.000E-001 OA TO TRIP MG SETS
OCR 5.070E-001 OA TO INSERT CONTROL RODS
OBR 1.550E-001 OA TO ESTABLISH EMERGENCY BORATION

90. 1.379E-007 0.23% 3.939E-005
LMF 5.300E-001 Loss of Main Feedwater Flow
AFW 2.730E-005 2/2 MDPs & TDP- 2/4 SGs FAIL- 5 HRS- ALL SUPPORT
CON 1.000E+000 1/3 CON PMPs- 1/4 SGs FAIL- NO SUPPORT
OAS 1.000E-002 OA TO ESTABLISH BLEED AND FEED COOLING - START SI

91. 1.367E-007 0.23% 3.953E-005
PMF 1.500E+000 Partial Loss of Main Feedwater Flow
RT 1.800E-005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) - ALL SUPPORT
PLL 8.610E-001 INITIAL POWER LESS THAN 40%
OMG 5.000E-001 OA TO TRIP MG SETS
OCR 5.070E-001 OA TO INSERT CONTROL RODS
AFW 6.790E-002 TDP TO 2/4 SGs FAILS 5 HRS - ALL SUPPORT
PPR 3.620E-001 PARTIAL AFW AND NO CRI ALL SUPPORT AVAIL

98. 1.215E-007 0.21% 4.041E-005
MLO 8.000E-004 Medium Loss of Coolant Accident
ESF 2.570E-002 ENGINEERED SAFETY FEATURES TRAIN A FAILS (MLO)
LPI 6.660E-003 1/2 RPMPs 2/3 CLEGS MLO- TR A SPRT FAILS

100. 1.183E-007 0.20% 4.065E-005
LOC 3.500E-001 Loss of Condenser
RT 1.800E-005 REACTOR TRIP FAILS (DIVERSE SIGNAL WITH OA) - ALL SUPPORT
PLL 8.610E-001 INITIAL POWER LESS THAN 40%
OMG 5.000E-001 OA TO TRIP MG SETS
OCR 5.070E-001 OA TO INSERT CONTROL RODS
OBR 1.550E-001 OA TO ESTABLISH EMERGENCY BORATION
