Reliability Analysis OF Nuclear Power Plant Protective Systems

HN-190
AEC RESEARCH &

DEVELOPMENT REPORT
UC-80, Reactors-General
TID-4500 Distribution
RELIABILITY ANALYSIS
OF
NUCLEAR POWER PLANT PROTECTIVE SYSTEMS
S Sac' > '^ I- h

By ^ » ^ .5 S " "
g 5« - X a t.
B. J. Garrick, Study Director t
a
S5 %
u o S"
W. C. Gekler, Study Leader -- o a ^ o I 2 i! I.
L. Goldfisher
Z m « o •£ • s.: - *= S
I«11! t
R, H. Karcher I 3 S 2I I
B. Shimizu s-o i " ° !
i Itli^ T * u -g £ g ij
J.H.Wilson S ° 5 | - g ° ° «> S 5 i I
' §• 1 o 3 o - DO 5 ^ "3. 2 «
O a §i g s s="si°
z > n S -a « 1 ^ ag B S
o u
1:3 "J 2 >-• B S' = « S =•=
S, o. I °°S i S I
- £ 3 «o
o 2 "S
< Sf " i o - I
Prepared Under o >i u o i j a a § I s s g>
U ^ bl m •»
Subcontract No. C-275 rt 3 a- S S
C »H S «
•5 - 2 I s •a
S IJi S ! " §
PHILLIPS PETROLEUM COMPANY ". = s | i S 9 '. » S o 2
" c >. « n
Atomic Energy Division
S S 2 b I«•==••« ° 1 ? -
Idaho Falls, Idaho
> g to 2
f Sfi-S 8 & l i
53 S** g o S I •
H 5; » " ""^ S,^ 1 2
U. S. ATOMIC ENERGY COAAMISSION
Contract No. AT(10-1)-205
Idaho Operations Office
May 1967
HOLlVtES & NARVBFl, INC. since 1933
NUCLE3AR D I V I S I O N
LOS ANGELES, CALIFORNIA 90017 *^f^ «l*
.0/^
DISCLAIMER
This report was prepared as an account of work sponsored by an

agency of the United States Government. Neither the United States
Government nor any agency Thereof, nor any of their employees,
makes any warranty, express or implied, or assumes any legal
liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial product,
process, or service by trade name, trademark, manufacturer, or
otherwise does not necessarily constitute or imply its endorsement,
recommendation, or favoring by the United States Government or any
agency thereof. The views and opinions of authors expressed herein
do not necessarily state or reflect those of the United States
Government or any agency thereof.
DISCLAIMER
Portions of this document may be illegible in

electronic image products. Images are produced
from the best available original document.
AC KNOW LED CEMENTS
P r e p a r a t i o n of this r e p o r t has involved the cooperation and advice of

s e v e r a l individuals and o r g a n i z a t i o n s . We wish to thank the management
and employees of the General E l e c t r i c Company, the Westinghouse
E l e c t r i c Corporation, North A m e r i c a n Aviation, I n c . , and the Phillips
P e t r o l e u m Company. We wish t o especially thank M e s s r s . N. K. Sowards
and E, O. Meals of t h e Phillips Petroleumi Company for t h e i r c o n s t r u c t i v e
c o m m e n t s during the c o u r s e of the study.
Special a p p r e c i a t i o n is ejrtended to M r . D. E. B r i m l e y for consultation

on data nnanagement and reliability a n a l y s i s , t o M e s s r s . R. C. E r d m a n n
and O. C. Baldonado of Holmes & N a r v e r , Inc. for investigations of
selected analytical techniques connected with reliability methods, and
to M r . H, P . P o m r e h n , f o r m e r l y of Holmes & N a r v e r , for contributions
during e a r l y p h a s e s of the study.
iii
PREFACE
Much has been said about the safety of n u c l e a r r e a c t o r s c o m p a r e d

to other facilities of m o d e r n i n d u s t r y . In fact, the safety r e c o r d
of the nuclear industry is without p a r a l l e l . But we d a r e not be
complacent for the fact r e m a i n s that a l a r g e nuclear plant contains
within itself an i m m e n s e l y significant amount of radioactive
m a t e r i a l . Thus, we m u s t not r e l a x ; r a t h e r , we m u s t continue
to p r e s s for b e t t e r understanding, b e t t e r control of safety.
P e r h a p s we can go so far as to quantify the notion of safety.
That i s , p e r h a p s we can l e a r n to provide definitions and r u l e s
by which one can a r r i v e at a n u m e r i c a l figure of naerit indicating
the level of safety of a p a r t i c u l a r plant. Or, p e r h a p s it will be
a s m a l l c l u s t e r of figures of m e r i t which collectively tell the
s t o r y . Any quantification of this s o r t will be an aid so that people
(designers, o p e r a t o r s , r e g u l a t o r s ) can m a k e b e t t e r judgments
of m e r i t and r i s k , so that they can naore rationally decide for
or against v a r i o u s designs, s i t e s , and operating p r o c e d u r e s .
How then does one go about making p r e c i s e and quantifying so

vague a concept as that of level of safety? C l e a r l y , the concept
involves knowledge of the origins, likelihoods, and consequences
of a c c i d e n t s . And c l e a r l y , it involves knowledge of routine and
expected, though random, wearing out and failure of equipmênt
and p e r s o n n e l . Such knowledge in turn d e r i v e s from study and
understanding of the b a s i c physical phenomena and of the
p a r t i c u l a r s y s t e m in question. It d e r i v e s a l s o from study of
the e x p e r i e n c e r e c o r d of s y s t e m s and facilities a l r e a d y in
being. Assuming the concept of level of safety can be defined
in c r i s p m a t h e m a t i c a l t e r m s , we will still need the input, the
b a s i c physical data, the p r o b a b i l i t i e s of component failure, and
so on. Thus, we need two things: clarification of concept and
collection of actual operating data.
IV
In the p r e s e n t study and those preceding it, ' ' we have taken
steps to satisfy both these n e e d s . We have gathered information,
and we have identified and e x p e r i m e n t e d with methods of i n t e r -
preting and synthesizing the information into a quantified m e a s u r e
of safety, We have m a d e detailed r e c o m m e n d a t i o n s for a reliability
monitoring p r o g r a m - for b e t t e r methods of collecting and i n t e r -
preting pertinent safety, reliability, and availability infornaation.
The task has been a tedious one involving sifting, searching, and
analyzing hundreds of in-plant r e c o r d s including i n s t r u m e n t a t i o n
and equipment logs, maintenance wôrk o r d e r s , and all m a n n e r
of control room logs. It i-iclL^ded lengthy d i s c u s s i o n s with utility
executives, plant superintendents, plant e n g i n e e r s , o p e r a t o r s ,
m a i n t e n a n c e p e r s o n n e l , government employees, and design
p e r s o n n e l . It involved inany different plants, manweeks of effort
to r e c o n s t r u c t plant s y s t e m s in d i a g r a m form, data compiling
and analyzing, and writing, writing, and writing. It was
approached in this m a n n e r b e c a u s e all the easy ways s e e m e d to
lead to nothing. Like good design, good safety is based on details .
It is b a s e d on knowing the d a y - t o - d a y p r o b l e m s of plant operation.
It is b a s e d on observing f i r s t - h a n d the r e c o r d i n g and handling of
data. Only this provides a solid foundation for a m o r e quantitative
b a s i s for safety evaluations.
Finally, we m u s t a s k o u r s e l v e s how the r e s u l t s of g r e a t e r quantifi-

cation will be r e v e a l e d in the d a y - t o - d a y p r a c t i c e of n u c l e a r safety.
Obviously, t h e r e will be d i r e c t benefits. Much needed reliability
data will be generated. This data will s e r v e a s the g r i s t for many
(1) B. J . G a r r i c k , W. J . Costley, and W. C. Gekler, "A Study

of T e s t Reactor Operating and Safety E x p e r i e n c e , " HN-172
(Vols. I and II), U. S. Atomic E n e r g y Commission, May 1963.
(2) B. J . G a r r i c k , W. C. Gekler, J . M. Duncan, R. H. K a r c h e r ,
and B, Shimizu, "A Study of R e s e a r c h R e a c t o r Operating and
Safety E x p e r i e n c e , " HN-180, U. S. Atomic E n e r g y C o m m i s s i o n ,
June 1964.
(3) B. J. G a r r i c k , W. C. Gekler, and H. P . P o m r e h n , "An
Analysis of Nuclear Power P l a n t Operating and Safety E x p e r i -
ence, " HN-185 ("Vols. 1 and 2), U. S. Atomic Energy C o m m i s s i o n ,
December 1966.
V
other a c t i v i t i e s . Statistical b a s e s will a r i s e to m o r e c l e a r l y
define the p e r f o r m a n c e of equipment. Industry n o r m s will be
e s t a b l i s h e d for comparing equipment and isolating unsatisfactory
reliability p e r f o r m a n c e . T e s t frequencies will be r e l a t e d to
s t a t i s t i c a l expectations and we can approach ever c l o s e r to r e c o g -
nition of the underlying s t a t i s t i c a l distributions which give r i s e
to the o b s e r v e d behavior.
We should also look for i n d i r e c t benefits, not the l e a s t of which

will be the enhancement of reliability a n a l y s i s a s a safety tool.
Reliability data will p e r m i t this technique to be used in quantifying
s y s t e m reliability and establishing the r e l a t i v e i m p o r t a n c e of
v a r i o u s components to s y s t e m r e l i a b i l i t y . This knowledge can,
in turn, provide a valuable l e v e r for improving and controlling
safety. Systems offered for the s a m e safety function will be c o m -
p a r e d on the b a s i s of expectation a s well a s capability. P h y s i c a l
modifications and p r o c e d u r a l changes which i m p r o v e the reliability
of a s y s t e m will be identified. Ultimately we will a r r i v e at the
goal of a figure of m e r i t to quantify safety.
It is our hope that this work will be used to r e a l i z e these and

other benefits and thereby further i n c r e a s e our understanding
of safety.
B . John G a r r i c k
Study D i r e c t o r
VI
TABLE OF CONTENTS
PAGE
ABSTRACT xvi
INTRODUCTION 1
SUMMARY AND CONCLUSIONS 2
Data Management 2
Analytical Techniques 3
Application 5
Recommendations 7
CHAPTER 1 - RELIABILITY DATA MANAGEMENT SYSTEM 1-1
Introduction 1-1
Data Classification 1-2
Data Collection 1-9
CHAPTER 2 - RELIABILITY ANALYSIS TECHNIQUES 2-1
Autonnatic Reliability Mathematical Model (ARMM) P r o g r a m 2-3

Description 2-3
Use of ARMM 2-18
I l l u s t r a t i o n of ARMM Application 2-29
Systems Analysis by Fault Tree Evaluation, S A F T E - 1 2-36
S A F T E - 1 P r o g r a m Description 2-37
Importance Sampling 2-42
Sample Calculation: D r e s d e n - 3 E m e r g e n c y A-C
Power System 2-47
Conclusions and Recommendations 2-50
References 2-51
CHAPTER 3 - EXAMPLE APPLICATIONS OF RELIABILITY

ANALYSIS 3-1
D r e s d e n Unit 3 P r i m a r y Containment 3-3
S y s t e m Description 3-3
Reliability Considerations 3-14
vii
TABLE OF CONTENTS (continued)
PAGE
Reliability Evaluation 3-15

Results of Analysis 3-19
Connecticut Yankee Safety Injection S y s t e m 3-22
S y s t e m Description 3-23
R e s u l t s of Analysis 3-29
Connecticut Yankee Containment Cooling 3-31
System Description 3-31
San Onofre Safety Injection System 3-40
System Description 3-41

Results of Analysis 3-49
APPENDIX A - PRESENT DATA COLLECTION PRACTICES

IN OPERATING NUCLEAR POWER PLANTS A-1
APPENDIX B - DATA M A N A G E M E N T PRACTICES IN

RELATED AREAS B-1
APPENDIX C - EXAMPLE OF LOADSHEET PREPARATION

AND DATA REDUCTION C-1
APPENDIX D S E L E C T E D FAILURE RATE DATA D-1
APPENDIX E S A F T E - 1 SOURCE PROGRAM LISTING E-1
APPENDIX F - TENTATIVE GUIDELINES FOR RELIABILITY

ANALYSIS OF CONTAINMENT ISOLATION VALVE
SYSTEMS F-1
APPENDIX G GLOSSARY G-1
APPENDIX H - RELIABILITY ESTIMATES WITH CONFIDENCE

LEVELS H-1
i viii
TABLES PAGE
2. 1 P o s s i b l e F a i l u r e Combinations Considered by ARMM

of System in F i g u r e 2. 1 (No Dependency) 2-52
2. 2 Examiple Situations 2-52
2. 3 Modes Available, Modes Required, and Weighting
Factors 2-53
2,4 F a i l u r e Combinations and the Use of Depth Control 2-54
2. 5 O r d e r of Magnitude Integration E r r o r by Using
S i m p s o n ' s Rule 2-55
2.6 Time I n t e r v a l s of F a i l u r e Modes 2-56
2. 7 Function and Component Data 2-57
2.8 Time Profile 2-58
2. 9 Logical " O r " and "And" Gates Appearing in
D r e s d e n - 3 E m e r g e n c y AC Power System Fault T r e e 2-59
2.10 Connponent F a i l u r e and R e p a i r Data for D r e s d e n - 3
Ennergency AC Power System 2-61
3. 1 P r i n c i p a l Design P a r a m e t e r s for D r e s d e n - 3
P r i m a r y Containment 3-50
3. 2 P r i n c i p a l P e n e t r a t i o n s of P r i m a r y Containment and
Associated Isolation Valves 3-51
3. 3 D r e s d e n - 3 Standby Diesel Generator Loading
Requirements 3-52
3.4 Slowdown Accident S u m m a r y 3-53
3, 5 T i m e Sequence for Slowdown Accident 3-54
3.6 F a i l u r e Rate Assumptions 3-55
3.7 S u m m a r y of R e s u l t s for D r e s d e n - 3 P r i m a r y
Containment Reliability Evaluation 3-56
3. 8 Major Contributors t o P r i m a r y Containment F a i l u r e 3-57
3. 9 Component Grouping by P e r c e n t a g e Contribution to
System F a i l u r e 3-58
3. 10 L o s s of Coolant Incident and Safety Injection System
Summary 3-59
3.11 Ruptured Pipe Sizes and Safety Injection System
Operation 3-60
3, 12 F a i l u r e Rate Sumnnary 3-61
,3, 13 S u m m a r y of System Unreliability 3-62
3, 14 Major Contributors to System Unreliability 3-63
3, 15 Connecticut Yankee Containment Cooling System
Component F a i l u r e Rates 3-64
3. 16 Component F a i l u r e Combinations Leading to Power
System F a i l u r e 3-65
3. 17A Component Contributions to System Unreliability 3-66
ix
TABLES (continued) PAGE
3. 17B Component Combinations Contributing to System

F a i l u r e (Hand E s t i m a t e ) 3-67
3. 18 Components - Mechanical F e a t u r e s 3-68
3. 19 R e c i r c u l a t i o n Heat Exchanger 3-70
3. 20 Components - E l e c t r i c a l P a r a m e t e r s 3-71
3. 21 Interval Component Contributes to System
Unreliability 3-72
3. 22 F a i l u r e Rate Data Used for San Onofre Safety
Injection System 3-75
3, 23 Major Contributors t o Unreliability of San Onofre
Safety Injection System During T h r e e Time
Intervals 3-76
B, 1 UKAEA Fault Classification System B-20

B, 2 P a r t i a l List of Plant Types B-21
B. 3 P a r t i a l List of Component Types B-22
B, 4 Fault Importance B-23
B, 5 P a r t i a l List of Fault Types B-24
B. 6 Effects B-25
B. 7 Miscellaneous Column Allocations B-26
B. 8 P M - 1 Malfunction Packet C a r d No. 2 B-27
B, 9 Malfunction Packet C a r d No, 3 B-28
B, 10 P a r t i a l List of Subsystem and Component Codes B-29
B, 11 Malfunction, Safety, and Shutdown Codes B-30
B, 12 F a i l u r e Codes B-31
B, 13 Levels of MARAD Classification B-32
B, 14 S y s t e m s and Subsystems B-33
B. 15 Comiponent and Assembly List B-34
B.,r6 Component Type List (Index 2) B-35
B. 17 E E I - Type of Outage B-36
B. 18 F a i l u r e Type B-37
B. 19 Example of A E C - F P C Account Number C o r r e l a t i o n B-39
B. 20 AEC Classification of Construction Accounts
Nuclear Power P l a n t s B-40
B. 21 Example of Detailed Account Listing B-43
C. 1 List of Components in a Simple Pumping System C-5
D. 1 F a i l u r e Rate Data on Selected E l e c t r o n i c , E l e c t r i c a l ,

and Mechanical Equipment D-3
D. 2 Reference Sources for F a i l u r e Rate Data D-7
F, 1 P e n e t r a t i o n Classification F-3
X
FIGURES _ PAGE
1, 1 C o m p a r i s o n of Data Management Information 1-23

1. 2 P r o p o s e d Data Management System 1-24
1. 3 List of Existing Classifications 1 -25
1. 4 N u m b e r s of L e v e l s , Groups, and Digits of Existing
and P r o p o s e d Classification Codes 1-26
1. 5 C o m p a r i s o n of P l a n t / S y s t e m / C o m p o n e n t C l a s s i f i -
cation/Multiple Component Identification Numbers 1-27
1.6 Nuclear Power Plant Classification 1-28
1.7 Reactor Plant Classification System 1-29
1. 8 Reactor Auxiliary Cooling and Heating System and
Emiergency Shutdown Cooling System Classification 1-33
1.9 P a r t i a l List of Comnaon Component Classification 1-34
1.10 Common Subclassification 1-37
1. 11 Sample Classification of Safety Injection System 1-38
1. 12 Sample Classification of Neutron Monitor System
Source Range Channel 1-39
1. 13 F a i l u r e Mode Classification 1-40
1. 14 F a i l u r e Cause Classification 1-41
1. 15 F a i l u r e Effect Classification 1-42
1. 16 Use Event Classification 1-42
1. 17 Reliability Input Data Flow Chart 1-43
1. 18 R e q u i r e d Reliability Information 1 -44
1. 19 Typical Operational T e s t i n g S u m m a r y for Nuclear
Safeguards Systems 1-45
1. 20 C o m p a r i s o n of Required Information 1-46
1. 21 F a i l u r e Report and Maintenance Request form with
Required Reliability Information 1 -47
1. 22 Modified Maintenance Request F o r m 1-48
1. 23 V e n d o r ' s Reliability Input Data F o r m 1-49
1. 24 F a i l u r e Rate Conversion Table 1-50
2. 1 Example S y s t e m 2-63
2. 2 Function-Connponent S u m m a r y Sheet 2-64
2. 3 Input F o r m A 2-65
2.4 Input F o r m B 2-66
2. 5 Input F o r m C 2-67
2.6 Input F o r m D 2-68
2. 7 Input F o r m E 2-69
2. 8 Input F o r m G 2-70
2. 9 Input F o r m H 2-71
2. 10 ARMM Input Deck General A r r a n g e m e n t 2-72
XI
TABLE O F CONTENTS (continued)
FIGURES (continued) PAGE
2. 11 S e r i e s System 2-73
2. 12 P a r a l l e l System 2-74
2. 13 Composite System 2-75
2. 14 E l e c t r i c a l System 2-76
2. 15 Change from Nonredundant to Redundant Components
by P a r t i a l Data 2-77
2. 16 Hydraulic System 2-78
2. 17 Hydraulic System Flow Diagram 2-79
2. 18 E l e c t r o h y d r a u l i c System Block D i a g r a m 2-80
2. 19 ARMM Input Loadsheets 2-81
2. 20 Completed Computer Output - P r o b l e m 1 2-88
2.21 Connputer Output Summiary 2-114
2. 22 P ( X T ) as a Function of X T for S e v e r a l Values of A.
The Model is a T w o - O u t - o f - T h r e e System with
Identical Components and No R e p a i r 2-118
2. 23 Schematic of D r e s d e n - 3 E m e r g e n c y A-C Power
System 2-119
2. 24 Fault T r e e for D r e s d e n - 3 E m e r g e n c y A-C Power
System 2-120
2. 25 Input Data C a r d Listing for Sample Calculation
(Analog) 2-121
2. 2 6 A S A F T E - I Sample Calculation Output 2-122
2. 26B S A F T E - I Sample Calculation Output 2-123
2.26C S A F T E - I Sample Calculation Output 2-124
2. 26D S A F T E - I Sample Calculation Output 2-125
2. 26E S A F T E - I Sample Calculation Output 2-126
2. 26F S A F T E - I Sample Calculation Output 2-127
2. 27 P(T) as a Function of Operating Time (Weeks) for
the D r e s d e n - 3 E m e r g e n c y A-C Power System 2-128
3. 1 Schematic C r o s s - S e c t i o n of D r e s d e n - 3 Containment 3-78

3. 2 Functional D i a g r a m - P r i m a r y Containment 3-79
3.3 Functional D i a g r a m - Drywell A s s e m b l y 3-80
3.4 Functional Diagram - P r e s s u r e S u p p r e s s i o n Channber 3-81
3. 5 D r e s d e n - 3 P r i m a r y Containment P e n e t r a t i o n s 3-82
3. 6 Containment Spray Cooling System 3-83
3. 7 Schematic of E m e r g e n c y A-C Power Supply for
C o r e Spray and Containment Cooling 3-84
3.8 Containment P r e s s u r e for Various Available
E n g i n e e r e d Safeguards 3-85
3. 9 Example of F a i l u r e Mode and Effects Analysis 3-86
xii
3. 10 Reliability Block D i a g r a m Containment Isolation

and Cooling Interval 1 3 - •90
3. 11 Reliability Block D i a g r a m C o r e Spray - Interval 1
(Redundant Operation) 3 - •95
3. 12 Reliability Block D i a g r a m Containment Cooling
Interval 2 3 - •97
3. 13 Reliability Block D i a g r a m Core Spray - Interval 2
(Redundant Operation) 3 -•98
3. 14 Reliability Block D i a g r a m Core Spray - Interval 1
(Both Loops Required) 3 --99
3. 15 Reliability Block D i a g r a m C o r e Spray - Interval 2
(Both Loops Required) 3 - •100
3. 16 Automatic Reliability Mathematic Model
D r e s d e n - 3 P r i m a r y Containment - Case 2 3 - •101
3. 17 P r o c e s s Flow Diagram - Safety Injection System
Connecticut Yankee 3- -111
3.18 Schematic Flow D i a g r a m Residual Heat Removal
Secondary Water System Connecticut Yankee 3- -112
3. 19 115 KV/4160 Volt Schematic D i a g r a m for Safety
Injection System 3- -113
3. 20 480 Volt Schematic D i a g r a m for Safety Injection
System 3--114
3.21 Schematic D i a g r a m 3--115
3.22 Loss-of-Coolant Incident 3-Inch Charging Line Break 3--116
3. 23 F a i l u r e Mode and Effect Analyses 3--117
3. 24 Reliability Block D i a g r a m Safety Injection System
Connecticut Yankee 3-123
3. 25 Reliability Block D i a g r a m E m e r g e n c y Power for
C o r e Deluge System 3-127
3.26 ARMM Input Loadsheets - C a s e 1 3-128
3. 27 ARMM Input Loadsheets - C a s e 2 3-141
3.28 Component Contributions to Unreliability 3-145
3.29 Function Contributions to Unreliability 3-154
3. 30 Air R e c i r c u l a t i o n F a n - Cooling Coil Unit
Connecticut Yankee 3-157
3.31A Reliability Block D i a g r a m Connecticut Yankee -
Air R e c i r c u l a t i o n Unit 3-158
3. 3 IB Reliability Block D i a g r a m Connecticut Yankee
Containment Spray System 3-159
3. 31C Reliability Block Diagrami Connecticut Yankee
Power Supply and S e r v i c e Water System P u m p s 3-160
xiii
3. 3ID Containment Cooling System Reliability Block

Diagram - Connecticut Yankee 3-161
3. 32 Residual Heat Removal System in Containnnent Spray
Mode Connecticut Yankee 3-162
3, 33 Connecticut Yankee Containment P r e s s u r e T r a n s i e n t 3-163
3. 34A F a i l u r e Mode and Effect Analysis Connecticut
Yankee - Containment Spray System 3-164
3. 34B F a i l u r e Mode and Effect Analysis Connecticut
Yankee - Air R e c i r c u l a t i o n Unit 3-165
3. 35 Schematic of San Onofre Safety Injection System 3-167
3, 36 E l e c t r i c a l Power to Safety Injection System -
San Onofre 3-168
3. 37 F a i l u r e Mode and Effect Analysis San Onofre -
Safety Injection System 3-169
3. 38 Reliability Block D i a g r a m Safety Injection System 3-174
A. 1 Maintenance Request Flow A- 1]

A. 2 Maintenance Request Flow A-12
A. 3 Maintenance Request F o r m A-13
A. 4 Maintenance Memorandum A-14
A. 5 Maintenance Memorandunn Flow for E l e c t r i c a l
and Mechanical Work A-15
A. 6 T e s t Bureau Maintenance Memorandum Flow A-16
A. 7 Work Request ( F o r m 23) Flow A-17
A. 8 Equipment Maintenance R e c o r d F o r m A-18
A, 9 Motor Maintenance R e c o r d F o r m A-19
A, 10 Maintenance R e c o r d F o r m s A-20
B, 1 Sample Safety Report B-44

B, 2 Sample F a i l u r e , Shutdown, and Availability Report B-45
B, 3 Sample Shipboard Data Collection F o r m B-47
B. 4 Sample Shipboard Data Collection F o r m B-48
B. 5 MARAD Maintenance and Reliability P r o g r a m B-49
B. 6 Analysis of Component F o r c e d Outages for the
Year 1964 Conventional Drum Type Units Only B-50
B. 7 Report S u m m a r y Sheet B-51
B. 8 FAR ADA Information Flow Chart B-52
B. 9 Sample of Completed "Background Information on
F a i l u r e Rate Data" F o r m B-53
B. 10 Sample of Completed "Tabular F a i l u r e Rate Data
Summary" Form B-55
xiv
B, 11 Sample of Completed " F a i l u r e Mode D i s t r i b u t i o n s "

Form B--56
B . 12 Typical Page of FARADA Computer P r i n t - O u t
from Volume lA B--57
B , 13 Typical Page of FARADA Computer P r i n t - O u t
from Volume IB B--58
B , 14 Typical Page of FARADA F a i l u r e Mode Distributions B--59
B . 15 P a r t i a l List of Major Classifications of the FARADA
Part/Comiponent Generic Code B--60
B . 16 FARADA Common Subclassification B--61
B . 17 Example of FARADA P a r t / C o m p o n e n t Classification
Code B- -62
B . 18 Sample Deficiency Report B--63
B . 19 Deficiency Report Flow Chart B--64
C, 1 Simple Pumping Station C--6

C, 2 Operational H i s t o r y of a Simple Pumping System C--7
c. 43 Input Loadsheet c--8
c. Type 2 Output Data Sheet P a s t S u m m a r y of F a i l u r e
Rate Data c--9
c. 5 Type 1 Output Data Sheet C u r r e n t Listing of
Component F a i l u r e s c--10
c. 6 Type 2 Output Data Sheet C u r r e n t S u m m a r y of
F a i l u r e Rate Data c--11
H. 1 Lifetime E s t i m a t e for Standby Components at
75 P e r c e n t Confidence Level H-10
H. 2 Lifetime E s t i m a t e for Operating Components at
75 P e r c e n t Confidence Level H-11
XV
ABSTRACT
Data and analytical r e q u i r e m e n t s for a reliability monitoring p r o g r a m

in n u c l e a r safety have been identified. A data management s y s t e m is
defined incorporating a method for equipment and event classification
and a plan for data collection. Equipment classification is a c c o m -
plished by use of a 9-digit generic code which identifies equipment
type, environnnent, and operating load. The event classification
provides coded identification of failure mode, effect, and c a u s e , as
well as an index of accumulated e x p e r i e n c e .
The data collection plan u s e s a t w o - s t e p r e c o r d i n g p r o c e s s to enable

use of existing plant p r a c t i c e s and operating staffs. The first step
entails in-plant r e c o r d i n g of failure or r e p a i r data and operating and
t e s t data. The second step r e q u i r e s t r a n s f e r r a l of operating and
failure data to coded input for a c e n t r a l i z e d data bank. Subsequently,
data bank p r o c e s s i n g will convert and r e p o r t accumulating e x p e r i e n c e
as failure r a t e and r e p a i r data.
The a c c u r a c y and flexibility of the Autonnatic Reliability Mathematical

Model (ARMM) technique h a s been i n c r e a s e d for evaluation of t h e
reliability of engineered safety s y s t e m s . A computer p r o g r a m .
S y s t e m s Analysis by Fault T r e e Evaluation (SAFTE-1), has been
developed to implement the fault t r e e concept.
Applications of both techniques t o sannple p r o b l e m s using e s t i m a t e d

or available reliability data d e m o n s t r a t e that they provide useful
reliability e s t i m a t e s . R e s u l t s of t h e s e applications show that the
quality of t h e s e e s t i m a t e s is d e t e r m i n e d m o r e by t h e a n a l y s t ' s skill
than the limitations of the t e c h n i q u e s . It is r e v e a l e d that the
questioning and docunnentation p r o c e s s r e q u i r e d in p r e p a r a t i o n for
quantitative reliability e s t i m a t e s is of value in identifying potential
t r o u b l e spots and suggesting p r o c e d u r a l or design changes which can
eliminate or reduce the a d v e r s e effects of component failures on safety.
It is concluded that reliability analysis can contribute to a m o r e

quantitative, s y s t e m s - o r i e n t e d m e a s u r e of safety; techniques adequate
for safety analysis of nuclear power plants now exist; the data n e c e s s a r y
XVI
to support these analyses can be obtained through the suggested data
nnanagement scheme; «ind the resulting reliability monitoring program
can be executed without need for expanding nuclear power plant
operating staffs. It is recomntiended that the reliability monitoring
program be instituted in operating nuclear power plants at the earliest
possible date to enable the accumulation of data of quality appropriate
to reliability analysis of engineered safety systems.
xvii
INTRODUCTION
In an e a r l i e r study it was noted that the usefulness of r e a c t o r operating

experience could be greatly i n c r e a s e d if t h i s data w e r e collected in a fornn
suitable for reliability a n a l y s i s . An investigation has been made of data
and analysis r e q u i r e m e n t s for a reliability monitoring progrann in power
r e a c t o r safety.
One objective has been the definition of a s y s t e m for the collection and
analysis of operating, nnaintenance, inspection, and t e s t i n g data on
components of engineered safety systenns^ . This data management
s y s t e m will provide c u r r e n t l y unavailable input data for a s s e s s i n g
engineered safety s y s t e m reliability. A second objective has been the
investigation of techniques for the evaluation of reliability and the
application of t h e s e techniques to engineered safety systenns typical
of w a t e r - c o o l e d and - m o d e r a t e d power r e a c t o r s . The applications
provide information about the form and type of data which would be
r e q u i r e d in an operating reliability monitoring p r o g r a m . They also
s e r v e t o i l l u s t r a t e the expected r e s u l t s .
In this r e p o r t , the nnaterial has been a r r a n g e d in the o r d e r of c o n s i d e r a -

tion expected in the reliability nnonitoring p r o g r a m . That i s , the
r e q u i r e m e n t s for a r e l i a b i l i t y data managennent systenn a r e outlined in
Chapter 1, Methods for using data t o a s s e s s reliability a r e d i s c u s s e d
in Chapter 2. Finally, Chapter 3 i l l u s t r a t e s steps r e q u i r e d for the
application of anticipated data to reliability models of selected engineered
safety s y s t e m s in recently designed w a t e r - c o o l e d and - m o d e r a t e d r e a c t o r s .
While specific reliability analysis methods and engineered safety s y s t e m s
have been cited in this study, they a r e not intended to exclude other
methods or s y s t e m s which can be used in a given reliability a n a l y s i s .
R a t h e r , t h e s e examples a r e nneant t o i l l u s t r a t e the r e q u i r e m e n t s for
establishing a p r o g r a m for evaluating and monitoring reliability in
n u c l e a r safety. A g l o s s a r y is provided in Appendix G to indicate the
meaning of s e l e c t e d t e r m s used in this r e p o r t .
G a r r i c k , B. J , , W. C, Gekler, and H, P , P o m r e h n , "An Analysis

of Nuclear Power Plant Operating and Safety E x p e r i e n c e , " HN-185,
U, S, Atomic E n e r g y Connmission, D e c e m b e r 15, 1966,
(2)
E n g i n e e r e d safety s y s t e m s is now the p r e f e r r e d t e r m i n o l o g y for
s y s t e m s previously r e f e r r e d t o as engineered safeguard s y s t e m s ;
i, e, , s y s t e m s provided to prevent or mitigate v a r i o u s
possible r e a c t o r a c c i d e n t s .
1
SUMMARY AND CONCLUSIONS
Reliability analysis can contribute to a nnore quantitative s y s t e m s -

oriented m e a s u r e of safety. The techniques for analysis exist, having
been t a i l o r e d to meet the needs peculiar to safety analysis of n u c l e a r
power p l a n t s . The data n e c e s s a r y to support t h e s e analyses can be
obtained through implementation of the data management schenne detailed
in this r e p o r t . The r e s u l t i n g r e l i a b i l i t y monitoring p r o g r a m can be
executed without the need for expanding nuclear power plant operating
staffs.
As noted in the P r e f a c e , a reliability monitoring p r o g r a m can benefit

nuclear safety and the nuclear industry in many w a y s . Realization of
t h e s e benefits is dependent on the effectiveness of the reliability m o n i t o r -
ing p r o g r a m . P r o g r a m effectiveness i s , in t u r n , contingent on t h r e e
f a c t o r s : (1) the availability of suitable data; (2) analytical techniques
which can d e s c r i b e s y s t e m behavior; and (3) p r o p e r application of t h e s e
data and t e c h n i q u e s .
The r e q u i r e m e n t s and techniques a s s o c i a t e d with p r o p e r t r e a t m e n t of

each of t h e s e factors have been investigated and the r e s u l t s of t h i s work
a r e p r e s e n t e d in t h i s r e p o r t in the form of a data management systenn,
the review and development of two analytical techniques suitable to
r e l i a b i l i t y a n a l y s i s , and s t e p - w i s e examples of application of t h e s e
techniques and anticipated data to engineered safety s y s t e m s .
DATA MANAGEMENT
In Chapter 1, a data management s y s t e m has been defined for collection

and evaluation of r e l i a b i l i t y data from operating plants and equipment
m a n u f a c t u r e r s or v e n d o r s . This s y s t e m c o n s i s t s of a method of c l a s s i f i -
cation and a plan for data collection which w e r e derived from c o n s i d e r a t i o n
of generally available data management s y s t e m s in both nuclear and non-
n u c l e a r i n d u s t r y . The data classification concepts a r e based p r i m a r i l y
on n o n n u c l e a r - o r i e n t e d reliability p r o g r a m s while the data collection
plan is strongly slanted to conformance with r e c o r d i n g and r e p o r t i n g
p r a c t i c e s now used in n u c l e a r power p l a n t s . The data c l a s s i f i c a t i o n
s y s t e m provides a c c e s s t o r e l i a b i l i t y data at the plant, s y s t e m , or c o m -
ponent level. It allows selective grouping for s t a t i s t i c a l s e a r c h e s or
investigations of failure r a t e data as well as s t a n d a r d i z e d format for
r e p o r t i n g r e l i a b i l i t y data by s y s t e m and generic component. Among
2
data r e q u i r e m e n t s c o n s i d e r e d in the classification s y s t e m a r e the mode,
c a u s e , and effect of failure and the r e p a i r t i m e a s s o c i a t e d with each
failure. To convert specific o c c u r r e n c e s of failure into failure r a t e
information, a use event classification is d e s c r i b e d which allows c o r r e l a -
tion of failure to accumulated use or age.
With r e s p e c t t o data collection, it has been found that c u r r e n t p r a c t i c e s

in operating power r e a c t o r s should lend t h e m s e l v e s readily to o r d e r l y
collection and p r o c e s s i n g of reliability data. F u r t h e r m o r e , the effort
a s s o c i a t e d with collecting this data should r e s u l t in little or no i n c r e a s e
in operating staff workload. Much of the r e q u i r e d data is already called
for in existing p r a c t i c e s . Some nnodification of existing r e c o r d s and
r e c o r d i n g p r o c e d u r e s may be r e q u i r e d but the b a s i c ingredient for
s u c c e s s will be the e s t a b l i s h m e n t and adherence to good r e c o r d keeping
p r a c t i c e s , many of which already exist in t h e s e f a c i l i t i e s . E n c o u r a g e -
ment of such p r a c t i c e s can be enhanced by i l l u s t r a t i n g the potential value
of reliability data to those involved in its collection and by p r o c e d u r e s
which a s s u r e that r e s u l t i n g data will be handled in a m a n n e r that
objectively and fairly s e r v e s the i n t e r e s t of the d e s i g n e r , m a n u f a c t u r e r ,
o p e r a t o r , and the public. An information flow s c h e m e which would
a s s u r e p r o p e r use and d i s s e m i n a t i o n of data fronn the reliability m o n i t o r -
ing p r o g r a m is shown in F i g u r e 1.
As p r o p o s e d , the data collection plan entails a t w o - s t e p r e c o r d i n g

p r a c t i c e with subsequent p r o c e s s i n g by a data reduction agency. The
first step involves connpletion of failure or maintenance r e p o r t f o r m s
only slightly different from those c u r r e n t l y in use by the plant p e r s o n n e l
n o r m a l l y r e p o r t i n g and r e c o r d i n g m a i n t e n a n c e . The second step involves
t r a n s f e r r a l of the failure information on t h e s e f o r m s as well as use data
from operating and outage s u m m a r y r e p o r t s to reliability data l o a d s h e e t s .
This t r a n s f e r r a l can be accomplished by in-plant p e r s o n n e l after a brief
t r a i n i n g period or by a r e p r e s e n t a t i v e of the data collection agency during
periodic plant v i s i t s . Subsequently, the loadsheet data would be reduced
and r e p o r t e d as failure r a t e and r e p a i r data s u m m a r y information. Such
information would be d i r e c t l y applicable t o r e l i a b i l i t y analyses of
engineered safety s y s t e m s . It also would be of some use t o any nonsafety
pursuit of improved plant or s y s t e m availability.
ANALYTICAL TECHNIQUES
A number of m a t h e m a t i c a l techniques or machine codes have been

investigated which can be used in evaluating engineered safety s y s t e m
3
reliability. Two p r o m i s i n g techniques utilized in a e r o s p a c e applications
have been examined in detail. They a r e the Automatic Reliability
Mathematical Model (ARMM) and fault t r e e a n a l y s i s . These techniques
have been t a i l o r e d to p e r m i t application to engineered safety s y s t e m s .
The ARMM p r o g r a m p o s s e s s e s nnany attributes d e s i r a b l e in evaluating

engineered safety s y s t e m r e l i a b i l i t y . Among its capabilities a r e the
simulation of r e d u n d a n c i e s , interdependence and mutually exclusive
failure m o d e s , and the operation of standby equipment. Results of an
ARMM analysis include: (1) the probability of successful s y s t e m
operation; (2) each component's contribution to the probability of s y s t e m
failure; and (3) the failed component combinations which a r e nnajor
c o n t r i b u t o r s to s y s t e m unreliability. In the c o u r s e of understanding
and using ARMM, modifications have been made in p r o g r a m subroutines
to b e t t e r suit it to engineered safety s y s t e m applications. These modifi-
cations a r e d e s c r i b e d in Chapter 2 along with identification of s e v e r a l
other changes which, if nnade, would further innprove the p r o g r a m .
P e r h a p s the most important r e s u l t of working with ARMM is recognition
that its effectiveness is limited by the u s e r ' s skill, especially in the
initial applications.
Fault t r e e analysis is p a r t i c u l a r l y appealing because it p a r a l l e l s r e a c t o r

safety analysis p r a c t i c e s . Fault t r e e analysis g e n e r a t e s a logical s t a t e -
ment of events which, in combination or s e p a r a t e l y , can lead to an
undesired event, i. e. , nuclear incident. The approach is to state the
undesired event in r e a l , nneasurable t e r m s and subsequently identify the
event sequences n e c e s s a r y and sufficient t o c a u s e the undesired event.
The r e s u l t is a gated logic (AND and OR gates) which identifies human
e r r o r s , equipment malfunctions, and operating conditions n e c e s s a r y to
the o c c u r r e n c e of an event. To enable use of fault t r e e analysis in nuclear
safety, a computer p r o g r a m has been developed and w r i t t e n having the
code n a m e S A F T E - 1 (Systems Analysis by Fault T r e e Evaluation).
S A F T E - 1 is a connputerized probabilistic model of the logic which allows
simulation of s y s t e m operation through a l a r g e number of t r i a l s h. a short
period of t i m e to identify the likelihood of the undesired event and the
r e l a t i v e contributions of v a r i o u s initiating component f a i l u r e s to this
event. Application of S A F T E - 1 to an engineered safety s y s t e m has shown
that the p r o g r a m yields reliability e s t i m a t e s . However, continued
r e s e a r c h is r e q u i r e d to r e a l i z e the full and highly d e s i r a b l e benefits of
the p r o g r a m .
R e g a r d l e s s of f o r m a t , any nnathennatical method for nnaking quantitative

reliability e s t i m a t e s is a simulation of s y s t e m b e h a v i o r . As the simulation
4
b e c o m e s nnore r e a l i s t i c , its input r e q u i r e m e n t s i n c r e a s e . The two
methods previously r e f e r r e d t o a r e believed to be n e a r t h e upper bounds
of p r a c t i c a l sinnulation for reliability evaluation of engineered safety
s y s t e m s . They can allow changes in operating mode and configuration;
they can accommodate r e p a i r and t e s t i n g p r a c t i c e s ; they can recognize
dependencies and r e d u n d a n c i e s ; and they can i n c o r p o r a t e human e r r o r
either as a coinbined input with component failure r a t e or as a s e p a r a t e
input.
APPLICATION
In reliability analysis the nnethods for operating, maintaining, and

t e s t i n g a systenn a r e d e s c r i b e d to lay a b a s i s for careful, s t e p - b y - s t e p
evaluation of the c a u s e and effect of each failure mode of each c r i t i c a l
component. These failure mode and effect a n a l y s e s , s o m e t i m e s called
failure a n a l y s e s , identify c r i t i c a l components in t e r m s of failure effect
and provide formalized documentation of actions which can be taken to
eliminate the c a u s e of failure or reduce the effect of f a i l u r e . The c o m -
ponents identified in a failure analysis a r e then introduced into
reliability models or logical models of systenn operation. When
p r o p e r l y developed, t h e s e models graphically display the r e l a t i o n s h i p
between components including such concepts as interdependence and
redundancy.
As pointed out in C h a p t e r s 2 and 3, the p r i m a r y factor in the usefulness

and credibility of a reliability analysis for an engineered safety s y s t e m ,
or for that m a t t e r , for any s y s t e m is the a n a l y s t ' s skill and e x p e r i e n c e .
S i m i l a r conditions hold for other engineering analyses in nuclear
s y s t e m s . Without p r o p e r background the analyst is confronted with
what a p p e a r s t o be a r a t h e r complex bookkeeping t a s k . With adequate
background he is able t o identify the equipment and operating p a t t e r n s
which most a d v e r s e l y affect s y s t e m reliability and then c o n c e n t r a t e his
efforts in t h e s e a r e a s .
The steps involved in applying data and m a t h e m a t i c a l models to a

reliability analysis have been i l l u s t r a t e d in Chapter 3 by example applica-
tions to four engineered safety s y s t e m s fronn p r e s s u r i z e d and boiling
w a t e r r e a c t o r s . These steps include:
1. Systemi d e s c r i p t i o n .
2. Operating and t e s t i n g p r o c e d u r e review,
3. Failure analysis.
5
4. Reliability model development.
5. Reliability data selection.
6. Reliability analysis.
7. Evaluation of r e s u l t s .
In developing t h e s e applications, it has been found that the questioning

and documentation r e q u i r e d in p r e p a r a t i o n for quantitative reliability
e s t i m a t e s a r e as valuable as the e s t i m a t e s thennselves. These p r e p a r a -
t o r y functions identify many of the t r o u b l e spots which a r e subsequently
confirmed by reliability estimiates. They also d i r e c t attention to
p r o c e d u r a l or design changes which can eliminate or r e d u c e the a d v e r s e
effects on safety of component f a i l u r e s .
The investigative p r o c e s s e s involved in p r e p a r i n g for a reliability

analysis also occur in the c o u r s e of d i s c u s s i o n s between operator and
d e s i g n e r , and between r e g u l a t o r and o p e r a t o r . Such discussions r e s u l t
from a need to nnake reliability judgment. It is believed that when
p r o p e r l y applied, reliability analyses can r e a d i l y provide o r d e r l y
documented a n s w e r s and p e r m i t a m o r e detailed evaluation of s y s t e m s
important t o r e a c t o r safety.
The exannple applications p r e s e n t e d in Chapter 3 also i l l u s t r a t e the

quantitative r e s u l t s of a reliability analysis and indicate ways in which
t h e s e r e s u l t s may be used t o benefit safety.
Specific examples of t h e s e r e s u l t s include:
1. Components or design f e a t u r e s to which reliability i m p r o v e m e n t

efforts may be most effectively applied.
2. Components contributing to s y s t e m failure at a given probability
level.
3. The effect of adding or removing redundancy on t h e r e l i a b i l i t y
of the s y s t e m .
4. V a r i a t i o n s in systenn reliability which r e s u l t from a l t e r e d
t e s t i n g frequencies or p r o c e d u r e s .
5. The sensitivity of s y s t e m reliability to e r r o r s in component
failure r a t e and r e p a i r data.
In conclusion, the reliability monitoring p r o g r a m d e s c r i b e d in this study

provides a m e a n s for generating much needed s t a t i s t i c a l reliability data
6
as well as guidelines for application of the data to quantitative reliability
e s t i m a t e s . When initiated, it is believed that the p r o g r a m will prove
useful in every step of the activity a s s o c i a t e d with design, manufacture,
evaluation, and operation of engineered safety systenns. Among the
specific benefits a r e reliability data for use in evaluating new engineered
safety s y s t e m d e s i g n s ; a m o r e quantitative b a s i s for c o m p a r i s o n of new
and existing designs; evaluation of the significance of p r e o p e r a t i o n a l
and operational t e s t i n g p r a c t i c e s ; and a feedback m e c h a n i s m for i m p r o v e -
ment of equipment and p r o c e d u r e s in new and existing s y s t e m s by
identification of conditions a d v e r s e l y affecting r e l i a b i l i t y .
RECOMMENDATIONS
Analytical techniques and m a t h e m a t i c a l models n e c e s s a r y to p e r f o r m a

reliability analysis of typical c o m m e r c i a l power r e a c t o r safety s y s t e m s
a r e now available. This study has also developed a data management
s y s t e m designed and t a i l o r e d to collect and reduce experience data to
reliability data for components of power r e a c t o r protective s y s t e m s .
What r e m a i n s to be done is implennentation of an active reliability
monitoring p r o g r a m .
In view of the fact that approximately 17 w a t e r - c o o l e d and - m o d e r a t e d

power r e a c t o r s with output g r e a t e r than 50 Mwe a r e expected to be in
operation by D e c e m b e r 1969 and an additional 24 with outputs g r e a t e r
than 400 Mwe by D e c e m b e r 1972, it is r e c o m m e n d e d that steps be taken
now to initiate operation of the reliability monitoring p r o g r a m in o p e r a t -
ing power r e a c t o r s .
Fronn the standpoint of urgency, the nnost important aspect of the p r o g r a m

is the collection and reduction of experience into useful reliability data.
T h e r e is s o m e demand for this data now and it can be expected to i n c r e a s e
rapidly. F u r t h e r m o r e , t h e r e is s t r o n g justification t o initiate data
collection now in o r d e r to m i n i m i z e the loss of c u r r e n t l y accumulating
e x p e r i e n c e . It is exceedingly difficult and expensive to attempt r e c o v e r y
of t h i s experience in a reliability data s e n s e using existing documentation
practices.
While data collection is the most urgent aspect of the reliability m o n i t o r -

ing p r o g r a m , t h e r e is also a need to verify the integrated concept of the
p r o g r a m in actual p r a c t i c e . That i s , a pilot t e s t should be made to
d e m o n s t r a t e the collection and reduction of data and t h e application of
t h i s data to the reliability analysis of well defined operating s y s t e m s .
7
Finally, t h i s pilot t e s t could provide a m e a n s of experimenting with
other activities concerned with data collection p r o b l e m s . ' ' '
Computer Handling of Reactor Data for Safety, CHORDS, under

development by the Nuclear Safety Information C e n t e r .
Griffin, C. W. , Outline P l a n for Collection, Evaluation and

D i s s e m i n a t i o n of LMFBR F a c i l i t i e s Incident Report Infornnation,
Liquid Metal Engineering Center, M a r c h 15, 1967.
8
Plant and Reliability
Equipment C r i t e r i a &;
Designers Procedures
TT
Reliability
Analysis
Operating &
T e s t Data
i_t
Data Collection
and
Analysis Agency
AEC-Industry
F a i l u r e Rate
Advisory Committee
Failure
Rate Data
FIGURE 1
RELIABILITY MONITORING PROGRAM

INFORMATION FLOW CHART
9
CHAPTER 1
RELIABILITY DATA MANAGEMENT SYSTEM

CHAPTER 1
RELIABILITY DATA'MANAGEMENT SYSTEM
INTRODUCTION
A p r i m a r y objective of this study has been the identification of a data

management s y s t e m for the collection and analysis of operating, m a i n t e -
nance, inspection, and t e s t i n g data on the connponents of power r e a c t o r
protective s y s t e m s which will provide the n e c e s s a r y input for a s s e s s i n g
protective s y s t e m r e l i a b i l i t i e s . To be successful, a r e l i a b i l i t y data
management s y s t e m for r e a c t o r safety must be p r a c t i c a l and flexible.
The p r o g r a m must also recognize a v a r i e t y of data s o u r c e s , the nnost
imiportant nf t h e s e s o u r c e s being operating r e a c t o r s . Within t h e s e general
c o n s t r a i n t s , a data management s y s t e m has been defined. The s y s t e m
c o n c e n t r a t e s p r i m a r i l y on the collection of useful reliability data from
operating facilities. It also r e c o g n i z e s the v e r y important s o u r c e of
r e l i a b i l i t y data r e p r e s e n t e d by t e s t progranns in m a n u f a c t u r e r ' s facilities
and national l a b o r a t o r i e s . The approach used is b a s e d on the fact that
significant amounts of information n e c e s s a r y to development of reliability
data, p a r t i c u l a r l y failure r a t e data, is being g e n e r a t e d in a gross form
via other a d m i n i s t r a t i v e activities r e q u i r i n g data collection. What is now
r e q u i r e d is a method of selectively culling this existing information to
a r r i v e at a useful set of r e l i a b i l i t y data. This r e q u i r e m e n t can be
a c c o m p l i s h e d by setting forth p r o c e d u r e s and f o r m a t s for collecting and
classifying.reliability data from available data. Listed in F i g u r e 1. 1
a r e the s y s t e m objectives and the type of r e q u i r e d information with which
t h e s e objectives can be fulfilled.
To a r r i v e at a s e l e c t e d data managennent systenn, a number of s i m i l a r

s y s t e m s either proposed or in operation have been reviewed. T h e s e s y s -
t e m s r e p r e s e n t both nuclear and nonnuclear applications. Most of t h e m
a r e scoped to develop failure r a t e s on the b a s i s (1) that the collected
failure data derive from chance failures and exclude f a i l u r e s due to
wearout, or (2) that all failures a r e chance f a i l u r e s . The s y s t e m out-
lined in this r e p o r t h a s been developed to provide a s y s t e m a t i c means
of collecting component failure data and to p e r m i t the analysis of failure
m o d e s , and the identification of failure distribution functions a s s o c i a t e d
with the v a r i o u s failure modes, w h e r e v e r possible.
Reliability data nnanagemient can be broadly divided into (1) data collection
efforts which e n c o m p a s s collection, reduction and evaluation of in-plant
or field data and m a n u f a c t u r e r ' s or t e s t data; and (2) classification of
1-1
the collected data by equipment and event types in o r d e r t o facilitate
evaluation and c o r r e l a t i o n of data. Both activities must be p r e d i c a t e d
on the end use of the data. A breakdown of functions r e q u i r e d in data
collection and c l a s s i f i c a t i o n is i l l u s t r a t e d in F i g u r e 1. 2. Since data
c l a s s i f i c a t i o n identifies nnany of the format r e q u i r e m e n t s for data
collection, it will be d i s c u s s e d f i r s t .
DATA CLASSIFICATION
Present Practices
In c o n s i d e r i n g the requirennents for data classification, seven c l a s s i f i -

cation s y s t e m s have been reviewed, along with c u r r e n t p r a c t i c e s in
s e v e r a l c o m m e r c i a l nuclear power plants operating in the United S t a t e s .
C u r r e n t p r a c t i c e s in s e v e r a l U . S . power plants a r e s u m m a r i z e d in
Appendix A. Since t h e r e c u r r e n t l y is no f o r m a l i z e d reliability progrann
in U . S . .nuclear power plants, the data classification activities in t h e s e
facilities is l a r g e l y dictated by other management and maintenance goals,
e. g. , cost control, s p a r e p a r t s inventory, and g e n e r a l availability
m e a s u r e m e n t . Of the s e v e n c l a s s i f i c a t i o n s y s t e m s reviewed, t h r e e
w e r e r e l a t e d t o n u c l e a r plants h e r e and abroad. The r e m a i n d e r w e r e
nonnuclear in orientation. T h e s e classification s y s t e m s which a r e
s u m m a r i z e d in Appendix B a r e :
1. United Kingdom Atomic E n e r g y Authority (UKAEA),

R e a c t o r Fault Reporting System.
2. Computer P r o g r a m for Military Nuclear Power Plant

(PM-1) Data.
3. Uniform Subject Index for Nuclear Power D e m o n s t r a t i o n

(NPD) P r o j e c t .
4. M a r i t i m e A d m i n i s t r a t i o n (MARAD) Classification of
Merchant Ship S y s t e m s .
5. E d i s o n E l e c t r i c Institute (EEI) Outage Classification Code,
6. I n t e r s e r v i c e Data Exchange P r o g r a m (IDEP), Guided M i s s i l e

Data Exchange P r o g r a m (GMDEP), and F a i l u r e Rate Data
P r o g r a m (FARADA).
7. AEC Uniform System of Accounts.
1-2
While the majority of t h e s e s y s t e m s deal with the subject of failure
r a t e data, many of them also included other m i s s i o n s , as shown in
F i g u r e 1. 3, which makes it difficult to c o m p a r e directly all p a r a m e t e r s
between different classification s y s t e m s . F o r example, the P M - 1 s y s -
t e m s classification is understandably simple b e c a u s e of the simplicity
of the installation and the single unit application. Simplicity of the
Canadian (NPD) classification also d e r i v e s to some extent from its
single installation application. The UKAEA classification is relatively
nnore, complicated since it includes not only light-water r e a c t o r s but
also h e a v y - w a t e r , gas-cooled, and l i q u i d - m e t a l r e a c t o r s . In any c a s e ,
it is obvious that t h e r e is m o r e than one good classification s y s t e m .
To d e m o n s t r a t e the r e l a t i v e complexity of t h e s e classification s y s t e m s ,

the number of l e v e l s , groups, and digits used, and some typical
exannples of combined p l a n t / s y s t e m / c o m p o n e n t classification a r e shown
in F i g u r e s 1.4 and 1. 5 r e s p e c t i v e l y . Disadvantages of t h e s e c l a s s i f i c a -
tions a r e that (1) s y s t e m s classifications a r e h a r d w a r e r a t h e r than
function-oriented; (2) component classifications a r e not in generic
codes and thus by component classifications alone, sinnilar components
cannot be placed into common groups; and (3) multiple components of
the identical kind cannot be distinguished.
The NPD and MARAD classifications provide functional s y s t e m b r e a k -

downs, the FARADA classification provides component generic c o d e s ,
and the P M - 1 classification provides multiple component identification
n u m b e r i n g . All of t h e s e a r e c o n s i d e r e d d e s i r a b l e qualities for a good
data c l a s s i f i c a t i o n s y s t e m .
A classification s y s t e m which d e s e r v e s special attention is the AEC

Uniform System of Accounts which was developed p r i m a r i l y for cost
accounting and e s t i m a t i n g p u r p o s e s . The functional breakdown provided
in this s y s t e m , p a r t i c u l a r l y for the r e a c t o r plant, is r a t h e r appealing.
It should be noted that the NPD classification s y s t e m which is used to
collect reliability data as well as to a s s i s t scheduling and accounting
a c t i v i t i e s , was developed from the s a m e s o u r c e as the AEC s y s t e m ,
namely the F e d e r a l Power C o m m i s s i o n (FPC) Uniform System of
Accounts.
Another important t a s k in selecting a classification s y s t e m is d e t e r m i n -

ing the number and detail of classification c a t e g o r i e s for d e s c r i b i n g
failure e v e n t s . T h e s e c a t e g o r i e s must be p r a c t i c a l for use of field data
and at the s a m e t i m e p e r m i t s t a t i s t i c a l examination. The tendency is to
c o n s t r u c t an extensive and detailed event classification systenn and
identify field data collection p r o c e d u r e s and f o r m s which p e r m i t use of
1-3
the c l a s s i f i c a t i o n systenn. The UKAEA and P M - 1 fault classifications
with 200 and 65 fault c a t e g o r i e s , r e s p e c t i v e l y , show the extent of detail
which may be r e q u i r e d . Such an approach can prove difficult t o i m p l e -
ment without adding e x t r a b u r d e n to the workload of operating p e r s o n n e l ,
A checklist fornn such as that used in the MARAD progrann i l l u s t r a t e s
the type of field data requirennent which may r e s u l t . While nnore detailed
failure event classification codes yield b e t t e r failure data, it is c o n s i d e r e d
d e s i r a b l e to match t h e s e codes as closely as possible to the capability
of existing in-plant data r e c o r d i n g and r e p o r t i n g p r a c t i c e s .
The data classification s y s t e m recomnnended in this study is effectively

a connposite of concepts derived fronn the systenns sunnnnarized in
Appendix B, The reconimended systenn has been scoped for use in
r e l i a b i l i t y data generation on engineered safety s y s t e m components.
It a l s o r e f l e c t s c o n s i d e r a t i o n of b r o a d e r potential application to all
nuclear systenns and the possibility of eventual i n c o r p o r a t i o n into data
management s y s t e m s concerned with all connponents in nuclear power
plants. The innnnediate concern, however, has been reliability data
for engineered safety s y s t e m s . While t h e c l a s s i f i c a t i o n s y s t e m p r e -
sented h e r e nnay be adaptable to b r o a d e r u s e , it must be recognized
that t h e r e a r e o t h e r s which nnay be equally applicable. The point is
t h e r e is a definite need for e a r l y standardization of nuclear power plant
data management s y s t e m s to avoid u n n e c e s s a r y duplication of data
managennent activities while achieving useful data,
Reconnnnended P l a n
Data c l a s s i f i c a t i o n is divided into (1) s y s t e m s classification which

e s t a b l i s h e s the h i e r a r c h y of h a r d w a r e or equipment in n u c l e a r plants,
and (2) event classification which identifies the how and why of failure
as well as other e v e n t s .
Systenns Classification - It is d e s i r a b l e that the classification code be

adaptable to all plant systenns and at the sanne tinne be suitable for
acceptance of vendor data. Such an approach is t o identify individual
components by the s y s t e m to which they belong and by the function
which they perfornn. The s y s t e m s classificeition code outlined in t h i s
section is c o n s i d e r e d to s a t i s f a c t o r i l y acconnplish the p r e c e d i n g goals.
While connplete, detailed development of the classification code can be
perfornned by using the classifications d e s c r i b e d in Appendix B as
guides, it is believed that such an effort should be preceded by a
coordinated evaluation by all potential u s e r s at the outline stage in
o r d e r that the detailed classifications a r e of maximunn utility.
As p r e s e n t e d , the systenns classification p e r m i t s identification of data

fronn a specific connponent in a systenn for a p a r t i c u l a r plant; it allows
1-4
collecting data on a specific s y s t e m in m o r e than one plant; and it p e r m i t s
grouping of data on generically sinnilar connponents in a single plant or
all p l a n t s . The nnethod of classification as d i s c u s s e d in the following
s e c t i o n s includes plant identificcation, functional systenn identification,
and in-plant and generic component identification.
Plant Identification - Identification of a n u c l e a r power plant should be

unique. T h u s , classification of a p a r t i c u l a r plant has been made by use
of a portion of the docket nunnber a s s o c i a t e d with its utilization facility
l i c e n s e . S e r i a l i z e d portions of docket n u m b e r s a r e p r e c e d e d by " 0 " for
t h o s e l i c e n s e d under P a r t 50* and by " 5 " for those under P a r t 115*, Thus,
a r e a c t o r with Docket No, 50-206 can be identified by 0206, while that with
Docket No. 115-4 can be identified by 5004. Note that in o r d e r to m a t c h
the column allocation, O's a r e used when the s e r i a l i z e d portion of the
docket number is l e s s than t h r e e digits.
Functional System Identification - After reviewing the nuclear and non-

nuclear equipnnent classification s y s t e m s sunnnnarized in Appendix B, it
is concluded that an adaptation of the approach used in the AEC C l a s s i f i -
cation of Construction Accounts will give the best b a s i s for formalizing
functional s y s t e m s for reliability p u r p o s e s . This classification systenn is
derived fronn the F e d e r a l Power C o m m i s s i o n ' s Uniform System of
Accounts, which applies to governnnent r e c o r d s on all types of power
generation and t r a n s n n i s s i o n f a c i l i t i e s .
Another r e a s o n for using the AEC systenn as a b a s i s for classification is

that it a l r e a d y c o v e r s both p r e s s u r i z e d and boiling w a t e r r e a c t o r s and, in
addition, provides for c o v e r a g e of organic m o d e r a t e d , sodium graphite,
and fast b r e e d e r r e a c t o r s .
In adapting the AEC code to the reliability monitoring progrann, the first
digit of the AEC code (the nunnber 2) has been dropped, since this digit
indicates a nuclear power plant which is the only type of facility p r e s e n t l y
under c o n s i d e r a t i o n . The r e s u l t i n g functional classification s y s t e m uses
a nunnerical designation, generally consisting of five digits. A f i r s t - l e v e l
breakdown of the systenn is shown in F i g u r e 1, 6, The first digit is a
functional classification within the power plant. As can be seen, most of
the equipnnent c l a s s e s of i n t e r e s t will fall in the " 2 " or r e a c t o r plant group.
The first level is in t u r n provided with up to 9 nnajor s y s t e m c l a s s e s by a

second digit, also shown in F i g u r e 1. 6. The t h i r d , fourth, and fifth digits
provide further subsystenn breakdowns, as r e q u i r e d . F i g u r e 1. 7 gives the
nunnerical designations p r e s e n t l y identified at the t h i r d and fourth l e v e l s .
The p r i m a r y difference between this breakdown and that contained in the
AEC systenn is inclusion of the r e a c t o r containment (system c l a s s 2 1 . 9)
as p a r t of the r e a c t o r plant r a t h e r than under s t r u c t u r e s and innprove-
nnents. This move is c o n s i d e r e d d e s i r a b l e b e c a u s e of the close
*Code of F e d e r a l Regulations, Title 10
1-5
r e l a t i o n s h i p between containment operability and r e a c t o r safety. An
example of a further breakdown to the fifth digit is shown in F i g u r e 1. 8.
Of c o u r s e , some s y s t e m s do not r e q u i r e four or five digit b r e a k d o w n s .
Component Identification - Classification of a component h a s been made

(1) by its plant identification nunnber which is familiar to all f i r s t - l i n e
operating p e r s o n n e l and also distinguishes it annong nnultiple connponents
in any given s y s t e m ; and (2) by its generic code which allows grouping of
data from s i m i l a r connponents and c o m p a r i s o n of vendor data to in-plant
data for s i m i l a r c o m p o n e n t s .
1. Plant Identification - The plant identification number for a

connponent can be most expeditiously e s t a b l i s h e d on a plant-
by-plant b a s i s by adapting, for exannple, equipment n u m b e r s
shown on the s y s t e m d i a g r a m s , those a p p e a r i n g on the equip-
ment h i s t o r y c a r d s , or any other adnninistrative n u m b e r i n g
s y s t e m that is used throughout the plant. After adopting the
a p p r o p r i a t e s c h e m e , component identification n u m b e r s can
be c r o s s - i n d e x e d with the generic code for further utilization.
2, Generic Classification - A t h r e e - d i g i t index number followed

by t h r e e two-digit s u b c l a s s groups has been used to provide
generic connponent identification. The t h r e e - d i g i t number is
a s s i g n e d fronn one of two groups of nunnbers, 001 to 199 or
200 to 999, depending upon t h e c l a s s of component involved.
(000 is used if t h e r e is no heading n e c e s s a r y at the component
level. ) The first group of n u m b e r s (001 to 199) is for conn-
ponents which a r e unique to a given plant or r e a c t o r design,
and for which a generic code has not been e s t a b l i s h e d . Thesfe
unique connponents a r e a s s i g n e d consecutive n u m b e r s within
each facility fronn the 001 to 199 group and a r e a s s o c i a t e d
with the systenns classification for identification, until such
t i m e as a new generic code is established.
The second group of nunnbers (200 to 999) a r e for components

which a r e comnnon to many facilities and for which failure data
can be accunnulated fronn both in-plant and equipment vendor
p r o g r a m s . For t h e s e components the nunnbers a r e p r e a s s i g n e d .
The suggested generic code is shown in p a r t i a l development in
F i g u r e 1. 9.
Following the t h r e e - d i g i t component index number a r e s e v e r a l

s u b c l a s s index groups of two-digit nunnbers which identify
s e r v i c e , m a t e r i a l , s i z e , type, function, operation, etc.
S e v e r a l s u b c l a s s e s , e . g . , s e r v i c e , m a t e r i a l , and s i z e , a r e
1-6
applicable to a number of components. In these c a s e s , connmon
subclassifications a r e used as detailed in F i g u r e 1. 10. In all
other c a s e s , a p p r o p r i a t e s u b c l a s s e s a r e c r e a t e d to suit the
p a r t i c u l a r connponent. (00 is used if t h e r e is no heading at
any s u b c l a s s level. )
While the preceding g e n e r i c classification is s i m i l a r in f o r m a t
to that used in the FARADA s y s t e m , the specific code for
components is different. This is considered d e s i r a b l e to a s s u r e
that u s e r s apply g e n e r i c data derived f r o m equipment of the
type found in nuclear power p l a n t s . Some FARADA data is
applicable to nuclear s y s t e m s but the u s e r should be aware of
the FARADA subclassifications and avoid using inapplicable
failure r a t e s . Other r e a s o n s for avoiding blanket use of the
FARADA classification include (a) many FARADA components
a r e not used at all in r e a c t o r s (88 of 463 components in an
available list have no c o u n t e r p a r t in r e a c t o r s y s t e m s ) , thus
nnany component classification n u m b e r s (first three digits)
a r e used for inapplicable data; and (b) some subclassifications
(two digit numbers) p e r t a i n to variable r a n g e s not encountered
in r e a c t o r systenns, e, g. , m o t o r s over 1 hp a r e lumped into
a single s u b c l a s s and operating media include exotic m a t e r i a l s
such as rocket fuels.
Complete s y s t e m - c o m p o n e n t classifications of two r e p r e s e n t a t i v e s y s t e m s
in a typical PWR-type nuclear power plant a r e shown in F i g u r e s 1,11 and
1. 12. In-plant component identification nunnbers w e r e taken from s y s t e m
diagrams.
Event Classification - The p r i m a r y need in p r e p a r i n g r e l i a b i l i t y data is to
r e l a t e failux-es to accunnulated use under specific operating conditions.
Both failures and use a r e considered to be events in this classification
system. In this context, failure events identify the how and why of failure;
and use events provide a b a s i s for c o r r e l a t i n g f a i l u r e s to accumulated u s e .
F a i l u r e Events - To evaluate failure data and allow p r o p e r use of this data
for r e l i a b i l i t y a n a l y s e s , it is n e c e s s a r y to classify individual failure events
by (1) functional nnanife station of the f a i l u r e , i . e . , failure mode; (2) physical
manifestation or failure cause; and (3) effect of failure on s y s t e m p e r f o r m -
ance. The f i r s t two i t e m s a r e important because if we know how and why a
failure o c c u r r e d , we can l e a r n to prevent it. The third i t e m , failure effect,
allows the m o s t efficient use of failure analysis efforts to eliminate i m p o r -
tance failure c a u s e s a n d / o r failure m o d e s ,
1, F a i l u r e Modes - (The way in which a connponent fails) - To
generate a listing of all types of functional failures for e v e r y
possible connponent can lead to an a l m o s t e n d l e s s list of
1-7
failure m o d e s . However, a v e r y useful listing can be formulated
by considering failure modes to be c h a r a c t e r i z e d a s : (1) failure
to open; (2) failure to close; (3) failure to s t a r t ; (4) failure
to stop; (5) failure to continue operation; (6) spurious f a i l u r e ,
i . e , , p r e m a t u r e operation of a component when not called for;
(7) degradation; (8) e r r a t i c operations; (9) scheduled s e r v i c e ; and
(10) scheduled r e p l a c e m e n t .
These functional f a i l u r e s a r e classified as shown in F i g u r e 1, 13.
Applying a r e a s o n a b l e i n t e r p r e t a t i o n it can be shown that any
conceivable failure will involve one of these functional m a n i f e s -
tations. Being functional phenomena, these failure modes a r e
potentially detectable when they o c c u r . Also, they have physical
p r e c u r s o r s (causes) which can be identified; h e n c e , component
f a i l u r e s become always t h e o r e t i c a l l y predictable and p r e v e n t a b l e .
However, they a r e not predictable until the cause is p r e s e n t .
2, F a i l u r e Causes - (What made the component fail the way it did ) —
A g e n e r a l i z e d classification of failure c a u s e s is difficult, but
not because of the outward a p p e a r a n c e of m a n y c a u s e s ; r a t h e r ,
it r e s u l t s fronn the fact that, if pursued far enough, the root
cause of e v e r y failure involves hunnan action or inaction. T e n t a -
tively, h o w e v e r , it is believed that cause classifications should
be oriented to stages in a component's l i f e - - a u s e - o r i e n t e d
c l a s s i f i c a t i o n . This method of classification is considered u s e -
oriented because in a n a l y s i s of cause-effect r e l a t i o n s h i p s the
d e s i r e is to eliminate or counteract those c a u s e s giving r i s e to
undesirable effects. This goal can best be attained by identifying
that p a r t of a component's life wherein the c a u s e s of failure
m o s t frequently a r e g e n e r a t e d . P u t another way, it is d e s i r a b l e
to know if the cause r e s u l t e d from weak or i m p r o p e r design,
poor fabrication, or i m p r o p e r use in operation. On the b a s i s
of the preceding d i s c u s s i o n , three major c a u s a l c a t e g o r i e s a r e
defined. They a r e design, fabrication, and operation. Detailed
definition of these different c a t e g o r i e s is shown in F i g u r e 1. 14.
Design c a u s e s reflect those failure c a u s e s resulting f r o m i m p r o p e r
or incomplete recognition of actual use conditions and e n v i r o n -
m e n t s ; e . g . , no anticipation of high humidity or incomplete heat
t r a n s f e r a n a l y s i s . These c a u s e s may also r e s u l t f r o m lack of
or m i s d i r e c t e d developnnental testing which, in t u r n , allows
fabrication of weak components.
F a b r i c a t i o n c a u s e s a r e broken down into a b n o r m a l i t i e s in
component configuration and a b n o r m a l i t i e s in m a t e r i a l c o m -
position. Configuration a b n o r m a l i t i e s include the commonly
1-8
r e f e r r e d to failure c a u s e s resulting f r o m poor a s s e m b l y p r a c t i c e s .
Design and fabrication c a u s e s a r e m o r e likely to be found
in v e n d o r ' s data.
Operation c a u s e s , with few exceptions, a r e g e n e r a l l y unpredictable,
since the c a u s e s a r e e x t e r n a l to the component in question and lie
in the future u n l e s s the m i s u s e is chronic and has a l r e a d y r e s u l t e d
in w e a r or some other detectable degradation. Operation c a u s e s
probably should dominate m o s t of the in-plant f a i l u r e s .
3. F a i l u r e Effects - (What happened to systenn when component
failed the way it did) - Even when p e r f o r m a n c e levels a r e fairly
well e s t a b l i s h e d , evaluation of failure effects will r e q u i r e some
good engineering judgment. F o r e a s e of judgment, failure effects
have been classified with r e s p e c t to their i m p o r t a n c e to s y s t e m
p e r f o r m a n c e . They a r e specifically divided into (1) no loss of
p e r f o r m a n c e , (2) p a r t i a l loss of p e r f o r m a n c e , and (3) total loss
of p e r f o r m a n c e . Use of many m o r e levels of judgment has been
shown to lead to inconsistency in r e p e a t e d evaluation of m a r g i n a l
c a s e s . The effect classification code is shown in F i g u r e 1, 15,
The effect of failure events on r e a c t o r p e r f o r m a n c e is indicated
by the use classification code which e n c o m p a s s e s both failure and
nonfailure or use data.
Use Events - The r e c o m m e n d e d classification code for use events is
shown in F i g u r e 1, 16, This code provides a b a s i s for c h a r a c t e r i z i n g
or establishing the accunnulated use on pieces of equipment. This objective
is achieved by using changes in plant operating status and the o c c u r r e n c e
of s y s t e m t e s t s outside the n o r m a l schedule as i n d i c e s . The d e s i r e h e r e
is to r e l a t e each bit of reliability data to the plant status during the tinne
in which the data was developed. Thus, a failure event will include a
use classification which defines the plant status during the time that the
data was accunnulated. As indicated in F i g u r e 1. 16, the use codes a r e
defined in such a way that they can be r e a d i l y identified by operating or
reviewing p e r s o n n e l ,
DATA COLLECTION
P r e s e n t p r a c t i c e s in operating nuclear power plants include collection of

(1) use data as a p a r t of periodic m a n a g e m e n t r e p o r t s , (2) failure and
r e p a i r data as an adjunct to performing maintenance o p e r a t i o n s , and (3)
additional e x p e r i e n c e data in conjunction with special r e p o r t s and s t u d i e s .
After reviewing these existing data s o u r c e s , a r e c o m m e n d e d plan for data
collection has been formulated using the previously defined classification
system.
1-9
However, before outlining the reconnmended data collection p r a c t i c e s , it
is d e s i r a b l e to briefly review existing p r a c t i c e s in nuclear power plants
in the United States and in other nonnuclear and foreign nuclear a c t i v i t i e s .
Present Practices
U. S. Nuclear P o w e r P l a n t s - As indicated in Appendix A, it is c u s t o m a r y
for c o m m e r c i a l nuclear power plants in the U. S. to p r e p a r e periodic
m a n a g e m e n t r e p o r t s in which plant operations and outages a r e s u m m a r i z e d .
In m o s t c a s e s , these r e p o r t s provide adequate use data but little reliability
information. These r e p o r t s a r e derived fronn m o r e b a s i c r e c o r d s a c c u m u -
lated in the power plants for p u r p o s e s of guiding maintenance and providing
a h i s t o r i c a l r e c o r d of o p e r a t i o n s . The basic r e c o r d s include documents
such as the r e a c t o r log, control r o o m log, s u p e r v i s o r ' s log, and shift
f o r e m a n ' s log. None of these r e c o r d s p o s s e s s e s a f o r m a t which includes
consideration of r e l i a b i l i t y data generation, although they provide much of
the b a s i c input for r e l i a b i l i t y data.
P r o b a b l y the single g r e a t e s t source of failure data in c o m m e r c i a l power
plants is the documentation g e n e r a t e d to d i r e c t and control m a i n t e n a n c e .
These r e c o r d s m a y be called maintenance m e m o r a n d u m s , maintenance
r e q u e s t s , work i t e m c a r d s , or deficiency r e p o r t s . S e v e r a l e x a m p l e s
of the f o r m a t s for existing r e c o r d s a r e given in Appendix A along with
d e s c r i p t i o n s of the r e c o r d s and their r e s p e c t i v e routing p r o c e d u r e s .
Here again the f o r m a t s in use a r e not completely compatible to reliability
data development; however, it is believed that a collection m e c h a n i s m
for failure data useful in reliability a n a l y s i s can be developed from
existing maintenance r e c o r d s with v e r y little added effort.
Other F a c i l i t i e s - In the r e l i a b i l i t y data m a n a g e m e n t p r o g r a m s that have
been reviewed, data r e c o r d i n g has been accomplished by e i t h e r the check-
list or n a r r a t i v e approach. In the checklist approach, plant p e r s o n n e l
make an initial r e c o r d of all data by filling blanks with quantitative
data and checking boxes opposite applicable s t a t e m e n t s . N a r r a t i v e s t a t e -
m e n t s a r e n e c e s s a r y only to d e s c r i b e unusual events not evaluable within
the scope of available data r e q u i r e m e n t s . The data on these f o r m s a r e
t r a n s f e r r e d d i r e c t l y to punch c a r d s or other r e l i a b i l i t y evaluation f o r m s
which a r e used to derive s u m m a r y data such as failure r a t e s , r e p a i r
t i m e , r e p a i r c o s t s , and availability. This approach has the advantage
of eliminating or reducing to a m i n i m u m data t r a n s f e r r a l activities between
data collection groups (operating and maintenance staffs) and data analysis
and evaluation g r o u p s . On the other hand, it r e q u i r e s additional effort
and knowledge on the p a r t of the initial r e c o r d e r to fill out a fairly e l a b -
orate f o r m . An example of such a f o r m , r e c o m m e n d e d for use by the
M a r i t i m e A d m i n i s t r a t i o n , is shown in Appendix B, F i g u r e B . 3 . Of
c o u r s e , this f o r m was developed to provide m o r e data than r e q u i r e d
1-10
s t r i c t l y for r e l i a b i l i t y information. Another possible drawback to checklist
f o r m s is the r a t h e r formidable appearance they p r e s e n t to p e r s o n n e l whose
p r i m a r y m i s s i o n is to maintain and operate a plant in a safe and efficient
manner.
In the n a r r a t i v e approach, a m e m o r a n d u m type work r e q u e s t f o r m r e -
quiring a m i n i m a l amount of specific data is used as the p r i m a r y source
of failure and r e p a i r data. The f o r m is r e a s o n a b l y simple and does not
r e q u i r e f a m i l i a r i t y with a set of terminology peculiar to subsequent u s e s
of the raw data. The major disadvantage of this approach is that a
r e l i a b i l i t y engineer or a p e r s o n familiar with nuclear power plant s y s t e m s
and data a n a l y s i s m u s t t r a n s l a t e the raw information into r e l i a b i l i t y data
and t r a n s f e r the data to r e c o r d s or input f o r m s suitable for r e l i a b i l i t y
evaluation. Such an approach is c u r r e n t l y in use by the Ontario Hydro-
e l e c t r i c P o w e r C o m m i s s i o n (HEPC) at its Nuclear P o w e r D e m o n s t r a t i o n
(NPD) R e a c t o r . The basic r e c o r d used at the NPD r e a c t o r is a deficiency
r e p o r t (DR) f o r m . A sample of this f o r m is shown in Appendix B,
F i g u r e B, 18. The p r i m a r y use of the DR f o r m is to initiate and c o n t r o l
m a i n t e n a n c e . Its contents and method of handling a r e also scoped to
a s s u r e that periodic review by a reliability engineer (from the HEPC
c e n t r a l offices) can quickly identify all f a i l u r e s and r e p a i r s a s s o c i a t e d
with e a c h component in the s y s t e m s of i n t e r e s t . The DR review s y s t e m
is completely m a n u a l . E x p e r i e n c e with this s y s t e m is believed to show
that v i r t u a l l y all of the r e p o r t a b l e component f a i l u r e s a r e identified. It
also has been r e p o r t e d that the r e l i a b i l i t y engineer r e q u i r e s one to two
weeks per s y s t e m per year in reviewing and r e p o r t i n g on the accumulated
D R ' s . The use of a r e l i a b i l i t y engineer review is considered n e c e s s a r y
to p r o p e r l y evaluate the significance of the data.
Typical n a r r a t i v e type work r e q u e s t f o r m s , used in the U. S. power

r e a c t o r s , a r e shown in Appendix A, F i g u r e s A, 3, A, 4, and A. 10,
Comparing these e x a m p l e s with the Canadian deficiency r e p o r t f o r m s u g -
g e s t s that c u r r e n t work r e q u e s t s might be used as failure r e p o r t f o r m s
with little modification. S u c c e s s of such an approach in the accumulation
of failure data is contingent upon strong i n t e r e s t in implementation by
plant s u p e r v i s o r y p e r s o n n e l (as would be true of any r e c o r d i n g systenn),
and the provision of a p e r s o n knowledgeable in r e l i a b i l i t y data r e q u i r e -
m e n t s to t r a n s l a t e work r e q u e s t data into input for data collection and
evaluation.
Recommended P l a n
Based on the preceding d i s c u s s i o n s , a n a r r a t i v e type approach to data

collection is r e c o m m e n d e d . It is believed that this approach will provide
adequate information and at the s a m e time be m o s t compatible to use in
1-11
existing activities such as m a i n t e n a n c e , c o n t r o l , and documentation.
A plan w h e r e b y n e c e s s a r y data for r e l i a b i l i t y analysis can be collected is
shown s c h e m a t i c a l l y in F i g u r e 1,17. Because of the different degree of
data reduction p e r f o r m e d in operating plants and in manufacturing t e s t
f a c i l i t i e s , e n t i r e l y s e p a r a t e a p p r o a c h e s will be made in collecting
r e l i a b i l i t y data fronn each of these s o u r c e s .
I n - P l a n t Data - There a r e two s o u r c e s of in-plant data that a r e of p r i m a r y
i m p o r t a n c e for r e l i a b i l i t y a n a l y s i s . One is that g e n e r a t e d by the operating
group. It includes r e c o r d s of all use data for t e s t s and n o r m a l o p e r a t i o n s .
The second source is that r e s u l t i n g from failure events observed by the
operating group and subsequently c o r r e c t e d by the maintenance g r o u p .
These failure events a r e g e n e r a l l y r e c o r d e d on failure r e p o r t and m a i n -
tenance r e q u e s t (FR/MR) f o r m s . In e s s e n c e , use data a r e mainly con-
c e r n e d with length in t i m e , while failure events a r e r e l a t e d to point in
t i m e . The r e c o m m e n d e d plan for collection and c o r r e l a t i o n of these data
follows.
1. F a i l u r e Data - When a failure has been r e p o r t e d , some type
of p r e l i m i n a r y investigation b e c o m e s n e c e s s a r y to d e t e r m i n e
the basic failure cause and effect. Otherwise, only a s u p e r -
ficial d e s c r i p t i o n of a b n o r m a l symptoms will r e s u l t . Useful-
n e s s of raw data collected for reliability a n a l y s i s depends
l a r g e l y on the information r e q u i r e d of the i n v e s t i g a t o r .
Minimum information expected from the investigator for
r e l i a b i l i t y p u r p o s e s includes::
a. Component identification by name and s y s t e m to
which it b e l o n g s .
b. Component failure d e s c r i p t i o n including c a u s e ,
m o d e , effect on s y s t e m p e r f o r m a n c e and plant
operation, and time at which failure o c c u r r e d
or was d i s c o v e r e d .
c. Component r e p a i r d e s c r i p t i o n including whether
r e p a i r or r e p l a c e m e n t was m a d e , length of
time for r e p a i r , and time at which r e p a i r was
completed.
In F i g u r e 1. 18 a list is p r e s e n t e d for specific information r e -
quired of in-plant p e r s o n n e l for eventual use in r e l i a b i l i t y
analysis. Identification of the individual component is n e c e s -
s a r y in o r d e r to be able to calculate the length of time between
f a i l u r e s for specific components as well as for identical or
s i m i l a r components in s i m i l a r s e r v i c e . This is p a r t i c u l a r l y
1-12
i m p o r t a n t if it is d e s i r e d to p e r f o r m failure distribution a n a l y s e s .
Date and time of component failure and r e p a i r completion
provide b a s i c input to the calculation of failure r a t e s and, if
d e s i r e d , the evaluation of failure distribution assunnptions.
Total r e p a i r time is the total elapsed tinne f r o m the o c c u r r e n c e
of a failure event to the completion of r e p a i r including time in
which no active maintenance o c c u r s . If a failed component is
r e p l a c e d by another new or r e p a i r e d connponent, completion of
r e p a i r o c c u r s at the time installation of the new component is
connpleted. Repair time is needed to compute actual use time
and allows attainment of m a x i m u m effectiveness in r e l i a b i l i t y
evaluation techniques such as f a u l t - t r e e a n a l y s i s . An example
of a f a u l t - t r e e type of technique is given in Chapter 2.
Mode of failure allows apportionment of the o v e r a l l component
failure r a t e among v a r i o u s c r i t i c a l failure m o d e s . Mode and
cause of failure a r e also important in evaluating f a i l u r e s and
failure r a t e s . F o r an unusual type of failure or a failure
o c c u r r i n g at an unusually high r a t e , mode and cause data p r o -
vide a m e a n s for r e t r o s p e c t i v e review of failure data to p e r m i t
detection and c o r r e c t i o n of g r o s s deficiencies. Knowledge of
failure effect on s y s t e m perfornnance and plant operation is
n e c e s s a r y to link failure data to use data, i . e , , effect data
p r o v i d e s a nneans of identifying components put in operation or
shutdown by a failure event. Effect data also provides a
s o u r c e of information for use in c o r r o b o r a t i n g failure nnode and
effect assunnptions in s y s t e m r e l i a b i l i t y a n a l y s e s .
Description of r e p a i r is r e q u i r e d to the extent that it identifies
the extent of repair, and p a r t i c u l a r l y , whether failed i t e m s w e r e
r e p l a c e d by completely new or r e p a i r e d components, r e p a i r e d
in place with some p a r t r e p l a c e m e n t , or adjusted or c a l i b r a t e d
without any new p a r t s . Component r e p l a c e m e n t s m u s t be
identified in any a n a l y s i s of failure distribution functions,
e s p e c i a l l y when these replacennents reflect component w e a r o u t .
2, Use Data - Use data is defined as the time e l e m e n t or "use t i m e "
by which successful operation of the plant or a s y s t e m is m e a -
s u r e d . Individual e n t r i e s f r o m which use data can be derived
a r e r e c o r d e d chronologically in v a r i o u s log books; however, the
m o s t convenient s o u r c e s of this information a r e periodic
Operating and Outage S u m m a r y (O/OS) r e p o r t s used in conjunc-
tion with the failure data.
In any s y s t e m whose operation is continuous and d i r e c t l y
m e a s u r a b l e by length in t i m e , the use time can be m e a s u r e d
by one of the following time e l e m e n t s :
1-13
a. Calendar Time - e . g . , a radiation monitor which
o p e r a t e s continuously with no relation to plant
operation.
b. Plant Operating Time - e . g . , r e a c t o r operating
time a n d / o r t u r b i n e - g e n e r a t o r (T/G) operating
time.
There a r e s y s t e m s whose use t i m e s a r e not exactly the same
as those listed above but a r e p r o p o r t i o n a l to t h e m . F o r these
s y s t e m s , use time can be modified by a use fraction, K, and
computed as follows:
Use time - K x Calendar t i m e , or

K X Reactor operating t i m e , or
K X T/G operating t i m e .
Any component operation which is continuous in nature can be
m e a s u r e d by one of the above use t i m e s . In o r d e r to facilitate
the bookkeeping for v a r i o u s use t i m e s , the following r u l e s a r e
suggested:
Rule 1: Unless a s y s t e m failure is r e p o r t e d , the use
time of any systenn will c o r r e s p o n d to that of
the plant operation (reactor or T/G), a p p r o -
p r i a t e l y modified by a use fraction.
Rule 2: Unless a connponent failure is r e p o r t e d , the
use time of any component will c o r r e s p o n d to
that of the systenn to which it belongs.
This type of r e c o r d i n g p r a c t i c e , namely "data m a n a g e m e n t by
exception, " where only exceptions to n o r m a l operation a r e
r e c o r d e d a l r e a d y e x i s t s in p r e p a r i n g O/OS r e p o r t s . By
extending the s a m e technique, the paper work involved in
r e c o r d i n g use data can be simplified to initial identification
of use fractions for components or s y s t e m s in a plant. Subse-
quently, use for a component is computed by the product of
the use fraction and the a p p r o p r i a t e operating time l e s s c o m -
ponent down time r e c o r d e d in failure event data.
Use time for any test operation which is cyclic in nature and
not d i r e c t l y dependent on the length in time cannot be m e a s u r e d
by the calendar time or plant operating t i m e . Test i n t e r v a l s
of routine operational t e s t s r e q u i r e d by the technical specifica-
t i o n s * and operating p r o c e d u r e s will provide a useful guide in
*Code of F e d e r a l Regulations, Title 10, P a r t 50.
1-14
predicting the actual number of t e s t s p e r f o r m e d on any given
s y s t e m or component. In g e n e r a l , the number of successful
t e s t s of any component will c o r r e s p o n d to that of the systenn
to which it belongs; however, operational t e s t p r o c e d u r e s m u s t
be carefully studied to verify that individual components a r e
indeed operationally tested when testing the e n t i r e s y s t e m
operation. F o r e x a m p l e , when an e m e r g e n c y c o r e cooling
s y s t e m is p e r i o d i c a l l y tested during power operation, not all
components may be tested operationally with each t e s t .
Typical i n t e r v a l s for operational t e s t s a r e s u m m a r i z e d in the
technical specifications issued for a power plant, as shown in
F i g u r e 1.19, F r o m this listing, the following "use f r a c t i o n s "
can be obtained:
a. Number of t e s t s / c a l e n d a r t i m e .
b. Nunnber of t e s t s / r e a c t o r operating t i m e .
c. Number of t e s t s / T / G operating tinne.
By multiplying the a p p r o p r i a t e use fraction by the calendar
time or the a p p r o p r i a t e plant operating t i m e , the cyclic use of
protection s y s t e m components can be e s t i m a t e d .
In addition to connponents whose use t i m e s can be defined as
above, t h e r e a r e some components which a r e a l s o operated
with e a c h r e a c t o r s t a r t u p and shutdown; e , g . , r e a c t o r p r o -
tection c i r c u i t s . F o r components in this category, it b e c o m e s
n e c e s s a r y to identify all plant s t a r t u p s and shutdowns, including
r e a c t o r s c r a m s , and to include these o c c u r r e n c e s as p a r t of the
overall use.
Data Recording and Reporting - In-plant data r e c o r d i n g and r e p o r t i n g will
be accomplished in a t w o - s t e p approach. The f i r s t step will be p e r f o r m e d
by operating and maintenance p e r s o n n e l using F R / M R f o r m s to r e c o r d all
failure and r e p a i r data, and b y periodic O/OS r e p o r t s to r e c o r d all use
data. This data r e c o r d i n g activity a l r e a d y e x i s t s in nuclear power plants
and can be upgraded to a level suitable for use in reliability evaluation
by minor nnodification of the existing fornns and r e p o r t s , and provision
of simple p r o c e d u r e s to a s s u r e that all pertinent data a r e r e c o r d e d on
them. Of c o u r s e , any changes in these f o r m s should not d e t r a c t from
their original p u r p o s e s .
Much of the failure and r e p a i r information is a l r e a d y available in existing
F R / M R fornns. In o r d e r to a s c e r t a i n what additional information will be
r e q u i r e d fronn operating p e r s o n n e l , the r e q u i r e d information, shown in
F i g u r e 1. 18, has been c o m p a r e d with the information asked for on some
1-15
of the existing work o r d e r f o r m a t s in Appendix A, F i g u r e s A, 3, A, 4,
and A, 10, and in Appendix B, F i g u r e B, 18. This c o m p a r i s o n is
shown in F i g u r e 1, 20.
Based on the c o m p a r i s o n given by F i g u r e 1.20, a suggested F R / M R
format with n e c e s s a r y reliability information is shown in F i g u r e 1. 2 1 .
Although the suggested format differs in some r e s p e c t s from any in
c u r r e n t u s e , these differences a r e s m a l l . In m o s t c a s e s existing f o r m s
could be adapted e a s i l y to the r e l i a b i l i t y oriented format by use of a
rubber stamp f o r m on the front or back of the existing f o r m . An
example of such a modification is given in F i g u r e 1, 22.
The next step in in-plant data collection r e q u i r e s periodic t r a n s l a t i o n and
t r a n s f e r r a l of raw data generated by the operating p e r s o n n e l to data f o r m s
suitable for data handling, indexing, storing, and r e t r i e v i n g with the
possible use of computerized data handling s y s t e m s . This step r e q u i r e s
an engineer or technician familiar with both the subject plant s y s t e m s
and the r e l i a b i l i t y data classification r e q u i r e m e n t s .
The use data r e p o r t e d in O/OS r e p o r t s and failure data r e p o r t e d on F R / M R
fornns would be codified onto an 80-column loadsheet using a p p r o p r i a t e
field allocations as shown in an example in Appendix C, F i g u r e C, 3.
These data inputs may be d e s c r i b e d as follows:
1. Date of Report - Date will be r e p o r t e d as Day (01 to 31),
Month (01 to 12), and the last two digits of the calendar y e a r ,
2. Data Source - Identification number of the data s o u r c e , i , e , ,
plant I, D,
3. S y s t e m Code - Refer to the classification of functional s y s t e m s .
4. Component I, D, Number - Plant assigned I, D. No. of the
failed component. Generic component identification is provided
during data reduction,
5. New component I, D. Number - Enter only when r e p a i r is
accomplished by r e p l a c e m e n t with a new connponent of different
design,
6. New Component M a n u f a c t u r e r ' s Code - E n t e r only when r e p a i r
is accomplished by r e p l a c e m e n t with a new component f r o m a
different m a n u f a c t u r e r .
7. Time of Event - Time of the day when event o c c u r r e d in Hours
(00 to 24) and Minutes (00 to 60). If information on time is not
available, 0800 will be used. This is used to identify multiple
f a i l u r e s or s t a r t u p s and shutdowns within the same day.
8. Total Repair Time - E n t e r to the n e a r e s t hour.
1-16
9. Date of R e c o v e r y - Date will be r e p o r t e d in the same m a n n e r
as for date of r e p o r t i n g in i t e m (1),
10. F a i l u r e Mode - Refer to failure classification. F i g u r e 1,13.
11. F a i l u r e Cause - Refer to failure classification. F i g u r e 1.14.
12. F a i l u r e Effect - Refer to failure classification. F i g u r e 1.15.
13. Use - Refer to use classification. F i g u r e 1.16.
14. Description of Event - Enter in 20 l e t t e r s or l e s s , and in case
of failure event it should identify the failed p a r t s and indicate
whether they were r e p l a c e d , r e p a i r e d , adjusted, or c a l i b r a t e d .
Two b a s i c a l l y different line e n t r i e s a r e made in the input loadsheet to
a s s u r e p r o p e r c o r r e l a t i o n of use and failure data in generating failure
r a t e s and r e p a i r data. They a r e (1) e n t r i e s which define the beginning of
plant s t a r t u p s , and scheduled shutdowns; and (2) e n t r i e s which define e a c h
failure event.
Using these line e n t r i e s , including the failure effect and u s e c o d e s , the
operational h i s t o r y of e a c h component can be reproduced either by hand
calculation or a computer p r o g r a m . The proposed method of data r e d u c -
tion is explained in a subsequent section, and salient points in loadsheet
p r e p a r a t i o n a r e d e m o n s t r a t e d in Appendix C, with the use of a hypothetical
systenn consisting of s e v e r a l components operating continuously, as well
as cyclically.
Vendor Data - Qualification t e s t s , production t e s t s , and other t e s t s a r e
routinely conducted by v a r i o u s equipment v e n d o r s ; and the r e p o r t s
s u m m a r i z i n g these t e s t s r e p r e s e n t an additional s o u r c e of r e l i a b i l i t y
data. Consideration is given h e r e to the r e q u i r e m e n t s for collection of
reliability data fronn equipment vendors in a f o r m compatible with that f r o m
in-plant s o u r c e s . The objective is to allow eventual accumulation of all
these data into one data bank.
To a s s u r e collection of vendor data in a f o r m consistent with the in-plant
data, the v e n d o r ' s r e l i a b i l i t y input data format shown in F i g u r e 1.23 is
r e c o m m e n d e d for use in the r e l i a b i l i t y data p r o g r a m . In this f o r m a t
component identification can be made by model number or p a r t number;
but in any case it should also be identified by the g e n e r i c code previously
developed for in-plant data. The t e s t condition e n t r y called out in i t e m 5
of F i g u r e 1.23 m a y be divided into the following c a t e g o r i e s .
T e s t Condition Description
Life Test Component operating in l o n g - t e r m t e s t .
Proof Test Connponent operating in s h o r t - t e r m
t e s t , e . g . , production t e s t , quali-
fication t e s t , e t c .
S t a r t - u p Test Component operating in-plant s t a r t u p .
1-17
Items 6, 7, 8, and 9 a r e the basic s t a t i s t i c a l data n e c e s s a r y in evaluating
failure r a t e . If known, the confidence level and a s s u m e d failure d i s t r i -
bution should be noted as indicated in i t e m 9. Functional modes of failure
a r e the same as those defined for in-plant data. Another important data
e n t r y in r e p o r t i n g component failure rate is the derating f a c t o r . Headings
a r e given in i t e m 11 for the m o r e commonly used derating p a r a m e t e r s .
Other e n v i r o n m e n t a l s t r e s s factors should be noted in i t e m 12, if known.
Finally, to avoid submission of the same data f r o m different s o u r c e s , it
is n e c e s s a r y to r e f e r e n c e the t e s t document f r o m which the test data were
derived.
It should be noted that the f o r m a t in F i g u r e 1.23 suggests the n e c e s s a r y
data from vendor s o u r c e s . If existing vendor r e p o r t s include the informa-
tion indicated in F i g u r e 1.23 then these r e p o r t s m a y be used as the f i r s t
level input to the g e n e r a l i z e d data collection f o r m . Reduction of both
in-plant and vendor data is discussed in the following section.
Data Reduction - Reliability data collected f r o m in-plant s o u r c e s and
equipnnent vendors should be compiled in a m a n n e r that allows e a s y r e -
t r i e v a l and updating of all data. The f o r m a t s i l l u s t r a t e d in Appendix C
a r e considered to satisfy this need. The output provided in this r e c o m -
mended f o r m a t will yield the following information for r e l i a b i l i t y a n a l y s i s :
1. F a i l u r e r a t e s by a single component.
2. F a i l u r e r a t e s by components of the same g e n e r i c code.
3. F a i l u r e r a t e s by failure mode for each connponent.
4. Mean r e p a i r t i m e .
5. Standard deviation of failure r a t e s or m e a n time between
failure.
6. Standard deviation of nnean r e p a i r t i m e .
7. Time between failure of a single component which will enable
detailed examination of failure distribution functions with
accumulation of sufficient failure e v e n t s .
As suggested in Appendix C, F i g u r e s C , 4 , C, 5, and C , 6 , the f o r m a t s can
be a r r a n g e d as computer output s h e e t s . These f o r m a t s also can be
r e a d i l y converted to calculation f o r m s suitable for m a n u a l computation.
The r e c o m m e n d e d f o r m a t s a r e as follows:
Type 1 Output Data Sheet - Listing of Component F a i l u r e s
Column 1 Date of Report - Date of r e p o r t will be r e p o r t e d in

the same m a n n e r as in the input l o a d s h e e t .
1-18
Column 2 Component I. D, No. - P l a n t or m a n u f a c t u r e r ' s
I. D, No. for component, e . g . , see Appendix C,
F i g u r e C. 3.
Column 3 Manvifacturer's Code - A unique t h r e e - d i g i t code
number assigned to the nnanufacturer of the
equipment i t e m on which data is to be given.
Column 4 F a i l u r e Mode - Same as shown on the input
loadsheet (see Appendix C, F i g u r e C. 3),
Column 5 Hours or Cycles - To distinguish the unit of use
a s s o c i a t e d with the operation of the component.
Column 6 Time to F a i l u r e in Million Hours or Cycles - Time
f r o m the initial use until the failure of a single
component or the time since the last failure of
the component.
Column 7 Accumulated Time in Million Hours or Cycles -
The s u m of T i m e s to F a i l u r e in Million Hours
or Cycles from the initial operation to the end
of reporting period for a specific component.
Column 8 Repair Time - Same as the input loadsheet (see
Appendix C, F i g u r e C , 3 ) ,
Column 9 Description of Repair - Same as the input load-
sheet (see Appendix C, F i g u r e C, 3),
Type 2 Output Data Sheet - S u m m a r y of F a i l u r e Rate Data
Column 1 Component I, D. No, - Plant or m a n u f a c t u r e r ' s

I, D, No. for component on which data is being
given (see Column 2 of Type 1 Output Data Sheet),
Column 2 No, of Components - Number of components
identified with the component I. D. No. given in
Column 1.
Column 3 F a i l u r e Mode - Same as Column 4 on Type 1
Output Data Sheet.
Column 4 No. of F a i l u r e s - Number of component f a i l u r e s
identified on each component and for all compon-
ents of a g e n e r i c type from initial operation to
end of r e p o r t i n g period.
Colunnn 5 Hours or Cycles Same as Column 5 on Type 1
Output Data Sheet.
1-19
Column 6 Accumulated Time in Million Hours or Cycles -
The sunn of T i m e s to F a i l u r e in Million Hours or
Cycles from initial operation to the end of r e p o r t -
ing p e r i o d .
Column 7 F a i l u r e s per Million Hours or Cycles - This is the
quotient of No. of F a i l u r e s divided by Accumulated
Time in Million Hours or C y c l e s . The use of failure
r a t e s i m p l i e s assumption that the observed f a i l u r e s
r e l a t e to the chance or exponential failure distribution.
With this assumption, the failure r a t e for nonfailed
components m a y be r e p o r t e d as the i n v e r s e of
Accumulated Time with 63 p e r c e n t confidence. F a i l u r e
r a t e s , hence r e l i a b i l i t i e s , for both failed and non-
failed components m a y be e s t i m a t e d at other confidence
levels using the methods outlined in Appendix H or
s t a t i s t i c a l c h a r t s such as provided in Appendix 4 of
HN-185.*
In v e n d o r ' s input data, failure r a t e s m a y b e provided
with either the number of f a i l u r e s and accumulated
time or the e s t i m a t e d confidence level. The f i r s t
f o r m is the m o r e d e s i r a b l e since it is b e t t e r suited
to e s t i m a t i n g failure r a t e s at other confidence l e v e l s .
Another variation which m a y occur in r e p o r t i n g
failure r a t e s is the use of different u n i t s . F o r
convenience, a conversion table is provided in
F i g u r e 1. 24 to allow conversion to the suggested
units of f a i l u r e s per million h o u r s or c y c l e s .
Column 8 F a i l u r e Rate Standard Deviation - Standard deviation
of the failure rate for g e n e r i c a l l y s i m i l a r c o m p o n e n t s .
This number m a y be calculated when the number of
components is equal to or g r e a t e r than t h r e e .
Standard Deviati on = V S (x - x) hr
N
where x = Mean time between s u c c e s s i v e

f a i l u r e s for a specific component
in h o u r s or c y c l e s ,
* G a r r i c k , B . J . , Gekler, W. C,,and P o m r e h n , H. P . , "An Analysis

of Nuclear F o w e r P l a n t Operating and Safety E x p e r i e n c e , " HN-185
December 15, 1966.
1-20
X = Average mean time between f a i l u r e s for
all g e n e r i c a l l y s i m i l a r components in
h o u r s or c y c l e s , and
N No. of c o m p o n e n t s .
Note that a sinnilar t e s t can be applied to m e a n t i m e s

between failure for a single component when m o r e than
t h r e e f a i l u r e s have o c c u r r e d .
Colunnn 9 Accumulated Repair Time - The sum of all R e p a i r

Time from the beginning to the r e p o r t i n g d a t e .
Column 10 Mean Repair Time - The quotient of Accumulated

Repair Time divided by No. of F a i l u r e s or r e p a i r s .
Column 11 Repair Time Standard Deviation - Standard deviation

m a y be calculated when No. of R e p a i r s is equal to or
g r e a t e r than t h r e e .
Standard Deviation - S(r - F ) ^ , hr

N
where r - Repair time for individual failure

in h o u r s .
Mean r e p a i r time in h o u r s , and
N No. of f a i l u r e s
Many of the i t e m s noted above a r e d i r e c t inputs f r o m the input loadsheet.

However, it should be noted that Type 1 Output Data Sheet has line e n t r i e s
for failed components only while the Type 2 Output Data Sheet tabulates
all components whether they failed or not during a p a r t i c u l a r r e p o r t i n g
period.
To bridge the gap and provide information on successful (nonfailed) c o m -

p o n e n t s , the principle of "data m a n a g e m e n t by exception" nnentioned e a r l i e r
under the heading of Use Data m u s t be u s e d . P r o p e r i n t e r p r e t a t i o n of this
principle for data reduction computations m a y be accomplished by use of
the following r u l e s :
Rule 1: If no component failure is r e p o r t e d in the input load-

s h e e t , the use time of any components will c o r r e s p o n d
1-21
to that of the plant operation, modified by the
a p p r o p r i a t e use fraction.
Rule 2: If a component failure accompanied by no loss in

s y s t e m p e r f o r m a n c e i s r e p o r t e d , the use time of
other components in the s a m e s y s t e m will c o r -
respond to that of the s y s t e m to which they belong
in the s a m e c a l e n d a r p e r i o d .
Rule 3: If a component failure accompanied by s y s t e m

loss is r e p o r t e d , the use time of other compon-
ents in the s a m e s y s t e m will be d e c r e a s e d by the
r e p a i r time identified for the failed component.
The key to use of the foregoing r u l e s is p r o p e r identification of the failed

connponent and the effect and use codes e n t e r e d in the input loadsheet. One
should be fanniliar enough with the s y s t e m s operation or the c o m p u t e r s u b -
routine should be w r i t t e n so that the status of all nonfailed components in
the s a m e s y s t e m can be identified with the component failure in the systenn,
or in c a s e of no f a i l u r e s all components within the s a m e s y s t e m can be
identified. Specific e x a m p l e s of these m a t h e m a t i c a l operations a r e given
in Appendix C,
1-22
Data Management Information
P r o g r a m Objective Available Minimal Proposed
System/Component By Name By Generic By Generic Code

Classification Description
Component F a i l u r e No. of F a i l u r e s No. of F a i l u r e s No. of F a i l u r e s

Rate Total Operating Total Operating Total Operating
Time Time Time
F a i l u r e Distribution None Identification of Length of Time

Function Wearout or Chance or No. of Cycles
Failures to F a i l u r e
F a i l u r e Mode and Safet^^ Analysis Final Safety F a i l u r e Mode,

Effect Analysis Reports Analysis Report; Cause and Effect
Complete D e s c r i p - Analyses
tions of S y s t e m s ,
System Functions
and Operating and
Testing P r o c e d u r e s
R e p a i r Data R e p a i r Description R e p a i r Description Repair Description

Repair Time Repair Time
FIGURE 1. 1
COMPARISON OF DATA MANAGEMENT INFORMATION
Use Data
I n - P l a n t Data
F a i l u r e Data
Data
Vendor's Data
Collection
J D a t a Reduction
and Reporting
Data
Management Nuclear P o w e r P l a n t
System
Systems
Functional System
Classification
Component
Data
Classification
^ Use Event Mode

J
Event
Classification
Failure Event Cause
Effect
FIGURE 1, 2
PROPOSED DATA MANAGEMENT SYSTEM
1-24
Classification Organization Purpose
UKAEA United Kingdom Atomic 1 F a u l t and incidence r e p o r t .

Energy Authority 2 Safety a s s e s s m e n t .
3 F a i l u r e r a t e data.
PM-1 U. S. A i r F o r c e 1 P l a n t p e r f o r m a n c e and e c o n o m i c s r e p o r t .
2 Safety a s s e s s m e n t .
3 Availability report.
4 F a i l u r e rate data.
NPD Nuclear Power Demonstration, 1 Safety a s s e s s m e n t .

Ontario Hydro-Electric Power 2 F a i l u r e rate data.
Connnnission 3 Scheduling.
4 Cost Accounting.
MA RAD Maritime Administration, 1 F a i l u r e r a t e data.

D e p a r t m e n t of C o m m e r c e 2 Maintenance cost minimization.
3 Inspection frequency optinnization.
EEI Edison E l e c t r i c Institute 1 Outage data.

2 Equipment availability report.
IDEP-FARADA Interservice Data Exchange 1 F a i l u r e r a t e data.

P r o g r a m and F a i l u r e Rate Data 2 Part/component test data.
P r o g r a m , DOD and NASA
AEC Uniform U. S. A t o m i c E n e r g y C o m m i s s i o n 1 Cost accounting.

S y s t e m of 2 Cost estimating.
Accounts
FIGURE 1.3
LIST O F EXISTING CLASSIFICATIONS

SYSTEM CODE COMPONENT CODE FAULT CODE USE CODE
CLASSIFICATION
Level 1 Digit Level Digit Group Digit Group Digit
r
UKAEA 8 8 6 6 3 2,4,&5 2 2
PM-1 1 3 1 5 2 2 2 2
NPD 3 3 2 2 2 (2) 1 (2)
MARAD 3 3 4 8 4 (3) 1 (3)
EEI 1 1 1 3 (1)
IDEP/FARADA 7 9 (4)
AEC Uniform
S y s t e m of Accounts 6 6 (5)
Proposed System 6 6 7 9 3 1 1 1
Notes
(1) Fault identified with component.

(2) Yes or No only.
(3) Checklist f o r m .
(4) Number of fault groups v a r i e s with connponents.
(5) Component identified only to extent n e c e s s a r y for cost accounting,
FIGURE 1.4
NUMBERS OF LEVELS. GROUPS, AND DIGITS OF EXISTING
AND PROPOSED CLASSIFICATION CODES
PROPOSED
0 2 0 6 / 2 1 4 1 0 / 2 0 2 5 6 5 4 5 2 / M 0 V 8 5 1 A
San Onofre Unit #1
Reactor Plant
Reactor
Reactor Auxiliary Cooling and Heating Systems
Safety Injection System
Valve
S e r v i c e , water
M a t e r i a l , stainless steel
Size, over 12 inches
Type, gate
Function, shutoff
Operation, nnotor
Multiple component number
UKAEA
3 1 / 1 5 1 3 5 3 0 0 / 3 2 3 2 1 0 / None
Calder Hall 1
Reactor
Heat exchange c i r c u i t
Prinnary
Air/gas system
Vacuum pump
Valve
Mechanical
Liquid s y s t e m
Valves
Control valve
Automatic
WESTINGHOUSE
P M I / P I A / R Y A / 3 6
Air F o r c e Sundance Reactor
Annunciator and t e m p e r a t u r e scan s y s t e m s
Relay a l a r m
Location number
CANADIAN
None / 7 1 2 / 2 0 / None
NPD
Common p r o c e s s e s and s e r v i c e s
Water supply s y s t e m
Circulating water s y s t e m
Pumps
MARAD
2 6 4 7 0 4 / P B B / 0 Q 1 D 0 2 / 0 1
S. S. P r e s i d e n t Arthur
Power and propulsion system
Steam subsystem
Steam Supply Unit
Boiler
Bent tube type
Steam drum
Starboard
FARADA / IDEP-II CODES
None / None / 9 2 5 2 0 7 5 8 9 / None

Valves
F u e l , exotic
P r e s s u r e , 200 psig
Function, shutoff
Type, globe
Activation, solenoid
FIGURE 1.5
COMPARISON OF PLANT/SYSTEM/COMPONENT CLASSIFICATION/

M U L T I P L E COMPONENT IDENTIFICATION NUMBERS
1-27
San Onofre Nuclear Generating Station
0206
Lands & Structures & R e a c t o r Plant Turbo-generator Electrical Plant Plant

Land Rights Improvements (energy source) (energy conversion) (electrical energy) Services
0 1 2 3 4 5
21 Reactor
I
22 Heat Transfer
CSJ
00
23 F u e l Handling
24 Not Used
25 Radioactive Waste T r e a t m e n t and Disposal
26 Instrumentation and Control
27 F e e d w a t e r Supply and T r e a t m e n t
28 Steam, Condensate, F e e d w a t e r Piping
29 Other Reactor Plant Equipment
FIGURE 1. 6
NUCLEAR POWER PLANT CLASSIFICATION
20 Reactor Plant
21 Reactor Equipment
21, 1 Reactor V e s s e l
21. 11 V e s s e l Supports
21, 12 Vessel
21, 13 V e s s e l I n t e r n a l s , Removable (excluding full
m o d e r a t o r , reflector and reactivity control
components)
21.2 R e a c t o r Controls
21.21 Control Rods
2 1 . 22 Housing
21,23 Drive Mechanisms or Systems
21. 24 Supplementary Control Systems
21.25 Neutron Source
21.3 Reactor Shielding
21.31 T h e r m a l Shield
21.32 Biological Shield
21, 33 Blast Shield
21. 34 Shield Cooling System
21.4 R e a c t o r Auxiliary Cooling and Heating System
21.41 Safety Injection System
21.42 E m e r g e n c y Shutdown Cooling System
21.43 Decay Heat Removal System
21.44 Component Cooling Systenn
21.45 P r e h e a t i n g Systems
21.46 Post-Incident Cooling System
21.47 P r e s s u r e Suppression System
21. 5 Reactor Plant Containers (in the form of tanks
installed within a building)
21. 51 Containers (including supports)
21. 52 F l o o r s and B a r r i e r s
21,53 Drain Systems
21. 54 Ventilation and Cooling System
21. 6 M o d e r a t o r and Reflector
21.7 Reactor Plant C r a n e s and Hoists (not fuel handling)
21.9 Reactor Containment
21.91 Foundation M a t e r i a l
21. 92 Bearing P i l e s and Caissons
21. 93 S u b s t r u c t u r e Concrete
FIGURE 1. 7
REACTOR PLANT CLASSIFICATION SYSTEM
1-29
2 1 . 94 Superstructure
2 1 . 95 L i g h t i n g and E l e c t r i c a l S y s t e m
2 1 , 96 P l u m b i n g and D r a i n a g e
2 1 , 97 T e m p e r a t u r e C o n t r o l S y s t e m ( h e a t i n g and c o o l i n g )
2 1 , 98 Purge System
21.99 Fire Protection
22 Heat T r a n s f e r Systems
22, 1 R e a c t o r Coolant S y s t e m
22, 2 Interinediate Cooling System
22, 23 I n t e r m e d i a t e H e a t E x c h a n g e r and S u p p o r t s
22, 3 Steam Generators, Superheaters, Steam Drums,
and Steann S e p a r a t o r s
22,31 S t e a m G e n e r a t o r s and S u p p o r t s
22, 32 Superheaters
2 2 . 33 S t e a m D r u m s and I n t e r n a l s
2 2 . 34 Steam Separators
2 2 . 35 Reheaters
22.4 R e a c t o r C o o l a n t R e c e i v i n g , S u p p l y and T r e a t m e n t
(and i n t e r m e d i a t e , if any)
22.41 C h a r g e , V o l u m e C o n t r o l , P r e s s u r i s i n g and
Relief System
2 2 , 42 Purification System
22.43 C h e m i c a l T r e a t m e n t , B l o w d o w n and S a m p l i n g
Systems
22.44 C o o l a n t R e c e i v i n g , S t o r a g e and M a k e u p
22.45 I n e r t Gas S u p p l y and B l a n k e t i n g S y s t e m
22. 5 Reactor Moderator Auxiliary Systems
2 2 . 51 Gas S y s t e m s , Supply and C i r c u l a t i o n
22, 52 C o o l i n g and P u r i f i c a t i o n S y s t e m for Gas and L i q u i d s
22. 7 C o n v e n t i o n a l F o s s i l F u e l F i r e d S u p e r h e a t e r s or
Boilers
22.71 S u p e r h e a t e r s or B o i l e r s
2 2 . 72 Firing Equipment
2 2 . 73 Coolant S y s t e m s
2 2 . 74 F u e l H a n d l i n g and S t o r a g e E q u i p m e n t
2 2 . 75 Blowdown Equipment
2 2 . 76 A s h H a n d l i n g and S t o r a g e
23 N u c l e a r F u e l H a n d l i n g and S t o r a g e E q u i p m e n t
23. 1 C r a n e s and H o i s t i n g E q u i p m e n t (fuel h a n d l i n g )
23. 2 S p e c i a l T o o l s and S e r v i c e E q u i p m e n t
2 3 , 21 Reactor Vessel Servicing Equipment
23.22 F u e l R e m o v a l , A s s e m b l y and D i s a s s e m b l y
Equipment
F I G U R E 1. 7 ( c o n t . )
1-30
23. 23 Control Rod Handling
23.24 Television, Other Viewing and Special Lighting
23. 2 5 Containers and Racks
23. 3 Spent F u e l Storage, Cooling, Cleaning and Inspection
Equipment
23.31 Spent F u e l Cooling and Cleaning
23.32 Spent Fuel Washing (organic coolant)
23.33 Spent F u e l Washing (sodium coolant)
23.34 Inspection Equipment
23,4 Shipping Casks and C a r s
25 Radioactive Waste T r e a t m e n t and Disposal

2 5, 1 Liquid Waste
25. 11 Aqueous
25, 12 Organic
25,2 Gaseous Waste
25, 3 Solid Wastes
25,4 Drain and Vent System, R e a c t o r Coolant
25. 5 Drain and Vent System, I n t e r m e d i a t e Coolant
26 I n s t r u m e n t a t i o n and Control
26. 1 R e a c t o r Plant Control System
26, 11 Reactor
26, 12 Reactor Shield
26, 13 R e a c t o r Auxiliary Systems
26, 14 Vapor Containers
26, 2 Heat T r a n s f e r System
26.21 R e a c t o r Coolant System
26, 22 I n t e r m e d i a t e Coolant System
26, 23 Steam G e n e r a t o r s and S u p e r h e a t e r s
26, 24 Coolant Supply and T r e a t m e n t
26, 25 Coolant Receiving and Storage
26, 3 S e r v i c e to F u e l Handling and Storage
26. 31 Spent F u e l Storage Cooling System
26. 32 F u e l Wash System
26.4 S e r v i c e to Radioactive Waste T r e a t m e n t
and Disposal
26.41 Liquid Waste
26.42 Gaseous Waste
26.43 Solid Waste
26. 5 Radiation Monitoring
26. 51 Process
FIGURE 1. 7 (cont. )
1-31
52 Health Physics
53 Off-site Environs
6 Steann G e n e r a t o r
F e e d w a t e r Supply and T r e a t m e n t S y s t e m
1 Raw W a t e r Supply
2 Make-Up Water Treatment
3 Steam Generator Feedwater Purification
4 Feedwater Heaters
Other Reactor Plant Equipment

1 C h e m i c a l Decontannination System
2 Reactor Plant Maintenance Equipment
21 Rennotely C o n t r o l l e d Tools
22 Radioactive Maintenance Facilities
23 P o r t a b l e Shielding
F I G U R E 1.7 (cont. )
1-32
21.4 R e a c t o r Auxiliary Cooling and Heating S y s t e m s
21.41 Safety injection s y s t e m

21.42 E m e r g e n c y shutdown cooling s y s t e m
21.43 Decay heat r e m o v a l s y s t e m
21.44 Component cooling s y s t e m
21.45 (not used)
21.46 P o s t incident cooling s y s t e m
21. 47 P r e s s u r e suppression system
21,42 E m e r g e n c y Shutdown Cooling Systenn
21.421 Turbine s t e a m bypass s y s t e m

21.422 E m e r g e n c y condenser s y s t e m
21.423 E m e r g e n c y feedwater s y s t e m
21.424 S t e a m dump s y s t e m
FIGURE 1. 8
REACTOR AUXILIARY COOLING AND HEATING SYSTEM AND
EMERGENCY SHUTDOWN COOLING SYSTEM CLASSIFICATION
1-33
200 Piping
201 P i p e s and Fittings
201. 00^ Service and M a t e r i a l (common)
202 Valves
202. 0£ S e r v i c e and M a t e r i a l (comnaon)
202. 00. 0£ Size (common) and Type
.01 Ball
,02 Butterfly
.03 F l a p p e r
.04 Gate
.05 Globe
.06 Needle
.07 Plug
.08 Poppet
202,00.00,00 Function
.10 Check
, 20 Multifunction
, 30 Relief
,40 Servo
.50 Shutoff
. 60 3-Way Selector
. 70 4-Way Selector
202, 00. 00. 0£ Operation
. 01 Manual
. 02 Motor
, 03 P i l o t (remote manual)
, 04 Pressure
, 05 Solenoid
203 F i l t e r s and S t r a i n e r s (nonelectrical)
203.00 Service (common) and F i l t e r i n g M a t e r i a l
, 01 Cloth
.02 Ceramic
.03 Earth
.04 Fiberglas
.05 Paper
,06 Resin
.07 Sintered Metal
.08 Spaced P l a t e s
.09 Wire Mesh
FIGURE 1. 9
PARTIAL LIST OF COMMON COMPONENT CLASSIFICATION
1-34
203.00.00 P r e s s u r e (common)
203.00.00.00^ Operation
. 01 Chemical
. 02 Centrifugal
. 03 Electrostatic
. 04 Gravitational
^^^ _ .05 Mechanical
220 Pump
221 P u m p
221. 00 S e r v i c e and M a t e r i a l (common)
221. 00. £0 Capacity
. 10 Under 10 GPM
.20 10 up to 100 GPM
.30 100 up to 1000 GPM
.40 Over 1000 GPM
221.00.00 Type
. 01 Axial
. 02 Centrifugal
. 03 Diaphragm
. 04 Electromagnetic
.05 Gear
. 06 Reciprocating
.07 Rotary
240 Heat E x c h a n g e r s
240. 0£ S e r v i c e and M a t e r i a l , p r i m a r y side (common)
240.00.0£ Service and M a t e r i a l , secondary side (common)
240. 00. 00. £0 P r e s s u r e (common)
400 Tanks
400. 0£ S e r v i c e and M a t e r i a l (connmon)
400. 00.£0 Capacity
.10 Under 1 gallon
.20 1 up to 10 gallons
.30 10 up to 100 gallons
. 4 0 100 up to 1000 gallons
.50 Over 1000 gallons
400. 00. 0£ Type
. 01 Drain
. 02 Holdup
. 03 Relief
.04 Storage
. 05 Sump
.06 Surge
. 07 Waste
400. 00. 00.£0 P r e s s u r e (common)
FIGURE 1. 9 (continued)
1-35
500 I n d u s t r i a l Instrixment
500. 00 S e r v i c e , Media M e a s u r e d (common)
5 0 0 , 0 0 . £ £ Type
, 10 Controller
, 20 Indicator
. 30 M e t e r
. 40 Switch
. 50 Testing
. 60 T r a n s m i t t e r
5 0 0 . 0 0 , 0 0 . £ £ Readout
.. 10 Audio
. 20 Dial
. 30 Digital
. 40 Plotting
. 50 Recording
, 60 Video
800 N u c l e a r Equipment
801 Flux Detector
801.00 Type
.01 Ion C h a m b e r
.02 Fission Chamber
,03 BF3 Counter
.04 G-M Tube
.05 Scintillator
.06 Seini -Conductor
.07 Detector Lead
802 Preamplifier
803 Amplifier
803.£0 Type
.01 Linear
. 02 Log
. 03 Magnetic
. 04 Pulse
. 05 Period
. 06 Bistable
804 P o w e r Supply
804. 00 Service
. 10 Low Voltage
. 20 High Voltage
804. 0 0 , 0 £ Voltage Rating (common)
FIGURE 1.9 (continued)

1-36
S e r v i c e , Media Handled P r e s s u r e Range
1 Air 1 Vacuum
2 Gas 2 Ambient
3 Hydraulic 3 0 up to 100 psig
4 Liquid Metal 4 100 up to 1000 psig
5 Water 5 Over 1000 psig
6 Heavy Water
S e r v i c e , Media M e a s u r e d
01 Flow
Size 02 Level
. 1 Under 1 inch 03 Pressure
.2 1 up t o 3 i n c h e s 04 Temperature
. 3 3 up t o 6 i n c h e s 05 Vacuum
.4 6 up t o 12 i n c h e s 20 Conductivity
. 5 O v e r 12 i n c h e s 21 PH
22 Hydrogen Con-
centration
Voltage Rating 23 Hydrazine Con-
1 Under 1 mV centration
2 1 up to 10 mV 24 Oxygen Con-
centration
3 10 m V u p to.l V 25 CO- Concentration
4 1 to 100 V 30 Current
5 100 to 1000 V 31 Power
6 1 to 10 KV 32 Resistance
7 Over 10 KV 33 Voltage
40 Count R a t e
41 Dose Rate
Material 42 Flux
43 Period
1 Aluminum 50 Position
2 Brass/Bronze 51 Revolution
3 Copper 52 Torque
4 Steel, Carbon 53 Speed
5 Steel, Galvanized 54 Vibration
6 Steel, C o r r o s i o n R e s i s t a n t 60 Time
7 Nonmetallic 70 Light
,8 Multimetallic
,9 C o m p o s i t e - M e t a l l i c and Nonmetallic
FIGURE 1. 10
COMMON SUBCLASSIFICATION
1-37
COMPONENT
System Generic Identification
Code Code Number Name
21.410 221.46.42 G50A Safety Injection P u m p
2L410 221.46.42 G50B Safety Injection P u m p
27.500 221.46.42 G3A F e e d w a t e r Pum.p*
27.500 221.46.42 G3B Feedwater Pump *
2L410 400. 5 6 . 5 4 . 2 0 Refueling Water Storage Tank
2L410 202. 56. 54.52 MOV853A F e e d w a t e r Inlet Valve
21.410 202. 56. 54.52 MOV853B F e e d w a t e r Inlet Valve
27.370 202. 56.35.55 CV36 Condenser Hotwell Valve
27.370 202. 56.35.55 CV3 7 Condenser Hotwell Valve 1
1 21.410 202. 56.43.14 867A06C58 Check Valve
21.410 202. 56.43.14 867B06C58 Check Valve
21.410 202. 56.43.14 867C06C58 Check Valve
26.132 500.01.20.60 FI912 Flow Indicator {
26.132 500.01.20.60 FI913 Flow Indicator
126.132 500.01.20.60 FI914 Flow Indicator j
26.132 500,01.60 FT912 Flow Transmitter !
26.132 500.01.60 FT914 Flow Transmitter i
26.132 500.01,60 FT914 Flow Transmitter 1
1
(*) These components n o r m a l l y functioning in different s y s t e m s .
FIGURE 1.11
SAMPLE CLASSIFICATION OF SAFETY INJECTION SYSTEM
COMPONENT
System Generic Identification
Name
Code Code Number
26. lllA 801. 03 NE1201 BF., Detector

26. UlA 801. 03 NE1202 BF^ Detector
26. lllA 802. 00 NM1201. 4 Preamplifier
26. lUA 802. 00 NM1202.4 Preamplifier
26. lllA 803. 02 NM1201. 1 Log Count Rate Amplifier
26. lllA 803. 02 NM1202. 1 Log Count Rate Amplifier
26. l l l A 001 ND1201 Power Supply Cutoff A s s e m b l y
26. l U A 001 ND1202 Power Supply Cutoff A s s e m b l y
26. l l l A 002 NT1201 Test and Calibration A s s e m b l y
26. l l l A 002 NT1202 Test and Calibration A s s e m b l y
26. lllA 500. 04. 20. 60 TA1200. 1 Thimble T e m p e r a t u r e Indicator
26. lllA 500. 04. 20. 60 TA1200. 2 Thimble T e m p e r a t u r e Indicator
26. UlA 500. 04.40 TE1201 Thimble T e m p e r a t u r e Detector
26. UlA 500. 04.40 TE1202 Thimble T e m p e r a t u r e Detector
26. UlA 500. 40. 20. 60 NFA1201.5 Log Count Rate A l a r m
26. UlA 500. 40. 20. 60 NFA1202.5 Log Count Rate A l a r m
26. UlA 500. 40. 20. 60 NLA1201. i Log Count Rate A l a r m
26. UlA 500 40. 20. 60 NLA 1202. 1 Log Count Rate A l a r m
26. UlA 500. 40. 30, 20 NLI1201 Log Count Rate Meter
26. UlA 500. 40. 30. 20 NLI1202 Log Count Rate Meter
26. UlA 500. 40.20. 50 NRL1201 Log Count Rate R e c o r d e r
26. UlA 500. 40. 20. 50 NRL1202 Log Count Rate R e c o r d e r
FIGURE 1. 12
SAMPLE CLASSIFICATION OF NEUTRON MONITOR SYSTEM
SOURCE RANGE CHANNEL
Mode Code Functional F a i l u r e Mode
1 F a i l u r e to close
2 F a i l u r e to open
3 F a i l u r e to s t a r t
4 F a i l u r e to stop
5 F a i l u r e to continue operation
6 Spurious failure - prenaature
operation
7 Degradation
8 E r r a t i c operation
9 Scheduled s e r v i c e
1 ° Scheduled r e p l a c e m e n t
FIGURE 1.13
FAILURE MODE CLASSIFICATION
1-40
Cause
Code
10 DESIGN
11 Not suitable to n o r m a l operating conditions.

12 Not designed to withstand design environnaent.
13 Not suitable for simultaneous application of all
design s t r e s s e s ,
14 Useful life too s h o r t for design application,
15 M a r g i n a l design leading to reduced p e r f o r m a n c e of
s e v e r a l p a r t s under s t r e s s .
20 FABRICATION
21 Configuration Abnormality
a) B r e a k s or c r a c k s .
b) Distortion or deformation,
c) P a r t left out,
d) P r e s e n c e of foreign objects, p a r t s , or m a t e r i a l ,
e) I m p r o p e r size or shape.
f) Depletion.
g) Wear or a b r a s i o n ,
h) Mechanical or e l e c t r i c a l maladjustment, including
loose p a r t s and faulty positioning,
22 Composition Abnormality
a) Wrong m a t e r i a l used.
b) E x c e s s i v e i m p u r i t i e s in conaponent m a t e r i a l .
c) Change in composition or g r a i n s t r u c t u r e .
30 OPERATION
31 Actual environmental s t r e s s e s exceed n o r m a l s t r e s s e s
called for in operation.
32 Actual operating conditions exceed those called for.
33 Maladjustment.
34. Operating e r r o r as a d i r e c t cause of f a i l u r e .
35 Operation beyond stipulated design life.
00 UNSPECIFIED
FIGURE 1.14
FAILURE CAUSE CLASSIFICATION
1-41
Effect Code F a i l u r e Effect on System P e r f o r m a n c e
1 No loss of p e r f o r m a n c e
2 P a r t i a l loss of p e r f o r m a n c e
3 Total loss of p e r f o r m a n c e
FIGURE 1.15
FAILURE E F F E C T CLASSIFICATION
Use Code Type of Use Event
0 No Operation (Plant R e m a i n s Shutdown)

1 Startup Operation
2 Continue Operation
3 Shutdown, N o r m a l
4 Shutdown, S c r a m
5 System T e s t
FIGURE 1.16
USE EVENT CLASSIFICATION
1-42
IN-PLANT IN-PLANT VENDOR
USE DATA FAILURE DATA FAILURE DATA
Operating Group
F i l l s in F R / M R
a
o
Maintenance Group Vendor P e r f o r m s
Makes Repair and Equipment Failure
D e s c r i b e s in F R / M R o Test
O o
O
Operating Group Operating Group Vendor P r e p a r e s

P r e p a r e s O/OS Acknowledges Failure Data
Periodically Completed F R / M R Report
m
Q
a
Reliability Engineer
Reviews F R / M R and
O/OS, and P r e p a r e s
f-ll
Input Loadsheet
Data Collection Agency Activities
Use Fractions for Comiponent

Testing and S y s t e m s Identification - G e n e r i c
Operation Code C r o s s Indexing
Failure Rate Data

Report
F R / M R denotes Failure Report and Maintenance Request

O/OS denotes Operating and Outage Summary
FIGURE 1.17
RELIABILITY INPUT DATA FLOW CHART
1-43
Item R e q u i r e d Information
1. Component/System Name of component and s y s t e m to which

it belongs. Where two or m o r e identical
components e x i s t in one s y s t e m , i n d i -
vidual component m u s t be identifiable.
2. D a t e / T i m e of F a i l u r e O c c u r r e n c e or discovery of failure in
day, month, y e a r , h o u r s , and m i n u t e s .
3. Total Repair Time Total r e p a i r time, including off-hours,

r e c o r d e d to the n e a r e s t h o u r s and
maintenance man-hours.
4. Completion T i m e of R e p a i r T i m e when r e p a i r was completed and

s y s t e m becanae operational.
5. Functional Mode of F a i l u r e The way in which a component failed,

i. e. , to close, open, s t a r t , stop, or
continue operation; p r e m a t u r e ,
degrading, or e r r a t i c operation; or
scheduled s e r v i c e or r e p l a c e m e n t .
6. Cause of F a i l u r e What made the component fail the

way it did?
7. Effect of F a i l u r e on System The degree to which s y s t e m p e r f o r m -

Performance ance was affected, i . e . , no l o s s ,
p a r t i a l l o s s , or total loss of p e r f o r m -
ance.
8. Result of F a i l u r e on R e a c t o r The way in which r e a c t o r operation

Operation was affected, i. e. , none, shutdown
or s c r a m .
9. Description of R e p a i r Description of failed p a r t s and

whether they w e r e replaced, r e p a i r e d
adjusted, c a l i b r a t e d e t c . ; and
name of m a n u f a c t u r e r if r e p l a c e d
with unit of different m a k e .
FIGURE 1.18
REQUIRED RELIABILITY INFORMATION
1-44
TYPE OF TEST ' INTERVAL BETWEEN SECTION IN TECHNICAL
ROUTINE TESTS SPECIFICATIONS
E x e r c i s e control r o d s . Daily during periods of sustained power operation. Section V - B - 2
Gas treatment system checks. Daily during periods of sustained refueling Section V n i - B - 4
operation.
Operate transfer scheme for e m e r - One month or l e s s . Section VI-B-7
gency section of 480 volt a-c system.
Calibrate stack gas, liquid waste a i r One month or l e s s . Sections VII-B-2, 4, 6
vent, a r e a monitoring systems and
portable dose rate i n s t r u m e n t s .
Refueling Building leak rate t e s t . One month or l e s s during periods of operation. Section m - B - 4
E x e r c i s e liquid poison injection One month or l e s s during periods of operation. Section V - B - 3
valve s,
Gas treatment system checks. One month or l e s s during periods of power Section V m - B - 5
1 operation.
E x e r c i s e automatically initiated One month or l e s s during periods of power ' Section III-B-2
dry well motor operated isolation operation.
valve s,
Check calibration of off-gas One month or l e s s during periods of power Section V I I - B - l
monitoring s y s t e m s and test their operation.
automatic functions.
Calibrate emergency condenser vent One month or l e s s during period* of power Section VII-B-3
monitoring s y s t e m s . operation.
E x e r c i s e a i r ejector off-gas One month or l e s s during periods of power Section V m - B - 4
isolation valve. operation.
Control rod drive performance. 1 Once each q u a r t e r . Section V-B-2
Dry well top and bottom a c c e s s P r i o r to power operation each time these Section n i - B - 1
head joints and suppression penetrations a r e opened.
chamber a c c e s s opening leak t e s t s .
Verify control rod following by P r i o r to commencement of each refueling Section V-B-2
coupling integrity check. operation or s e r i e s of low level critical t e s t s .
Functionally test Refueling Building P r i o r to each regularly scheduled refueling Sections III-B-5 and
ventilation system automatic outage. V n - B - 5 and 6
operation.
Functionally test all manual, motor During each regularly scheduled refueling Section III-B-2
operated, a i r operated and solenoid outage.
operated isolation valves.
Functionally test core spray and post During each regularly scheduled refueling Section i n - B - 3
incident cooling system automatic outage,
operation.
Control rod drive performance. During each regularly scheduled refueling Section V-B-2
outage.
Functionally test all s c r a m , During each regularly scheduled refueling Sections VI-B-1
automatic dry well and isolation outage. andni-B-2
valve c l o s u r e .
Functionally test m a s t e r reactor P r i o r to each regularly scheduled refueling Section VI-B-3
switch. outage.
Functionally test control rod with- During each regularly scheduled refueling Section VI-B-4
drawal permissive c i r c u i t s . outage.
Functionally test Refueling Building During each regularly scheduled refueling Section VI-B-5
high differential p r e s s u r e protection outage.
system.
Functionally test emergency During each regularly scheduled refueling Section VI-B-6
condenser control system. outage.
Dry well and suppression chamber Z4 months or l e s s . Section m - B - l
vacuum breaker t e s t s .
Leak rate tests on sample dry well 24 months or l e s s . Section III-B-1
electrical penetrations.
Reactor safety valves testing. 24 months or l e s s . Section IV-B-3
Emergency section of the 480 volt 24 months or l e s s . Section VI-B-7
a-c system load t e s t .
125 volt d-c system load test. 24 months or l e s s . Section VI-B-7
Dry well and suppression chamber Discussed in Section H I - B - l . Section n i - B - l
leak t e s t s .
FIGURE 1.19
TYPICAL OPERATIONAL TESTING SUMMARY

FOR NUCLEAR SAFEGUARDS SYSTEMS
1-45
Indian Shipping -
Items Yankee Point port NPD
(1) C omponent/ Sy stem Yes Yes Yes Yes
(2) Tinae of F a i l u r e Yes No Yes Yes
(3) R e p a i r Time No No Yes No
(4) Completion Time

of Repair Yes No Yes Yes
(5) Functional Mode of

Failure No No No No
(6) Cause of F a i l u r e No No No No
(7) Effect of F a i l u r e on
Systena P e r f o r m a n c e No No No Yes
(8) R e s u l t of F a i l u r e on
R e a c t o r Operation No No Yes Yes
(9) D e s c r i p t i o n of R e p a i r Yes Yes Yes Yes
FIGURE 1.20
COMPARISON OF REQUIRED INFORMATION
1-46
1. Component/System
2. D a t e / T i m e of F a i l u r e / / :
3. Functional Mode of F a i l u r e (circle one)
F a i l e d to (a) close (b) open (c) s t a r t (d) stop or (e) continue
operation (f) p r e m a t u r e operation (g) degradation (h) e r r a t i c
operation (i) scheduled s e r v i c e (j) scheduled r e p l a c e m e n t
4. Cause of F a i l u r e (if known or r e q u i r e d ) _
5. Effect of F a i l u r e on System P e r f o r m a n c e (circle one)

(a) no loss (b) p a r t i a l l o s s or (c) total loss of p e r f o r m a n c e
6. Effect of F a i l u r e on P l a n t Operation (circle one)
(a) none (b) continue operation (c) shutdow^n or (d) s c r a m
7. Work to be P e r f o r m e d
8. R e p o r t e d by
9. Work Assigned to
10. Date of Completion / /
11 . Total R e p a i r T i m e hours
12. Defective/Replaced P a r t s
Work P e r f o r m e d
Name of Manufacturer (if replace id with unit of diffeirent make)
FIGURE 1.21
FAILURE R E P O R T AND MAINTENANCE REQUEST FORM
WITH REQUIRED RELIABILITY INFORMATION
1-47
DATE o n d TIME SHUTDOWN REPAIR
OF FAILURE REQUIRID TIMB
FAILURE FAILURE FAILURE

MAINTENANCE MEMORANDUM
N9 81913
MODE CAUSE EFFECT
DATE-
WATCH.
Ji^ji.-u..i:-.."....',.,,' 1 '. •. '!• : . .. • • ..:.: LL,
APPARATUS WORK
JUKWU j ; . r- 'ViTf.".'V?•• •••'•• i .. '• : • . . , . f .r. :.:— i
REPORTED BY_
WATCH FOREMAN
APPROVED FOR INTERDEPARTMENTAL WORK REQUEST.

IS-eO (EA.) 7-62 PRODUCTION
FIGURE 1.22
MODIFIED MAINTENANCE REQUEST FORM
V e n d o r ' s Name
Component Name
Component Identification/Generic Code
T e s t Date or Duration
T e s t Condition ( c i r c l e one or describe)
(a) Life T e s t (b) Proof T e s t (c) S t a r t u p T e s t (d) O t h e r s
Total No. of Components T e s t e d

Total No. of F a i l u r e s
Total Operating Time million comp - h r . or cy.
E s t i m a t e of F a i l u r e Rate p e r million h r . or cy.
(a) Confidence Level %
(b) A s s u m e d F a i l u r e Distribution
Functional Mode of F a i l u r e by P e r c e n t of Total F a i l u r e s
F a i l e d to (a) close (b) open (c) s t a r t
(d) stop or (e) continue operation
(f) P r e m a t u r e operation (g) Degradation
Derating F a c t o r by P e r c e n t of Rated
(a) Voltage (b) C u r r e n t
(c) P o w e r (d) F r e q u e n c y
(e) P r e s s u r e (f) T e m p e r a t u r e
(g) O t h e r s
Other E n v i r o n m e n t a l S t r e s s F a c t o r s
Reference
FIGURE 1.23
VENDOR'S RELIABILITY INPUT DATA FORM
1-49
Bits (% % Failures Failures Failures
failures p e r per per per
million h o u r s ) 1000 h o u r s million h o u r s hour
Bits (% 3 2 »
failures per 1 10^ 10^ lo"
million hours)
% failures per
10-^ 1 10-^ 10^
1000 h o u r s
Failures per 10-^ lo' 1 10^

million h o u r s
Failures io-« 10-5 10-^ 1

p e r hour
FIGURE 1. 24
FAILURE RATE CONVERSION TABLE
1-50
CHAPTER 2
RELIABILITY ANALYSIS TECHNIQUES

CHAPTER 2
RELIABILITY ANALYSIS TECHNIQUES
An objective of this study has been to define r e q u i r e m e n t s and methods

of application for data collected in a reliability monitoring p r o g r a m .
Basically, what is needed is an examination of the types of reliability
analysis techniques which might be used in such a p r o g r a m . The range
of candidate techniques either in existence or c u r r e n t l y conceivable is
l a r g e . It includes p a r t - c o u n t models r e q u i r i n g all components to
function, simple b l o c k - d i a g r a m models allowing c r e d i t for redundancy,
m o r e complex b l o c k - d i a g r a m models accounting for various component
interdependencies and standby operation, and logical systenn simulation
models which include hunnan e r r o r . As the complexity of technique
i n c r e a s e s the data r e q u i r e m e n t s i n c r e a s e and the r e s u l t s of the analysis
technique can generally be expected to provide m o r e r e a l i s t i c evaluations
of the r e l a t i v e contributions to unreliability of the v a r i o u s p a r t s of a
s y s t e m design. As the application of reliability analysis techniques to
nuclear safety i n c r e a s e s , it can be expected that the techniques will
i n c r e a s e in sophistication and complexity-.
Various reliability analysis methods c u r r e n t l y in use have been investiga-

ted in the c o u r s e of this study. Out of this review two methods have been
selected whose data r e q u i r e m e n t s a r e believed to r e p r e s e n t the upper
limit which might be encountered in a reliability monitoring p r o g r a m for
r e a c t o r safeguard s y s t e m s . These methods a r e the Automatic Reliability
Mathematical Model (ARMM) and fault t r e e a n a l y s i s . ARMM is a w o r k -
ing, c o m p u t e r i z e d reliability analysis p r o g r a m . Fault t r e e is a logical
analysis concept developed during the Minuteman m i s s i l e p r o g r a m . A
p r e l i m i n a r y fault t r e e computer p r o g r a m , S A F T E - 1 , has been developed
during this study. Both of t h e s e methods a r e d e s c r i b e d in this c h a p t e r .
An appreciation for the data r e q u i r e m e n t s and method of data application
which would be encountered in a reliability monitoring p r o g r a m is gained
from a d i s c u s s i o n of ARMM and fault t r e e . F r o m this d i s c u s s i o n , as
well as the examples given in Chapter 3, it will be s e e n that either
method is capable of a c o m p r e h e n s i v e r e l i a b i l i t y examination of the
s y s t e m , given sufficient information r e g a r d i n g the equipment, the design,
and the methods of operation and t e s t i n g of the s y s t e m . Items of
information which a r e p a r t i c u l a r l y important in either method include:
1, Equipnnent relationships d e t e r m i n e d by both functional and

physical design.
2-1
2. Significant failure modes for each item of equipment.
3. F a i l u r e r a t e data for each significant failure mode.
4. Time to detect and r e p a i r failed equipment.
5. T e s t i n g or inspection frequencies which r e v e a l ability to
p e r f o r m or c o n v e r s e l y failure to p e r f o r m on each item of
c r i t i c a l equipment which is not continuously monitored.
6. N o r m a l or expected use p a t t e r n s for aging of each item
of equipment.
Finally, it should be noted that in either of t h e s e methods a p r i m a r y

limitation on the quality of r e s u l t s is the experience of the u s e r . As
r e p e a t e d applications a r e m a d e , the u s e r will become aware of the
fact that many apparently impossible configurations or sequences can
be a p p r o p r i a t e l y simulated. Such an observation applies equally to
other p r o m i s i n g reliability analysis techniques which w e r e not included
here.
2-2
AUTOMATIC RELIABILITY MATHEMATICAL
MODEL (ARMM) PROGRAM
ARMM (1 ' 2) is a g e n e r a l purpose computer p r o g r a m for deriving and

solving a m a t h e m a t i c a l model of the reliability of conaplex s y s t e m s . It
is b a s e d on a sequential application of the conditional probability
t h e o r e m to the probability of s y s t e m failure. The p r o g r a m s e l e c t s
those combinations of component failures which cause a s y s t e m failure,
and derives and solves the reliability m a t h e m a t i c a l model for computing
failure p r o b a b i l i t i e s . The output includes (1) the probability of s u c c e s s -
ful s y s t e m operation; (2) the probability of o c c u r r e n c e of each failure
combination; (3) the probability of function failure, its p e r c e n t a g e of
s y s t e m failure, and r a n k of each function of the s y s t e m ; (4) each c o m -
ponent's contribution to the probability of s y s t e m failure, i. e. , its
p e r c e n t a g e of the total probability and r a n k among the components; and
(5) the component connbinations which a r e the major contributors to
s y s t e m unreliability. Other useful aspects of the p r o g r a m a r e a built-in
capability to handle dependent components and nautually exclusive failure
m o d e s , and the use of input data r e q u i r e m e n t s which a r e simplified for
engineers not familiar with p r o g r a m m i n g m e t h o d s .
ARMM was developed by North A m e r i c a n Aviation, Inc. under contract

to the U. S. Air F o r c e . Subsequently, it has been r e v i s e d and expanded
to allow t r e a t m e n t of l a r g e r and m o r e connplex reliability m o d e l s . It
has been used by North A m e r i c a n to evaluate reliability and reliability
achievement in a i r c r a f t s y s t e m design from the conceptual design phase
through the detailed design p h a s e . With the availability of t e s t data it
also has been found capable of calculating a s y s t e m ' s dennonstrated
reliability; specific examples include analyses of systenns in e x p e r i -
mental or advanced design a i r c r a f t .
It will be noted that ARMM has linnitations which can be of i m p o r t a n c e

in some safeguard s y s t e m reliability a n a l y s e s ; however, t h e s e l i m i t a -
tions a r e not believed to be c r i t i c a l to the use of ARMM in nuclear
applications. E a c h of the limitations and suggested nnedifications a r e
d i s c u s s e d in the d e s c r i p t i o n and d i s c u s s i o n of use which follow.
DESCRIPTION
Logical Concept
ARMM c o n s i d e r s a s y s t e m to be made up of functions which in t u r n a r e

made up of components. When a function fails, the s y s t e m fails if t h e r e
2-3
a r e no other operating or standby functions which a r e alternate to the
failed function. The failure of a function is d e t e r m i n e d by the r e l a t i v e
values of the "modes available" and the "modes r e q u i r e d " which a r e
assigned to that function. A component can support m o r e than one
function, and for each of the functions a component supports it is
assigned a "weighting factor. " When the component fails, the c o r r e s -
ponding weighting factor is subtracted from the modes available of each
function it s u p p o r t s . When the modes available of a function become
(by this subtraction at each component failure) l e s s than the modes
r e q u i r e d , the function has failed.
A component is the s m a l l e s t piece of equipment the reliability analyst

wants to consider and for which he has failure r a t e data. If a piece of
equipment has s e v e r a l modes of failure, each mode can be considered
as a unique component if t h e r e is failure r a t e data for the different
nnodes. If the failure modes of a piece of equipment a r e mutually
exclusive, i . e . , the failure in one mode excludes the possibility of
failure in another (e. g. , a valve failing open cannot fail closed at the
s a m e t i m e ) , this can be d e s c r i b e d to the progrann by making one m o d e -
component a "must not fail" dependent component on the other m o d e -
component. If two components a r e physically dependent on each other,
e . g . , a pump and its m o t o r , but not mutually exclusive, this dependency
is input to the p r o g r a m as a "must fail" dependency. This l a t t e r type
of dependency can also be used between components which, though not
physically dependent, a r e dependent in such a way that the failure of one
makes c o n s i d e r a t i o n of failure in the other superfluous. Use of "must
fail" dependency is especially helpful in reducing computer t i m e .
Mathematical B a s e s
Application of the Conditional Probability T h e o r e m to Reliability - What

follows is a d e t e r m i n a t i o n of the probability of s y s t e m failure by the
application of the conditional probability t h e o r e m . The s y s t e m to be
used throughout this d i s c u s s i o n is shown in F i g u r e 2. 1. It c o n s i s t s of
five components a r r a n g e d on t h r e e " s u c c e s s p a t h s . " So long as the
components on at least one s u c c e s s path a r e operating, the s y s t e m has
not failed.
According to the conditional probability t h e o r e m , the probability of

s y s t e m failure can be w r i t t e n a s :
P(S) = P(S/A) P(A) + P(S/A) P(A) (1)
2-4
where
S = s y s t e m failure,
A = component A is working (not failed),
A = component A has failed (the b a r over the
connponent name signifies the connponent
has failed),
P(S) = probability of s y s t e m failure,
P(S/A) = probability of s y s t e m failure given that
component A has not failed,
P(S/A) = probability of s y s t e m failure given that
component A has failed,
P(A) = probability that component A has not failed, and
P(A) = probability that component A has failed.
The probability that component A has or has not failed is d e t e r m i n e d

by the failure density function for the component. Evaluated at t i m e t
the probability of failure is
t
P(A) f^ (t) dt
and the probability of no failure is
P(A) = l-P(A)
where
f (t) = failure density function for component A,
f^(t) = ^CCt^-'e-'''^
/S = Weibull shape p a r a m e t e r . If /3 = 1, f^(t)

b e c o m e s the exponential failure density function,
and
a. = Weibull scaling p a r a m e t e r . If /3 = 1, a becomes
the failure r a t e , X •
2-5
Given Equations (2) and (3), the probability of s y s t e m failure P(S)
r e q u i r e s that P(S/A) and P(S/A) also be evaluated. These t e r m s can
be defined by a stepwise application of the conditional probability
t h e o r e m to the s y s t e m shown in F i g u r e 2, 1. If A has not failed, the
s y s t e m can fail only if components B, C, and D or D or E also fail.
The following equations state this in the notation of Equation (1):
P(S/A) = P(S/A, B) P(B) + P(S/A, B) P(B). (4)
Since the s y s t e m will not fail if both A and B a r e operating then
P(S/A, B) = 0
and Equation (4) r e d u c e s to
P(S/A) = P ( S / A , B ) P(B). (4a)
The probability of systern failure given that B has failed is evaluated

as:
P(S/A, B) = P(S/A, B, C) P(C) -I-P(S/A,B,C) P(C). (5)
The first t e r m on the right is z e r o since the s y s t e m cannot fail if C

has not failed. Equation (5) b e c o m e s
P(S/A, B) = P ( S / A , B , C) P(C) (5a)
The probability of s y s t e m failure given that C has failed is evaluated

as:
P ( S / A , B , C ) = P(S/A, B , C , D ) P(D) + P ( S / A , B , C , D ) P(D). (6)
Since Equations (4a) and (5a) say that B and C have failed, then if
D fails the s y s t e m fails ( i . e . , P(S/A, B , C , D ) = 1). All that r e m a i n s
to be evaluated so that Equation (4a) can be e x p r e s s e d in t e r m s of un-
conditional component probabilities is the factor P(S/A, B, C, D). It is
evaluated by
P(S/A, B, C,D) = P ( S / A , B , C , D , E ) P(E) + P ( S / A , B , C , D , E) P(E)(7)
2-6
In Equation (7) D has not failed, so P(S/A, B, C, D, E) = 0 for if D and
E have not failed, t h e r e r e m a i n s an unfailed s u c c e s s path. But if E
fails then the systenn fails so P(S/A, B, C, D, E) - 1. It is now possible
to r e w r i t e Equation (4a) a s ;
P(S/A) = [ 1 - P ( E ) P ( D ) ] [ l - P ( C ) ] [ l - P ( B ) ] . (8)
The other unknown in Equation (1), P(S/A), can be evaluated in a

nnanner s i m i l a r to Equations (4) through (8)
P(S/A) = P ( S / A , B ) P(B) + P ( S / A , B ) P(B). (9)
Since A has failed
P(S/A,B) = P(S/A,B) (10)
which has been evaluated by Equations (5a), (6), and (7). So Equation
(9) can be r e w r i t t e n a s :
P(S/A) - [ l - P ( E ) P ( D ) ] [l-P(C)]. (11)
If Equations (8) and (11) a r e substituted into Equation (1), the p r o b a b i -

lity of systenn failure i s :
P(S) = [ 1 - P ( E ) P ( D ) ] [ 1 - P ( C ) ] [ 1 - P ( A ) P ( B ) ] . (12)
The probability of s y s t e m failure for the sinnple s y s t e m of F i g u r e 2. 1

could have been obtained by recognizing that for this s y s t e m , with
redundant s u c c e s s paths, the probability of failure is the product of the
probabilities of failure of each of the s u c c e s s p a t h s . In m o r e complex
systenns, solution by inspection is difficult if not i m p o s s i b l e and the
value of this approach is apparent.
ARMM's Use of the Conditional Probability T h e o r e m - ARMM's analysis

of the s y s t e m in F i g u r e 2. 1 i s , of c o u r s e , that of a connputer. T h e r e -
fore, it is a sequential application of the conditional probability t h e o r e m
r a t h e r than an "it is c l e a r that . . . " approach. ARMM p r o c e e d s down
the list of components s e a r c h i n g for connbinations of failed components
which cause the systenn to fail. The u s e r specifies the maxinnunn
nunnber of failed connponents ARMM needs to consider in a combination.
Table 2. 1 l i s t s , in the p r o p e r o r d e r , the connbinations ARMM would
consider for the systenn in F i g u r e 2. 1 if the m a x i m u m nunnber of failed
components allowed per connbination w e r e four.
2-7
N o t e t h a t a f t e r t h e s y s t e n n h a s f a i l e d , it is r e t u r n e d t o o p e r a t i o n by
t u r n i n g on t h e l a s t f a i l e d c o m p o n e n t . T h i s is f i r s t m e t by A R M M w i t h
t h e c o m b i n a t i o n A B C D . C o m p o n e n t D is t u r n e d on and for t h e n e x t
c o n n b i n a t i o n E is f a i l e d .
If no s y s t e m f a i l u r e o c c u r s w i t h t h e f a i l u r e of four c o m p o n e n t s a s w i t h
the c o m b i n a t i o n ABODE t h e n as with a s y s t e m failure the last failed
c o m p o n e n t is t u r n e d b a c k on. H o w e v e r , in t h i s exannple t h e l a s t f a i l e d
connponent is t h e l a s t c o m p o n e n t on t h e l i s t . What A R M M d o e s h e r e is
t u r n on B and D a s w e l l and t h e n f a i l C .
If t h e u s e r h a d s p e c i f i e d t h a t c o m p o n e n t B w a s a "nnust f a i l " d e p e n d e n t
connponent t o c o m p o n e n t A t h e n A R M M w o u l d not c o n s i d e r a n y c o m b i -
nation with b o t h A and B f a i l e d . So f e w e r c o m b i n a t i o n s a r e
considered by t h e p r o g r a m w h i c h m e a n s a s a v i n g s in t i m e .
W i t h o u t t h e d e p e n d e n c y and a s s h o w n i n T a b l e 2. 1, t h e r e a r e s i x f a i l u r e
c o m b i n a t i o n s . T h e y a r e : A B C D , A B C D E , A B C D , _ A B C D E , A B C D , and
A B C D E . W i t h t h e d e p e n d e n c y t h e r e a r e f o u r : A C D , A C D E , A B C D , and
A B C D E . N o t e t h a t s i n c e P ( B ) -I- P ( B ) = 1, t h e s e t w o l i s t s a r e t h e s a m e .
T h e f i r s t l i s t r e q u i r e d m o r e c o n n p u t e r t i n n e . If only t h r e e c o n n p o n e n t s
w e r e a l l o w e d t o b e f a i l e d at a t i n n e , and a l o o k at F i g u r e 2. 1 s h o w s t h a t
r e a l l y t h a t is a l l t h a t is n e c e s s a r y , t h e n t h e t w o l i s t s w o u l d not b e t h e
s a m e and t h e r e w o u l d be a n e r r o r in t h e r e s u l t s of t h e r u n w i t h o u t t h e
dependency.
T h e p r o b a b i l i t y of s y s t e m f a i l u r e is t h e s u m of t h e p r o b a b i l i t y of o c c u r -
r e n c e of e a c h of t h e f a i l u r e c o m b i n a t i o n s . F o r t h e f a i l u r e c o n n b i n a t i o n
A B C D E , t h e p r o b a b i l i t y of i t s o c c u r r e n c e is c a l c u l a t e d by A R M M a s :
P ( A B C D E ) = P ( B ) P ( C ) P ( E ) [ 1-P(A+D) ] (13)
where
P(A-I-D) = probability that A or D or both fail,
P(A+D) = P(A) + P(D) - P ( A ) P ( D ) = l - P ( A ) P ( D ) ,

P(A) = l-P(A), and
P(D) = l-P(D).
T h e f a c t o r in b r a c k e t s in E q u a t i o n (13) is t h e p r o b a b i l i t y t h a t n e i t h e r A
n o r D f a i l . T h e p r o b a b i l i t y of s y s t e n n f a i l u r e , S F , d u r i n g e a c h t i m e
2-8
i n t e r v a l , is obtained by summing the probability of o c c u r r e n c e of each
of the N failure connbinations
N
SF, = y P (failure combination k in t i m e (
k=l i n t e r v a l i).
This sum is the probability of s y s t e m failure during t i m e i n t e r v a l i.
The probability that the s y s t e m has failed by the s t a r t of t i m e i n t e r v a l

i is given by the r e l a t i o n :
T S F . = TSF. , + (1-TSF. J S F . , (
1 1-1 1-1 1-1
w h e r e by convention
TSF = 0
o
and, t h e r e f o r e ,
TSF = 0
TSF^ = S F ^ .
F o r e x a m p l e , the probability that the s y s t e m has failed by the s t a r t of

the t h i r d i n t e r v a l i = 3 i s :
TSF^ = SF^ + ( 1 - S F j ) S F ^ . (
Equation (16) can be r e a d as the probability that the s y s t e m failed in

i n t e r v a l one plus the product of the probability that it failed in i n t e r v a l
two and the probability that it did not fail in i n t e r v a l one. This product
suggests the use of the "good as new" approximation for all connponents
at the beginning of each tinne i n t e r v a l .
Originally, ARMM evaluated the probability of failure of each component

for the t i m e i n t e r v a l i from t. t o t. , by Equation (17)
1 1+1
S+1
P(B) = Jfg(t) dt.
t.
1
2-9
This does not i n c o r p o r a t e the "good as new" approximation. This
equation has been changed so that the linnits of integration a r e now
from 0 t o (tj+i -t^) which does reflect the "good as new" approximation.
A connparison of the different integration linnits can be nnade as follows.

F o r the exponential density function
P < " ( t . ^ , - t . , 0) =P (18)

<"Vi-V»'*'
w h e r e t h e s u p e r s c r i p t i n p a r e n t h e s i s s p e c i f i e s t h e v a l u e of j3.
H e r e t h e f a c t o r s in t h e a r g u n n e n t of P a r e t h e u p p e r and l o w e r l i m i t s
t o t h e i n t e g r a l , r e s p e c t i v e l y . E q u a t i o n (18) s h o w s t h a t t h e e r r o r in
u s i n g t h e l i m i t s of E q u a t i o n (14) is snnall if Xti is s m a l l . W h e n W e i b u l l
d i s t r i b u t i o n s a r e used, the following r e l a t i o n obtains:
i3
Ort:
p(^\t,,,-t^, 0) = p ( ^ ) ( t , , , , t , ) e '
P^^)(t^,/-t/,0)
P<^) - P^^^ P - 1, (19)
H e n c e t h e v a l u e s of a and j3 u s e d w i l l d e t e r n n i n e t h e d i f f e r e n c e
i n v o l v e d in u s i n g t h e t w o s e t s of l i m i t s .
T h e p r o b a b i l i t y t h a t t h e u n f a i l e d c o n n p o n e n t s in t h e f a i l u r e c o n n b i n a t i o n
of E q u a t i o n (13) do not f a i l is c a l c u l a t e d a s :
t. , -t.
1+1 1
[1-P(A+D)]= 1 - J [(X^+Xj3)e"<Â+XD)t-j dt. (20)
Equations (17) and (20) use the exponential failure density function.
ARMM in its p r e s e n t fornn also is able to use the Weibull failure density
function in Equation (17) but not in Equation (20). Equation (20) was
generalized in this study to include a Weibull failure density function.
This yields
2-10
t -t
i+1 i
[ 1-P(A+D) ] = 1- J [^â^tÂ-^ + ^j^V^D"^ ]
- f a tÂ + a t^D"!
• e'-^ ^ -"dt. (21)
The r e s u l t obtained using Equation (12), and the r e s u l t obtained by

ARMM, Equation (14), a r e identical for the simple s y s t e m of F i g u r e 2. 1.
So for simple s y s t e m s ARMM gives the s a m e r e s u l t for s y s t e m failure
during an i n t e r v a l as the conditional probability t h e o r e m . F o r connplex
s y s t e m s , since ARMM limits the number of connponents failed in a
failure combination, the r e s u l t s will not be identical to those of the
conditional probability t h e o r e m . However, Equation (13) shows that
the probability of systenn failure is p r o p o r t i o n a l to the product of the
probabilities of failure of each failed connponent, so for a failure c o m -
bination with many failed components its contribution to the probability
of s y s t e m failure will be s m a l l . However, significant e r r o r s can
r e s u l t for simple s y s t e m s when not enough failures a r e allowed.
System Probability - B a y e s ' theorenn s t a t e s :
P(A/S) = £ i ^ ^ | f i ^ (22)
where P(A/S) is the probability, that given the systenn has failed, it
was caused by the failure of component A. In other w o r d s , it is A's
contribution to s y s t e m failure (or to s y s t e m unreliability).
ARMM calculates the contribution of each of the components, j , to

s y s t e m unreliability in tinne interval i by the equation:
C..SF.(1-TSF.)
P.(j/S) = -^ i (23)
1 a.
where
n \
(24)
2-11
m
\ c . k -- I ^ ^ . k (25)
1=1
X» , - failure r a t e of component -t which was involved

' in failure combination k,
m = number of failed components in a given failure

combination,
P. = probability of failure cf component -t ,
n = number of failure combinations in which component j

was involved,
N
a. =1 C.. , and (26)
j=l
N - number of "on" components during i n t e r v a l i.
The factor C.. is the s u m of the contributions connponent j nnakes to

e a c h failure combination of which it is a failed connponent. Its contribution
is d e t e r m i n e d by the r a t i o of failure r a t e s . F o r exannple, for connponent A
in the failure combinations ACD and ACDE
X
'i.A = [ x - T x r T x - ] P(A)P(C)P(D)
•A • ^C -D
+ [ T ~ 7 i r - T T - ] P(^> P<<^) p(E) . (27)

UX^ + X^ + Xj, -J
The contribution of component j to systenn unreliability P.(j/S) is

included in the ARMM output for each time i n t e r v a l that connponent j
2-12
has not been turned off by the u s e r . It is also p a r t of the s u m m a r y output
which is the sunn of systenn perfornnance for all the tinne i n t e r v a l s . The
contribution of component j to systenn u n r e l i a b i l i t y for the e n t i r e t i m e ,
Prp(j/S), is given by:
N
PT(J/S) =1i=l
Pi(j/S) (28)
for N time i n t e r v a l s .
If component j was turned off during an i n t e r v a l , the P . ( j / S ) for that

i n t e r v a l is z e r o .
Standby Functions - ARMM can a l s o handle standby functions. These

a r e functions which do not operate until the function to which it is standby
fails.
In F i g u r e 2, 1, for e x a m p l e , the function which is composed of components

D and E could be standby to the function which is composed of component C,
The probability of o c c u r r e n c e of a failure combination which includes

a failed standby component is calculated by an equation which is a
nnodification of Equation 13. Since component E i s , for this c o n s i d e r a t i o n ,
a standby component which, along with component D, was brought into
operation by the failure of component C, the product P(C) P ( E ) in
Equation 13 is r e p l a c e d by:
t -t.
i+1 i
^CÊ -X t - x _
P(CE)
(>•.
Ê' [ e E -e C •] dt (29)
X then:
'' ^C = ^ E
t., - - t .
1+1 1
P(CE) = X^te'^'dt (30)
2-13
The g e n e r a l form for Equation 29, as used in ARMM, is
i+1 i n
n X p n
P(n failures) - dt (31)
J S-2^XjL j=2 J
j=2
where
X = failure r a t e of the operating component whose failure " t u r n s on"

all n-1 standby components, and
P ( n failures) = probability that the operating component and all of its

standby components fail.
Equation 31 is for an operating component, and n-1 standby connponents

all of which a r e brought into operation at the time the operating component
fails. In the s y s t e m in F i g u r e 2. 1, D and E a r e standby to C and both
a r e turned on when C fails; however, the s y s t e m fails with e i t h e r
component D or E failed, so n equals 2 for this s y s t e m .
Equation 31 was derived by making the assunnption that when the standby
connponents w e r e turned on, the probability of systenn failure could be
w r i t t e n as the product of the probabilities of failure of the individual
c o m p o n e n t s . This yields Equation 31 which does not contain the limiting
values of one and z e r o for large and s m a l l t i m e s , r e s p e c t i v e l y .
Consider a simple standby nnodel with t h r e e components A, B, and C,

e a c h having exponential failure d e n s i t i e s . Component A o p e r a t e s and
when it fails both B and C a r e turned on. S y s t e m failure o c c u r s when
all t h r e e components fail. The c o r r e c t e x p r e s s i o n for s y s t e m failure
probability in this c a s e is
. -x^t . -X.t .
X.e
-M .
C -Xê
-X.t
A
X ,e B -X„e A A C
P(t,0) = 1 A B
(32)
Â • <^B + ^ c ' ^]-

2-14
The e x p r e s s i o n for P ( t , 0), b a s e d on the a s s u m p t i o n of product
p r o b a b i l i t i e s , is from Equation 31
P(t,0)
^^c ^ ^ E ^ C e A
(33)
X +X
B C <^B+^C' J
An e s t i m a t e of the difference between the two e x p r e s s i o n s h a s not been
m a d e . Equation 31 is exact for n - 2.
ARMM, in its p r e s e n t f o r m , does not allow for sequential activation of

standby functions. That i s , it does not c o n s i d e r a s y s t e m wherein there
is a standby function which t u r n s on when another standby function
f a i l s . An e x p r e s s i o n for this configuration was obtained using a t h r e e
component s y s t e m nnodel which c o v e r s m o s t p r a c t i c a l c a s e s . The
r e s u l t is
X X -X^t
P ( t , 0) - 1
Vce-Â^ A C e B
X )
< ^ - V <^C A'
(Â-^B)(^C-^B)
^ ^ B e ^c' (34)
+ (X
V < ^ B ^C^
Also, ARMM does not c o n s i d e r Weibull f a i l u r e density functions for

standby functions; it c o n s i d e r s only the exponential. In extending
this a n a l y s i s to include Weibull d e n s i t i e s , one obtains e x p r e s s i o n s
which a r e not integrable in closed f o r m . Hence, double i n t e g r a l s
will appear and n u m e r i c a l p r o c e d u r e s will have to be developed to
handle t h e m .
Function Contribution to Unreliability - Included in the ARMM output

is the function contribution to u n r e l i a b i l i t y for each function. The one
exception of this is when a function h a s a standby function, then the
2-15
contribution of the functions is assigned to its standby. The function
contribution for function (nn) in t i m e i n t e r v a l (i) is calculated by:
^ n
(1-TSF.) S F . kj nn
P . (function m / S ) - 1 1 Lk=i <e,=i (35)
N r a
m^lL k=l -1=1 ^ : m
where
n - n u m b e r of failed connponents in a given failure

combination whose failure is attributed to function
m,
a - number of failure combinations whose failure is
attributed to function m , and
N number of failure combinations in time i n t e r v a l i.
A failure combination is attributed to the function supported by the l a s t

failed connponent in that combination. F o r this r e a s o n , it is possible
to have two p a r a l l e l or redundant functions with the s a m e type of
connponents and yet different contributions to u n r e l i a b i l i t y .
The contribution for a function for the e n t i r e time is given by the s u m

of its contribution for e a c h i n t e r v a l it is on.
S e r i a l P r o b a b i l i t y - The s e r i a l probability is the contribution each "on

component m a k e s to s y s t e m unreliability if all the "on" connponents in
the s y s t e m a r e in s e r i e s . It is calculated by the equation:
SP.. = (36)
"-Vi'Pi
where
t -t
i+1 i
>. = J Xê-\^t,
2-16
n
XT
= iv
X. - the failure r a t e of connponent j ,
n = number of "on" connponents,
X. = X. , + ( 1 - x , , ) P . , and
1 1-1 1-1 1
% = °-
The f a c t o r , ( l - t t . ), is the probability that t h e r e has b e e n no connponent
failure up to the s t a r t of i n t e r v a l i.
The s e r i a l probability for the e n t i r e tinne is calculated by
X. A T .
VX.AT.
j=l
where
AT. = total operating tinne of the jth connponent during

the N tinne i n t e r v a l s .
"^^ = the probability of at least one connponent failure
in the total operating tinne t = 0 to t = t .
The value of the s e r i a l probability is of little significance in s y s t e m s

p o s s e s s i n g extensive amounts of redundancy. It does allow a c o n s e r v a t i v e
estinnate of component contribution to u n r e l i a b i l i t y in complex s y s t e m s
containing extensive c r o s s linking.
2-17
USE O F ARMM
As p r e v i o u s l y indicated, ARMM has b e e n designed for use by e n g i n e e r s

who do not have connputer e x p e r i e n c e . To use ARMM to analyze the
r e l i a b i l i t y of a systenn one is r e q u i r e d to (1) p r e p a r e a r e l i a b i l i t y d i a g r a m
of the s y s t e m , and (2) identify the functions and t h e i r supporting c o m p o n e n t s .
Subsequently the information p r e s e n t e d in the d i a g r a m is t r a n s l a t e d to
n u m e r i c and a l p h a n u m e r i c input data.
The function and component s u m m a r y sheet shown in F i g u r e 2, 2 is an

aid in organizing the input data. The components a r e a s s i g n e d a weight
for each function they support. Also, the components a r e assigned failure
r a t e s and the functions a r e assigned "modes a v a i l a b l e " and "modes r e q u i r e d , "
The r e l a t i o n s h i p between nnodes available, modes r e q u i r e d , and connponent
weight is developed in detail in subsequent d i s c u s s i o n s of fields 4B and 5B,
E a c h of the seven input fornns shown in F i g u r e s 2. 3 through 2. 9 has been

subdivided into data fields for a p p r o p r i a t e input infornnation. The fields
a r e m a r k e d with v e r t i c a l lines and have a p p r o p r i a t e h e a d i n g s . E a c h line
or row on a form c o r r e s p o n d s to a single punch c a r d of infornnation. In
each row columns 73 to 80 a r e used for assigning c a r d identification or
c a r d sequencing n u m b e r s which a s s u r e c o r r e c t a r r a n g e m e n t of a connplete
input data deck.
It a l s o should be noted that sonne of the input data nnust be given in fixed
point n u m b e r s , e, g, , 386, while other portions of the data must be in
floating point n u m b e r s , e. g, , 386, 0, Fixed point n u m b e r s must be right
adjusted, i. e. , placed in the right hand columns within the field. The data
fields that r e q u i r e a floating point nunnber have a notation to that effect in the
heading. The other fields use only fixed point nunnbers.
A review of the requirennents for filling out each input f o r m follows:
F o r m A - G e n e r a l Information - Rows 1 through 7
Field lA - Columns 1 through 3 (Nunnber of Components) - This field

i n s t r u c t s the progrann about the number of connponents for which it will
expect to r e a d input infornnation. This number must a g r e e with the actual
nunnber of components for which input infornnation has been provided or
the p r o g r a m will r e j e c t the p r o b l e m . The progrann will handle a m a x i m u m
of 500 c o m p o n e n t s .
2-18
Field 2A - Columns 4 and 5 (Nunnber of Tinne Intervals) - E v e r y p r o b l e m
nnust consider 1 or nnore tinne i n t e r v a l s . The p r o g r a m is capable of
c o n s i d e r i n g a nnaxinnunn of 20, If the number in this colunnn is not the
sanne as the nunnber of tinne i n t e r v a l s for which information is provided in
F o r m G e n t r i e s , the progrann will not accept the p r o b l e m .
Field 3A - Columns 6 through 10 (Operating Tinne) - The operating tinne is the

length of tinne in hours from the beginning of the first t i m e i n t e r v a l to the end
of the last t i m e i n t e r v a l , A floating point nunnber should be used.
Field 4A - Columns 11 through 13 (Maximum Number of Components F a i l e d

at a Time) - This field is used to regulate the amount of detail that is to
be used in the a n a l y s i s , which in t u r n helps regulate the machine t i m e
r e q u i r e d by the problenn. As the nnaximunn number of failed components
is i n c r e a s e d the machine tinne i n c r e a s e s at a r a t e g r e a t e r than that indicated
by the linear r a t e of change in this nunnber. T h e r e f o r e , the nnaximum
number of failed connponents considered nnust be judiciously s e l e c t e d to
p r e s e r v e sensitivity and yet limit connputer run tinne.
Although the value of this nunnber nnay be 8 or l e s s , it is suggested that as

a r u l e 3 or 4 will give an adequate level of sensitivity without e x c e s s i v e
machine t i m e for s y s t e m s with limited redundancy. F o r highly redundant
s y s t e m s e x c e s s i v e r u n t i m e s nnay r e s u l t if this number is g r e a t e r than
2 or 3. In this c a s e the depth control feature can then be used to consider
failure combinations of a higher number for specific components. As
d i s c u s s e d in Field 13C, the depth control allows specific adjustment of
the maximunn nunnber of failed connponents c o n s i d e r e d with any given
component. Thus, i n t e r n a l sensitivity control is provided e l s e w h e r e in the
data, and the o v e r a l l input level in Field 4A may be set lower than that
c o n s i d e r e d for specific connponents.
Field 5A - Columns 14 through 16 (Number of Functions) - This input i n f o r m a -

tion t e l l s the p r o g r a m the nunnber of functions for which it must r e a d input
infornnation. The p r o g r a m will handle a m a x i m u m of 3 00 functions.
Field 6 A - Columns 17 and 18 (Nunnber of Integration Intervals) - ARMM

calculates probability of failure by integrating a failure density function
using S i m p s o n ' s Rule. Sinnpson's Rule r e q u i r e s a division of the i n t e g r a -
tion i n t e r v a l into s u b i n t e r v a l s . The input infornnation gives the p r o g r a m
the number of s u b i n t e r v a l s to use in the integration. The progrann can
accept a nnaximum of 24 s u b i n t e r v a l s . As a rule 10 i n t e r v a l s should be
sufficient.
2-19
Field 7A - Column 19 (Print Equation) - This field should always have a 1,
Field 8A - Column 20 - This field is not used.
Field 9A - Colunnns 21 through 23 - This field is not used.
Field lOA - Colunnn 24 (Insert P a r t i a l Data) - A z e r o (0) in this column

i n s t r u c t s the p r o g r a m to e r a s e all previous data and p r e p a r e to r e a d all
input data r e q u i r e d for this problenn. A one (1) in this colunn i n s t r u c t s
the progrann to keep the input data from the previous p r o b l e m and p r e p a r e
to r e p l a c e portions of the data. T h e r e a r e only c e r t a i n portions of the data
in this p r o g r a m which can be changed without r e a d i n g all of the input data.
T h e s e portions a r e :
1. The number of nnodes available for a function. Field 4,

Columns 25through 28 of F o r m B,
2. The number of modes r e q u i r e d for a function. Field 5,

Colunnns 29 through 32 of F o r m B,
3. A connponent's nanne, failure r a t e , beta value for the Weibull

distribution, and depth c o n t r o l . These a r e in Fields 3, 5, 6,
7, 12, and 13 of F o r m C.
4. Cumulative tinne to the s t a r t of this t i m e i n t e r v a l . Field 3 of

F o r m G. P r o b a b i l i t y of failure for this tinne i n t e r v a l . Fields
5 and 6 of F o r m G.
Field H A - Columns 25 through 27 (Nunnber of Major Contributors to

System Unreliability)- The p r o g r a m can list from 1 to 100 combinations
of failed components which cause s y s t e m failure. Also, it will r a n k t h e m
and print the major combinations. This input governs the number of
failure combinations which the p r o g r a m will l i s t . Of c o u r s e , if t h e r e a r e
only X connbinations it will only print X combinations if that is l e s s than
this input. As a rule it is not n e c e s s a r y to specify a value in this field.
Field 12A - Columns 3 0 through 72 ( P r o b l e m Name) - These 42 s p a c e s a r e

provided for the p r o b l e m n a m e . Any FORTRAN symbol may be used. This
name will be printed on each page of the output.
F o r m A - D e s c r i p t i v e Infornnation - Rows 8 through 27 - Columns 3

through 68 - This space is r e s e r v e d for any d e s c r i p t i v e purpose to which
the engineer may wish to apply it. It will accept and r e p r o d u c e in the
output any FORTRAN c h a r a c t e r . E x a m p l e s of the use of this capability a r e
a problenn d e s c r i p t i o n and assumptions nnade in the a n a l y s i s .
2-20
E a c h c a r d used for this purpose must be identified with a four (4) in
Colunnn 2. A m a x i m u m of 55 c a r d ? may be used for this p u r p o s e .
F o r m B - Function Data
This form o r g a n i z e s e n t r i e s for input information d e s c r i b i n g the systenn

in t e r m s of functions. Each c a r d will contain the information for one
function.
Field IB - Columns 1 and 2 (Function Input Card Identification) - A 1

in Colunnn 2 will identify this infornnation as function information to
the p r o g r a m . If a 1 is not in Column 2 of each function c a r d , t h e program
will give an e r r o r s t a t e m e n t and p r o c e e d to the next c a r d or job. In either
c a s e , the analysis will not be done.
Field 2B - Columns 3 through 6 (Function ID Number) - The progrann will

accept any integer of 3 digits or l e s s . They do not need to be in any o r d e r
or have a n u m b e r i n g s c h e m e . The progrann uses i n t e r n a l index n u m b e r s ,
but will always print the ID nunnbers. Standby functions a r e identified by
a (-) in Column 3.
Field 3B - Colunnns 7 through 24 (Function Name) - The p r o g r a m will accept

an 18 l e t t e r n a m e for each function. It will print this name in the input
data printout and again in the output. This feature aids in the analysis of
the p r o b l e m printout.
Field 4B - Colunnns 25 through 28 (Number of Modes Available) - The

n u m b e r to be placed in this field is a nunnerical value which is given to a
function when all components which support the function a r e in operating
condition. As components supporting the function fail, they d e t r a c t
from the operability of the function and when a sufficient number of
supporting components have failed the function will be failed. To reflect
this change in function operability each component is given a "weighting
f a c t o r " in each function that it s u p p o r t s . When a connponent fails, the
p r o g r a m s u b t r a c t s the component weighting factor from the "nunnber of
modes a v a i l a b l e " a s s i g n e d to each function supported by the component.
A floating point nunnber should be used in this field.
Field 5B - Colunnns 29 through 32 (Number of Modes Required) - The

number to be placed in this field is a floating point number which is used
by the p r o g r a m to deternnine when sufficient connponent failures have
o c c u r r e d to c a u s e function failure. The progrann r e c o g n i z e s a function
failure when it finds the nunnber of modes available for the function has
been r e d u c e d to l e s s than the number of modes r e q u i r e d .
2-21
Field 6 B - Columns 33 through 36 (Number of Alternate Functions) - An
a l t e r n a t e function is a function which is capable of doing the s a m e job.
This input information s t a t e s the number of function ID's which a r e
a l t e r n a t e to a given function. T h e r e is a maxinnum number of 1100
a l t e r n a t e functions for the p r o b l e m .
Field 7B through 14B - Columns 37 through 72 in Width (Alternate

Functions) - Use only the ID number of the a p p r o p r i a t e a l t e r n a t e function.
Standby functions a r e c o n s i d e r e d to be a l t e r n a t e functions. However, when
a standby function is l i s t e d as an a l t e r n a t e function, the nninus sign should
not be used h e r e . Alternate functions should be listed in i n c r e a s i n g
nunnerical ID n u m b e r s , one function for each 4 column field. The function
nunnbers should be right adjusted and should not have nnore than 3 digits.
If the function has as an a l t e r n a t e a s e r i e s of functions all of which nnust
work, e, g. , function 10 has as a l t e r n a t e functions 20, 30, and 40 and they
all nnust work, then an "A" nnust be put in the f i r s t column of the field of
each of the a l t e r n a t e functions in the s e r i e s except the f i r s t a l t e r n a t e function
of the s e r i e s . The "A" signifies the word "and" and indicates to the progrann
that all A connected functions in the s e r i e s must w o r k to provide an effective
a l t e r n a t e function. In the exannple above, the a l t e r n a t e functions would be
input as 20A_30A_40, Fronn the standpoint of p r o g r a m capacity, each
function in a s e r i e s counts as an a l t e r n a t e function. If nnore than 9 a l t e r n a t e
functions a r e needed, the additional functions should be e n t e r e d on a following
function c a r d with a 1 in Column 2 and a l t e r n a t e function number e n t r i e s
beginning in the field defined by Columns 37 through 40.
Component Infornnation
F o r m s C, D, and E a r e used to input infornnation about a single connponent.

When a s s e m b l i n g the c a r d s for a specific component, the c a r d from the
e n t r y on F o r m C nnust be followed by c a r d s from e n t r i e s on F o r m s D and
E which p e r t a i n to the s a m e connponent if t h e r e a r e n u m e r i c a l e n t r i e s in
F i e l d s 8 and 9 of Fornn C. T h e r e will always be a positive entry in
Field 8.
F o r m C - Connponent General Infornnation
Field 10 - Columns 1 and 2 - A 2 in Column 2 identifies this c a r d as one

which contains connponent infornnation. T h e r e f o r e , a 2 nnust appear in
Column 2 of e v e r y row used on this page.
Field 2C - Columns 3 through 9 (Component ID Nunnber) - These seven

spaces a r e available for connponent identification. They provide space for
a 3-digit component ID n u m b e r , a decinnai point, and a 2-digit s u b s y s t e m
2-22
identification number which may be used by the p r o g r a m m e r for r e f e r e n c e
information; e. g. , the p a r t i c u l a r failure nnode being c o n s i d e r e d . The
s u b s y s t e m nunnber and the d e c i m a l point need not be used; however, in
either c a s e , the component ID nunnber should be right adjusted in Field 2 0 ,
Field 3C - Columns 10 through 27 (Component Name) - These 18 spaces

a r e to be used for an alphanunneric component n a m e . They a r e placed in
t e m p o r a r y s t o r a g e and printed beside the component ID nunnbers when the
input and output data is printed.
F i e l d 4 0 - Columns 28 through 32 - This field is not used.
Field 50 - Columns 33 through 39 (Cyclic F a i l u r e Rate) - This field is to

be used only if the component o p e r a t e s cyclically and has a cyclic failure
r a t e . If the component operates continuously, then this field should be left
blank. When it is used, the failure r a t e must be e x p r e s s e d as failures per
million c y c l e s . A floating point nunnber nnust be used.
Field 6C - Columns 40 through 46 (Average Number of Cycles per Hour) -

This field must be used if and only if Field 50 is used. A floating point
nunnber must be used.
Field 70 - Columns 47 through 54 (Continuous F a i l u r e Rate) - If a component

o p e r a t e s continuously throughout the t i m e i n t e r v a l s under c o n s i d e r a t i o n , then
its failure r a t e must be listed h e r e . The failure r a t e must be e x p r e s s e d as
the number of failures per million h o u r s . A floating point nunnber nnust be
used. If the Weibull function is used for this connponent, then the input in
this field is the p a r a m e t e r a.
Field 80 - Columns 55 through 57 (Number of Functions Supported) - The

effect on the s y s t e m of the failure of components is d e t e r m i n e d by the effect
on the functions that the connponent s u p p o r t s . The number input in this field
is the n u m b e r of functions in which the component is involved. Since a c o m -
ponent may support every function, it can support a nnaxinnum of 300 functions.
The sunn of the n u m b e r s placed in this section for e v e r y connponent in the
problenn must not exceed 1200. If a 0 is placed in this column, the progrann
will not r e a d a c a r d from Fornn E. If this number is g r e a t e r than 10, then
the p r o g r a m will expect 2 c a r d s fronn F o r m E to follow the component c a r d .
F o r each additional 10, the progrann will expect another c a r d from Fornn E.
A fixed point number must be used and it must be w r i t t e n as far to the right
of the field as p o s s i b l e , i. e. , it nnust be right adjusted.
Field 90 - Columns 58 through 60 (Number of Dependent Components) - A

component can have 3 kinds of dependent connponents. They a r e (1) the
"must fail" type of dependent component, (2) the "must not fail" type of
dependent component, and (3) the s e r i e s dependent component. E a c h will
be identified on F o r m D.
2-23
A "must fail" type of dependent component is one which c e a s e s to operate
upon failure of the component upon which it is dependent. An example
would be a pump which is dependent on a motor because when the m o t o r
fails, the pump c e a s e s to p e r f o r m its function. C l e a r l y , it cannot s u b -
sequently fail, so it is taken out of consideration by the p r o g r a m .
A " m u s t not fail" type of dependent component is one which cannot fail
when the component on which it is dependent fails. It can be used to
r e p r e s e n t mutually exclusive failure modes of a single physical cbnn-
ponent; e . g . , a flip-flop switch which if it fails open in one c i r c u i t m u s t
fail closed in another c i r c u i t . Another example is a valve which can fail
either open or closed. These nnodes of failure can have different effects
on the s y s t e m . Once the valve is considered failed open, it cannot be
considered failed closed. Each of these modes of failure is dependent on
the o t h e r . To consider different failure modes of a single physical c o m -
ponent, the physical component m u s t be r e a d into the p r o g r a m as s e v e r a l
components.
When components a r e a r r a n g e d in a s e r i e s configuratior -'n a function,

some of the components may c e a s e operation upon the failure of an
e a r l i e r component in the s e r i e s , while o t h e r s may not. Those that c e a s e
operation have a l r e a d y been mentioned as " m u s t fail" components. Sub-
sequent f a i l u r e s of those components in the s e r i e s , which a r e not of this
type, have no effect on the s y s t e m failure, since a preceding failed c o m -
ponent has a l r e a d y caused function f a i l u r e . Hence, these operating
components can be taken out of consideration without a l t e r i n g the r e s u l t
and t h e r e b y reduce the number of combinations to be c o n s i d e r e d by the
p r o g r a m . So, a component which is in s e r i e s with and fails after another
component whose failure m a k e s its consideration superfluous is c o n s i d e r e d
to be s e r i e s dependent and may be listed as a "must fail" dependent
connponent.
Components of the first and third type pre handled alike. They a r e listed
on F o r m D with a minus preceding their ID n u m b e r . Their information
m u s t be listed after the information for the component upon which they a r e
dependent.
Components of the second type a r e listed on Fornn D without a sign p r e -

ceding their ID n u m b e r s . As an example, consider a switch which m a y
fail open or closed. Let Componjnts 1 and 2 be the switch failing open
and closed, r e s p e c t i v e l y . A 0 n n u s t be listed on F o r m D so that it a p p e a r s
in a p r o p e r place in the information about Component 1, and a (1) m u s t
be listed on F o r m D so that it a p p e a r s in the information about Component 2.
2-24
If a (0) is placed in Field 9, the p r o g r a m will not look for a c a r d from
F o r m D. F o r each 18 dependent connponents, or p a r t thereof, a c a r d
from F o r m D m u s t be coded to follow the component c a r d .
A single component may have any number of dependent components, but

the total for all components m u s t not exceed 500.
Field IOC-Column 61 - This field is not used.
Field l i e - C o l u m n 62 - This field is not u s e d .
Field 12C-Colunnns 63-67 (WeibuU Shape P a r a m e t e r ) - The p r o g r a m has

been coded to use a value of 1. 0 for the shape p a r a m e t e r of a component
if no number or 0. 0 is put in this field. If other values a r e d e s i r e d , then
they m u s t be put into this field as a floating point number.
Field 13C - Column 68 (Depth Control) - This number controls the m a x i -

m u m n u m b e r of components which can fail in a failure combination
headed by the failure of this component. F o r this component only it o v e r -
r i d e s the value of Field 4A of the g e n e r a l information c a r d . Depth control
can be used to avoid superfluous consideration of failure combinations,
in which a component failure m a k e s no contribution to s y s t e m f a i l u r e .
C o n v e r s e l y , it allows consideration of failure combinations for a specific
component involving m o r e failed components than allowed by the number
of Field 4A.
F o r m D - Dependent Component Information
If Field 9C of the component c a r d is ennpty or has a z e r o (0), then no in-

formation is r e q u i r e d on this form. If Field 9C of the component c a r d
has a positive integer, then the fields on F o r m D m u s t be coded with right
adjusted, component ID n u m b e r s until the number of fields filled equals
that number on the component c a r d . Do not skip any fields. E a c h field is
4 columns wide.
If a component is a " m u s t fail" type of component, then it m u s t be coded

with a minus sign preceding its ID number on this c a r d . P l a c e the minus
sign in the f i r s t column of the section. If the component is a " m u s t not
fail" type, then the f i r s t column should be left blank.
The p r o g r a m ' s a n a l y s i s will not be c o r r e c t if a component's " m u s t fail"

type of dependent components a r e listed in the input data before it. F o r
e x a m p l e , if Component 20 is dependent on 10, then the c a r d s for 10 m u s t
p r e c e d e those foj: 20. The p r o g r a m has been coded to print an e r r o r
s t a t e m e n t and to refuse to execute if it finds any " m u s t fail" type of depend-
ent component e a r l i e r in the on-component a r r a y than the component upon
which it is dependent.
2-25
F o r m E - Functions Supported Information-10 P e r C a r d - E a c h Field
has 7 Columns
This form has ten 7-column data fields on each line. The f i r s t t h r e e
columns in each field a r e for the ID of the function which is supported by
a component. Do not use any minus signs to differentiate between
operating functions and standby functions h e r e . Use only the function
ID n u m b e r .
The l a s t 4 colunnns in each data field a r e r e s e r v e d for the component

weight or weighting factor in the r e s p e c t i v e supported functions. The
c o r r e s p o n d i n g component weighting factor will be s u b t r a c t e d from the
"modes a v a i l a b l e " of each of the supported functions upon failure of the
component. Thus the weighting factor r e p r e s e n t s the effect of a c o m -
ponent on the operation of a function. This number can be an integer if
it is right adjusted. It also can be any nonnegative d e c i m a l number which
a p p r o p r i a t e l y r e p r e s e n t s the effect of the conaponent on the function. The
number of weighting factors assigned to each component m u s t be equiva-
lent to the number of functions supported as listed in Field 8C. If they
a r e not equal, the p r o g r a m will print an e r r o r statement and refuse to
execute the p r o b l e m . If a connponent supports m o r e than 10 functions,
then an additional c a r d should be used fronn F o r m E for each additional
10 functions.
The weighting factor for a component in support of a given function m u s t

be g r e a t e r than the difference between modes available (MA) and modes
r e q u i r e d (MR) for the function, if failure of the component will cause
function f a i l u r e . If two components m u s t fail to cause function failure,
then the sum of the failed component weighting factors m u s t be g r e a t e r
than the difference given by MA-MR. Similar analogies a r e used in
l a r g e r component failure combinations.
F o r m G - Time Profile Information
Field IG - Columns 1-2 Input Card Type 3 - The progrann will recognize
this information as time profile information if it finds a " 3 " in Column 2
on every c a r d concerning the time profile. E v e r y row coded on this page
m u s t have a " 3 " listed in Column 2. If t h e r e a r e N time i n t e r v a l s , then
t h e r e should be N + 1 row e n t r i e s or c a r d s filled out on F o r m G.
Field 2G - Columns 3-4 (Time Interval) - In o r d e r to define a time

i n t e r v a l , its beginning and end m u s t be specified. This implies that
N + 1 t i m e s m u s t be specified to define N time i n t e r v a l s . The time
i n t e r v a l s should be n u m b e r e d as their beginning. The c a r d which e n t e r s
the time for the end of the l a s t time interval should have this field blank.
2-26
The number of i n t e r v a l s listed h e r e m u s t a g r e e with the value coded in
Field 2A on F o r m A, or an e r r o r s t a t e m e n t will be printed and the
p r o b l e m will be r e j e c t e d . Twenty time i n t e r v a l s is the m a x i m u m that
the p r o g r a m will handle.
Field 3G - Columns 5-13 (Cumulative Time to the Start of this Interval) -

This field should have a floating point number eq'âl to the accumulated
time at the s t a r t of an i n t e r v a l . Thus, the e n t r y on the f i r s t c a r d will be
0. 0, and the entry in this field on the l a s t c a r d for time profile will be
the accumulative tinne to the end of the l a s t i n t e r v a l .
Field 4G - Columns 14-18 - This field is not u s e d .
Field 5G - Columns 19-32 (Probability of System S u c c e s s for this Time

Interval) - If this probability is known from a previous run, then it may
be listed h e r e j u s t as it a p p e a r s on the p r i n t - o u t of the previous r u n .
When this field is not blank, then the p r o g r a m accepts the value and skips
the a n a l y s i s for this time i n t e r v a l , and begins to consider the next time
interval.
Field 6G - Columns 33-48 - This field is not used.
Field 7G - Columns 47-49 (Number of Functions Requiring a State Change) -

Functions may be turned on or off at the beginning of a time i n t e r v a l .
Components which support only those functions which have been turned off
for this i n t e r v a l will not be considered until those functions a r e turned on
again. Components m a y support both operating and nonoperating functions
during a time i n t e r v a l , but the p r o g r a m will not check nonoperating
functions for a s y s t e m f a i l u r e .
Standby functions a r e in the on-function a r r a y only after the failure of an

a s s o c i a t e d function is in a nonfailed condition. Since they a r e brought
into c o n s i d e r a t i o n in this m a n n e r , they a r e not turned "on" or "off" in
this field.
In this field, place the sum of the number of functions to be turned e i t h e r

on or off. P l a c e the ID's of the f i r s t five functions in the fields i m m e d i a t e l y
following this field on this c a r d , each proceded by a + or - sign, as
d e s c r i b e d next.
F i e l d s 8G, lOG, 12G, 14G, l6G - (-) Off / (+) On - If a function is to be

turned off, then a minus should be placed in this single column field and
the function ID should follow in the next section. If a function is to be
turned on, then this column m a y be left blank or have a plus sign.
2-27
The p r o g r a m will consider all functions, except standby functions, "on"
at the beginning of the f i r s t t i m e i n t e r v a l . If a function is not to be con-
s i d e r e d in the f i r s t time i n t e r v a l , then it will have to be turned off.
F i e l d s 9G, I I G , 13G, 15G, 17G - Function ID - These fields m u s t contain

the ID of the function whose state is changed by the i m m e d i a t e l y - p r e c e d i n g
function change of state field. If a function is to be turned off, then a
minus m u s t be in the preceding field.
If nnore than 5 functions a r e to change state at the beginning of a time

i n t e r v a l , then the rennainder m u s t be listed on following c a r d s , using
the format of F o r m H. In F o r m H they m u s t be l i s t e d in the s a m e
p a t t e r n , but beginning in Colunmn 3. A (3) m u s t be placed in Column 2
of these c a r d s a l s o .
Data Arrangennent
These instructions have been a r r a n g e d in the o r d e r of c a r d type; that i s ,

c a r d type (1) signified function information type, (2) component i n f o r m a -
tion and type, and (3) time profile information. The actual deck should
be a r r a n g e d as show^n in Figure 2, 10.
End of Data
The p r o g r a m m u s t be able to recognize the end of the data for a p r o b l e m .

This is done by a (1) in Column 1 of the l a s t c a r d that contains an input
c a r d type e n t r y ; i . e . , the l a s t c a r d in the time profile information.
S e v e r a l p r o b l e m s can be worked in s u c c e s s i o n by the p r o g r a m because
it will r e a d data until it r e a d s a (1) in Column 1 of a p r o p e r c a r d , work
the p r o b l e m , and then r e a d the next set of data. When i n s e r t i n g p a r t i a l
data, the end of the data m u s t be signified in the same naanner.
2-28
ILLUSTRATION O F ARMM APPLICATION
This section shows how ARMM handles a number of situations encountered

in reliability a n a l y s i s . The design detail has been kept at a minimum to
avoid an overly complex s y s t e m . Example applications of ARMM to r e a l
s y s t e m s a r e given in Chapter 3. Table 2. 2 lists the situations i l l u s t r a t e d
by e x a m p l e s .
Exannples
Reliability Block Diagranns - One of the sioiplest reliability block diagranns

c o n s i s t s of s e v e r a l connponents connected in s e r i e s and perfornning one or
m o r e functions. In F i g u r e 2. 11 such a s e r i e s s y s t e m is shown p e r f o r m i n g
both as a single function and as two functions. The o r d e r in which the
components a r e placed in the block diagrann does not have to be the s a m e
as in the flow diagrann. The simple systenn in F i g u r e 2. 11 has been
divided into functions in two w a y s . F i r s t the t h r e e components a r e grouped
in the s a m e function; this is the s i m p l e s t way. However, both the tank
and pump p e r f o r m continuously and may be r e q u i r e d over s e v e r a l t i m e
i n t e r v a l s , but the valve is cyclic and its operation may be r e q u i r e d in
only one i n t e r v a l . To r e m o v e the valve from c o n s i d e r a t i o n during
i n t e r v a l s when it is not needed it must be put in a s e p a r a t e function which
will then be t u r n e d off in those i n t e r v a l s . This is shown as the second
c a s e in F i g u r e 2. 11 and r e q u i r e s a r e a r r a n g e m e n t of the components (in
the d i a g r a m ) .
Dependent Connponents - In F i g u r e 2. I I B , C a s e 1, Components V and P

a r e dependent components of Component T since once the tank has failed
the s y s t e m has failed, and it is no longer n e c e s s a r y to consider the
additional failure of Components V and P . Sinnilarly, Connponent P is a
dependent connponent on Connponent V.
Redundancy - In ARMM, redundancy is achieved by either the use of the

proper modes available, nnodes r e q u i r e d , and connponent weighting factors
within one function, or the use of a l t e r n a t e operating and standby
functions. Consider the t h r e e valves in F i g u r e 2, 12A as one function.
The v a r i o u s redundancy r e q u i r e m e n t s which nnay be innposed on t h e s e
valves a r e none, 2 out of 3 or 1 out of 3. These redundancy r e q u i r e -
nnents a r e shown in block diagrann fornn in F i g u r e 2. 12B. The use of
a l t e r n a t e functions is i l l u s t r a t e d in F i g u r e 2. 13. H e r e a s y s t e m of two
units of redundant connponents is d e s c r i b e d in t h r e e different ways by
grouping the connponents in different functions. In the first c a s e each
unit is a function and would have to be handled in the sanne way as the
2-29
function in F i g u r e 2. 12, In the second c a s e the s y s t e m is divided into two
p a r a l l e l functions (numbered 3 and 4) each an a l t e r n a t e of the o t h e r . In the
third c a s e , six p a r a l l e l functions a r e used (numbered 5, 6, 7, 8, 9, and
10). Functions 6, 7, 8, 9, and 10 a r e a l t e r n a t e to Function 5; Functions
5, 7, 8, 9, and 10 a r e a l t e r n a t e to Function 6; and s i m i l a r l y for Functions
7, 8, 9, and 10. The modes available and r e q u i r e d and the component
weighting factors for Functions 1, 2, 3, and 5 a r e given in Table 2 . 3 .
If one of the pumps is in standby then a d e s c r i p t i o n of the systenn s i m i l a r

to Case 1 should be used, except each pump is now a function; the standby
pump is a standby function. The other two c a s e s could be used with the
functions containing the standby pump input as standby functions.
An i n t e r e s t i n g situation involving a standby component a r i s e s in the

placement of bus ties in a power s y s t e m . This situation and how it can be
d e s c r i b e d in the ARMM input is shown in F i g u r e 2. 14. The bus tie is a
standby function and is alternate to the two t r a n s f o r m e r s in Function 1,
This a r r a n g e m e n t a s s u r e s that when either of the t r a n s f o r m e r s fail the bus
tie is turned on.
P a r t i a l Data Change - An i n t e r e s t i n g use of this option o c c u r s in the

investigation of the effect of different d e g r e e s of redundancy on s y s t e m
r e l i a b i l i t y . The ARMM p r o g r a m can handle a change between r u n s , in the
number of modes available and modes r e q u i r e d for a function, but it cannot
handle a change in the number of components which support the function.
The sample case i l l u s t r a t e d in F i g u r e 2. 15 u s e s a scheme which allows
ARMM to calculate the effect of redundancy without having to change the
number of components in a function. Case 1 r e p r e s e n t s a single valve and
Case 2 a two valve s y s t e m . To convert from Case 1 to Case 2 using the
p a r t i a l data option. Case 1 is r e p r e s e n t e d by the two valves of Case l a .
E a c h of these valves has a fictitious failure r a t e . The value of these
failure r a t e s is found as follows.
If
P(V) - probability of failure of valve V(Case 1),

P(b) - probability of failure of Case l b ,
X - failure r a t e of the r e a l valve V, and the two
valves of Case 2,
1' 2 - failure rate of the two fictitious valves V - 1 and

V - 2 , respectively.
2-30
and it is d e s i r e d that
P(V) = P(b) .
since
Xt
P(V) = l-e
and
P(b) = 1- l-P(V^)] [l-P(V2)] - P(V^)+ P(V2) - P(V^)P(V2)
= 1-e -<^-^ V ^
then it follows that for Case 1 and Case l a to give s i m i l a r r e s u l t s
X - x^+x^
It is convenient to make X ^ = X^ = l / 2 \ .
After running the p r o b l e m as Case l a , the effect of redundancy can be

investigated in the second run by changing the values of X and X to X
and by changing the modes available from one to two.
Maximum Number of Components Failed at a Time and Depth Control -

The value, m e a s u r e d in savings in computer t i m e , of a p r o p e r choice
of e i t h e r the m a x i m u m number of components failed at a time or the depth
control on any of the components can be appreciated by considering the
way ARMM goes down a list of components in its s e a r c h for failure
combinations. Table 2.4 lists the failure combinations c o n s i d e r e d
by ARMM for the s y s t e m in Figure 2. 13 . A value of two has been
a s s u m e d for the m a x i m u m number of components failed at one tinne.
The p r o g r a m c o n s i d e r s the failure of connponents in the o r d e r they were
read into the progrann. So the failure of Component P - 1 is c o n s i d e r e d
with the four r e m a i n i n g components, while for P - 2 only three a r e
c o n s i d e r e d . Also note that a t h r e e component failure combination,
which could not have been picked up by the p r o g r a m , would be c o n s i d e r e d
2-31
if a depth control of t h r e e had been applied to Component V - 1 . In
a r r a n g i n g connponents in a block d i a g r a m , it saves connputer t i m e to
place t h o s e components with the higher n u m b e r e d depth control t o w a r d s
the end. This minimizes progrann c o n s i d e r a t i o n of failed component
combinations which do not cause s y s t e m failure.
S i m i l a r l y , it is advisable to keep the value for the maximunn number of

connponents failed a n d / o r depth control at a low level, since some failed
component combinations causing s y s t e m failure do not contribute signifi-
cantly to the total probability of s y s t e m failure. To i l l u s t r a t e this point,
consider a s y s t e m connposed of connponents which have a probability of
failure of 1 x 10" for the p a r t i c u l a r systenn operation. The probability
of any double failure o c c u r r i n g is 1 x 10"'*. In c o m p a r i s o n , the p r o b a b i -
lity of any quadruple connponent failure is 1 x 10"°. Since ten thousand
of t h e s e quadruple connbinations a r e equivalent to one double component
failure connbination, the contribution to systenn failure fronn failure
combinations containing four or m o r e components is negligible.
Number of Integration Intervals - Simpson's r u l e s calculate the a r e a

under a c u r v e passing through a given set of ordinates spaced at two
or t h r e e equal i n t e r v a l s , by approxinnating the curve with a second or
t h i r d o r d e r polynomial, r e s p e c t i v e l y . F o r two i n t e r v a l s , the method is
r e f e r r e d to as the Simpson's first rule and for t h r e e i n t e r v a l s as the
second r u l e . In ARMM when the number of integration i n t e r v a l s is even,
the first rule is applied half as many t i m e s as t h e r e a r e number of
i n t e r v a l s . When the number is odd, the second rule is applied on the
first t h r e e i n t e r v a l s and the first rule on the rennaining i n t e r v a l s . As
shown in Table 2. 5, an e s t i m a t e was made of the o r d e r of nnagnitude
e r r o r introduced by use of Simpson's r u l e s in integrating the exponential
failure density function. Since ARMM perfornns n u m e r i c a l integration
to eight significant f i g u r e s , it can be seen that significant integration
e r r o r s can occur in the ARMM output only when XT = 1 and the number
of i n t e r v a l s is l e s s than approximately 10. Table 2. 5 may also be used
t o select the p r o p e r number of i n t e r v a l s t o avoid integration e r r o r when
XT is l e s s than one. In this c a s e , the integral of the exponential failure
density function for tinne i n t e r v a l 0 to T is of the o r d e r of XT. T h u s ,
from Table 2. 5 the number of integration i n t e r v a l s can be chosen such
that the integration e r r o r introduced by using Simpson's r u l e s is at
least eight to ten o r d e r s of nnagnitude s m a l l e r than XT. In choosing XT
look for the connponent which has the highest failure r a t e X. Generally,
XT is l e s s than one so the use of 10 integration i n t e r v a l s should yield
r e s u l t s without significant e r r o r .
2-32
Configuration Changes Between Time I n t e r v a l s - The ability to turn
functions on and off at the s t a r t of each time i n t e r v a l allows the u s e r
to change the configuration of the s y s t e m with t i m e . An i l l u s t r a t i o n
of this is given in F i g u r e 2. 1 6 . P u m p s in a p a r a l l e l s y s t e m a r e
designed with check valves on the d o w n s t r e a m side to prevent r e v e r s e
flow through the failed pump. The s y s t e m is considered for t h r e e time
i n t e r v a l s . During the f i r s t i n t e r v a l the pumps a r e to s t a r t . During the
second and third i n t e r v a l s they a r e to continue operating. In the f i r s t
two i n t e r v a l s the failure of any one component fails the s y s t e m ; w h e r e a s ,
in the third i n t e r v a l only one pumping t r a i n is r e q u i r e d . The s y s t e m ' s
v a r i o u s configurations a r e r e p r e s e n t e d by the seven functions indicated
in F i g u r e 2. 16. The time i n t e r v a l s these functions a r e on and the
components which support them a r e listed in Table 2. 6 .
Mutually Exclusive F a i l u r e Modes - In Table 2.6 the check values a r e

given s e p a r a t e designations to signify two different failure m o d e s , i . e . ,
blockage and leakage. These a r e r e f e r r e d to as mutually exclusive
failure m o d e s , since once the check valve has failed by blockage it no
longer can fail by leakage. Also note that the second failure mode (leakage)
m u s t be in a standby function to the pump, since this failure mode cannot
be c o n s i d e r e d until pump failure has o c c u r r e d .
Miscellaneous - Additional ways in which computer time can be

mininnized include (1) the grouping of all the components which a r e in
a long s e r i e s and which do not have dependencies outside of the group
into one r e p r e s e n t a t i v e component, (2) the utilization of only one time
i n t e r v a l for p r e l i m i n a r y studies, and (3) the placement of s e v e r a l s m a l l
p r o b l e m s behind one another by use of the p a r t i a l data option.
Sample P r o b l e m
The application of the ARMM p r o g r a m will be d e m o n s t r a t e d by combining

the e x a m p l e s shown in F i g u r e s 2.14 and 2.17 into the single s y s t e m shown
in Figure 2.18. Some minor v a r i a t i o n s a r e made to i l l u s t r a t e the use of the
p a r t i a l data option. The reliability of the b a s i c block diagrann as shown
will be calculated as P r o b l e m 1, and that of a modified s y s t e m as P r o b l e m 2.
Connected to the tank is a valve, V, r e p r e s e n t e d by two fictitious v a l v e s ,

V-1 and V-2, each assigned one half of the true failure r a t e . This
enables the valves to a s s u m e one out of two redundancy in Problenn 2.
Following the valves is the block d i a g r a m of the e l e c t r i c a l s y s t e m . Next,
the d i a g r a m splits into two b r a n c h e s . The f i r s t b r a n c h c o n s i s t s of the
two operating puimping t r a i n s r e p r e s e n t e d by Functions 30 through 75.
2-33
The other branch consists of a standby punnping t r a i n r e p r e s e n t e d by
Functions 80, 85, and 90. P e r t i n e n t data for the functions and components
is shown in Table 2. 7. P a r t i a l data changes to be applied in P r o b l e m 2
a r e noted by a s t e r i s k s .
Infornnation about the t i m e profile is shown in Table 2. 8. During t i m e

i n t e r v a l 1 the s y s t e m is considered to be in a state of r e a d i n e s s . In
order to maximize the effect on systenn unreliability, this interval is the
t i m e between periodic t e s t i n g . In P r o b l e m 1 the t e s t interval is a s s u m e d
to be one month, while in P r o b l e m 2 the t e s t interval is reduced to one
week. During tinne i n t e r v a l s 1 and 2, two punnps a r e r e q u i r e d to be
operational, while during interval 3 only or.e pump is r e q u i r e d for the
s y s t e m s u c c e s s . The loadsheets for the sannple calculations a r e shown
in F i g u r e 2. 19. The sequencing c a r d n u m b e r s a r e in Colunnns 78 to 80,
The c a r d s numbered from 1 t o 300 a r e for Problenn 1 and those in the
500's a r e the changes made for P r o b l e m 2. The final data deck is
a r r a n g e d as shown in F i g u r e 2. 10,
E a c h of the example situations listed in Table 2, 2 has been c o n s i d e r e d

in this sample p r o b l e m . They a r e d i s c u s s e d h e r e in the o r d e r in which
they appear in the l o a d s h e e t s .
1, The maxinnum number of failed components in a failure

combination (field 4A) is set at two, since n e a r l y all
conceivable failure combinations involve two or l e s s
components. This setting is modified on two components
by use of depth control,
2, The nunnber of integration i n t e r v a l s (field 6A) is chosen
as 2 from Table 2. 5 since the l a r g e s values of XT a r e
on the o r d e r of 1 x 10~2.
3, The p a r t i a l data change is indicated for Problenn 2 by
a " 1 " in field lOA.
4, The number of modes available (field 4B) and modes
r e q u i r e d (field 5B) a r e taken from Table 2, 7.
5, The standby functions (field 2B) a r e identified as listed
in Table 2. 7,
6, Alternate functions (fields 7B to 14B) a r e selected by
reviewing all possible s u c c e s s paths at function level
including those of standby functions in the block d i a g r a m
of F i g u r e 2. 18, Many a l t e r n a t e paths can be eliminated
2-34
by t r a c i n g only those functions that a r e operating during
each t i m e i n t e r v a l . Note that for Function 90 t h e r e a r e
t h r e e a l t e r n a t e paths and each path contains four a l t e r n a t e
functions. Also note that path 50-60-70-75 cannot exist
in a r e a l s y s t e m .
7, A depth control (field 13C) of t h r e e is applied to conn-
ponents 140 and 200, in o r d e r to include all potentially
significant failure combinations. F o r e x a m p l e , for
function 75 to fail all t h r e e valves in that function must
fail. If a depth control of t h r e e is put on the c a r d of the
first valve (Connponent 200), then ARMM is able to con-
s i d e r this failure connbination. Also note that for
Component 200, the depth control has been reduced to
2 as a p a r t i a l data change in P r o b l e m 2.
8, Dependent components a r e identified on F o r m D. F o r
e x a m p l e , C a r d No, 165 for Check Valve C-1 is followed
by Card No, 166 listing Component 170 as a mutually
exclusive dependent connponent and Component 180 as
a "must fail" dependent component,
9, The weighting factors of and functions supported by the
connponents a r e taken from Table 2, 7 and listed on
Fornn E. An example of the placement of t h e s e c a r d s
in the deck is Card No, 167 which follows Card No. 166
cited above,
10. Configuration change with t i m e i n t e r v a l is taken from
Table 2. 8.
complete set of computer output for P r o b l e m 1 is p r e s e n t e d in

gure 2. 20; the s u m m a r y of P r o b l e m 2 is p r e s e n t e d in F i g u r e 2,
2-35
SYSTEMS ANALYSIS
BY FAULT TREE EVALUATION. S A F T E - 1
F a u l t t r e e a n a l y s i s (3) is a technique which p r o v i d e s a concise and o r d e r l y

d e s c r i p t i o n of the v a r i o u s combinations of possible o c c u r r e n c e s within a
s y s t e m that can r e s u l t in a predefined " u n d e s i r e d event. " Equally as
i m p o r t a n t , it m a k e s available a m e a n s with which to m e a s u r e the level of
safety inherent in any p a r t i c u l a r configuration. The r e s u l t is an e n g i n e e r -
ing capability to not only identify potential p r o b l e m a r e a s but also evaluate
their o v e r a l l s y s t e m impact.
The concept of fault t r e e analysis was developed by Bell Telephone Labo-
r a t o r i e s as a technique with which to p e r f o r m a safety a n a l y s i s of the
Minuteman launch control s y s t e m . Bell e n g i n e e r s discovered that the
method used to d e s c r i b e the flow of " c o r r e c t " logic in data p r o c e s s i n g
equipment could also be used for analyzing the "false" logic which r e s u l t s
f r o m component f a i l u r e s . F u r t h e r , such a technique was ideally suited
to the application of probability theory in o r d e r to n u m e r i c a l l y define
c r i t i c a l fault m o d e s . The Minuteman safety study was successfully
completed using the new technique and provided convincing a r g u m e n t s
for the incorporation of a nunnber of equipment and p r o c e d u r e modifi-
cations.
(4 5)
The Boeing Company ' subsequently developed fault t r e e analysis to the
stage of m a t h e m a t i c a l simulation (Monte C a r l o ) , utilizing hybrid data
p r o c e s s i n g s y s t e m s and tinne decrementing n u m e r i c a l p r o c e d u r e s .
In the p r e s e n t study, the simulation of fault t r e e networks by digital
m e a n s exclusively has been investigated as has the elimination of costly
time d e c r e m e n t i n g p r o c e d u r e s . In connection with this effort, a Monte
C a r l o fault t r e e simulation p r o g r a m (SAFTE-1) has been developed.
The p r o g r a m , w r i t t e n in FORTRAN IV, a s s u m e s exponential failure
and n o r m a l (Gaussian) r e p a i r at the component level. Only single phase
operation is p e r m i t t e d . A generalized importance sampling technique
has been i n c o r p o r a t e d into the p r o g r a m and has been tested in a number
of c a s e s . Importance sampling is n e c e s s a r y to i n c r e a s e the frequency
of unlikely events in the s y s t e m and thereby a c c o m p l i s h the following
results:
1. Make possible the e s t i m a t i o n of s y s t e m failure
probability for operating t i m e s which a r e v e r y short
c o m p a r e d to the m e a n life of the components in the
system.
*Coupled digital-analog s y s t e m .
2-36
2. Significantly s h o r t e n the computation time r e q u i r e d
to achieve a given level of c o n v e r g e n c e .
The following sections d e s c r i b e the g e n e r a l f e a t u r e s of S A F T E - 1 , including
s u b r o u t i n e s , input and output, and importance sampling. The r e s u l t s of
sample calculations for an idealized t w o - o u t - o f - t h r e e s y s t e m and for the
D r e s d e n - 3 e m e r g e n c y a-c power systenn a r e s u m m a r i z e d . A listing of
the source p r o g r a m is given in Appendix E.
S A F T E - 1 PROGRAM DESCRIPTION
The S A F T E - 1 p r o g r a m is a Monte C a r l o p r o c e d u r e for fault t r e e simulation.
It views the s y s t e m or fault t r e e to be analyzed as a s t a t i s t i c a l a s s e m b l y
of connponents, each c h a r a c t e r i z e d by an exponential failure distribution
and a n o r m a l r e p a i r distribution. The s y s t e m is simulated m a t h e m a t i c a l l y
by assigning a randomely determined time to failure (TTF) and time to r e p a i r
(TTR) to each component. It is then tested to d e t e r m i n e the time at which
failure o c c u r s at the s y s t e m level. E s t i m a t e s of systenn reliability a r e
then obtained by testing a sufficiently large population of s y s t e m s in this
nnanner.
The nnechanics of the p r o c e d u r e can be described as follows. Initial
values of T T F and TTR a r e computed for each component. The connponent
T T F ' s a r e a r r a n g e d in computer m e m o r y according to component I. D.
number and o r d e r in which failure o c c u r s . The computer e x a m i n e s the
list of T T F ' s in order of failure pausing after each failure to d e t e r m i n e
if a failed state at the systenn level has been achieved. If at any step a
previously failed component h a s been r e p a i r e d , a new T T F and TTR a r e
computed for that component based on the g o o d - a s - n e w assumption; and
it is placed back in s e r v i c e at the time r e p a i r is completed. The new
T T F is i n s e r t e d in p r o p e r sequence in computer m e m o r y . This p r o c e -
dure continues until a s y s t e m failure occurs or a step in time is r e a c h e d
which exceeds a specified maximunn time of i n t e r e s t .
The advantages of this approach relative to e a r l i e r p r o c e d u r e s a r e :
1. Elimination of the need for stepping-off s m a l l time i n c r e -
m e n t s and examining the list of T T F ' s and T T R ' s after
each s t e p .
2. Elimination of m i s i n f o r m a t i o n resulting from round-off
of T T F ' s and T T R ' s to integer multiples of the time
i n c r e m e n t used.
3. Elimination of the r e q u i r e m e n t for a hybrid connputer.
2-37
The m a j o r disadvantage is the limitation on p r o b l e m size due to the
r e q u i r e m e n t for two-dimensional (n x n) a r r a y sequencing of component
failure t i m e s , where n is the number of components in the systenn.
C u r r e n t 32K c o m p u t e r s will handle systenns of about 100 to 150 c o m p o -
n e n t s . The l a r g e r c o m p u t e r s which a r e beginning to appear should e a s e
this linnitation significantly.
Subroutines
Eight subroutines a r e used in S A F T E - 1 , The function of each of these is
as follows:
1. MAIN - This routine calls the v a r i o u s subroutines in the
p r o p e r sequence to execute the progrsnn logic. The
following subroutines a r e called: RANDIN, EXPRN,
F L T R N , SETLOG, GAUS, SEQNCE, LOGIC, SUM,
and E D I T . Input data is read and printed, and the
e s t i m a t o r a r r a y s a r e z e r o e d . Component T T F ' s and
T T R ' s a r e computed, and the logical operations
a s s o c i a t e d with e s t i m a t o r weight c o r r e c t i o n and
undesired event detection a r e p e r f o r m e d .
2. RANDIN - This subroutine is p a r t of a r a n d o m
number package utilized by S A F T E - 1 , which also
includes EXPRN and F L T R N . RANDIN is called by
MAIN at the beginning of each case with the a r g u m e n t
DUMMY = 0 to initialize the r a n d o m number g e n e r a t o r .
EXPRN s e l e c t s r a n d o m nunnbers with an exponential
distribution. F L T R N s e l e c t s random n u m b e r s
uniformly distributed on the unit i n t e r v a l . This is a
machine language routine.
3. SETLOG - This subroutine s e t s all the logical
v a r i a b l e s f a l s e . SETLOG is called by the m a i n
p r o g r a m at the beginning of each t r i a l and whatever
a component is r e p a i r e d and placed back into s e r v i c e .
4. GAUS - This subroutine, w r i t t e n in machine language,
g e n e r a t e s r a n d o m n u m b e r s with a n o r m a l distribution.
5. SEQNCE - This subroutine a r r a n g e s the c u r r e n t list
of component T T F ' s in a two-dinnensional a r r a y ,
ARRAY (I, J ) . Dimension I c o r r e s p o n d s to the
component identification nunnber, and dimention J
c o r r e s p o n d s to the order of failure ( e . g . , J = 1
signifies the component with the s m a l l e s t T T F ) .
2-38
6. LOGIC - This subroutine contains the logical a r i t h m e t i c
needed to d e s c r i b e a given fault t r e e . A subroutine LOGIC
m u s t be w r i t t e n for each different fault t r e e to be analyzed.
Subroutine LOGIC is called after the o c c u r r e n c e of each
component failure to d e t e r m i n e if a failed state for the s y s t e m
has been achieved. If the test is positive (signifying f a i l u r e ) ,
the t r i a l is t e r m i n a t e d and the a p p r o p r i a t e bookkeeping is
p e r f o r m e d . Given a good fault t r e e d i a g r a m , subroutine
LOGIC is usually simple to p r e p a r e . An exannple of
subroutine LOGIC is given in Appendix E for the D r e s d e n - 3
e m e r g e n c y a-c power s y s t e m .
7. SUM - When s y s t e m failure o c c u r s in a given t r i a l , this
subroutine is called to p e r f o r m the bookkeeping operations
e s s e n t i a l to the calculation.
8. EDIT - When the specified number of t r i a l s have been
completed, this subroutine o p e r a t e s on the data s t o r e d by
SUM to compute the failure frequency function and cumulative
failure distribution for the s y s t e m . S e v e r a l other optional
outputs a r e available a l s o . This includes a detailed
s t a t i s t i c a l e r r o r analysis for selected operating t i m e s
l e s s than or equal to TMAX and an e s t i m a t e of the p r o b a -
bility of a given component failure r e s u l t i n g in the u n d e s i r e d
event before TMAX for each component in the s y s t e m . The
e r r o r analysis logic has not yet been debugged.
A complete listing of the S A F T E - 1 source progrann is given in Appendix
including subroutine LOGIC developed for the D r e s d e n - 3 e m e r g e n c y a-c
power s y s t e m .
Input Description
A m i n i m u m of seven input data c a r d s a r e r e q u i r e d per c a s e . These c a r
contain the following information and f o r m a t .
a b o d e
Card A: FORMAT (15, 15, 15, 15, 15)
a. NTRIAL: The number of t r i a l s .
b. IMX: The nunnber of components (maximum 90). Must
be consistent with subroutine LOGIC.
c. NOINT: The number of time i n t e r v a l s (maximum 250).
d. NCONS: A dummy p a r a m e t e r c u r r e n t l y not used. Set
NCONS ^ 1.
e. NPTH: A dummy p a r a m e t e r c u r r e n t l y not used. Set
NPTH ^ 1.
2-39
a b e d
C a r d B : FORMAT (E12. 5, E12. 5, E12. 5, E12. 5)
a. TMAX: Maximum time of i n t e r e s t (hours). The t r i a l is
t e r m i n a t e d if a point in time is r e a c h e d in the calculation
exceeding TMAX before the s y s t e m achieves a failed
state.
b. AA: Biasing p a r a m e t e r for T T F calculation. Values of
AA g r e a t e r than 1. 0 cause short T T F ' s to be e m p h a s i z e d .
c. BB: Biasing p a r a m e t e r for TTR c a l c u l a t i o n s . Values
of BB g r e a t e r than 1, 0 cause short T T R ' s to be d e -
emphasized.
d. CC: Biasing p a r a m e t e r for TTR c a l c u l a t i o n s . Values of
CC g r e a t e r than 1. 0 cause long T T R ' s to be e m p h a s i z e d .
The d i r e c t analog calculation ( i . e . , unbiased) is p e r f o r m e d by specifying
a value of 1. 0 for each biasing p a r a m e t e r .
a
Card C: FORMAT (6E12. 5)
a. XMTTF(I), 1 = 1 , IMX: The m e a n time to failure (hours)
for each component in the s y s t e m . The list is sequenced
in the same o r d e r as the component I. D. ' s ( i . e . , X M T T F
(1) c o r r e s p o n d s to component No. 1). These p a r a m e t e r s
a r e punched six to a c a r d . As many c a r d s C a r e used
as a r e n e c e s s a r y to specify IMX values of m e a n time to
failure.
a
Card D: FORMAT (6E12. 5)
a. XMTTR(I), 1 = 1 , IMX: The m e a n time to r e p a i r (hours)
for each component in the s y s t e m . The same i n s t r u c t i o n s
apply as for Card C.
a
C a r d E: FORMAT (6E12. 5)
a. SIG(I), 1 = 1 , IMX: The standard deviation (hours)
a s s o c i a t e d with the r e p a i r distribution of each connponent
in the s y s t e m . The sanne instructions apply as for Card C.
a
Card F : FORMAT (6E12. 5)
a. CONS(I), 1 = 1 , NCONS: Dummy variable of which NCONS
values m u s t be e n t e r e d .
2-40
a
Card G: FORMAT (515)
a. K1(I), I == 1, 3: The time i n t e r v a l n u m b e r s selected
for s t a t i s t i c a l e r r o r a n a l y s i s . Since this p a r t of
the p r o g r a m is not debugged, it is recomnaended that
a single value of Kl = 0 be e n t e r e d . E r r o r analysis is
then omitted.
Successive c a s e s can be performed by i n s e r t i n g the additional case c a r d s
A through G n e c e s s a r y to completely specify a p r o b l e m . A sample data
deck listing is given in the section dealing with the D r e s d e n - 3 e m e r g e n c y
power s y s t e m c a l c u l a t i o n s .
Output Description
The input to S A F T E - 1 is printed out after it is r e a d , allowing an e a s y
verification of the input and providing a w r i t t e n r e c o r d of the run. In
addition, the c a s e r e s u l t s a r e printed. These include:
1. The probability of s y s t e m failure before TMAX, P (TMAX).
2. The failure density function of the s y s t e m failure (the
probability per unit time that the s y s t e m fails at time t),
p (t), as a function of time for the time grid specified
by the input. This function is in units of h o u r s " .
NOINT values a r e printed 5 to a line in order of increasing
t i m e . The i n t e r v a l size is TMAX/NOINT.
3. The cumulative distribution function for s y s t e m failure
(probability of s y s t e m failure before time T ) ,
T
o
P(T) - p(t) dt.

J0
as a function of time for the same grid as described under 2.
It should be noted that the s y s t e m r e l i a b i l i t y at time T is
given by
R(T) - 1 - P(T).
4. A s u m m a r y table of the contribution from each component

Pj^(TMAX) to P(TMAX), where
IMX
P(TMAX) = ) P . (TMAX) .
i=l '
2-41
P h y s i c a l l y , P i (TMAX) r e p r e s e n t s the probability that
component i is the final failure in a sequence of
component f a i l u r e s leading to the undesired event
before TMAX. P^ (TMAX) then, is a direct m e a s u r e
of the sensitivity of s y s t e m r e l i a b i l i t y to the reliability
of component i .
A sample c a s e output is given in the section dealing with the D r e s d e n - 3
e m e r g e n c y power s y s t e m .
IMPORTANCE SAMPLING
The fault t r e e i n t e g r a l for an "n" component s y s t e m without r e p a i r is
n
P(T) = w ( t ^ . t ^ . . . t ) n f(t.) dt. (1)
12^ n . , 1 1
1-1
where f(ti)dti is the probability that component i fails between t^ and

tx+ dt^ . In the S A F T E - 1 p r o g r a m , where exponential component failure
is a s s u m e d , f(tj_) = X-e ^ ^. S r e p r e s e n t s n dimensional phase space
of which there e x i s t s a subset F consisting of all possible s y s t e m
f a i l u r e s before time T . The function W is defined as follows:
W(t,,t^,...t„) = / 1, ( t ^ , t . , , . . . t _ ) € F (2)
'1' 2 n 1' 2'
0, {t^,t^,...t^ /F
Thus, W = 1 if t , . . . tn is a point contained in F , otherwise W = 0.
Fault t r e e simulation is performed by generating n random n u m b e r s R^,

R2» . . • Rv, . and computing a r a n d o m time to failure t^ for each component
from
X.t.
R. = f(x.) dx. , (3)

1 1 1
where 0 S R . S 1,
1
2-42
If each simulation is thought of as a t r i a l , an estimate of Equation (1) is
given by
N
es — ) W. (4)
where N is the total number of t r i a l s and Wj , as defined by Equation (2),

is the Monte C a r l o e s t i m a t o r for t r i a l j . This ir e s s e n c e is fault t r e e
simulation by m e a n s of analog Monte C a r l o .
Analog Monte C a r l o is a powerful tool for analyzing s y s t e m reliability,

R(T) - l - P ( T ) , for values of P(T) > l O ' ^ . The required number of t r i a l s
and hence computer costs become prohibitive when e s t i m a t e s of P(T)
much below this level a r e d e s i r e d . F o r e x a m p l e , 4 x 10^ t r i a l s a r e
r e q u i r e d in o r d e r to obtain 50 p e r c e n t confidence limits of approximately
an order of magnitude in the e s t i m a t e of P(T) = lO"'^. As P(T) gets s m a l l e r ,
the r e q u i r e d number of t r i a l s i n c r e a s e s . Small P(T) generally occurs
when T < < 1/X, where X is the a v e r a g e failure rate for s y s t e m components.
Inadequate sampling is then obtained in the subset F of phase space to
provide adequate s t a t i s t i c s .
This inefficiency in the analog Monte C a r l o procedure can usually be

overcome by what is r e f e r r e d to as i m p o r t a n c e sampling. To p e r m i t
importance sampling, Equation (1) is r e w r i t t e n in the following modified
form
n
^<V^2'---V iPl'^V n
P(T) = n f (t.) dt. (5)
n
n f (t.) i=i ' '
i=i 1
n
where H f (t.) is the i m p o r t a n c e function from, which t^ is now selected,
i=l ^ *
a i d the quantity in b r a c k e t s is the new Monte Carlo e s t i m a t o r W^ . The
optimum i m p o r t a n c e function is
n
W(ti,t2....tn) .Qjf(ti)
W(t,,T2,...tj^) n f(ti)dti
1-1
and would yield the c o r r e c t answer in a single t r i a l .
2-43
However, for complex s y s t e m s it is impossible to construct the optimum
i m p o r t a n c e function since an a p r i o r i knowledge of the answer to be
calculated is r e q u i r e d . In simple s y s t e m s where exact analytical solutions
a r e obtainable, the question of an optinnum importance function b e c o m e s
t r i v i a l . In p r a c t i c e , t h e r e f o r e , we try to c o n s t r u c t an it f (t^) which will
n i=l
m i m i c 11 i(t^) to some extent, but which will sam.ple the subset F more
frequently. The condition m u s t also be satisified
n
n f*(ti) dti = 1 . (6)
i=l
The c u r r e n t v e r s i o n of S A F T E - 1 p e r m i t s component failure sampling of

the following f o r m
"^ * n n , -AX.t. ,_,

n f (t.) = A "n X.
^ e 1 1 , (7)
i=l i=l ^
where A is a biasing p a r a m e t e r and corresponds to AA in the program

input d e s c r i p t i o n .
F o r values of A > 1.0, Equation (7) effectively s h o r t e n s component m e a n

time to f a i l u r e . To offset this distortion and p r e s e r v e expectation v a l u e s ,
the Monte C a r l o e s t i m a t o r of Equation (4), W , b e c o m e s
W (t.,t t ) = W(t.,t-,...t^) -^ n e^^ ' ' ^ 1 . (8)
The above p r o c e d u r e has b e e n e x e r c i s e d for an idealized two-out-of-three

s y s t e m without r e p a i r in o r d e r to study i t s g e n e r a l applicability for fault
t r e e a n a l y s i s . The exact solution for the two-out-of-three s y s t e m with
identical components is
P(XT) = 3 ( l - e " ^ ' ^ ) ^ e ' ^ ^ + ( l - e " ^ " ^ ) ^ , (9)
and for XT << 1.0
P(X T) ~ 3 (XT)^ . (10)
2-44
F i g u r e 2.22 shows the r e s u l t s of s e v e r a l calculations for values of A = 1,2. 5,
5, 10. Since identical components a r e a s s u m e d , it is convenient to e x p r e s s
the independent variable in F i g u r e 2.22 as the dimensionless p a r a m e t e r XT.
Each calculation r e p r e s e n t s 5, 000 t r i a l s . An independent sequence of
p s e u d o - r a n d o m numbers'" was used in each c a s e . The exact solution for
the t w o - o u t - o f - t h r e e s y s t e m is shown by the solid line. Good a g r e e m e n t
with the exact solution is obtained using analog Monte Carlo (A=l) for
values of P(X T) s 4 x 10-4. This c o r r e s p o n d s to X T ^ 1. 2 x l O ' ^ .
When A = 2. 5, the Monte C a r l o a g r e e m e n t is within 30 p e r c e n t for values of
XT 2: 7 X 1 0 - 3 . Samples w e r e obtained for X T < 7 x 10~3 in this c a s e ;
however, these e s t i m a t e s exhibit e x t r e m e l y large s t a t i s t i c a l v a r i a n c e ,
defined as
N ^ 2
F o r the case of A=5, the s t a t i s t i c a l v a r i a n c e is improved somewhat in

the range 7 x 10-3 s XT ^ 1.25 x 10-2, When A=10 , the solution in the
range X T s 6 x 10"3 is consistently low by about a factor of two. However,
for XT < 6 X 10-3 , a significant i m p r o v e m e n t over previous solutions is
obtained.
The calculations of F i g u r e 2. 22 show that good e s t i m a t e s of P(XT) of order

10-4 a r e p r a c t i c a l using analog Monte C a r l o . It is also noted that
c o n s i d e r a b l e i m p r o v e m e n t in e s t i m a t e s of s m a l l e r values of P(XT) can
be obtained using i m p o r t a n c e sampling. The degree of importance
sampling n e c e s s a r y ( i . e . , the size of A) depends on the value of P(XT)
being e s t i m a t e d as well as the d e s i r e d a c c u r a c y of the r e s u l t . At
p r e s e n t , the value of A a p p r o p r i a t e to a given calculation is b e s t
d e t e r m i n e d by e x p e r i m e n t a t i o n .
S A F T E - 1 a l s o contains a p r o v i s i o n for importance sampling component

r e p a i r d i s t r i b u t i o n s . The probability per unit time that component i is
r e p a i r e d at time x- is given by the n o r m a l or Gaussian distribution
* P s e u d o - r a n d o m sequence of n u m b e r s is a sequence calculated one number

at a t i m e as needed f r o m a completely specified p r e s c r i p t i o n so devised
that r e a s o n a b l e s t a t i s t i c a l t e s t s will detect no significant d e p a r t u r e
from randomness.
2-45
The p a r a m e t e r s B and C c o r r e s p o n d to BB and CC r e s p e c t i v e l y in the input
description.
F o r B > 1.0, the above p r o c e d u r e d e e m p h a s i z e s short r e p a i r t i m e s which

r e s u l t from sampling the left side of the n o r m a l distribution ( i . e . , a- -1),
and for C > 1.0 it e m p h a s i z e s long r e p a i r t i m e s which occur in sampling
the right side of the distribution ( i . e . , OC - I). As in the case of the
p a r a m e t e r A , values of B and C a p p r o p r i a t e to a given calculation m u s t
be d e t e r m i n e d through e x p e r i m e n t a t i o n at the p r e s e n t t i m e .
In o r d e r to p r e s e r v e expectation values when r e p a i r distributions a r e

i m p o r t a n c e sampled, the Monte C a r l o e s t i m a t o r (Equation 8) is multiplied
by the additional factor
i=i ' fn) i=i <'i
The r e p a i r logic of S A F T E - 1 h a s only been used in the c a s e of v e r y large

component m e a n time to r e p a i r (MTTR) and s m a l l standard deviations to
simulate systenns without r e p a i r . Calculations for s y s t e m s with r e p a i r
have not yet been performed; consequently, this a r e a of p r o g r a m logic
has not been verified.
SAMPLE CALCULATION: DRESDEN-3 EMERGENCY A-C POWER SYSTEM
A fault t r e e was developed for the D r e s d e n - 3 e m e r g e n c y a-c power s y s t e m

as depicted in the s c h e m a t i c ' ' of F i g u r e 2 . 2 3 , and s e v e r a l sanaple
calculations w e r e p e r f o r m e d . The fault t r e e development (Figure 2.24),
which was c a r r i e d to a level of detail c o m m e n s u r a t e with the schenaatic,
d e s c r i b e s the v a r i o u s combinations of possible o c c u r r e n c e s within the
s y s t e m that can r e s u l t in the predefined " u n d e s i r e d e v e n t . " The undesired
event in the s y s t e m i s L o s s of E m e r g e n c y A-C P o w e r . The symbols
appearing in F i g u r e 2 . 2 4 a r e defined as follows:
output event
The logical "OR" gate. This
gate defines the logical o p e r -
ation whereby one or m o r e
input events a r e r e q u i r e d to
produce the output event.
input events
2-47
2 /o 2
-X. /2CT,
r(xi) = e l 1 (11)
a.
where (7. is the standard deviation for component i, and x- is displacement

from the m e a n time to r e p a i r jj,- . The elapsed time of r e p a i r , dj^, is then
given b y
di = Mi + Q!Ti (12)
where Oir- i s a r a n d o m l y d e t e r m i n e d v a r i a t i o n about U
The value of T. is computed from the half-Gaussian
2 ,_ 2
- x - /2 a ,
r (x i) dXi = ^ / i " e l 1 dx. , (13)
"1
0 0
and a is a dummy p a r a m e t e r satisfying the conditions
a = 1' ^ 2 ^ ^* ^ '
a = - 1 , R^ < 0 . 5 ,
where R and R a r e independent, uniformly distributed random n u m b e r s .

Importance sampling is perfornaed by computing T. f r o m the modified
form of Equation (13),
T. r-
*/ X ^ -1 , r ^ r -xf/2ai''dx. (14)
^1 = r (x.) dx. = V -z- ! e 1 i
0
where the following definitions apply
î " O'i/^ . a = -1 .
a| = ai C , a = 1
2-46
output event
1
' \ The l o g i c a l " A N D " g a t e . T h i s
g a t e d e s c r i b e s the l o g i c a l
I I o p e r a t i o n w h e r e b y the c o e x i s t e n c e
input events of a l l input e v e n t s i s r e q u i r e d to
p r o d u c e t h e output e v e n t .
The c i r c l e d e f i n e s a b a s i c s y s t e m
component, c h a r a c t e r i z e d by a
m e a n t i m e to f a i l u r e ( M T T F ) and
a MTTR.
The t r i a n g l e s y m b o l i z e s t r a n s f e r .
A line f r o m the a p e x of the
triangle denotes t r a n s f e r - in,
and a line f r o m the s i d e d e n o t e s
t r a n s f e r - out.
T h e l o g i c a l " O R " and " A N D " g a t e s a p p e a r i n g in F i g u r e 2 . 2 4 a r e

s u m n n a r i z e d in T a b l e 2 . 9 w i t h t h e i r r e s p e c t i v e c o n s e q u e n c e s . S u b -
r o u t i n e LOGIC f o r the D r e s d e n - 3 e m e r g e n c y a - c p o w e r s y s t e m a p p e a r s
in A p p e n d i x E w i t h the S A F T E - 1 p r o g r a m l i s t i n g .
The D r e s d e n - 3 e m e r g e n c y a - c p o w e r s y s t e m a s defined in F i g u r e 2 . 2 4
c o n t a i n s 57 c o m p o n e n t s . T h e s e a r e l i s t e d in T a b l e 2. 10 w i t h v a l u e s for
M T T F and M T T R . The s t a n d a r d d e v i a t i o n s a s s u m e d for the r e p a i r
d i s t r i b u t i o n s a l s o a r e g i v e n in the M T T R c o l u m n . The v a l u e s l i s t e d in
T a b l e 2 . 10 a r e b a s e d on d a t a c o n t a i n e d in A p p e n d i x D and e n g i n e e r i n g
judgment.
S e v e r a l c a l c u l a t i o n s w e r e p e r f o r m e d for v a r i o u s v a l u e s of A ( i . e . , A = l ,
1. 2, 1. 5) in w h i c h r e p a i r w a s not c o n s i d e r e d . R e p a i r w a s d e l e t e d f r o m
the m o d e l b y s p e c i f y i n g a f i c t i t i o u s s e t of v a l u e s for c o m p o n e n t M T T R ' s
w h i c h w e r e l a r g e c o m p a r e d to T M A X . S m a l l v a l u e s for s t a n d a r d
d e v i a t i o n SIG w e r e a l s o s p e c i f i e d . T h i s a s s u r e s t h a t the p r o b a b i l i t y of
c o m p o n e n t r e p a i r b e f o r e TMAX w i l l be z e r o .
2-48
F i g u r e 2. 25 shows a listing of the input data card images as they appear
in the analog calculation. In e a c h calculation 3, 000 t r i a l s were p e r f o r m e d .
The m a x i m u m time i n t e r v a l TMAX is 4. 2 x 10^ hours or 250 w e e k s .
Using NOINT equal to 250 then reqiaires the calculated r e s u l t s to be
r e p o r t e d out with a grid size equal to l68 hours or one week. This was
a convenient scale to adopt in the p r e s e n t calculations. A value of
MTTR = 1 X 10^ hours and SIG = 1 x lO"-*^ h o u r s was assigned to each
component.
F i g u r e s 2. 26A through 2 . 2 6 F show the m o s t significant e l e m e n t s of
computer output for the analog calculation. The calculated r e s u l t s for
P(T) have been plotted as a function of time in Figure 2. 27 for the three
c a s e s . Identical randora number sequences were used in each c a s e .
The a b s c i s s a shows operating time in w e e k s . As expected, fairly well
converged ( i . e . , low v a r i a n c e ) e s t i m a t e s were obtained for P(T) at long
operating t i m e s ( i . e . , T S 4 0 weeks) using the analog p r o c e d u r e . This
c o r r e s p o n d s to values of P(T) s 1 0 - 3 .
When A=1.2, e s t i m a t e s for P(T) a r e obtained at s h o r t e r operating t i m e s
(~24 weeks); however, this a p p e a r s to be accompanied by poorer c o n v e r -
gence in the overall solution. We see this effect become even m o r e
pronounced for A = l . 5 where the tail of the solution looks to be in e r r o r
by an o r d e r of magnitude. The v e r t i c a l b a r s shown at the 19 week data
point, r e p r e s e n t i n g the 50 p e r c e n t confidence limits for this p a r t i c u l a r
point, e n c o m p a s s the e s t i m a t e d exact solution (solid curve). It is
believed that significant i m p r o v e m e n t s in convergence can be achieved
by i n c r e a s i n g the number of t r i a l s N . The extent to which N m u s t be
i n c r e a s e d in order to obtain s a t i s f a c t o r y performance has not been
determined.
F i g u r e 2 . 2 6 F gives a tabulation of the individual contribution Pi(TMAX)
from each of the s y s t e m components in the analog c a s e . P^^ (TMAX)
r e p r e s e n t s the probability that component i is the final failure in a
sequence of component f a i l u r e s which r e s u l t in the undesired event
previous to TMAX. F i g u r e 2. 26F indicates that component X23, the
d i e s e l g e n e r a t o r , is the l a r g e s t contributor to P(TMAX). Components
X9 and X8, the s e c o n d a r y and p r i m a r y windings r e s p e c t i v e l y of
t r a n s f o r m e r , T - 3 , a r e the next l a r g e s t c o n t r i b u t o r s . The latter two
components should contribute equally to P(TMAX); however, the
number of t r i a l s p e r f o r m e d was inadequate to show t h i s .
Execution time for the analog calculation was approximately 81 minutes
on the IC 6000, a 7094 s i m u l a t o r with a disadvantage factor of approx-
i m a t e l y 3 or 4 to 1. The biased calculations required approximately
100 m i n u t e s on the same s y s t e m . Although an equal number of t r i a l s
w e r e p e r f o r m e d in each c a s e , an i n c r e a s e in execution time for the
2-49
two biased c a s e s r e s u l t s f r o m the l a r g e r average number of component
f a i l u r e s which a r e considered per t r i a l .
CONCLUSIONS AND RECOMMENDATIONS
The feasibility of fault t r e e simulation by digital m e a n s and without r e c o u r s e

to s m a l l time increnaenting has been demionstrated. The Monte Carlo
p r o c e d u r e s outlined and the existing computer p r o g r a m (SAFTE-1) a r e
believed to be useful tools for the m a t h e m a t i c a l analysis of fault t r e e s .
Additional work is n e c e s s a r y to develop these tools to their m o s t efficient
state.
It should be possible in m o s t applications to obtain e s t i m a t e s of P(T) as
low as 10-3 or 10-4 using the analog method. Some f o r m of importance
sampling will g e n e r a l l y be r e q u i r e d to improve computational efficiency
when s m a l l e r values of P(T) a r e to be e s t i m a t e d . The p r o c e d u r e s outlined
for this purpose a r e r e l a t i v e l y simple to apply and with further development
should prove v e r y useful in this r e s p e c t .
The p r i n c i p a l f a c t o r s influencing computational costs a r e the problenn size
(number of conaponents) and the number of t r i a l s to be p e r f o r m e d . Compu-
tational costs a r e d i r e c t l y p r o p o r t i o n a l to these f a c t o r s .
S e v e r a l a r e a s exist in which additional Monte C a r l o methods development
and p r o g r a m m i n g effort appear to be justified. These include:
1. F u r t h e r investigation of importance sampling techniques.
2. Extension to multiphase operation.
3. More g e n e r a l failure and r e p a i r d i s t r i b u t i o n s .
4. Investigations of r e p a i r situations.
5. Human e r r o r .
6. More efficient r a n d o m number generation.
7. P o s s i b l e elimination of two-dimensional a r r a y s .
8. Check out of e r r o r analysis portion of code.
2-50
REFERENCES
1. McKnight, C. W. , W. H. Hatton, L. J. Modiest, N. E. Schmidt,

S. A. S t o n e b e r g e r , and M. G. Singleton, "Automatic Reliability
M a t h e m a t i c a l M o d e l , " NA 66-838, North American Aviation, Inc.
2. McKnight, C. W. , L. J. Modiest, and N. E. Schmidt, "An
Automatic Reliability M a t h e m a t i c a l Model, " P r o c e e d i n g s on the
11th National Symposium on Reliability and Quality Control, Miami
Beach, F l o r i d a , J a n u a r y 12-14, 1965.
3. M e a r n s , A. B. , "Fault T r e e Analysis: The Study of Unlikely Events
in Conaplex S y s t e m s , " System Safety Symposium Sponsored by the
University of Washington and the Boeing Company, Seattle,
Washington, June 1965.
4. H a a s l , D. F . , "Advanced Concepts in Fault Tree Analysis, " System
Safety Symposium sponsored by the University of Washington and
the Boeing Company, Seattle, Washington, June 1965.
5. Nagel, P . M. , "A Monte C a r l o Method to Compute Fault T r e e
P r o b a b i l i t i e s , " S y s t e m Safety Symposium sponsored by the
University of Washington and the Boeing Company, Seattle,
Washington, June 1965.
6. D r e s d e n Nuclear P o w e r Station, "Unit 3-Plant Design and Analysis
R e p o r t , " Commonwealth Edison Company, F e b r u a r y 1966.
2-51
TABLE 2. 1
POSSIBLE FAILURE COMBINATIONS CONSIDERED BY ARMM
OF SYSTEM IN FIGURE 2. 1 (NO DEPENDENCY)
Possible Failure System

Combinations Not Failed Failed
A X
A B X
ABC X
A B C D X
ABODE X
A B C D X
ABODE X
ABC X
A B C D X
A B C D E X
A B CD X
ABODE X
A B X
ABC X
ABC D_ X
A B C D E X
A B C D X
ABODE X
A B e X
A B C D X
A B C D E X
A B C D X
ABODE X
ABODE X
TABLE 2. 2
EXAMPLE SITUATIONS
Reliability Block D i a g r a m s
Dependent Components
Redundancy
P a r t i a l Data Change
Maximum Nunaber of Components F a i l e d at a
Time and Depth Control
N u m b e r of Integration I n t e r v a l s
Configuration Changes Between T]ime Intervals
Mutually Exclusive F a i l u r e Modes
Miscellaneous
Sample P r o b l e m
2-52
TABLE 2.3
MODES AVAILABLE, MODES REQUIRED, AND WEIGHTING FACTORS
FUNCTIONS
1 2 3 4
Modes Modes Modes Modes Modes Modes Modes Modes

Avail. Req'd. Avail. Req'd. Avail. Req'd. Avail. Req'd.
COMPONENT 2 1 3 1 3 1 1 1
Component Component Component Component
Weighting Weighting Weighting Weighting
Factors Factors Factors Factors
P-1 1 3 1
P-2 1
V-1 1 1 1
V-2 1 1
V-3 1 1
TABLE 2.4
FAILURE COMBINATIONS AND THE USE OF DEPTH CONTROL
Combinations Considered
F i r s t Component Failed
No Depth Control Depth Control of 3 on V-1
P-1 P-1 P-1

(P-1. P-2) (P-1, P-2)
P-1, V-1 P-1, V-1
P-1, V-2 P-1, V-2
P-1, V-3 P-1, V-3
P-2 P-2 P-2

P - 2 , V-1 P - 2 , V-1
P - 2 , V-2 P - 2 , V-2
P - 2 , V-3 P - 2 . V-3
V-1 V-1 V-1

V - 1 , V-2 V - 1 , V-2
V - 1 , V-3 (V-1, V-2, V-3)
V-2 V-2 V-2

V-2, V-3 V-2, V-3
V-3 V-3 V-3
Notes: 1. Maximum number of conaponents failed a t a time = 2.
2. P a r e n t h e s i s indicates a failure combination.
2-54
Integration E r r o r
"^^•^•^^.^.Iûmbe r of Integration
^*^->«^.Inte r vals ,TM
2 4 10 ?4
XT ^^"""----...^^^^
1 10-5 10-6 10-^ 10-11
10-1 10-10 10-11 10-12 10-16
10-2 10-15 10-16 10-1"7 10-21
10-3 10-20 10-21 10-22 10-26
10-4 10-25 10-26 10-27 10-31
N: Number of i n t e g r a t i o n i n t e r v a l s
X; Failure rate
T: Total time
TABLE 2.5
ORDER OF MAGNITUDE INTEGRATION ERROR BY USING SIMPSON'S RULE

Time I n t e r v a l Function Number Supporting Components F a i l u r e Mode
1 1 Pump P-1 F a i l to s t a r t
Pump P-2 F a i l to s t a r t
Check Valve C-1 Blockage
2 2 Punap P'-l F a i l to continue running
Pump P'-2 F a i l to continue running
3 3 (same as Function 2)
4 Pump P ' - l F a i l to continue running
Check Valve Blockage
Check Valve Leakage
(standby)
6 Pump P'-2 F a i l to continue running
7 Check Valve C ' - 2 Leakage
(standby)
TABLE 2.6
TIME INTERVALS OF FAILURE MODES

TABLE 2.7
FUNCTION AND COMPONENT DATA
Function Modes Modes Supporting Weighting Failure Per Failure

Number Available Required Components Factor Million H o u r s Mode
1 1 Tank T 1 .1 E x c e s s i v e leakage
10 1 Valve V-1 1 5.0 F a i l to open
2* Valve W-1* 10.0*
Valve V-2 1 5.0 F a i l to open
Valve W-2* 10.0*
20 1 T r a n s f o r m e r X-1 1 5 0 F a i l to supply power
T r a n s f o r m e r X-2 1 5.0 F a i l to supply power
25 2 Bus Tie B - T 2 2 0 F a l l to close
(Standby) (Others s e e Function 20)
30 1 Pump P-1 1 10.0 F a i l to s t a r t
(Interval 1) Check Valve C-1 1 .25 Blockage
Pump P-2 1 10.0 F a i l to s t a r t
Check Valve C-2 1 .25 Blockage
35 1 Pump P'-l 1 5.0 F a i l to continue running
(Interval 2) Check Valve C-1 1 .25 Blockage
Pump P'-2 5.0 F a i l to continue running
Check Valve C-2 I .25 Blockage
50 2 (Same a s Function 35)
55 1 (See Function 35)
(Intervals
2 and 3)
60 1 Check Valve C ' - l 1 1 0 Leakage
(Standby)
65 1 (See Function 35)
(Intervals
2 and 3)
70 1 Check Valve C ' - 2 1 1.0 Leakage
(Standby)
75 3 Valve V-5 I 10.0 F a i l to open
2* Valve V-6 1 10 0 F a i l to open
Valve V-7 1 10 0 F a i l to open
80 6 Pump P-1 3 10.0 F a i l to s t a r t
(Standby for 2* Pump P-2 3 10.0 F a i l to s t a r t
I n t e r v a l 1) Pump P-3 3 10.0 F a i l to s t a r t
Check Valve C-1 3 25 Blockage
Check Valve C-2 3 .25 Blockage
Check Valve C-3 3 25 Blockage
Valve V-4 3 10 0 F a i l to close
85 6 1 Pump P ' - l 3 5 0 F a i l to continue running
(Standby for 2* Pump P'-2 3 5 0 F a i l to continue running
I n t e r v a l 2) Pump P'-3 3 5.0 F a i l to continue running
Check Valve C ' - l 3 1 0 Leakage
Check Valve C ' - 2 3 1.0 Leakage
(Others see Function 80)
90 3 1 Pump P'-3 3 5.0 F a i l to continue running
(Standby for 2* ( O t h e r s see F u n c t i o n s 80
I n t e r v a l 3) and 85)
2-57
TABLE 2. 8
TIME P R O F I L E
Cumulative Time a t
Time Start of I n t e r v a l Hours Configuration Change
Interval
Problem 1 Problem 2
1 0.0 0.0 Functions 35, 50, 55, 65, 85 and 90

turned off.
2 720.0 168.0 Functions 30 and 80 turned off and 35

and 85 turned on.
3 721.0 169.0 Functions 35 and 85 turned off and 50,

55, 65, and 90 turned on.
Cumulative
745.0 193.0
T i m e Attend
TABLE 2 . 9
LOGICAL "OR" AND "AND" GATES APPEARING IN
DRESDEN-3 EMERGENCY AC POWER SYSTEM FAULT TREE
Logical Gate
Consequence
Identification
Al No P o w e r To T-1
A2 T-1 F a i l s Open
A3 Line 12 Dead
A4 Line 11 Dead
A5 No P o w e r To Line 13
A6 No P o w e r To T-3
A8 No P o w e r F r o m T-3
A9 Line 32 Dead
AlO Line 32A Dead
All BAB-32 Source Dead
A14 No P o w e r To Line 21
A15 No P o w e r To BAB-31
& No Power To Line 21A
A16 BAB-31 Source Dead
A17 No P o w e r To BAB-42
A18 BAB-51 F a i l s Open
A19 No Power F r o m BAB-51
A20 No P o w e r F r o m Diesel Generator
A22 No P o w e r F r o m BAB-52
A23 BAB-53 Failed Open
A25 No P o w e r F r o m T-8
2-59
T A B L E 2. 9 (continued)
1 Logical Gate
Consequence
j Identification
A33 BAB-62 Fails Open
A37 No Power F r o m BAB-63
A42 No Power F r o m T-6
A43 No P o w e r 'i;o BAB-2A
A44 BAB-2A F a i l s Open
A45 BUS-2A Dead
A50 No Power F r o m T-7
A51 No P o w e r To BAB-2B
A52 BAB-2B Fails Open
A53 BUS-2B Dead
Bl No P o w e r To BAB-51
B2 BUS-5 Dead
B3 No P o w e r to BAB-61
B4 BUS 6 Dead
B5 Loss of 4160 V Power
B6 Loss of 480V Power
B7 Loss of Emergency AC Power
2-60
TABLE 2. 10
COMPONENT FAILURE AND REPAIR DATA
FOR DRESDEN-3 EMERGENCY AC POWER SYSTEM
Component
Failure MTTF (hours) MTTR (hours)
LD.
XI T-1 345 KV Bus Connection F a i l s 1.0 X 10^ lots

X2 345 KV Bus Dead l . O x 10^ 15t7.5
X3 T-1 P r i m a r y F a i l s Open 1.11x10^ 48 i 12
X4 T-1 Secondary F a i l s Open 1.11x10^ 48 t 12
X5 Unit 3 Generator F a i l s 1.0 X 10^ 334 t 50
X6 Line 11 Broken l . O x 10^ 5t2.5
X7 T-3 Bus Connection F a i l s 1.0 X 10^ 10 1 5
X8 T-3 P r i m a r y F a i l s Open 1,11x10^ 48 1 12
X9 T-3 Secondary F a i l s Open 1.11x10^ 48 1 12
XIO Line 32 Broken l . O x 10^ 5t2.5
XU Line 32A Broken l . O x 10^ 5 t 2. 5
X12 BAB-32 F a i l s Open 2 . O x 10^ 8^4
X13 Line 13 Broken 1x10^ 5t2.5
X14 T-2 P r i m a r y F a i l s Open 1.11x10^ 48 t 12
X15 T-2 Secondary F a i l s Open 1.11x10^ 48 1 12
X16 Line 21 Broken 1x10^ 5t2.5
X17 BAB-31 F a i l s Open 2 . O x 10^ 8t4
X18 Line 21A Broken 1x10^ 5I2.5
X19 BAB-51 Failed Open 2.0 x 10^ 8t4 1
X20 BAB-51 Manual Actuator F a i l s 2 . 0 X 10^ 3ti.5
X21 BAB-52 Failed Open 2. Ox 10^ 8t4
X22 BAB-52 Auto-Actuator F a i l s 1.0 X 10^ 3tl.5
X23 Diesel Generator F a i l s l . O x 10^ 200 t 50
X24 Line To Diesel Generator Broken 1.0 X 10^ 5t2.5
X25 BAB-53 Auto-Actuator Failed l . O x 10^ 3tl.5
X26 BAB-53 Failed Open 2.0 X 10^ 8-4
X27 T-8 Secondary F a i l s Open 1. 11x10^ 48 t 12
X28 T-8 P r i m a r y F a i l s Open 1. 11x10^ 48 t 12
2-61
TABLE 2. 10 (continued)
Component
Failure MTTF (hours) MTTR (hours)
LD.
X29 Line F r o m T-8 Broken l . O x 10^ 5t2.5

X30 BAB-42 Failed Open 2 . O x 10^ 8t4
X31 BAB-42 Auto-Actuator Fails l . O x 10^ 3I1.5
X33 BAB-41 Auto-Actuator F a i l s l . O x 10^ 3ti.5
X34 BAB-61 F a i l s Open 2 . O x 10^ 8t4
X35 BAB-61 Manual Actuator F a i l s 2 . O x 10^ 3tl.5
X36 BAB-62 F a i l s Open 2.0 X 10 8^4
X37 BAB-62 Auto-Actuator F a i l s l . O x 10^ 3I1.5
X38 Underground F e e d e r To T-8 Failed l . O x 10^ 70 1 35
X39 34. 5 KV Outage l . O x 10^ 10 1 5
X40 BAB-63 F a i l s Open 2.0 X 10^ 8t4
X41 BAB-63 Auto-Actuator F a i l s l . O x 10^ 3ti.5
X43 BAB-54 Auto-Actuator Failed 1.0 X 10^ 3tl.5
X44 Line To T-6 F r o m BAB-54 Broken l . O x 10^ 5t2.5
X45 T-6 P r i m a r y F a i l s Open 1. 11x10^ 48 1 12
X46 T-6 Secondary F a i l s Open 1. 11x10^ 48 1 12
X47 Line To T-6 Broken l . O x 10^ 5t2.5
X48 BAB-2A F a i l s Open 2.0 X 10^ 8t4
X49 BAB-2A Auto-Actuator F a i l s 1.0 X 10^ 3tl.5
+
X50 BAB-64 Failed Open 2.0 X 10^ 8-4
X51 BAB-64 Auto-Actuator Failed 1.0 X 10^ 3tl.5
X52 Line F r o m BAB-64 Broken l . O x 10 5i2.5
X53 T-7 P r i m a r y F a i l s Open 1. 11x10^ 48 1 12
X54 T-7 Secondary F a i l s Open 1. 11x10^ 48 t 12
X55 Line To T-7 Broken 1,0 X 10^ 5t2.5
X56 BAB-2B F a i l s Open 2, Ox 10^ 8I4
X57 BAB-2B Auto-Actuator F a i l s l . O x 10^ 3tl.5
2-62
FIGURE 2 . 1
EXAMPLE SYSTEM
2-63
System Reliability Diagram
FUNCTIONS
Component 1M o d e s 1 !_._._
Failure Modes Modes Modes Modes Modes Modes Modes Modes Modes Modes Modes Modes Modes Modes Modes Modes Modes Modes Modes
Component Component
Rate. Avail Req'd Avail Req'd Avail Req'd Avail Req'd Avail Req'd Avail Req'd Avail Req'd Avail Req'd Avail Req'd Avail Req'd
ID Name
Failures/
lO^Hr Component Component Con:iponent Component Component Component Component Component Component Component
Weight Weight Weight Weight Weight Weight Weight Weight Weight Weight
FIGURE 2.2
F U N C T I O N - C O M P O N E N T SUMMARY S H E E T
V WHOa XfldNI
I'z aiinDia
IJlb- nC 9^11^3 fiiM ii. tll^\0^ «9 S3 / 5 ?9|j9V9'£S?29'l9|69'6i Ss ^ 9 * ^ 9 9 ' ts'ts'zS'lSlOS'6P'ei''it'9P|SPVp'Ef'Z/U|0?'6€'9€'ê ? f i " C K E £ ?€ leiOTfiz'si iZ'9Z|SZ F2'e2'22'l2|02'61 •STTT 91 fs 1' F1'i7'2T7n5ir''?'7''9" I^tTf?- 2 ' l
1—1' I ; 1 - 1 -• I- r
rn r —
* • 1 ' ' • 1 ' j
T
/.'
f'
' ' V
h'
' h'
'1
•h'
. . . 1 . . . . 1 . . . t . _ . . . , . .
' '" A'
' ' A'
' • • ' ' ' I . . . . . . .
h'
k''
. . . . . . . . . . . . . . . . . . . . . .' ' ' 1
h'
\\ h'
1
h'
' . h'
A'
' f'
1' 1 'I
' r~ V
1 " I
• • I 1 ( > ( 1 1 • 1 t • 1 I 1 « . 1 I I
1 1 I I 1 ' • '
f
^'
1 I 1 1 1 > 1 1 1 1 1 1 1 J 1 1 1 1 1 1 1
"T^ -I"
' • i 1 I 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 <
1 1'
y7
\ / ~i
'
—1
'
1 1 1 1 1 1 1 1 T""—1—1—r'T"T-T—1—I—1—1—1—1 A '
• • • 1 I • • • 1 1 1 1 • 1 . I 1 1 1 1 1 / \
/ \
1 / ' '\
JS Si OZ. S9 09 SS OS Str Ofr SE OE ' £2 oS SI 01 5
Mi
0 1
r J'
1 1^ Ji r
I If!1 r 1 Si 1
a pN["a:o^ xndNi
fz annoij
0 eJ a^'ti'sijiiTiti irT"|0i'69 69' i^99|S9 r9'C9'J9 19 0 9 ' 6 i ' e S ' i 9 9i|i9^r5'Ci e s ' i s j o s ' S f e p ' i p rq^ TV zv'zv' iv 0P'6C'9€'i£ 9C|5£'H:'E£ ZZ'\z]0Z^6Z ez'^z'9z|9z PZ^Zi'zZ' l i | 0 2 ' 6 l ' e i ' i l ' 9 l | s r n ' t l ' 2 l ll|01 ' » ' 8 ' i 3 1 i ' » ' £ Z ' l
' * 1 1—
' ''
' ' • ' 1
T"
1 1 1 1 1 1 1 I 1 1 1 1
1 1 1 i
. ' •1
'
1
' 1 1 1 ' '
• ' '
:8 Si Oi si 09 ss OS s^ 017 SE - oe •iZ 01 s
-0 a: ft*
5" 3 t 3 -1
'if -^"^W l^<"-L3f"^J tp <=- i :
1-
1 -^
• 1 CM
D W-HOd JLIldNI
S "Z a ' H n o i d
•
o CI ^777'diJTi T7^ z^ V)'!9S9i'i Esp? /9[o9igy / S ' - ^ s PS z'i'f,'iS\oSÛrltr ^M^^Wt, 2r'ir|0p 6C'e£'i£'9E|S£Ve'Ge zE'u|oe<ii« i r ^ f s s + e e i w iz|oz'6rsi'ir9i|si'i'i'Ei'zi'ii|oi 6 ' ( ( ' i ' 9 | S ' f ' £ z'l
' M l ^"
r- 1 1—I— 1 1 1 1 11
z'
^'
1' 1 ' '/
z'
r'
' \ ' ' / z'
1 ' ' 1 ' ' /'
'11 ' /'
z'
' z'
1' f z'
I ' /' 'V 7 ' ?'
z'
.
1/n' z'
W' z'
1 itfl 1
1' * z'
11 ' . ' 'il' ' z'
2"'
/V z'
(1 ' /' A ' z'
\\ ill ill
1' 1 t
'/' ' I ' z'
7' 'V z'
/ ' ' 1 7'
'
1 / ' '\ z'
1 /' ' ' \ t
—1 /l 1 1 ij
1 1 •
z'
/ I 1 / l-l-f-T V
' • I • 1 ' I 1 1 1 • 1 1 1 1 1 I 1 1
z'
f. I T - ^ - F - ^'
8 ^L Oi 99 09 SS OS sfr ot7 se SsE OE SI 01 S
oc
1 ^•ve-A/ xpiaNOdiôj
^
O 1 d
> ^ > ^
a M-Ho.a i n d N i
9 'z a ' a n o i d
ViioC 8 / i i ' 9.]i tVi >. i u ' l i | 0 i ' 6 9 [89T/9»JS9 rrrs'zTtT 09*6S'8<i iS lailTs'i's'^ zs'islos'er 9f'ip'9l'|Sf p » t » ' z p ' i » op'eeêc'iE 9E|SE'PE'E£ ZE'lE'Iot.'iF 9Z'iZ'9Z|SZ PZ'EZ'ZZ' IZ | 0 Z ' 6 l ' 8 l ' t ! 9 l | j l ' p l ' t i zi'iiloT'e 9 ' i ''9 fi TÊ n .
I 1
r—
. , ,
r—
r—'
1 1
'" t'"
.
*
1 ' 1
'
I" 1 - I —
ft Si Oi S9 09 'SS OS Sf or S£ oe oz SI 01 s
0
^ _ h — ^
4
5 * 1 ? ? ^ "^ ^ 3L
1
<r UI103
It
3 PM-aOd x n d N i
L'Z S'HnOId
!•'..^«7if9i|»t'rttt i i ' i / O i ' c j ' e s Ti 99|S9'P9 |£9'Z9'19|09 es'es'zs 9S|SS'PS'ES ZS IS|0>, 6P'l)P'^P'9P 8 E 7 E ' 9 £ SE'PE'EE'ZC ^b>'ia n' tz^gzjsz pzTz'T'z 17, >«'6i'er IFgTlsi Pl'El'zi'l 7t'"6 ' 9 [ ' i ' . ' f ' s ' p ' E ' z ' . ^
::wt. ZP'|P|0P'6E
' ' 1 1 v_ ' ' i
1 ' 1
. . . . . . .
1 1 1
r- 'V '
1 i>'j
' '
1— 1 1 1 -1 1 1 1 ' '
' '
i\ 1
'-4
1 t 1
' I '.
"1 ' '
1 '
' '
' '
t
.
1 • ' .
' '
1 '
• • • 1 '
'
T-T- r
, . . ' '
0% Si |0i 59 1 09 1 SS OS s» 0. se cc sz OZ s 01 5
^ ^ ^ & ^
^ ^ {? •^ ^ ^
i ? ^ ^ 6^ s l^f s.f
^ ^
dnp OA««d 41 " S
>^ '^: 9««'ni I OOIJ. ria'JC
D i^r'aod xndNi
8'Z 3 ' a n D I d
ttHL'teiO'ufii t U t Zt'lifoi ed'es' ti 9 ? i 9 Tsts c 9 19|09'6S OS U^s^î w fiî'tS <5 kl^.vUv aplsp'rptp '2p l p | 0 P ' 6 C ' e E ' Z E ' 9 t | S E ' p £ ' E E Z £ ' l E | 0 C ' 6 Z ' 8 Z ' z Z ' 9 Z t S Z PZ'EZ'ZZ' U | 0 Z ' 6 1 o i ' i i ' s i | . r p t I ' Z l ' l l|01 ' 6 ' 8 ' ^ ' 5 1 S V ' t TT"
' 1
' ' /
11 1 1 1 s'
1 1 • 1
/ ?'
1 • ' ' • 1• / ' 1
P
1 ' /' f
' 1 '/ ' ' ' '' '
• ' I
e'
/' ' f'
1 ' ' ' ' / . ' '
i
' ' '
, , , , y, , 1 P'
,,,,/,,.,
1 ' ' •/' 1 ' • f
\ , , . / , , 1 , ,
s'
\ '/''"' ' s'
i\'/• . . 1. .
e'
£'
1 y. ' ' 1 ' '
. ,A,,.,,, f'
hr^r- /' \ ' ' ' ' ' f'
A . ,\, . , . . f'
_. n • '\ • 1' ' f'
, , , ,\ , , , , ^
' , , . .\ . ., f'
1 ' ' / '
?'
, , , , ,\y , , f'
' ' ' ' '\ ' '
1 '/ ' ' 1 ' ' • ' iV '
r
'\' f
1. 1 ' y f'
A ' ' ' —1 1 1—1—1 1 ' ' 1 ' \
' \ f'
TV '••T-i—1 • ' 1 •
JS Si
, . . . . , . .y r
0 59 09 e 3 sr ot SE OE SZ OE SI 01 S
7
1 1 r 1
11 H H J
^ 3 c
+ :>
0
9
y\ xa X
H PV-HOd X n d N I
6 'Z 3 ' a n D I d
:-- »J firii'Silii'ctti'ji TTlOt'GSSg' is/95|S9'P9'£s'z9'l9|09'6S'liS'is'9slsS'PS'£S'ZS'l5|0S'6P'ep'£p'9p|SP'pp'£p'Zp'lp|0p'6E'9£'iE'9£|5E'PE'EE'ZE'lE|0£'6Z'8Z'iZ'9Z|SZ'pz'CZ'ZZ' IZJOZ'tl'Sl ' i l ' ' j l |S 1' P l'£ I'Z I ' u |01 ' 6 ' 3 ' i ' 9 | S ' f 6 ' Z t
' ' ' ' 1 1
^^
f
' ' F'
?'
e'
• '
f'.
e'
' ' ' I ' ' P
F'
e'
f*
£'
f'
i , , , 1 , ,
* f
£'
f'
f'
i'
?'
f
g'
f
£'
f
f'
* '
r'
^8 Si Oi S9 09 SS OS
f
sr Of bt oe SZ OZ SI 01 9
1 1
1 \ \ 1 1 1 1 1 1 1 1 \ 1
H H H H h h H H H H H H H
o ;> + ;> + o 4- o •V- o t
D i
i I.
I Time Profile Cards (Form G)
I Component Information Cards (Form C)

Partial Data
I Function Data Cards (Form B)
General Information Card (Form A)

I Time Profile Cards (Forms G & H)
Data Deck
^___ Functions Supported Listing Card (Form E) I Set per

^ —Dependent Components Listing Card (Form D) J _
Component Component Cards
^__— -Component Information Card (Form C) f
ro
I Function Data Cards (Form B) 1 or mpre cards per function
t Descriptive Information Cards (Form A)
n
-General Information Card (Form A)
-$ Data Card
I -Program Deck
FIGURE 2 . 1 0
ARMM INPUT DECK GENERAL ARRANGEMENT

2. I I A FLOW DIAGRAM
(1) One Function System
(2) Two Function Systenn
2. I I B BLOCK DIAGRAMS
NOTE: indicates division of functions.

1. 2, and 3 indicate function number.
FIGURE 2. 11
SERIES SYSTEM
2-73
VALVES
V-1
HXh
V-2
V-3
2:12A F L O W DIAGRAM
V-1 V-2 V-1
V-1 V-2 V-3 V-1 V-3 V-2
V-2 V-3 V-3
(1) No R e d u n d a n c y (2) 2 / 3 R e d u n d a n c y (3) 1/3 R e d u n d a n c y
2:12B B L O C K DIAGRAMS
F I G U R E 2 . 12
PARALLEL SYSTEM
2-74
PUMPS VALVES
P-1 V-1
rC><h
V-2
P-2
V-3
4x^
2:13A FLOW DIAGRAM
V-1
P-1 V-1
- — -
J
P-1 V-2
2 P-1 V-2
V-1
— — --
P-1 V-3
P-1 V.3
V-2 --
P-2 V-1
P-2 V-1
- - - -
4
V - 3 ..
P-2 V-2
P-2 V-2
— —
10 P-2 V-3
V-3
(1) Two Functions in Series (2) Two Functions in P a r a l l e l (3) Six Functions in P a r a l l e l
2:13B BLOCK DIAGRAMS
F I G U R E 2. 13
COMPOSITE SYSTEM
2-75
Transformers
X-1
Bus Tie
X-2 N.O.
B-T
2. 14A LINE DIAGRAM
X-1 X-2
— X-1
B-T
^ - X-2
2, 14B BLOCK DIAGRAM
FIGURE 2. 14
E L E C T R I C A L SYSTEM
2-76
VALVES
V-1
VALVE VALVE VALVE
V-1 V-2
r{Xh
>. ^
v-2
(1) (la)
HXH
(2)
2.15A F L O W DIAGRAMS
V-1
I 1 I 1
I I I I
V -I V - 1 h- HI V - 2 I-
I I I
v-2
(1) Single V a l v e (la) T w o V a l v e s in S e r i e s (2) Two V a l v e s

(Fictitious Case) in P a r a l l e l
2 . 15B B L O C K DIAGRAMS
F I G U R E 2 . 15
CHANGE F R O M NONREDUNDANT TO REDUNDANT

C O M P O N E N T S BY P A R T I A L D A T A
2-77
PUMPS CHECK VALVES
P-1 C-1
r-^
C-2
p-2
r\H
2. 16A F L O W DIAGRAM
P-1 C-1 P-2 C-2
P'-l C-1 P'-2 C-2
4 6 ~1
P ' -1 C-1 P'-l c-1 P'-2 C-2
\3
5 7
P ' -2 C-2 C'-l C'-2
(£)tandb y) (S tandb^')
2.16B B L O C K DIAGRAM
NOTE: indicates configuration change.with time intervals.
F I G U R E 2. 16
HYDRAULIC SYSTEM
2-78
PUMPS CHECK VALVES VALVES
P-1 C-1 V-5
HXH
VALVE P-2 C-2 V-6
TANK
T
V ix}
I
V-3N
P-3 C-3 V-7

(Standby)
HXH
F I G U R E 2. 17
H Y D R A U L I C S Y S T E M F L O W DIAGRAM
P'-l C-1 — C'-2 —
85
1— P ' - 2 C'-l — C-2 —
C-1
80
P-2 — c-2
FIGURE 2. 18
ELECTROHYDRAULIC SYSTEM BLOCK DIAGRAM 2-80
N5|
1
1
|28
S 10 15
1 20
i
5
25
\li 30 35 40 45 50 55 60 65 '0 75 80
A.l ,3 1AF..,0 1 1^ il|5 ,z 1 0 A.R.M,M A|P f , L , i . C , A . T l . S * , N , . - . - , .PiR.^.K.L.FiM. . 1 . . . i 1 1 1
,1 2 ,3 l . ^ . V - , 0 1 ,1- ,1(5 ,2 1 1 1 AiR.M.M, AiP P . L . l . t . A . T . I.^.M, . - , - . P|<li^ e K fiM 2 J ",*
1 1 1 1 1 1 1 , 1 f , , , 1 , , .
1 t I 1 1 . . 1 1 , . . , 1 , , ,
1
1 , , 1 1 . , 1 1 , i ,
1 r i l l ,, I , , , 1 , , , , 1 , , . r
,4 ,
. . . . . .-.-,LL L,U,J 1 1^ hTrl *iN ,/ F. lA.R.M.M lA P.P,L.I.C.fl.T,l.*rf4.-.-, ,2
,4 P^,* e.L.CM, 1 A.e M,M, A PP III C|A 1.1 f N . .T,^, Ai J.A.M.Pil,t. . J . y . / . T . f M 1
>.] ,}
,4 P l,^ 6,L.f,M, 2 hi AiMtP L & «,i t, fl,F ,P,A ,(2,1,1 i i L ,P,fl,T.A, ,jJ.P,T.I,0,N,. \ 4
-'
, , , 1 . . . , 1 , , ,
1\ ' /
t i l l 1 1 1 1 t 1 . 1 , t , . . . 1 , , , ,
1 1 . 1 1 , , . 1 . 1 1 , 1 . , ,
1
-
. . . 1 . . . . t . . ,
'.
1 1 T 1 1 1 1 1 1 1 . , . 1 . . . . f . . .
-.
. . . 1 . . . . 1 . . .
-'
I l l l 1 t i l l . .
.
.
.
.
.
1
1
.
.
.
.
.
.
.
.
1
1
.
.
.
.
.
.
f.A '
. . . .
1 1 ( 1
1
' . . . 1 . , , .
1
1
,
.
.
,
.
.
A.- - uu^ _ l
t 1
( I
1
l
1
l
1
l
1 .
1
.
1
.
>
1
1
.
.
.
>
.
<
.
1
1
1
.
.
.
.
.
.
M. 1
I l l l
-
. . . t . . . . 1 . . .
-
1 t 1 1 1 1 1 1 t 1
.
. .
.
.
, 1
1
.
I
.
.
.
. .
, 1
1
,
. .
. ,
.
IA ,
t 1 1 t 1 I , , • 1 . . . , 1 , . . 1 , 1 l _ _ Jt 1
^ 1 t 1 1 ( t i l l 1 f r r 1 r 1 1 1 1 1 1 , , , la. L III L.. inn 1 1 1 ,
1,2
ij
i | , i 3 ^ 25|26,27,28
_ 4 _ ^ 5 _ l l , 7 _ , 1 ^ 1 0 l l l , l 2 , 1 3 , l 4 , l j ) l C , 17,18,19 ,20|?l , 2 9 J O l 3 l 52 3 3 3 4 55-56 3 7 , 3 8 , 3 9 . 4 0 | 4 1 , 4 2 , 43i44,45|46,47.48,49.50|51 . 5 2 .53,
SL L^55 5<.57 S3 S9 \^^ ^ ^ 3 , * ; 4 & - l 6 f 6 M 8 6 9 - ' 0 | ' 1 7 i 7 3 7V75'-C-j272_e29_?ll
FIGURE 2 . 1 9
ARMM INPUT LOADSHEETS

1*) ^
FUMCTIOAJ / V A « e-
^
^
> 1
1 Ho 1 (5
i «0
•p •3r \ 0"
5 10 25 n: 30 40 45 50 55 60 f55 70 75 8'-.
. 1 |5 W,A,T,E,R., ,l.ft,N,K, , I - . L-. il |0 . 1 . ' , . 1 , , , , 1 I . 5
, ,1.0 S.U,P,P,L.Y, .V.AiL.V,f s ,
i" ir)
, , l | 0 7,ll-,A,N|i,F,0,|E„M|e,e,J - J 1
1 _j 1 .z,^ 1 , 1 1L— ,2,0
1 . .1,0
- ,^|S 6.1».^. . T . l . F L . ,2,5
, ,liO P.U-M.P.J., IN f .1, , , ,1,0 1 ,V0
, ,)|5 P.U.M.Pif,j. . , I ,l.^^ T ,2, . , ,%,5 I ,5,5
. .SiO P.U.KPrf , .I.N T .^. . I 1 iHiO i5",0
1 , 5 , 5 P,U.M,P, ,P.'.-.\, , , . .1,0 1 ,^,5
,-,l>i« C,M,E,C,|C, ,V,A,L,V,G, c'r,l, 1 . .5-.r ,i,o
, ,(.i5 P.U,M.P, ,?.' ,-X, , . . .1.0 1 » .ts
-. .TiO C.H,E,C,<, c ',-.2. .>/.A,L,v,e. , .t.r ,1^
, .Tl? H,E,A.PiE,li, .V.AiL.V,? ^ 1 3 |0 I t ( I ,7,5
- . .%rO J.T.A.NiP.B.Y. ,PiU,M,P IiN.T. 1 , , t |2 , .?.o A 7,F ,8,0
-. >u I . T . A . N i D . I . Y . .P,U,M.P 1.N.T, I {, ,2 , ,5,5 0 ^s ,8,5
- , r'ilfl J.T,A,NiP,B,Y, .PiU.M.p 1|N,T. 1 1 ? >|2 . , f , 0 1 5,5 A| b5 A 0 5 5'|0 A 1. 0 A t s Al 7 ^ l?,0 All
> I 1 A. . 5 , ; A 7,0 A. 7y .'l,!
. 1 1
1 1 1
1 • 1
. 1 1
1 , 1
I I 1 1 1 1 1 r r 1 1 1 f t 1 1 1 1 r 1
, ,1.0 I 2 ?,0,J
• ,7.5 1 f 1 1 1 1 1 1 1 t 1 1 1 ,2 1 1 I 1 r 5,0,;
- , ,%,0 t 1 f 1 ) 1 I t I t f 1 .1 t t ( 1 .... 5,0,4
-. .4.5 1 A ^,Q.i
-. ^,0 I ( t I T » 1 ' 1 1 1 1 'i ( 1 t t i 1 ?,0,i
•1,2 3j 4 , Sj 6 7 . 8 , 9 , lOll 1.12,13,14 , I S | i e , 1 7 ,18
^ ?0j21 , 2 2 , 2 3 24 2 5 [ 2 6 j IL 28 il! 3 0 | 3 1 , 3 2 ^ J i 15l36 37,38,39,40
^ ih.'y- 45|.-,„ 4 7 , 4 8
ih 50|51,52
=yji i j 5«l56
57, 53, 59, 15 l i 5 1 ^ 64
i"i"Pi _63 6 9 70|71|72 7 ^ V L ^ 7 6 j 77 :8_-i_.=
'J . ^ 1s
FC/2M C
VI a
\
CoMeof^/eMr NAHÊ
^
^1^4 4i is 1
lb 0
1—
5 10 lb 20 2=; » 35 40 45 50 55 60 65 a. 70 1 75 8C
"^ 1 , \ M TiA.N.t. T . , .0...I 1 ,1 . ,0 . . 1 . 1.0,5
,2 . ,1.1.0 V,A.l.l/.t i V . - . l . . , L ... L 5 .,0 1 ,(? 11.
,2 . ,1,1.5 V.A.L.V.E- il',".2, , 1 1. . 5 .,0 1 ,0 1,1 ,5
,2 , .l.Z,fl T.R.A.H.J h*,R.,M.9,lli X 1 5 .,0 I ,0 1,2,0
,2 . ,1,2,5 Till,A,N,J Pifll,IM.f,R.. i * 1 ? •,0 I ,0 l,i,5
,2 , ,1,3.0 BiU.i, ^ l i t , ,8,-,Ti ? ,,0 1 ,0 li^/)
, ,1,3,5 P.U.M.P, P r . i , . . 1 ll 0 • lO I ll l|3,5
•^
,2 1 ,1,4,0 P,U,M,P, P / , - , i , , 1 5 •lO 4 ,2 3 1,4,0
,2 , ,1,4,5 PiU.M.P, P.-.2, , . . ll 0 iiO 2 ,1 K^^l
,2 . ,l.5,fl P.y.M.P. p.',-,2, , . I 5 M« 4 ,1 1,5,0
••
,2 , .1,5.5 riU.M.P. P,-,3, . . 1 ll 0 •iO 1 ,(> , l,.5.5j

,2 . , l . t , o M),M.P. PI' . - . 3 , . . 5 •lO I ,i> lit ,1)1
,2 . . i . t . y CiH.E.Ck .\/,A,L.V,ti c I .0 2,5 t ,Z l,t,5
,2 f , ,1,1.0 C,H.E^.C.H iV.A.L.U.E-i c/ f| 1 .,0 3 ,1 IJfl
,2 . .1.1,5 CiH.E.C.K iV,A,L,«,&, c- 2 ll) ^5 <> ,1 >,T,fl
,2 . .1.^.0 CrH,F,C,l< rV.A.L.V.ti c "" 2, 1 ,,0 ? ,1 ',%,«
,2 1 ,l,ft.5 CiH.E-.C.I: il/,A,L,)/,Ei c ? |0 ^5 } ,5 li%,5
,2 , .1.1.0 V,A,L\/,E- 1V.-.3. . . 0 • ,o i ,4 1.1 i(J
,2 1 .1,1.5 ViA.L.l/.E- .V,-.4. . . 0 • ,(? ^ ,5 1,15
|2 1 , t o ^ ViA.L.V.E- iV.-,5. , 1 () • ,0 4 .0 } ^lOiO
,z , ,2.0.5 ViA.L.V.C . v , - . t . , . - fl iiO 4 ,0 ?in,5^
,2 . .2.1j) i;.A,L,\;,t- .l/,-,7, . 1 0 MO 4 |0 2.1 iC
,2 _i J 1 1 1 1 . , , , 1 , , > , . t 1 1 ' ' 1
I l l l I . I . 1 , . . . 1 I 1 I 1 L1.1J
,2 , .1,0.0 V.A.L,V,F .V,-,5,- , , 2 5,0 % ..0,"

,2 1 ,1.1.0 V.A,L,\I,F ,w.-,i. . . .1 0 1,0 5,?i-7
L? 1 ,1,1.5 V,A,L,V,t iW,-,2, , , 1 , , 1 ,1.0 ..0 . t . • ._! 5i0,%
'i' liAi 5(6,7,8, 9 •"l-'i'î'li'^L 1 5 | I 6 , 1 7 , 1 8 , 1 9 , ? 0 | 2 I XLl31^7S2Un ?r2?3o!^. ^b ^ î ^ ^
38^39 ^-0|-"i 'f7^4r9>\SK^253|S4 5M'rSr Ssrioiu<aki 64«rM6i en6 9 , 7 0 | 7 1 , 7 ? h X d ,7?|76,77?B.7'> -
FoUn V
«4 \t r r k k 1 k -
1 k *
n in \t k ^
5 10 15 20 '^ 30 35 40 45 50 55 60 65 70 75 eo
-|l,t,5 1 1 , , . . , . . 1 .•> i
-,'|t,5 -<!.%.0 ' , 1 . . , . .1.4.1
|-.l.l,5 I I I f . t . . 1 . .I.4.<.
1-. 1.1.0 - . 1 . 1 . 5 1 . . . 1 . .I.?.!
- , l , f t , ? -!','»,0 -.tl'^.J - . 2 , 0 . 0 - , 2 , 0 . 5 -,Z.l .0 . , , ,l,5,fc
- . l . f t . 5 - . 1 . 1 . 0 k 1.1,5 -.i.oiO - . t O . 5 -.^^ ,0 , , , ,l,t,l
.l.n.O - r l . % . 0 1 1 I 1 I 1 , 1 . .I.t.fc
1 .l.t,^ - . 1 , 1 . 5 1 . .l.l.ll
1 .l.*.o 1 . 1 1 1 . , , , , .I.T.tl
1 ,1.1.5 , t I 1 1 1 • • I . , , , ,l,?,,i|
k l . l . O -.!.<».5 -.2.0,0 - . 2 . 0 , 5 -.1.1 .0 . . 1 . .I.%.b|
| - , i . 1 . ? - . 2 , 0 , 0 -.l.O.F - . 2 . 1 . 0 1 1 t , 1 . .1.1,ll
I-.U.O - l i . o . y - . i l l .0 _j X J-- . 1 . .l.l.tl
I r 1 1 ' ' 1 ( 1
I I I 1 1 1 1 1 1 1 . 1 . . . 1
I I I . 1 f , . 1 ( 1 1 1 f r 1
I I I
I I I 1 • 1 . I 1 t 1 .
I I I . . 1
I I I I I I 1 1 1
1 1 1
1 I 1 1 1 1
J ,
I I I , , 1
. . 1
1 f ! r r 1 , , 1 i.i t 1 1 1 ._i__i 1
34,35|36 37,38,39,40 41,42, 43,4 45|46,47,4 49,50|51j52|53,54,55j.;6 5Z S8,59,6o|6 1,62,63 6^ 65|66^_7j 6 8 69|70|71|7? 7-\ 74jJ«['c ^TT^Tpy«_pC1
'LIJJA i J l i ^ ' _9j 22111,1? n , l 4 , i e ; | l 6 | l 7 , 1 8 , 1 9 . 2 0 ?1,22,23,24|25|26
^ 28|29.^0|31.32
^
FUUCTIOH FuUCTtOlO \^hJcrtoK> PuMcnoo FuMcTioio FUoCTlOM 1 FôcTiop
SuPPoerrp Su-rpoareo SuPPooreo SuPPoareo SuPPoareB Suppoareo Surpoarec s-uPfoarfD SuPPoe.fei> 1 suPPotreb.
u.
|e ^ 5 ^ ^ ^ « ^ ^ ^ ^ ^ ^ ^ i -? *"
5 10 15 20 25 30 35 40 1 45 50 55 1 SO 1 6S 70 75 80
1 ,5 . J _t_l. ,, .I.O.J,
,'|0
,',' '
.1.0 1 1 1 ' r ,l,l,t
,2,0 .2,5 . . ,1 1 1 • t ,l,i,'
,2,0 ,2,5 , , ,1 ,1,2,*.
,2,5 1 I I 1 1 t 1,3,1
,"^.0 ,%,0 . , .3 1,3,7
,'>i5 ,5,0 . , .1 .5,5 , . ,1 ,ft,5 , , ,3 '> 1,4,2
,3,0 ,*,0 . . .3 1,4-,?
.?,5 .5",o . . .1 ,t,5 , , ll ,% 5 1 , ,3 1,5,2
,•^,0 1,57
,ft,5 ,*»,o . , .? 1 1 l.d.t
.•5.0 ,5,5 , , ,1 ,5,0 , , ii ,5',5 1 , ,1 ,%,0 . , ,3 AS , . ,3 l,t,7
,l>,0 ,*,5 , . ,3 l%0 , , ,3 1 1 1,1,1
,?,0 .^5 . . ,1 |5,0 , , .1 ,t,5 I , ,' ,%|0 , , ,3 ,?l,5 . 1 ,3 1,1,1
,T,0 ,ft,5 . . ,3 \%o . , .3 l,*.2
,8.0 ,»,5 . . ,3 ,1,0 . . .3 ',%,•'
,%,0 ,».5 , , ,3 ,1,0 . . .3 1 1 1,1,1

,1,0 ,ft,5 . , .3 1^0 . . .3 'i<^,T
•1,5 ,^.« . . .« lis . , .t .1.0 . , .1 r r 2,0,1

.1.5 . 1.1 ,*.o , . .1 lft,5 . , ll ,1,0 . . ,1 -• 1,0,1,
.1.5 . 1,1 ,%,0 . . .1 l4,5 , . il ,-1,0 1 , ,1 1 t .,..j 1,1,1
1 ., 1 \i 1 1 t > . 1
,
t 1 1 1 1 1 t 1 1 —i-.. I
, , 1 ,,, ' 1 _ i
k ? . 3 , " , 5 , 6 , 7 6 1 9 , K, l j j j l 3 , 1 4 15ilC,)7 ^ j 9 , ? ' 'i\ 77^22^ 25li6^",M l«, «j3i 02,33,34,35 36,37,38 39,40|41,42 43,44,4- ^6 47.48.49 ^ 5 1 5?la5.'45a55k 58,59 60|61,6?,6 3|f4,6 5|66 6 8 , 6 9 , 7 o | 7 1 , 7 ? , 7 i 7 V 5 l 7 6 ,7 7 ^ 8 . - . -
ILi
X X
2
^-5? 1 6
II J^^^fe G- .1 1 ^ X if u
3
+
1
H
+
\ 1 \ ^
5 10 15 20 25 30 35 40 45
I
5' 5 60 65 io 75 80
,3 ,1 , 0,.,0 1 it
. .3,5 - t^,0
- ,5,5 - ,b,5 . ,«,5 3.1 0
,3 ,2 , . , ,1.2.0,.,0 1 1+ - 1^,0 .•>,5 - ,'biO ,%,5 . . . . .3.2.0
,3 ,3 - , , ,l,2i l,-,0 1 i^*
- ,?,5 ,5,0 ,5|5 ,6,5 - i*,5 . . , , .3,3,<J
1,3 1 . . .1,4,5,.,0 3.4.0
3
,3 ,2 1 . . ,l,fci%,..0 . . , . .5.0 f>
,3 ,J , , , .l.l,.1...0 SM)
1,^ . . . ,l,1i3,.,0 5.1.1
r^
,5
,3
,^
,3 •
,3
,3
,^
.5
,3
,5 ,
,^
,^
,5 . 1 . 1 . . t 1 1
,3
4
,5
.3 t 1 1 . 1 I I I •
,5 ,
1,? .3j 4 5 | 6, 7 , 8 , 9,10,,1,12,13 , 4 , , 5 , 1 6 , , 7 , 1 8 I9,?0|?l ,22,23,24,25, 26,27,28,29,30|31,32 33.34,35,36, 37,38,39, 40,41,42. 43i44,45|46 47,4r,«i SB Si,W,»3 t^ 55(56,57 58 59,60|61 62163,64,65 66 67 ,68,69 70|71,7? ?37*;sn*'n7jr,7tr»5
(p3nui:;uoD) 6 l 'Z S ' H n D M
:.- 6 i ^ 8 z / i i ' 9 i | i i ' p i t i ' Z i ' l i , 0 i ' 6 9 ' 6 9 ' iS( 9'9Js9'P9'£y Z9'l 9|09'6S'liS'iS'9S JSS ' PS'ES'ZS ' IS|0S'6P'8P'ip'9p|SP'pp'EP 'Zp'lp|OP ' 6E'9E'iE ' 9£|S£'PE'££ ' Z£'1E,0E'6Z ' 9Z'iZ'9Z (^Z'PZ'EZ'ZZ' 1Z|0Z'61'91 ' il'91 |S 1' P l'E I'Z l'11 |01 ' 6 ' 3 ' I. ' 0 \ t ' * • i ' Z 1
£'
£'
e'
g'
' ' c'
?'.
,y , , , . . e'
t"
p'
•'
e'
f"
' ' g'
f'
' ^ g'
£'
f'
' f'
^'
?'
f
e'
f
£'
f
f'
fii ' t
Cb' f
' 1 ' •
ITi , O'b' - f'
38 Si Oi S9 09 SS OS Sf Of it oe SZ OZ £1 01 s
1 1 1 1 1 1 1 1 1 1 1 1 1
H H H H H H H H H H V, H
O D 0 s + V 4- o +• a N ^1
t
^ 1-
iiUTOMATIC ItELIABILIT^' MATH MODIIL
ARM^ A P P ^ i t A T l O N —j- PH08LEM | :^.

I
I
- I L L U S T R A TIQN OF AR MM APPLICATION—
PROBLEM i ARMM A^Pf LIGATION 0 A SAMPLi: SYSTEM.
PROBLEM if EXAMPLE USE CF PAR TIAL DATA OPTION.
lilUMiiER OF (tOMPONENTl NUMBER OF TIME INTERVALS

3
fp.jMaER ur ffUNcrioNS NUMBER OF INTEGRATirjN INTERVAl^S

5 2
MAXIIPUM NUMBER OF COMPOfiltNTS REINITIALUE

F A I L E D AT A I !ME INDICATOR
2 0
FIGURE 2.20
C O M P L E T E D C O M P U T E R OUTPUT - P R O B L E M 1
AUTOMATIC RELIABILITY MATH MODEL PAGE 2
ARMM APPLICATION - PaUBLEM I ]. CCCOCC0O, isco pooo-oc

FUNCTIONS
FUNClllDM ID FUNCnON NAMjf MOllJeS A V A I L A $ L E MO0ES RtQUlR|0 ALTERNATE FUNCTION ID
I
•J WAFIt R TANK ] 1.00 1.00 I

10 SUPf'LY VALVE^ I.00 1.00
20 fRANSFORMERS; I.00 1.00
' 25
-23 aus T i e ! 2.00 1.00
20
30 PUMff S, INJ^ 1 I . 00 1.00
I
I 1 80
35 PUMt's, INt
1
2 1.00 1.00
85
50 PUMf s, INI 3 2.00 i.OO t
5'i PUMI' P ' - l 1.00 1.00

I ^^
I 60
00 -60 CHE(, K VALVE 4 ' - 1 I . 00 I.OO t
65 PUMI' P'-2 I i.OO 1.00 I 55
-70 CH£( K VALVE (f - 2 1.00 1.00 70
7i HEAti ER VALVE^ J . 00 I.OO 65

-ao TANDBY PUMP^ iNIT I 1.00
6.00 30 A 75
-8ii STAfjlDB Y PUMPJ AT 2 1.00
6.00 35 A '5
-90 STAM DBY PUMP* HT 3 1.00
3.00 50 A 115 A 65
A 75 50 A 60
A 65 A 75 5C
A 55 A tC A 75
F I G U R E 2.20 (continued)
AUTOMATIC RELIABILITY MATH MOO^L PAGE
ARMM AJ>P41CATIJDH, J>ftDBi6M 00000 000 , 1900 (iOOO-OC

C(»1 PONE fir FAILURE B StjIPPORTEC WEIGHT HE PENDENT DEPTH
10 NQMaiilCLATURE iÂTF FUN(tTION IC FACTOR OMP. ID CCKTRCL
• 10
1 0 3 . 0<b TANK T 0.0999«I999E 0 0 | 1.00

5 l.OCO
110.0(1 VALVE y - 1 O.SOOOdOOOE 0 1 1.00
10 l.COO
US.QJi VALVE y - 2 O.SOOOdOOOE 0 1 I 1.00
10 l.COC
120.0(1 TRANSFtifiMER X-1 0.5000{j)000E 0 1 I 1.00
20 l.QOO
! I
25 l.COC
N)
125.0(1 TRANSFl^HMER X-2 0.5000(IOOOE 0 1 j 1.00
20 1.000
o i
25 l.COO
130.0(1 BUS T i c B-T 0.2000(IOOOE 0 1 I 1.00
1
I 25 2.000
135.0(i PUMP P-1- O.lOOOdOOOE 02 I 1.00
30 1-CCC
-165
I
80 3.CCC
140.00 PUMP P ' - l O-SOOodlOOOE 01 1.00
35 l.COO
-165
50 l.COC
-18C
55 l.COC

1 4 5 . OCi PUMP P O.IOOOOOOOE 0 2 ' 1.00 -0
30 l.CCC
-175
80 3.000
150.0(1 PUMP P ^ - 2 0.5000(10006 0 1 , 1.00 rO
35 l.CCC
Ii -17C
50 ' l-OCC
-175
I
65 l.COO
i
85 j3.C0C
I5b.0(i PUMP P-r3 O.IOOOOOOOE 02 1.00 -0
80 is.ooo
I
-185
n
s r C S 1 0 6 9 l 9 9 t C Z t 6 a i 9 S t Z Z l O 6 8 Z 9 S > C Z 1 0 6 8 Z 9 e » ' e z i O l 6 8 i 9 f f » E C l O 6 8 i 9 S » ' t : C L 0 6 8 Z 9 S » ' E t l 0
-19C *
6 B l 9 S f t t t O >
-195
-200 6 8 l 9 9 f £ Z 10
fi >• E C I 0 6 8 Z 9 S » £ e I 6B£99¥£Z l C A 8 ^ 9 S t ' E Z l 0 6 8 ^ 9 S > E C l 0 6 8 ^ 9 ' . » ' C f I O U e z V e P G i 1 0 6 8 Z 9 S > E J LO
-205
-21C
160.00 PUMP P » - 3 O.SOOOdOOOE 0 1 1.00
85 3.ceo
-185
90 3.COO
-19C
-195
F I G U R E 2 . 20 ( c o n t i n u e d )
AUTOMATIC I I E L I A B I L I T V MATH MODIiL PAGE
ARMM APPll-ICATlOIt PROBLEM OOOOOCC<)0. 1900 (IQOC-OC

COMPONtliiT FAILURE SUPPORTED WEIGHT DEPENDENT (lEPTJ-
ID NUM InCLATURfc RATf FUNCTION ID FACTCR COMP. ID CChTRCJ.
I
• 10
-20C
-205
-21C
165.0(1 CHECK V/iLVE C-l 0.2500(IOOOE 0 0 1.00
30
170
35
-18C
50
55
I
80
85
170.0(1 CHECK *ALVE C'-l O.lOOOdOOOE 0 1 1.00
60
165
85
-175
90
l?5,0
80
85
FIGURE 2 . 2 0 (continued)
180.0(1 CHECK V/iLVt C « - 2 O.IOOOOOOOE 01 1.00 -0^
70 l.CCC
I 175
i 85 3.COO
! " 3.000
185.0(1 CHECK *ALVE C - i 0.2500(IO00E 00 1.00 i 80 -0
3.COG
-19C .
III 11
68Z9srezto 6 » l 9 S t C Z I 0
)
6 8 4aC£ f E C t 0
I
6 t i 9 S t t Z l »
fI
* c r c z I 0 « t z * ; r c c i 6 > z 9 : r c z i o
'B3'
-195
I
« s r c S 1 0 6 f l 9 S t t t l 6 8 i : 9 £ r E S 1 0 6 8 / 9 £ » E 2 1 0 d 8 Z 9 S » ' E Z 1 0
90 ,3.C0C it/VS-tCtlt 6*i t t »
vO 6 8 Z 9 S r e Z 1 0|6 8 l 9 S * Z l l O
II ^1 )
-205
-21C
I9(|»aii .\IALVE f - J O.IOOOOOOOE 02 I.00 jrC ,
80 3.0CC
-195
85 3.000
-20C
90 3.000
^05- „ J
/lUTOMATIC (tELIABILITY MATH MODEL PAGE
ARMNI A P P i l C A T I O N — PROBLEM I ], OCCOO C(t)0, 19C0 (!OOC-CC

COMPONt.li" FAILURE B SyPPURTEC WEIGHT l|)EPEKDENT KEPTh
ID NOMttflCLATURfc RATE FUNCTION I C 'FACTOR OMP. ID CCMRCL
i
• 10 I
-21C
195.0(1 VALVE y- 0.1000(30006 02 1.00 -0
80 3.COO
-20C
85 3.0CC
-205
90 3.000
-21C
200.0(1 VALVE V O.1OOO0OOOE 02 I 1.00
75 l.COO
1
80 l.CCC
4^
85 1.000
90 l.COO
205.00 VALVE V - 6 O.lOOOtilOOOt 0 2 1.00
75 l.COO
8C l.OCC
85 l.COO
90 l.CCC
210.0(1 VALVE V - 7 O.lOOOdOOOE 02 ' 1.00 -Q
75 I.000
8C l.COO
85 l.COC
90 1.000
>,UTOHATIC flELIABILITV MATH MODIJL PAGE
ARMM APPI.ICATIOM — PftOBLEM OOOOOCOO, 1900 0OOC-OC

TIM SCHEDULE
IMTfcHlVAL TIME FUNCriQN i l A I E CHAN(f ES (- FOft OFF)

ID
IV
(I.
Ui
-35 - 50 -51i -65 -85 -90
72(1.000
-iO 35 -8(1 85
72J . 0 0 0
-35 50 55 65 -85 9C
-0 74S.000
JiUTOMATIC liELIABlLITV MATH MODIIL PAGE
ARMM APP ICATION — PROBLEM'\. OCOOOCOO, 19C0
JfaOBABILl r OF MISSUIN SUCCESi PRIOR THI INTERVAL = O.IOOOOOOOE 01
COMPUNENT FAILURE C(iMBINATIOlil$ I«£ INTERVAL 1 P(F) FUNCT Illf
NO.
O.14:!99395E-03 5
105
0.71{IA89g4E-G2 10
110
0.71848994E-C2 10
115
0.60371129E-05 -25
t\) 120
130^
0.51&22778E-04 20
120 125
0.60371129E-05 -25
125
130<,
0.60i69952E-04 -80
t35
155<,
0.15(l8C222E-05 -ec
135
185:.
0.60].69852E-04 -£Q
135
I90i,
0.fc0].69852E-04
135
195;.
0.20!i62628E-03 3Q
135 145
0.5K.17409C-05 30
135 175
0.6C1.69952E-04 -8Q.
i.45
155^,
O.15()8C222E-01,
145
185;;
i 0.601.69852E-G4 ^€0
6 8 i 9 t f C Z l O 6 » i . 9 s t e t i o 6 B i 9 s * t i no 6 B i 9 S t t l l O 6 t l 9 S t C Z l O 6 » i 9 S r C l l O 6 a i C 9 : r c z i o 6 8 i 9 s r e j i o 68Z9:rczi(t « S i» s» c
145
I
sO 190S
-J
 C Z 1 0 6 8 Z 9 5 t ' E J [ 0 6 8 i 9 S » C I I 0
0.6C169a52E-04 . -JBd
6 S l 9 i t t l I0 6 8 Z 9 S > E I t « 6 8 / » S * e
145 I I 1 I
195$
0.51<a7409£-05 3a
145 165
O.15()8C222E-05 -€0
165
I55i.
0.37795139E-07 -80
165
i8'i:.
0.15(l80222E-05 -80
165
i9o;.
0.15()8C222E-05
165
195:i
0.12<I57278E-C6
165 175
0.15()80222E-05
175
155;,
0.37795139E-07
175
185;;
0.15()8C222E-05
175
i9o;;
0.15(ia0222E-05
175
195;.
0.29''(8614GE-05
200 205 210
ACCUMULATIVE MISSION FAILURE THIS INTERVAL = 0.1!;080514E-01.
/iUrOMATIC (LELIABILIT> MATH MODEL
ARMM A P P i . I C A H O l i — PROBLEM
TIME INTER\'AL 1
FUNCTI OH 10 FUNCT ON NAME PROBABILITY OF FljJNG TION FAILURE PLRCENT CF
5 WATER TANK 0 . 1 4 3 1 4 7 6 0 E-03
10 SUPPLV VALV/tS 0 . 1 4 2 8 5 3 38E-01
20 TRANSf ORMERS 0 . 5 1 3 1 9 3 57E-04
-25 BUS T c 0 . 1 2 0 0 3 50E-04
30 PUMPS INT 0 . 2 1 4 8 0 9 2 9 E-03
75 HfcADEf, VALVES 0 . 2 9 3 1 2 « l 30t-05
-80 STANDI Y PUMP,INT 1 0 . 3 7 0 9 6 5 5 5 E -03
MAJOR CONTRIBUTORS TO SYSTEM UNRELIABILITY

(pHPONENT CCiMBINATIOfii. PROBABILITY
115
I
0.7184)!994E-02
11 J
0.7184(l994E-02
133 145
0.2056;!628E-03
'.05
0.14394395E-03
145 155 I
0.6016<^852E-04
135 190
0.60l6^852£-04
135 155
0.6016<?852E-04
145 190
0.6016^852E-04
135 l'J5
I
0.6016^852E-04
145 195
0.60169852E-04
F I G U R E 2. 20 ( c o n t i n u e d )
ikUTOMATIC I I E L I A B I L I T V MATH MODEL PAGE-
ARMM APPLICATION PROBLEM OOOOOOOO, a 9 C 0 JIOOQ-OO

riME INTER\'AL
(fOMPONENf CONTRIBUTIOHS TO UNRELIABILITY
COMPONENI FAILURE SERIAL ERIAL ;;ERIAL SYSVEM SYSTEIf SYSTEM

ID NAME lflATt»10**6 PR08ABI I T Y ERCENT l|(ANK PROBABILITY PERCENT RAMIL
105.00 •ANK T 0.10 0.139806 $ 8 E - 0 3 .1416 12 .14:il4760E-03 C.9492 5
110.00 VALVE V - 1 5.00 0.6.99032')2E - 0 2 .0822 6 .71-»26693£-C2 47»3636- 1
115.00 \IM\JE V - 2 5.00 0.699032 2 E - 0 2 .0822 7 .7P»26693E-02 47.3636 2
120.00 "UANSFORM Ef- X - 1 5.00 0.699032 «I2IE-02 .0822 8 .29«)46557E-04 £.1986 9
125.00 '.AÎSF0R^C X-2 5.00 0.6990312M 2 E - 0 2 .0822 9 .29«»46557£-04 C.I986 10
130.00 hUS T I E B- 2.00 0. (f. 0 .34:!95023E-05 C.0227 11
135.00 CUMP P - 1 10.00 0.139806?8C-01 I^h.l643 1 .19II4C197E-03 1.3156 3
140.00 I'UMP P ' - l 5.00 0. (I. 0 C. iJ
145.00 PUMP P - 2 10.00 0.139806$8E-01 1^^.1643 2 19(l40197E-03 1.3156 4
150.00 PUMP P ' - 2 5.00 C. 0 C. C
155.00 l-UMP P-i 10.00 0. 0 .62 4 1 3 8 2 E - 0 4 C.4160 6
160.00 I'UMP P ' - 3 5.00 0. 0 C. -0
165.00 CHECK VAL-vr: C - l 0.25 0.34951646C - 0 3 0.3541 10 ,3 l $ 0 4 2 7 8 E - 0 6 C.C021 15
170.00 (HECK VALVL C ' - l I.00 0. 0 C. 0^
175.00 CHECK VALVI C-2 0.25 0.34951646E - 0 3 0.3541 11 31(l04277E-06 C.C021 16
180.00 CHECK VALVL C«-2 1.00 0. 0 C. . - 0-
185.00 CHECK VALV? C-3 0.25 0. 0 .11 70268E-06 C.0007 17
190.00 UALVE V - 3 10-00 0. 0 . 6 2 t 4 1 382E-04 C.4l6a _ - J7-
195.00 UALVE V - 4 10.00 0. 0 .62 741382E-04 C.4160 8
200.00 IfALVE V - 5 10.00 0.1398064 8E-0I .1643 3 .97 0 9 4 3 6 E - 0 6 C.C065 12
205.00 VALVE V - 6 10.00 0.139a0658L - 0 1 I* . 1 6 4 3 4 .97Y 0 9 4 3 6 E - 0 6 C.0065 13
210.00 VALVE V - 7 10.00 0.13980 6!i8C - 0 1 .1643 5 . 9 7709436E-06 £.43065 - -_ 1 4 -
iiUTOMATIC f l E L I A B I L I T V MATH MODEL
ARMM APP ICATtON^ PROBLEM ].. OOOOOCOO
IftiOBABILir OF MISSICjIN SUCCESS PRIOR FHI;, INTERVAL 0 . 9 8 4 9 1 9 4 8 E 00
COMPONENT FAILURE CCIMB I N A T I O i i TIME INTERVAL 2 ff{F)
0.19<l999gaE-06
105
0.99999706E-05
llO
0.99'l99706E-05
115
0.1166C158E-1C
120
130;.
0.99<I99412E-1C
120 125
0.11660158E-1C
125
0.99^99412E-1C
130$
0.99999412E-1C
140 150
0.19'i95929E-lC
140 160
0.49999S44E-11
140 170
140 175
0.49999944E-11 -85
140 185
0.19'I99824E-C9 -85
140 190
0.19<)99824E-09 -85
140 195
0.99<l9g412E-lC -85
150 160
0.49<I99944E-11 35
150 165
0.19<I99929E-1C -85
1
1—'
o 150 po I •'I 0.49<I99844E-11 -85
6 8 ^ 7 S y C Z L 0 6 8 Z 9 C I ' C 2 1 0 6 t l 9 5 r C Z l 6az9:i'c:io 6 8 / 9 C > C : 10 6 8 Z 9 : ^ C 2 1 0 6 8 Z 9 S r C Z 1 0 6 B Z 9 S r E Z 1 0 6 8 / 9 s r c : i o 6 8 Z 9 s y e
150 185
0.19999824E-C9 -85
l^tj' I a w 'i l l 9 S * t l i B 6«Z»S»-Eei 6 « Z 9 : » C {

/
10 6 S Z 9 S > C : i O 6 8 ^ 9 ; > C Z 1 0 6 8 Z 9 S » C i l O 68^9ffrC2lO e s i v t r E J i O 6 B i 9 s • e
il HI ) 0.19«199924E-09 -85
150 195
0.49<)99944E-11 35
ibd 165 1
0.49<)99844E-11 35
* r
im 11^ '
0.24^99991E-12 35
n V ^ * 1^ ^ 1°
165 175 t.
0.24099991E-12 -es
16S las
0.99099397E-11 -85
,
165 190
0.99<)99397E-11 -85
2-103
16S i95
0.'24<I99991E-12 -85
ITS taf
' 0.99<I99397E-11 -85
175 190
0.99<)99397E-11 •85
175 195
i .CCUMULATn 'g WISSIDI^ P A I i U R E Tla s INTERVi\L * O.2(j»2O1167C-0f
F I G U R E 2 . 2 0 (continued)
/lUTOMATIC f t E L I A B I L I T V MATH MODIiL PAGE-
ARMM APPLICATIOM PROBLEM] 000000(0, 19C0 t

TIME INTER\'AL
FUNCTION ID FUNCTl ON NAMc ' PROBABILITY OF Fl|)NCTION FAILURE PIIRCENT CF SYSTEM FAItURE
5 WATER lAMK I 0.19698 82E-06 Q.99C
10 SUPPLY V A L V E S i 0 . 1 9 6 9 8;i26E-- 0 4 99.003
20 TRANSf ORMERS ] 0.98490ft43E - 1 0 C.OOO
-25 BUS T fc ' 0.22968$ llE-10 O.COO
35 PUMPS INT i 0.11843 $29E-09 O.COl
-85 STANDS Y P U M P . I N t 2 0.107404 04E-08 G.C05
MAJOR CCNTRIBUTqiRS TO SYSTEM UNRELI a i L I T Y

COMPONENr CtlMBINATIO.Sl! PR03A8 L I T Y PERCEIIT
115
0.9999<) 7 0 6 E - 0 5 49.50nl
110
0.99999 706E-05 49.50^(1
105
0.1999999 8E-06 0.99(11
140 190
0 . 1 9 9 9 < I 8 2 4 E- 0 9 c.oc:.o
150 190
0.19g9<l 8 2 4 E - 0 9 o.ooio
140 195
0.1999<l 824E-09 0.0010
150 195
0.1999M82 4E-09 o.oo:.o
140 160
0.9999<l 412E-1C 0.0005
120 125
0.9999*1412E-10 O.OCdS
140 150
0 . 9 9 9 9 < I 4 12E-1C O.OCdSL

/lUTQMATIC I t E L I A B I L I T V MATFH MOCltl PAGE 12
ARMM APPLICATION — PRCiBLEM I . OCOOOOipO, 1 9 0 0 000-00
riME INTER\'AL
IfOMPONENT CtlNTRieUTIONS TO U N R E L I A B I L I T Y
COMPONEN FAILURE SERIAL ;;ERIAL ;iERIAL SYSTEM SYSTEM

iO riA,*! E lltATfc*10«*6 PRCBABI I T Y PERCENT ilANK PRC ABILITY PERCENt
105.00 ANK T 0.10 0 . 1 8 0 2 5 0(j)6E-06 0.1138 18 .19^ 98283£-0e C.99C0
110.00 VALV £ V - 1 5.00 0 . 9 C 1 2 5 0 ;i4E-05 fi.6915 6 .98 91137E-C5 49.5017
115.00 VALV E V - 2 5.00 0.901250 34E-05 5.6915 7 .918^19]1137E-05 49.5017
120.00 T.IAN SFORKEf: X-1 5.00 0.901250 4E-05 6915 8 .5i7^f4<8462E-1C C.C003
125.00 UN SFOKM'.Efl X-2 5.00 0.90125 034C-05 5.6915 9 .57448462E-1C C.00C3
130.00 A US T I E B - 2-00 0. 0 .65 24319E-11 C.OOCO
135.00 ("UMP P - 1 10.00 0. 0 C.
140.00 PUMP P ' - l 5.00 0.901 250:i4C-05 6915 10 .2556C687E-09 C.C013
145.00 1>UMP P-2 10.00 0. O. 0 C.
150.00 PUMP P ' - 2 5.00 0.9C1250 ; i 4 E - 0 5 !i.6915 11 25!i6C688E-C9 C.C013
155.00 PUMP P - J 10.00 0. fl. 0 C.
160.00 i'UKP P « - 3 5.00 0.901250 34E-05 !i.69I5 12 ,1C a7095E-09 C.C0C5
165.00 (.HEC K VALVS: C-l 0.25 0.450625 7E-06 0.2846 15 .11 56768E-11 C.COCO
170.00 (.HEC VALV C'-l 1.00 0.180250(t> / C - 0 5 1..1383 13 .32 30358E-11 C.OOCO
175.00 CHEC VALVi: C-2 0.25 0 . 4 5 0 6 2 5 7C-06 (1.2846 16 11 56768E-11 C.COCO
180.00 (.NEC VALVI C '-2 1.00 0 . 1 8 0 2 5 007 05 i.l383 14 .32$ 30358E-11 C.OOCO
185.00 CHEC VALVS; C-3 0.25 0.450625 7C-06 .2846 17 .71 2338CE-12 C.OOCO
190-00 VALV V-3 10.00 0.180250(1> 7 E - 0 4 11 .3830 1 .28 85921E-09 C.C014
195.00 VALV V-4 10.00 0.180250(1 7E-04 1 .3830 2 .28 85921E-09 C.C014
200.00 \rALV V-5 10.00 0.180250(1) 7E-04 1 .3830 3 c.
205.00 \'ALV V-6 10.00 0 . 1 8 0 2 5 0(jl7E-04 1 .3830 4 c.
210.00 \fALV V-7 10.00 0.180 250d7E-04 1 .3830 5 c.
/lUTOMATIC RELIABILITY MATH MODIiL PAGE 13
ARMM APP ICATION. PROBLEM OCOOOC<]0, 1900 6QD0-CC
I^ROBABlLir OF MISSION SUCCES PRIOR THI!. INTERVAL 0.984«19959E 00
COMPONENI f-AILURE COMB INATIO (»;. TIME INTERVAL PIF) FUNCTl I;N
NO.
0.47<l99931E-05 5
105
0.23<l9e32CE-03 IC
110
0.23^9832GE-03 IC
115
0 . 6 ? .9132CE-08 -25
120
13O:;
0.57591935E-07 20
120 125
0.67191320E-08 •25
125
13O:;
0.13n21C97E-lC -90
44Q >50 1*0

0.69J.1CC79E-12 -90
440 ,150
0.27<)4C258E-1C -90
i f
* / % o -^
0.27<i4C258E-lC -90
4a 150 Wt ''
0.69ilCC79E-12 50
i40^ 160 ITS.

CNJ 0.1i;il9032E-07 -60
o 140 170
0.34!i57337E~13 -90
140 175 •feisty

0.13{I21C48E-11 -90
140 175 190

0.13021C48E-11 -9C
140 175 195

0.11?il9G32E-07 -70
150 . 1 8 0
f f
, 6 » Z 9 S r C Z l 0 6 e i 9 S V C l [ 0 6 H I 9 S f
« 8 Z 9 S * ' C Z 1
»cco«uiaf ive« f«55)icw f ailURe= TrtlS' ItiTERV^t' *=' = - O'.4<8'4«OtD5'3'C'^'0°3^f^
/lUTOMATIC f l E L I A B I L I T V MATH MODIiL PAGE
ARMM APPLICATION PROBLEM 1.. OCOOOCOO, 19C0 C
riME INTERVAL
FUNCT 10,^ ID FUNCT ON NAME PROBABILITY OF F O N C T I O N FAILURE PERCENT CF SYSTEM F A U U R E

5 WATfcR FANK 0 .. 4 7 2 6 9 ; ! 6 2 £ - 0 5 0.990
10 SUPPav VALVES 0.47266(1)2 l E - 0 3 93.991
20 TRANSr ORMfcRS 0.567152 54E-07 C.C12
-25 BUS T e 0 . 1L3233"'03E - 0 7 0.003
50 PUMPS INT ? 0.68058(|)66E-12 0.000
-60 CHECK VALVE C '-I-1 0.11343<.86E- 07 0.C02
-70 CHECK VALVE C * 0.11343 8 6 E - 0 7 C.C02
-90 STANDii Y PUMP.I.^n 0.7148647 1 E - 1 0 O.COO
MAJOR CONTRIBUTIPRS TO SYSTEM UNRELI B I L I T Y

dlMPONENI CtiMBINATION!, PROBAB L I T Y PERCENT
115
ro 0.2399 320E-03 49.49!)4
110
o 0.2399 $320E-03 49.49!i4
00 105
0 . 4 7 9 9 <»9:3 1 E - 0 5 0.9900
120 125
0.5759 935E-07 0.01.9
140 1 10
0 . 1 1 5 1<I0 3 2 E - 0 7 0.0C;!4
150 180
0.1151 $032£-07 0.0C:!4
125 130
0.6719 320E-0e 0.0C].4
120 130
0.6719 320E-08 o.oc:.4
140 150 195
0 . 2 7 6 4 0 258E-1C O.OCDO
140 150 190
0 . 2 ;764(!25 8E-1C O.CCCO
iiUTOMATIC f l l E L I A B I L I T Y MATH MODEL PAGE 15
OOOOOCOO, 19CQ dOOC-GC

riME INTERVAL
4(|)MPaNENr C()NTRiaUTIOr|;S TO U N R E I i l A B I L I T Y
FAILURE SERIAL SERIAL :;ERIA L SYSr EM SYSTEM SYSTEI*

l)LAT£«10»*6 PROBABI ITY PERCENT j|(ANK PRC8 ABILITY PERCENT RAKK
0.10 0.432014 3E-05 0.1138 18 0.47;:69262E-C5 C.99C0 3
5.00 0 . 2 1 6 0 0 73 7 C - 0 3 5.6915 6 0.23 33011E-03 49.4953 1
5.00 0 . 2 1 6 0 0 7:i7E - 0 3 5.6915 7 0.23 33C11E-03 49.4953 2
5.00 0.2160073 7E:-03 .6915 8 0.33 83949E-07 C.C069 4
5.00 0.2160073 7E-03 .6915 9 0.33 8394SE-C? C.C069 5
2.00 0. • 0 0.37 1C58CE-08 C.CQC8 8
10.00 0. 0. 0 0. C. 0
5.00 0.2 l6007:i7E-03 ?i.6915 10 0.94 V 2 8 C 5 3 E - 0 8 C.0020 6
10.00 0. 0. 0 0. C. C
5.00 0 . 2 1 6 0 0 7 ;i7E-03 f«.6915 11 0.94 1 5 5 0 l E - 0 e C.CC2Q 7
10.00 0. (|>. 0 0. C. 0
5.00 0.216007 37C-03 6915 12 0.4(868 8 9 3 2 E - 1 1 C.COCO 13
0,25 0.1G8003^ 8E-04 (1).2846 15 0. c. C
1.00 0.432014 74C-04 1.1383 13 0.18 C6143E-08 C.C0C4 9
0.25 0.1080036 8C-04 0.2846 16 0.62 7152CE-13 C.COCO 14
1.00 0.432014^ 4C-04 i.l383 14 0.18 06143t-08 C.C004 IC
0.25 0.1C800 368E--04 .2846 17 0.18 46405E-13 C.OOCO 15
10.00 0.43201 474E-03 .3830 1 0.14 $02258E-1C C.COCO 11
10.00 0 . 4 3 2 0 1 474E-03 .3830 2 0.14 02258E-10 C.COCO 12
10.00 0 . 4 3 2 0 1 41'4E-03 .3830 3 0. C. C
10.00 0 . 4 3 2 0 1 474E-03 .3830 4 0. c. C
10.00 0.432014 •'4E-03 .3830 5 0. c. 0
iiUTQMATIC H E L I A B I L I T ^ ' MATH MODIiL PAGE 16
Ama AI'HI.tCAJKllt. ^ JPHOBLEM occocc<:o, 1900 tOCC-QO

SU MMARY
IfLQBABILITY CF SYSTEM FAILURE = 0.155778<)0E-0l
t»f:OBABIHTY OF SYSTEM SUCCESS = 0.98^(42210
FUNCTlOfl ID FUNCTi ON NAME PROBABI LITY OF FUNCTION FAILURE PERCENT OF SYSTEM FAILURE RANK
5 WATER TANK 0. 14806«l21E-03 0.951 4
10 SUPPLV VALVfcS 0. 1477 7 ' i 6 7 E - 0 1 94.863 I
20 TR AN SI OR MERS 0. 51376 : . 4 2 E - 0 4 0.330 5
-25 BUS T] e 0,.1 2 0 1 6 5 0 8 E - 0 4 0.077 6
30 PUMPS 0. -03 1.379 3
35 PUMPS
IMT \ 0. 11 8 4 3 ^ 9 0 E - 0 9 O.CCO 11
INT ^ 0.6802 507]l E - 1 2
50 PUMPS
INI 3 C.CCO 13
-60 CHECK VALVE C'|l 0. 11338 8 7 E - 0 7 O.CCO 8
-70 CHECK VALVE C'-*2 0. 11338 t 8 7 E - 0 7 O.COO 9
75 HIEAOEi. VALVLS 0.29312$ 3 0 E - 0 5 0.C19 7
-80 STANDL Y PUMP.Ifill 1 0.37096 5 5 E - 0 3 2.381 2
-85 STANDS. Y PUMP.Iffir 2 0. 10740 1 8 7 E - 0 8 O.CCO 10
-90 STANDI Y PUMP.INV 3 0.71451$ 1 4 E - 1 0 O.COO 12
iiUTOMATIC f t E L I A B I L I T V MATH MODEL PAJEE^ „
mm AI»RJ.l£AJLOIt. ^ fftOBLEM 00000000, i9C0

SUMMARY
MAJOR CONTRIBUT(j)RS TO SYStEM UNRELI B I L I T Y

c4)r»>ai'Bi I CIIMBINATIONii PROBAB L I T Y PERCEIHT
0.74341! a 2 5 E - 0 2 4 7 , 4 (3;! 3
m 4 7 * 4i l i ! 3^
0.7434882 5 E - 0 2
m 145
0 ..2056;!62 8 E - 0 3 1.3118
403
I 0.1489$ 394E-03 0.95(15
135 155
0 . 6 0 1L6«l 8 5 2 E - 0 4 0.38;i9
145 190
0.6016$8 5 2 E - 0 4 o.3e:i9
1^3 190
0 . 6 0 1L6«l 8 5 2 E - 0 4 0.38^19
135 l ^
0.6016 852E-04 0.38:19
145 155
0 . 6 0 1L6<l 8 5 2 E - 0 4 0.38;i9
*S 195
0.60169 852E-04 o.3e;i9
AUTOMATIC itELiABiLiTt MATH MODEL J»AG6 Ifi _
ARMM APPl.ICATIOli - - PROBLEM OCCOOGÔ, 4 9 0 0 . -ioOCferOO

SUMMARY
Cf(t)MPUN£NT CflJNTRIBUTIOJlS TO U N R E L I A B I L I T Y
COMPONENT FAILURE SERIAL !.ERIAL ;;ERIA L SYSTEM SYSTEM SYSTEIf

10 NAME MT£»10»«6 PROBABI ITY PERCENT lltANK PROBABILITY -PERCE N"
105.00 • ANK T 0.10 0.1442240 7 E - 0 3 1405 17 0.14II0715IE-03 C.95C5 5
110.00 VALVE V - 1 5.00 0.721120 J 6 C - 0 2 "'.0246 6 0.73(l8848SE-i)lJ 4^7**316J _. . a -
115.00 VALVE V - 2 5.00 0.721120 3 6 E - 0 2 r.0246 7 0.73II88485E-02 47.4316 2
120.00 RANSFORMEft X-1 5.00 0.721120$ 6 E - 0 2 •'.0246 8 0.29<)79698E-04 C.1925L - - 9-
125.00 RANSFORMEL X-2 5.00 0.721 1 2 0 3 6 E - 0 2 •'.0246 9 0.29<l79698E-04 C.1925 IC
130.00 KUS T I E B - 2.00 0. (I. 0 0.34:i32899E-05 C.022Q. - U_
135.00 I'UMP P - l 10.00 0 . 1 3 9 3 8J4:i4E-01 13.5777 4 0.19«I40197E-C3 1.2736 3
140.00 I'UMP P ' - l 5.00 0 . 2 41986 'OE-03 .2357 14 0.97:!84122E-08 C.COCl
145.00 l»UMP ?-2 10.00 0.139 3 8 4 i ! 4 E - 0 1 l-l .5777 5 0.19II4C197E-03 1.2736 4
150.00 PUMP p i - 2 5.00 0 . 2 4 1 9 8 6 'OC-03 .2357 15 0.97;!7157CE-08 C.OOOl _ - 19-
155,00 I'UMP P-3 10.00 0. 0 0.62 '41382E-04 €.4028 8
160.00 PUMP P « - 3 5.00 0 . 2 4 1 9 8 6 •'OE-03 .2357 16 0.1i;!739e5E-09 C.OOCO - 22 -
165,00 (HECK VALVI C-l 0.25 0 . 3 6 0 5 6 0 8C-03 .3512 12 0.3H)04397E-06 C.C020 16
170.00 CHECK VALVL C'-l I.00 0 . 4 (83973î0E - 0 4 .0471 18 0.18<l38973E-08 C.OOCOj -. - 20 ^
175.00 (HECK VALVI C-2 0.25 0.360560 8E-03 .3512 13 0.31(I04403E-C6 C.0020 15
180.00 CHECK VALVL C'-2 1.00 0 . 4 8 3 9 7 3îOE-- 0 4 .0471 19 0.18M38973E-C8 c.ooca - - 21-
185.00 (.HECK VALVI C-3 0.25 0.1. 2 0 9 9 3 a 5 E - 0 4 .0118 20 0.11()7C342E-06 C.C0C7 17
190.00 VALVE V - 3 10.00 0 . 4• 83973-.0E- 0 3 .4714 10 0.62'41677E-04 €.4028-1 J6^
195.00 VALVE V - 4 10.00 0.48397 340E-03 .4714 11 0.62 '41677E-04 C.4028 7
200.00 VALVE V - 5 10.00 0.14422 4(i»7E-01 l^( .0491 1 0.97 '09436E-04 C.JC063. -12.
205.00 VALVE V - 6 10.00 0.14422;4() 7 E - 0 1 I ' h .0491 2 0 . 9 7 'C9436E-06 C.C063 13
2 1 0 . 0 0 VALVE V - 7 10.00 0 . 1L44224(I7E - 0 1 .0491 3 0.97709436E-06 €.0063
rOTAL SER :AL UNRELIABILITY 0.1L02657d4E 00
iiUTOMATIC I I E L I A B I L I T Y MATH MODEL
PROBLEM';
SUMMARY
i NDEX
•NPUf
OUTPljll
INTER\'AL 1 ( 0. TO 720.00(1
INTERVAL 2 ( 720.COO TO 721.00(1
INTERVAL 3 I 7 2 1 . 0 0 0 TO 745.00(1
NUMBER (IF COMBINATIONS CONSIDERED 260
NUMBER (IF FAILURE TERMS CAL(tULATED-= 72
NUMBER (iF COMBINATIONS WRITTEN 71

PHI = d.156747351 -01
/.UTOMATIC llELIABILITI' MATH MODIiL
ARMM A P P i l C A T l O l t - - 4 PROBLEM
-ILLUSTRA TION OF AfliMM APPLIC/.T I O N —
PROBLEM I ARMM AiPP LICATIQN 0 A SAMPLE SYSTEM-
PROBLEM 4 EXAMPLE use Cr PAUtT lAL DATA OPTION.
IIUM8ER OF COMPONENTS NUMBER OF TIME !NTERVALS

2 3
MIJM8ER OF JUNCTIONS NUMBER OF INTEGRATI(])N INTERVALS

S 2
MAXII|IUM NUMBER OF COMPONENT. REINITIAL ) ZE

F'VILEO AT A TIME INDICATOR
2 1
FIGURE 2.21
C O M P U T E R O U T P U T SUMMARY
/.UTOMATIC IIELIABILITY MATH MODEL PAGE 17
ARMM APPLICATION PRUBLEM OCGOOC0O. 19C0 ooc-cc

SU MMARY
IfltOBABUnY CF SYSTEM FAILURE = 0.1l8483|6E-03
I
PROBABILITY CF SYSTEM SUCCESS = 0.9g<p88l51
tN)
I
FUNCriON !D FUNCT] ON NAMt PROBABILITY OF FllJNCTION FAILURE PERCENT CF iYSTCH F A l l U R E RANK
5 WATbR TANK 0.38239 74E-04 I j 32.274 1
10 SUPPLY VALVES 0.11377681E-04 9.603 5
20 TRAMSf ORMERi 0.2847 lioiE-05 1 2.403 6
-25 BUS T] E 0.66470 02E-06 ' { C.561 7
30 PUMPS, INT 0.11711 fi39E-04 9.885 4
35 PUMPS, INT 0.12023563E-09 C.CCO 11
50 PUMPS INT 0.69100 a5E-12 O.CCC 13
-60 CHECK VALVE C 0.1151 7400E-07 C.CIC 8
-70 CHECK VALVE C 0.1151 7400E-07 O.CIO 9
75 HEAOEf, VALVES 0.33440 33E-04 29.224 2
-80 STANDI. Y PUMP,I 0.20177 2 6 E - 0 4 17.C3C 3
-85 STANDE Y PUMP,I 0.10903 4 i 6 9 E - 0 8 C.CCl IC
-90 STANDI. Y PUMP,I 0.72581 9 1 6 - 1 0 C.CCO 12

iiUTOMATIC IIELIABILITV MATH MQDIIL
ARMM APPJ.lCAJlCtt. J>(tt)aLi:l1

SUMMARY
MAJOR CONITRiaUTORS TO SYST EM UNRELIABILITY

JMPnN e*JT CllMBINATION'i PROaABJLITY
105
0.3359<I662E-0A
110 115
O.H<»g^232E-04
iOO 210
0.1126|496E-04
20 Q 205
0.11267A96E-04
135 145
0.ll26t496E-0'*
205 210 I
0.11267496E-0A
135 190
0.3288^51lE-05
135 195 I
0.3288^511E-05
IA5 190
0.32888511E-05
135 155
0.32886511E-05

i J. I i
/>U1CMATIC liELIABILITY MATH MODEL PAGE
ARMM A P P L I C A T I O N PROBLEM :\. OCOOOCDO, 1900 (lOOC-CC

SUMMARY
(fOMPONENT CONTRIBUTIOtIS TO U N R E L I A B I L I T Y
uUMPONENI' tÂILUKE SERIAL $ERIAL SERIA L SVST EK SYSTEM

10 NAME ()tATfc»lO»«6 PRODABIL ITY (j-ERCENT RANK PRCB ABILIT Y FERCEN'
105.00 ANK r 0.10 0.381756()l E - 0 4 0.1207 19 0.382 3g60CE -04 32.2742
110.00 UALVE V - l 10-00 0.3817566 3C-02 12.0723 1 0.5f8 88412E -05 4.8014
115.00 UALVE V - 2 10.00 0-3817566 3E-02 1?.0723 2 0.568 8e412E -05 4.8014
120.00 "lUNSFORMEf, X-1 5.00 0.1908783 lC-02 $.0361 8 0.166 09742E -05 1.4019
125.00 ilANSFORME X-2 5.00 0.l90878i l E - 0 2 6.0361 9 0.166 09742E -05 1.4019
I 130.00 flUS T I E B - 2.00 0. 1 (?. ! 0 0.189 91517E -C6 C.16C3
135.00 CUMP P - i 10.00 0.3323062 10.5085 6 0.1C8 C5541E -04 9.1199
140.00 I'UMP P ' - l 5.00 0.2472517 0.7819 12 0.987 74133E -06 C.0083
^ 145.00 I'SJFP P - ^ 0.332306? 0.1C8 05;41E -04
10.00 10.5085 7 9.1199
150.00 5.00 0.247251^ 0.7819 13 0.S87 61366E -ce c-coea
155.00 I'UMP P-i 10-00 0. 0 0.341 24919E -05 2.88C1
160.00 PUMP P»-3 5.00 0.247251 0.7819 14 0.114 45421E -09 c.cooi
165.00 CHECK VALVt C-1 0.25 0.954391 (t).3018 15 0.172 68C23E 07 C-0146
170.00 4;HECK VALVL C«-I 1.00 0.494503 (t).1564 0.192 2gC94E -06 C.C016
175.00 CHECK VALVE C-2 0.25 0.954391 0.3018 : 16 0.172 68C87E -07 C.0146
180.00 CHECK VALVi: C'-2 1.00 0.494503 0.1564 18 0.192 29094E -06 C.0016
185.00 CHECK VALvi C-3 0-25 0.123625 9.0391 20 0.6C0 68835E -08 C.0051
190.00 VALVE V-3 10.OO 0.494503 1.5638 , 10 0.341 27e27E 05 2.88C4
195.00 I'ALVE V-4 10-00 0.494503 1.5638 11 0.341 27327E -05 2.8804
200.00 \fALVE V-5 10.00 0.3817564 12.0723 . 3 0.111 46978E -04 9.4080
205.00 VALVE V-6 10.00 0.381756<. li.0723 I 4 o . i n 4697eE -04 9.4080
210.00 VALVE V-7 10.00 0.381756() 12.0723 5 O.lli 46g7eE -04 9.4080
TOTAL SEK AL U N R E L I A B I L I ""Y 0.316226(1

• A-1.0, N-5,000
• A "2.5, N = 6,000
A A-5.0, N =5,000
• A-10.0, N« 5,000
XT —
FIGURE 2.22
P(X T) AS A FUNCTION OF XT FOR SEVERAL VALUES OF A .
THE MODEL IS A T W O - O U T - O F - T H R E E SYSTEM WITH IDENTICAL
COMPONENTS AND NO REPAIR.
2-118
UNIT 3
GENERATOR
345kvGRID
(5 OUTSIDE LINES)
DIESEL
GENERATOR
BAB-52 -62
-TV
34.5kvLtMH
ON
BAB-Sl J
11 Ji i-ra - ^ T-8
i22—rv-j
BAB-K
JL
BAB-61
BUS5(4160Icv) BU5 6016O;cv)
PBAB-54 BAB
ulu.T-7
^BAB-2A BAB-i
r
BUS 2A^v)i
BU5 25^0v)
LESEND
T =« TRANSFORMERS
BAB >= BUS AIR CIRCUIT BREAKERS
F I G U R E 2. 23
(4)
SCHEMATIC OF DRESDEN-3 E M E R G E N C Y A-C P O W E R SYSTEM
2-119
& ^ @
FIGURE 2. 24
FAULT TREE FOP. DRESDEN-3 EMERGENCY A-C POWER SYSTEM
2-120
3000 57 250 1 ]L
4.20000E 04 l.COOOOE 00 l.OOOOOE 00 l.OOOOOE 00
l.OOOOOE 06 l.OOOOOE 07 I.IIOOOE 05 I.IIOOOE 05 l.OOOOOE 0^ l.OOOOOE 06
l.OOOOOE 06 I.IIOOOE 05 I.IIOOOE 05 l.OOOOOE 06 l.OOOOOE 06 2.OOOOOE 05
l.OOOOOE 06 I.IIOOOE 05 I.IIOOOE 05 l.OOOOOE 06 2.OOOOOE 05 l.OOOOOE 06
2.00000E 05 2.00000E 05 2.00000E 05 l.OOOOOE 05 l.OOOOOE 05 l.OOOOOE 06
l.OOOOOE 05 2.00000E 05 I.IIOOOE 05 I.IIOOOE 05 l.OOOOOE 06 2.OOOOOE 05
l.OOOOOE 05 2.oaooo£ 05 l.OOOOOE 05 2.00000E 05 2.OOOOOE 05 2.OOOOOE 06
l.OOOOOE 05 l.OOOOOE 06 l.OOOOOE 05 2.00000E 05 l.OOOOOE 05^ 2.OOOOOE 05
l.OOOOOE 05 l.OOOOOE 06 I.IIOOOE 05 I.IIOOOE 05 l.OOOOOE 06 2.OOOOOE 05
l.OOOOOE 05 2.00000E 05 l.OOOOOE 05 l.OOOOOE 06 I.IIOOOE 05 I.IIOOOE 05
l.OOOOOE 06 2.00000E 05 l.OOOOOE 05
l.OOOOOE 05 l.OOOOOE 05 l.OOOOOE 05 i.OOOOOE 05 l.OOOOOE 05 1.00000t 05
l.OOOOOE 05 I.OUOOOE 05 l.OOOOOE 05 l.OOOOOE 05 l.OOOOOE 05 l.OOOOOE 05
l.OOOOOE 05 l.OOOOOE 05 l.OOOOOE 05 I.OOOOOE 05 l.OOOOOE 05 l.OOOOOE 05
l.OOOOOE 05 l.OOOOOE 05 l.OOOOOE 05 l.OOOOOE 05 l.OOOOOE 05 l.OOOOOE 05
l.OOOOOE 05 l.OOOOOE 05 l.OOOOOE 05 l.OOOOOE 05 l.OOOOOE 05 i.oooooeo5
l.UOOOOE 05 l.OOOOOE 05 l.OOOOOE 05 l.OOOOOE 05 i.OOOOOE 05 l.OOOOOE-05
l.OOOOOE 05 l.OOOOOE 05 l.OOOOOE 05 l.OOOOOE 05 1.OOOOOe O S I.OOOOOE 05
I.00000 E--01 l.OOOOOE--01 l.OOOOOE--01 l.OOOOOE--01 l.OOOOOE-Ol- biOOOOOE-Olr
l.OOOOOt--01 l.OOOOOE--01 l.OOOOOE--01 l.OOOOOE--01 l.OOOOOE--01 l.OOOOOE-01
l.00000 E-•01 l.OOOOOE--Oi l.OOOOOE--01 l.OOOOOE--01 i.OOOOOEHM ir.O000OE-0t
1.00000 E--01 l.OOOOOE--01 l.OOOOOE--01 1.OOOOOE--01 l.OOOOOE--01 l.OOOOOE-Ol
1. 00000 E--01 l.OOOOOE--01 l.OOOOOE-01 1. OOOOOE--01 l.OOOOOE-Oi--l.OOOOOC-Ol
l.OOOOOE--01 l.OOOOOE--01 l.OOOOOE--01 i.OOOOOE--01 1.OOOOOE--01 l.OOOOOE-01
1.00000 E-•01 l.OOOOOE--01 l.OOOOOE--01 1 n/\j?vri/!^d_ 1 f\nf\nnr n1
i. . U U U U U C — U L
L.u u uuu c -U 1 1. uuuuuc XTX
1.00000E--01 l.OOOOOE--01 l.OOOOOE--01 l.OOOOOE--01 l.OOOOOE--01 l.OOOOOE-01
l.OOOOOE--01 l.OOOOOE-'01 l.OOOOOE--01 l.GOOOOE--Ol-t.OOOOOE"-Oir-±TO0OOOE-Ot
l.OOOOOE--01 l.OOOOOE--01 l.OOOOOE--01 l. OOOOOE--01 l.OOOOOE--01 l.OOOOOE-01
l.OOOOOE 00
0 0 0
F I G U R E 2 . 25
I N P U T DATA C A R D LISTING F O R S A M P L E C A L C U L A T I O N (ANALOG)
NTRIAL= 3000
IMX= 57
IM0INT= 250
NCONS« 1
NO. OF CRITICAL PATHS'
THAX« 0.42000E 05
AA- O.IOOOOE 0 1
BB= O.IOOOOE 0 1
CC= O.IOOOOE 0 1
FIGURE 2.26A
S A F T E - I SAMPLE CALCULATION OUTPUT
2-122
MTTF MTTR
O.IOOOOE 07 O.IOOOOE 06
O.lllOOE 06 O.IOOOOE 06
0.lOOOOE 05 O.IOOOOE 06
0.20000E 06 O.IOOOOE 06
0.20000E 06 O.IOOOOE 06
0.20000E 06 O.IOOOOE 06
0.20000E 06 O.IOOOOE 06
0.20000E 06 O.IOOOOE 06
0.20000E 06 O.IOOOOE 06
0-20000E 06 O.IOOOOE 06
0.20000E 06 O.IOOOOE 06
0.20000E 06 O.IOOOOE 06
0.20000E 06 O.IOOOOE 06
0.20000E 07 O.IOOOOE 06
0.20000E 06 O.IOOOOE 06
0.20000E 06 O.IOOOOE 06
0.20000E 06 O.IOOOOE 06
0.20000E 06 O.IOOOOE 06
0.20000E 06 O.IOOOOE 06
FIGURE 2.26B
2-123
SIG SIGl SIG2
0.lOOOOE 00 O.IOOOOE 00 O.IOOOOE 00
O.IOOOOE 00 O.IOOOOE 00 O.IOOOOE 00
O.IOOOOE 00 O.IOOOOE 00 O.IOOOOE 00'
O.IOOOOE 00 O.IOOOOE 00 O.lOOOOfc 00
O.IOOOOE 00 O.IOOOOE 00 0,lOOOOE 00
FIGURE 2. 26C
2-124
PROBABILITY OF SYSTEM FAILURE BEFORE TMAX- 0 . 2 5 4 6 7 E 00
SYSTEM FAILURE FREQUENCY

0. 0. 0. 0. 0.
0. 0. 0. 0. 0.
0. 0. 0. 0. 0.
0. 0. 0. 0. 0.
0. 0. 0. 0. 0.
0. 0. 0,l9841E-05 0. 0.
0. 0. 0. 0. 0.
0.39683E-05 0 . 0. 0. 0.19841E-05
0. 0. 0. 0.19841E-05 0.
0.19841E-05 0.19841E-05 0 . 0. 0.39683E-05
0. 0.19841E-05 0 . 0. 0.
0.19841E-05 0.19841E-05 0.19841E-05 0.79365E-05 0.19841E-05
0.39683E-05 0.39683E-05 0 . 0. 0.
0.39683E-05 0.19841E-05 0. 0. 0.39683E-05
0. 0.19841E-05 0. 0. 0.19841E-05
0.59524E-05 0.19841E-05 0 . 0. 0.19841E-05
0.39683E-05 0.39683E>05 0.59524E-05 0.59524E-05 0.39683E-05
0.19841E-05 0 . 0.39683E-05 0. 0.
0.39683F»05 0.59524E-05 0.39683E-05 0.99206E-05 0.99206E-05
0.79365E-05 0.19841E-05 0.59524E-05 0.19841E-05 0.59524E-05
0. 0.39683E-05 0.79365E-05 0.59524E-05 0.19841E-05
0.79365E-05 0.79365E-05 0.59524E-05 0.59524E-05 0.99206E-05
0.19841E-05 0.39683E-05 0.59524E-05 0.39683E-05 0.39683E-05
0.39683E-05 0.79365E-05 0.19841E-05 0.59524E-05 0.99206E-0S
0.19841E-05 0.19841E-05 O.99206E-0S 0.59524E-05 0.99206E-05
0.39683E-05 0.59524E>05 0.39683E-05 0.1I905E-04 0.59524E-05
0.39683E-05 0.39683E-05 0.39683E-05 0.79365E-05 0.79365E-05
0. 0.17857E-04 0.99206E-05 0.19841E-05 0.99206E-05
0.99206E-05 0.59524E-05 0.19841E-05 0.1984IE-05 0.39683E-05
0.19841E-05 0.79365E-05 0.99206E-05 0.39683E-05 0.79365E-05
0.79365E-05 0.99206E-05 0.11905E-04 0.39683E-05 0.15873E-04
0.1S873E-04 0.1190SE-04 0.59524E-05 0.99206E-05 0.79365E-05
0.99206E-05 0.11905E-04 0.17857E-04 0.15873E-04 0.79365E-05
0.11905E-04 0.79365E-05 0.79365E-05 0.11905E-04 0.39683E-05
0 . 1 1 9 0 5 E - 0 4 0.11905E<>04 0 . 7 9 3 6 5 E - 0 5 0.59524E-05 0.11905E-04
0 . 1 5 8 7 3 E - 0 4 0 . 138&9E-04 0 . 5 9 5 2 4 E - 0 5 0.99206E-05 0.13889E-04
0.79365E-05 0.39683E-05 0.79365E-05 0.99206E-05 0.19841E-05
0.99206E-05 0.79365E~05 0.79365E-05 0.59524E-05 0.39683E-05
0.79365E-05 0.11905E-04 0.99206E-05 0.79365E-05 0.99206E-05
0 , l l 9 0 5 E - 0 4 0.13889E-04 0.13889E-04 0.13889E-04 0.39683E-05
0.79365E-05 0.11905C-04 0.13889E-04 0.11905E-04 0.11905E-04
0.59524E-05 0.79365E-05 0.11905E-04 0.19841E-05 0.11905E-04
0.15873E-04 0.79365E-05 0.11905E-04 0.11905E-04 0.13889E-04
0.17857E-04 0.79365E-05 0.39683E-05 0.17857E-04 0.15873E-04
0.11905E-04 0.15873E-04 0.99206E-05 0.L1905E-04 0.59524E-05
0.39683E-05 0.19841E-04 0.15873E-04 0.11905E-04 0.99206E-05
0.79365E-05 0.15873E-04 0.13889E-04 0.79365E-05 0.13889E-04
0.79365E-05 0.99206E-0S 0.99206E-05 0.17857E-04 0.1190SE-04
0.79365E-05 0.11905E-04 0.99206E-05 0.99206E-05 0.17857E-04
0.59524E-05 0.59524E-05 0.29762E-04 0.99206E-05 0.13889E-04
FIGURE 2 . 2 6 D
2-125
CUMULATIVE FAI LURE D I S T .
0. 0. 0. 0.
0. 0. 0. 0.
0. 0. 0. 0.
0. 0. 0. 0.
0. 0. 0. 0.
0. 0. 33333E •03 0. 33333E- •03 0. 33333E-03
0 . 3 3 3 3 3 E - 0 3 0 . 33333E-03 33333E- •03 0.33333E- 03 0. 33333E-03
O.lOOOOE-02 0 . lOOOOE-02 lOOOOE- •02 0. lOOOOE- •02 0. 13333E-02
0 . 1 3 3 3 3 E - 0 2 0 . 13333E-02 13333E •02 0. 16667E- •02 0. 16667E-02
0 . 2 0 0 0 0 E - 0 2 0 . 23333E-02 23333E- •02 0. 23333E- •02 0. 30000E-02
0 . 3 0 0 0 0 E - 0 2 0 . 33333E-02 33333E •02 0.33333E- •02 0. 33333E-02
0 . 3 6 6 6 7 E - 0 2 0 . 40000E-02 43333E •02 0.56667E- •02 0. 60000E-02
0 . 6 6 6 6 7 E - 0 2 0 . 73333E-02 73333E 02 0. 73333E- •02 0. 73333E-02
O.80O00E-02 0 . 83333E-02 83333E 02 0. 83333E- •02 0. 90000E-02
0 . 9 0 0 0 0 E - 0 2 0 . 93333E-02 93333E 02 0. 93333E- •02 0. 96667E-02
0 . 1 0 6 6 7 E - 0 1 0 . llOOOE-Ol llOOOE 01 0. llOOOE- •01 0. 11333E-01
0 . 1 2 0 0 0 E - 0 1 0 . 12667E-01 13667E 01 0, 14667E- •01 0, 15333E-01
0 . 1 5 6 6 7 E - 0 1 0 . 15667E-01 16333E 01 0. 16333E- 01 0. 16333E-01
0 . 1 7 0 0 0 E - 0 1 0 . 18000E-01 18667E 01 0. 20333E- 01 0. 22000E-01
0 . 2 3 3 3 3 E - 0 1 0 . 23667E-01 24667E •01 0. 25000E- 01 0 26000E-01
0 . 2 6 0 0 0 E - 0 1 0 . 26667E-01 280O0E •01 0. 29000E- 01 0 29333E-01
0 . 3 0 6 6 7 E - 0 1 0 . 320OOE-01 33000E 01 0. 34000E- •01 0 35667E-01
0 . 3 6 0 0 0 E - 0 1 0 . 36667E-01 37667E 01 0. 38333E- 01 0 39000E-01
0 . 3 9 6 6 7 E - 0 1 0 . 41000E-01 41333E •01 0. 42333E- 01 0 44000E-01
0.44333E-01 0 . 44667E-01 46333E •01 0. 47333E- •01 0, 49000E-01
0 . 4 9 6 6 7 E - 0 1 0 . 50667E-01 51333E 01 0, 53333E- 01 0, 54333E-01
0 . 5 5 0 0 0 E - 0 1 0 . 55667E-01 56333E 01 0. 57667E- 01 0, 59000E-01
0 . 5 9 0 0 0 E - 0 1 0 . 62000E-01 63667E •01 0 64000E- 01 0, 65667E-01
0 . 6 7 3 3 3 E - 0 1 0 . 6 8 3 3 3 E - 0 1 0 68667E •01 69000E- •01 0, 69667E-01
0 . 7 0 0 0 0 E - 0 1 0 . 7 1 3 3 3 E - 0 1 0 73O00E 01 73667E- 01 0, 75000E-01
0 . 7 6 3 3 3 E - 0 1 0 . 78000E-01 80000E •01 80667E- 01 0. 83333E-01
0 . 8 6 0 0 0 E - 0 1 0. 88000E-01 89000E •01 90667E- •01 0. 92000E-01
0.93667E-01 0 . 95667E-01 98667E •01 10133E 00 0. 10267E 00
0.10467E 00 0 . 10600E 00 10733E 00 10933E 00 0. llOOOE 00
0.11200E 00 0 . 11400E 00 11533E 00 11633E 00 0. 11833E 00
0.12100E 00 0 . 12333E 00 12433E 00 12600E 00 0. 12833E 00
0 . 1 2 9 6 7 E 00 0 . 13033E 00 13167E 00 13333E 00 0, 13367E 00
0 . 1 3 5 3 3 E 00 0 . 13667E 00 13800E 00 13900E 00 0. 13967E 00
0 . 1 4 1 0 0 E 00 0 . 14300E 00 14467E 00 146OOE 00 0. 14767E 00
0.14967E 00 0 . 15200E 00 15433E 00 15667E 00 0 ,15733E 00
0 . 1 5 8 6 7 E 00 0 . 16067E 00 16300E 00 16500E 00 0< ,16700E 00
0 . 1 6 8 0 0 E 00 0 . 16933E 00 17133E 00 17167E 00 0. 17367E 00
0.17633E 00 0 . 17767E 00 17967E 00 18167E 00 0. 18400E 00
0.18700E 00 0 . 18833E 00 18900E 00 0. 19200E 00 0.:19467E 00
0 . 1 9 6 6 7 E 00 0 . 19933E 00 20100E 00 0. 20300E 00 ,20400E 00
0.20467E 00 0 . 20800E 00 21067E 00 21267E 00 21433E 00
0 . 2 1 5 6 7 E 00 0 . 21833E 00 ,22067E 00 22200E 00 22433E 00
0.22567E 00 0 . 22733E 00 22900E 00 23200e 00 ,23400E 00
0 . 2 3 5 3 3 E 00 0 . 23733E 00 23900E 00 24067E 00 .24367E 00
0 . 2 4 4 6 7 E 00 0 . 24567E 00 25067E 00 25233E 00 ,25467E 00
FIGURE 2 . 2 6 E
2-126
COMP. NO. OF FAILURES
I 0.
2 0.33333E-03
3 0.
4 0.66667E-03
5 0.70000E-02
6 0.
7 0.13333E-02
8 0.22667E-01
9 0.27333E-01
10 0.16667E-02
11 0.16667E-02
12 0.70000E-02
13 0.33333E-03
14 O.lOOOOE-02
15 0.33333E-03
16 0.
17 0.
18 0.
19 0.56667E-02
20 0.40000E-02
21 0.63333E-02
22 0.73333E-02
23 0.61667E-01
24 0.70000E-02
25 0.36667E-02
26 0.23333E-02
27 0.13667E-01
28 0.16333E-01
29 0.13333E-02
30 0.
31 0.33333E-03
32 0.26667E-02
33 0.56667E-02
34 0.30000E-02
35 0.20000E-02
36 0.66667E-03
37 0.18000E-01
38 0.23333E-02
39 0.14000E-01
40 0.23333E-02
41 0.30000E-02
42 0.
*3 0.
44 0.
45 0.
46 0.
47 0.
48 0.
49 0.
50 0.
51 0.
52 0.
53 0.
54 0.
55 0.
56 0.
57 0.
FIGURE 2. 26F
2-127
I
FIGURE 2 . 2 7
P ( T ) AS A FUNCTION OF OPERATING TIME (WEEKS) FOR
THE DRESDEN-3 EMERGENCY A-C POWER SYSTEM
CHAPTER 3
EXAMPLE APPLICATIONS OF RELIABILITY ANALYSIS

CHAPTER 3
EXAMPLE APPLICATIONS OF RELIABILITY ANALYSIS
A s y s t e m for collection and g e n e r a t i o n of reliability data has been defined

and two methods of performing the quantitative a s p e c t s of reliability
a n a l y s i s have been d e s c r i b e d . This chapter i l l u s t r a t e s the steps r e q u i r e d
in using these tools in r e l i a b i l i t y a n a l y s e s for engineered safeguard
s y s t e m s . The intent is to indicate the steps involved in an analysis by
example applications to selected PWR and BWR safeguard s y s t e m s . The
e x a m p l e s a r e not m e a n t to be c r i t i c a l evaluations of the safeguard design.
Specific s y s t e m s for which brief, example reliability applications have
been given in following sections a r e the D r e s d e n - 3 p r i m a r y containment,
the Connecticut Yankee safety injection s y s t e m , the Connecticut Yankee
containment cooling system, and the San Onofre safety injection s y s t e m .
Briefly, the steps involved in a reliability analysis a r e :
1. Define the s y s t e m to be analyzed including specific equipment

i t e m s and their r e q u i r e d operating p a t t e r n s .
2. Define the p e r f o r m a n c e goals for which the probability of

s u c c e s s is d e s i r e d or, c o n v e r s e l y , the undesired events for
which the probability of o c c u r r e n c e is to be d e t e r m i n e d .
3. D e s c r i b e the methods of testing, checking, and maintaining the

s y s t e m , including the time i n t e r v a l s between these a c t i v i t i e s .
4. P e r f o r m an a n a l y s i s of failure modes and effects for each

equipnaent item in the s y s t e m identifying the cause of each
failure and its i m p o r t a n c e to s y s t e m p e r f o r m a n c e goals, and
indicating conditions or p r a c t i c e s which m a y eliminate or reduce
critical failures.
5. Construct s y s t e m r e l i a b i l i t y block d i a g r a m s reflecting the knowl-

edge gained in the preceding s t e p s . It is important that this
d i a g r a m include all c r i t i c a l c o m p o n e n t s . All time intervals of
i n t e r e s t should be c o n s i d e r e d .
6. Obtain failure r a t e e s t i m a t e s for all components in each failure

mode of i n t e r e s t .
3-1
7. P e r f o r m n u m e r i c a l r e l i a b i l i t y evaluations using block d i a g r a m
logic and a p p r o p r i a t e failure r a t e s . These evaluations m a y
include machine or hand calculations or a combination of both.
8. S u m m a r i z e r e s u l t s of r e l i a b i l i t y evaluation, identifying the

r e l a t i v e i m p o r t a n c e of v a r i o u s components, the effect of
simplifying a s s u m p t i o n s and redundancies and the c r i t i c a l p h a s e s
or i n t e r v a l s in s y s t e m operation.
9. Identify c o r r e c t i v e actions which m a y be taken to improve s y s t e m

r e l i a b i l i t y o r , c o n v e r s e l y , reduce the probability of s y s t e m fail-
u r e . These actions m a y include further investigation of failure
r a t e a s s u m p t i o n s , identification of a r e a s for potential use of
redundancy or for equipment r e d e s i g n , modification of operating
or maintenance p r o c e d u r e s or a l t e r e d test p r o c e d u r e s and
frequencies.
The preceding p a t t e r n of r e l i a b i l i t y analysis has been used in each of the

following e x a m p l e s .
In following the applications it should be noted that while the goal is a

quantitative evaluation, the qualitative information developed in the
i n t e r m e d i a t e steps sheds much light on the potential trouble spots in a
s y s t e m . This is p a r t i c u l a r l y true with r e s p e c t to performing the failure
mode and effect a n a l y s i s and c o n s t r u c t i o n of the appropriate reliability
block d i a g r a m s . At this stage of the a n a l y s i s , the potential c u l p r i t s in
a s y s t e m frequently a r e obvious to the analyst. F u r t h e r steps leading
to a quantitative r e s u l t tend to confirm the qualitative evaluation and
point out the r e l a t i v e contributions to s y s t e m unreliability which can be
expected f r o m the v a r i o u s components. Thus, n u m e r i c a l reliability
e s t i m a t e s provide a m e a n s for qualifying the effectiveness of a s y s t e m
and any modifications which m a y be made in its operation, testing or
equipraent. In this r e g a r d , it should be noted that while c o r r e c t i v e actions
will be m o s t benefical if applied to p r i m e c o n t r i b u t o r s to unreliability, the
l e s s e r c o n t r i b u t o r s m u s t not be overlooked for Murphy's law'" tends to
p r e v a i l in all c a s e s . Consideration of l e s s e r contributors is p a r t i c u l a r l y
important if it identifies ways in which these components can be e l i m i -
nated or the effect of their f a i l u r e s can be made inconsequential to
system success.
* If a device can fail, it will fail, (eventually).
3-2
DRESDEN UNIT 3 PRIMARY CONTAINMENT
A p r e l i m i n a r y investigation of the r e l i a b i l i t y of the D r e s d e n - 3 contain-

m e n t has been p e r f o r m e d . This a n a l y s i s is based on s y s t e m d e s c r i p t i o n s
and functional designs indicated in the Unit 3 Plant Design and Analysis
Report (PDAR), dated F e b r u a r y 1966, and its f i r s t three a m e n d m e n t s .
SYSTEM DESCRIPTION
As d e s c r i b e d in the preceding d o c u m e n t s , the Unit 3 containment can be

c o n s i d e r e d as consisting of two m a j o r s u b s y s t e m s - - a p r i m a r y contain-
m e n t and a s e c o n d a r y containment. Within each of these s u b s y s t e m s a r e
a s s e m b l i e s of components designed to p e r f o r m various functions
n e c e s s a r y for the maintenance of o v e r a l l containment integrity under
n o r m a l and accident conditions. A s c h e m a t i c c r o s s s e c t i o n of the o v e r -
all facility is shown in F i g u r e 3. 1 In the Unit 3 PDAR seven containment
b a r r i e r s to fission product r e l e a s e a r e cited. They a r e : (1) the high
density c e r a m i c UO2 fuel; (2) the high integrity z i r c o n i u m cladding;
(3) the r e a c t o r v e s s e l and its connected piping and isolation valves;
(4) the drywell s u p p r e s s i o n c h a m b e r p r i m a r y containment; (5) the r e a c t o r
building; (6) the r e a c t o r building standby gas t r e a t m e n t s y s t e m utilizing
high efficiency and c h a r c o a l f i l t e r s ; and (7) elevated discharge of gaseous
effluents f r o m a stack. In this d i s c u s s i o n , the isolation valves in b a r r i e r
3 and all of b a r r i e r 4 a r e c o n s i d e r e d the p r i r a a r y containment while
b a r r i e r s 5, 6, and 7 a r e c l a s s e d as the secondary containment.
The p r i m a r y containment is designed to provide a low leakage b a r r i e r to

the r e l e a s e of radioactivity (0. 5 p e r c e n t contained air at 62 psig i n t e r n a l
p r e s s u r e ) , and the s e c o n d a r y containment is provided for controlled
r e l e a s e of any p r i m a r y containment leakage to a 310-foot stack. The
Unit 3 s e c o n d a r y containment also s e r v e s as the secondary containment
for D r e s d e n Unit 2.
The p r i m a r y containment h o u s e s the r e a c t o r v e s s e l , the r e a c t o r coolant

and r e c i r c u l a t i n g loops, and other s e r v i c e loops connected to the r e a c t o r .
It c o n s i s t s of a drywell, a p r e s s u r e s u p p r e s s i o n c h a m b e r which s t o r e s a
l a r g e volume of w a t e r , a connecting vent s y s t e m between the drywell and
the w a t e r pool, isolation v a l v e s , containment cooling s y s t e m s , and other
s e r v i c e equipment. If piping containing r e a c t o r coolant or s t e a m fails in
the d r y w e l l , r e a c t o r w a t e r and s t e a m would be r e l e a s e d into the drywell
a i r s p a c e . The resulting i n c r e a s e in drywell p r e s s u r e would then force a
3-3
m i x t u r e of a i r , s t e a m , and w a t e r through the vent s y s t e m and into the
w a t e r s t o r e d in the s u p p r e s s i o n c h a m b e r . Appropriate isolation valves
a r e actuated during this p e r i o d to complete the p r i m a r y containment.
Cooling s y s t e m s a r e provided to r e m o v e heat from the r e a c t o r c o r e , the
drywell, and from t h e w a t e r in t h e s u p p r e s s i o n c h a m b e r ; and, thus provide
continuous cooling of the p r i m a r y containment under accident conditions.
A r e a c t o r building completely e n c l o s e s the Unit 2 and Unit 3 p r i m a r y

c o n t a i n m e n t s . This s t r u c t u r e provides secondary containment when the
p r i m a r y containment is in s e r v i c e , and provides p r i m a r y containment
during periods when the p r e s s u r e s u p p r e s s i o n containment s y s t e m (pri-
m a r y containment) is open. The principal function of the secondary
containment is to m i n i m i z e ground level r e l e a s e of a i r b o r n e radioactive
m a t e r i a l s and to provide for controlled, decontaminated, r e l e a s e of the
building a t m o s p h e r e through a stack under accident conditions. This is
a c c o m p l i s h e d by (1) directing leakage from the p r i m a r y containment to
the secondary containment, (2) maintaining the secondary containment
at a negative p r e s s u r e with r e s p e c t to the outside a t m o s p h e r e during
accident conditions, (3) designing the building for a specified inleakage
r a t e , and (4) discharging the ventilation gases through the 310-foot
stack after they have p a s s e d through a s e r i e s of high efficiency p a r t i -
culate and halogen f i l t e r s .
Although the Unit 3 containment includes both a p r i m a r y and a secondary

containment, only the p r i m a r y containment has been c o n s i d e r e d . The
r e l i a b i l i t y analyses techniques used on the p r i m a r y containment will
apply equally well to the s e c o n d a r y containment.
The most innportant function of the p r i m a r y containment and its a s s o -

ciated isolation and protective s y s t e m s is to mitigate rapidly the
consequences of postulated accidents involving the r e a c t o r p r i m a r y
s y s t e m . The major a s s e m b l i e s in this containment s u b s y s t e m w e r e
previously l i s t e d and a r e shown functionally in F i g u r e 3. 2. P a r a m e t e r s
used in developing the p r i m a r y containment design a r e listed in Table 3. 1.
The design r e q u i r e m e n t s and features of the p r i m a r y containment c o m -
ponents a r e d e s c r i b e d briefly in the following sections. More extensive
d i s c u s s i o n of design c o n s i d e r a t i o n s is provided in the Unit 3 PDAR, as
amended.
Drywell
As shown in F i g u r e 3. 1, the drywell is a steel p r e s s u r e v e s s e l with a

s p h e r i c a l lower portion, 66 feet in d i a m e t e r and a cylindrical upper
portion, 37 feet in d i a m e t e r . The overall height is approximately 113 feet.
3-4
The drywell is enclosed in the reinforced concrete s t r u c t u r e of the
r e a c t o r building for shielding p u r p o s e s and to provide additional
r e s i s t a n c e to deformation and buckling of the drywell over a r e a s where
the c o n c r e t e backs up the s t e e l shell. Shielding at the top of the drywell
is provided by a r e m o v a b l e , s e g m e n t e d , reinforced concrete plug.
Access to the drywell is provided by the drywell head, one double door
a i r l o c k , and two equipment h a t c h e s . The drywell head and hatch c o v e r s
a r e bolted in place and sealed with g a s k e t s . The locking m e c h a n i s m s
on each a i r l o c k door a r e designed so that a tight s e a l will be maintained
when the doors a r e subjected to e i t h e r i n t e r n a l or e x t e r n a l p r e s s u r e .
The d o o r s a r e m e c h a n i c a l l y interlocked so that one door cannot be
operated u n l e s s the other door is closed and locked. The s e a l s on the
doors and the hatches a r e capable of being tested for leakage.
The drywell will not be entered during power operation, but a c c e s s is

p e r m i s s i b l e during hot standby operation with the r e a c t o r s u b c r i t i c a l .
The n o r m a l operating environment in the drywell is an a t m o s p h e r e con-
taining l e s s than n o r m a l c o n c e n t r a t i o n s of oxygen at e s s e n t i a l l y 0 psig and
135 F . T e m p e r a t u r e control is provided by r e c i r c u l a t i n g the drywell air
through cooling units which, in t u r n , a r e cooled by a closed loop cooling
w a t e r s y s t e m . A functional d i a g r a m of the drywell a s s e m b l y is shown in
Figure 3 . 3 .
P r e s s u r e S u p p r e s s i o n Chamber and Vent System
The functions of these a s s e m b l i e s a r e as follows:
1. The vent s y s t e m will conduct flow of vapors and liquids from the
drywell to the s u p p r e s s i o n c h a m b e r , distribute this flow
uniformly throughout the pool following a postulated rupture in
equipment contained in the drywell, and limit the p r e s s u r e
differentials between the drywell and s u p p r e s s i o n c h a m b e r by
use of c h a m b e r - t o - d r y w e l l v a c u u m b r e a k e r s .
2. The s u p p r e s s i o n c h a m b e r will receive vapor-liquid flow from

the vent s y s t e m , condense the s t e a m portion of this flow, con-
tain the noncondensable g a s e s and fission products that m a y be
driven into the c h a m b e r during the postulated rupture sequence,
and provide a source of w a t e r for cooling the r e a c t o r c o r e and
p r i m a r y containment.
3-5
The vent s y s t e m c o n s i s t s of eight 8-foot d i a m e t e r c i r c u l a r vent pipes
connecting the drywell to the s u p p r e s s i o n c h a m b e r . The vent pipes open
d i r e c t l y into the drywell and t e r m i n a t e in a 4-foot, 10-inch toroidal vent
h e a d e r in the a i r - s p a c e of the s u p p r e s s i o n c h a m b e r . Jet deflectors a r e
provided in the drywell at the e n t r a n c e of each vent pipe to prevent
possible damage to the vent pipes from jet forces which might accompany
a pipe b r e a k in the drywell. The pipes a r e enclosed with sleeves and a r e
provided with expansion joints to accomnaodate differential motion between
the drywell and s u p p r e s s i o n c h a m b e r . Projecting downward from the
vent h e a d e r a r e 96 downcomer p i p e s , 24 inches in d i a m e t e r and t e r m i n a t -
ing 4 feet below the w a t e r surface of the s u p p r e s s i o n chamber pool.
Baffles a r e provided in the s u p p r e s s i o n chamber to e n s u r e proper
i n t e r a c t i o n of the vent pipe d i s c h a r g e with the s u p p r e s s i o n pool w a t e r .
Six vacuum b r e a k e r s , which d i s c h a r g e from the s u p p r e s s i o n pool into

the drywell, prevent a backflow of w a t e r from the s u p p r e s s i o n pool into
the vent h e a d e r s y s t e m . Operation of two of the vacuum b r e a k e r s is
calculated to be adequate for p r e s s u r e differential c o n t r o l .
The p r e s s u r e s u p p r e s s i o n c h a m b e r , located below the drywell, is a s t e e l

p r e s s u r e v e s s e l in the shape of a t o r u s with a major d i a m e t e r of
a p p r o x i m a t e l y 109 feet and a c r o s s - s e c t i o n a l d i a m e t e r of 30 feet. It
contains a p p r o x i m a t e l y 106, 000 cubic feet of water and h a s a net a i r -
space volume above the w a t e r pool of approximately 119, 500 cubic feet.
The s u p p r e s s i o n c h a m b e r is held on supports which t r a n s m i t v e r t i c a l
and s e i s m i c loading to the reinforced concrete foundation slab of the
r e a c t o r building. Space is provided outside of the c h a m b e r for inspection
and m a i n t e n a n c e .
Sufficient w a t e r is provided in the s u p p r e s s i o n pool to a b s o r b the initial

e n e r g y r e l e a s e into the drywell f r o m any postulated pipe failure. The
s u p p r e s s i o n c h a m b e r is sized to contain this w a t e r , plus the water
displaced from the r e a c t o r p r i m a r y s y s t e m together with the free air
initially contained in the d r y w e l l .
A c c e s s to the p r e s s u r e s u p p r e s s i o n c h a m b e r for inspection is provided

by two 3-foot d i a m e t e r manhole e n t r a n c e s with double-gasketed, bolted
c o v e r s . These a c c e s s p o r t s will n o r m a l l y be bolted closed and will be
opened only when the r e a c t o r p r i m a r y coolant t e m p e r a t u r e is below
212 F and the p r e s s u r e s u p p r e s s i o n s y s t e m is not r e q u i r e d to be
o p e r a t i o n a l . A functional d i a g r a m of the s u p p r e s s i o n chamber and vent
s y s t e m a s s e m b l i e s is shown in F i g u r e 3 . 4 .
3-6
Penetrations
Openings in the p r i m a r y containment which p e r m i t the e n t r y of pipes,

d u c t s , e l e c t r i c a l c a b l e , and the traveling i n - c o r e probe (TIP) guide
tubes a r e designed to:
1. Withstand the peak t r a n s i e n t p r e s s u r e which could occur due

to the postulated r u p t u r e of any r e a c t o r p r i m a r y s y s t e m pipe
inside the d r y w e l l .
2. Withstand jet f o r c e s equal to that associated with flow from

the l a r g e s t local pipe or connection without f a i l u r e .
3. Accommodate t h e r m a l s t r e s s e s which may be encountered

during all m o d e s of operation without f a i l u r e .
4. Allow individual leak testing to the extent p r a c t i c a l and

necessary.
Two g e n e r a l types of pipe p e n e t r a t i o n s a r e provided - - those which m u s t

accommodate t h e r m a l m o v e m e n t , and those which experience relatively
little t h e r m a l s t r e s s . Piping p e n e t r a t i o n s which provide for movement
c o n s i s t of a p e n e t r a t i o n sleeve which p a s s e s through the concrete and is
welded to the p r i m a r y containment v e s s e l ; a p r o c e s s line which p a s s e s
through the penetration and is connected at one end by a bellows
expansion joint to a c c o m m o d a t e axial movement; and a guard pipe around
the p r o c e s s line to p r o t e c t the bellows and maintain the penetration s e a l
should the p r o c e s s line fail within the penetration.
The cdd piping and ventilation duct penetrations a r e welded directly to the
penetration s l e e v e s . Bellows and guard pipes a r e not n e c e s s a r y in this
design, since the t h e r m a l s t r e s s e s a r e s m a l l and a r e accounted for in
the design of the weld joints.
With the exception of the pipe p e n e t r a t i o n s which a r e welded directly to

the p r i m a r y containment s h e l l , it will be possible to leak test individual
containment p e n e t r a t i o n s without p r e s s u r i z i n g the entire containment
s y s t e m . Testing m a y be accomplished by p r e s s u r i z i n g the penetration
between the double s e a l s utilizing the p r e s s u r e tap. Leak detection m a y
then be accomplished either by the use of soap suds or by p r e s s u r e decay
techniques.
3-7
Leakage through valves installed in pipelines which open into the contain-
nnent can be detected by p r e s s u r i z i n g between p a i r s of containment
isolation v a l v e s . Leakage through valves installed in pipelines that
connect to the r e a c t o r p r i m a r y s y s t e m m a y be determined when the
r e a c t o r p r i m a r y s y s t e m is p r e s s u r i z e d with the containment isolation
valves c l o s e d .
The e l e c t r i c a l p e n e t r a t i o n s a r e for e l e c t r i c a l power, signal, and

i n s t r u m e n t l e a d s . Depending on the number of lines for which a c c e s s is
provided two types of e l e c t r i c a l penetration c a r t r i d g e s a r e u s e d . In
e a c h c a s e , the penetrating sleeve is welded to the p r i m a r y containment
v e s s e l , and the flanged ends a r e bolted and sealed with a soft gasket
m a t e r i a l . A bonding r e s i n is utilized in the s e a l s where the cable e m e r g e s
f r o m the flange. This a r r a n g e m e n t provides a leak-tight configuration
which is l e a k - t e s t e d after installation and provides a m e a n s for periodic
leakage testing.
Isolation valves on the r e a c t o r p r i m a r y s y s t e m pipe and other ducts or

p i p e s , which penetrate the p r i m a r y containment, provide a containment
b a r r i e r in these lines which is c o n s i d e r e d to be as effective as the
p r i m a r y containment s h e l l .
The c r i t e r i a on n u m b e r , type, operation, testing, and location of valves

for the v a r i o u s c a t e g o r i e s of p e n e t r a t i o n s a r e as follows:
1. P r o c e s s pipes which connect to the r e a c t o r p r i m a r y s y s t e m , and

pipes or ducts which p e n e t r a t e the p r i m a r y containment and a r e
open to the drywell free air s p a c e , shall be provided with at
l e a s t two isolation valves in s e r i e s .
Valves in this c a t e g o r y shall be designed to close automatically

f r o m selected s i g n a l s , and shall be capable of r e m o t e manual
actuation f r o m the c o n t r o l r o o m .
2. The valves will be physically s e p a r a t e d . On lines connecting

to the r e a c t o r p r i m a r y s y s t e m , one valve shall be located
inside the p r i m a r y containment and the second outside the
p r i m a r y containment as close to the p r i m a r y containment wall
as practical.
3. Lines which p e n e t r a t e the p r i m a r y containment and which neither

connect to the r e a c t o r p r i m a r y s y s t e m nor open into the
p r i m a r y containment shall be provided with at least one valve
which m a y be located outside the p r i m a r y containnnent.
3-8
Valves in this c a t e g o r y shall be capable of manual actuation
from the control r o o m .
4. Motive power for the valves on p r o c e s s lines which r e q u i r e two

valves shall be physically independent s o u r c e s to prevent a
single accident f r o m interrupting motive power to both closure
devices.
5. Upon loss of motive power and when containment c l o s u r e action

of the valve is called for, the valve shall fail closed or shall fail
in its existing position.
6. Valve actuation power failure shall be detected and annunciated.
7. The functional p e r f o r m a n c e of valves, s e n s o r s , and other

automatic devices e s s e n t i a l to the isolation of the containment
will be p e r i o d i c a l l y tested to d e m o n s t r a t e p r o p e r function,
c o r r e c t setpoint of s e n s o r s , p r o p e r speed of r e s p o n s e , and
operability of fail-safe f e a t u r e s .
The following a r e exceptions to the above isolation valve c r i t e r i a :
1. Automatic isolation valves will not be used on the inlet or outlet

lines of the core s p r a y , containment s p r a y , and feedwater supply
s y s t e m s , since operation of these s y s t e m s is e s s e n t i a l following
a l o s s - o f - c o o l a n t accident. Check valves located on these l i n e s ,
inside the d r y w e l l , will provide automatic isolation when n e c e s s a r y
on inlet l i n e s .
2. One automatic isolation ball valve is provided on each TIP s y s t e m

guide tube outside the p r i m a r y containment. A second shear
isolation valve is provided inside the containment and r e q u i r e s
manual actuation.
3. No automatic isolation valves a r e provided on the control rod

drive hydraulic s y s t e m l i n e s . These lines a r e isolated by m e a n s
of the n o r m a l l y closed h y d r a u l i c s y s t e m control valves located
in the r e a c t o r building and by m e a n s of check valves comprising
a p a r t of the drive m e c h a n i s m .
4. Snnall d i a m e t e r i n s t r u m e n t lines are provided with one manually

operated shut-off valve, operable from the r e a c t o r building.
3-9
The preceding exceptions a r e made only in the c a s e s where n o r m a l
c r i t e r i a lead to a l e s s d e s i r a b l e situation because of r e q u i r e d operation
or maintenance of the s y s t e m in which the valves are located. In these
c a s e s , special attention is given to a s s u r e that the piping to the isolation
valves has an integrity at least equal to the containment.
Table 3. 2 is a listing of the p r i n c i p a l isolation valves to be used in the

piping which p e n e t r a t e s the p r i m a r y containment. The table indicates
the number and s e r v i c e of the v a l v e s , location of the valves with r e s p e c t
to the p r i m a r y containment, the signal which actuates the valves, the
motive power which actuates the valve, and the closure time of the valve.
Approximate valve locations and a r r a n g e m e n t s a r e also shown on
F i g u r e 3 . 5 . There a r e a p p r o x i m a t e l y 550 penetrations in the p r i m a r y
containment.
Containment Spray Cooling
Two containment s p r a y cooling s y s t e m s a r e provided to remove heat

f r o m the p r i m a r y containment s y s t e m following a blowdown accident.
E a c h s y s t e m is capable of removing the fission product decay heat at
the naaximum anticipated r a t e . This cooling is provided (1) to r e m o v e
heat from the p r i m a r y containment and thereby a s s u r e that the contain-
ment does not become o v e r p r e s s u r i z e d and fail; and (2) to reduce
rapidly the p r e s s u r e of the p r i m a r y containment and h e n c e , the
containment leakage r a t e .
The containment s p r a y cooling s y s t e m c o n s i s t s of two independent loops

each provided with two full-capacity pumps (one a s p a r e ) , a heat
exchanger rejecting heat to the containment cooling s e r v i c e water s y s t e m ,
piping and v a l v e s , and a containment s p r a y h e a d e r . One of the loops is
s h a r e d with Unit 2 as shown in F i g u r e 3 . 6 . The shared loop is on standby
and would s t a r t automatically if the independent Unit 3 loop failed to s t a r t
on demand. Both loops can be operated sinaultaneously. Automatic
s t a r t is initiated by c o n c u r r e n t t r i p s from drywell high p r e s s u r e and the
low r e a c t o r water level.
When operating, this systeoi pump w a t e r from the s u p p r e s s i o n chamber

through the heat exchanger and the s p r a y h e a d e r . The water then flows
by g r a v i t y back into the s u p p r e s s i o n c h a m b e r . A bypass flow path directly
f r o m the heat exchanger d i s c h a r g e line to the s u p p r e s s i o n chamber air
space is provided for t e s t p u r p o s e s .
3-10
Core Spray Cooling
R e d u n d a n t , full capacity, c o r e s p r a y loops and a core flooding

capability are provided to r e m o v e decay heat following a blowdown
accident. Each of the c o r e s p r a y loops has sufficient capacity to rapidly
i m m e r s e the fuel a s s e m b l i e s . To continue c o r e cooling following
r e s t o r a t i o n of a water level in the c o r e r e q u i r e s a supply of water from
e i t h e r one or both of the loops, the r e a c t o r feedwater s y s t e m , or the
control rod drive feed s y s t e m .
The c o r e s p r a y s y s t e m is designed to pump water directly from the

s u p p r e s s i o n c h a m b e r into the r e a c t o r v e s s e l . Core s p r a y piping f r o m
the s u p p r e s s i o n c h a m b e r to the outer isolation valve is fabricated of
c a r b o n s t e e l . Safety valves a r e provided for p r e s s u r e protection of this
piping. Stainless s t e e l piping having a design p r e s s u r e of 1, 250 psig is
used f r o m the outer isolation valve to the r e a c t o r .
A s e p a r a t e ring h e a d e r for each of the two loops is located inside the

r e a c t o r v e s s e l d i r e c t l y above the core and s p r a y s water d i r e c t l y onto
the fuel b u n d l e s . A s t r a i n e r is placed ahead of the core s p r a y pump
suction to s c r e e n out p a r t i c u l a t e s which could interfere with a discharge
of w a t e r f r o m the n o z z l e s .
Upon r e c e i p t of the actuating signal, the pumps in one loop a r e s t a r t e d

automatically and the isolation valve o p e n s . When the r e a c t o r p r e s s u r e
d r o p s to approximately 160 psig, the check valve opens and water is
sprayed onto the top of the fuel b u n d l e s .
This s y s t e m is also designed so that if the pumps in one loop fail to

s t a r t , the pumps in the other loop a r e automatically switched into
operation. Both the puraps and isolation valves may be actuated from
the c o n t r o l r o o m . The e l e c t r i c a l loads associated with these s y s t e m s
a r e considered in the standby d i e s e l g e n e r a t o r s i z e .
P r o v i s i o n s a r e made for p e r i o d i c a l l y testing the components in the c o r e

and containment cooling s y s t e m s . These t e s t s include:
1. Flow r a t e m e a s u r e m e n t in the core s p r a y s y s t e m . P r e o p e r a t i o n a l

testing of the core s p r a y s y s t e m will d e m o n s t r a t e the core flooding
capability of the s y s t e m . After p r e o p e r a t i o n testing, no special
testing of this feature is planned.
3-11
2. Flow r a t e m e a s u r e m e n t in the containment cooling s y s t e m . In
t e s t 1 and 2 each pump of each s y s t e m can be s t a r t e d individually
and water pumped fronn the s u p p r e s s i o n channber through the
a p p r o p r i a t e supply lines to the outer isolation valve, tiien r e t u r n e d
to the s u p p r e s s i o n c h a m b e r .
3. E x e r c i s i n g and d e m o n s t r a t i n g operability of all motor operated

valves.
4. Blowing air into the containment spray h e a d e r s and inspecting

individual n o z z l e s .
5. Continuous indication in the control room of water level in the

suppression chamber.
6. Removal and setpoint t e s t i n g of safety valves in the low p r e s s u r e

carbon s t e e l lines of the c o r e spray s y s t e m .
E l e c t r i c a l Power
F o r p u r p o s e s of this example application the D r e s d e n - 3 a-c e l e c t r i c a l power

s y s t e m is a s s u m e d to be that shown in the single line schematic drawing of
F i g u r e 3 . 7 . When connpleted, D r e s d e n - 3 , as well as D r e s d e n - 2 , will be
tied to the Connmonwealth Edison 345 kv network through five 345 kv c i r c u i t s .
At D r e s d e n - 3 auxiliary a-cpower can be supplied from five s e p a r a t e and
independent s o u r c e s : Units 2 and 3, the 345 kv network via the 345 kv bus,
a standby d i e s e l g e n e r a t o r and a 34. 5 kv line. N o r m a l auxiliary power for
D r e s d e n - 3 is split between the unit auxiliary power t r a n s f o r m e r , T - 2 , which
is connected to the unit g e n e r a t o r and the r e s e r v e auxiliary t r a n s f o r m e r ,
T - 3 , which is connected to the 345 kv b u s . Each auxiliary t r a n s f o r m e r can
c a r r y the full auxiliary load for D r e s d e n - 3 .
Should the 345 kv bus and the unit generator fail, auxiliary power can be
supplied by the standby d i e s e l g e n e r a t o r or the 34. 5 kv line through auxiliary
t r a n s f o r m e r , T - 8 . E i t h e r of t h e s e s o u r c e s is capable of operating all s y s t e m s
r e q u i r e d to shut down and maintain the unit in a safe condition. The general
design r e q u i r e m e n t is to supply duplicate s e r v i c e s from different b u s e s . As
shown in F i g u r e 3. 7, it h a s been a s s u m e d that power for c r i t i c a l loads in the
p r i m a r y containnnent s y s t e m is supplied from 4160 v b u s e s 5 and 6 and from
480 V b u s e s s u b s i d i a r y to b u s e s 5 and 6. The diesel generator and the
34. 5 kv line may be connected to either or both bus 5 and 6 and through themi
to b u s e s 3 and 4. Switchgear for the 4 l 6 0 v buses is m e t a l - c l a d , indoor type
T h e r e a r e now t h r e e standby d i e s e l g e n e r a t o r s planned for D r e s d e n Units 2

and 3, one for each unit and one as a standby s p a r e to either unit. This example
c o n s i d e r s the original condition of only the standby g e n e r a t o r available to Unit 3.
3-12
with c i r c u i t b r e a k e r s operated by a 125-volt d-c, s t o r e d / e n e r g y m e c h a n i s m .
T r a n s f o r m e r s and switchgear for the 480 v b u s e s a r e located in the turbine
building.
With loss of nornnal a u x i l i a r y power, the d i e s e l generator s t a r t s automatically.

As soon as g e n e r a t o r voltage is nornnal, the generator connects to the
a p p r o p r i a t e low voltage b u s e s to supply e s s e n t i a l loads after inconning
b r e a k e r s and n o n e s s e n t i a l loads a r e t r i p p e d . Other loads may be d i s -
patched by the o p e r a t o r if the s y s t e m power i n t e r r u p t i o n p e r s i s t s . If
the d i e s e l g e n e r a t o r is not available, the 34. 5 kv supply can be selected
as the a l t e r n a t e s o u r c e . Fuel for the generator is contained in a day tank
and a larger tank for prolonged operation.
To protect against e n v i r o n m e n t a l conditions which could cause loss of outside

power the d i e s e l g e n e r a t o r is housed in a c o n c r e t e block cell in the turbine
building and equipment connecting the d i e s e l g e n e r a t o r and 34. 5 kv line to
c r i t i c a l loads is p r o t e c t e d by m e t a l e n c l o s u r e and underground location.
The g e n e r a t o r is air s t a r t e d and sized to support the loads listed in Table 3.3
Automatically connected loads listed in Table 3.3 will s t a r t without operator
intervention when n o r m a l bus voltage has been r e s t o r e d by the diesel g e n e r a t o r .
Other loads r e q u i r e d for shutdown will be manually connected by the operator
in a c c o r d a n c e with overload r e s t r i c t i o n s . To a s s u r e operability, this unit
will be periodically s t a r t e d and operated under load for sufficient t i m e to
a s s u r e adequate perfornnance during extended periods of operation.
D i r e c t c u r r e n t loads in the p r i m a r y containment will be supplied by a

125-volt, station b a t t e r y , capable of c a r r y i n g its r e q u i r e d connected load
for eight h o u r s without r e c h a r g i n g . All of the loads connected to the 125-volt
d-c system, except heavy duty loads, also can be supplied by one of two b a t t e r y
c h a r g e r s . The c h a r g e r s will be powered from s e p a r a t e a-c buses which a r e
operable from any a u x i l i a r y power s o u r c e .
The b a t t e r y is located in a ventilated b a t t e r y room having c o n c r e t e block

w a l l s . The 125-volt d-c s y s t e m o p e r a t e s ungrounded with a ground detector
a l a r m set to annunciate the f i r s t ground. Thus, multiple grounding, as a possible
mode of failure,is e x t r e m e l y unlikely. The n o r m a l mode of b a t t e r y failure is
a single cell d e t e r i o r a t i o n which is signalled well in advance by the routine of
t e s t s which will be p e r f o r m e d r e g u l a r l y on the b a t t e r y . Typical t e s t s and
s e r v i c i n g s include visual inspection for leaks and c o r r o s i o n , and checking
voltage, and the specific gravity and level of the e l e c t r o l y t e .
3-13
RELIABILITY CONSIDERATIONS
The reliability of the Unit 3 p r i m a r y containnnent m u s t be evaluated with

r e s p e c t to a specific p e r f o r m a n c e r e q u i r e m e n t . That i s , the number of
a s s e m b l i e s and components r e q u i r e d for successful containment will v a r y ,
depending on the type of radioactivity r e l e a s e o c c u r r i n g in this contain-
ment s u b s y s t e m . If the type of r e l e a s e is unspecified, it is probably best
t o consider the most s e v e r e r e l e a s e conditions that can develop in the p r i -
m a r y containment. In this example, a major r u p t u r e of the r e a c t o r
coolant s y s t e m is a s s u m e d , i. e. , a blowdown accident.
Once a r e l e a s e conditions has been identified, the design b a s i s r e q u i r e m e n t s

for operation of v a r i o u s p a r t s of the p r i m a r y containment must be d e t e r -
mined from the d e s c r i p t i v e m a t e r i a l s and available accident a n a l y s e s . In
the F e b r u a r y 1966 edition of the Unit 3 PDAR, the blowdown accident was
analyzed for a number of different containment operability conditions.
The r e s u l t s of t h e s e a n a l y s e s a r e shown as p r e s s u r e - t i m e curves in
F i g u r e 3. 8 and as operational a s s u m p t i o n s in Table 3, 4. As indicated in
Table 3 . 3 , the v a r i a b l e s in operational assumptions for the analyses w e r e
the nunnber of c o r e s p r a y and containment spray s y s t e m s in operation and
the extent of m e t a l - w a t e r r e a c t i o n .
The design b a s i s accident is c h a r a c t e r i z e d by the curve given for Case f

which a s s u m e s operation of one containment s p r a y loop, no core spray,
and t h e m a x i m u m m e t a l - w a t e r reaction of 27. 5 p e r c e n t . C a s e f has been
used as the b a s i s for the initial reliability analysis for the Unit 3 p r i m a r y
containment. That i s , the p r i m a r y containment reliability has been eva-
luated on the b a s i s that at least one containment spray functions
s a t i s f a c t o r i l y , and the p r i m a r y containment achieves and maintains a
status which allows only a m i n i m a l leakage. This reliability analysis
includes all equipment combinations which can be expected to maintain
containment p r e s s u r e below the design p r e s s u r e . Conversely, it can be
used to estinnate the probability of a containment p r e s s u r e g r e a t e r than
design given a blowdov/n accident.
An additional analysis has been made for the condition of at least one
containment s p r a y and one c o r e spray operating. This is approximately
equivalent to e s t i m a t i n g the probability of C a s e b, i. e. , one containnnent
s p r a y loop and one c o r e s p r a y loop operable in addition to an adequate
isolation condition. To i l l u s t r a t e the value of a s s u m i n g redundance, a
s u b s i d i a r y analysis has been run for the c o r e s p r a y alone in which both
c o r e s p r a y loops a r e r e q u i r e d to function. In each of the preceding
a n a l y s e s e m e r g e n c y a - c power has been included as an operational r e -
q u i r e m e n t by the a s s u m p t i o n that either bus 5 or bus 6 and their r e s p e c -
tive s u b s i d i a r y 480 v b u s e s , bus 2A or bus 2B, miust o p e r a t e .
3-14
RELIABILITY EVALUATION
The reliability model has been developed in a number of steps intended to

define all s y s t e m s and components c r i t i c a l to operation of the p r i m a r y
containment and to identify the t i m e dependent status of this equipment.
T h e s e steps can be s u m m a r i z e d as follows:
1. Review design
2. Review accident analysis and c h a r a c t e r i z e accident sequence
3. P e r f o r m failure mode and effect analysis
4. Identify c r i t i c a l components
5. Construct reliability block d i a g r a m
6. Identify reliability evaluation i n t e r v a l s
7. Identify component r e q u i r e m e n t s for each interval
Step 1 was accomplished by way of the preceding p r i m a r y containment

d e s c r i p t i o n . A d e s c r i p t i o n of the accident analyses is given in the Unit 3
PDAR. This d e s c r i p t i o n is g e n e r a l with r e s p e c t to c h a r a c t e r i z i n g the
component operation and sequence of events. It may be briefly s u m -
m a r i z e d as follows:
The r e a c t o r is operating at the design t h e r m a l output and the outlet

leg of a r e c i r c u l a t i o n loop is assunned to be instantly s e v e r e d in a
c i r c u m f e r e n t i a l b r e a k . Flow at c r i t i c a l velocity occurs at the b r e a k .
Immediately following the b r e a k , the large i n c r e a s e in c o r e void
fraction due to d e p r e s s u r i z a t i o n sharply d e c r e a s e s r e a c t o r power.
Scrann will be initiated in l e s s than a second by high drywell p r e s s u r e .
In about four s e c o n d s , the subcooled liquid m a s s below the c o r e will

begin flashing vigorously b e c a u s e of d e p r e s s u r i z a t i o n . This will
tend to force a s t e a m - w a t e r m i x t u r e up through the c o r e , as well
as backward through the jet pump diffuser pipes.
Calculations indicate that it will take n e a r l y 24 seconds to d e p r e s -

s u r i z e the v e s s e l . During a fraction of this t i m e , the bulk of the
c o r e will be cooled by a boiling two phase m i x t u r e . The r e c i r c u l a t i o n
pump in the other leg will continue to inject fluid into the v e s s e l for
approximately 4 seconds or at least until the subcooled fluid begins
to flash. Low w a t e r level in the r e a c t o r v e s s e l will initiate actuation
of the independent c o r e s p r a y loops about one minute after r u p t u r e .
3-15
These loops will begin injecting water into the c o r e when the r e a c t o r
p r e s s u r e falls below 150 psig.
The drywell p r e s s u r e will r i s e to about 39 psig in approximately

t h r e e seconds. In l e s s than 3 0 seconds after the b r e a k , the p r e s s u r e
in the p r e s s u r e s u p p r e s s i o n c h a m b e r and drywell will have equalized
to about 21 psig, as shown in F i g u r e 3. 8. The containment cooling
s y s t e m s a r e designed so that either of the full capacity independent
s y s t e m s will maintain the p r e s s u r e of the s u p p r e s s i o n c h a m b e r
below the 62 psig design p r e s s u r e . This analysis assunnes that
only one of the two independent containment s p r a y s y s t e m s o p e r a t e s .
F o r the c a s e in which no c o r e cooling is a s s u m e d the c o r e continues

to heat up and subsequently undergoes a complete meltdown. The
maximumi extent of m e t a l - w a t e r r e a c t i o n r e s u l t i n g from the m e l t -
down is e s t i m a t e d to be approximately 27. 5 percent of all the
available metal (channel boxes and cladding) within the c o r e region.
It is a s s u m e d that t h e r e is an unlimited amount of steann available
to support the m e t a l - w a t e r r e a c t i o n . The total duration of the
r e a c t o r c o r e meltdown is approximately one hour. However, the
r e a c t o r c o r e is effectively melted (90 percent) in about half an hour.
Table 3. 5 indicates the t i m e for various stages of meltdown and
m e t a l - w a t e r reaction.
On the b a s i s of the p r e c e d i n g accident sequence, the initial reliability

model will consider two t i m e i n t e r v a l s . The first interval will evaluate
the probability of achieving containmient isolation and s t a r t u p of at least one
containment cooling systemi. The second i n t e r v a l will consider operation
of the containment cooling s y s t e m until p r i m a r y containment p r e s s u r e has
decayed to essentially a t m o s p h e r i c p r e s s u r e . The second reliability
model is the s a m e as the first with the added r e q u i r e m e n t that one of the
core s p r a y loops also o p e r a t e s . The t h i r d , subsidiary model evaluates
the probability that both c o r e s p r a y loops will o p e r a t e .
Since t e s t frequencies have not been defined, it will be a s s u m e d for each

of the preceding models that the length of the first interval is one month or
720 h o u r s . This is equivalent to a s s u m i n g that the c r i t i c a l components,
which will be subsequently identified, may be assunned to be unmonitored
with r e s p e c t to operability for as long as 720 h o u r s .
The second t i m e i n t e r v a l has been e s t i m a t e d frona the p r e s s u r e - t i m e

h i s t o r y for the blowdown accident. Since the time at which the Case f curve
in F i g u r e 3. 8 decays to 0 psig is not given, the length of the second interval
3-16
has been a s s u m e d to be a p p r o x i m a t e l y 300 h o u r s . The existing curve
indicates a p r e s s u r e of a p p r o x i m a t e l y 17 psig at 278 h o u r s after rupture
and; t h e r e f o r e , the 300-hour i n t e r v a l m a y be somewhat optimistic.
E x a m p l e s of failure mode and effect analyses on p r i m a r y containment

components a r e given in F i g u r e 3 . 9 . Based on these analyses and d i s c u s -
sions of design, construction, and testing p r a c t i c e s contained in the
PDAR, it is a s s u m e d that the s t r u c t u r a l integrity of the containment
v e s s e l s and connecting lines will be high relative to components such as
drywell and s u p p r e s s i o n c h a m b e r c l o s u r e s e a l s , isolation valves in lines
open to the containment a t m o s p h e r e or the p r i m a r y s y s t e m and equipment
in the containment cooling s y s t e m s . These latter components will be
taken to be the c r i t i c a l components at this time. Reliability block d i a g r a m s
defining the logical operating r e q u i r e m e n t s for the c r i t i c a l components a r e
given in F i g u r e s 3. 10 through 3. 15.
The isolation valve r e q u i r e m e n t s were developed on the b a s i s of the guide-

lines given in Appendix F of this r e p o r t , the r e a c t o r protection s y s t e m
t r i p functions, and the isolation valve s u m m a r y in Table 3. 2. The r e l i a -
bility evaluation i n t e r v a l s w e r e previously defined. Referring to the
r e l i a b i l i t y block d i a g r a m s the functional r e q u i r e m e n t s for the reliability
analysis c a s e s in each of these i n t e r v a l s a r e as follows.
Operable Function R e q u i r e m e n t s
Interval 1
Case 1 - All drywell and s u p p r e s s i o n chamber c l o s u r e s e a l s

function; all isolation valves actuated by containment
isolation p r o t e c t i o n s y s t e m t r i p ; operating mode status
achieved in one loop of containment cooling system;
and e m e r g e n c y a-c power supplied to operable cooling
loop.
Case 2 - Same as Case 1 with added r e q u i r e m e n t that operating
mode status achieved in one loop of core s p r a y s y s t e m .
Case 3 - One of two c o r e s p r a y loops achieves operating mode
status along with a p p r o p r i a t e e m e r g e n c y a-c power t r a i n .
Case 4 - Both core s p r a y loops achieve operating mode status

and e m e r g e n c y a - c power t r a i n s on.
3-17
Interval 2
Case 1 - Operating mode status continued in one loop of contain-

ment cooling s y s t e m and appropriate e m e r g e n c y a-c
power t r a i n .
Case 2 - Same as Case 1 with added r e q u i r e m e n t that operating
mode status continued in one loop of core s p r a y
system.
Case 3 - One of two core s p r a y loops continues operation along
with a p p r o p r i a t e e m e r g e n c y a-c power t r a i n .
Case 4 - Both core spray loops and ennergency power t r a i n s
continue operation.
An important and final step in p r e p a r i n g for the m a t h e m a t i c a l r e l i a b i l i t y

evaluation is the selection of a p p r o p r i a t e failure r a t e s for each component
included in the m o d e l . In selecting failure r a t e s one m u s t consider the
operating environment for each component and the failure mode(s) of
importance in each i n t e r v a l . If a p p r o p r i a t e failure r a t e s cannot be identi-
fied from available r e l i a b i l i t y data s o u r c e s such as those listed in
Appendix D or f r o m operating experience sunamaries such as HN-185, then
it b e c o m e s n e c e s s a r y to a s s u m e failure r a t e s and later test the assumption.
Limits should be e s t a b l i s h e d on a s s u m e d failure rate values to evaluate the
sensitivity of s y s t e m r e l i a b i l i t y to changes in failure r a t e .
F o r the p r e s e n t all failure r a t e s have been assumed, as shown in Table 3. 6,

in order to complete the r e l i a b i l i t y evaluation illustration. Thus, the
reliability a n a l y s i s p r e s e n t e d h e r e is p r e l i m i n a r y with r e s p e c t to component
failure r a t e s . While the failure r a t e s are a s s u m e d , they do reflect some
consideration of the component s t a t u s , the a p p r o p r i a t e failure mode, and
past e x p e r i e n c e .
Although not a c o n s i d e r a t i o n in this e x a m p l e , it should be noted that not

all unmonitored components will be tested on the same interval. As a
r e s u l t some failure r a t e adjustment will be n e c e s s a r y when performing
a r e l i a b i l i t y a n a l y s i s using a p r o g r a m such as ARMM, which computes
s u c c e s s and failure p r o b a b i l i t i e s at the end of fixed i n t e r v a l s for all
components. That i s , the p r o g r a m computes the r e l i a b i l i t y of all c o m -
ponents under c o n s i d e r a t i o n in a tinne interval on the b a s i s that the
component is unmonitored during the time i n t e r v a l with r e s p e c t to the
failure mode of c o n c e r n . To compensate for the fact that components
a r e tested at different f r e q u e n c i e s , the component failure r a t e s should
3-18
be multiplied by a factor equivalent to the ratio of component test interval
to r e l i a b i l i t y evaluation i n t e r v a l .
RESULTS OF ANALYSIS
E a c h of the previously listed r e l i a b i l i t y analysis c a s e s , C a s e s 1 through 4,

has been evaluated by the ARMM c o m p u t e r p r o g r a m . The r e s u l t s of these
evaluations a r e s u m m a r i z e d in Table 3. 7. In this s u m m a r y . Case 1
c o r r e s p o n d s to Case f of the D r e s d e n - 3 PDAR. Case 2 is a slightly
l e s s r e s t r i c t i v e v e r s i o n of Case b in the PDAR; only one of the core s p r a y
loops is r e q u i r e d to o p e r a t e . C a s e s 3 and 4 provide insight into the effect
of r e q u i r i n g both core s p r a y loops to o p e r a t e .
As shown in Table 3. 7, the probability of achieving adequate isolation

and operation of one of the two containment cooling loops (Case 1) is
0 . 9 9 9 8 1 . If one of the c o r e s p r a y loops is required to operate as well
(Case 2), the probability of s u c c e s s is d e c r e a s e d to 0.99970. The difference
between Case 1 and Case 2 r e p r e s e n t s an i n c r e a s e in the probability of
failure of a p p r o x i m a t e l y 60 p e r c e n t .
In both Case 1 and Case 2, the probability failure in the f i r s t i n t e r v a l is

a p p r o x i m a t e l y t h r e e o r d e r s of magnitude g r e a t e r than that for the second
i n t e r v a l . Thus, if the r e l i a b i l i t y m o d e l and failure rate a s s u m p t i o n s a r e
c o n s i d e r e d adequate, the m o s t difficult aspect of containment operation
in a blowdown accident would be a s s o c i a t e d with initiating the containment
functions. This r e s u l t d e r i v e s p r i m a r i l y f r o m the reduction in the number
of operating components in the second i n t e r v a l , 162 to 23 in Case 1 and
204 to 31 in Case 2. Requiring a longer period of containment cooling
( e . g . , 720 instead of 300 hours) in Interval 2 would not significantly effect
this e s t i m a t e . Of c o u r s e , these r e s u l t s reflect a p r e l i m i n a r y analysis
and do not consider the effect of the accident induced environment on
component failure r a t e s . Data of this type is c u r r e n t l y unavailable.
C a s e s 3 and 4 provide an indication of the effect of a s s u m i n g redundancy

in the c o r e s p r a y s y s t e m operation. If such redundancy is not allowed,
then it is e s t i m a t e d that the r e l i a b i l i t y of the containment with core spray
r e q u i r e d would be reduced r a t h e r strongly from 0. 9997 to approximately
0. 9570. C o n v e r s e l y , the unreliability would be excepted to i n c r e a s e by
a factor of a p p r o x i m a t e l y 200. If Case b were selected as the design b a s i s
for the p r i m a r y containment, the preceding r e s u l t s indicate that it would be
d e s i r a b l e to design the core s p r a y s y s t e m and the containment s p r a y cooling
s y s t e m so that only one loop in each is r e q u i r e d for s a t i s f a c t o r y operation.
3-19
F u r t h e r insight on the p r i m a r y containment reliability can be obtained by
considering individual component contributions to s y s t e m failure. Table 3.8
l i s t s the 20 l a r g e s t c o n t r i b u t o r s to containment failure in C a s e s 1 and 2.
Contributions f r o m the r e m a i n i n g components a r e illustrated by the ARMM
output in F i g u r e 3. 16. S e v e r a l important conclusions a r e implied by this
data. F i r s t , m o s t of the components listed in Table 3.8 a r e associated
with the supply of e m e r g e n c y a-c power, p a r t i c u l a r l y at the 480 volt level.
This m a y be attributed p a r t l y to relative difference between the failure
r a t e s for e l e c t r i c a l and n o n e l e c t r i c a l components. It also r e s u l t s from
the s e r i a l a r r a n g e m e n t of these components in the containment and core
s p r a y loops where they provide motive power for proper alignment of
these loops. As indicated in Table 3. 8, the six l a r g e s t contributors
a r e the same in both C a s e s 1 and 2. These components provide 480 volt
power to Buses 2A and 2B. In these analyses it has been a s s u m e d that
these components independently operate the r e s p e c t i v e b u s e s ; components
150, 152, and 154 for Bus 2A, and components 238, 240, and 242 for
Bus 2B. If the s y s t e m was a r r a n g e d so that either set of the preceding
components could power e i t h e r b u s , then the s y s t e m unreliability could
be reduced by a p p r o x i m a t e l y 67 p e r c e n t for Case 2 and 78 p e r c e n t for
Case 1. This conclusion a s s u m e s that the equipment used to achieve
the redundancy would have an u n r e l i a b i l i t y of the order of 1 x 10"^ or
l e s s in these reliability m o d e l s .
The six major c o n t r i b u t o r s cited in the previous p a r a g r a p h w e r e also

found to contribute to a p p r o x i m a t e l y 62 percent of the s y s t e m failure
probability for Case 4, both c o r e s p r a y loops in operation. If an actual
design review were being conducted, this r e s u l t would give additional
e m p h a s i s to the need for improving the reliability of the 480 volt power
supply for checking the a n a l y s i s for overly conservative e s t i m a t e s of
failure r a t e s or for adding redundancy.
Additional information which can be used to scope reliability i m p r o v e -

ment or monitoring efforts is provided by the ARMM analysis s u m m a r y
given in Table 3 . 9 . This table shows that in Case 1 approximately
92 p e r c e n t of s y s t e m failure may be attributed to 8 out of 162 components.
S i m i l a r l y , in Case 2 fourteen out of 204 components contribute to
approximately 93 p e r c e n t of s y s t e m failure. These components a r e the
f i r s t 8 and the f i r s t 14 components for C a s e s 1 and 2, r e s p e c t i v e l y , in
Table 3. 8. If it was d e s i r e d to concentrate on achieving an o r d e r of
magnitude reduction in systenn failure probability, the group contributions
to s y s t e m failure given in Table 3. 9 could be used as a guide. F o r
e x a m p l e , an o r d e r of magnitude reduction in Case 1 would r e q u i r e
concentration of r e l i a b i l i t y i m p r o v e m e n t effort l a r g e l y on 28 of the 162
c o m p o n e n t s . Twenty of these l a t t e r components a r e listed in Table 3. 8.
3-20
In conclusion, this example application outlines m e a n s whereby potentially
t r o u b l e s o m e design and equipment can be identified by reliability analysis
of an engineered safeguard s y s t e m . This information can be used in turn
to make changes in s y s t e m design, to s e t reliability i m p r o v e m e n t goals
for specific equipment, or to suggest a l t e r e d testing and operational
p r a c t i c e s ; and. thereby m i n i m i z e the time during which component
failures may e x i s t .
3-21
CONNECTICUT YANKEE SAFETY INJECTION SYSTEM
Reliability a n a l y s i s of the Connecticut Yankee safety injection s y s t e m has

been p e r f o r m e d based on s y s t e m d e s c r i p t i o n s and the loss of coolant
incident analysis provided in the Facility Description and Safety Analysis
(FDSA) for the Haddam Neck P l a n t . Topical Report No. NYO-3250-5, dated
May 1966. This s y s t e m is one of s e v e r a l s y s t e m s which nnight be used to
provide e m e r g e n c y c o r e cooling wîth o c c u r r e n c e of a loss-of-coolant
incident.
A loss-of-coolant incident could be caused by rupture of any line or nozzle

connected to the r e a c t o r coolant s y s t e m by i m p r o p e r opening of a valve
or s e r i e s of v a l v e s , by allowing uncontrolled d i s c h a r g e from the high
p r e s s u r e coolant s y s t e m , or by m a t e r i a l failure in a pipe or component
of the r e a c t o r coolant s y s t e m .
F o r s m a l l leaks in the r e a c t o r coolant s y s t e m , the p r e s s u r i z e r level

control adjusts the charging r a t e to maintain a minimum level in the
p r e s s u r i z e r . Depletion of coolant in the volume control tank is c o m -
pensated by automatic makeup control in the chemical and volume control
s y s t e m . Should the automatic nnakeup malfunction, a low-level signal
from the volume control tank-level i n s t r u m e n t a t i o n would cause the charge
pumps to take suction from the refueling water s t o r a g e t a n k instead of the
volume control tank.
F o r l a r g e r b r e a k s , in w^hich the d i s c h a r g e r a t e exceeds the delivery

r a t e of the charge pumps for a prolonged period of t i m e , the level in
the p r e s s u r i z e r continues to d e c r e a s e , eventually exceeding the low-
level t r i p point for safety injection. Coincidentally, change in the
p r e s s u r i z e r s t e a m volume will cause an accompanying d e c r e a s e in
s y s t e m p r e s s u r e . R e a c t o r t r i p and turbine t r i p will occur due to low
p r e s s u r i z e r p r e s s u r e . The coincidence of low p r e s s u r i z e r p r e s s u r e
with low^ p r e s s u r i z e r level, r e q u i r i n g signals from two out of t h r e e
channels monitoring each p a r a m e t e r , actuates the safety injection s y s -
tem, which automatically d e l i v e r s borated water to the r e a c t o r v e s s e l
for cooling the c o r e . With n o r m a l incoming e l e c t r i c a l power available,
the s y s t e m will prevent melting of the fuel cladding for l o s s - o f - c o o l a n t
incidents up to and including c i r c u m f e r e n t i a l failure of the l a r g e s t r e a c t o r
coolant line, with only one of the two safety injection pumps, one of two
charging p u m p s , and one of two r e s i d u a l heat r e m o v a l pumps in operation.
If all outside power s o u r c e s fail, e m e r g e n c y power will be provided by

diesel g e n e r a t o r s in sufficient n u m b e r s to operate at least one r e s i d u a l
3-22
heat r e m o v a l pump (core deluge) and one of four s e r v i c e •water pumps (for
r e c i r c u l a t i o n cooling) along with other equipment deemed e s s e n t i a l for a
l o s s - o f - c o o l a n t incident. The s y s t e m ' s path of a c c e s s , mode of cooling
w a t e r d e l i v e r y , and design c h a r a c t e r i s t i c s a r e such as to a s s u r e core
cladding innmersion in s t e a m and cascading water so that core meltdown
and m e t a l - w a t e r r e a c t i o n s a r e highly unlikely.
A s u m m a r y of safety injection s y s t e m operation in r e l a t i o n to the type of

l o s s - o f - c o o l a n t incident is shown in Table 3.10.
SYSTEM DESCRIPTION
Equipment
The p r i m a r y side of the safety injection s y s t e m consists of one refueling

w a t e r s t o r a g e tank, t h r e e pumping t r a i n s , and a s s o c i a t e d valves to
p r o p e r l y align the s y s t e m as shown in Figure 3.17. P u m p s a r e provided
with one out of two redundancies in each pumping t r a i n , and the isolation
valves in all loops entering the r e a c t o r v e s s e l a r e also a r r a n g e d with
v a r i o u s d e g r e e s of redundancy. The r a t e d capacities of the safety injec-
tion and charge pumps a r e 1, 750 gpnn at 1, 500 psig and 360 gpm at 2, 300
psig, r e s p e c t i v e l y . These pumps a r e capable of injecting borated water
d i r e c t l y into the r e a c t o r v e s s e l . The r e s i d u a l heat r e m o v a l pumps have
r a t e d capacity of 2, 250 gpm at 500 psig. Thus the deluge cooling of the
r e a c t o r c o r e through the v e s s e l head can be provided only when the
p r e s s u r e in the r e a c t o r v e s s e l is below the d i s c h a r g e p r e s s u r e of the
r e s i d u a l heat r e m o v a l p u m p s .
Piping and m o t o r - o p e r a t e d valves a r e provided to supply water from the

refueling w a t e r storage tank to each pump, and from the containment
sump to the r e s i d u a l heat r e m o v a l p u m p s . Check valves a r e provided
throughout the s y s t e m to p r e v e n t backflow^ which might a d v e r s e l y affect
s y s t e m operation. AH stop valves provided for r e m o v a l of punnps and
other equipment for maintenance purposes are locked-open.
Heat r e m o v a l from the r e c i r c u l a t i n g w a t e r r e t u r n e d from the containment

sump is provided by a pair of r e s i d u a l heat e x c h a n g e r s . On the secondary
side, the heat exchangers a r e connected to a s e r v i c e water s y s t e m through
m o t o r - o p e r a t e d valves as shown in F i g u r e 3. 18. The s y s t e m u s e s four
s e r v i c e wâter pumps, each capable of delivering 6,000 gpm, to circulate
r i v e r w a t e r to plant cooling l o a d s .
3-23
P o w e r for the safety injection s y s t e m is normally supplied by two
t r a n s m i s s i o n lines one connecting with the Connecticut Light and Power
Company s y s t e m at the Montville generating station and Haddam substation
(line 12500) and the other with the Hartford E l e c t r i c Light Company
s y s t e m a t the Middletown generating station (line 772). These lines
along with the 115 kv/4,l60 v t r a n s f o r m e r s and 4, 160 v buses they s e r v e
a r e shown schematically in F i g u r e 3.19. One safety injection pump,
one charge pump, and four 4, 160/480 v station s e r v i c e t r a n s f o r m e r s
a r e s e r v e d by each of the two 4, 160 v b u s e s . Loss of n o r m a l supply to
either bus section will automatically t r a n s f e r the dead bus load to the
other bus by closing bus tie b r e a k e r 2T3.
The four station s e r v i c e t r a n s f o r m e r s in turn supply power to four

480 v b u s e s as shown in F i g u r e 3.20. One s e r v i c e water pump is
s e r v e d by each of the four 480 v b u s e s . One r e s i d u a l heat r e m o v a l
pump is s e r v e d by each of two 480 v b u s e s as a r e the twô s u b - b u s e s
(No. 5-5 and 5-6) which s e r v e all m o t o r - o p e r a t e d valves and s e m i - v i t a l
b u s e s for controls and i n s t r u m e n t a t i o n . Tie b r e a k e r s between 480 v bus
sections p e r m i t m a n u a l t r a n s f e r of supplies to adjacent bus s e c t i o n s .
They a r e automatically closed to e s t a b l i s h a single bus during an
e m e r g e n c y with a total loss of n o r m a l 480 v a-c power.
O n - s i t e , e m e r g e n c y power is provided by three ennergency g e n e r a t o r s

which s t a r t automatically if all n o r m a l 480 v a - c power is lost. Each
g e n e r a t o r has a r a t e d capacity of 400 kw. These synchronous g e n e r a t o r s
a r e d r i v e n by d i e s e l engines -which a r e equipped with d-c starting m o t o r s .
E a c h g e n e r a t o r is connected to a section of the 480 v bus by an electrically
operated c i r c u i t b r e a k e r .
Operation
Components which have been c o n s i d e r e d initially in evaluating s y s t e m

operation from a r e l i a b i l i t y viewpoint, a r e shown in F i g u r e 3.21.
Operation of the safety injection s y s t e m is initiated by an actuation

signal g e n e r a t e d as a r e s u l t of two out of t h r e e low p r e s s u r i z e r water
level signals coincident with two out of t h r e e low p r e s s u r i z e r p r e s s u r e
s i g n a l s . This actuation is fully automatic and consists of:
1. Opening the refueling w a t e r s t o r a g e tank supply valve.
2. Opening the safety injection isolation valves.
3-24
3. Opening the r e s i d u a l heat exchanger bypass value and throttling
value, and the core deluge isolation v a l v e s .
4. Opening the control valve and the isolation valves in the charge
lines to the r e a c t o r coolant loops.
5. Opening the valve in the charge pump suction from the refueling
water s t o r a g e tank, and closing the valve in the n o r m a l suction
line f r o m the volume control tank.
6. Starting the safety injection p u m p s , charge pumps, and r e s i d u a l
heat r e m o v a l p u m p s .
The s y s t e m m a y a l s o be actuated manually from the m a i n control r o o m .

To p r e v e n t automatic operation while the r e a c t o r is cold and d e p r e s s u r i z e d ,
the actuation signal is blocked manually when r e a c t o r coolant s y s t e m
p r e s s u r e is below 1, 700 psig. The signal is unblocked automatically
when r e a c t o r coolant s y s t e m p r e s s u r e r i s e s above 1, 700 psig.
Within 10 seconds after the initiation signal is generated, the two safety
injection pumps can deliver b o r a t e d refueling water at full rated flow to
a h e a d e r supplying four independent injection lines, one to the cold leg
of each r e a c t o r coolant loop. Suction of the two centrifugal charge
pumps is automatically t r a n s f e r r e d f r o m the volume control tank to the
refueling w a t e r s t o r a g e tank, and b o r a t e d refueling water is delivered
through the charge lines to the cold leg of loop 2 and the hot leg of loop 4.
Continued operation of the safety injection will depend upon the leak size
and hence the r e a c t o r coolant p r e s s u r e . F o r s m a l l b r e a k s , the s y s t e m may
maintain the r e a c t o r coolant p r e s s u r e at a level sxifficiently high to preclude
core deluge flow. In this c a s e , the c o r e deluge pumps will be secured and
the r e s i d u a l heat r e m o v a l loop will be realigned to provide high p r e s s u r e
r e c i r c u l a t i o n via the safety injection punaps and charge p u m p s .
F o r l a r g e r b r e a k s there may be no reliable indication that the core has

been covered with w a t e r . In this situation the operator will t e r m i n a t e
safety injection and begin low p r e s s u r e r e c i r c u l a t i o n via the c o r e deluge
piping f r o m 150, 000 gallons of borated water have been pumped from the
refueling water storage tank. This quantity i n s u r e s that the core has been
covered for any r u p t u r e up to and including a double-ended b r e a k of a
r e a c t o r coolant line.
3-25
High p r e s s u r e r e c i r c u l a t i o n via the safety injection pumps and charge
pumps p r o v i d e s a m e a n s of using the spilled r e a c t o r coolant to keep
the r e a c t o r c o r e covered with water after s m a l l leaks or r u p t u r e s occur.
The borated water draining f r o m a s y s t e m rupture is collected in a
sump located at the lowest point of the r e a c t o r containment lower operating
level. After s e v e r a l m i n u t e s of safety injection operation, sufficient
borated w a t e r will have collected in the sump to p e r m i t initiation of
r e c i r c u l a t i o n operation. R e c i r c u l a t i o n flow and cooling is accomplished
by the r e s i d u a l heat r e m o v a l pumps and heat e x c h a n g e r s . Remote
operated valves provide the m e a n s for (1) t r a n s f e r r i n g the r e s i d u a l
heat r e m o v a l pumps suction frona the refueling water storage tank to the
r e a c t o r containment s u m p , (2) directing the resulting flow through the
heat e x c h a n g e r s , (3) providing s e r v i c e water cooling to the heat exchanger,
and (4) t r a n s f e r r i n g d i s c h a r g e f r o m the core deluge header to the combined
safety injection and charging pump suction h e a d e r . The cooled borated
w a t e r is then r e t u r n e d to the r e a c t o r coolant s y s t e m via the safety injection
pumps and charge punaps.
If a l a r g e r u p t u r e o c c u r s , low p r e s s u r e r e c i r c u l a t i o n to the r e a c t o r
v e s s e l via the core deluge lines is established r e m o t e l y in the same
naanner as the high p r e s s u r e r e c i r c u l a t i o n except that the r e s i d u a l heat
pump d i s c h a r g e flow is d i r e c t e d to the core deluge line r a t h e r than to
the suction of the safety injection pumps and charging p u m p s .
Testing
The-safety injection s y s t e m m a y be tested at any time the r e a c t o r coolant

s y s t e m is p r e s s u r i z e d above the shutoff head of the safety injection pumps
(1,400 psig). Water in the safety injection lines is circulated from the
refueling w a t e r storage tank to the injection s y s t e m lines during pump
testing by using the r e c i r c u l a t i o n lines f r o m each safety injection branch
line. R e c i r c u l a t i o n of water in the safety injection lines i n s u r e s the p r o p e r
boron concentration in the l i n e s .
Motor operated isolation valves a r e tested by m a n u a l operation of each

valve f r o m the main control r o o m . Remote position indicators in,the
m a i n control r o o m p e r m i t a check of valve operation.
P e r i o d i c testing of the c o r e deluge including operation of the r e s i d u a l

heat r e m o v a l pump with e m e r g e n c y power is r e q u i r e d , and is a part of
the p e r i o d i c test of the safety injection s y s t e m .
3-26
The analysis of the l o s s - o f - c o o l a n t incident is presented in the FDSA and

s u m m a r i z e d in Table 3. 11 for b r e a k s i z e s corresponding to single ended
r u p t u r e of 1-1/2, 3, 4, 6, and 10-inch l i n e s , a 2 s q u a r e foot r u p t u r e , and
the hypothetical doubled ended r u p t u r e of a r e a c t o r coolant loop. In addi-
tion, a r u p t u r e of a c h a r g e line at the connection to the r e a c t o r coolant
s y s t e m and a s i m i l a r r u p t u r e of a safety injection line a r e analyzed. The
charge line r u p t u r e , in effect, allows all charge flow to spill on the con-
tainment floor. The safety injection line break i m p a i r s the delivery curve
of the injection s y s t e m . F o r this special break, delivery to the r e a c t o r
through the intact lines does not begin until r e a c t o r p r e s s u r e has reduced
to a value equal to the p r e s s u r e drop in the broken line.
In all c a s e s the r u p t u r e is a s s u m e d to be n e a r a safety injection connection

and a charge line connection to the r e a c t o r coolant s y s t e m . Conservatively,
1/3 of the safety injection flow and 1/2 of the charge flow is a s s u m e d to be
r e l e a s e d through the r u p t u r e . Delivery c u r v e s a r e adjusted to take this in-
to account. Calculations w e r e naade of p r e s s u r e and volume h i s t o r i e s for
the various b r e a k s i z e s , and cladding hot spot t e m p e r a t u r e t r a n s i e n t s for
those c a s e s in which significant c o r e uncovering o c c u r s . The clad hot spot
t e m p e r a t u r e is l e s s than the 2, 550 F . melting tenaperature in all c a s e s .
A typical p r e s s u r e and volunae curve is shown in Figure 3. 22 for a 3-inch
charge line break. One of the two safety injection pumps, one of two deluge
pumps, and one of two centrifugal charging pumps a r e a s s u m e d to be op-
erating.
F a i l u r e Mode and Effect Analysis
Based on the a s s u m p t i o n s and the s y s t e m d e s c r i p t i o n given in the FDSA,

a failure mode and effect a n a l y s i s was made as shown in Figure 3. 23 on
components considered e s s e n t i a l to the s y s t e m reliability.
The refueling water s t o r a g e tank is equipped with an externally-mounted

thernaosiphon r e b o i l e r - t y p e heat exchangers as shown in Figure 3. 17 d e -
signed to maintain a refueling water t e m p e r a t u r e of 55 F . with an outdoor
t e m p e r a t u r e of -1 5 F . The heating s t e a m is provided by the building s e r -
vice heating s y s t e m through the auxiliary s t e a m s y s t e m . Since adequate
time can be expected to exist to c o r r e c t a tank heating failure before the
freezing of 250, 000 gallons of borated water takes place, the failure r a t e
assigned to the tank was selected with this assumption in mind.
3-27
As for the outside power s o u r c e s , the possibility of failure of any p a r t i c u l a r
combination of interconnected t r a n s m i s s i o n s y s t e m s is v e r y r e m o t e . F o r
this r e a s o n a r e p r e s e n t a t i v e value for their failure r a t e was chosen.
P u m p s have different failure m o d e s , fail to s t a r t and fail to continue

running, and as such different failure r a t e s w e r e chosen accordingly.
As for v a l v e s , assigned failure r a t e s a r e those a s s o c i a t e d with the
failure to open or failure to close modes of operation. Other types of
valve failure naodes, such as failure to stay open or failure to stay closed,
a r e c o n s i d e r e d to occur at a r a t e at l e a s t one o r d e r of magnitude lower
than the f i r s t m o d e . Typical failure r a t e s of all components a r e listed
in Table 3. 12.
Reliability Model
The r e l i a b i l i t y model for this a n a l y s i s has been developed, as shown in

F i g u r e s 3.24 and 3. 25 to include all components c r i t i c a l to operation of
the safety injection s y s t e m under all types of loss-of-coolant incident.
Since m o t o r - o p e r a t e d v a l v e s , i n s t r u m e n t a t i o n and controls for the safety

injection s y s t e m as well as for other vital s y s t e m s r e q u i r e Buses No.
5 and 6 to be e n e r g i z e d at all t i m e s , the reliability block d i a g r a m was
considerably sinaplified by isolating components which a r e fed through
these buses from the power network reliability model. The only e x c e p -
tions to this approach w e r e twô s e r v i c e water pumps, since these w e r e
in redundancy with two other pumps connected to Buses No. 4 and 7.
Based on the failure mode and effect analysis and the reliability model,
loadsheets for an ARMM calculation wêre p r e p a r e d as shown in F i g u r e
3 . 2 6 . As far as the s y s t e m r e l i a b i l i t y is concerned, a case which r e -
q u i r e s longer time to initiate low^ p r e s s u r e r e c i r c u l a t i o n will yield
slightly lower reliability v a l u e s . T h u s , the case of a charge line r u p -
t u r e show^n in Figure 3.22 is d e m o n s t r a t e d in the calculation. All other
c a s e s will yield a better r e l i a b i l i t y even though the s e v e r i t y of an i n c i -
dent may be m o r e or l e s s .
Time i n t e r v a l s chosen w e r e based on information in the FDSA and

F i g u r e 3.22, and the functions a r e turned on and off accordingly.
The i n t e r v a l s w e r e :
Interval 1 - Since t e s t frequencies have not been defined in the FDSA,

it will be a s s u m e d that the length of the f i r s t interval is
one month or 720 h o u r s . This is equivalent to a s s u m i n g
that all components a r e unmonitored and that if a component
fails it will r e m a i n in a failed state until detected during a
safety injection t e s t .
3-28
Interval 2 - Safety injection is initiated, and after s e v e r a l minutes
(assumed 0. 1 hour) of operation sufficient borated w a t e r
will have collected in the sump to p e r m i t initiation of high
pressure recirculation.
Interval 3 - High p r e s s u r e r e c i r c u l a t i o n is initiated and approximately

1»400 seconds (~ 0. 4 hours) after initiating safety injection,
the r e a c t o r coolant p r e s s u r e will have dropped sufficiently
to p e r m i t low p r e s s u r e r e c i r c u l a t i o n through the r e a c t o r
v e s s e l head.
Interval 4 - Low p r e s s u r e r e c i r c u l a t i o n is initiated and continues for

24 h o u r s .
As shown in the block d i a g r a m in F i g u r e 3.24, t h e r e a r e a nunaber of

nonredundant v a l v e s , any one of which -would contribute significantly
to s y s t e m unreliability if t h e i r failure r a t e s w e r e not substantially
s m a l l e r than other components which a r e redundantly a r r a n g e d . In
o r d e r to improve s y s t e m r e l i a b i l i t y , one-out-of-two redundancies w e r e
added to these nonredundant components in a second case by using the
ARMM p r o g r a m capability for handling a limited number of p a r t i a l data*
changes without changing the basic input. To make this p a r t i a l data
change possible in a single run, additional load sheets w e r e p r e p a r e d
as shown in F i g u r e 3.27, to accomodate those nonredundant components
listed in the load sheets shown in F i g u r e 3.26.
In addition, a t h i r d c a s e was investigated whereby Interval 1 was

shortened to one wêek (l68 hours) simulating a s h o r t e r testing interval
or s h o r t e r i n t e r v a l in which f a i l u r e s could e x i s t . The p a r t i a l data
change is noted in the second half of data e n t r i e s in F o r m s A and G of
F i g u r e 3. 27.
RESULTS OF ANALYSIS
Table 3. 13 p r e s e n t s r e s u l t s of the a n a l y s i s for t h r e e c a s e s and four

different time i n t e r v a l s . The o v e r a l l systena unreliability of 0.388 x 10"
(Case 1) for the s y s t e m d e s c r i b e d in the FDSA was reduced by 97. 9
p e r c e n t to 0.831 x 10" (Case 2) for the improved v e r s i o n with all c r i t i c a l
i n - s e r i e s valves placed in one-out-of-two redundancies, and by 7 6 . 6 p e r -
cent to 0.908 X 10" (Case 3) for the s y s t e m with s h o r t e r testing i n t e r v a l .
Considering the different time i n t e r v a l s , the analysis shows that the
chance of failure at the end of the s t a r t i n g interval is roughly t h r e e o r d e r s
*See section on ARMM input data Field lOA, P a r t i a l Data.
3-29
of magnitude g r e a t e r than the change of failure of the subsequent safety
injection period of 24 h o u r s . Thus, if the s y s t e m initiates safety injec-
tion, the chance of subsequent failure to continue injection is renaote.
A s u m m a r y of component contributions to s y s t e m unreliability is shown

in F i g u r e 3.28 for C a s e s 1, 2, and 3. Components found l e a s t reliable
and contributing up to 99 p e r c e n t of o v e r a l l s y s t e m failure in Case 1 a r e
listed in Table 3. 14. In F i g u r e 3. 29, nonredundant valves were r e p r e -
sented by two fictitious valves with only one-half of the true failure r a t e .
Since each of these two valves belonged to a single function, the p r o b a b -
ility of function failure as shown in Figure 3. 29 c o r r e s p o n d s to that of a
r e a l valve. When these i n - s e r i e s valves were placed i n - p a r a l l e l with
one-out-of-two redundancies as in C a s e 2, their contributions to s y s t e m
failure dropped to as little as 1/3 to 1/10 of those in Case 1. In Case 3
their r e l a t i v e contributions to o v e r a l l s y s t e m failure have not changed
substantially since the only change was in the initial tinae interval.
3-30
CONNECTICUT YANKEE CONTAINMENT COOLING
The Connecticut Yankee plant contains two engineered safeguard s y s t e m s

designed to provide a sufficiently l a r g e heat sink to prevent the contain-
m e n t a t m o s p h e r e p r e s s u r e buildup resulting from the m a x i m u m credible
accident from exceeding design l i m i t s . These safeguard s y s t e m s a r e
the a i r r e c i r c u l a t i o n s y s t e m and the containment s p r a y system. The
following d i s c u s s i o n p r e s e n t s a p r e l i m i n a r y reliability analysis for these
systems.
The analysis is c a r r i e d to the limit; that i s , a reliability model is con-

structed for the containment cooling s y s t e m . This model is then used to
a r r i v e at a quantitative s t a t e m e n t for the probability that, in the event of
the m a x i m u m credible accident ( c i r c u m f e r e n t i a l failure of the 27. 5 inch
prinaary coolant line), the containment design p r e s s u r e will not be
exceeded.
SYSTEM DESCRIPTION
Air Recirculation Systena
The air r e c i r c u l a t i o n s y s t e m c o n s i s t s of four (4) 65, 000 cfm fan-cooling

coil units and a s y s t e m of distribution duct work (including inlet and outlet
danapers), i n s t r u m e n t a t i o n , and c o n t r o l s . A typical unit is shown in
F i g u r e 3. 30 . The fans a r e d i r e c t driven, centrifugal type, and the
cooling coils a r e t r a n s v e r s e flow, finned coil banks. The fans take s u c -
tion from the containment a t m o s p h e r e and d i s c h a r g e into the s y s t e m duct
work. The duct work d i s t r i b u t e s the cooled a i r to the individual r e a c t o r
coolant loop a r e a s , the refueling cavity a r e a , a n d the containment dome
a r e a . All four fans a r e n o r m a l l y in operation when the r e a c t o r coolant
s y s t e m is above 200° F . and 300 psig.
Two sets of inlet d a m p e r s a r e provided on each a i r r e c i r c u l a t i o n unit.

One set is located on the face of the f i l t e r s while the other set controls
bypass flow d i r e c t l y to the inlet of the cooling coils as shown in F i g u r e
3. 30 ,
During n o r m a l operation, the d a m p e r s on the face of the filters (incident

d a m p e r s ) a r e closed, while those leading d i r e c t l y from the containment
to the cooling coils a r e open. A high p r e s s u r e signal from the contain-
ment r e v e r s e s the d a m p e r positions, sending 50, 000 cfm through the
filter bank. In the n o r m a l operating position, each set of d a m p e r s is
3-31
held against a spring by an energized e l e c t r i c a l clutch. Loss of power
d e - e n e r g i z e s the clutch and the spring forces the d a m p e r s into the incident
position, i. e. , the incident d a m p e r s open and the n o r m a l d a m p e r s close.
The reliability block d i a g r a m c o n s t r u c t e d for a single fan unit is shown

in F i g u r e 3. 31 A. H e r e it was a s s u m e d that in the event of failure of the
incident flow path, the plant o p e r a t o r h a s the option of r e v e r s i n g the
d a m p e r p o s i t i o n s , thereby achieving full cooling effectiveness via the
n o r m a l flow path. Hence,the n o r m a l flow path is shown as redundant to
the incident flow path in F i g u r e 3. 31A. A failure mode and effect a n a l y s i s
for a fan unit i s shown in F i g u r e 3. 34A.
Containment Spray System
The containment s p r a y s y s t e m utilizes the r e s i d u a l heat p u m p s , the

r e s i d u a l h e a t exchangers,and a s p r a y h e a d e r j u s t inside the containment
liner to d i s t r i b u t e water throughout the containment. Spray water may
be drawn either from the refueling cavity water storage tank or from the
containment s u m p .
Containment s p r a y is not automatically initiated in the event of a loss-of-

coolant incident. The r e s i d u a l h e a t r e m o v a l pumps would n o r m a l l y deliver
water to the r e a c t o r v e s s e l in such an incident. To initiate s p r a y , the o p e r a -
tor m u s t close a valve in the line leading from the r e s i d u a l heat renaoval
pumps to the r e a c t o r v e s s e l and open a valve in the line leading to the
s p r a y h e a d e r s . The path taken by s p r a y water when the r e s i d u a l heat
r e m o v a l s y s t e m is in this configuration is shown in F i g u r e 3. 32. The
r e l i a b i l i t y block d i a g r a m c o n s t r u c t e d for the spray s y s t e m is shown in
F i g u r e 3 . 31 B a n d the failure mode and effect analysis in F i g u r e 3. 34B..
E l e c t r i c a l Power and Service Water Supply Systems
E l e c t r i c a l power for the fan m o t o r s , s e r v i c e water and r e s i d u a l heat

r e m o v a l pumps, and motor o p e r a t e d valves i s n o r m a l l y available through
the station s e r v i c e supply s y s t e m . In the event of loss of outside power,
t h r e e (3) d i e s e l g e n e r a t o r s a r e available in the plant to supply power.
Cooling w a t e r for the a i r r e c i r c u l a t i o n s y s t e m and r e s i d u a l h e a t exchangers

is provided by the plant s e r v i c e water s y s t e m . The capacity of any one of
the four (4) s e r v i c e water pumps i s a s s u m e d to be sufficient for this p u r -
p o s e . F i g u r e 3. 31C shows the reliability block diagram constructed for
these s y s t e m s .
3-32
Air R e c i r c u l a t i o n S y s t e m
F i g u r e 3. 33 (extracted from NYO-3250-5) shows the calculated p r e s s u r e

t r a n s i e n t in the containment following c i r c u m f e r e n t i a l failure of a 27. 5—
inch r e a c t o r coolant line. It a p p e a r s that the heat sinks provided by the
safety injection and c o r e deluge s y s t e m s a r e of s m a l l efficacy and that
the m a j o r burden in controlling the peak p r e s s u r e is placed on the a i r
r e c i r c u l a t i o n s y s t e m . F u r t h e r , a s far as the peak p r e s s u r e is concerned,
three (3) fans in operation a r e seen to be as effective as all four (4) fans in
operation. F r o m the point of view of a reliability a n a l y s i s , it would be
d e s i r a b l e to see s i m i l a r c u r v e s for 1 and 2 fans in operation. Lacking
this infornaation, a m a j o r (conservative) assumption regarding the
effectiveness of the air r e c i r c u l a t i o n s y s t e m was made in the reliability
a n a l y s i s . It was a s s u m e d that operation of at l e a s t t h r e e fan units is
r e q u i r e d to m a i n t a i n the p r e s s u r e t r a n s i e n t within design p r e s s u r e .
Containment S p r a y S y s t e m
The containment spray s y s t e m is installed as a backup for the a i r r e c i r -

culation s y s t e m for d e p r e s s u r i z a t i o n of the containment following a
l o s s - o f - c o o l a n t accident.
The s p r a y s y s t e m is not c o n s i d e r e d in the calculation of the containment

p r e s s u r e t r a n s i e n t . To quote from the Plant Design and Analysis Report
(NYO-32 50-5), "No quantitative c r e d i t is taken for the spray s y s t e m in
the a n a l y s i s of the hypothetical accident b e c a u s e the e x p e r i m e n t a l work
done to date is not c o n s i d e r e d extensive enough to a s s e s s a c c u r a t e l y the
effect of the s p r a y under the conditions which would exist in the contain-
ment after such an accident. " N e v e r t h e l e s s , in this study it was a s s u m e d
that the s p r a y s y s t e m is an effective standby s y s t e m for the a i r r e c i r c u l a -
tion s y s t e m and would be s t a r t e d in the event of failure of m o r e than one
fan unit.
Overall Reliability Block D i a g r a m
Based on the above d i s c u s s i o n of s y s t e m effectiveness, the reliability

block d i a g r a m for the complete containment cooling s y s t e m takes the
form shown in F i g u r e 3. 3ID.
3-33
Reliability Calculation
Two s e p a r a t e reliability calculations w e r e naade using the ARMM p r o g r a m ,

one for the combined power supply and s e r v i c e water supply systenas and
one for the combined a i r r e c i r c u l a t i o n and containment spray s y s t e m s .
The components w e r e "aged" for a period of 1, 020 h o u r s . This a s s u m e s
that there is a component testing i n t e r v a l of 1 month (720 hours) and that
coolant s y s t e m operation is r e q u i r e d for a period of 300 hours following
an incident.
F a i l u r e r a t e s assunaed for the conaponents of F i g u r e s 3.31A, B, and C

a r e shown in Table 3 . 1 5 .
The c r i t e r i a used for grouping of components into functions as shown in

F i g u r e s 3.31 A, B, and C was such as to lead to the mininaum number of
functions n e c e s s a r y for s y s t e m description in the ARMM input. All c o m -
ponents to the right of a function number (F. ) belong to that function.
F o r exanaple, in F i g u r e 3. 31B components 56, 57, 58, 59, 60, and 61 b e -
long to function F. - 5 1 , (the minus indicates that the function is listed in
standby capacity).
RESULTS OF ANALYSIS
Power Supply
As seen on F i g u r e 3.31C, there a r e seven paths, not all independent, by

which 480-volt power may be supplied. F a i l u r e of components 60, 90
(common to five of the paths) and 130 lead to systena failure. All other
component failure combinations resulting in s y s t e m failure a r e of higher
o r d e r ; * i. e. , they r e q u i r e four or m o r e conaponent f a i l u r e s . Since the
probability of failure of a typical single component is of the o r d e r of lO"'^,
it may be anticipated that the lowest o r d e r failure conabination contributes
m o s t of the total s y s t e m failure probability. This is c l e a r l y evident in
the r e s u l t s obtained in the p r e s e n t c a s e , as shown in Table 3. 16.
Service Water Supply System
The reliability, or c o n v e r s e l y the unreliability, of the s e r v i c e water supply

s y s t e m has been evaluated on the basis that the c r i t i c a l components a r e the
four s e r v i c e water p u m p s . Other components in the systena were a s s u m e d
*The o r d e r of a conaponent failure combination has been defined as the

number of components failed in o r d e r to achieve systena failure; e. g. ,
a third o r d e r combination is a unique combination of three failed c o m -
ponents which will c a u s e systena failure.
3-34
to contribute negligibly to the systena unreliability. System failure was
a s s u m e d to r e q u i r e failure of all four pumps (i. e. , one s e r v i c e water
pump was a s s u m e d to supply adequate cooling capacity to the tube sides
of the air r e c i r c u l a t i o n unit cooling coils and the r e s i d u a l heat exchangers).
The probability of all four s e r v i c e water pumps failing is calculated to be
0. 21 X 10"^.
Air Recirculation and Containment Spray Systems
This systena i n c o r p o r a t e s a high degree of redundancy. The three out of

four fan units operating condition on the air r e c i r c u l a t i o n s y s t e m with the
containnaent s p r a y s y s t e m in standby (See F i g u r e 3,3ID) implies that a
m i n i m u m of 3 components m u s t fail to r e s u l t in s y s t e m failure.
The failure probability of the combined s y s t e m was calculated in two ways.

F i r s t , a complete ARMM run was made with the containment spray s y s -
t e m d e s c r i b e d in standby capacity to t h r e e out of four air r e c i r c u l a t i o n
units. As anticipated, the run time was high due to the large number of
conaponent failure combinations that contribute to s y s t e m failure (in this
s y s t e m , 270 third o r d e r and 3,222 fourth o r d e r conabinations).
The r e s u l t s of the ARMM run a r e shown in Table 3.17A. The seventeen

components listed a r e those involved in third o r d e r failure conabinations.
They a r e seen to contribute over ninety percent of the total s y s t e m failure
probability. The remaining forty-four components comprising the s y s t e m
a r e involved only in fourth or higher o r d e r failure combinations.
Because of some u n c e r t a i n t i e s in the p r e s e n t ARMM t r e a t m e n t of standby

functions, an approximate hand calculation of the s y s t e m failure p r o b a -
bility, as d e s c r i b e d below, was m a d e . The simplifying assumptions made
a r e seen to eliminate a l m o s t all analytical difficulties, allowing the calcu-
lation to be readily p e r f o r m e d by hand. Without these a s s u m p t i o n s , the
calculation would have beconae prohibitive.
The probability of single component failure, q, is
q = 1 - e
q = Xt , Xt < < 1
3-35
where
X = component failure r a t e , and
t = operating or aging time.
In this p a r t i c u l a r p r o b l e m t = 1, 020 h r and Xmax = 1 0 x 1 0 " h r ,

hence, (X t)naax " 1. 02 x 10"^ , implying q = Xt within 1 p e r c e n t and the
e r r o r is c o n s e r v a t i v e . F u r t h e r , for n components in s e r i e s , each with
failure probabilities < 1 0 " 2 , the failure probability Q for the s e r i e s c o m -
bination is
n
Q = V q(i)
i=l
to within 1 p e r c e n t (again, the e r r o r is c o n s e r v a t i v e ) .
Using these approximations and the reliability block d i a g r a m shown in

F i g u r e 3. 3ID, the failure probability for a single air r e c i r c u l a t i o n unit
operating for time T (in m i l l i o n s of hours) is
Q u n i t = (X^^ + X^.+X^g) T + (Xi4 + Xi5)(Xô + X i l + X ^ 2 + ^ 1 3 ^ ^ '
= 1.53 X lO"^,
using T = 1, 020 h o u r s and X values from Table 3. 15.
F a i l u r e of the air r e c i r c u l a t i o n s y s t e m r e q u i r e s failure of two or m o r e fan

units. Hence, the failure probability of the a i r r e c i r c u l a t i o n system
Q , is given by
ars °
4
V 4! i 4=i
ars L i!(4-i)! unit unit
i^
~ 2
= 6Q . within 1 percent,
unit
Using the value computed above,
Q = 14 X 10~^
ars
3-36
or c o n v e r s e l y , the air r e c i r c u l a t i o n s y s t e m r e l i a b i l i t y is
R =0.9986
ars
Tho f a i l u r e p r o b a b i l i t y of the c o n t a i n m e n t s p r a y s y s t e m , to the s a m e l e v e l
of a p p r o x i m a t i o n a s a b o v e , i s
74 55 53 58 6l 65 69
Qcss = T^ Xi+T2{^ Xi2^ Xi+l^ Xi I Xi+l Xil Xi )
i=70 i=54 i=50 i=56 i=59 i=62 i=66
- 3. 8 X 1 0 ' ^ ,
w i t h T =1,020 h o u r s a n d X v a l u e s f r o m T a b l e 3. 1 5 .
C o n v e r s e l y , the c o n t a i n m e n t s p r a y s y s t e m r e l i a b i l i t y i s
R ^ 0 . 962
ess
T h e c o n t a i n m e n t c o o l i n g s y s t e m f a i l u r e p r o b a b i l i t y , Q, t h e n b e c o m e s
Q - Q a r s Q c s s ' ^ 5. 3 x 1 0 - 5
C o n v e r s e l y , the e s t i m a t e d s y s t e m r e l i a b i l i t y is
R = 0. 999947
T h i s a s s u m e s ( c o n s e r v a t i v e l y ) t h a t the s p r a y s y s t e m i s a l t e r n a t e to the
a i r r e c i r c u l a t i o n s y s t e m . If the s p r a y s y s t e m i s t r e a t e d in s t a n d b y c a p a -
c i t y the e s t i m a t e of Q w i l l be l o w e r , s i n c e c o m p o n e n t s in s t a n d b y a r e not
a g i n g u n t i l the s t a n d b y f u n c t i o n is r e q u i r e d to o p e r a t e .
The g e n e r a l e q u a t i o n f o r t h e s y s t e m f a i l u r e p r o b a b i l i t y w i t h the s p r a y
s y s t e m in s t a n d b y to the a i r r e c i r c u l a t i o n s y s t e m is
.T . ^T-t'
Q(standby) = i Q ^ r s \ Qcss ^t' dt . (Q = H r )
ô ''o
At f hu l e v e l of a p p r o x i m a t i o n b e i n g c o n s i d e r e d in t h i s c a s e , Q a r s * ^ *
and Qoss*^ t, i . e . , the t t e r m s in the e x p r e s s i o n for Q^nit ^ " ^ ^ c s s ^^^
n e ' - ^ i g i b l e . H e n c e , w i t h the c o n t a i n m e n t s p r a y s y s t e m in s t a n d b y
3-37
Q(standby) = j Q^^^ Q^^^
= 1.8 X 10-5
or the e s t i m a t e d s y s t e m reliability, with the containment s p r a y in standby

is
R(standby) = 0. 999982.
As previously indicated, t h e r e a r e 270 third order and 3, 222 fourth order

failure combinations resulting in s y s t e m failure. Table 3. 17B show^s thf^
e s t i m a t e d p e r c e n t a g e contribution of these combinations to the probabilit-/
of systera failure. This e s t i m a t e was a r r i v e d a*, as follows:
Within the f r a m e w o r k of the above a p p r o x i m a t i o n s , we may write
Q .^ = a- T + a^ T^
unit iu 4u
^ ^ ^2
Q = a_ T + a^ T
ess 3c 4c
where the a ' s a r e coefficients relating to the component X v a l u e s .
^^^''' Q(standby) cc (Q )^ (Q )
unit ess
Q(standby) = a,T^+ a.T^^ + a^T^ + a . T ^ .
3 4 5 o
•3
The T t e r m gives the contribution from third o r d e r f a i l u r e s . The

T 4 t e r m gives the fourth o r d e r contribution and so on.
C o m p a r i s o n of Tables 3, 17A and 3. 17B shows good a g r e e m e n t between
the ARMM and hand calculated allocation of s y s t e m failure probability to
third and higher o r d e r failure combinations. Both methods attribute
a p p r o x i m a t e l y 90 p e r c e n t of the s y s t e m failure probability to third order
failure combinations. However, the s y s t e m failure probability calculated
by ARMM is a factor of two higher than the hand calculated value. This
d i s a g r e e m e n t can be expected when considering the way ARMM p r e s e n t l y
handles standby functions.
3-38
Conclusions
The r e s u l t s displayed in Tables 3. 16, 3.17A , and 3,17B indicate the follow-
ing conclusions. In this complex s y s t e m containing redundant paths and
components with failure probabilities < lO"*^, the system unreliability may
be attributed a l m o s t entirely to those components involved in the lowest order
failure c o m b i n a t i o n s . It may be anticipated that components involved in
a higher o r d e r failure combination will contribute significantly to the
s y s t e m unreliability only if that combination contains a component whose
failure r a t e is at l e a s t an o r d e r of magnitude g r e a t e r than that of the
components in the lower o r d e r combination. This was not the case in the
p r e s e n t study.
In this model of the Connecticut Yankee containment cooling system, the

g r e a t e s t c o n t r i b u t o r s to the calculated s y s t e m unreliability turn out to
be the fans and fan m o t o r s in the a i r r e c i r c u l a t i o n units, (Components 17
and 18 in F i g u r e 3.31A) and the valves channeling coolant to the spray
h e a d e r rings in the containment s p r a y s y s t e m (Components 71 and 72 in
F i g u r e 3.31B). Hence,the s y s t e m reliability e s t i m a t e will be m o s t s e n s i -
tive to the p a r t i c u l a r a s s u m p t i o n s m a d e regarding these components.
Modification of these a s s u m p t i o n s will strongly affect the computed s y s t e m
reliability.
F o r example, it was a s s u m e d in the a n a l y s i s that the fans and fan m o t o r s

w e r e being aged over the whole testing interval (720 hours), as well as
during the period of incident operation (300 h o u r s ) . It could be argued
that since these components a r e in continuous operation during the testing
interval, their failure would be o b s e r v e d and r e p a i r would be effected.
Using this reasoning, t h e s e components might be considered to be aging
only for a period corresponding to the r e q u i r e d r e p a i r time (say, 1 day) plus
incident operating time. The total aging time for these components would then
be a factor of t h r e e ( ^^— J l e s s than previously a s s u m e d and the e s t i m a t e
of s y s t e m r e l i a b i l i t y would be i n c r e a s e d by a factor of approximately 10.
R e g a r d l e s s of the a s s u m p t i o n s used, the p r i m a r y contributors to system

failure a r e expected to be the fans, fan m o t o r s , and spray s y s t e m
v a l v e s . If i n c r e a s e d reliability is d e s i r e d in the containment cooling
s y s t e m , it a p p e a r s that this goal can be m o s t effectively gained through
1. Modifying these components to significantly reduce their

failure r a t e s , if further investigation of failure r a t e a s s u m p -
tions r e v e a l no significant e r r o r , and
2. Consideration of additional redundancy in spray loop valves,

if this redundancy will not significantly degrade the reliability
of e m e r g e n c y c o r e cooling functions.
3-39
SAN ONOFRE SAFETY INJECTION SYSTEM
The San Onofre safety injection s y s t e m is designed to limit c o r e damage

due to overheating following a l o s s - o f - c o o l a n t accident in the r e a c t o r
coolant s y s t e m and to i n s e r t negative r e a c t i v i t y , in the form of borated
w a t e r , during rapid cooldown of the r e a c t o r following a t u r b i n e - c y c l e - s i d e
s t e a m line r u p t u r e . Design c r i t e r i a used to a s s u r e a c c o m p l i s h m e n t of
these functions a r e :
1. The s y s t e m shall p r e v e n t r e l e a s e of fission products from the

fuel r o d s following a r u p t u r e of the r e a c t o r coolant s y s t e m for
any size b r e a k , up to complete s e v e r a n c e of the l a r g e s t line
connecting to the r e a c t o r coolant loops, i . e . , the 10-inch nominal
size p r e s s u r i z e r surge line.
2. The s y s t e m shall l i m i t fission product r e l e a s e for hypothetical

b r e a k sizes (-which a r e not c o n s i d e r e d credible), up to the c o m -
plete s e v e r a n c e of a r e a c t o r coolant pipe, assuming d i s c h a r g e
of coolant from both ends of the pipe.
3. The s y s t e m shall provide a m e a n s of cooling the core for extended

p e r i o d s , following a l o s s - o f - c o o l a n t accident,
4. The s y s t e m shall provide a m e a n s of i n s e r t i n g negative reactivity

following a los s-of-coolant or a t u r b i n e - c y c l e - s i d e steam line b r e a k .
5. The s y s t e m design shall a s s u r e that no inadvertent s y s t e m operation

can be postulated which would constitute a h a z a r d , such as would
r e s u l t from unlimited addition of unborated water ^.o the r e a c t o r
coolant s y s t e m .
6. The s y s t e m shall operate satisfactorily with s e c o n d - o r d e r m e c h a n i c a l

equipment f a i l u r e s , i . e . , with the l o s s - o f - c o o l a n t accident as a
f i r s t o r d e r condition; the failure of any component to respond actively
in the p r e s c r i b e d m a n n e r can be t o l e r a t e d without loss of ability to
provide the n e c e s s a r y protection. N u m e r o u s third order or multiple
failures can a l s o be tolerated, but the design is not intended to
cover all such c a s e s .
7. Power shall be continuously available to safety injection s y s t e m

equipment.
3-40
8. The design of the equipment in the safety injection s y s t e m and
supporting s y s t e m s shall be in a c c o r d a n c e with the s e i s m i c
ground nnotion c r i t e r i a e s t a b l i s h e d for the plant.
SYSTEM DESCRIPTION
The safety injection s y s t e m is made up of two essentially s e p a r a t e

s y s t e m s ; one for the initial injection of borated water to the r e a c t o r
coolant s y s t e m , and the other for subsequent cooling and r e c i r c u l a t i o n
of spilled water back to the r e a c t o r coolant s y s t e m for l o n g - t e r m r e m o v a l
of the c o r e r e s i d u a l heat. These two s y s t e m s a r e shown in F i g u r e 3. 35.
Injection
The injection s y s t e m c o n s i s t s of two s e p a r a t e and independent pumping

t r a i n s for delivery of water, b o r a t e d a t refueling concentration, into
the r e a c t o r coolant s y s t e m . This philosophy of equipment separation
has been extended so that equipment in each injection t r a i n is supplied
from independent 4,160-volt and 480-volt b u s e s .
Each injection t r a i n u s e s one of the two feedwater pumps which deliver

feedwater to the s t e a m g e n e r a t o r s during n o r m a l operation. These
pumps a r e B y r o n - J a c k s o n , Type DVMX, two-stage pumps with horizontally
split c a s e and double volute. P u m p design features a r e listed in Table 3. 18.
The pumps a r e designed to operate at any point over their delivery
curve from a m i n i m u m flow n e a r shutoff to flows in excess of the nominal
10, 500 gpm injection r e q u i r e m e n t . The pump design was selected for
its low net positive suction head r e q u i r e m e n t and its ability to continue
delivery a t high flow^s with some cavitation.
F o r safety injection s e r v i c e , the feedwater pumps a r e each supplied

with borated refueling wâter by o r e of the two safety injection p u m p s .
The safety injection pumps a r e s i n g l e - s t a g e , high-capacity, low head
u n i t s . As shown in F i g u r e 3.35, each pump is designed to supply 10, 500 gpm
of borated w a t e r from the refueling w a t e r s t o r a g e tank to one feedwater
pump at a p r e s s u r e sufficient to p r e v e n t feedwater pump cavitation.
Each pumping t r a i n obtains its borated wâter from the 240, 000-gallon
refueling water storage tank (approximately 11 times the r e a c t o r v e s s e l
volume) and d i s c h a r g e s into the injection h e a d e r , from which t h r e e
s e p a r a t e injection lines run into the containment s p h e r e and d i s c h a r g e
into each of the t h r e e r e a c t o r coolant loops. The injection lines between
the feedwater pump d i s c h a r g e isolation valves and the r e a c t o r coolant
s y s t e m isolation valves a r e always kept filled with borated w a t e r .
Similarly, the safety injection line to the suction of these pumps is also
kept filled with borated w a t e r .
3-41
Although the accident a n a l y s i s has shown additional injection flow to
be u n n e c e s s a r y , both centrifugal charging pumps in the c h e m i c a l and
volume control s y s t e m a r e placed in s e r v i c e to augment injection s y s t e m
flow^. The charging pumps, which a r e in s e r v i c e (one operating and
the other standby) during n o r m a l operation of the plant, inject into the
r e a c t o r coolant s y s t e m upon initiation of safety injection. As shown
in Table 3.18, r a t e d flow for each of the two centrifugal charging pumps
is 213 gpm. The combined output of both pumps fulfills the r e q u i r e m e n t
for purification flow plus the s e a l water flow r e q u i r e d when all r e a c t o r
coolant pumps a r e operating on breakdown bushings and both charging
pump bypass lines a r e open. The d i s c h a r g e p r e s s u r e of each pump
is indicated in the control r o o m and a p r e s s u r e switch on the pump
d i s c h a r g e h e a d e r automatically s t a r t s the standby pump if the header
p r e s s u r e falls below^ 2, 200 psig.
The charging flow is a r r a n g e d so that it can inject into each of the r e a c t o r

coolant loops, thereby providing t h r e e additional flow paths. A charging
pump alone will prevent the r e l e a s e of c o r e fission products for b r e a k
s i z e s up to approximately 6 inches and acts as a complete backup for
the safety injection s y s t e m in this r a n g e .
Additional injection flow can be provided by the refueling water pumps.

These pumps a r e a r r a n g e d so that they can inject into the r e a c t o r coolant
s y s t e m through the r e c i r c u l a t i o n l i n e s . F o r this s e r v i c e the pumps
have a capacity of 500 gpm. T h e i r p r i m a r y function, however, is for
containment spray. The injection function of these pumps is provided
p r i m a r i l y as a backup for r e c i r c u l a t i o n operation after the initial injection
p h a s e . Either r e c i r c u l a t i o n pump is capable of delivery of water at a
r a t e in e x c e s s of that needed for decay h e a t r e m o v a l . Design p a r a m e t e r s
for these pumps a r e listed in Table 3. 18.
Recirculation
The design b a s i s for r e c i r c u l a t i o n is to provide sufficient water to the

r e a c t o r c o r e for l o n g - t e r m , p o s t - a c c i d e n t cooling, when operation of the
injection s u b s y s t e m is discontinued. The equipment provided will
a c c o m p l i s h this basic purpose with any one component failing to respond
as r e q u i r e d .
The r e c i r c u l a t i o n systena c o n s i s t s of r e c i r c u l a t i o n pumps which take

spilled water from the containment sphere sump and pump it through the
r e c i r c u l a t i o n heat exchanger to the charging p u m p s . The charging
pumps then r e t u r n the w a t e r to the r e a c t o r coolant s y s t e m via a line
from each of the r e a c t o r coolant pump seal-water injection lines. The
r e c i r c u l a t i o n pumps a l s o supply water for long-term operation of the
containment s p h e r e spray s y s t e m .
3-42
The r e c i r c u l a t i o n pumps a r e c a n n e d - m o t o r , s u b m e r s i b l e units, designed
to pump spilled water from the containment sphere sump. Each pump
has a flow capacity approximately double that needed to compensate for
boil-off of water covering the c o r e due to r e s i d u a l h e a t generation. The
pump design also p e r m i t s periodic d r y - t e s t s t a r t s . Design p a r a m e t e r s
for these pumps a r e s u m m a r i z e d in Table 3.18. The r e c i r c u l a t i o n
h e a t exchanger is a shell and tube unit. It r e m o v e s decay h e a t from
r e c i r c u l a t e d water by h e a t exchange with component cooling water circulating
on the shell side. Operating conditions for this heat exchanger vary
according to the s e v e r i t y of the l o s s - o f - c o o l a n t accident and the equipment
available for operation following the accident. The design is conservatively
b a s e d on the set of p a r a m e t e r s stiown in Table 3. 19.
Electrical Power
E l e c t r i c power for safety injection s y s t e m operation is supplied by the

plant auxiliary e l e c t r i c power s y s t e m . As previously indicated, power
for each injection pumping t r a i n is supplied from independent 4, l60-volt
and 480-volt buses connected to the station switchyard. If an accident
requiring safety injection s y s t e m operation o c c u r s , power will continue
to be supplied to all e l e c t r i c a l l y powered safety injection equipment
(pumps, valves, and instrumentation) from the s a m e s o u r c e s supplying
the buses p r i o r to the e m e r g e n c y . No bus t r a n s f e r s a r e r e q u i r e d .
F o r this example application,the plant has been a s s u m e d to be provided
with two independent s o u r c e s of power for the auxiliary e l e c t r i c a l s y s t e m . *
These originate from:
1. The m a i n t u r b i n e - g e n e r a t o r unit at the San Onofre Nuclear

Generating Station and the Southern California Edison
Company's 220-kv s y s t e m .
2. The San Diego Gas & E l e c t r i c Company's 138-kv s y s t e m .
In the event of a loss-of-coolant incident the r e a c t o r will s c r a m , the turbine

will t r i p , and the m a i n b r e a k e r s tying to the 220-kv switchyard will
open. However, the 138-kv s y s t e m will continue to supply power to
the buses connected to safety injection equipment. As an emergency
safety injection operating p r o c e d u r e , the operator will r e s t o r e the
220-kv s y s t e m as an independent backup source of power into the plant
*The existing facility a l s o is provided with emergency d i e s e l generating

capability', however, the power s y s t e m defined in the Final Engineering
R e p o r t and H a z a r d Analysis has been used h e r e .
3-43
following r e a c t o r coolant pump coastdown operation. This source is not
r e q u i r e d for safety injection power supply, but is made available as standby.
Both the 138-kv and 220-kv s y s t e m s a r e adequate to supply the e l e c t r i c a l
power r e q u i r e m e n t s for safety injection. Safety injection s y s t e m power r e -
q u i r e m e n t s a r e s u m m a r i z e d in Table 3. 20. Figure 3. 36 is a single-line
d i a g r a m showing the e l e c t r i c a l power supply to the pumps in the safety in-
jection and r e c i r c u l a t i o n s y s t e m s . As shown, Bus 3 s e r v e s as an a l t e r n a t e
power s o u r c e to either of the n o r m a l l y used 480 v buses (Buses 1 and 2).
A l o s s - o f - c o o l a n t accident, coincident with the o c c u r r e n c e of major equip-

ment e l e c t r i c a l faults, is not c o n s i d e r e d credible. The e l e c t r i c a l s y s t e m
is a r r a n g e d , however, so that a l a r g e degree of protection if provided
should a major e l e c t r i c a l fault occur at some time following a safety in-
jection incident.
Injection System Operation
Operation of the injection s y s t e m is initiated automatically upon coincidence

of low p r e s s u r i z e r p r e s s u r e and low p r e s s u r i z e r water level, when the plant
is at power or in the hot shutdown condition. The safety injection signal will
initiate a r e a c t o r s c r a m if the r e a c t o r has not already s c r a m m e d from an
independent low p r e s s u r e signal.
To a s s u r e reliability of the injection signal and freedom from spurious

safety injection signals, the actuation circuit uses t h r e e independent p r e s -
s u r e channels and t h r e e independent p r e s s u r i z e r water level channels. A
signal initiating injection s y s t e m operation is generated when two out of
t h r e e low water level and two out of three low p r e s s u r e signals occur. This
arrangenaent allows testing of the actuation c i r c u i t r y during operation.
When the plant is at n o r m a l power operation, the feedwater pumps deliver

feedwater to the s t e a m g e n e r a t o r s . The safety injection signal s t a r t s the
two safety injection pumps and the standby charging pump, and stops ail
four condensate pumps and the two h e a t e r drain pumps. M o t o r - o p e r a t e d
valves a l s o a r e actuated to align the pumping flow path for safety injection
s e r v i c e and to isolate the feedwater condensate s y s t e m . All valves act i m -
m e d i a t e l y , with the exception of the valves at the point of feedwater pump
d i s c h a r g e into the injection h e a d e r (valves 851A and B). These valves a r e
interlocked to r e m a i n closed until the condensate isolation valves at feed-
water pump suction (valves 854A and B) have completely closed. This a r -
r a n g e m e n t a s s u r e s that borated w a t e r , from the safety injection pumps,
will r e p l a c e the significant portion of unborated water between the feed-
water pump isolation valves before a flow path to the r e a c t o r coolant loops
is opened. Should valve 854 fail to c l o s e , the interlock will prevent de-
livery of unborated water from the affected t r a i n into the injection h e a d e r .
3-44
Isolation v a l v e s , which must function in o r d e r to align the injection
s y s t e m for operation, a r e gate valves with Limitorque o p e r a t o r s .
E a c h valve is designed to o p e r a t e under the p r e s s u r e differentials
expected during safety injection and has a motor o p e r a t o r design
compatible with operating t i m e r e q u i r e m e n t s and, w h e r e applicable,
with p o s t - a c c i d e n t ambient conditions wîthin the containment s p h e r e .
Reliability of valve operation is a s s u r e d by a p r o g r a m of testing
both in the m a n u f a c t u r e r ' s shop and periodically throughout the plant
lifetime.
With the pumps s t a r t e d and the injection flow path aligned, the injection
s y s t e m d e l i v e r s refueling water at a r a t e dependent upon break size
and r e a c t o r coolant s y s t e m p r e s s u r e . The feedwater pumps can
begin d e l i v e r y at p r e s s u r e s as high as 1, 157 psig. A s y s t e m delivery
of approximately 7, 000 gpm is r e q u i r e d to meet performance c r i t e r i a
in the c a s e of the hypothetical s e v e r a n c e of a r e a c t o r coolant pipe.
The l a r g e feedwater pump capacity a s s u r e s this delivery even if
the hypothetical break o c c u r s at an injection line connection and one
injection t r a i n fails to function.
When the containment s p h e r e s u m p level indicator shows an adequate

w a t e r level for initiation of r e c i r c u l a t i o n , and when the water level
in the refueling water s t o r a g e tank indicates that an adequate amount
of refueling water has been d e l i v e r e d into the r e a c t o r coolant s y s t e m ,
injection flow will be t e r m i n a t e d by the o p e r a t o r and the r e c i r c u l a t i o n
s u b s y s t e m placed in operation. F o r s m a l l b r e a k s , the r e s t o r a t i o n
of wâter level in the p r e s s u r i z e r p r o v i d e s additional indication that
the r e a c t o r coolant s y s t e m has been refilled.
The o p e r a t o r t e r m i n a t e s injection s y s t e m operation by blocking the

automatic actuation signal, switching the four safety injection r e l a y s
to the off position, and then individually turning off the feedwater
pumps and the safety injection pumps in sequence. With o c c u r r e n c e of
a low level in the refueling w a t e r s t o r a g e tank an a l a r m will sound
in the control r o o m before the injection s y s t e m empties the refueling
w a t e r s t o r a g e tank.
R e c i r c u l a t i o n S y s t e m Operation
This phase of operation is initiated by the o p e r a t o r after the c o r e has

been covered with borated w a t e r by the injection s y s t e m and a sufficient
quantity of water has accumulated in the containment s p h e r e sump.
3-45
The r e c i r c u l a t i o n s u b s y s t e m is placed in operation by starting the
r e c i r c u l a t i o n pumps and operating a p p r o p r i a t e valves to open the
r e c i r c u l a t i o n flow p a t h s . The valve isolating the refueling water s t o r a g e
tank is closed. Containment s p r a y also can be initiated using the
refueling w a t e r pump.
The o p e r a t o r has ample t i m e to initiate r e c i r c u l a t i o n . The refueling

w a t e r s t o r a g e tank has a m i n i m u m of ten minutes supply of borated
w a t e r , even in the c a s e of the hypothetical break, when both feedwater
pumps deliver at t h e i r m a x i m u m capability. An additional t i m e of
approximately 10 minutes is available for initiating r e c i r c u l a t i o n
before the w a t e r in the r e a c t o r v e s s e l would be evaporated below a
level sufficient to a s s u r e c o r e cooling. F o r the credible ^mailer
piping r u p t u r e s , injection s y s t e m operation will continue for longer
periods before r e c i r c u l a t i o n s y s t e m operation is r e q u i r e d .
B a s e d on the p r e c e d i n g s y s t e m d e s c r i p t i o n s and operational information,

a p r e l i m i n a r y reliability a n a l y s i s has been p e r f o r m e d for the San Onofre
safety injection s y s t e m . The b a s i s which has been chosen for this analysis
is the probability of successful o p e r a t i o n in conjunction with a postulated
b r e a k in a 10-inch line in the r e a c t o r coolant s y s t e m . The a n a l y s i s is made
over t h r e e time i n t e r v a l s . The f i r s t interval is one month or 720 h o u r s ;
the second interval is 10 m i n u t e s ; and the third interval is 24 h o u r s . In
the f i r s t i n t e r v a l , the s y s t e m is in standby. The feedwater pumps a r e
operating to supply water to the s t e a m g e n e r a t o r s , and one of the charging
pumps is operating as p a r t of the c h e m i c a l and volume control s y s t e r r .
The other charging pump is standby to the f i r s t . The b r e a k in a 10-inch
line o c c u r s at the end of the first i n t e r v a l . During the second i n t e r v a l , the
safety injection s y s t e m pumps the b o r a t e d water from the refueling w a t e r
tank to the r e a c t o r coolant l o o p s . This r e q u i r e s the s t a r t u p of the safety
injection pumps and the alignment oi the flow path by m e a n s of operation
of the v a l v e s . Also, the refueling wâter pumps and the second charging
pump a r e turned on, although for this size break only the safety injection
pumping t r a i n s have the capacity to adequately cover the r e a c t o r c o r e .
However, the two charging pump t r a i n s and the two refueling pump t r a i n s
can contribute to s y s t e m u n r e l i a b i l i t y during this i n t e r v a l , since at l e a s t
one of them is r e q u i r e d in the t h i r d i n t e r v a l . If all four of these l a t t e r
pumps should fail in the second i n t e r v a l , they would not be available for
the t h i r d i n t e r v a l . During the t h i r d i n t e r v a l , the borated water which has
spilled from the b r e a k and collected in the containment sump is r e c i r c u l a t e d
into the r e a c t o r for the r e m o v a l of fission product decay h e a t . F o r this
p u r p o s e one of the two r e c i r c u l a t i o n p u m p s , which w e r e not on during the
f i r s t two i n t e r v a l s , must o p e r a t e and, as stated before, one of the charging
pump t r a i n s or refueling pump t r a i n s m u s t work.
3-46
During the second and third i n t e r v a l s , the flow through the s y s t e m is
changed by m e a n s of actuation of valves and the s t a r t u p of p u m p s . To
p r o p e r l y consider the contribution of these components to the unreliability
during this phase of their operation, they have been a s s u m e d to p e r f o r m
this operation at the end of the p r e c e d i n g i n t e r v a l . The pumps have been
assigned two failure r a t e s , one for their s t a r t u p and one for their con-
tinuing o p e r a t i o n . To do this using the ARMM p r o g r a m , the pumps a r e
d e s c r i b e d as two components, each with one of the failure r a t e s . The c o m -
ponent with the s t a r t u p failure r a t e is on during the preceding interval and
off the following i n t e r v a l s during which the component with the operating
failure r a t e is on. In effect, the failure r a t e for the s t a r t u p component
r e f l e c t s the effect of aging on the likelihood of a pump accomplishing a
successful s t a r t u p . Valves m u s t open or close to align the s y s t e m p r o p e r l y .
They have been a s s u m e d to p e r f o r m this operation at the end of the interval
p r i o r to the interval during which this p r o p e r alignnnent is r e q u i r e d . F o r
e x a m p l e , the safety injection loop valves m u s t be open during the second
i n t e r v a l , so they a r e a s s u m e d to open at the end of the first i n t e r v a l . Once
a valve has p e r f o r m e d its operation successfully, it is a s s u m e d to be
perfectly r e l i a b l e . F o r e x a m p l e , a valve which is r e q u i r e d to open will
not fail closed once it has opened. Its only failure is to fail to open in the
f i r s t p l a c e . F o r this r e a s o n , a valve is "on" only during the interval at
the end of which it is r e q u i r e d to function. T h e r e f o r e , in this example,
the valves on the safety injection loop do not contribute to s y s t e m un-
r e l i a b i l i t y in any but the first t i m e i n t e r v a l . As with the s t a r t u p of a pump,
the opening and closing of a valve is a cyclic operation. It is evaluated by
ARMM by using a continuous failure r a t e which a p p r o x i m a t e s the probability
of a single cycle failure at the end of the interval of i n t e r e s t .
The length of the f i r s t and t h i r d i n t e r v a l s w e r e chosen somewhat a r b i t r a r i l y .

The first interval of one-month duration was a s s u m e d to be the interval
between t e s t s for all components of the safety injection s y s t e m . This would
not be the p r o c e d u r e followed in the actual plant operation. The feedwater
p u m p s , for e x a m p l e , a r e operating continuously, so, in a s e n s e , they a r e
continuously monitored and t e s t e d . The only time they contribute to the
unreliability of the s y s t e m in the t e s t i n t e r v a l is within a length of time p r i o r
to a loss-of-coolant accident equal to the length of time it takes to r e p a i r or
r e p l a c e a failed pump, a s s u m i n g plant operation would continue with one
feedwater pump out of s e r v i c e . To reflect this condition in a reliability
analysis with ARMM, the failure r a t e s for these pumps would have to be
multiplied by the r a t i o of the r e p a i r t i m e to the interval length. The failure
r a t e s of other components which have m o r e frequent t e s t s than r e p r e s e n t e d
by the i n t e r v a l length would need to be multiplied by the ratio of their t e s t
interval to the p r o g r a m i n t e r v a l . This modification was not done in this
calculation. The ten minute duration of the second interval was based on the
m i n i m u m supply of borated w a t e r in the refueling water tank assuming the two
safety injection pumping t r a i n s operate at m a x i m u m capability. The length of
24 h o u r s for the third i n t e r v a l wâs, as stated above, a r b i t r a r y . It could
e a s i l y have taken any other value.
3-47
Using the p r e c e d i n g c o n s i d e r a t i o n s , a failure mode and effect analysis was
p e r f o r m e d on the safety injection s y s t e m components to identify the c r i t i c a l
nature of component f a i l u r e s . This a n a l y s i s is i l l u s t r a t e d for major s y s t e m
components in F i g u r e 3.37. Such an a n a l y s i s identifies the cause and effect
of component f a i l u r e s , the conditions under which the failures become
significant, and the actions which can be taken to eliminate or mitigate such
f a i l u r e s . The analysis also was used to a s s u r e that subsequent steps in
the r e l i a b i l i t y a n a l y s i s identify the important failure modes in the equip-
ment being c o n s i d e r e d .
Based on the preceding work a r e l i a b i l i t y block d i a g r a m was p r e p a r e d for

the safety injection s y s t e m as shown in F i g u r e 3.38. The d i a g r a m was used,
in t u r n , to guide p r e p a r a t i o n of a reliability model input for analysis by
the ARMM p r o g r a m . As shown in F i g u r e 3. 38, the number above each block
is the component ID used in the ARMM a n a l y s i s . Several pumps have two
ID n u m b e r s . These r e p r e s e n t the pump during its s t a r t u p and then during
the continuous operation which follows.
In the r e l i a b i l i t y block d i a g r a m in F i g u r e 3.38 each e l e c t r i c a l bus is placed

in line with the pump or pumps it p o w e r s , with one exception. In that c a s e ,
the 480 volt b u s e s (numbers 1 and 2) a p p e a r by t h e m s e l v e s and as a l t e r n a t e s
(in redundancy) to each other in the block d i a g r a m immediately following
the safety injection loop v a l v e s . This allows the reliability a n a l y s i s to
consider the possibility of failure of both b u s e s in this configuration during
the f i r s t i n t e r v a l . During the second and third i n t e r v a l s , these two buses
have this configuration combined with the twô r e c i r c u l a t i o n p u m p s . During
the f i r s t i n t e r v a l , these twô b u s e s a r e also combined with the refueling
w a t e r p u m p s . Howêver, in this combination they have as additional a l t e r -
nates the two charging pump t r a i n s .
F o r this a n a l y s i s the 220 kv s y s t e m wâs a s s u m e d to be connected to the

4,l60volt b u s e s , lA and I B , and from these buses to the two b r e a k e r s ,
l l C O l and 12C01, to the 4,160 volt b u s e s , IC and 2C. As previously indi-
cated in the s y s t e m d e s c r i p t i o n , the 220 kv s y s t e m is not reconnected until
after the r e a c t o r coolant pump coastdown.
The i n t e r v a l s during which each component contributes to s y s t e m unreliability

is given in Table 3 . 2 1 .
The failure r a t e s used for the components of the safety injection s y s t e m

a r e given in Table 3.22, As shown in Table 3. 22, the tank, sump, and
h e a d e r s wêre given v e r y low failure r a t e s since they w e r e not expected
to fail at r a t e s c o m p a r a b l e to those a s s i g n e d to other active components.
If the failure r a t e s for these static components wêre i n c r e a s e d significantly,
their s e r i a l location in the s y s t e m reliability model would make them major
c o n t r i b u t o r s to s y s t e m unreliability.
3-48
RESULTS OF ANALYSIS
The components which m a k e the l a r g e s t contribution to s y s t e m u n r e l i a -

bility a r e l i s t e d in Table 3. 23 for each time interval and for the total t i m e .
Included in the l i s t is the probability that each component nnight cause
s y s t e m failure and the p e r c e n t a g e contribution that a component might be
expected to m a k e to s y s t e m unreliability for the interval or for the
entire t i m e .
A c o m p a r i s o n of the data for I n t e r v a l 1 and for the e n t i r e time shows that

Interval 1 is the period of g r e a t e s t unreliability. T h e r e a r e s e v e r a l
r e a s o n s for t h i s . F i r s t , the length of the first interval is much g r e a t e r
than the two followîng i n t e r v a l s . This i l l u s t r a t e s the potential value of
i n c r e a s i n g the frequency of t e s t s . Another r e a s o n is the number of c o m -
ponents which w e r e c o n s i d e r e d during the f i r s t interval compared with
the number in the other two i n t e r v a l s . As shown in Table 3 . 2 1 , 70
components w e r e c o n s i d e r e d in the f i r s t i n t e r v a l , 42 in the second,
and 31 in the t h i r d .
The p r i m a r y c o n t r i b u t o r s to s y s t e m unreliability in the first interval a r e

the s t a r t u p components of the two safety injection pumps, the twô feed-
water pumps, the a u x i l i a r y t r a n s f o r m e r C, and the m a i n t r a n s f o r m e r .
Together they contribute 9 7 . 4 p e r c e n t of total unreliability during that
interval.
During the second i n t e r v a l the t h r e e m a j o r contributors a r e s e r i e s c o m -

ponents, i. e. , components not supported by a redundancy. In the third
i n t e r v a l , the m a j o r contributor, the r e c i r c u l a t i o n heat exchanger, is a l s o
a s e r i e s component.
This example a n a l y s i s has shown how the components which can be

expected to be major c o n t r i b u t o r s to the unreliability of a given s y s t e m
can be identified. F o r the San Onofre safety injection system, these
components a r e l i s t e d in the s u m m a r y of Table 3 . 2 3 . Within the a c c u r a c y
of the reliability model and failure r a t e a s s u m p t i o n s , these results point
out the components which either (1) need b e t t e r failure r a t e data, (2)
need to be r e d e s i g n e d or replaced, (3) need additional redundancy, or
(4) need m o r e frequent testing.
Because the m a j o r c o n t r i b u t o r s to the unreliability of the safety injection

s y s t e m a r e p a r t of redundant units. Number (3) above would not appear to
be the solution to b e t t e r reliability. B e c a u s e of the long duration of the
f i r s t i n t e r v a l . Number (4), m o r e frequent testing a p p e a r s to be the b e s t
solution (assuming the failure r a t e data is reasonably a c c u r a t e ) .
3-49
TABLE 3. 1
PRINCIPAL DESIGN PARAMETERS

FOR DRESDEN-3 PRIMARY CONTAINMENT
P r e s s u r e S u p p r e s s i o n C h a m b e r Internal Desi gn
Pressure 62 psig
-1 psig
Drywell Internal Design P r e s s u r e 62 psig
-2 psig
Initial S u p p r e s s i o n Chamber P r e s s u r e Rise 21 psi max.
Initial Suppression Chamber T e m p e r a t u r e R i s e 50° F .
Downcomer Vent P r e s s u r e L o s s F a c t o r 6.2
B r e a k A r e a / V e n t Pipe A r e a .019
Submergence of Vent Pipe Below P r e s s u r e
S u p p r e s s i o n Pool Surface 4 feet
Drywell F r e e Volume - 1 5 8 , 000 ft^
P r e s s u r e S u p p r e s s i o n Pool F r e e Volume ~ 119, 500 ft^
P r e s s u r e S u p p r e s s i o n Pool Water Volume ~ 106, 000 ft^
3-50
TABLE 3.2
PRINCIPAL PENETRATIONS OF PRIMARY CONTAINMENT

AND ASSOCIATED ISOLATION VALVES
Inner Isolation V a l v e s P e r Line O u t e r Isolation V a l v e s P e r Line

(Inboard of P r i m a r y Containment Shell) (Outboard of P r i m a r y Containment Shell)
Number Approx. Closure Closure
of Pipe Closing Time Normal Time Normal
Type of S e r v i c e Lines Size-inches Number Power Signal Sec. Status Number Power Signal Sec. Status
T o Isolation C o n d e n s e r (Steam) 14 AC E,B 60 Open DC E,B 60 Open

F r o m Isolation C o n d e n s e r (Water) 12 AC E,B 60 Open DC (A to open) Closed
Standby Liquid Control System 2 Check Closet' Check Closed
Feedwater 18 Check Open Check Open
F r o m R e a c t o r Cleanup 6 Check Opf AC Open
To R e a c t o r Cleanup AC B,I 40 Open DC B,l Open

Closed Cooling W a t e r Inlet Check Open
Closed Cooling W a t e r Outlet AC RM Open
Steam Lines 20 AC-DC B,C,D Open AC-DC B,C,D, Open
S t e a m Line D r a i n 2 AC B,C,D Closed DC RM Closed
S a m p l e Line - R e c i r c u l a t i o n Loop 1
Shutdown Cooling Inlet 14 AC B,J Closed DC RM Closed

Shutdown Cooling Outlet 16 AC B,J Closed DC RM Closed
Equipment D r a i n Sump 3 DC F 10 Open
D r y w e l l F l o o r D r a i n Sump 3 DC F 10 Open
S e r v i c e W a t e r Supply 3 Check Closed Check Closed
Control Rod D r i v e Inlet 185 1 e note AC

C o n t r o l Rod D r i v e Outlet 185 3/4 e note AC
Control Rod Hyd. Sys. R e t u r n 1 4 1 Check Check
C o r e S p r a y Inlet to R e a c t o r 2 10 1 Check Closed AC G Closed
Head S p r a y - R e a c t o r V e s s e l 1 2 1 Check Closed AC B Closed
Containment Cooling t o S u p p r e s s i o n Pool 2 8 1 Check Closed

C o r e S p r a y , Cont. Cooling f r o m Supp. Pool* ^ 3 20 0
Containment Cooling Inlet to S u p p r e s s i o n Pool ( T e s t Line) 2 16 -
Containment Cooling t o Drywell 2 16 1 Closed
Vacuum B r e a k e r - R e a c t o r Bldg. To Supp. Pool 1 20 0 1 Check
Vacuum B r e a k e r s - S u p p r e s s i o n C h a m b e r t o Drywell 6 24 None None
D r y w e l l Ventilation^ Inlet-Outlet to Drywell 2 18 - 2
—Air F,B Closed
Construction Drain 2 8 - Closed
- —
I n s t r u m e n t a t i o n and E l e c t r i c a l 12 None None ..
In s t r u m entatlon 1 None None
Instrumentation - T r a v e l i i ^ Incore Probe 5 6 1 Open 1
—
AC Closed
I n s t r u m e n t and B r e a t h i n g Air 2 1 None Check
P r e s s u r e Instrumentation 63 1 None 1
—
Check
Open
Denotes Suppression Chamber Location

P e r s o n n e l and Equipment Openings: Signals which c l o s e i s o l a t i o n v a l v e s :
D r y w e l l Head - 1 A - High R e a c t o r V e s s e l P r e s s u r e F - High Drywell P r e s s u r e 1 - Break, Clean-up System +
P e r s o n n e l A c c e s s Lock - 1 B - Low Low R e a c t o r V e s s e l W a t e r Level G - Low Low W a t e r Level in V e s s e l J • B r e a k , Shutdown Cooling J
Suppression Chamber Manholes - 2 C - High Radiation in Main S t e a m L i n e s and Low R e a c t o r P r e s s u r e c a u s e System
Equipment A c c e s s Hatch - 2 D - Main S t e a m Line B r e a k t h e s e v a l v e s to open RM R e m o t e Manual
E - High R e a c t o r Building P r e s s u r e H - R e m o t e m a n u a l c l o s u r e on high
radiation s i g n a l
NOTE: Control rod h y d r a u l i c l i n e s c a n be isolated by the solenoid v a l v e s outside t h e p r i m a r y c o n t a i n m e n t . L i n e s that extend outside the p r i m a r y c o n t a i n m e n t a r e of s m a l l s i z e and t e r m i n a t e
in a s y s t e m which i s designed t o p r e v e n t o u t - l e a k a g e . Solenoid v a l v e s a r e n o r m a l l y closed but open on r o d m o v e m e n t and d u r i n g r e a c t o r s c r a m .
(Conforming a m e n d m e n t of Unit 2 PDAR r e q u i r e d w h e r e indicated by t)
Taken from "Dresden Nuclear Power Station Plant Design and Analysis R e p o r t " dated February 1966.
TABLE 3. 3
DRESDEN-3 STANDBY DIESEL GENERATOR

LOADING REQUIREMENTS
ESTIMATED POWER
LOAD
REQUIRED (hp)
Automatically Connected Shutdown Loads

One Core Spray P u m p 700
Two Containment Cooling Pumps 700
Two Containment Cooling Service Water Pumps 880
Standby Gas T r e a t m e n t Equipment 150
All Power O p e r a t e d Valves Not on D-C 80
E m e r g e n c y A-C Lighting
(time delay t r a n s f e r from b a t t e r y ) 150
Instrumentation and Control M o t o r - G e n e r a t o r 25
Total 2,685 hp
Manually Connected Shutdown Loads

Standby Liquid Control P u m p 100
Drywell Cooling Blowers 80
Reactor Building Cooling Water System 400
Service Water System (that portion
connected to the r e a c t o r building cooling water) 900
Ennergency A-C Lighting 150
I n s t r u m e n t Air C o m p r e s s o r 150
Fuel Pool Cooling System 100
Battery C h a r g e r 40
Condensate T r a n s f e r P u m p 50
Control Valves as Required by Above Systems
but not included as b a t t e r y load 15
Instrumentation and Control M o t o r - G e n e r a t o r 25
Total 2,010 hp
3-52
TABLE 3.4
SLOWDOWN ACCIDENT SUMMARY
P e a k (1)
Containment C o r e Sprays Metal-Water Containment
Case Sprays On On Reaction, % P r e s s u r e , psig Consequences
a 2 2 < a. 5 39 Acceptable
b 1 2 < 0. 5 39 Acceptable
c 0 2 < 0. 5 >62 Unacceptable
d-1 2 0 0 39 Acceptable
d-2 2 0 27. 5 39 Acceptable
e-1 0 0 0 >62 Unacceptable
e-2 0 0 27. 5 62 Unacceptable
f 1 0 27. 5 42 Acceptable
(1) Containment designed for o v e r p r e s s u r e of 62 psig.

TABLE 3, 5
TIME SEQUENCE
FOR SLOWDOWN ACCIDENT
Time After Main

Event R e c i r c u l a t i o n Line Break
F i r s t P e a k in Drywell P r e s s u r e 3 sec.
(39 psig)
P e r f o r a t i o n of 1st Rod 8 sec.
End of Slowdown 24 s e c .
S t a r t of Containment Spray System 24 s e c .
Equalization of Drywell and S u p p r e s s i o n
C h a m b e r P r e s s u r e (21 psig) 30 s e c .
Completion of Containment Isolation
(longest valve c l o s u r e t i m e from end of
blowdown 60 s e c . ) 84 s e c .
Start of M e t a l - W a t e r Reaction 120 s e c .
Second P e a k in Drywell P r e s s u r e (42 psig) ~ 2000 s e c .
P e r f o r a t i o n of All F u e l Rods ~ 2900 s e c .
End of M e t a l - W a t e r R e a c t o r (~25 p e r c e n t
reaction) ~ 2500 s e c .
3-54
TABLE 3 . 6
FAILURE RATE ASSUMPTIONS
/ 6
Component F a i l u r e Mode Failure/10 Hr.
Hatch C l o s u r e Seals Leak E x c e s s i v e l y .01

P e r s o n n e l Lock Doors Open .1
P e r s o n n e l Lock Door Seals Leak E x c e s s i v e l y .1
P e r s o n n e l Lock Interlock No Door Lock .01
Air Operated Valves F a i l Open or . 0 5 (Designed to
(Normally Closed) Leaks fail closed)
Air Operated Valves F a i l Open or . 1 (Designed to
(Normally Open) Leaks fail closed)
Motor O p e r a t e d Valves F a i l Open or . 0 1 (Designed to
(Normally Closed) Leaks fail a s - i s )
Motor O p e r a t e d Valves (Designed to
(Normally Open) F a i l Closed fail a s - i s )
F a i l Open or . 5 (Designed to
Leaks fail a s - i s )
Check Valves (Normally F a i l to Seat or . 1 (Designed to
Closed) Leaks close with outflow
F a i l Open or 1.0 (Designed to
Leaks fail a s - i s )
Suction S t r a i n e r s F a i l Open or Clogged .01
P u m p s (Normally Off) F a i l to Start 10. 0
F a i l to Continue 5.0
Heat Exchanger Leak E x c e s s i v e l y or
Badly Fouled .1
Spray H e a d e r s Plugged .1
Slock Valves (Normally
Closed) F a i l Open 1.0
Automatic T r i p Devices Fail to T r i p 1. 0
Manual T r i p Devices Fail to T r i p 0. 1
3-55
TABLE 3.7
SUMMARY O F RESULTS FOR
DRESDEN-3 PRIMARY CONTAINMENT
Case V a r i a b l e s Case 1 Case 2 Case 3 Case 4
OPERATIONAL CONSIDERATIONS
Containment Isolation Achieved Yes Yes No No
Containment Cooling System On 1 of 2 Loops 1 of 2 Loops No No
Core Spray System On No 1 of 2 Loops 1 of 2 Loops 2 of 2 Loops
E m e r g e n c y AC Power On Yes Yes Yes Yes
PROBABILITY O F SYSTEM SUCCESS

Interval 1 0.99981 0. 99970 0.99977 0. 95746
Interval 2 0.99999 0.99999 0, 99999 0.99998
Overall 0.99981 0.99970 0. 99977 0. 95744
PROBABILITY O F SYSTEM FAILURE

Interval 1 0. 18599x10'^ 0.29780x10'^ 0.22831x10'^ 0.42544x10'^
Interval 2 0. 32450x10' 0.33073x10'^ 0. 32549x10' 0. 17925x10'
Overall 0,18602x10' 0. 29783x10' 0.22835x10' 0.42561x10'
NO. O F COMPONENTS CONSIDERED 162 204 66 66

TABLE 3 . 8
MAJOR CONTRIBUTORS TO PRIMARY CONTAINMENT FAILURE
CASE 1 1 CASE 2
ARMM Percent ARMM Percent
System I. D. ' Component System I. D. Component System
Rank No. Failure No. Failure
1 j 152 Transformer 6 25.8092 152 Transformer 6 20.6034

2 240 Transformer 7 16.0593 240 Transformer 7 15.1461
3 150 Bus 6 - T 6 B r e a k e r 11.3768 150 Bus 5 - T 6 B r e a k e r 9.2601
4 154 T6 - Bus 2A B r e a k e r 11.3768 154 T6 - Bus 2A B r e a k e r 9.2601
5 238 Bus 6 - T7 B r e a k e r 6.9255 238 Bus 6 - T7 B r e a k e r 6.7644
6 242 T7 - Bus 2B B r e a k e r 6.9255 242 T7 - Bus 2B B r e a k e r 6.7644
7 216 MOV-31 B r e a k e r 6.9255 328 MOV-20 B r e a k e r 5.9851
8 220 MOV-32 B r e a k e r 6.9255 294 MOV-10 B r e a k e r 5.9093
9 140 Service Water Valve B r e a k e r 0.8867 216 MOV-31 B r e a k e r 4.0008
10 144 Spray T e s t Valve B r e a k e r 0.8867 220 MOV-32 B r e a k e r 4.0008
11 224 MOV-22 B r e a k e r 0.5067 326 Relief Valve 1.4630
12 228 STV-21 B r e a k e r 0.5067 336 Manual Valve Switch 1.4630
13 232 SWV-2 B r e a k e r 0.5067 292 Core Spray Relief Valve 1.4119'
14 76 MOV-104 0.3782 302 Manual Switch 1.4119
15 170 Containment Cooling P u m p Motor 0.3344 140 Service Water Valve B r e a k e r 0.5122
1
16 172 Containment Cooling Punnp 0.3344 144 Spray T e s t Valve B r e a k e r 0.5122
17 182 Service Water P u m p Motor 0.3344 332 MOV-21 B r e a k e r 0.4596
18 184 Service Water P u m p 0.3344 298 MOV-11 B r e a k e r 0.4512
19 164 Containment Cooling P u m p Motor 0.3344 224 MOV-22 B r e a k e r 0.2927
20 166 Containment Cooling P u m p 0.3344 228 STV-21 B r e a k e r 0.2927
Total 98.0022 Total 95.9839
TABLE 3. 9
COMPONENT GROUPING BY P E R C E N T A G E CONTRIBUTION TO SYSTEM FAILURE
System Failure N u m b e r Of P e r c e n t Of P r o b a b i l i t y Of Percentage Contribution

Percentage Components All C o m p o n e n t s System Failure To System F a i l u r e
Group In G r o u p In G r o u p For Group Bv G r o u p
Case 1
20 - 30 1 0.6 0.480 X lO"^ 25.81

10 - 20 3 1. 9 0.7219 X 10-4 38.81
1 - 10 4 2.5 0.5152 X 10-4 -27.70
0. 1 - 1 20 12. 3 0. 1314 X 1 0 - 4 7.68
0 . 0 1 - 0. 1 15 9.3 0. 1000 X 1 0 - 5 7.68
0. 001 - 0 . 0 1 13 8. 0
< 0.001 106 65.4 1 <0. 1 X 10"^ 7.68
Case 2
20 - 30 1 0.05 0.6136 X 10"^ 20.60

10 - 20 1 0.05 0.4511 X 10-4 15. 15
1 - 10 12 5. 9 0. 1720 X 10-3 57.72
0. 1 - 1 23 11.3 0.1650 X 10-4 6.53
0. 01 - 0 . 1 23 11. 3 0.0266 X 10-5 6.53
0.001 - 0.01 10
<0.001 134
4.9
65.6 1< 0 . 1 X 1 0 - 5
J
6.53
TABLE 3.10
LOSS O F COOLANT INCIDENT AND

SAFETY INJECTION SYSTEM SUMMARY
Reactor Type of Pumping T r a i n Operating Assignment

Loss of Coolant Coolant Safety Safety Residual
Charge
Condition Pressure, Injection System Injection Heat Removal
Pumps
psig Operation Pumips Pumps
Makeup ^2250 None None VCS^^^ None
1 Incident
Small B r e a k 500to1500 High P r e s s u r e SIS(2) SIS SIS
Large Break <500 Low P r e s s u r e SIS SIS CDS(3)
(1) VCS = Volume Control System

(2) SIS = Safety Injection System
(3) CDS = Core Deluge S u b s y s t e m
TABLE 3.11
RUPTURED P I P E SIZES AND

SAFETY INJECTION SYSTEM OPERATION
Low P r e s s u r e
Safety Injection Ruptured
Ruptured Single or Recirculation
Initiation Time P i p e s Affecting
Pipe Size Double-Ended Initiation Time
After Rupture Safety Injection
(inches) Rupture After Rupture
(seconds) Performance
(seconds)
1-1/2 Single 150 NA(1) 1 Drain Header

3 Single 50 1200 1 Letdown Line
3 Single 50 1400 1 Charge Line(3)
4 Single 40 850 1 C o r e Deluge Line
4 Single 30 1000 1 Safety Injection Line
6 Single 10 350 1 Steam Bypass Line
10 Single <10 120 1 Charge Line(2)
27-1/2 Double < 10 10 1 R e a c t o r Coolant
Inlet and Outlet Line
1 Safety Injection Line
1 Charge Line(2)(3)
Break Single <10 10 Unspecified
2 sq.ft.
(1) Not Available

(2) Coolant Loop 2
(3) Coolant Loop 4
TABLE 3. 12
FAILURE RATE SUMMARY
F a i l u r e per
Component F a i l u r e Mode
Million Hours
Storage Tank Rupture or no flow 0. 1

Pump F a i l to s t a r t 10.0
F a i l to continue running 5.0
Motor Operated F a i l to open or close 10.0
Valve (designed to fail a s - i s )
Solenoid Valve F a i l to open 5.0
(designed to fail open)
Check Valve F a i l to seat 1.0
(designed to close
with backflow)
Heat Exchanger Rupture 0. 3
(designed to ASME
code)
Outside P o w e r F a i l to supply power 0. 1
Source
Transformer F a i l to supply power 5.0
Bus Tie F a i l to close 2.0
Automatic Switch F a i l to t r i p 5.0
Manual Switch F a i l to t r i p 5.0
P r e s s u r e Switch F a i l to t r i p 15.0
Level Switch F a i l to t r i p 15.0
3-61
TABLE 3.13
SUMMARY O F SYSTEM UNRELIABILITY
System Unreliability \
Interval
Interval Case 1 Case 2 C;i s e 3
Duration,
No. As -is Improved Percent Shorter Test Percent
"hours
System System Reduction Interval Reduction
1 720.0 . 3 8 8 X 10"-^ . 8 3 1 X 10'^ 97. 9

168. 0* . 908 X 1 0 ' ^ 76.6
2 0. 1 . 4 5 1 X 10"^ .510 X 10"^ 88.7 . 4 5 1 X 10-5 0
3 0.3 .603 X 10-5 . 3 0 0 X 10"'^ 99.5 .603 X 10~5 0
4 24.0 .252 X 10"^ .252 X 10-5 0 .252 X 10-5 0
Total 744.4 . 3 8 8 X 10-1 ,834 X 10-^ 97.8

192.4* 909 X 10-2 76.6
*Applies t o Case 3 only.

TABLE 3.14
MAJOR CONTRIBUTORS TO SYSTEM UNRELIABILITY
P e r c e n t System F a i l u r e |
Component
Case 1 Case 2 Case 3 1
Refueling Water Supply Valve 18.2 5.6(1) 18.4

Safety Injection R e c i r c u l a t i o n Valve 18.2 5.6(1) 18.4
Containnnent Sump Valve 18.2 5.6(1) 18.4
Residual Heat Throttle Valve 18.2 5.6(1) 18.4
R e s i d u a l Heat P u m p Suction Valve 9. 1 1.4(1) 9.2
Residual Heat Bypass Valve 9. 1 1.4(1) 9.2
Charge P u m p Suction Valve 2.7 .35(1) 2.7
Volume Control Valve 2.7 .35(1) 2,7
Charge Line Control Valve 1.8 .19^1) 1.8
Safety Injection Valves(2) .78 33.4 . 19
Refueling Water Storage Tank . 19 8. 1 ,21 1
(1) 2 valves with 1 out of 2 redundancy

(2) 4 valves with 3 out of 1 redundancy
T A B L E 3 . 15
CONNECTICUT YANKEE
CONTAINMENT COOLING SYSTEM
COMPONENT FAILURE RATES
Figure ARMM Component Failure Rate,

Number C o m p o n e n t I. D. F a i l u r e s p e r 10° h o u r
3.31A 10, 1 1 , 12, 13 1.0

3.31A 14 2.0
3.31A 15, 18 10.0
3,31A 16 0.1
3.31A 17 5.0
3.31B 50 0.0001
3.31B 5 1 , 52, 54, 7 1 , 72 10.0
3.31B 5 3 , 5 5 , 64, 6 8 , 7 0 , 5.0
7 3 , 74
3.31B 56, 58, 5 9 , 6 1 , 62, 1.0
65, 66, 69
3.31B 57, 60 30.0
3.31B 63, 67 0. 1
3.31C 10, 30 0. 1
3.31C 20, 40, 60, 70, 5.0
100, 110
3.31C 50, 80, 90, 120 2.0
3.31C 130, 140, 150 90.0
3.31C 160, 170, 180, 190 30.0
3-64
TABLE 3. 16
COMPONENT FAILURE COMBINATIONS LEADING TO POWER SYSTEM FAILURE"
Component Combinations
P e r c e n t a g e Contribution to Power System
(Component I. D. N u m b e r s Refer
Failure Probability
to F i g u r e 3. 31C)
60+90+130 (Third O r d e r ) 99.7 1

20+40+90+130 (Worst F o u r t h O r d e r ) 0. 15
All Others 0. 15
*Power System F a i l u r e P r o b a b i l i t y = 0.27 x 10

TABLE 3. 17A
COMPONENT CONTRIBUTIONS TO SYSTEM UNRELIABILITY
System: 3-Out-of-4 Air R e c i r c u l a t i o n Units P l u s

Containment Spray System in Standby
(ARMM Calculation)
Figure Component Contribution to System F a i l u r e

Number I. D. No. Probability (Percent)'"
3.31A 16 (4 identical .008

components)
3.31A 17 (4 identical 13.4
components)
3.31A 18 (4 identical 53.3
components)
3.31B 70 2.5
3.31B 71 8.0
3.31B 72 8.0
3.31B 73 2.5
3.31B 74 2.5
Total 90.5
• P r o b a b i l i t y of s y s t e m failure = 4. 11 x 10
System reliability = 0. 9999589.
3-66
TABLE 3. 17B
COMPONENT COMBINATIONS CONTRIBUTING

TO SYSTEM FAILURE
(HAND ESTIMATE)
Number of Components Contribution to System

Failed F a i l u r e Probability (Percent)'" |
3 90.5
4 9.5
5 or g r e a t e r Negligible
• P r o b a b i l i t y of s y s t e m failure = 1.8 x 10
System reliability = 0. 999982,
3-67
TABLE 3.18
COMPONENTS - MECHANICAL FEATURES
FEEDWATER PUMPS
Number of Units 2
Design Flow Rate (feedwater s e r v i c e ) 7, 000 gpm
Design Head 1, 825 feet
Shutoff Head 2, 360 feet
Maximum Flow Conditions
(safety injection service)
Flow Required 10, 500 gpm
Head 975 feet
NPSH (net positive suction head) 180 feet
T e m p e r a t u r e of Pumped Fluid
Feedwater 351 F
Safety Injection Water 40 F - 90 F
Basic M a t e r i a l Chrome Alloy Steel
SAFETY INJECTION PUMPS

Number of Units 2
Design Flow Rate 10, 500 gpm
Design Head 245 feet
Design P r e s s u r e 150 psig
Design T e m p e r a t u r e 250 F
Pumped Fluid Boric Acid Solution
T e m p e r a t u r e of Pumped Fluid 40 F - 90 F
Basic M a t e r i a l Stainless Steel
RECIRCULATION PUMPS
Number of Units 2
Design Flow Rate 800 gpm
Design Head 160 feet
Design P r e s s u r e 150 psig
P u m p e d Fluid Boric Acid Solution
T e m p e r a t u r e of Pumped Fluid 40 F - 271 F
Basic M a t e r i a l Carbon Steel
3-68
CHARGING PUMPS
Number of Units 2
Design Flow Rate 213 gpm
Design Head 5, 325 feet
Design P r e s s u r e 2,735 psig
P u m p e d Fluid Boric Acid Solution
T e m p e r a t u r e of Pumped Fluid
(normal plant operation) 130 F
Basic M a t e r i a l Stainless Steel
Note: The centrifugal charging punnps a r e part of the

c h e m i c a l and volume control s y s t e m . The following
p a r a m e t e r s a r e b a s e d upon r e q u i r e m e n t s of that s y s t e m .
3-69
TABLE 3. 19
RECIRCULATION HEAT EXCHANGER
Shell Side Tube Side
Fluid Component 1 7 . % - 2 . 2 % by
Cooling Weight Boric Acid
Water Solution
Flow Rate 1, 000 gpm 1, 600 gpm

T e m p e r a t u r e In 110 F 271 F
T e m p e r a t u r e Out 158 F 241 F
Operating P r e s s u r e 50 psig 100 psig
P r e s s u r e Loss,
Maximum 15 psi 10 psi
Design P r e s s u r e 150 psig 150 psig
Design T e m p e r a t u r e 200 F 300 F
Heat Exchanged Approximately r 2 3 . 8 x 1 0 ^ Btu/hour
3-70
TABLE 3.20
COMPONENTS - E L E C T R I C A L PARAMETERS
Pump Motor Horsepower Voltage
F e e d w a t e r Punnp 3500 4160

Safety Injection Pump 700 4160
R e c i r c u l a t i o n Pump 60 480
Charging Pump 600 4160
Refueling Water Pump 150 480
TABLE 3.21
INTERVAL COMPONENT CONTRIBUTES TO SYSTEM UNRELIABILITY
ARMM COMPONENT INTERVAL

ID 1 2 3
10 Refueling Water Tank X X
20 Safety Injection Header X X
30 MOV 850 A X
40 MOV 850 B X
1 50 MOV 850 C X
60 RMS for MOV 883 X
70 MOV 883 X
80 R e c i r c u l a t i o n Header X X X
90 Containment Sump X X X
100 R e c i r c u l a t i o n Heat E x c h a n g e r X
no FCV 1115 D X
120 MOV 356 X
130 FCV 1115 E X
140 MOV 357 X
150 FCV 1115 F X
160 MOV 358 X
250 Main T r a n s f o r m e r X X X
260 Axixiliary T r a n s f o r m e r C X X X
270 Circuit B r e a k e r 12C02 X X X
280 Circuit B r e a k e r 11C02 X X X
290 Tie B r e a k e r l l C l l X X X
300 Tie B r e a k e r 12C11 X X X

310 Auxiliary T r a n s f o r m e r B X X X
320 Auxiliary T r a n s f o r m e r A X X X
330 CB 11B04 X X X
340 TB 12C01 X X X
350 CB 11A04 X X X
360 TB l l C O l X X X
370 Safety Injection P u m p G50A (Start) X
380 Safety Injection P u m p G50A (Operate) X
390 MOV 853 A X
3-72
TABLE 3.21 (continued)
[ ARMM" i INTERVAL
COMPONENT
ID 1 2
1^ 1
400 F e e d w a t e r P u m p G-3A X X
410 MOV 854 A
420 MOV 852 A
1 X -^
430 MOV 851 A X
440 Interlock A X
450 CV 36 X
460 CV 875 A X
470 Safety Injection P u m p G 50B (Start) X
480 Safety Injection P u m p G 50B (Operate) X
490 MOV 853 B X
500 Feed Water P u m p G-3B X X

510 MOV 854 B X
520 MOV 852 B X
530 MOV 851 B X
540 Interlock B X
550 CV-37 X
560 CV-875 B X
570 Station Service T r a n s f o r m e r #3 X X X
580 Station S e r v i c e T r a n s f o r m e r #2 X X X
590 Station Service T r a n s f o r m e r #1 X X X
600 CB-llClO X X X
610 CB-12C10 X X X
620 CB-1102 X X X
630 CB-1202 X X X
640 CB-1303 X X X
650 TB-1103 X X X
660 TB-1203 X X X
670 Manual Start R e c i r c u l a t i o n P u m p s X
680 R e c i r c u l a t i o n P u m p G-45A (Start) X
690 R e c i r c u l a t i o n P u m p G-45B (Start) X
3-73
ARMM INVERVAL
COMPONENT
ID 1 2 3
700 R e c i r c u l a t i o n P u m p G-45A (Operate) X
710 R e c i r c u l a t i o n P u m p G-45B (Operate) X
720 MOV 866 A X
730 MOV 866 B X
740 Refueling Water P u m p G 27 (Start) X
750 Refueling Water P u m p G 27 (Operate) X X
760 Refueling Water P u m p G 27 S (Start) X
770 Refueling Water P u m p G 27 S (Operate) X X
780 CV 81 X
790 CV 112 X
800 MOV 880 X

810 MOV 1100 B X
820 MOV 1100 D X
830 Charge P u m p G 8A (Operate) X X X
840 Charge P u m p G 8B (Start) X
849 Charge P u m p G 8B (Operate) X X
850 Level Sensor #1 X
853 P r e s s u r e Sensor #1 X
856 Automatic Actuate of SIS X
857 Manual Actuate of SIS X
Total Number of Components Considered 70 42 31
3-74
TABLE 3.22
FAILURE RATE DATA USED

FOR SAN ONOFRE SAFETY INJECTION SYSTEM
FAILURE RATE
COMPONENT
PER MILLION HOURS
Pumps
Start 10
Operate 5
Valves
Open 0. 01
Close 0. 01
Auto T r i p Devices 1. 0
Manual T r i p Devices 0. 1
Level S e n s o r s 15
P r e s s u r e Sensors 15
Tank, Sump 0. 0001
Headers 0. 0002
Interlock 0. 01
Transformers 5
Circuit Breakers 5
Tie B r e a k e r s 5
Heat Exchanger 0. 1
3-75
TABLE 3.23
MAJOR CONTRIBUTORS TO UNRELIABILITY OF SAN ONOFRE

SAFETY INJECTION SYSTEM DURING THREE TIME INTERVALS
INTERVAL 1 (720 HOURS)
P r o b a b i l i t y of S y s t e m Success P r i o r to this Interval: 1.0

P r o b a b i l i t y of System F a i l u r e During this Interval: 1.279 X 10"^
MAJOR CONTRIBUTOR SYSTEM PROBABILITY PERCENT

S. I. P u m p G50A (Start) 4 . 176 X 10"^ 32.0
S, I. P u m p G50B (Start) 4.176 X 10-5 32.0
Feedwater P u m p G-3A 1.468 X 10-5 11.5
F e e d w a t e r P u m p G-3B 1.468 X 10-5 11.5
Axixiliary T r a n s f o r m e r C 6.986 X 10-^ 5.5
Main T r a n s f o r m e r 6.239 X 10-6 4.9
1 INTERVAL 2 (10 MINUTES)
P r o b a b i l i t y of System Success P r i o r to this Interval: 0.99987210

P r o b a b i l i t y of S y s t e m F a i l u r e During this I n t e r v a l : 3.518 x IQ-^
1 MAJOR CONTRIBUTOR SYSTEM PROBABILITY PERCENT 1

T R M S for MOV 883 1.670 X 10'8 47.5
Manual S t a r t R e c i r c . P u m p s 1.670 X 10-8 47.5
Refuel Tank Valve MOV 883 1.670 X 10-9 4.7
3-76
MAJOR CONTRIBUTORS TO UNRELIABILITY OF SAN ONOFRE

SAFETY INJECTION SYSTEM DURING THREE TIME INTERVALS
INTERVAL 3 (24 HOURS)
P r o b a b i l i t y of System Success P r i o r to this Interval: 0. 99987206

P r o b a b i l i t y of System F a i l u r e During this Interval: 2.436 x 10~"

R e c i r c u l a t i o n Ht. E x c h . 2.400 X 10"^ 98.5
Axixiliary T r a n s f o r m e r C 7.226 X lO'*^ 0.3
SUMMARY
P r o b a b i l i t y of S y s t e m S u c c e s s : 0.99986962
S. I. P u m p G50A (Start) 4 . 176 X 10-5 32.0

S. I. Pump G50B (Start) 4. 176 X 10-5 32.0
Feedwater P u m p G-3A 1.468 X 10'5 11.3
F e e d w a t e r P u m p G-3B 1.468 X 10-5 11.3
Auxiliary T r a n s f o r m e r C 6.993 X 10-^ 5.4
Main T r a n s f o r m e r 6.247 X 10-6 4.8
R e c i r c u l a t i o n Ht. E x c h . 2.400 X 10-6 1.8
3-77
^ I 1 I I
ELEVATOR
SHEET
METAL
STRUCTURE
^TOROmALSUPl^SIOK CHAMBER ^FLOOR DRAIN SUMP ÊQUIPMENT CRAtN'' ^TOROIDAL SUPRRESStON CHAMBER
t. ANDPUMPS(2) ^^^, SUMP AKD PUMPS(2)

109' J
FIGURE 3 . 1
SCHEMATIC CROSS-SECTION OF D R E S D E N - 3 CONTAINMENT
3-78
Primary
Containment
Pressure Isolation
Drywell Suppression Vent System Valve
Chamber System
Containment Core
Cooling Spray Service
Systems System Equipment
FIGURE 3. 2
FUNCTIONAL DIAGRAM - PRIMARY CONTAINMENT

OJ
I
00 Refueling Equipment
o Drywell Personnel
Access Access
Vessel Lock
Hatch Hatches
FIGURE 3. 3
FUNCTIONAL DIAGRAM - DRYWELL ASSEMBLY

Pressure
Suppression
Chamber
I
00
Toroidal
Vessel Access
Pressure
Supports Ports
Vessel
FIGURE 3. 4
FUNCTIONAL DIAGRAM - PRESSURE SUPPRESSION CHAMBER

FLOW OCXXVAkVC
UOT FULLY ClOBCD
>TD nUMMkSTE
FIGURE 3 . 5
DRESDEN-3 PRIMARY
Taken from "Dresden Nuclear Power Station Unit 3 P l a n t CONTAINMENT PENETRATIONS
Design and Analysis R e p o r t " dated F e b r u a r y 1966.
3-82
P-AIRTEST W I V E S ' ^
VrO
i , TO
UNJT«2
5. FROM
pi>^
TEST TAP )
LEGEND
a= MOTOR OPERATED VALVE

II II NORMALLY CLOSED
>i — NORMALLY OPEN
= INSTRUMENT WTERLOCKED VALVES
FIGURE 3 . 6
CONTAINMENT SPRAY COOLING SYSTEM
3-83
UNIT 3
GENERATOR
345kv5RID
® ( 5 OUTSIDE UNES)
3 4 5 Kv BUS
(JUUULAAAJ
T-2,
f'V'^
T-3
)
1
)
? )
BUS I(4160lw) BUS 2(4160 lev)
')ACB-SS
CORE CORE
LOOPl SPRAY SPRAY •LOOP 2
PUMPS PUMPS
(CONXMNMBJT ( _ / ^ » _ )CONTAtMMENT)
LOOP 1 i C0OL1N6 > COOLING > LOOP 2
( PUMPS ) PUMPS )
SERVICE SERVICE
LOOP I WATER WWER -LOOPS
PUMPS PUMPS
BUS2A(i80v)| BUS2BC480\»| J-^«-^
MOTOR OPERATED MOTOR OPERATED

VALVE ORCUIT BREAKERS VALVE CJRCUIT BREAKERS
R3R CORE SPRAY UXJP l 4 FOR CORE SPRAY LOOP 2 *
CONTAIKMENTCOOUMG CONTAWMENT COOUKS
WOP I tjOOP2
LEGEND
T = TRAMSFORMERS
ACB =« AIR QRCUIT BREAKERS
FIGURE 3. 7
SCHEMATIC OF E M E R G E N C Y A - C P O W E R
S U P P L Y FOR CORE S P R A Y A N D CONTAINMENT COOLING
3-84
u
CX)
>
o /
o 5-
/ /
a
u •—<
:S
•1-1
i*"*"**^ /
(U
•(-»
nJ
•iH 0£
N
O o _
o
10 •>• (0
CO
5
(ti
CO
s \
TO
O
d •2. «
o CM
Tl o
o
o o
u <
a:
J
LU
o • ^ \ \ . I-
u J— CNI
S
tJ.
<
a
a
c
CO
^
o
\ _l
\ _l
\ ^
(U
I—I
\ *
nJ
H
^ ^
<u
<u _J
w -I
o
2 X
3!Sd '3iJnSS3»d iN3WNIVlN03
FIGURE 3. 8
CONTAINMENT PRESSURE FOR VARIOUS AVAILABLE

ENGINEERED SAFEGUARDS
3-85
# #
System Containment Page 1 of 4

Subsystem P r i m a r y Containnnent
Assembly Containment Cooling System
Function Remove heat from p r i m a r y containment vessels to p r e s e r v e containment integrity and reduce driving force for leakage of
fission products in the event of a severe accident. Sized to remove all fission product decay heat.
Likeli- B AxB
hood Safety Over- Remarks
Component Component Component Failure Cause(s) Effect on Effect on
(No / Sig- all (Dependence on redundancy.
ID No. Name Function(s) Mode(s) of Failure 10^ Subsystem System nifi- Impor environmental factors,
corrective actions)
Hrs ) cance tance
SS-1.2,and Suction Strainer Prevents debris Clogs Accumulation of Cause pump failure Containment p r e s - 3 Design should attempt to preclude
3 from entering pump debris if other two strain- sure might r i s e abov< clogging,pool should be checked for
suction e r s clogged. design p r e s s u r e . construction debris,vent system de-
sign should preclude transmission
of debris to suppresssion chamber
Ruptures. Corrosion. Cause pump failure None unless 2 of 3 3 Use corrosion resistant m,aterial
if debris available pumps fail and a l t e r - in strainer design
to flow to pumps. nate pumping string
fails to operate.
CCP-11, 12 Containment Supplies water to Fail to start Contactors fail to No water to sprays None unless 2 of 3 3 Periodically test pumps to
13,21,22, Cooling Pump containment cooling close, punnp jammed. if 2 of 3 pumps fail pumps fail and a l t e r - exercise contactors and check
and 23 heat exchanger. in both strings. nate pumping string bearing lubrication
fails to operate
Fall to continue Motor failure, No water to sprays None unless 2 of 3
operation longer bearings seize. if 2 of 3 pumps fail pumps fail and a l t e r -
than 300 hours in both strings. nate pumping string
fails to operate
SWP-11,12, Reactor Service Supplies raw water to Fail to s t a r t Contactors fail to No cooling of None if 1 of 2 3 Periodically test pumps to
21 and 22 Water Pump renaove heat from close, brushes fail. containment. pumps works. exercise contactors and check
containment cooling bearing lubrication.
heat exchanger
Fail to continue Motor failure. No cooling of None if 1 of 2 3 Periodically test pumps to
operation longer bearings seize containment. pumps works exercise contactors and check
than 300 hours. bearing lubrication
MOV-31 Standby String Opens to allow use Fail to open. Valve motor failure. No spray from None if normal 3 Exercise valve to clear contacts
Inlet Valve for of standby string. valve binding with cor - standby string. string is operable. and valve corrosion product
Unit 2 rosionproduct a c - ace umulation
cumulation.
MOV-21 Standby String Isolates Unit 2 Fail to open. Valve designed to None provides None 1 None, inspect to a s s u r e valve is
Inlet Valve for suppression pool. fail as-IS. additional water closed.
Unit 2 source
(0) None (2) Minor (4) Major

(1) Neg (3) Intermediate
FIGURE 3 . 9
EXAMPLE OF FAILURE MODE AND E F F E C T S ANALYSIS

System Containment Page 3 _ of 4
Subsystem Prunary Containment
Function Remove heat from primary containment v e s s e l s to preserve containment integrity and reduce driving force for
leakage of fission products in the event of a severe accident. Sized to remove all fission product decay heat.
Likeli- B AxB
hood Remarks
Component Component Failure Cause(s) Effect on Safety Over-
Component (No / Effect on (Dependence on redundancy,
Function(s) Mode(s) Subsystem Sig- all
ID No Name of Failure 10^ System environmental factors,
nifi- [mpor
Hrs ) corrective actions)
cance tance
CCX-1 Contaimnent Cools suj^ression Shell rupture Material failure, Poor cooling of Poor cooling of
CCX-2 Cooling Heat pool water during corrosion containment cool- containment
Exchanger accident ing water
Tube leaks Loss of contammeni Decreased cooling Test tubes periodically at maxi-
cooling water to radioactivity mum expected pressure to
service water release to service assure no leaks
system water
SWV-1 Service Water Allows service Fail closed Valve normcdly open, Loss of cooling Loss of cooling if Inspect to assure that valve is
SWV-2 Return Valve water to return to designed to fail a s - i s both strings open
river from heat inoperable
exchanger, pro-
vides isolation
capability
Fail to close Motor failure. None for cooling, None for cooling, Exercise valve to assure
uncontrolled release uncontrolled release ope r ability
of activity with of activity with
tube rupture tube rupture
TTV-11. Test Tap Xsolaticc Provides means Fail open Normally closed None unless 2nd None unless 2nd Inspect to assure valve closed
12,21.22 Valve for testing contain- hand operated valve valve in series is valve m series is
ment cooling flow, open open
isolates cooling
system from
secondary contain-
ment
MOV-11 Drywell Spray Opens spray water Fail closed Valve normally open, Loss of drywell Drywell pressure Inspect to assure proper position
and 23 Supply Valve path to drywell, designed to fail a s - i s spray cooling for higher than design
provides isolation respective string if 3 other spray
with external water paths blocked
rupture of spray
supply line
Fail open Motor failure None on cooling, Leaky containment Exercise and inspect for final
possible loss of if spray supply position
drywell isolation line ruptured

(1) Neg. (3) Intermediate
FIGURE 3 . 9 (continued)
System Containment Page 3 of 4
Subsystem Primary Containment
Assembly Containment Coolmg System
Function See Page 1
Likeli- B AxB
hood Remarks
Cause(s) Safety Over-
Component Component Component Failure Effect on Effect on (Dependence on redundancy
(No / Sig- all
ID No Name Function(s) Mode(s) of Failure Subsystem System environmental factors,
106 nifi- trap or
cance tance
MOV-32 Standby Core Allows standby Fail to open Motor failure No containment Overpressure if 4 Exercise periodically, provide
Spray Unit 3 spray system cooling by standby normal spray manual backup to assure capa-
Inlet Valve water to go to system possible system does not bility to open
Unit 3 work
Fail to close Normally closed, None None 1
fails as-IS
MOV-22 Standby Core Prevents standby Faal to close Normally closed, Insufficient contain- Overpressure if 3 Inspect to insure closure
Spray Unit 2 spray system from fails as-IS ment cooling by normal spray s y s -
Inlet Valve going to Unit 2 standby spray tem doe s not work
system
Fail to open Motor failure None None 0 Should be exercised periodically
to assure that standby system
IS also available for Unit 2
MOV-12 Suppression Isolates suppressxi Fail to close Normally closed, Reduces spray None 1 Inspect to assure closure
and 24 Chamber Spray chamber, provides fails a s - i s efficiency in dry
Inlet Valve alternate spray weU.
path
Fail to open Motor failure Prevents spray Containment over- 2 Exercise periodically, provide
cooling if drywell pressure if other manual backup for valve opera-
isolated spray system tion
failed
DWS-1,2 Spray Header Distribute spray Plugged Debris in lines No cooling if other Some overpressure 2 Test by air flow
SCS-1,2 water 3 headers plugged
Leaks Corrosion or poor Reduced efficiency None 0 Inspect and test with water on
assembly initial installation
TTV-13, Spray Header Permit spray Fail open Left open Poor spray cooling Some overpressure 2 Inspect periodically to assure
14, 23 and Test Valve header test, pre- valve closed, provide lock on
24 vent spraywater valve
leakage
Fail closed Normally closed None None 0
- - - J
(0) None (2) Mmor (4) Major
(1) Neg. (3) Intermediate
System Containment Page 4
Subsystem P r i m a r y Containment
Function 5ee Page 1
Likeli- B AxB
Remarks
Component Component Component Failure Cause(s) hood Effect on Effect on Safety Over- (Dependence on redundancy
ID No Name Function(s) Mode(s) of Failure (No / Subsystem System Sig all environmental factors,
10^ nifi- Impor corrective actions)
Hrs ) cance tance
STV-11, Spray Test Valve P e r m i t spray flow F a i l open Motor operated valve No spray cooling Overpressure 3 Inspect to a s s u r e closed position.
-21 test, prevent spray fails a s - i s , normally provide key locked switch to
water diversion closed-spurious a s s u r e normally closed position
signal
Fail closed Motor failure,
normally closed None None 0
DPM Drywell P r e s s u r e Actuates s p r a y Fail to t r i p Relay failure No automatic spray None if manual 3 T e s t periodically, provide failure
Monitor T r i p system cooling trip works a l a r m s on sensors
Trip spuriously Relay failure None None 0 May cause water damage and
shutdown
RWL Reactor Low Low Actuates spray Fail to trip Relay failure No automatic spray None if manual 3 Test periodically, provide failure
Level T r i p system cooling t r i p works a l a r m s on sensors
T r i p spuriously Relay failure None None 0 May cause water damage and
shutdown
MSS-11 Manual T r i p Actuates spray F a i l to trip Operator e r r o r , No normal spray Overpressure 4 Test periodically
-21 system relay failure cooling
T r i p spuriously Operator e r r o r None None 0 Cause water damage and shut-
down
SAT Standby Automatic Actuates standby F a i l to trip Relay failure No standby spray Ncxie if manual Test with spray system test by
Trip spray cooling trip works actual shutdown of normal
system
T r i p spuriously Relay failure None None 0 Cause water damage

(1) Neg. (3) Inte rm e diate
FIGURE 3 . 9 (continued)
PERSONNEL
LOCK
DOOR
SEALS
DRYWELL EQUIPMENT EQUIPMENT PERSONNEL PERSONNEL 24 ACCESS ACCESS
vcodCL HAiun nniun LUUI\ LUOIX , runi ruKl
HEAD COVER COVER DOORS INTERLOCK , PDS-11 — , , SEALS SEALS
SEALS SEALS SEALS 1
1
10 1
1
1Î 1 18 1
1
22 28 1 36 1
1 40
1 1 1
1
OHS-1
1
EHS-11 EHS-21 PLD-1 PDS-12 H—
1
1
APS-11
1
APS-21
1
1 _ J 1
12 1 IE 2C1 2Ê 3C 32 - —r-
1 38 42
^
1
1 1
DHS-2 EHS-12 EHS-22 PLD-2 POI PDS-21 ^—^1 1 APS-12 APS-22
1
1 1 1 i 1
1 1 1 1 1
1 1 1 34 1 1
1 1 1
1 I ' PDS-22 — 1 1 1
1 1
1 1 1 1
1 1 i 1 1
FUNCTION NO. 10 I 15 1 20 1 25 ' 3 5 1 40
30
DRYWELL SUPPRESSION SUPPRESSION DRYWELL STEAM
VENT TO CHAMBER CHAMBER VENTILATION CONDENSATE
STACK VACUUM VENT INLET PRIMARY STEAM LINES DRAIN LINE
RELIEF TO STACK 1 1
44 48 52 56 6Q 1 64 1 68 72
1 1 1
1
AOV-100 AOV-202 AOV-204 MOV-100 MOV-101 MOV-102 MOV-103 1
NC NCh-» NC NO NO NO NO
1— 1
1 76
1
MOV-104
0- 46 50 54 58 62 66 70 74
1
1
1
NC
AOV-205 1
A0V-20D A0V-201 AOV-203 MOV-202 MOV-203 MOV-204 MOV-205 1
NC NO NC NC NO NO NO NO 1
1 1 1
1
1
45 50 55 60 65 1 70 1 75 80 1 85
1 1 1
1 1
NOTE:
1) NUMBER IN BOXES OENOTE ARMM COMPONENT ID NUMBERS.
2) NUMBERS BELOW BOXES DENOTE ARMM FUNCTION ID NUMBERS.
3) NO - NORMALLY OPEN; NC = NORMALLY CLOSED.
FIGURE 3. 10
RELIABILITY BLOCK DIAGRAM

CONTAINMENT ISOLATION AND COOLING
INTERVAL 1
3-90
EQUIPMENT FLOOR DRAIN RECIRCULATING
DRAIN SUMP SUMP PUMP TO CLEANUP
OUTLET OUTLET CLEANUP RETURN RECIRCULATING PUMP SHUTDOWN COOLING WATER SUPPLY
1 1 1 1 1 1
1 1 1 1 1
1
78 1 82 1 86 1 90 1 94 1 102 1
1
MOV-110 1 MOV-111
— AOV-206 AOV-208 MOV-109 CV-IOO
NO NO NO NC NC
(
'
1 <D
\
80 84 88 92 96 98 100 104 108 108
AOV-207 AOV-209 MOV-211 MOV-212 MOV-213 MOV-214 MOV-215 MOV-216 MOV-217 MOV-218
NO NO NO NO NC NC NC NC NC NC
1 1 1 1
1 1
1 1 1 1 1 1
90 1 95 1 100 1 105 1 110 1 115 1
RECIRCULATING PUMP SHUTDOWN COOLING WATER RETURN SUCTION

ISOLATION CONDENSER STRAINERS
INLET OUTLET 134
VALVES VALVES
1
1
SS-1
110 1 118 126 130
1 MOV-114
MOV-112 1
MOV-113 MQV-116
NC NC NO NO 136
112
SS-2 KD
114 116 120 122 124 128 132
MOV-219 MOV-220 M0V.221 MOV-222 MOV-223 MOV-224 MOV-226 MOV-227
NC NC NC NC NC NC NO NC
1
1
1
120 125 130 135 140
3-91
CONTAINMENT
SPRAY LOOP
ALIGNMENT
(s>
216 218 220 111 224 226 228 230 232 234 236 238 240 242
MQV-31 MOV-32 MQV-22 STV-21 CB-22 SWV-2 CCX-2 ACB-32 ACB.33
'GB-26 CB-28 CB-29 CB-25 T-7
NO NC NC NC NC
145
i"7T
3-92
CONTAINMENT CONTAINMENT CONTAINMENT CONTAINMENT
SPRAY SPRAY SPRAY SPRAY
ACTUATION PUMPING COOLING DISTRIBUTION
t 1
1
1
1
1
1
1
156 158 182 164 168 1 174 178 178 1 186 188 190 1
DPT — RWLT — ACB- 18 CCPM- 10 CCP- 10 ACB- 18 — SWPM- 10 SWP •10 CB- 13 MOV- 11 DWS -1 —
1—
1 1
16C 188 170 172 180 182 184 192 194 196
MSS- 11 1 ACB- •17 CCPM-•11 CCP •11 ACB- -19 SWPM -11 SWP- 11 CB- 14 — MOV- 12 SCS -1
1
.
(D — T - — - - 1 — -- — 1
244 248 250 252 260 262 264 272 274 276 1
SAS ACB- -26 CCPM •20 CCP -20 ACB •28 SWPM- 20 SWP •20 CB-•30 MOV- 23 — DWS •2
• 1
246 254 266 \

256 258 268 270 278 280 282
MSS- 21 ACB •27 CCPM •21 CCP •21 ACB •29 SWPM -21 SWP -21 CO -31 MOV--24 SCS -2
1
1
150 155 160 165

isli~" 1 ""185 ""l90"" 'l95 "'
3-93
POWER S U P P L Y SOURCES
208 210 212 214

345 Kv T-3 ACB-12 ACB-13
GRID
2oe 210 286 290

34.5 Kv
GRID T-3 ACB-22 ACB-23
170
a-'7^
CORE SPRAY LOOP ALIGNMENT
(I>
205_
'230
FIGURE 3. 11

CORE SPRAY - INTERVAL 1
(REDUNDANT OPERATION)
3-95
SPRAY SPRAY
LOOP LOOP SPRAY
VALVE PUMP LOOP
ACTUATION ACTUATION PUMPS
FUNCTION 225
(SAME AS FUNCTION 170)
FUNCTION 250
I (SAME AS FUNCTION 200)
21Q 215 220

235" 240" 245"
3-96
COOLING PERIOD
SPRAY PUMPING SPRAY COOLING POWER
360 362 368 370

CCPM-10 CCP-10 SWPM-10 SWP-10
148 ON ON ON ON
CCX-1
364 366 372 374 408 410
CCPM-n CCP-11 SWPM SWP-11 3 4 . 5 Kv T-8 ON

ON ON ON ON LINE ON
412
I DIESEL
GEN ON
376 378 384 386 414 416

CCPM-20 CCP-20 SWPM-20 SWP-20 345 Kv
T - 3 ON
236 ON ON ON ON GRID ON
CCX-2
380 382 388 390
CCPM-21 CCP-21 SWPM-21 SWP-21
ON ON ON ON
290
260 265
275 280
FIGURE 3.12
R E L I A B I L I T Y BLOCK DIAGRAM
CONTAINMENT COOLING
INTERVAL 2
CORE SPRAY PUMPING COOLING PERIOD
1 1 POWER
1 1
1 392 394 1
1
1
CSPM-10 CSP-10 1
1
396 398
CSPM-11 CSP-11
1
1
1
1
r
1 1 FUNCTION 290
1
1 1 1
1
1
1 1
1 400 402 1
CSPM-20 CSP-20
404 406
1
1
CSPM-21 CSP-21 1
1
— 280
285
1
F I G U R E 3 . 13
R E L I A B I L I T Y B L O C K DIAGRAM
(REDUNDANT OPERATION)
3-98
J I ^. I , ^ _ I
J FUNCTION 205 |—| FUNCTION 210 |—| FUNCTION 215 i — | FUNCTION 220 |—| FUNCTION 225
I
I L I i I J I !
L
I 1 r
(T> i FUNCTION 230 "I FUNCTION 235 , FUNCTION 240 FUNCTION 245 FUNCTION 250 f
1 I J I
FIGURE 3.14

(BOTH LOOPS REQUIRED)
1 FUNCTION 280 I 1 FUNCTION 285 j 1 FUNCTION 290 r
I I I « ! !
FIGURE 3.15
(BOTH L O O P S REQUIRED)
3-100
AUTOMATIC RELIABILITY MATH MUDfcL PAGE 1
DRESDEN 3 PRIMARY CONTAINMbNT CASE 2 ODOOOOOO, 1900 0000-00
PRIMARY CONTAINMENT CASE 2 CONSIDERS PRIM, CUNT. CASE I AND CORE
SPRAY CASE I TOGETHER
TWO TIME INTERVALS CCNSIDERhD
INTERVAL 1 ISOLATION AND INITIATION PHASE AT END OF 30 DAYS
INTERVAL 2 CONTINUED COOLING FOR 300 HR
VALVES,BREAKERS AND SWITCHES NOT CONSIDERED TO FAIL IN INTERVAL 2
V IF OPERATED PROPERLY IN INTERVAL I
o
NU'lutR uF COMPU;MENTS Û^'neR OF TIME I N T E R V A L S MISSION

L E N G T H OF
20t 2 1320.000
NUMoEK Ur FONCTIUNS NU'-IHER OF INTEGRATION INTERVALS PRI'JT-OUT INOICATTf-'

5o 10 I
MAXI.Û'-I ixJUrtoFR OF COMPONENTS RE I N I T I AL I 7.E

F A I L E D AT A TIME INDICATOR
2 0
FIGURE 3.16
AUTOMATIC RELIABILITY MATHEMATIC MODEL
DRESDEN-3 PRIMARY CONTAINMENT-CASE 2
AUTOMATIC i t L I A h f L I T Y MATH MODEL PAGE 77
DKESGtN 3 ^ - N I M A I ^ Y CLNT A IKMLNT CASE 2 JOOOOOOO, 1900 0000-00

SUMMARY
P'<lidA[ilLnY OF SYSTEM F A I L U R E = 0.29782 J89E-03
PRGrfABILITY OF SYSTEM SUCCESS = 0.999702Io
FUNi-TIbu IJ F J \ L T I f N NAMt P K G H A B I L I T Y UF r j N C T i c N FAILURE PERCENT OF SYSThM FAILURE RANK

10 L;.<YWELL hE^D S E A L 0.-+b85i)D35E-12 0.000 33
io fcUUlP HATCH S E A L 1 0.46f'505ibE-12 0.000 34
20 tWUlP MATCH SEAL 2 0.'t6S50D35F-12 0.000 35
30 PERSONNEL LOCK 2 0.51535?77E-10 o.ooo 29
33 ACCESS PORT StAL 1 0.'*6a505i5E-12 0.000 36
1^ ^0 ACuLSS PORT SEAL 2 J.4685)535E-12 0 . 000 37
1
1—' t5 GRYWELL STACK; VENT 0.11712220E-08 0.000 19
o iO SUP ChtJk V A C R L F 0.4t)d47l94E-0H 0.002 12
5i SUP CH6R STACK VNT 0.11712220E-C8 0.000 20
oO CRY'rtFLL vENT INLET 0. 11712220E-0P 0.000 21
b'i PxIM S T E A M L I N E 1 0.117Ua426E-U6 0.039 5
7J PRi;-! S T E A M L I N E 2 0.II70^426E-U6 0.039 6
TJ PR IM S I E A M L I N E J 0.11708426E-06 0.039 7
80 PRIM S T E A M LINt ^ 0. 1170B'+26E-U6 0.039 8
«6 STCA'1 C U N D . D R A I N 0.O507J213E-06 0.218 3
-^0 cWUlP DRAIN SuMP 0.46847194C-08 0.002 13
>5 FLUGR D K A I N SUMP 0.4:>847194E-08 0.002 14
1 JO 0. ll70:J426F-n6
KEGIRG T O C L E A N U P 0.039 9
1J5 0.23412o39F-06
CLCANUP RETURN 0.079 4
110 RECIRC CW SUPPLY I 0.14C55069E-09
0.000 23
115 0.14055J69E-09
R E C I R C CÎ S U P P L Y 2
0.14G55069E-09 0.000 24
120 K E C I R C CA R E T U R N 1 0.000 25
0.14055J69E-09
125 RECIRC CS RETURN 2 0.000 26
0.1l70842faE-06
130 I SOL CGND INLET 0.2342D984E-08 0.039 10
1 io ISUL CLNU OUTLET 0.001 18
DRESDEN 3 PRIMARY CONTAINMENT CASE 2 00000000, 1900 0000-00
SUMMARY
FUNCTION ID FUNCTION NAME P R O B A B I L I T Y OF FUNCTION FAILURE PERCENT OF SYSTEM FAILURE RANK

140 SUCTION STRAINER 0.33732044E-15 0.000 40
170 CGNT COOL BUS 5PWR 0.43163149E-10 0.000 30
-175 CONf COOL VALVES 0. 17040808E-03 57.217 1
-130 CONT COOL ACTUATE 0.49397111E-13 0.000 39
-185 CONT COOL PUMP 0.30741719E-08 0.001 16
-190 SERVICE WTR PUMP 0.30741719E-08 0.001 17
-195 CUNT COOL SPRAY 0.24990593E-10 0.000 31
-230 CORE SPRAY VALVES 0.12577020E-03 42.229 2
-2 3 5 VALVE ACTUATE 0.69597484E-10 0.000 ?7
-240 PUMP ACTUATE 0.69597484E-10 0,000 28
-245 CURE SPRAY PUMP 0.43383906E-08 0,001 15
I -2 70 CONT COOL PUMP ON 0.71309667E-09 0,000 22
-275 SERVICE V.TR PUMPON 0.71168031E-12 0,000 32
o -285 CORE SPRAY ON 0.13333664E-12 0.000 38
290 COOL PERIOD PWR 0.32349380E-07 O.Oll 11
MAJCR CONTRIBUTORS TO SYSTEM UNRELIABILITY

COMPONENT COMBINATIONS PROBABILITY PERCENT
152 240 0,20904720E-04 6.3435
152 238 0,11624881E-04 3.5276
152 216 0.11624381E-04 3.5276
150 240 0.11624381E-04 3.5276
154 240 0.11624381E-04 3,5276
152 328 0.11624881E-04 3,5276
1,!>2 242 0.11624881E-04 3.5276
152 220 0.11624881E-04 3.5276
294 240 0.11624881E-04 3.5276
150 220 0.64644687E-05 1.9616
AurOÂTIC RELIABILITY nAfH MODEL PAGE eo
DRcSOt\ 3 PklriARY CLNTAINMENT CASE 2 00000300, 1900 0000-00
SUMMARY
COMPONENT CONTRIBUTIONS TO UNRELIABILITY
Cui'iPUNENT FAILURE SERIAL SERIAL SERIAL SYSTEM SYSTEM SYSTEM

ID f;A-IE RATE*10**0 PH0BA'3ILITY PERCENT RANK PR3bABILITY PERCENT RANK
10, )J URYWELL HEAD SEALl 0.00 0.65394789E-06 0.0004 122 0.23425270E-12 0.0000 150
12.00 DRYWELL HEAD SEAL2 0.00 0.65394789E-06 0.0004 123 0.23425270E-12 0.0000 151
14.00 E U J I P HATCH SEALll 0.00 0.65394739F-06 0.0004 124 0.23425270E-12 0.0000 152
10,0 0 E Q J I P HATCH SEAL12 0.00 0.6D3<;47d9E-06 0.0004 125 0.23425270E-12 0.0000 153
18.00 EQUIP HATCH SEAL21 0.00 0.653947a9E-06 0.0004 126 0.23425270E-12 0 . 0 0 00 154
zo.do E J U I P HATCH SEAL22 0.00 0.653947S9E-06 0.0004 127 0.23425270F-12 0.0000 155
3 6 . 0 0 ACCESS PORT SEALll 0.00 0 . 6 5 3«;4 7,'19E-06 0.0004 128 0.23425270E-I2 0.0000 156
:J3.00 A C C c S b PORT SFAL21 0.00 0.65394789b-06 0.00J4 129 0.23425270E-12 0.0000 157
4 0 . 0 0 ACCESS PORT SEAL21 0.00 0.65394789E-06 0.0004 130 0.23425270E-12 0.0000 158
4 2 . 0 0 ACCESS PORT SEAL22 0.00 0.653S4789E-06 0.0004 131 0.23425270E-12 0.0000 159
OJ
I 4 4 . 0 0 AOV-lOO 0.05 0.32697394E-04 0.0134 85 0.53561105E-09 0.0002 35
4 6 . 0 0 A0V-200 0.05 0.326S7394E-04 0.0134 86 0.58561105E-09 0.0002 86
o 4 8 . 0 0 CV-200 0,10 0.65394788E-04 0.0368 76 0.23423600E-03 0.0008 74
t4^
5 0 . 0 0 AOV-2 01 0.10 0.65394738E-04 0.03c8 77 0.23423630E-03 0.0008 75
5 2 . J O AUV-202 0.05 0.32697394E-04 0.0134 87 0.58561105E-09 0.0002 87
5 4 . 0 0 AUV-203 0.05 0.32697394E-04 0.0134 38 0.535611056-09 0.0002 88
5 6 . 0 0 AOV-204 0.05 0.32697394E-04 0.0134 89 0.58561105E-09 0.0002 89
5 3 . 0 0 AUV-205 0.05 0.32697394E-04 0.0134 90 0.58561105E-09 0.0002 90
6 0 . 0 0 MOV-100 0.50 0.32697394E-03 0.1840 55 0.53542139E-07 0.0197 49
6 2 . 0 0 MOV-202 0.50 0.32697394E-03 0.1840 56 0.53542139E-07 0.0197 50
64.00 MUV-lOl 0.50 0.32697394E-03 0.1840 57 0.58542139E-07 0.0197 51
6 6 . 0 0 MUV-20J 0.50 0.32697394E-03 0.1840 58 0,58542139E-07 0.0197 52
6 8 . 0 0 MOV-102 0.50 0.32697394E-03 0.1840 59 0.58542139E-07 0.0197 53
7 0 . 0 0 MUV-204 0.50 0.32697394E-03 0.1840 60 0.53542139E-07 0,0197 54
7 2 . 0 0 MOV-103 0.50 0.32697394E-03 0.1840 61 0.53542139E-07 0,0197 55
7 4 . 0 0 MGV-2G5 0.50 0.32b97394E-03 0.1840 62 0.53542139E-07 56
0,0197
7 6 . 0 0 MOV-104 0.00 0.65394739F-06 0.0004 132 0.65070220F-06 0,2185 22
7 O . 0 0 A u V - 2 06 0.10 0.65394788E-04 0.0368 78 0.23423600E-08 0,0008 76
8 0 . OU A O V - 2 0 7 0.10 0.65394788E-04 79
0.0368 0.23423600E-08 0,0008 77

AUTOMATIC -IFLIABILITY MATH MODEL PAGE 81
UktSDF\ 3 PRIMAKY CONTAINMENT CASt 2 30000300, 1900 0000-00

NUMMARY
COMPONENT COMKlriUTIONS Tu UNRELIABILITY
COMPONcMI FAILU'^t SLKIAL i,ERIAL iEWlAL S Yi Tt M SYSTf-M SYSTEM

lU NAME '<A1E*I0**6 PRJriAiULITY PERCENT RANK P K J i l A b f L I TY t'FRCFNT RANK
82.00 AL'V-203 0 . 10 0.o539473BE-0t 0.036a 30 J.234236:)Jf-OH 3.3308 78
d4.00 AriV-^09 0 . 10 0.65J9473aC-04 0 . 0 3o3 31 0.23t2360'J<^-T3 3 . )0 ) 3 79
36.00 M0V-10:< 0.50 0.32697394E-03 0.1340 63 0.5HS421 3 i r - 0 7 0 . 3197 57
8 3.00 MU\/-2Il 0.50 0. 12697i94E-u3 3.1340 64 3.'>354/l 5) t - 0 7 ' J . 01 9 7 58
90. J J CV-lOO 1.00 0.653S4739F-03 0.3630 50 0.156084^7F-0o 3.0524 45
92.00 MOV-212 U.50 0.32697J94E-03 0 . 1 8 40 65 0.730421 37r-07 0.0262 46
9 4 . JO MoV-110 0.01 0.O5JS4738L-05 0.00i7 91 0. 7027S3'i3F-n 0 . 0 0 00 H I
96.0 0 Ml'V-2l3 0.01 0.65)947S8r-05 0 . 0 0 }7 9? 0.234^'51i3h-lU 0.30 3 128
9b. )0 N>0V-2 14 0.01 0.65394 r3dE-05 0.J017 93 0.?34?5ll3c-l ) 0 . )0 ) 0 W-
100.00 |M0»/-2 15 0.01 0.65394788E-05 0.0017 94 0.23426ll3e-l J 0 . 3 0 JO 130
00
1 102.00 MUV-IU 0.01 0.65394/38t-05 0.0037 95 0. 70^'75353L-1 ) 0 . 30 ) 0 1 12
104.JO hliJ-Zlo 0.01 0.65394738F-05 0.0037 96 0.234/511 3 f - l ) 0 . 0 0 30 I 31
o
OI lOo.OO MLy-217 0.01 0.65394733E-05 0.0037 97 3.23425113F-n 0.3300 1 32
I J3.00 M L ' 7 - 2 13 0.01 0.65394733E-05 0.0037 98 0.23425113F-1) J. 0030 133
0.0037 99 0 . 7J2753'S3F-1 ) 0 . 3 0 30 113
n o . vj N . W - l l ? 0.01 0.61i39'+733E-05
1 1 2 . 0 0 MuV-219 O.Ol 100 0.23425113F-1J 3 . 30 0 0 134
0.65194/3bE-05 3.0037
0.01 101 0.23425113&-1) I 35
1 1 4 . J O M L V - 2 20 0.6D39473dE-05 0.0037 0 . V)10
0.01 0.23425113t-l )
116.00 •'LV-221 0.65394738t-05 0.0037 102 0 . 1? i n 136
J.7J2753S3E-1J J . IHT-'
1 1 3 . J O M C / - 1 13 0.01 0.65}<;47>i8b-05 J.00J7 103 I 14
0.234251 1 3 t - l )
1 ^ 0 . 0 0 M U V - 2 22 0.01 U.e'j394 7-i8E-05 0.0037 104 O.'"" ) 0 0 137
0.234251l:ifc-l )
IZZ.OO ML'V-223 J.01 0.65i94738b-05 0.0037 105 .). 1 •m 1 3r^
0.234251l8t-l )
l . i t . 3 0 r',tiV-2 2 4 0.01 0.653947'i8E-05 0.3037 106 ) . )0 0 0 i 53
0 . 3 3 5 4 2 1 3->t-07
126.00 M 0 y - l i 4 0.50 0.32697394E-03 0.1840 66 ) . )1 9 7 •>'-,
0.53i4213Ê-07
1 ^ 3 . 3 0 MOV-^-^6 0.50 0.32o97394E-03 0.1840 67 J . 01 9 7 JO
0.229617^1E-0-<
I 30.30 SuV-116 0.50 0.326973V4E-03 0.IbÔ 63 3.')3^f Ml'
0.45923502F-10
1 3 2 . O J M U V - 2 27 0.01 0.65394738t-05 0 . 0 0 37 107 j.-mo 11-
0.16802122E-l^
1 5 o . J o G R Y A E L L PRESb T i l P 0 . 10 0.'35394738E-0't 0.03jb 32 ) . ) 1)') 16C
0.1630?12?e-l?
1 -J 8 . 0 0 VÂTtR L L V E L TH I P 0.10 0.6539'+746E-04 3.03D8 H3 ) . i'-i •>>; i6l
0 . 3 3 6 0 4 2 4 3 L - 1 •>
1 6 0 . 3 0 I'lAN S T A I N T S w I T t H 0.01 0 . 6 5 3 9'+7 3 8 E - 0 5 0.0037 108 ). )>i )i 1 'i

SUMMARY
COMPONENT C0NTRI3UTIONS TO UNRELIABILITY
COMPONENT FAILURE SERIAL SERIAL SERIAL SYSTEM SYSTEM SYSTEM

ID NAME 'ÂTE*10**6 PROBABILITY PERCENT RANK PROBABILITY PERCENT RANK
3 4 6 . 0 0 AUTO VLV S W I T C H 5.00 0. 0. 0 0.29086388E-10 0.0000 125
3 4 8 . 0 0 CSPM BKR 5.00 0. 0. 0 0.22953065E-09 0.0001 102
3 5 0 . 0 0 CUKE SPRAY PP MOTR 10.00 0. 0. 0 0.72095972E-09 0.0002 81
3 5 2 . 0 0 CURE SPRAY PP 10.00 0. 0. 0 0.72095972E-09 0.0002 82
3 5 4 . 0 0 CSPM BKR 5.00 0. 0. 0 0.22953065E-09 O.OOOl 103
3 5 6 . 0 0 CURE SPRAY PP MOTR 10.00 0. 0. 0 0.72095972E-09 0.0002 83
3 5 8 . 0 0 CORE SPRAY PP 10.00 0. 0. 0 0.72095972E-09 0.0002 84
3 9 2 . 0 0 CS PMP MOTR ON 5.00 0.13623914E-02 0.7667 41 0.16667031E-13 0.0000 172
3 9 4 . 0 0 CORE SPRAY PMP ON 5.00 0.13623914E-02 0.7667 42 0.16667081E-13 0.0000 173
3 9 6 . 0 0 CS PMP MJTR ON 5.00 0.13623914E-02 0.7667 43 0.16667031E-13 0.0000 174
3 9 8 . 0 0 CORE SPRAY PMP ON 5.00 0.13623914E-02 0.7667 44 0.16667081E-13 0.0000 175
4 0 0 . 0 0 CS MPM PMPR ON 5.00 0. 0. 0 0.16667081E-13 0.0000 176
4 0 2 . 0 0 CORE SPRAY PMP ON 5.00 0. 0. 0 0.16667081E-13 0.0000 177
4 0 4 . 0 0 CS PMP MOTR ON 5.00 0. 0. 0 0,16667081E-13 0.0000 178
4 U 6 . 0 0 CO<E SPRAY PMP ON 5.00 0. 0. 0 0.16667081E-13 0.0000 179
4 0 8 . 0 0 3 4 . 5 KV L I N E ON 10.00 0.27247829E-02 1.5335 30 0.77007144E-08 0.0026 71
^ 1 0 . 0 0 TRANSFORMER 8 ON 5.00 0.13623914E-02 0.7667 45 0.23454976E-08 0.0008 73
4 1 2 . 0 0 D I E S E L GEN ON 9.00 0.24523046E-02 1.3801 31 0.11152539E-07 0 . 0 0 37 67
4 1 4 . 0 0 3 4 5 KV G R I D ON 0.00 0.27247829E-06 0.0002 136 0.21195964E-15 0.0000 185
4 1 6 . 0 0 TKANSI-URMER 3 ON 9.00 0.24523046E-02 1.3801 32 0.11150631E-07 0.0037 68
2 2 . 0 0 PER LOCK DOOR 11 O.Ol 0.65394788E-05 0.0037 113 0.27684356E-10 0.0000 126
2 4 . 0 0 LOCK DOOR SEAL 1 1 0.01 0.65394738E-05 0.0037 114 0.12850369E-15 0.0000 186
2 6 . 0 0 LOCK DOOR SEAL 12 0.01 0.65394788E-05 0.0037 115 0.12850369E-15 0.0000 187
2 8 . 0 0 PE'^ LOCK DOOR 2 1 0.01 0.65394738E-05 0.0037 116 0.23425230E-10 0.0000 127
3 0 . 0 0 OOJR INTERLOCK 0.00 0.65394789E-06 0.0004 135 0.42591422E-12 0.0000 148
3 2 . 0 0 LUCK DOOR SEAL 2 1 0.01 0.65394788E-05 0.0037 117 0.11244076E-15 0.0000 188
3 4 . 0 0 LOCK DOOR SEAL 2 2 0.01 0.b5394788E-05 0.0037 118 0.11244076E-15 0.0000 189
1 3 4 . 0 0 SUCTION S T R A I N E R I 0.01 0.6539478aE-05 0.0037 119 0.11244015E-15 0.0000 190
1 3 6 . 0 0 SUCTION S T R A I N E R 2 0.01 0.65394788E-05 0.n037 120 0.11244015E-15 0.0000 191
1 3 8 . 0 0 SUCTIUN STRAINER 3 0.01 0.65394788E-05 0.0037 121 0.11244015E-15 0.0000 192
TOTAL S E R I A L U N R E L I A B I L I T Y 0 . 1 7 7 6 8 8 1 4 E 00
F I G U R E 3 . 16 ( c o n t i n u e d )
AUTOMATIC R E L I A B I L I T Y MATH MODEL PAGE 83

SUMMARY
CCMPGNEM CONTRIBUTIONS TO UNRELIABILITY
CUMPUNENI FAILURE SERIAL SERIAL SERIAL SYSTEM SYSTEM SYSTEM

ID NAME RATE*10*«& PROBABILITY PERCENT RANK PROBABILITY PERCENT RANK
144.00 SPRAY TEST VLV L>KR 1.00 0 . 6 5 3 9 4 7 8 9 E --03 0 . 3680 53 0.15256264E-05 0.5122 16
146.00 SPRAY TEST VLV 0.01 0 . 6 5 3 9 4 7 8 8 6 - -05 0 . 0037 112 0.28867524E-09 0.0001 100
148.JJ COMT COOL 1EXCHANGR 0.10 0 . 92642616fc- -04 0. 0521 75 0.23810471F-07 0.0080 61
150.JO B U S 5 - T 6 BKR 5.00 0 . 3 2 6 9 7 3 9 4 E - -02 1 . 8 402 23 0.27579226E-04 9.2601 3
152.00 TRANSFORMER 6 9.00 0 . 5 8 8 5 5 3 1 0 E --02 3. 3123 13 0.61363136E-04 20.6034 1
154.00 T 6 - J U S 2 A BKR 5.00 0 . 3 2 6 9 7 3 9 4 E --02 1 . 8402 24 0.27579226E-04 9.2601 4
216.00 M O V - 3 1 BKR 5.00 0. 0. 0 0.11915530E-04 4.0008 9
218.00 STOSY LOOP sue VLV 0.50 0. 0. 0 0.25475607E-06 0.0855 37
220.00 M U V - 3 2 BKR 5.00 0. 0. 0 0.11915530E-04 4.0008 10
222.00 STDBY LOOP D I S VLV 0.50 0. 0. 0 0.25475607E-06 0.0855 38
224.00 M O V - 2 2 BKR 1.00 0. 0. 0 0.87171913F-06 0.2927 19
226.00 S T J 3 Y LuOP I S O L V L V 0.01 0. 0. 0 0.16236259E-09 0.0001 104
228.00 S T V - 2 1 3KR 1.00 0. 0. 0 0.87171913E-06 0.2927 20
230.00 SPRAY TEST VLV 0.01 0. 0. 0 0.16236259E-09 O.OOOl 105
232.00 S w V - 2 BKR 1.00 0. 0. 0 0.87171913E-06 0.2927 21
234.00 SER WfR RTN VLV 0.01 0. 0. 0 0.16236259r-09 0.0001 106
236.00 CONT COUL 1EXCHANGR 0.10 0. 0. 0 0.13100754E-07 0.0044 65
238.00 B U S 6 - T 7 BKR 5.00 0. 0. 0 0.20146422E-04 6.7644 5
240.00 TRANSFORMER 7 9.00 0. 0. 0 0.45109661E-04 15.1461 2
242.JO T 7 - B U S 2 b BKR 5.00 0. 0. 0 0.20146422E-04 6.7644 6
244.00 STJBY AUTO STRT SW 0.10 0. 0. 0 0.11692726E-14 0.0000 181
246.00 MAN START :SW 0.10 0. 0. 0 0.11692726E-14 0.0000 182
248.00 CCPM BKR 5.00 0. 0. 0 0.15638201E-09 0.0001 107
250.00 LUAT CUOL 1?MP MUTR 10.00 0. 0. 0 0.49532018E-09 0.0002 91
252.00 CONT COOL 1PMP 10.00 0. 0. 0 0.49532018E-09 0.0002 92
254.00 CCPM BKR 5.00 0. 0. 0 0.15638201E-09 0.0001 108
256.00 CUNT COUL 1PMP MOTR 10.00 0. 0. 0 0.49532018E-09 0.0002 93
258.00 CUNT COOL 1PMP 10.00 0. 0. 0 0.49532018E-09 0.0002 94
260.00 SER WTR PP MTR BKR 5.00 0. 0. 0 0.15638201E-09 0.0001 109
FIGURE 3, 16 (continued)

SUMMARY

ID NAME RATE*10**6 PROBABILITY PERCENT RANK PROBABILITY PERCENT RANK
262.00 SER WTR PP MTR 10.00 0. 0. 0 0.49532018E-09 0.0002 95
264.00 SER WTR PP 10.00 0. 0. 0 0.49532018E-09 0.0002 96
266.00 SER WTR PP MTR BKR 5.00 0. 0. 0 0.15638201E-09 0.0001 110
268.00 SER WTR PP MTR 10.00 0. 0. 0 0.49532018E-09 0.0002 97
270.00 SER WTR PO 10.00 0. 0, 0 0.49532018E-09 0.0002 98
272.00 M O V - 2 3 BKR 1.00 0. 0. 0 0.21288046E-11 0.0000 147
274.00 DRYWELL SPRAY VLV 0.01 0. 0. 0 0.2350828dE-15 0.0000 184
27O.00 DRYWtLL SPRAY HDR 0.00 0. 0. 0 0.23586806E-17 0.0000 194
2 78.00 M O V - 2 4 BKR 5.00 0. 0. 0 0.10725236E-10 0.0000 144
280.00 SUP CHBR SPRAY VLV 0.01 0. 0. 0 0.87469176E-16 0.0000 193
232.00 SUP CHBR S P ^ Y HOR 0.00 0. 0. 0 0.87733366E-13 0.0000 195
284.00 T 8 - B U i 6 BKR 5.00 0. 0. 0 0. 0. 0
28{>.00 D G E N - B U S 6 BKR 5.00 0. 0. 0 0. 0. 0
288.00 T 3 - 8 J S 4 BKR 5.00 0. 0. 0 0. 0. 0
290.00 B U S 4 - 8 U S b BKR 5.00 0. 0. 0 0. 0. 0
360.00 LO'AX COOL PP MTRON 5.00 0 . 1 3 6 2 3 9 1 4 E --02 0 . 7667 33 0.33070159E-10 0.0000 116
362.00 CONT COOL PP ON 5.00 0 . 1 3 6 2 3 9 1 4 E - -02 0 . 7667 34 0.33070159E-10 0.0000 117
364.00 CONT COUL PP MTRON 5.00 0 . 1 3 6 2 3 9 1 4 E --02 0 . 7667 35 0.33070159E-10 0.0000 118
36a.00 CO.MT CUOL PP ON 5.00 0 . 1 3 6 2 3 9 1 4 E - -02 0 . 7667 36 0.33070159E-10 0.0000 119
363.JO SER WTR PP MTR ON 5.00 0 . 1 3 6 2 3 9 1 4 E --02 0 . 7667 37 0.33070159E-10 0.0000 120
370.00 S t R wTR PP ON 5.00 0 . 1 3 6 2 3 9 1 4 E - -02 0 . 7667 38 0.33070159E-10 0 . 0 0 00 121
372.00 SER WTR PP MTR ON 5.00 0 . 1 3 6 2 3 9 1 4 E - -02 0 . 7667 39 0.33070159E-10 0.0000 122
374.00 SER WIR PP ON 5.00 0 . 1 3 6 2 3 9 1 4 E --02 0 . 7667 40 0.33070159E-10 0 . 0 0 00 123
376.00 CCNT CUOL PP MTRON 5.00 0. 0. 0 0.14348443E-12 0 . 0 0 00 162
378.00 COMT COOL PP ON 5.00 0. 0. 0 0.14348443E-12 0.0000 163
380.00 COvIT COOL PP MTRON 5.00 0. 0. 0 0.14348443E-12 0.0000 164
382.00 CCMT COOL PP ON 5.00 0. 0. 0 0.14348443E-12 0.0000 165
384.00 SER WTR PP MTR UN 5.00 0. 0. 0 0.14348443E-12 0.0000 166
3a6.00 SER WTR PP ON 5.00 0. 0. 0 0.14348443E-12 0.0000 167
SUMMARY
COMPONENT CONTRIBUTIONS TO U N R E L I A B I L I T Y
C0MP0NEN1 FAILURE SERIAL SERIAL SERIAL SYSTEM SYSTEM SYSTEM

ID NAME RATE*10**6 PROBABILITY PERCENT RANK PROBABILITY PERCENT RANK
388.00 SER WTR PP MTR ON 5.00 0. 0. 0 0.14348443E-12 0.0000 168
390.00 SER WTR PP ON 5.00 0. 0. 0 0.14348443E-12 0.0000 169
306.JO MAN VLV SWITCH 2.00 0.13078953E-02 0.7 361 46 0.83322538E-08 0.0028 69
308.00 AUTO VLV S W I T C H 5.00 0.32697394E-02 1.8402 25 0.20830634E-07 0.0070 62
310.00 MAN PMP SWITCH 2,00 0.13078958E-02 0.7361 47 0.83322538E-08 0.0028 70
312.00 AUTO PMP SWITCH 5.00 0.32697394E-02 1.8402 26 0.20830634E-07 0,0070 63
314.00 CSPM BKR 5.00 0.32697394E-02 1.8402 27 0.16447568E-06 0.0552 43
316.00 CORE SPRAY PP MOTR 10.00 0.65394788E-02 3.6803 9 0.51646828E-06 0.1734 33
318.00 CORE SPRAY PP 10.00 0.65394788E-02 3.6803 10 0.51646828E-06 0.1734 34
320.00 CSPM 8KR 5.00 0.32697394E-02 1.8402 28 0.16440157E-06 0.0552 44
322.00 CORE SPRAY PP MOTR 10.00 0.65394788E-02 3.6803 11 0.51654239E-06 0.1734 31
324.00 CORE SPRAY PP 10.00 0.65394788E-02 3.6803 12 0.51654239E-06 0.1734 32
292.UO R E L I E F VLV 2.00 0.13078958E-02 0.7361 48 0.42944786E-05 1.4419 13
294.00 M O V - 1 0 BKR 5.00 0.32697394E-02 1.8402 29 0.17599574E-04 5.9093 8
296.00 SPRAY I N L E T V L V 0.50 0.32697394E-03 0.1840 69 0.39468931E-06 0.1325 36
298.00 M Q V - 1 1 BKR 1.00 0.65394789E-03 0.3680 54 0.U437097E-05 0.4512 18
300.00 SPRAY I N L E T V L V 0.10 0.65394788E-04 0.0368 84 0.19508176E-07 0.0066 64
302.00 MAN SWITCH 2.00 0.13078958E-02 0.7361 49 0.42944786E-05 1.4419 14
304.00 CORE SPRAY HDR 0.20 0.13078958E-03 0.0736 74 0.72798377E-07 0.0244 48
326.00 R E L I E F VLV 2.00 0. 0. 0 0^43573654E-05 1 . 4 6 30 11
328.00 M O V - 2 0 BKR 5.00 0. 0. 0 0.17825329E-04 5.9851 7
330.00 SPRAY I S O L VLV 0.50 0. 0. 0 0.40486960E-06 0.1359 35
332.00 M O V - 2 1 BKR 1.00 0. 0. 0 0.13687662E-05 0.4596 17
334.00 SPRAY I N L E T V L V 0.01 0. 0. 0 0.23039947E-09 0.0001 lOl
336.00 MAN VLV SWITCH 2.00 0. 0. 0 0.43573654E-05 1.4630 12
338.00 CORE SPRAY HOR 0.20 0. 0. 0 0.75731236E-07 0.0254 47
340.00 MAN VLV SWITCH 2.00 0. 0.. 0 0.11634555E-10 0,0000 142
342.00 AUTO VLV S W I T C H 5.00 0. 0. 0 0.29086388E-10 0,0000 124
344.00 MAN PMP SWITCH 2.00 0. 0. 0 0.11634555E-10 0.0000 143
AUTOMATIC RELIA B I L I T Y MATH MODEL PAGE 82
DRESDEN 3 PRIMARY CbNTAINMENT CASE 2 00000000, 1900 0000-00

SJMMAR Y
MPONENT FAILURE SERIAL SERIAL SERIAL SYSTFM SYSTEM SYSTEM

1 NAME RATE*I0**6 PROBABILITY PERCENT RANK PROBABILITY PERCENT RANK
1 6 2 . 0 0 CCPM BKR 5.00 0.i2697394E-0 2 1.8402 14 0.ia311600E-06 0.0615 39
1 6 4 . 0 0 CUNT COOL PMP MUTR 10.00 0.65394738E-0 2 3.6303 1 0.57527321E-06 0.1932 27
1 6 6 . 0 0 CONT COOL PN'P 10.00 0.65394738E-0 2 3.6803 2 0.57527821E-06 0.1932 28
1 6 d . J O CCPM BKR 5.00 0.32697394F-0 2 1.8402 15 0.18303352E-0b 0.0615 41
1 7 0 . 0 0 LL.HT CUOL PMP MOTR 10.00 0.65394738b-0 2 3.6RJ3 3 0.57536070E-06 0.1932 23
1 7 2 . 3 0 CONT COOL PMP 10.00 0.65394733E-0 2 3.6803 4 0.57536070E-06 0.1932 24
1 7 4 . O J SbR WTR PP KTR dKR 5.00 0.32697394E-0 2 1.84J2 16 0.13311600E-06 0.0615 40
1 7 6 . 0 0 S t R WTR PP MTR 10.00 0.65394738E-0 2 3.6303 5 0.57527821E-06 0.1932 29
1 7 8 . 0 0 S t R wTR PP 10.00 0.65394788E-0 2 3.68J3 6 0.57527821E-06 0.1932 30
1 8 0 . 0 0 S t R «iTR PP MTR BKR 5.00 0.32697394E-0 2 1.8402 17 0.18303352E-06 0.0615 42
1 3 2 . 0 0 SER WTR PP MTR 10.00 0.t)5394738t-0 2 i.6303 7 0.57536070E-06 0.1932 25
1 3 4 . 0 0 SER rtTK PP 10.00 0.6539't733E-J 2 3.6803 8 0.57536070E-06 0.1932 26
1 3 6 . 0 0 K O V - 1 1 BKR 1.00 0.65394739E-0 3 0.3630 51 0.25535184E-08 0.0009 72
1 8 3 . J O DKYrtELL SPRAY VLV 0.01 0.O5394738E-0 5 0.0037 109 0.23372733E-12 0.0000 149
1 9 0 . J O UR/WELL SPRAY HUR 0.00 0.65394789E-0 6 0.0004 133 0.23412137t-14 0.0000 180
1 9 2 . 0 0 M C V - i i : ; BK^ 5.00 0.32697394E-0 2 1.8402 13 0.12862219E-07 0.0043 66
1 9 4 . J O SUP CHBR SPRAY VLV 0.01 0.b5394738E-0 5 0.0037 no 0.11167793E-12 0 . 0 0 00 170
1 9 6 . 0 0 bUP CH3R SPRAY HDR 0.00 0.65394739E-0 6 0.0004 134 0.11208B60E-14 0.0000 183
1 9 8 . J O 3 4 . 5 KV L I N E 0.40 0.26157915C-0 3 0.1472 70 0.71942134E-11 0.0000 145
2 0 0 . 0 0 TKANStURMER 8 0.40 0.26157915C-0 3 0.1472 71 0.71942i34E-ll 0.0000 146
2 0 2 . 0 0 T t - d u S 5 6KR 5.00 0.32697394E-0 2 1.8402 19 0. 0. 0
2 0 4 . 0 0 U I E : > t L GfNiERATOR 0.40 0.26157915E-0 3 0.1472 72 0.14383437E-10 0.0000 140
2 0 6 . 0 0 0 G E N - b U S 5 BKR 5.00 0.32697394E-0 2 1.8402 20 0. 0. 0
2 0 8 . 0 0 3 4 b KV G k I D 0.00 0.26157915E-0 7 0.0000 137 0.215ol446E-13 0.0000 196
2 1 0 . 0 0 TRANSFORMER 3 0.40 0.2615791SE-0 3 0.1472 73 0.143B6279E-10 0.0000 141
2 1 2 . O J T 3 - 6 U S 3 BKR 5.00 0.32697394E-0 2 1.3402 21 0. 0. 0
2 1 4 . 0 0 b U S 3 - b U S 5 BKR 5.00 0.32697394E-0 2 1.8402 22 0. 0. 0
1 4 0 . 0 0 SFRV V.XR VLV BKR 1.00 0.t)5394789E-0 3 0.3630 52 0.15256264E-05 0.5122 15
1 4 2 . J O SFRV rtTK RTN VLV 0.01 0.65394783E-0 5 0.0037 111 0.28867524E-09 0.0001 99

5/66
i-t-WSfcl a i RCS REACTOR COOLANT SYSTEM
eves C H t M I C A L i VOLUME CONTROL SYSTtil
I N S I D E REACTOR O U T S I D E REACTOR
ACS A U X I L I A R Y COOLANT S Y S T E M
CONTAINMENT CONTAINMENT
*0S il/ASTE D I S P O S A L S Y S T E M
s SAFETY I N J E C T I O N A C T U A T I O N SIGNAi
D LOCAL D R A I N
DH D R A I N H E A D E R (<VDSI
V t N T TO A T M O S P H E R E
-W4-
-rt- —I
LOCKED OPEN
LOCKED CLOSED n
hit Ui 1
-M-
LOOP I
COLO LEG
(RCS)
•*•-
f i 1
I
I
S E A L E D C A P OVER
CONTROL SWITCH
t
«DS
t
LOCAL
'.II A
iP^—^-
I
.1.
r-C+Ct*! R E F U E L I N G i
TOIiAGc T A \ K
ATt
• - |
-•»- SAMPLE
-*-t;s5-~-1
3 I
LOOP 2 - - L 0
J
COLO LEG -
IRCSI
TTT ; 1
'LIA '
-I>K3- -U^
1 ^
LOOP 3
- M I M
1
f^-m—I ' I
C O L D LEG •
X NOTE I J L
1 VV^
CONDENSATE
IRCSI
RETURN
K>
I
-OW L/1-
LOOP 4
L 0 - ^ -
SAFETY
T^-^
INJECTION PUMPS
LuLAl
SAMPLE
COLO L E G ,
IRCSI 750 GPW cACI
REACTOR COOLANT AT 2 2 5 0 FT
REACTOR SHIELD
FILTER
(CVCSI
I - » ' i_M.1_ ^
X
j X . _ VOLUME CONIROJ.
C A V I T Y FILL
TANK ICVCS)
1-a-s
-, f
L C
I
I
LOOP 2
I 1*3 -{,'1 I
I
COLD LEG
IRCSI
«•--CT}—-L'V-
---1 -ii. -<'>- •7"
.J
iI REACTOR
COOLANT
I
A
FILTER •
f REGENERATIVE REFUELING WATER
LOOP 4 I J HlAT EXCHANGER »—— STORAGE TANK
--C4^3 Cl.->—t*j >--J (CVCSl
CHARGING
HOT LEG » - < + > — - i ' V — J ICVCSI
PUMPS ICVCS)
IRCSI
j CRINOTE 1
—Clj- •»- D+O—--

RcACTOR wos
VESSEL
HEAD
m—UO- I
IRCSI I
i
/ TR ;
I
REACTOR rr~ I
L 1+>- ["CtO—M-
VESSEL
HEAD
-u> r Lo —>-l L 0 T
IRCSI
T R E S I D U A L HEAT
I I ^ - ' L 0
r
j
NOTE I I
-I EXCHANGERS
IJ R E S I D U A L HEAT
I IS I
lACil LI..
I
RtWOVAL PUMPS
lACSI p-
I —th—I BORIC AGIO
RtACTOR
CONTAINMENT
SPRAY
'FICA; i A —1-1
I
I
I
I
I
puiips - " - - • C t t
ICVCSI
I—ct>- __XJ L 0 I L 0 ^ 1 _^_tô—I -*-

REACTOR COOLANT
LOOP 2 Uî L 0
L 0 V
FILTER A N D
DEMINERALIZERS
,J^4>(
¥ t ICVCSI r -
C O L D LEG -Cij CIO I
IRCSI I
r i I
PRESSURE REFUELING.
LOCKED
INTERLOCK - - CAVITY
CONTROL I
IRCSI
LOOP I 1^ I —C:4^3—•^—
PRIMARY
+ -'—- — - -MO-L-
HOT LEG
IRCSI
W3-
—wi--
LIA I
WATER - * - •
PURIFICATION
PUMP
I T"'CONTAINMENT[
I SUMP 1 T
1 I —
X I
I N S I D E REACTOR O U T S I D E REACTOR
CONTAINMENT CONTAINVIENT t D SK 298044 F
UO WK9TINOHOUSC ELICT1IIC CORmMA'nON

^ --^ 5 S'5 1" s l s " ^ ' III ATOMIC P O W n m v . rrTTSMHMM. nL. UMJL
CONNtCTICUT YANkEt PROJECT
'!' SAFETY INJECTION SYSTE\1
PROctSS FLOW DIAGRAM
5.*i^ •i''-yrf^ ill IR 293044-F
F I G U R E 3 . 17 3-111
P R O C E S S F L O W DIAGRAM - S A F E T Y I N J E C T I O N S Y S T E M
CONNECTICUT YANKEE
W-540-F-416 A
Residual Heat
Exckangers SW-MOV-5 P-37-1A
SW-MOV-6
h-" \-^ Q
W-540-F-416B
o
P-37-1B
P-37-1C
n—
E-4-1B o
. ^ l--r
SW-MOV-3 Li -,iJ P-37-1D
^ W-'^'vl
SW-MOV-4
Component Cooling
Heat E x c h a n g e r s
^r.
J
o
Service
Water
i I -i Pumps
-i-i
6000 gpm each
\ E-4-1A
River River
Water
FIGURE 3. 18 Water
SCHEMATIC FLOW DIAGRAM

RESIDUAL HEAT REMOVAL SECONDARY WATER SYSTEM
CONNECTICUT YANKEE
S.I. SAFETY INJECTION S.I. PUMP
S.S. STATION SERVICE P-15-IB
TRANS TRANSFORMER
CHARGE PUMP
P-18-IB
115 kv 115 kv/4160 V Bus 2 4160/480 V .^ Bus 4

Mi d d I e t o w n
LINE 772 S.S. TRANSFORMER 2 S.S. TRANS. 4
4160/480 V -». Bus 6

S.S. TRANS. 6
OJ
I
O BUS TIE
OJ jN.O. 2T3
Q
4160/480 V ^ Bus 5
S.S. TRANS. 5
MontviIle 115 kv 115 kv/4160 V Bus 3
Haddam LINE 12500 S. S. TRANSFORMER 3
4160/480 V _»» Bus 7
S.S. TRANS. 7
S.I. PUMP
P-15-1A
FIGURE 3.19
115 KV/4160 VOLT SCHEMATIC DIAGRAM CHARGE PUMP

FOR SAFETY INJECTION SYSTEM P-18-1A
I R E C I R C U L A T I O N FUN I
n F-I7-I I
S.«. PUMP
O N.O. BUS T I E HATER SUPPLY SAFETY INJECTION

4T5 ST-MOV-24 SI-M0V-B61C
O
R E C I R C U L t T I O N FtN CHARGE LIME SAFETY INJECTION
F-17-2 CL-yy-290 SI - M 0 V - 8 6 I D
EMERG. G E N . CHARGE LINE CORE DELUGE

EG-1« CL-VV-292 Cn-VY-8?IA
BUS 5-5
R.H. PUNP SAFETY INJECTION INJ RECIRCULATION

P-I4-U SI-M0V-86IA RH - M0y-B74
S.«. PUMP SAFETY INJECTION S E M I - V I T A L BUS

P-37-IB S I - M O V - 861 B FOR CONTROLS
BUS T I E
STB
)•••
_, R E C I R C U L t T I N G F«N SERVICE WATER C O N T A I N M E N T SUMP

I F-17-3 SM- M0« - 3 RH-MOV-22
EMERG. G E N . SERVICE WATER _{ CONTAINMENT SPRAY

EG-IB S « - MOV-4 I CS-MOV-23
BUS 5-6
R.H. PUMP SERVICE «ATER VOLUME CONTROL

P-14-IB SK-MOV-S BA-MOV-257
S.«. PUMP SERVICE HATER CHARGE SUCTION

P-37-1C SW-MOV-6 BA-MOV-373
BUS TIE R.H. SUCTION CORE DELUGE

N.O. 8T7 RH-MOV 21 C O - VV-B7IB
o /
RECIRCUIHTION FAN S E M I - V I T A L BUS
F-17-4 FOR CONTROLS
EMERG. GEM.
EG-IC
BUS 7
S.W. PUMP
P-37-1D
FIGURE 3.20
480 VOLT SCHEMATIC DIAGRAM

FOR SAFETY INJECTION SYSTEM
3-114
Loop 1 Refueling
Cold Leg Water
Storage
SI-CV-l Tank
P-15-1A
Loop 2
-u^
O
TK-4-1A
Cold Leg
SI -MOV
Loop 3 -861C SI -CV-2
Cold Leg P-15-1B ST-MOV-24
-U^
Loop 4
Cold Leg
O Safety Injection P u m p s
1750 gpm @ 1500 psig
CL-VV-290
CL-CV-l p.^g.iA
Loop 2 I ^ BA-MOV-257
Charge
O
Cold Leg U^ I /- "\ Volume
Control
Valve [^^J— ^t— Control
Tank
-EKl-
Loop 4 CL-CV-2
P-18-1B HXh
00
I
Hot Leg
CL-VV-292
-u^ BA-MOV-373
^^-^ Char ge P u m p s
RH-MOV-874 360 gpm @ 2300 psig
CD-VV-871A
Reactor
Vessel
Head
RH-MOV-21
Reactor -•-HX]
Vessel
Head
R e s i d u a l Heat
R e m o v a l Pximps
2250 gpm
RH-MOV-E2 @ 500 psig
F
Containment
Sump -x\
F I G U R E 3. 21
S C H E M A T I C DIAGRAM
leoor 8000
1400- 7000
St/0 1200 -^ 6000
2 1000 h ^5000
a.
VOLUME
OJ
to
>- 800k ^4000
I t/1
o
o o
o
<_J 600|- S3000
cc
o o
t—
I—
o <_>
•a: <c
400 - ^2000 -
TOP OF CORE
200 1000
BOTTOM OF CORE
X JL
200 400 600 800 1000 1200 1400 1600 1800
TIME AFTER RUPTURE, SECONDS
FIGURE 3.22
LOSS-OF-COOLANT INCIDENT
3 -INCH CHARGING LINE BREAK
Systenn Safety Injection Page,
Subsystem P r i m a r y Water
Assembly
Function Deliver borated water to reactor vessel for cooling reactor core following a loss-of-coolant accident
1 Likeli- B AxB
hood Remarks
Component Component Component Failure Cause{s) Effect on Safety Over-
(No / Effect on (Dependence on redundancy,
Sig- all
ID No Name Function{s) Mode(s) of Failure Subsystem System nifi- Innpor environmental factors,
10^
Hrs ) cance tance corrective actions)
TK-4-1A Refueling Water Water storage for Fail to hold a d e - Tank rupture, debris, 0 1 No water supply Complete system 1 0 1 Inspect interior of tank for
Storage Tank refueling and quate water supply low level, freeze failure corrosion and debris Periodi-
safety injection cally test level indicator and
heating unit
P-14-1A Residual Heat Supply water to Fail to start Contactors failed to 10 No water r e c i r c u - None unless both 1 10 l-out-of-2 redundancy Periodi-
and IB Removal Pump residual heat close, pumpjammed lation from con- pumps fail cally test pumps to exercise
(2) exchanger tainment sunap contactors and check bearing
lubrication
Fail to continue Motor failure, b e a r - 5 No water r e c i r c u - None unless both 1 5 Periodically test pumps to e x e r -
running ing seizure lation from, con- pumps fail cise contactors and check b e a r -
tainment sump ing lubrication
P-15-1A Safety Injection Supply water to Fail to start Contactors failed to 10 No water in safety None unless both 1 10 l-out~of-2 redundancy Periodi-
and IB Pump (2) safety injection close, pumpjammed injection loop pumps fail cally test pumps to exercise
loop contactors and check bearing
lubrication
Fail to continue Motor failure, b e a r - 5 No water in safety None unless both 1 5 Periodically test pumps to e x e r -
running ing seizure injection loop pumps fail cise contactors and check b e a r -
ing lubricat-ton
P-18-1A Charge Pump (2) Supply water to Fail to start Contactors failed to 10 No water m charge None unless both 1/6 1 5 l-out-of-2 redundancy P e r i o d i -
and IB charge line loop close pumpjamm,ed line loop pumps fail cally test punnps to exercise
contactors and check bearing
lubrication
Fail to continue Motor failure bear- 5 No water in charge None unless both 1/6 0 75 Periodically test pumps to e x e r -
running ing seizure line loop pumps fail cise contactors and check b e a r -
ing lubrication
ST-MOV- Refueling Water Allow flow to Fail to open Motor failure, valve 10 No water supply Complete system 1 10 Exercise valve to a s s u r e opera-
24 Supply Valve safety injection, binding Designed failure bility, provide redundant valve
charge, and to fail as-IS in parallel
residual heat
removal punnps
SI-MOV- Safety Injection Allow flow into Fail closed Normally closed 10 Loss of safety None unless 2 or 1 10 3-out-of-4 redundancy Exer-
B61A B, Isolation Valve reactor coolant injection more fail cise valve to a s s u r e operability
C and D (4) loop
FIGURE 3. 23
FAILURE MODE AND E F F E C T ANALYSES

System Safety Injection Pa^ge 2 of ^
Subsystem Prin:iary Water
Assembly
Function Deliver borated water to reactor vessel for cooling reactor core following a loss-of-coolant accident.
Likeli- B AxB
hood Remarks
Safety Over-
Component Component Component Failure Cause(s) Effect on Effect on (Dependence on redundancy,
(No / Sig- all
ID No Name Function(s) Mode(s) of Failure 10^ Subsystem System nifi- Imp or environmental factors,
BA-MOV- Volume Control Stop flow from Fail open Normally open, 10 Draw water from None unless 1/6 1.5 Exercise valve to a s s u r e
257 Valve volume control designed to f a i l a s - i s small volunne con- impossible to operability
tank. trol tank. close manually
BA-MOV- Charge Pump Allow flow to Fail closed Normally closed. 10 Loss of charge None unless 1/6 1.5 Exercise valve to a s s u r e
373 Suction Valve charge pump. line injection. impossible to operability.
close manually.
Charge Line Allow flow to Fail closed. Normally open. 5 Loss of charge None unless 1/6 1.0 Exercise valve to a s s u r e
Control Valve charge line. designed to fail open. line injection impossible to close operability.
manually.
CL-VV- Charge Line Allow flow into Fail closed Nornnaily closed. 10 Loss of charge None unless both 1/6 1.5 l-out-of-2 redundancy. E x e r -
290 and Isolation Valve reactor coolant designed to fa l i a s - I S . line injection valves fail. cise valve to a s s u r e operability.
292 (2) loop.
RH-MOV- Residual Heat Control flow to Fail open. Normally open. 10 Draw water from Deplete water 1/2 5 Exercise valve to a s s u r e
21 Rennoval Pump residual heat storage tank supply if not conn- operability, provide redundant
Suction Valve removal pump instead of contain- pletely closed valve in parallel
from water ment sump.
storage tank
RH-MOV- Containment Control flow to Fail closed. Normally closed 10 No recirculation Deplete water 1 10 Exercise valve to a s s u r e
22 Sump Valve residual heat of water. supply. operability, provide redundant
removal pump. valve in parallel.
RH-MOV- Safety Injection Control flow of Fail closed. Normally closed. 10 No recirculation Deplete water 1 10 Exercise valve to a s s u r e
374 Recirculation recirculation of water. supply. operability, provide redundant
Valve water valve m parallel.
Residual Heat Control flow of Fail to open. No signal, valve 10 No flow for core None unless low 1 10 Exercise valve to a s s u r e
Throttle residual heat failure deluge. p r e s s u r e safety operability, provide redundant
removal loop. injection required valve in parallel
Residual Heat Control flow to Fail to open. No signal, valve 10 No flow for core None unless low 1/2 5 Exercise valve to a s s u r e
Bypass Valve bypass residual failure. deluge p r e s s u r e safety operability
heat exchangers injection required

System Safety Injection Page
Subsystem P r i m a r y Water
As sembly
Function Deliver borated water to reactor vessel for cooling reactor core following a loss-of-coolant accident
Likeli- B AxB
Component Component Component Failure Cause(s) Effect on Effect on (Dependence on redundancy.
(No / Sig- all
ID No. Name Function(s) Mode(s) of Failure Subsystem System nifi- Impor environnnental factors,
10^
corrective actions)
Hrs ) cance tance
CD-VV- Core Deluge Supply water to Fail closed Normally closed 10 Loss of core None unless low 1 10 l-out-of-2 redundancy Exer-
871A and Isolation Valve reactor vessel head. deluge p r e s s u r e safety cise valve to a s s u r e operability
B (2) injection required
Safety Injection Stop backflow if Fail open Fail to seat 1 Loss of head p r e s - None unless one 1 1 Inspect valve to a s s u r e opera-
Pump Check pump fails properly sure for operating pump fails. bility.
Valve (2) pump (with other
pump failed)
Charge Pun^p Stop backflow if Fail open Fail to seat 1 Loss of head p r e s - None unless one 1/6 0 15 Inspect valve to a s s u r e opera-
Check Valve (2) punnp fails properly sure for operating pump fails. bility.
pump (with other
pump failed).
Residual Heat Stop backflow if Fail open Fail to seat 1 Loss of head p r e s - None unless one 1 1 Inspect valve to a s s u r e opera-
Pump Check pump fails. properly sure for operating pump fails. bility.
Valve (2) pump (with other
pump failed).
W-540-F- Residual Heat Cool recirculation Shell rupture Material failure 0. 3 No cooling of Loss of cooling 1 0 3 l-out-of-2 redundancy. Inspect
4 1 6 A and Exchanger (2) water. recirculation capability. shell plate for deterioration
B water
Tube leak. Corrosion. Loss of r e c i r c u l a - Radioactivity Test tubes periodically to a s s u r e
tion water to s e r - released to s e r - no leaks
vice water. vice water.

Subsystem Secondary Water
Assembly
Function Deliver service water to residual heat exchanger for cooling (primary) recirculating water
Likeli- B AxB
(No / Sig- all
ID No. Name Function(s) Mode(s) of Failure Subsystem System nifi- [mpor- environmental factors,
10^
tance
P-37-1A, Service Water Supply service Fail to continue Motor failure, Loss of cooling None unless all l-out-of-4 redundancy Periodi
B, C, and Pump (4) water to shell side running. bearings seizure. water. pumps fail. cally service pump and check
D of residual heat bearing lubrication
exchanger.
SW-MOV- Service Water Control flow to Fail open Normally open. Divert cooling None unless both 1/2 E x e r c i s e valve to a s s u r e o p e r a -
3 and 4 Valve (2) component cooling water. valves fail. bility
heat exchanger .
SW-MOV- Service Water Control flow to Fail closed Normally closed. Loss of cooling None unless both 10 l-out-of-2 redundancy Exer-
5 and 6 Valve (2) residual heat capability. valves fail. cise valve to a s s u r e operability.
exchanger.

System Safety Injection Page of
Subsystem P o w e r and Control
Assembly
Function P r o v i d e power and c o n t r o l to m e c h a n i c a l s y s t e m .
Likeli- B AxB
hood Remarks
Safety Over-
(No / Sig- all
ID No. Name Function(s) Mode(s) of F a i l u r e Subsystem System environmental f a c t o r s , i
nifi- Impor-
c o r r e c t i v e actions)
Hrs ) cance tance
772 and P o w e r Line P r o v i d e outside F a i l to continue L o s s of outside 0.1 Complete loss of None u n l e s s both 1 0.1 1 - out - of - 2 r e dundanc y.
12500 power s o u r c e . providing power. power s o u r c e . power and c o n t r o l . lines fail.
' 2 and 3 Station Service 115 KV/4160 volt. F a i l to supply L o s s of outside 5 Complete l o s s of None u n l e s s both 1 5 l - o u t - o f - 2 redundancy.
T r a n s f o r m e r (2) 4160 volt. power, t r a n s f o r m e r power and control. t r a n s f o r m e r s
failure. fail.
4, 5, 6, Station Service 4160/480 volt. F a i l to supply L o s s of 4160 volt. 5 L o s s of 480 volt None u n l e s s N o s . 5 1 5 Inspect p e r i o d i c a l l y .
i and 7 T r a n s f o r m e r (4) 480 volt. transformer failure. power and a l l con- and 6 fail.
trol.
1 2T3 Bus Tie Bus tie between F a i l to c l o s e . L o s s of automatic 2 P a r t i a l l o s s of None u n l e s s 1 2 Check automatic switching
4160 volt b u s e s . switching. 4160 volt (with Transfornner 2 or periodically.
Transformers 2 3 fails.
I or 3 failed).
4T5, 5T6 Bus Tie (3) Bus tie between F a i l to c l o s e . Switchgear F a i l u r e 2 P a r t i a l l o s s of None u n l e s s B u s e s 1 2 Check switchgear p e r i o d i c a l l y .
tv) and 6T7 480 volt b u s e s . 480 volt (with 5 and 6 a r e out of
Transformers 4 power.
5, 6, or 7 failed)
EG-IA, B Emergency P r o v i d e power if F a i l to s t a r t . Diesel engine or L o s s of 480 volt None u n l e s s m o r e 1 T e s t p e r i o d i c a l l y to a s s u r e ]
, and C G e n e r a t o r (3) outside power fails. starter motor fail- power. than OP" g e n e r a t o r operability.
u r e , lack of fuel. fails.
F a i l to continue Diesel engine or
running. generator failure,
lack of fuel.
Automatic Unblock automatic F a i l open. Relay f a i l u r e . 5 No initiation No safety injec- 1 5 T e s t periodically, provide
Permissive operation when signal. tion. failure i n d i c a t o r .
Switch r e a c t o r coolant
p r e s s u r e is above
1700 p s i g .
Manual Switch Allow m a n u a l F a i l to c l o s e . Contactor failed to 5 No initiation None u n l e s s a u t o - 1 5 Test p e r i o d i c a l l y .
actuation. close. signal. m a t i c operation
fails.
Premature opera- Operator e r r o r . None. None. Reactor shutdown.
tion.

Subsystem Power and Control
Assembly
Function Provide power and control to mechanical system.
Likeli- B AxB
hood Remarks
Component Failure Cause(s) Effect on Safety Over
Component Component (No / Effect on (Dependence on redundancy,
Function(s) Mode(s) Sig all
ID No Name of Failure Subsystem System environmental factors,
10^ nifi Impor-
tance
P S - 1 , 2, P r e s s u r e Switch Actuate safety Fail to trip Relay failure No initiation sig- None unless 2-out-of-3 redundancy,
and 3 (3) injection signal. nal. manual switch fails periodically.
Spurious t r i p . Relay failure. None unless two or
nnore level
switches trip
spuriously.
LS-1. 2, Level Switch (3) Actuate safety Fail to t r i p . Relay failure. No initiation sig- None unless 2-out-of-3 redundancy
and 3 injection signal nal. manual switch periodically
fails.
Spurious trip Relay failure None unless two
or m o r e p r e s s u r e
switches trip
spuriously.

(2)
115 (2) (4)
(1)
IDS 110 120 125 130
_L_
® — I TR-4-U — ST-IIOV-24 BA-KOV-373 CH.CONT.VALVE B«-tlOV-257 HH-IIOV-874 RH-MOV-21 H-IIOV-22 —(D
(5)
(2) (3) (3)(4) 160
(6)
UJ
45 50 161 163
I (3) (3)
135 140 CL-VV-290 CD-VV-B71A 1 I 1 SW-IIOV-3 ~ | 1 I 1 P-14-1A ~[ 1 | — I RH-CV-1/2
RH-CV-lT:
1
OJ
( D — THROTTLE V*LVE — BYPASS VALVE
CL-VV-292 —1 1— C0-VV-871B H
-
1 I
1 1 Sll-IIOV-4 [
U
1 I 1 P-14-1B I
- \ 162(6)
' '—I P-I4-1A P-14-ie
HOTE: (1) TYPICAL FUNCTION 1 . 0 . NO. FOR ARMM: REFER TO FIGURE 1 1 .

(2) FUNCTION HOT REQUIRED FOR CORE DELUGE ONLY ( i . e . WITHOUT SAFETY INJECTION)
(3) FUNCTION HOT REQUIRED FOR HIGH PRESSURE SAFETY INJECTION ( i . e . WITHOUT CORE DELUGE)
(4) FUNCTION NOT REQUIRED FOR LOW PRESSURE SAFETY INJECTION ( i . e . WITH CORE DELUGE)
(5) FUNCTION TO START

(6) FUNCTION TO CONTINUE RUNNING
(7) FUNCTION WITHOUT RECIRCULATION
FIGURE 3 . 2 4

SAFETY INJECTION SYSTEM
CONNECTICUT YANKEE
(7)
177
I—I 1 I - 5 4 0 - F - 4 1 6 A | — •
I—I W-540-F-416r|—'
170 <2)(5)
165 " > " > (2) ;,, (2)(6) (2)
166 ( ^ X " ) 173 175
— P-15-1A — I I SI-CV-1/2 I I P-18-1A — I I CL-CV-1/2 1 I W.540-F-4 SW-llOV-5
® -
—I P-15-IB I—I
M
I
187 ( ' ) ( 6 )
P-15-1A I 1 P-15-1B
[-
1 I 1 P-1B-1B |
W
1 I
11 7 2 ( 2 ) ( 6 )
P-18-1A P-18-1B —1 I 1 W - 5 4 0 - F - 4 16B SII-IIOV-6 Ch
OJ
I
h—'
4i-
195(2)
I— SI-I10V-861A SI-K0V-861B SI-M0V-B6IC
80 190
LINE 12500 TRANS. #3 SI-N0V-88lT~| 1 SI-IIOV-86Tc~| \ S l-NOV-BsTT
^D
LINE 772 TRANS. #2 TRANS. *2 LINE 12500 1 TRANS. # 3 I ' — SI-M0V-861A SI-II0V-86IC SI-II0V-86ID
-
H^ I-M0V-861A
H S1-M0V-861B S1-M0V-88ID
210 215
PRESS SW #1 PRESS SW #1 LEVEL SW #1 LEVEL SW #2
205
AUTO PERM SW PRESS SW #2 PRESS SW #3 LEVEL SW #2 LEVEL SW #3
tv
®- PRESS SW #1 PRESS SW #3 LEVEL SW #1
H
LEVEL SW #3
200 —<D
MANUAL SW

255 1 10 330
TRANS. #7 —1 6T7 5Tfi —_
280
260 265 282(6)
TRANS. #6 *•— TRANS. #6 — TRANS. #7 —1 TRANS. #5 —' P-37-1B —I
P-37-1C
325
6T7 P-37-1D
250
275
235 305 TRANS. #7 277(6)
TRANS. #6 —, 5T6 P-37-1B
(D-
C TRANS. #5 hC 240
TRANS. #5 TRANS. #6 320 P-37-1C
4T5
270
245 272(6)
TRANS. #4 P-37-1A
P-37-1B
220 300 315
TRANS. #5 4T5 5T6 P-37-1C
1— TRANS. #4
225
TRANS. #4 TRANS. #5 G 230
TRANS.
1 #6
Figure 3. 25
FIGURE 3, 24 (continued)
365 375
P-37-C
295
EG-IB EG-IB EG-IC
370 P-37-D
EG-IC EG-IA 6T7

P-37-1B
280
P-37-1C
P-37-1D
290
350 360 4T5 P-37-1A
EG-IA EG-IC 516

355 P-37-1C
275
EG-IB EG-IA EG-IB
P-37-1B
285
4T5 P-37-1A
FIGURE 3. 25

EMERGENCY POWER FOR CORE DELUGE SYSTEM
1 1^1
|38
It Si
5 10
11^ 15
II 1 20
1^15 ^
25 30 35 40 45 50 55 60 65 70 75 80
.1.1 ,4 1.4.4. A• , ,1 ,5i3 1,0 i ' ' 0 t.A..f.C .1 > f.A,F.C.7.Y. ,T.M..TE.C.7.I.*AI. ,-. .C.(^.HM V.AiN.tE.C. , J
J,l ,4 1A.4...4• , , 2 . ,^|3 l,(? 1 1 C.A./.C. .2. f.A.F.f.l.Y. .T.i4.J.F.C.T.I.*N. ,-. .<i.'t>.tl,n. . .V.A.N. If. F. F. . , ,10
l l l l i4 \,'\.l..A \- , ,2 r?l^ 10 1 1 CrA,J,F, . 3 . . . . .J,A.F.E.7.y. ,I.MJ.E.C,7.I .•.M. .-. .C.^.N.M . .V.AÎ.k.E.E. . , ,•,";
. 1 • f . . . . 1 . . • » 1 . . . . I . . . . t . . . . r . . . . I . . . . 1 , , ,
1 ' . 1
. 1 » I I • ' 1 • ' ' ' 1 • t , 1 1 , , , , 1 , , , . I , 1 , . ,
. 1
,4--.-,C,(J»J^,N.E.(.T.I.C.U.Ti , .Y.A.M,K.F.E,-.-,-.L.(^.J-..f, .*.F. .C.i.fLA.N.T. .I.M.Cl .D.E.N.T, . . . . . . . . . . . . . . . . . •1 • i ,?«

.4C./\.J.E, . 1 . . .
iJ.A.F.E.liY. .LfJ..l,E.C.7.l.<<'.M. .LM.1.7.1 .A.T.E.P. ,A .7. .7.H.C. .F.N.O. ,rf,F. .fN.F. ,M.{*.M. T.H. .J.f.'i.Ti . . ' . , / ,z,?
.4- rI,W7,E,llrV.A,L, . ih.l.G.H. iP.e.F.i J.U.t.E. .B.E.C.I .a.CiU.L.A.Ti .0>l. ,.f,TA.C:T.e.D. ,A.7, , t . ,M.l.(J.Ui7.e.i 1 , / ,10
•4 .A>l.P. .J.W.I.l.c.H.E.P. .7.*, .L.*.W ,P.e.F.JJ.U.R.e. .t.E.c.i .ll.C,U.L.A.7.l .0.N. .A7. .7.4. .M.I .lJ.a.7.E.i. . I 1 •/ M
A .A,F.7.E,(l.. .I>1.»7.I.A.TI.^.M.,, .^M.O. .Cflt.M.T.l .lO.O.F.P, .F.*.P. .2,4. .H.*.U.l2.J \ •/ ,4,0
.4C,A,J.g. , 2 . . . ..f.A,M,E, .A.J. .CALf.F. .i,.>E)(.C.6.P.7. .A.L.L, .C.a.l7.l .C.A.L. J.M.-.J~.E,E.l .PJ". .l/.A.L,J.e,/ 1 r/ ,4,J
. 4 . > 1 , , . . iAJ'J.U.M.I,M.6. . 1 . .*.07,'.*.F, .1 !tE.P,i;,l*iP,A,tt,C,| tE,J,., , , . , . , , . . , , , . , . 1\ 1 f1 .^.0
.4C,A,cf.E. . v . , .X,A,M,E, , A J , . C A L / . C . , 1 , , . ,E,X,C Erf ,7, ,7,Eii,l, ,LW.7,E.(L\<.A.L, .X,H,^.R,7,e,)J.e,p, ,7,0, iÂl.E, ,«/.e.E.k: ,f,5
1 1 1 1 t 1 1 1 1 1 1 r 1 1 1 1 t 1 1 I I t I 1 t 1 1 1 1 1 1 f 1 t 1 1 t 1 1 1 1 1 1 1 1 1 1 t 1 « 1 1 1 1 t 1 1 1 1 1 1 1 1 1 1
,y,
1 1 1 1 1 1 1 t 1 r 1 1 1 I 1 1 1 r 1 f 1 1 1 1 1 1 1 1 1 t I 1 1 1 1 » 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 I 1 1 1 1 1 1 f ) t 1 1 • 1
•f•
f 1 1 1 1 1 1 1 t r r 1 1 1 1 r 1 1 1 1 1 1 1 1 1 1 > 1 1 I 1 t 1 1 1 1 1 1 1 1 1 1 1 t 1 1 1 1 1 1 1 1 1 1 1 1 1 t t ( i t 1 1 1
•A•
1 1 t 1 1 1 t r
1 • • • > I • • • • > • • ' < t > ' • • I • > • • r . . . . 1
• A-
, / i \ .
,/ii
t t • 1 . t . . . . 1 . . . . 1
/' \
1
;i 1
r 1
1
1
1
1
1
1
I
f
1 t
1 1 1 ( 1 1 1 1 1 1 t 1 1 1 1 1 1 1 1 1 1
1
.
.
.
.
.
.
.
.
r
r
. .
. . .
1 .
.
1
1
.
.
.
.
.
.
.
.
1
r
t 1 . 1 I . . 1 1 t 1 1 1 1 1 1 • . 1 ^ If
/• 1
( 1 1 t t 1 I 1 1 1 1 1 I • ' 1 1 1 I ' ' }\
f t 1 1 1 1 1 1 r . . . . 1 . 1 . . 1 . , . . I 1
1 . . . . 1 . . . 1 1 . . . . 1
1 t I 1 t t r I 1 1 [ r 1 1 1 r 1 1 1 1 1 r 1 1 1 r 1 1 . . . . 1 1 . 1 . 1 . . . . r ^ , . 1 ,
l.zl 3 , 4 , 5 ) 6 , 7 , 8 , 9 , 10| 11,1 2 , 1 3 , U , 1 5(16,17,18,19,20(21 , 2 2 , 2 3 , 2 4 , 2 5 | 26,27 ,28j 29 J 0 l 3 l 32 33 3 4 55-56 37,38,39,40141,42,43,44,^5145 47, 48,49,50151, 52,53,54 ^55.% 57,sS.sgjeoLeiief^âif 4 S'-'U i / £8 6» "o|?172 73 t*il^.-^^l '8 p9 gC
FIGURE 3 . 2 6
ARMM INPUT LOADSHEETS - CASE 1

FuiOCTlOAl NAMC-
4
^11 % •3T i 5 CO 0-
5 10 2=; 30 35 40 45 50 55 50 ( 5 70 75 8C
,/ 1.0,J lAl.A7,eiR., ,JJ.^,(?.A6.F . , .1 , , iO . . • . .1.0 J
,/ ,i,iiO W.A.1,E,ll. .r,U,f,P.L,Y, . , , , , , 1 .1 , , id . .I.lfl
./ , i , i i J CH.A.e.CE, ,L,l,lO.E, , . . , , , , if? , . I.IJ
./ .1.1,0 J.W.F.E.l.Y, ,1,KJ,J, ,R.F.f,,l.a,C. , 1 ,1 . ,0 . \.l.C
,/ A,U H.t.^l.P, ,H,E,A,T, ,li,E,C,l,RC 1 , 1 1 1 iO .I.IJ
,/ ,\.T,,0 (,(^.N,TiA.I.N. ,.f,U,HP ,(?,F.C,l.e . , ,i , lO .1.1.0
J . l . l l J r,^,fZ.ei ,D,E.L,U,G,E, .L.I,M,C, , I , , , , ,fl • l.l.f
./ .1.4,0 R. .M. ih.K.C.H. ,e.y.P,A,s,i. , , 1 . . • ' .1 , ifl .1.4.0
,/ .1.4,J C,H,A,F,G,t, ,L,llî,e ,0,1,^7, , I . . i . , .1 , . ,0 1 t 1 .1.4.?
,/ , U , 0 Ci^.P.F, .O.F.U;,6,E ,0,1,^,7, , 1 , , '- 1 1 , l(? . Lr/)
./ . i . n r f.F.)2.y/,l,C,e y,A7.F.R. iD.l.O I • • ; . . .1 , l(? .IS J
j
,/ .1,1,0 R, ,H. ,P,U.KI', ,A,B. , - . ; I 1 / ^ . R : I 1 , 'i , |0 . \,ko
-
,/ AM\ 12., ,H, iP.U.KP, ,A.i5, .-.I?IU.N, . 1 , ,? . .B ,u,«
,/ X>[,{i li, ,H, iP,U,M.P. ,A.g. .-.?,a,M, , 1 . , , ,1 l,t,? ,!,t,l
,/-,l,(>,3 e, .H, iCM.l^.Ck, .yi.fl.U^îE, ,1,1 1 , , ,1 , ll I,(.,x ,l,<'.3
,/ ,1,U 1,K),J, iP.U.Hf, ,A,B, ,-,Xi7,A)l7 1 1 , (!. . , .1 . ,0 . . 1 . 1 ,l.t.r
,/ ,l,t,t 1,M,J, iP,U.M.p. .A.R, ,-.R,U,N. , 1 , A . ,0 ». .l,U
,/ ,i,l>n l.'vi.J, iP.U.KC, lA.B, ,-,/ZJU,M, , 1 1 |l 1 1 11 . ,1 I,l),% ,i,t7
./-,i.b,% 1.M.J, iC,H,t,c,iC, .\;.ft.i.\) ,E, , l,i 1 , ,1 . ,1 i,t,7 .!.(..«
,/ .l,TiO ^ H , .PiU.M.P, ,A,R. .-. .f J,A,R7 1 1 1 > , _l . ,0 1 • ,l.-?,n
1 .1.7.1
,/ , l , l i > C,H, ,PiU,M,P, ,AiS. .-. .E.iU,N. . 1 , i' . ,0
./ , l , l i l C,H, ,P,U.KP, ,A,B, ,-, .(f,U,M, , 1 1 , . ,1 1,7,^ MX
, / - , M i ^ C.H.A.CCF, ,C.IC, .\)A,L,\iiF, , \ , i - 1 1 1 , ll i,?,1- .17 3
,/ , l , l i i ^ .H, it,y,c,M, ,W,/,C,d^,L,l,M,& I I I ' !. , 1 ,1 , ,0 .171
1 .1.7.7
,/ ,1,1,7 e, ,H, iCj(,C,H. iW./,^,- ,Ci^,«5,L, 1 , A 1 l(?
, ' , l,?iiO P,(^,vJ,f.i\t, .'i.'i, 1 , , , . 1 , , , 1 , ,•! , lO . 1.4.0
,/ , l , f t i J F .(^.U), tlft-r , t , "}, 1 , , , , 1 , , , 1 , |l , ll ',1iC ,i,ft.r
1,2 3,4,5|0 7 1 B , 9 , , C | , , , I 2 , , 3 , , 4 , , 5 | , 6 , , 7 , i e , , 9 , ? 0 | ? l ,22,23,24 25|26,27,2 i 29,30|3,,32 33,34,35|36|37, 4 . , 4 2 . 4 , i' 45|.10j47|4 8|49,50|5I ,52153,54,55|56|57,58,59 eoje,,62.63.6465166*7 ,6 5 6 9 , 7 0 | 7 1 | 7 2 7
L^MV^ AiiO^ZSj7 7 ^ 8 .'.M
1
5
FU*)CTIOA1
10
NAMC
2=,
4\ 1 30 35 40
7?
k
45
•3:
50
V
55
i£
1 "^
60
i«5
oo
f55
*"
70
1
75 80
-\ f\P P,0,\A),E,(L .L.T.^. ,1 • 1 ,1 |1 , i,ft,!r . . . . 1 , , , I . 1 . I.IO
,l,îS J.A,F,E,7.Y, , I H J , ,0,I.S,T. A , 1 A ^0 , . . , 1 . . . 1 . . .
,1,0,0 MA.M,0,A,L, ..h^,ÂX\4i\ .1 . , .1 1^ , L 0 , ^ kt\.o Ai^.i.i^ . 1 , , 1 , to.d
.1,0,5 /\,U7,'^, .9^,P.G.(l,A.7,l,A'M, . ' , 1 , 1 ,i ,1 ,1,0,0 1 , . . 1 , , , I I . I 1 , , , ,io.d
,1.1,0 P,e,t,^,S,a,iL,C, iJ,e.M,5,(^,lL
iIihlT L,F.yy,F,L, ..r.e.i^,(.^,ii , , ,
A
A
, 1 ,1
, , X
ll
ll
,1,Q,0
.%0.0 , , , . 1 .
, , , , 1 . , ,
, , ,
1
t 1 .
' ' '
. , .
,tio|
.ii.d
.1,1*0 P,^,vl,E,IL ,4.5-, ,
A , 1 ,1 \\S ,^3,i- A. 1.4,0 Aii,4,j- Ai.7n
A,V,o A. 1,^.0 i^J.S /^.î^*,©
,\hS- A.l,4;0 A. 1 7 J- ,1.3,S A.l4.o| . i.i.,oj
. , 1
,1
^,W A. i^'&.o . 1 , .Z.t.l|
I'Z-iîS P.^.yAl,E,R.. , 4 5 , 1 , , , . , . , 1 ,1 ll .^.0.0 , . . , I . , , , , , . .i.i.sl
,l,SG P,.^,u/,e,iL. . / , . . . , , , , , . I ,1 1 1 .1 ,1 A.IS . . . , . , , 1 , , , , t t . t . 1 , , , ,1,3,0
,1,3 iS P.*.U.F,|l. .5.{,
. 1,4,0 P,<^,W,t,E., .J-.4. ,
, , A,1 , t ,1
. , . t
l"^
,1
.Z-LO
, ^ , 0 , ^
A.2,i,j- A, 1.3,0
, , ,
A. 1,7
, , .
.n • l.r.r
, , ,
A,^.(»,o A.LbJ A.Lft.O • 1 • ' .Us\
.1,4.0
' ' '
, lAu)' p,^,iAi,ei(t ,4 , , ,1 , 1 ,1 ,t ,].z.o 1 , , . 1 , , . 1 , 1 , ,^,4,/
,brio 9,(pM^\fL ,7, , 1 ,1 , , .1 ll ,3.1,^ 1 1 .
. t . , . , , , . . t 1 1 ' 1 1 . , 1 , , 2.Xo|
,^.T^ P,*,(/J,E,n, ,t.7
, 1 1 1 ( t 1 1 . . . 1 1 1 . .
1,
1 .
1
I
A , , ,) >1S .2,1,0 A. 1.1 J A, 1,3,0 A 1,7 .0 .!.-{,S A.L4D
A.1.4,0 A.L,7,J- , 1 3 , 1 A. 1*4.0 kis,o A,I,ft,o
A,l,4J A, 1 7 , 0
. 1 1 1 . .
,i,Jf
, 1 ,
,ij-.r|
.i.J-,t
, l , t i O P,*,U,E,tL. .(,.7. , ,1 . , ,1 ll .''.AD , , , , 1 , . , , , , , , 1 , .uol
,T.6,J- p,^,\^l,^»L. ,S, . 1 1 ,1 , 1 ,1 ll , 3 , 7 , 0 . 1 , ,
. 1 , , , , , 1 1 1 1 1 . . , , , ,^,6^
, ^ 7 i D J.F,R,V, ,U, ,f,U,M,p, .A.8,C. ,3 , , .1 1?) ,1,3.x- A. U . o A,i,vr,o ^,1|ft,0 .2.r,x A,i,li 0 A . U / A.i,?>.o , , , .1.1 .ol
.1,7 iJ .f,E,it,vl, ,W, ,P,u,V\.P. .B.c, , I'-i , . .1 lit .^^P A, 1,1,1 A.U,o A. 1,7.0 . U L P A, 1,4,0 A , I , 4 J A, 1 7 , 0 ,1,3,T ,7.7. 1
, , 1 . 1 r 1 . 1 1 1 1 1 1 • 1 1 . A, 1,4,0 A. i.X,o AlUP ,Ur,r ^ u ,0 A,i,b,r A, i,?>.o t t 1 , , , ,L7h
.I.îO vr,E(!-,\)i ,vl ,P,UM,P, ,B,cip, , , ,3 1 1 .1 1* ,%T^,0 ' \ . v , t j A,1,3,0 fi,in.o iMi^ A, U , o A,i.4,j- A, 1 7 0 ,Z?„o|
-,3.0iO P.f \/4e,g., ,4,T,5i , , , , , , , . .il , , ,1 ll ,1,1.x , . 1 , 1 , , , 1 ,?,o,o
' ' '
-,J,o^^ C,4>,UFitt-, ,J,'T;<> I , 1 , ,1 , I , 1 ll ,1,4,0 1 . . , , , , 1 , , , 1 , , 1
' ' '
.3.nj-
- , 3 , 1 , 0 p,<^,v4E,a., ,b,n;7i , , , , 1 , 1 , ,1 , , ,1 ll ,h^,o 1 , , , 1 , , , 1 , 1 , 1 1 , .3,i,o|
-,3,1 iT ?,</>,VJ.tiJZ. ,5,7,6, 1 , , t | , , ,1 ll ,-^3,0 1 , , , 1 , , , 1 , 1 , ,'?,'^
-,3,^10 Prf>,W,F.l, ,4,T,?i 1 , , l | , 1 ,1 ll , i,4,r 1 , , ' 1 1 , , 1 ,. I. 1. _., , i 1I v
' ' '
3,4,5|e 33,34 ,35|36 37,38,39.40 4 1 . 4 2 , 4 ^ 4
1 1,2 7,8, 9 , l O | l l , 1 2 , 1 3 , M , I 5 l l 6 , 1 7 , i e , l 9 , ? Q | ? I , 2 2 , 23,241251 26,27 ,281 2 9,30|3I,32 45|.'.o,47,48 4 9 , 5 0 | 5 1 , 5 S3.5dl4l5^ 57,58,59 |6oJ6,,62,63,6465166 f 7 ,68| 69,70|7lj72|7: ,74.75|76,7728^:aj<t|
•4: *•
^1
FuUCTIO/vI /V*«ff" ^ ^ 3
LTulH I 4
•3r
^
c
5 10 2b 30 • 35 40 45 50 55 60 (5 70 75 8C
- ] ^ ^ CAW.E.R. .yjj 1 , ,1 . 1 ,1 , . |1 1,1,0 , . , . Ms
-.3.).0 Pf.\A.^,U. .J.T.t. . . . 1 , ,1 . 1 ,1 . . ,1 2,(o,S . . . . .33 0
. . ,
1 '
-
*
1 1 1
1 1 'i , 1 ,
1 1 1 1 1 1
1 1 1
t 1 1
1 1 1
/ , 1. , . 1
7 , 0 , 9 , I&|l1,12,I3,l4,lt|ie,17,l8,?9,?0|?l ,22,23,24 J5|26,27,28 29,30|3I,32 33,3a,35|36 a t , a 2 , a3,4i aS|-u,d7,46 d9,50l5I ,52 53,54,551 56 57 58,59.60 6l,62f^3,6^^65|66,f7,63 f9,70|7l,72 7:j7J,75|76|77â.-<l?,
ll? 3,-1,^10 =Hi38,39^JO
FIGURE 3.Z6 (continued)

FC7/2A1 C
^? ^
4i 1 ^ 5c d §S3 iitr-oit
5 10 lb 20 ?S 1 30 35 40 45 50 55 60 65 70 75 8C
,-2 , , I ,SP,^ 5FT,*.n.A,6,G. .T.A.K1.1C . . 1 .0.. .1 1 .1 . .0 . . 1 . -T-O?
,-2 , . . .5.1,0 W,A.7.E.<L .S.O.P.r,LrY. .y/i^.l .\/.C . . AD...n 1 .1 . .0 1 . . , . .5"i.n
..2 . , 1 S,\S C,H.A,IL&.e. .^.O.CT. .\/,A,L,»/,t. . . 1 .1.. .r ! .1 . .z s.\s
,2 , , . .S.1.0 C,HA.(l.C,t. .C.dM.T.a. .^/A.L,\/,F , . r , . . . . .1.. 0 1 .1 , ,f . . 1 . .5.1.0
.2 . , . ,S.l^ U,(^,L,U,ME, X,^î^T,lL ,v/.4,\.(J,G , . . . 1.. 5 1 ,1 , ,9 . . . . ..CU
,2 . . . , 5 , ^ 0 .r. .Xt4,J. ,B.G,c.|.(L,c. .^;./^.L,J,E . . . I.O.. D 1 it . .0 . . I . .X.l.f
,-? 1 t 1 ,1,1 s R.E. .H.E.^7. ./.J.crr, ,v,A.L,o,e . , . S...D 1 ,1 , 0 . . . . .J.3/
,2 r^.o c,*,M.T.A.i.N. .j.o.Mp. .\l.A,L,g,e . . .1.0...O . .1 . .0 . . . . .J".4.0
,2 . , I JAS iLi ,H. TT•^t'«-'>.^.^. I'C. .\/.A.L,\/.E . . .l.n...o 1 .1 1 ,0 . . . . J!4-.r
i^ , . 1 v f . r o di ,H. ,K,ViP,AS,<, .V,A.L,\/,fi . , , . .X..0 1 . 1 , ,9 , . r 1 S,S,1
,2 , , 1 , r , r . r C,H.A.R.f..e, .V.A.v..y/C. .W.O, . . . . .1.. J t . 1 . .0 . . . .• . . . . ..f.rj
,-? r.Ljo c,H,A.D.r..t. . U . L , \ l . e , .V'^.^r . . . . .I...r 1 .1 1 ,(? . . 1 . ./;(».o
,2 r 1 I iSî^J t?iE,L.U,6,F. ,\/,A,L,\/.e. .A, , I , . . .1.O...0 1 ,1 . ,P x.tj
,2 , r 1 ,S',l0 piF,L,0.r„Pr .U,A.L.JrP, ,R i , . . .1.O...0 1 il . .0 . . . . .vT.l.^
,2 , , 1 .vTjJT i i P . M , .vi »/,AL.ÎF. .3, , , , r.>D 1 .1 . .0 , . . . ..pi.r
,2 . , 1 -r.fto •FiEli-.v;, ,W. V A . L . i l i E , .4, . 1 . . . I s,.,o 1 il . n . . . . X8a
,z 1 1 1 i.r.Aij C. ,U ,P,\JiM,f,i ,A. .-, ,j;,7,AilL7 . . .l,0,..fl 1 ,i . ,0 . . . . .T.8J
,2 ,r,%pX,.,o,i Hi ,u, ,p,oitA,p, ,A, I-, .e.awi • . . r ..r..o 1 I?- . .0 . .5A.r...0.(
,2 . . I ,T(\ n e.1 ,H, ,P,UiM,p, ,8, I-, ,J,T,ftiR.,l . . ,\.Q...O 1 il . .0 . . . . .JSO
,z •J-,1iO,.,0,l Ri ,H, ,P,0,>^P, ,B, . - . .Lv/.H. , . . . J".. .0 • . .r,'i.o...t>.
, • I , , 1 .; . .0
,z , , 1 .lA.i ei ,H. -t.HrE.L.k. .\/iA,L,\),6, i l . r . . 1 .\,..o 1 il 1 ,0 . . . ...Xf\x
,2 . . 1 liM,Ji ,P.UiM,P, ,A. r , ,571,^10.1
.TAS , , .1.0...0 t ,1 , rP . . I . .J.'lx
,2. .r,'\^...o,\ I1M.J, ,P,U.M.P, .A, I-, . t y . M i , 1 1 1 .sT.iO r , 1 , ,0 . .J-.1.r...0J
. . 1 . U o o L U . J . .P.OiM.p, ,B, r , .^.T.AIUTT . . il.O.v.O 1 .1 . .r K.0.0
,^ ,b,0.0,.,0.« L,M.J", ,p,UiMP, ,R. 1-, ,R.v).Mi , t , 1 |J".V . 0 1a , ,0 . .(,.0.0...0.1
,2 , , . ,b.n l^^,T, ,cii,e,c,it, ,\),A,L,(/,e, , i , t . . . .i...n 1 .1 . lO . . . . .fc.O.l
_,£ , , 1 ,b,0,J CiH,R, ,P,u,MP, ,A, r , ,S,T,Ailirr 1 1p . . . i,.,j 1 ll .0 • . 1 . .(>.6J
i^- 3,',5|6,7,8,9 IO|n,12,13,14,15|l6,17,18,l9j?0|2l t3.1$-li^lS2<»t. It 2>30|11,32 3 3,34,35|36,37,3)3,39 40|41,42,i 5M'-5rl»ar«<il*» tol53 6*#5-<66t60,69,70|7,.72|7

u vt a FO/2AI C
i
CoMPoi^^f^T NAME ? if ^.! ^ AiZ^M
5 ti HI 4
4t 4 ^
5 10 \b 20 ?S 30 35 40 45 50 55 60 65 70 75 8C
,^ ,b.o,r,.,n.i C,H,R, ,9,U,H.P. .A, ,-, X^H, . . . ,0.,."?.I 1 i"!- , ,P . .h,0.3^..().\
i2 , . . L i . o CrH,e, , P , 0 , M , P , , B , 1 - , irfAfLTT . , . .1...5 . ,1 1 ,0 . . . . ,().| 0
,2. t , 1,0, .,0,1C,H,t, ,P,0,H,P, ,B, ,-, ?.^ VJi . , . ,o,.,i,r 1 1 ^ 1 lO . .6.1.0., .0.1
,2 , , > ,(>,i ,1C,H,2, ,C,H,k, ,V,A,i.r\i,C ,\ 2i , . , ,0...i.f 1> l , ,0 , . 1 . .6.1.1
,z , , , , t , i , j li, ,M, ,e,jt,c,H, ,A, , , , . . ,i?,,,j I ,""- . ,1 , . . . ,6,1 J
,2 , , 1 .^.l.O e, ,H, ,F,)^,c,H, ,e, , , , , • ,0,.,3 1 ,t , ,1 . . . . .t.lD
,^ , , , ,(.,l.J- j.E,)t.\), ,w, ,v,fl,L,\;,e, S| t r 1 1 , , .l.0..,0 1 .1 , if) . , 1. .Lis
,2 , 1 ,(.,V0 f,g,n-,j, ,\AJ, ,\/,A,L\),f. (,, . , ,l.o..,o 1 .1 ,,(; f..3 0
,2 , , , t , ] , X L.i,M,E, , i n , i , , , , . , . . .0.. J I .? , ,1 i\s
r2 , 1 ,t,4,o Lii,w,e, , i i i , j , o , o , 1 , , , , .0,.,l 1 i'^ ,," , . , , ,l,.4-,0
,2 , , .t,4x T,)L,A,Ki,s,f,sr,a-,Me,n, ,1 . . 1 .JT.D 1 1^ , ,0 , . . , .(f,4.r
,2 , . ,(.,J« Tll^/^,M,«,h(i,lL,Âe,(Ll ,? , , 1 .S-.-S) 1 ,1 1 ,0 . . , . .iJ-.O
,2 , . ,ksj I5|U,S, ,7,1 lE, ,'!-,7,3, , , . 1 ,1..0 . iD . . 1 . .LS.J
,2 1 , ,t,(-,o IiM.T, ,\/,AiL,UE, ,Ai , , , .l,0...O 1 ,V , . , , ,b.6P
,2 , . , t , 6 j 1»0X, ,V,At,vy,e, ,Bi , , , , U,.,n , ,(? , , 1. , U J
,2 , , ,4,1,0 XiN,3-, ,\/,AiL,>»,E, ,Q , r 1 1 1 1 1 , , 1 |,n,.,f) 1 ,0 , , , , ,b1n
,2 , 1,M,T, ,M,Ail,\;,E, ,D, ,
1 ,in,j- 1 t 1 1 , , 1 1,0,.,( , ,0 (>.l/
,2 , , ,b,^,o M,fl,«)),A,L, ,J,W,I,1,C,H , , 1 ,-r;,,0 1 ,0 3, , , . h,^b
,2
,2
, 1 ,t,%,r A,0,T,^, ,PiE,lL,M,|,4rS,\
, . ,t,'^,o Pi(i,E,j,r,Ui(Ve, ,^,vii ,1
u <Sui ,
,
, 1 iS", ,,D
, 11KT, . ,0
1 if?
, <(7 , . . , ,U.t>
(•vU
,2 , 1 ,b,'<jP,<L,t,s,s,u,a,e, ,J,\A* ,1 . , . \s,..o 1 ,0 , b.qj

,2 , 1 , T , 0 , 0 PiR,E,^,<,Oiat, ,<Ji ,3 1 1 r , , il,X,.,0 , ,0 , . . , . .10,0
_i2_ , 1 ,7,o.r lit,\/,e,L, iS,u ,/, 1 , , , 1 i.r,. .0 , p . . , . .i.or
,2 , 1 ,1,10LiE.y.ei, ^,\A ,1,1 , , , 11 J - , . , 0 1 If) . . . . .1.10
,2 , 1 .IAS L,e,v,e,L, I<;,VAI ,-3, i , 1 ( 1 , , >i.r...o , ,0 . . . . .TIT
,2 , 1 , 1 , 1 * 0 l.rLfl,w,s,Fi/f,»rME,i2:i ,4 . . . .S.^ ,0 1 ,? , ,f? , , 1 , 4, . 1 , l.U}
• ^ , , ,1,1, J1IIL,A,M,S,FI^,ZM,E,RI ,5 1 ' 1 1 f . 1 „r 1 lO
. 1 J " , . ,0 , , 1 , , , 1. 1 1-^S
1,2 J j 4 , 5 1 6 , 7 , 8 , 9_ 1 0 | 1 1 , 1 2 , 1 3 , M , I 5 | 1 6 , 1 7 , I 8 , 1 9 , ? 0 | 2 I
^^^,r^f*hff•tes^.4ad ^•^'srlsiariJlutA
XJ.t3-»lS2l.nig 2 J 3 0 | 3 1 , 3 Z 3 ^ 3/I,35|36,37,3( ,39 40|41,42, A 3 6^tstnnk,nMujAi

1ÎII
FC>/2M C
J i i
f 1
1 ^ ^ ^
CoMPoNe*^r Nf^MB
^1
^ <
4t 11 §5 c it
^
§
1 -J Ik
-
5 10 tb 20 2=; 30 35 40 45 50 55 60 65 70 75 8C
/ , , . ,1,?£) ^^^h^ J,F,#>.a.M.E,ft, f>, , , I . J"., 0 I J , ,0 . . 1 . . . . , , . . .1,3 P

,2 , , . . l . ) , I Tfc.A.Ki t , F . < ^ i i h e , m 7, , -S',-0 3 0 73/
1 ,7,4,0 h^ 5, 7,I,E, ,4,7J-, t,.,o 1 Q 74,c
,2 , ,1,4, J 3,u ^^ 1,I,E, ,J-,TC, i, 0 3 0 lA-f
.2 1 , l , r , o B[U s, 7 i f c , ,(>,T,7, ^' 0 ^ Q 1X,(
,2 , , 7 J J [i^F Piv ,\^),A,i,E,e. .p ^;,M,P lA 1 .r,- 0 1 Q 4, IrT.-J
,2 , ,-|,l,.o - ' l ^ K,W ,W,A,1,E,R, .Pu,M,P |g 5",. 0 3 0 1 i l,t,0
,2 . .i.is JiF B,U ,W.A,7,E,B., ,PJU>A.P |C S",. 0 ) Q t . l.f^nf
,2 1 , 1 , 1 , 0 ;F U ,V1,A,T,E,L ,P,U,KP il> ?,, 0 1 Q 77,0
,2 1 1 t r 1 1 r r
,2 ,
,2 1
,2 1 t t 1 , f
,2 f
,2 l i l t 1 r
,2 1 1 1 1 1 1 1 ' '
,2 , 1
,2 1
,2 1
,2 1 1 1 1 1
,2 1
,2 1 1 1 1 I 1 .,
_ , J f 1 1 J
l i l t 1 1 1 L»J > 1 J
,2 1 .-J
,2 1 , .,.,. L-J
, , , , , , 1 1 • I 1 1 1 J _I • »— 1-^
3 , 4 , 5 | 6 , 7 , 8 , 9 Hlh i M i ,4,l5|,6,l7,,a,19,?fi|2l S £ < 9 2 f 2fA^ _?; t t P_a-LU.32 33
k3«& liM* ^£L & ti^^ ^^ f&s^m^ 52,53, 54 ^^'^sr s^& 6#^3 64^^67 77
FoUn p
1M *4
-s
t i, 1 ^ 4 1 J £ 5 1^
<
LO S k r
5 10 15 20 :5 30 35 40 45 50 55 60
—
65 70 75
-.1.1,0 - l ^ . ^ i f . , , . . .vTlfe
l-.j-.i.r . . . . .r.i.
p.l.^J . , 1 . . . . .6,1 JL\
Kt>.3,0 . . . . .^,^-.
-•^.'^rr , , > . .6,3.4
\~ .^ ,J",o 6.4.,
I I I
t i l
f f 1
1
I f f
I I I _j X j-
I I I
,
I I I t I 1 f r r r
• • 1 • • I •
l i t
• , , ! , , , ,
, I ,
l i l t t 1 t
1 1 1
\ ' ' 1
I I I 1 , , 1
1 ' ?-i-3j_l 5 1 6 , 7 , 8 9, Kl|ll|l? M j M j I ' p Q 17,16,19,20 21 ,22,23,24 25|26,27,2a 29,10131,32 33,34,35|36 37 38,39,40 4I|42,43,4 45|')6,47,48 49,S0|51,S 53i54,Sj|^';8 57,S8,S9,6o|6l,62^3,64 65h6p|68 f9j70j[71|72 7-^74j7«[-c,77^!l,7<»a
FuUCTlOM FU.UCT-IO/O Pu.»JCT-«0»-» Puwcrtoo fuKscnot-^ FlcMCTlOO
SuPPoerrp Su.rpocrfD SuPPoomo SuPPoareo Su ppoaret Suppt>aTWo SurpoatKc .S'uPPoe-rvD
| e J^^
^CR
i^ ^ ^ ^ 1 e (l.
^ ^ ^ ^ ^ ^ ^ ^ ^ J
5 10 15 20 25 30 35 40 45 50 55 1 s. 1 65" 70 75 »-
i.(?.,r J 1 1 - rnt
1.1.0 , , . . . . . . . X.) .1
1,1 ^^ 1 1 5:i.7
l.i,r '• .f.iz

i,i,r ' ' .5-.l,b
1,1,0 .... .J.?.!
i,?.,r r.jA
1.7 ,f) ' 1 ,r.4..i
l.3,X ' 1 f.4.1.
1,4,0 S'.r.t
l,4,J" .^.s^.c
»,4,i 1 I . . . . . . .5,6.1
i,r,o . . . . . . .s-.t.t
i.r.o > 1 ll i 1 . . , , . , S.T.i
i,'^,^ 1 1 . . . . . . .5:7.t
l,,^5 1 1 5.6,1
1,6,0 1 t . , , . . . .S.i,t,
l,b,l l,t,L , , ,1 , ,, . . . .J-,ft.6...0!,
l,W,o . , •, X.^J.I
l,m l,t,l , , ,1 . . . .r,'^.i...o,t
l,l»,^ I T . , , . . . J-.q,5
1,1, ,r ...... ,J:^.6
l,^t l,t,l , , ,1 , ,, , . . .sr,'i.b,..o.i
liLr 1 1 h.A.I
i,t,b l,t,l , , ,1 , 1 , 1 , 1 1 1 . j - j _ ...1.. 1 _ , . . .b,o.l,. ai
l,b.* . . . . . . .(..0.5
in,o 1 1 , ,, t.o,(.
I:.,2,3,4,516,7 a 1 9_jK 1,12,13,14 15|l6,17 ^2?!^' '•" ?^j23,24 25|26j?7|JJ 2<?, «J3J^ 32,33,34,35 36,37,38 39,40|41,42 43,44,4,- -16,47 48,49 gJS, 52 53,54,S5| 56 57.58.59 60|61|6?,63 64|65|66 B7 ,68,69,7o|7t,72.7171,75|76.77.78 }<> ?'
FUMCT.OJO Fuuc-rion Fuiocrio<J FitloCT-tOAJ Puwcrioo FuKJCTVOtO 1 fuiaCTlO*3
1 SuPPoerro Su-PpoercD Su^'PoDTCO SaPPonreD 1 SUPPORTED 1 SuepoavFo 1 SuPPoarec 1 s-uPPotTdD 1 .S'uPPoe-reo 1 Su^VoftTfD.
b
1
« l . ft
pi ^
10
0.
5
15
^ k
20
^
25 1 30
^ L -^
3 5|
^
,
40
^
1
^
45
^
u
50
Hd i h°
55 1 Ol^ 1 6?
^
70| 75 "'
1.1,1 l.-».i 1. _ ! 1 J _1_> . , , . .Lok.o\
1.7,0 1 1
, . . . .(y.\ 1
1,7,1 1,1,1 1 1 , I .6.I.I...0.1

M,3 1 ,
, , . 1 . .6.11,1
i7,r 1,1,1 > r , I . . . .fc.ll
\,1,^ '.••.I I , , . .U.t
'7^^ ! 1 I 1 , . , . .b.U
in,/ 1 I 1 , , , , ,L3.I
l,'?),0 *,•?),/ ) 1 , . . , .l.-Jll
liftiP I,W 1 1 , , 1 ,6,4,l[
1,^,0 i,ft«r 1 . , . , . .6.4.d
»,%," l,U 1 1 1 . . , .bX.l
i.<^.o , , . . . .L.rt
* .
1,'^/ [ , . . . .b.b.l|
1,*^/ , , 1 , . . .Lhh\
\fif 1 , . 1. .Lii
i,^„r 1 , . , . .6.1 i.
ko,o 1 , . . . ,4.«,l|
|l,o,.f 1 , . , . .b.%.t|
1.1 ,0 1 , . . , .t.^.i
k-,1,0 1 , kfS.i>
ki.c 1 , . . . .1.0,1
K,i „r [ , 1 . . . .Loi
ki,i 1 , . . . .1.1.f
kiii.ir i , 1 f L . l 1 . . . ,ll,L
ii+,r ,
k,iD 1,1 X _J 1 ,1 1 1 1 . I . .1.X.I
k-»-,o 111/ , (1 ,¥/ i) 1,4,0 ,1 Ib^r 1 I A 1 1 r 1 r , 1 . , . . . .Tit

L>,J,3,4,5|6,7 6,9,,r U12,13,14 15116J7 ie,i9 ?'!zi 2^2^24 iMSif ,ZI I ' l «l3_ 32,33.34,3 m^ 38 39, ôM'."l-ai" 4'" A6 47
'hi. bo]51 52 53*5^ 55|S6 57,ai^59 60|6 1,62,6 |6 4|65|66 B7 68.69,70P.,72,717 4,75176.7778:7a.,'

FuUCTlOM FiAMCT-lOAi fuuCrtOfJ PuMC7"tO<0 FuwcTiopo TLÎOCTIOW FuiocTiots
SuPPoerro SuPPooreo SuPPoereo Su ppoares .Su ppoaTSo C SuPôiTeo Su PpoA-reD SuPPotXSD
(l. t
|e ^ 5 ^ k ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ *"
5 10 15 20 25 30 35 40 45 50 55 O'v 65" 70 75 °
M/? ws . , .1 1,4,0 1 1 ll i,r.J j^_.l 1,6,0 ll 1 1 1 . , . . . . . . M\
lifiO ^fj , , ,1 tfbiO , , ,1 . . . . . . .l.U
),o,o U P , , ,1 1 , 1 , 14.,l
3,0,/ 3, I.r , , ,1 3|3iO , , ,1 . , , . . . .l.i^k
3,1,0 J,v , , ,1 1 , ' 1 I , ,?.r.i
t,7,o t I r , . , . . • .l.jr.f,
Mo ^.•>.r , . ,1^ ^ , 0 , , ll 7.6,1
M,o Trl/ , , ,1 1,^0 , . ,1 I.tjb
U,o 1 , 1.7.;
1 ,
1 1 . ,
1 ,
1 t 1 ,
1 ,
, ,
t ,
1 1 1 ,
r ,
1 ,
1 , . , , . . , , , ,
1 I , , , , , , , , ,
r , , , 1 1 1 t t 1 1 1 1 1 t 1
1 ,
1 , , 1 1 , ^, 1 I 1 t 1 1 t 1
1 ,
, 1 1 T 1 1
25126^77,18 10, "-'la. 32 i^ .3''.3S 36,37^36 40|4I,4 2 4144,4^ 45,47 4 8 ^ | g ) j 5 l y

tl,2,3,4,5|6,7 8^9^K, 1,12,,3,14 I5|16,I7 28,29,>' !/i
'I^V^ ^ l i 54,55|56 57,58,59 60|61,6?,63 64|65|66^7 ,68,69,70171,72,7:^74|75|76|77|78 .-i -'
.5 ,1
5 10
0,. ,0
X 15 20 25 30 35 40
1 Hi
Li
^
45
. ,1
1 I
6
a
I.F.fT
I
• 1
5
H
+
I
- l . b i l - I.b.t - 1.6,7
l.t-i
60
H > h
65
1
<^ X
0
0.
75
,&, 1 o
80
,3 .1 1 . . .7.2.0..,0 1.1 - l.'.S" - 1.3.9- I 4 i 5 •- I.5-.0 l.&.c ,ft.t.O

,3 ,3 , . , ,1,1.0,.,1 .5 ^ 1,2,5 - 1,'i.O- i.4i(?-- 1.7,5 —l,Q,Q .fiD
.3 ,4 , . . .1,1.0...4 ,1 - 1,1,0 - '(^. P U.o
\,3 . , . .1.4,4,.,4 ,ft,50
,3 .2 . . . .l,b.e»..,o i\.ijD
,3 .3 . . . .i.t.%...i '\.Z.O
,3 ,4. . . , .l.b.6...4 4.3,0
Ir^ 1 , . .1.1.1..,4 14,0
i^ 1 1 f 1 1 1 1 t 1 I 1 t 1
,3 1 , , . . 1 , .
,^ 1 > , < , 1 , ,
,3 1 , . . , 1 , ,
,3 1 , , , , , , • ' " 1
.3 . , , , , , , , 1 •
,* 1 , 1 , , 1 , ,
,3 1 , , , , 1 . . , 1 > > ' 1 1 ' 1 ' « '

.3
,3 1 1 , , , 1 1 ,
4 1 , , , , 1 , , 1 >
,3 ,
.3 _ i _ 1 , , 1 , 1 , , , . . 1
1,2 3, 4 5 | 6 , 7 , 6 , 9 , , 0 | . , , . 2 , , 3 , 4 , 1 E | 1 6 , I 7 , 1 8 I 9 , 2 0 | 2 1 , 2 2 | 2 3 , 2 4 | 2 5 | 2 6 , 2 7 . 2 a , 2 9 , 3 0 | 3 . , ] 2 33,14,35136 , 3 7 , 3 « , 3 9 , 4 0 | 4 . ,42

j ^ i5^*p 47 4r.41 9 S<,St,*i M 54:14, | 5 e | 5 9 , 6 0 | 6 < | 6 2 | 6 3 , 6 4 , 6 5 | 6 6 57 . 6 8 , 6 9 7 0 | 7 1 , 7 2 liifjan. 1T,7r,Tf.S0

1
T 1=5
+
1
o
H
10
+
1
I?
o
t-l
\
20
H
+
1
H
25
1
30
+
1
H
•V
^^
1
-J
+
1
40
H
+
1 8
45
1
H \
50
a
H
55
1
H 4:
\
60
a
H \
65
o
H
* 3
70
K 75
Af2MH
8^
,-?- 1.1.1 - 1 ,7,1 . . . . .6.1 .1
,3 l,b,l l,b,i - l,t,? l,b,(> lib,7 - l i l i P 1,1,' 1,1,1 - 1,1,S - i|0,5 - 1,1 |0 - i l l , 5 . . . . .S.II
,3 , .
,3 1 , , , , ,
,3 , ,
,3 ,
,3
,3
,3
,5"
,5
,5
,3
,3
,3
,3
,3
,3
,5
,3
|3
,3
,3 , 1
,3 , ,
,>? 1 1 1 , , 1
,3 1 1 1 1 1 1 1 1 1
,3 1 1
1 2 , 3 . + , 5 1 6 , 7 , 0 , 9,IO|l,,t2,,3,,4^,5|l<;|17,I8,19,20|21 , 22, 23,24,25| 26,?7 ,28 , 29,30|31,32 , 33, 34,35|36 , 37,38|39 , 40|41,42, 4144, 45|46,47, 4a,49,50|51 , 52,53.54 ,55l 56,57^58,59 ,60|6 1,62,63,64,65|56p ,68,69 |7o|7 1,72, 7174|75!76j7J2a29_f J

—N ^ 3
1
CoMPOfJ^f^r NfiHE .2
«^4
^
5
4t 5
3
0
1 ^
t
>i
1' d
filZHM
5 10 1^ 20 7^ 30 35 40 45 50 55 60 65 70 75 8C
/ . , S.[.(i W,A,7.F,!l, .r.U.P.f'.L.Y, .\/,A.L .l/.E . I , , , , , , 5...0 , ,1 , ,0 . . ( . . . . . .5-. 1.0
,2 , , ,?,l,2 W.A,l,E,il, .J,'J.f,lM.V, ,\i,A.L.\;,P. , 1f),-,f? 1 ,0 .yi 1
.2 , , ,1,1,2 W,A,l,e,ll ,.r,U,P,P,L.Y, ,\/,A,l.\/.F 5, .,0 1 ,f^ .s.\x
,2 , , .r.-^.o J, ,'IA),J, ,R,r-,C,i ,1.C, ,V/,A,L,i/,F s,uO 1 M ,5,?D
,2 , , , 5 , ] ^ J, ,T,KJ,J, ,R,E,C,!,(l,r, ,\;,A,L,\;,t 1 i0,.,0 j ,f? 1 ,i",3i
,2 , , ,5,],7 L .y.-vJ.J, ,ll,E,c, i,tt,t, ,U,A,L,v/,E Sr,0 1 ,Q .-r.31
,2 , , .S,].^ R.f, .H,e,A,i, ,1,0,c,T, ,\/,A,L,,;,E 2,.,5 1 ,Q ,.?,7J
,2 , , , / , 3 1 PiE, ,H,t=,A,l, , / 0 , M . .\/.A,L,\/,t r,.,o 1 ,f? ,^,3 7
,2 , , ,1,5 1 e,E, ,H.E,A,1, ,J,0,c,T, ,V,A,L,v;,E • » - , - / 1 iC .J ,3 7
,2 , , ,5,4,0 C,0,H,T,A'i^V ,^,vi,M,P, ,\;,A,L,V,E f,.,0 1 ,0 ,.r,4o
,2 , , ,J4-,1 (:,<^,,vi,-r,/\, h-J, ,i,o,M,ic, ,\j,A,L,yi,E ,1 O i . O 1 ,0 ..r.4.1
,2 , , ,r,4,i' ('.^.KlTa IIKJ, ,.f,l),Mf, ,'AA,\.,vi,E s,.,o 1 ,0 ,/.4l
,2 , , ,J,f,F e, ,H, ,'T,l-'i<L,o,l,l,\.,e, ,\i,A,L,aE 4,.,0 1 ,0 ,/4,J
,2 > 1 , / , 1 , 1 ej ,H, ,7,HilLo,T,7, Ijt, ,VA L,\/,e l l 0,-,0 1 ,0 ,14,7
,2 , , ,r,'J,i Rj ,M, ,l,H,<l,a,7,1,L,f, ,\;,A,i-i\J,t x,.,o 1 ,0 I ,j-:4.7
,2 , 1 KHro (?, ,H, ,R,V,P,A^,'i, ,\y,A,L,aF, , ^ 1 - / 1 ,c ,X,.r,n
,2 , 1 , r , j , i R, ,H ,K,y iF,A,5,S, i\/,A, mi,Ei , J,. 0 1 ,Q ,/„r,i
,2 , , , i , j , i 1^1 ,H, ,R,ViP/^,'.,S, ,\/,A,L,\/,E, , 1, , r 1 ,0 ,XJ-,I
,2 , , ,5,1,5 CiM,A,R,(),Gi ,i,U,C,T, ,\/,A,L,\;,E, |0 • i l l ? 1 ,1 ,r,',5
,2 , 1 .S.L'b îH,K,n.,G,e, ,J,U,(.,T, ,\;,A,L,yiE, - I,.,5 1 ,2 I ,5 ^t,. .0
,2 , 1 , 5 - , ! , % CiH,A,R,6,E| ,S,U,trTi ,v/,A,L,ViE, \0 • ,7,5 1 ,2 1? 1 , * , . 0
,2 , . , ? , 2 , 0 CiH,A,».,(.,Gi ,c,*,M,T,R. ,\/,^,Ul^',e o,-,y 1 ,1 , 5. Z,0
,2 , 1 , 5 , Z , 3 C|H,A,R,6,F| ,C,j*,N,Tie, ,V,ft,L|\/,g 1 1 J l,.,0 , ,1 ,? 1.1,.,0
,2 , 1 ,s,i.->>CiH,A,R,<i,E| ,C,^,iM,T|R, ,1/,»\,>_|\/,E 1 0,.,5 1 ,1 15 i . 3 , . , 0
,2 , , ,5,1.5 \;,<<>,L,U,M,E, ,c,.^,N,T,B, ,V,A,L|v;,E 1 1 |0 -.7.? 1 ,P ,-^,V
,2 , , , 5 . 1 . % \/.^,L,0,M,E, ,c,<^M,T,a,
,y,A,\.i\^,E 1 1 1 1..,? 1 ,0 ,5 ^ . ' & , . .0
,^ V^,(*,L,0,M,Ei ,C,i^,N,TiR. ,v/,A,C,\;,E
, 1 ,5,1% 1 \ • 1 1 ' .0 .,7,y 1 , ,0 ..ij
,5 h'^rP
' i '
4 ^ 5 J ^ . , 7 , 8 , 9K.|ll,12,I3,14,15|l6,17,ia,19,2',|2l ttiJatlSatZl K 2 » 30|,1,32 33 ^ 35|36,
L^
38,39 "Cl"',
iL Ji ^ ^^ ^ 4 7 ^ 5 9 1 5 1 , - ^ 2 , 53,54 îi ds ^ £ ^ ^3 (.ttSiUfl ^ fO.70|7I
22.7174,.7f|76,
FIGURE 3.27
ARMM I N P U T LOADSHEETS - CASE 2

Li- wi 4- 1 Pc?/«M 6
FuMCTiooJ N/*tê
1r 1
t 1 ^ <0 t
5 10 25 30 35 40 45 50 55 60 1 65 1 70 75 8C
i.l.O l*J.A,l,E,R .x.a.p.o.L.v 1 1 •t . 1 ,1 , , iP , , , . . l . l . . . 1 . . . . .l.iO
.\,t,0 J,A,F,E,T V, ,-r,v)j. , t e . c , i,L.c 1 , , if? 1 1 1 1? 0
, l.liJ L t , 5 , h P ,H,P,A,7, ,(l,t,c. I,«.c tl , lO .(r?,r
,\?>P f.i6^7,A >,M, ,/.UMp, ,ii.e,c,i fi 2. , lO \ 1,3,0
,\,\,s C,0,a,E. P,E,L,0,&,E, ,L,i,tO,E, 1 , IP (,^/
,1,4,0 (L ,M, iF -iXM. .6.Y.P A,^.S. , T- , |0 f,4,n'
, i , l i 5 C,k,A,R.G c. .L.i,N.e ,1 , |0 \AA
, , . , , , .
, . 1 , , , 1
, . 1 , , , 1 1 1 1 1 1 1 1 1 1 r 1
, . 1 , , , 1
, , 1 , , , 1
> 1 1 > , , 1
•
, T 1 , , , 1 t t 1 1 r ( t 1 1 t 1 1
, , 1 , , , 1
, , , 1
, 1 I 1 , , 1 1 1 1 f 1 r 1 1 1 1 1 1 I 1
, , 1 , , , 1
, ' 1 , , , ,
. , 1 , , , 1 1 1 1 1 1 1 I 1 1 1 1 1 1
, 1 1 1 , , 1 t 1 1 1 1 1 • 1 1 1 1 t
< , 1 , , < 1 [ 1 f I 1 1 I 1 1 1 1 1 1
, , 1 , 1 , 1 1 1 1 1 1 1 1 1 1 1 1 1 1
. . 1 , , , 1
1 1 ,
1 . 1 , , 1 1 1 1 1 ( 1 1 1 1 1 1 1 1
1 1 I , , , 1 1 ' 1 . 1 , 1 r 1 . 1 ' 1
1,2 3 , 4 , 5 | .
'I'.'iL^lli, I 2 , 1 3 , M , 1 5 | l 6 , 1 7 , l 8 , t 9 , 2 0 | 2 I ,22,23,24 25|26,27 2S 29,.10|3I,32
a 34,35|36 37,38, 3 9 , 4 0
?:^f'• i!\f^ 45|-10,47,48 4 9 , 5 0 | 5 I , 5 2 53,54,55| 56 5 7 | 5 8 | 5 9 , 6 o | 6 I , 6 2 ^ 3 , 64165166^7.68169,70171,72 7V^7.|76J7,7_6 .79 SC 1

Foan V
it -s i ^ 1 ^ ^ 1 1 c 1 ^ S ? <
^
5 10 IS 20 5 30 35 40 45 50 55 60 65 70 75 go
-.?.1.3 -|5.1.% 1 . . 1 1 . . . .y.l.ft.. 1
-.5.1.« I 1 1
1 F 1 . . .5.1.3.. .1
_j -L-i.
t t 1 t I I I
, , . . , , ,
1 . . ,
, I 1
••LOxi. M6,7,8 9,10|ll,1? '5,1<_JL5|,6 .7,18,.9,20 2.,22,23,24 2 5 | 26,27,28 29,30|3I,32 33,34,35136 37,38,39,40 4. ,42, 4 1 4 ' 45|46,47,48 49,50|51.S2|53,S4,S5|56 57,58.59,6oJ6l,62jS3.64|65l66*7 68 S2^°ii^^^7174,75176,77 78 79 K

FuUCTlOM FutJCfioio FUtJcrtoi.j Puwcnoo Fuio<mo»i FUiocTioio rUfcJCTtOO Fu,iocTio»>
SuPPoerro Su-rpoercD SuPPoare^D SaPPOBxeD SuPPoB.rei> Su ppoareo SuPPoarec SuPPo'TBD SuP9oa.rei> SuPfoKTSb. foeM e
a. ^)2.M/^
is pi ^ 5 ^ ^ £; ^ ^ ^ ^ ^ ^ ^ ^ ^ i -? *^
1 10 15 20
,
25 30 35 40 45 50 55 C. 1 6? 70 75 80
1.1,0 J _l_l-. S"I3
i,2.,0 5-.33
1,2,5 .S-,3,8
1,3,0 ,S-,4,3
l,3,S ,r,48
1,40 ,s^^s>
1,1,5 5 1,%,. 1
l,«,5 , , , , , ? 1,3.. .1
1,1,5 5 l,b,.,t
, 1 I
1 1 1
1 t ( 1
, , ,
.LJ_
1 , 1 '
1',',^,",'!^^ a , 9, ,r. ' ' | ' 2 , ' 3 , M ,5|,6,I7 18,2?,?' !z. 22,23,24 25|26j27,24 z*» n | 3 . 32,33,34,35 36,37,38 39,40|4I,42 43j4 4,4'; 16,47, 48,49fO|51 i2 53,54, 55| 56 57.58.59 60|61,6?,63 6 4|6 5|66|57|68,69,70pij72, 7^74,75176 msj.' -

AUTOMATIC RELIABILITY MATH HOOCL IÂGE 39
CASE 1 . SAFETY INJECTION - CONN. YANKEE 00000000. 1900 0000-00

SUMMARY
10 NAME RATE»10«»6 PROBABILITY PERCENT RANK PROBABILITY PERCENT RANK
505.00 STORAGE TANK 0.10 0.66160061E-04 0.0310 59 0.72973454E-04 0.1883 23
510.00 WATER SUPPLY VALVE 5.00 0.32023185E-02 1.5007 29 0.352710S6E-02 9.0992 1
512.00 WATER SUPPLY VALVE 5.00 0.32023185E-02 1.5007 30 0.352710566-02 9.0992 2
515.00 CHARGE SUCT VALVE 0.75 0.48008106E-03 0.2250 47 0.S2958684E-03 1.3662 13
518.00 CHARGE SUCT VALVE 0.75 0.48008106E-03 0.2250 48 0.52958684E-03 1.3662 14
520.00 CHARGE CONTR VALVE 0.50 0.32005404E-03 O.ISOO 51 0.35308967E-03 0.9109 17
523.00 CHARGE CONTR VALVE 0.50 0.32005404E-03 0.1500 52 0.35308967e-03 0.9109 18
525.00 VOLUME CONTR VALVE 0.75 0.48008106E-03 0.2250 49 0.529586a4E-03 1.3662 15
528.00 VOLUME CONTR VALVE 0.75 0.48008106E-03 0.2250 50 0.52958684E-03 1.3662 16
530.00 S INJ RECIRC VALVE 5.00 0.32023185E-02 1.5007 31 0^352710S6E-02 9.0992 3
532.00 S INJ RECIRC VALVE 5.00 0.3202318SE-02 1.5007 32 0.35271056E-02 9.0992 4
535.00 RE HEAT SUCT VALVE 2.50 0.16004925E-02 0.7500 39 0.17644I82E-02 4.5518 9
537.00 RE HEAT SUCT VALVE 2.50 0.16004925E-02 0.7500 40 0.17644182E-02 4.5518 10
540.00 CONTAIN SUMP VALVE 5.00 0.32009849E-02 1.5000 33 0.35256637E-02 9.0955 5
542.00 CONTAIN SUMP VALVE 5.00 0. 32009849E-02 1.5000 34 0.35256637E-02 9.0955 6
545.00 R H THROTTLE VALVE 5.00 0.32005404E-02 1.4998 36 0.35251832E-02 9.0942 7
550.00 R H BYPASS VALVE 2.50 0.16004925E-02 0.7500 41 0.17644182E-02 4.5518 11
552.00 R H BYPASS VALVE 2.50 0.16004925E-02 0.7500 42 0.17644182E-02 4.5518 12
555.00 CHARGE VALVE 290 1^50 0.96016212E-03 0.4499 43 0.57149072E-0* C.0015 44
560.00 CHARGE VALVE 292 1.50 0.96016212E-03 0.4499 44 0.57149072E-06 0.0015 45
565.00 DELUGE VALVE A 10.00 0.64010809E-02 2.9997 9 0.25244723E-04 0.0651 26
570.00 DELUGE VALVE B 10.00 0.64010809E-02 2.9997 10 0.25244723E-04 0.0651 27
575.00 SERV W VALVE 3 5.00 0. 0. 0 0. 0. 0
580.00 SERV W VALVE 4 5.00 0. 0. 0 0. 0. 0
585.00 R H PUMP A - START 10.00 0.64010809E-02 2.9997 It 0.2S244723E-04 0.0651 28
505.01 R H PUMP A - RUN 5.00 0.10846277E-03 0.0508 55 0.80746634E-08 0.0000 58
590.00 R H PUMP B - START 10.00 0.64010809E-02 2.9997 12 0.25244723E-04 0.06S1 29
590.01 R H PUMP B - RUN 5.00 0.10846277E-03 0.0508 56 0.80746634E-08 0.0000 59
FIGURE 3. 28

CASE I. SAFETY INJECTION - CONN. YANKEE OCOOOOOO, 1900 0000-00
SUMMARY
C0MP0NEN1 FAILURE SERIAL SERIAL SERIAL SYSTEM SYSTEM SYSTEM

10 ÂME RATE»10*»6 PROBABILITY PERCENT RANK PROBABILITY PERCENT RANK
592.00 R H CHECK VALVE 12 1.00 0. 0. 0 0.46142885E-09 c.oooo' 62
595.00 INJ PUMP A - START 10.00 0.64010809E-02 2.9997 13 0.25244723E-04 0.0651 30
595.01 INJ PUMP A - RUN 5.00 0.10846277E-03 0.0508 57 O.80746634E-0fl C.COCO 60
600.00 INJ PUMP B - START 10.00 0.64010809E-02 2.9997 14 0.25244723E-04 C.0651 31
600.01 INJ PUMP B - RUN 5.00 0.10846277E-03 0.0508 58 0.aC746634E-0e C.OOOO 61
602.00 INJ CHECK VALVE 12 1.00 0. 0. 0 0.46142885E-09 0.0000 63
605.00 CHR PUMP A - START 1.50 0.96016212E-03 0.4499 45 0.57149072E-06 C.C015 46
605.01 CHR PUMP A - RUN 0.75 0.16269415E-04 0.0076 62 0.18169866E-09 C.COOO 64
u> 610.00 CHR PUMP B - START 1.50 0.96016212E-03 0.4499 46 0.57149072E-06 C.0015 47
1 610.01 CHR PUMP B - RUN 0.75 0.16269415E-04 0.0076 63 0.1816986fcE-09 0.0000 65
4^ 612.00 CHR CHK VALVE 12 0.15 0. 0. 0 0.1038329CE-1C 0.0000 70
O^ 615.00 R H EXCH A 0.30 0.19854019E-03 0.0930 53 0.67175526E-07 C.C002 54
620.00 R H EXCH B 0.30 0.19854019E-03 0.0930 54 0.67175526E-07 C.0002 55
625.00 SERVf W VALVE 5 10.00 0.64019698E-02 3.0001 7 0.26720431E-04 0.0689 24
630.00 SERV1 W VALVE 6 10.00 0.64019698E-02 3.0001 8 0.26720431E-04 0.0689 25
635.00 LINE: 772 0.10 0.66180061E-04 0.0310 60 0.99503046E-08 C.OOOO 56
640.00 LINE: 12500 0.10 0.66180061E-04 0.0310 61 0.99503046E-0e C.OOOO 57
645-00 TRANSFORMER 2 5.00 0.33090032E-02 1.5507 19 0.84050844E-05 0.0217 34
650.00 TRANSFORMER 3 5.00 0.33090032E-02 1.5507 20 0.84050844E-05 0.0217 35
655.00 BUS TIE 2T3 2.00 0. 0. 0 0.15490359E-05 C.0040 40
660.00 INJ VALVE A 10.00 0.64010809E-02 2.9997 15 0.75734169E-04 C.1954 19
665.00 INJ VALVE B 10.00 0.64010809E-02 2.9997 16 0.75734169E-04 0.1954 20
670.00 INJ VALVE C 10.00 0.64010809E-02 2.9997 17 0.75734169E-04 0.1954 21
675.00 INJ VALVE D 10.00 0.64010809E-02 2.9997 18 0.75734169E-04 C.1954 22
680.00 MANUAL SW 5.00 0.32009849E-02 1.5000 35 0.71631931E-05 C.0185 38
685.00 AUTC) PERMISSIVE SW 5.00 0.32005404E-02 1.4998 38 0.63339216E-05 0.0163 39
690.00 PRESSURE SW 1 15.00 0.96016213E-02 4.4995 1 0.34865525E-06 0.C009 48
695.00 PRESSURE SW 2 15.00 0.96016213E-02 4.4995 2 0.34865525E-0e C.0009 49
700.00 PRESSURE SW 3 15.00 0.96016213E-02 4.4995 3 0.34865525E-06 C.0009 50
CASE 1 . SAFETY INJECTION - CONN. YANKEE OOOOOOOOt 1900 0000-00

SUMMARY
COMPONENT CONTRIBUTIONS TO U N R E L I A B I L I T Y

(jj ID NAME RATE«10»»6 PROBABILITY PERCENT RANK PROBABILITY PeRCENT RANK
1 7 0 5 . 0 0 LEVEL SW 1 15.00 0.96016213E-02 4.4995 4 0 .34865525E-06 0.0009 51
1^
7 1 0 . 0 0 LEVEL SW 2 15.00 0.96016213E-02 4.4995 5 0 .34865525E-06 0.0009 52
^ 7 1 5 . 0 0 LEVEL SW 3 15.00 0.96016213E-02 4.4995 6 0 .34865525E-06 0.0009 53
7 2 0 . 0 0 TRANSFORMER 4 5.00 0.33090032E-02 1.5507 21 0 .81559856E-05 0.0210 36
7 2 5 . 0 0 TRANSFORMER 5 5.00 0.33090032E-02 1.5507 22 0 .16311971E-04 0.0421 32
7 3 0 . 0 0 TRANSFORMER 6 5.00 0.33090032E-02 1.5507 23 0 .16311971E-04 0.0421 33
7 3 5 . 0 0 TRANSFORMER 7 5.00 0.33090032E-02 1.5507 24 0 .81559856E-05 0.0210 37
7 4 0 . 0 0 BUS T I E 4T5 2.00 0. 0. 0 0 .14521144E-05 G.0037 41
7 4 5 . 0 0 BUS T I E 5T6 2.00 0. 0. 0 0 .14521144E-05 C.0037 42
7 5 0 . 0 0 BUS T I E 6T7 2.00 0. 0. 0 0 .145211446-05 0.0037 43
7 5 5 . 0 0 SERV WATER PUMP A 5.00 0.33090032E-02 1.5507 25 0 .4089641CE-10 0.0000 66
7 6 0 . 0 0 SERV WATER PUMP B 5.00 0.33090032E-02 1.5507 26 0 .40896410E-10 0.0000 67
7 6 5 . 0 0 SERV WATER PUMP C 5.00 0.33090032E-02 1.5507 27 0 .4C8964106-10 C.OOOO 68
7 7 0 . 0 0 SERV WATER PUMP D 5.00 O.33090032E-02 1.5507 28 0 .408964106-10 0.0000 69
TOTAL SERIAL U N R E L I A B I L I T Y 0 . 2 1 3 3 9 3 3 9 E 00
CASE 2 . SAFETY INJECTION - CONN. YANKEE OCOilOCCC, 1900 oooc-cc

SUMMARY
C0MP0NEN1 FAILURE SERIAL SERIAL SERI AL SYSTEM SYSTEM SYSTEM

ID NAME RATE»10««6 PRCBABILITY PERCENT RANK PRCBABILITY PERCENT RANK
505.00 STORAGE TANK 0.10 0.64960165E-04 0.0267 59 0.67436652E-C4 6.0850 5
510.00 WATER SUPPLY VALVE 10.00 0.62865806E-02 2.5828 7 0.23232622E-04 2.7854 8
512.00 WATER SUPPLY VALVE 10.00 0.62865806E-02 2.5828 8 0.23232622E-04 2.7854 9
515.00 CHARGE SUCT VALVE 1.50 0.94246351E-03 0.3872 43 0.14727094E-C5 C.1766 34
518.00 CHARGE SUCT VALVE 1.50 0.94246351E-03 0.3872 44 0.1472709'Ê-(55 C.1766 35
520.00 CHARGE CONTR VALVE 1.00 0.62830900E-03 0.2581 51 0.7S493982E-06 C.0953 42
523.00 CHARGE CONTR VALVE 1.00 0.628309C0E-03 0.2581 52 0.794g3982E-06 C.0953 43
525.00 VOLUME CONTR VALVE 1.50 0.94246351E-03 0.3872 45 0.1A727094E-05 0.1766 36
528.00 VOLUME CONTR VALVE 1.50 0.94246351E-03 0.3872 46 0.14727094E-05 C.1766 37
I
I—, 530.00 S I N J RECIRC VALVE 10.00 0.62865e06E-02 2.5828 9 0.23232622E-0^ 2.7854 10
532.00 S I N J RECIRC VALVE 10.00 0.62865806E-02 2.5828 10 0.23232622E-04 2.785A 11
00
535.00 RE HEAT SUCT VALVE 5.00 0.31419813E-02 1.2909 37 0.5829C827E-05 €.6988 29
537.00 RE HEAT SUCT VALVE 5.00 0.31419813E-02 1.2909 38 0.5829C827E-05 0.6988 30
540.00 CONTAIN SUMP VALVE 10.00 0.62839626E-02 2.5818 11 0.23232618E-0A 2.7854 12
542.00 CONTAIN SUMP VALVE 10.00 0.62839626E-02 2.5818 12 0.232226ieE-04 2.781.4 13
547.00 R H THROTTLE VALVE 10.00 0.62830900E-02 2.5814 16 0.23232617E-0'4 2.7854 15
550.00 R H BYPASS VALVE 5.00 C.31419813E-02 39
1.2909 0.5e29C827E-05 C.6988 31
552.00 R H BYPASS VALVE 5.00 0.31419813E-02 1.2909 40 0.5e29C827E-05 C.6988 32
555.00 CHARGE VALVE 2 9 0 0.94246350E-03
1.50 0.3872 47 0.52594C5eE-C6 C.0631 44
560.00 CHARGE VALVE 2 9 2 0.94246350E-03
1.50 0.3872 48 0.52594058E-0t C.0631 45
565.00 DELUGE VALVE A 0.62830900E-02
10.00 2.5814 17 0.23232616E-04 2.7854 16
570.00 DELUGE VALVE B 0.628309C0E-02
10.00 2.581^ 18 0.23232616E-04 2.7854 17
575.00 SERV W VALVE 3 0.
580.00 SERV W VALVE 4
5.00 0. 0 0. 0. c
0.
585.00 R H PUMP A - START
5.00 0. 0 0. C. 0
585.01 R H PUMP A - RUN
10.00 0.628309CCE-02 2.5814 19 0.232326ieE-04 2.7854 18
590.00 R H PUMP B - START 5.00 0.10646348E-03 0.0437 55 0.83932753E-0E C.OOIO 56
590.01 R H PUMP B - RUN 10.00 0.62830900E-02 2.5814 20 0.23232616E-04 2.7854 19
5.00 0.10646348E-03 0.0437 56 0.83932753E-oe C.COIO 59
AUTOMATIC RELIABILITY MATH MODEL PAGE 'iC
CASE 2. SAFETY INJECTION - CONN. YANKEE OCOCCCCC, 1900 CCCC-CC
SUMMARY
COMPONENT FAILURE SERIAL SERIAL SERIAL SYSTEM* SYSTEM SYSTEM
ID NAME RATE»10»»6 PRCBABILITY PERCENT RANK PRCBABILITY PERCENT RANK
5 9 2 . 0 0 R H CHECK VALVE 12 1.00 0. 0. 0 0 .<t7963602E-0S C.CCCl 62
5 9 5 . 0 0 I N J PUMP A - START 10.00 0.62830900C-02 2.5814 21 0 .23232616E-04 2.7854 20
5 9 5 . 0 1 I N J PUMP A - RUN 5.00 0.10646348E-03 0.0437 57 0 .e3932753E-0e C.OOIO 6C
6 0 0 . 0 0 I N J PUMP B - START 10.00 0.62830900E-02 2.5814 22 0 .232226ieE-04 2.7854 21
6 0 0 . 0 1 I N J PUMP B - RUM 5.00 0.10646348E-03 0.0437 58 0 .83932753E-Ce C.CCIO 61
6 0 2 . 0 0 I N J CHECK VALVE 12 1.00 0. 0. 0 0 .47963603E-CS C.OOOl 63
6 0 5 . 0 0 CHR PUMP A - START 1.50 0.94246350E-03 0.3872 49 0 .52594058E-06 C.0631 46
6 0 5 . 0 1 CHR PUMP A - RUN 0.75 0.15969521E-04 0.0066 62 0 .1888691TE-C? C.OOOO 64
oo 6 1 0 . 0 0 CHR PUMP B - START 1.50 0.94246350E-03 0.3872 50 0 .5259405eE-C6 C.0631 47
1
1—. 6 1 0 . 0 1 CHR PUMP B - RUN 0.75 C.15969521C-04 0.0066 63 0 .ie886817E-09 C.CCCO 65
>(^ 6 1 2 . 0 0 CHR CHK VALVE 12 0.15 0. 0. 0 0 .1C79299CE-1C C.COCO 7C
vO
6 1 5 . 0 0 R H EXCH A 0.30 0.19488050E-03 0.0801 53 0 .61824332E-07 C.0074 54
6 2 0 . 0 0 R H EXCH B 0.30 0.19488050E-03 0.0801 54 0 .61824332E-07 C.C074 55
6 2 5 . 0 0 SERV1 W VALVE 5 10.00 0.62839626E-02 2.5818 13 0 .2459C70'iE-04 2.9482 6
6 3 0 . 0 0 SERV/ W VALVE 6 10.00 0.62839626E-02 2.5818 14 0 .2A590704E-0'<i 2.9482 7
6 3 5 . 0 0 LINE; 7 7 2 0.10 0.64960165E-04 0.0267 60 0 .91585156E-Ce C.OOU 56
6 4 0 . 0 0 LINEi 1 2 5 0 0 0.10 0.6A960165E-04 0.0267 61 0 .9158515£E-Ce C.COll 57
6 4 5 . 0 0 TRANSFORMER 2 5.00 0.324800a4E-02 1.3344 27 0 .77362577E-05 C.9275 24
6 5 0 . 0 0 TRANSFORMER 3 5.00 0.32480084E-02 1.3344 28 0 .77362577E-05 C.9275 25
6 5 5 . 0 0 BUS TIE 2T3 2.00 0. 0. 0 0 .I'i25772€£-C5 C.17C9 38
6 6 0 . 0 0 I N J VALVE A 10.00 0.62830900E-02 2.5814 23 0 .69697e48E-C4 8.3561 1
6 6 5 . 0 0 I N J VALVE B 10.00 0.62830900E-02 2.5814 24 0 .69697848E-04 6.3561 2
6 7 0 . 0 0 I N J VALVE C 10.00 0.62830900E-02 2.5814 25 0 .69697848E-04 8.3561 3
6 7 5 . 0 0 I N J VALVE D 10.00 0.62830900E-02 2.5814 26 0 .69697846E-04 8.3561 4
6 8 0 . 0 0 MANUAL SW 5.00 0.31419813E-02 1.2909 41 0 .6e49524eE-C5 C.7972 28
6 8 5 . 0 0 AUTC: PERMISSIVE SW 5.CO 0.31415450E-02 1.2907 42 0 .5e29C823E-05 C.6988 33
6 9 0 . 0 0 PRESSURE SW 1 15.00 0.94246349E-02 3.8721 1 0 .32C8660CE-C6 C.0385 46
6 9 5 . 0 0 PRESSURE SW 2 15.00 0.94246349E-02 3.8721 2 0 .32O8660CE-C6 C.0385 49
7 0 0 . 0 0 PRESSURE SW 3 15.00 0.94246349E-02 3.8721 3 0 .3208660CE-C6 C.0385 50

CASE 2. SAFETY INJECTION - CONN. YANKEE OCOGOCCO, 1900 OOOC-CC

SUMMARY
COMPONENT CCMRIBUTIONS TO UNRELIABILITY

10 NAME RATE«10«»6 PRCBABILITY PERCENT RANK PRCBABILITY PERCENT RANK
705.00 LEVEL SW 1 15.00 0.94246349E-02 3.8721 4 0.32O8660CE-C6 0.0385 51
710.00 LEVEL SW 2 15.00 0.94246349E-02 3.8721 5 0.3208660CE-0£ C.0385 52
00 715.00 LEVEL SW 3 15.00 0.94246349E-02 3.8721 6 0.3208660CE-06 C.0385 53
720.00 TRANSFORMER 4 5.00 0.32480084E-02 1.3344 29 0.75069807E-05 C.9000 26
725.00 TRANSFORMER 5 5.00 C.32480084E-02 1.3344 30 0.15013961E-04 1.80CC 22
o 0.32480084E-02
730.00 TRANSFORMER 6 5.00 1.3344 31 0.15013961E-04 1.80C0 23
735.00 TRANSFORMER 7 5.00 0.32480084E-02 1.3344 32 0.75C69807E-05 C.9CC0 27
740.00 BUS TIE 4T5 2.00 0. 0- 0 0.13365635E-05 C.16C2 39
745.00 BUS TIE 5T6 2.00 0. 0. 0 0.13365635E-05 C.16C2 40
750.00 BUS TIE 6T7 2.00 0. 0. C 0.1336563;E-05 C.16C2 41
755.00 SERV WATER PUMP A 5.00 0.32480084C-02 1.3344 33 0.37636805E-1C C.COCO 66
760.00 SERV WATER PUMP B 5.00 0.32480084E-02 1.3344 34 0.37636805E-1C C.COOO 67
765.00 SERV WATER PUMP C 5.00 0.32480084E-02 1.3344 35 0.37636805E-1C O.OOCC 68
770.00 SERV WATER PUMP 0 5.00 0.32480084E-02 1.3344 36 0.37636805E-1C C.COCO 69
TOTAL SERIAL UNRELIABILITY 0.24339731E 00

CASE 3- SAFETY INJECTION - CONN. YANKEE OCCCOCCC, 19C0 CCOC-CC
SUMMARY
COMPONENT FAILURE SERIAL SERIAL SERIAL SYSTEM SYSTEM SYSTEf
ID NAME RATE*I0«*6 PRCDABILITY PERCENT RANK PRCBABILITY PERCENT RANK
5 0 5 . 0 0 STORAGE TA.NK 0-10 0.186985010-04 0.0335 59 0.19146147E-04 C.21C6 19
5 1 0 - 0 0 WATER SUPPLY VALVE 5.00 0.81830240E-03 1.4677 29 0.e38C5773E-03 9-2166 1
5 1 2 . 0 0 WATER SUPPLY VALVE 5.00 0-8183024CE-03 1.4677 30 0.e38C5773E-03 9-2166 2
5 1 5 . 0 0 CHARGE SUCT VALVE 0.75 0.12245380E-03 0.2196 47 G-12545616E-03 1.3797 13
5 1 8 . 0 0 CHARGE SUCT VALVE 0-75 0.12245380E-03 0.2196 48 0.12545616E-C3 1.3 79 7 14
5 2 0 . 0 0 CHARGE CONTR VALVE 0.50 0-8 1635870E-04 0.1464 55 0.e363S197E-04 C.9198 17
5 2 3 - 0 0 CHARGE CONTR VALVE 0-5C 0.81635870E-04 0.1464 56 o.e363<;ig?E-04 C-gi98 18
5 2 5 . 0 0 VOLUME CONTR VALVE 0.75 0.1224538CC-03 0.2196 49 0.12545616E-03 1.3797 15
5 2 8 . 0 0 VOLUME CONTR VALVE 0-75 0-12245380E-03 0.2196 50 C.12545616E-03 1.3797 16
5 3 0 . 0 0 S I N J RECIRC VALVE 5.00 0.8 1830240E-03 1.4677 31 0.838C5773E-03 9.2166 •X
00 5 3 2 . 0 0 S I N J RECIRC VALVE 5-OC 0.8183024GE-03 1.4677 32 0-838C5772E-03 9-2166 4

1—1 5 3 5 . 0 0 RE HEAT SUCT VALVE 2.50 0.4CS42231E-03 0.7325 39 0.41837246E-03 4.6011 9
Ul 2-50
5 3 7 . 0 0 RE HEAT SUCT VALVE 0.4C842231E-03 0.7325 40 0.4183734eE-G3 4.6011 10
5 4 0 . 0 0 CONTAIN SUMP VALVE 5.00 0-8 1684462E-03 1.4650 33 0.e3657137E-03 9.2CC2 5
5 4 2 . 0 0 CONTAIN SUMP VALVE 5.0C 0.81684462E-03 1.4650 34 0.e3657137E-03 S-20C2 6
5 4 5 . 0 0 R H THROTTLE VALVE 5.00 0.8163587CE-03 1.4642 36 0.836C7591E-03 g-1948 7
5 4 7 . 0 0 R H THROTTLE VALVE 5-00 0-81635870E-03 1-4642 37 G.836C7591E-G3 9-1948 8
5 5 0 . 0 0 R H BYPASS VALVE 2.50 0-4C842231E-03 0.7325 41 0.41837346E-03 4-6011 11
5 5 2 . 0 0 R H BYPASS VALVE 2-5C 0.4C042231E-03 0.7325 42 0-41837346E-03 4.6011 12
5 5 5 . 0 0 CHARGE VALVE 290 1.50 0.24490761C-O3 0.4393 43 0.316C8976E-07 C.0003 44
5 6 0 - 0 0 CHARGE VALVE 292 1-50 0-2449O761E-O3 0.4393 44 0.31608976E-G7 C.0OG3 45
5 6 5 - 0 0 DELUGE VALVE A 10.00 0.16327174C-02 2.9283 9 0-1402e391E-05 C.G154 26
5 7 0 - 0 0 DELUGE VALVE B 10.OC 0.16327174E-02 2-9283 10 0.140283giE-05 C.0154 27
5 7 5 - 0 0 SERV W VALVE 3 5.00 0. 0- 0 0- C. C
5 8 0 . 0 0 SERV W VALVE 4 5-00 0- 0- 0 0- G. 0
5 8 5 . 0 0 R H PUMP A - START 10.00 0-16327174E-02 2-9283 11 0-140263giE-05 C.0154 28
5 8 5 . 0 1 R H PUMP A - RUM 5.00 0.11056638E-03 0.2127 51 0-e323899CE-06 C.CCCl 46
5 9 0 . 0 0 R H PUMP B - START 10.00 0-16327174E-02 2.9283 12 0-14G28391E-05 C.0154 29
5 9 0 . 0 1 R H PUMP B - RUM 5.00 0-11856638E-03 0.2127 52 0.83238g9CE-G6 C.COCl 49
CASE 3. SAFETY INJECTION - CONN. YANKEE OCOGOCCO, 19C0 OOOC-CC

SUMMARY
COMPONENT FAILURE SERIAL SERIAL SERIAL SYSTEM SYSTEM SYSTEf

10 NAME RATE*10*»6 PRCBABILITY PERCENT RANK PRCBABILITY PERCENT RANK
5 9 2 . 0 0 R H CHECK VALVE 12 1-00 0. 0. 0 0.47567149E-09 C.GOCO 62
5 9 5 . 0 0 I N J PUMP A - START 10.00 0.16327174E-02 2.9283 13 0.1402e391E-05 C.0154 30
5 9 5 . 0 1 I N J PUMP A - RUN 5.00 0.1ia56638E-03 0.2127 53 0.8323899CE-0e C.COGl 50
6 0 0 . 0 0 I N J PUMP B - START 10.00 0.16327174E-02 2.9283 14 0.14C28391E-05 C.0154 31
6 0 0 - 0 1 INJ PUMP B - RUN 5.00 0-11856638C-03 0-2127 54 G-8323899CE-08 G.GOCl 51
6 0 2 . 0 0 INJ CHECK VALVE 12 I.00 0- 0. 0 0.47567149E-09 C.COCO 63
6 0 5 . 0 0 CHR PUMP A - START 1.5G G-24490761C-03 0.4393 45 0.316G8976E-07 C.CCG3 46
6 0 5 . 0 1 CHR PUMP A - RUN 0.75 0-17784957E-04 0.0319 62 0.18730704E-09 C.GGGO 64
6 1 0 . 0 0 CHR PUMP B - START 1-50 0.24490761C-03 0-4393 46 0-31608976E-C7 C.0003 47
6 1 0 . 0 1 CHR PUMP B - RUN 0.75 G-17784957E-04 0.0319 63 0.ie73C704E-09 C.COCO 65
OJ 6 1 2 . 0 0 CHR CHK VALVE 12 0-15 0- 0. 0 0.1C7C3785E-1C C.COCO 66
6 1 5 - 0 0 R H EXCH A 0.30 0-56095504E-04 0.1006 57 G.37438642E-G6 C.COOO 58
Ul
IN)
6 2 0 . 0 0 R H EXCH B 0.30 0.56G95504C-04 0.1006 58 0.37438642E-Ge C.GOCO 59
6 2 5 . 0 0 SERV/ W VALVE 5 10.00 0-16336892E-02 2.9301 7 0.1484625CE-G5 C.0163 24
6 3 0 . 0 0 SERV' W VALVE 6 10.00 0.16336892E-02 2.9301 8 0.1484625CE-05 C.0163 25
6 3 5 . 0 0 LINE ; 772 0.10 O.ie698501E-O4 0.0335 60 0.56091G0GE-09 C.GGGO 6C
6 4 0 . 0 0 LINE; 12500 0-10 0.18698501C-04 0.0335 61 G.5609100CE-G5 C.GOCO 61
6 4 5 . 0 0 TRANSFORMER 2 5-00 0.93492507E-03 1.6768 19 0.47455974E-0e C.CG52 35
6 5 0 . 0 0 TRANSFORMER 3 5-OG G.934925G7E-03 1.6768 20 0.47455974E-06 C.C052 36
6 5 5 . 0 0 BUS TIE 2T3 2.00 0. 0. 0 0.87357445E-07 C.COIO 4C
6 6 0 . 0 0 INJ VALVE A 10.00 0.16327174C-02 2.9283 15 0.42085172E-G5 C.0463 20
6 6 5 . 0 0 INJ VALVE B 10.00 0.16327174E-G2 2.9283 16 0.42G85172E-05 C.G463 21
6 7 0 . 0 0 I N J VALVE C 10.00 0.16327174E-02 2.9283 17 0.42085172E-05 C.G463 22
6 7 5 . 0 0 I N J VALVE D 10.00 0.16327174C-02 2.928 3 18 0.42085172E-05 C-0463 23
6 8 0 . 0 0 MANUAL SW 5.00 0.81684462C-03 1.4650 35 0.851C0454E-06 C.C094 34
6 8 5 . 0 0 AUTC; PERMISSIVE SW 5-00 0.81635870E-03 1.4642 38 0.351C0442E-06 C.C03g 39
6 9 0 . 0 0 PRESSURE SW 1 15-00 0.24490761C-02 4.3925 1 0.45394765E-0e C.COCO 52
6 9 5 . 0 0 PRESSURE SW 2 15-00 0-24490761E-02 4.3925 2 0.4539476SE-0E C.COCO 53
7 0 0 . 0 0 PRESSURE SW 3 15-00 0-24490761E-02 4.3925 3 G.45394765E-08 C.GOCO 54
CASE 3- SAFETY INJECTION - CONN- YANKEE OCOGOCCO, 1900 OOOC-CC

STJMHAIW
"COMPUNENT XDNTIfllUTTlWS^TinJFrRELIABmTY
COMPONENT FAILURE SEittAL SER«r~" ÊR^TAL ^YSTET< SYSTEM SYSTEf*

ID NAME RATE*10**6 PROBABILITY PERCENT RANK PRCBABILITY PERCENT RANK
ttmp^ i€VEf. sit 1 15700 0.24490761¥-^2 4.119^5" ir.45394T65E-08 C.OOCO 55
7 i | ^ 0 t.eV6i SM 2 15.00 0.2449676IE-02 4.3925 5 0.45394765E-08 C.COCO 56
7 1 5 . 0 0 LEVfCTW 3 15.00 0724490T6IF-02 4.3925 6 0.45394T65E-0e C.COOO 57
7 2 0 . 0 0 TRANSFORMER 4 5-00 0-93492507E-03 1.6768 21 0.4605C939E-06 C.C051 37
5700 0.934925O7E-0r ITFTSr Z2 O.92r0T877E-06 C.OIOI 32
5.00 0.93492507E-03 1.J.768 23 0.921ClS77E-0e C.OICI 33
oo
im
735.00 TRAJISFORMER 7 5.00 0 . 9 3492 507f^^03 1.6768 24 074605C9ME-06" C.C051 38
7 4 0 . 0 0 BUS TIE 4T5 2.00 0. 0. 0 0.81896192E-07 C.C0C9 41
tm>m 8«s t i t SI* "270r ~o; ^ JT D^ffl8^61^21-in C.00C9 42
fjOoCt Bttf t i l 6^»
2.00 0'- 0. 0 0.81896192E-0T C.C0C9 43
~0793^9F5Tmf-03 "T7676T^ 25 0.123781746-12^ C.OOOO 67
~T5f.OO SEft^ uATEft PUMP A~ 0.12378174E-12
5.00 0.93492507E-03 1.6768 26 C.OOOO 68
7 6 0 . 0 0 SERV WATER PUMP B
5.00" 0 . 9 3 4 9 2 f 0 7 E - d S 1.6768" 27 O.T237«T4E=-TJ O.OOOO 69
5.00 0.934925071-03 1.6768 28 0.12378174E-12 C.OOCO 70
TOTAL ERIAL UNRELIABILITY 0.5S7$$603£-01

CASE 1. SAFETY INJECTION - CONN. YANKEE OOOOOOOOt 1900 0000-00

SUMMARY
PROBABILITY OF SYSTeM FAILURE 0.38762840E-01
PROBABILITY OF SYSTEM SUCCESS 0.96123715
FUNCTION ID FUNCTION NAME PROBABILITY OF FUNCTION FAILURE PERCENT OF SYSTEM FAILURE RANK
105 WATER STORAGE 0.729734386-04 0.188 9
110 WATER SUPPLY 0.705421026-02 18.198 1
115 CHARGE LINE 0.28245263E-02 7.287 7
120 SAF6TY INJ ReCIRC 0.70542102E-02 18.198 2
125 R6SID H6AT RECIRC 0.352883596-02 9.104 5
130 CONTAIN SUMP RECIR 0.705132656-02 18.191 3
I ,J 135 CORE DELUGE LINE 0.705036536-02 18.188 4
1 140 R H EXCH BYPASS 0.352883596-02 9.104 6
Ul 145 CHARGE LINe OlST 0.114298136-05 0.003 25
4^ 150 C0R6 D6LUGE 01 ST 0.504894406-04 0.130 ll
160 R H PUMP AB -START 0.504894406-04 0.130 12
161 R H PUMP AB -RUN 0.138421476-07 0.000 28
-163 R H CH6CK VALV6 12 0.276856606-08 0.000 30
165 INJ PUMP AB -START 0.504894406-04 0.130 13
166 INJ PUMP AB -RUN 0.138421476-07 0.000 29
-168 INJ CH6CK VALVE 12 0.276856606-08 0.000 31
170 CH PUMP AB -START 0.114298136-05 0.003 26
171 CH PUMP AB -RUN 0.3114fi008E-09 0.000 32
-173 CHARGE CK VALVE 12 0.62299584E-10 0.000 34
175 R H EXCH W/C00LIN6 0.53575156E-04 0.138 10
177 R H EXCH W/0 COOL 0.49a36486E-10 0.000 35
180 POWER 23 0.13194936E-04 0.034 14
-190 POWER 2T3 0.518416726-05 0.013 19
195 SAFETY INJ DIST 0.302936636-03 0.782 8
200 MANUAL OPERATION 0.48061415E-06 0.001 27
FIGURE 3.29
FUNCTION CONTRIBUTIONS TO UNRELIABILITY
ALTCMATIC RELIABILITY MATH MODEL PAGE 36
CASE 2 . SAFETY INJECTION - CONN. YANKEE OCCCCCCO, 1900 CCCC-OO
SUMMARY
PROBABILITY CF SYSTEM FAILURE = 0.834C9745E-03

PROBABILITY CF SYSTEM SUCCESS = 0.9991659C
FUNCTION ID FUNCTION NAME PROBABILITY OF FUNCTION FAILURE PERCENT CF SYSTEM FAILURE RANK
105 WATER STORAGE 0.67436637E-04 8.C85 2
110 WATER SUPPLY 0.46465238E-04 5.571 4
115 CHARGE LINE G.74807162E-05 C.e97 18
120 SAFETY INJ RECIRC 0.46465238E-04 5.571 5
125 RESID HEAT RECIRC 0.11658164E-04 1.398 15
130 CONTAIN SUMP RECIR 0.46465230E-04 5.571 6
135 CORE DELUGE LINE 0.46465229E-04 5.571 7
140 R H EXCH BYPASS 0.11658164E-04 1.398 16
145 CHARGE LINE DIST 0.10518810E-05 0.126 25
150 CORE DELUGE DIST 0.46465226E-04 5.571 8
160 R H PUMP AB -START 0.46465226E-04 5.571 9
161 R H PUMP AB -RUN 0.14388334E-07 0.C02 28
-163 R H CHECK VALVE 12 0.28778088E-08 O.CCO 30
165 INJ PUMP AB -START 0.46465226E-04 5.571 IC
166 INJ PUMP AB -RUN 0.143883346-07 C.C02 29
-168 INJ CHECK VALVE 12 0.28778G88E-08 O.CGO 31
170 CH PUMP AB -START 0.10518810E-05 0.126 26
171 CH PUMP AB -RUN 0.32377052E-09 O.CCC 32
-173 CHARGE CK VALVE 12 0.64757814E-10 C.CCC 34
175 R H EXCH W/COOLING 0.49304999E-04 5.911 3
177 R H EXCH M/O COOL 0.518G2944E-10 o.coo 35
180 POWER 23 0.12144962E-04 1.456 11
-190 POWER 2T3 0.47716412E-05 C.572 19
195 SAFETY INJ DIST 0.27879136E-03 33.424 1
200 MANUAL OPERATION 0.49957641E-06 0.C6C 27

i
AUTOMATIC RELIABILITY f&TH MODEL PAGE 36

CASE 3. SAFETY INJECTION - CONN. YANKEE OCOCOCCO, 1900 OCCC-CC
SUMMARY
PROBABILITY CF SYSTEM FAILURE = 0.909293C5E-02
PROBABILITY OF SYSTEM SUCCESS = 0.99090707
FUNCTION I D FUNCTION NAME PROBABILITY OF FUNCTION FAILURE F SYSTEM FAILURE RANK

105 WATER STORAGE 0.19146139E-04 0.211 8
no HATER SUPPLY 0.16761153E-02 18.433 1
115 CHARGE L I N E 0.66910295E-03 7.258 7
120 SAFETY I N J RECIRC 0.16761153E-02 la.'ias 2
125 RESID HEAT RECIRC 0.83674685E-03 9.202 5
130 CONTAIN SUMP RECIR 0.16731426E-02 18.400 3
135 CORE DELUGE L I N E 0.16721516E-02 18.39C 4
140 R H EXCH BYPASS 0.83674685E-03 9.202 6
145 CHARGE L I N E D I S T 0.t3217946E-07 C.COl 24
150 CORE DELUGE D I S T 0.28056779E-05 0.C31 11
160 R H PUMP AB -START 0.28056779E-05 C.C31 12
161 R H PUMP AB - R U N 0.14269404E-07 O.COO 28
-163 R H CHECK VALVE 12 0.28540217E-08 C.COO 30
165 I N J PUMP AB -START 0.28056779E-05 0.031 13
166 I N J PUMP AB - R U N 0.14269404E-07 G.COC 29
-168 I N J CHECK VALVE 1 2 0.28540217E-08 C.COO 31
170 CH PUMP AB -START 0.63217946E-07 0.001 25
171 CH PUMP AB - R U N 0.32109434E-09 O.COO 32
-173 CHARGE CK VALVE 12 0.64222547E-10 O.CCC 33
175 R H EXCH W/COOLING 0.29766860E-05 C.G33 IC
177 R H EXCH H/O COOL 0.51374757E-10 O.COO 34
180 POWER 2 3 0.74522764E-06 0.C08 14
-190 POWER 2 T 3 0.29237095E-06 C.CC3 2C
195 SAFETY I N J D I S T 0.16834067E-04 0.185 9
200 MANUAL OPERATION 0.49545842E-06 C.C05 19
NORMAL INLETS Flow ^ D I U )
AIR
NORMAL-TEPOOCfJt
OUTLET
INOTEMT-NIL
-J mCIDEHTFlOWIMLET
MORMAL-NtL
!HCIDEirr-4<iO0OCEM:
>
BYPASS Hosir Of iqooo V.J j
- — -4 • I'
CEM. GIVES OTU. ACCESS ACCESS
FAN
INCIDENT COOLING DOOR DOOR
FlOWfOFSCÔOOCOt
ITOT fflll
iiiniiniiiiiiiiiiiiiMiiiiiniiiiiiiiiiiiiniiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiuiiiiiiMiiii IIIIIIIIIJIUII wnnnnnnniinnHiiTHmnnfitiTinimnmni!!^^
MOllsTkjHE PARTICOLATi CHARcIc CJOOUNIS
SEPARATOR FILTERS
RS"^ COILS
. — % •
FIGURE 3 . 3 0
AIR RECIRCULATION F A N - COOLING COIL UNIT

CONNECTICUT YANKEE
CIO CJ2 C.13
INCIDENT FLOW MOISTURE SEPARATOR PARTICULATE FILTER CHARCOAL FILTER

INLET DAMPER (1 PER ASSEMBLY) (40 PER ASSEMBLY) (80 PER ASSEMBLY)
F.IO
^
C.14 C.15
00
1
00
SWITCH FROM INCIDENT NORMAL FLOW
TO NORMAL FLOW INLET DAMPER
C.1B C.17 CIS
F.11
Q> COOLING COILS FAN FAN MOTOR
F I G U R E 3 . 31A
C O N N E C T I C U T Y A N K E E - AIR R E C I R C U L A T I O N UNIT
C.50 C^l C.52 C.53 C ^ C ^ C ^ CJ^ C.B3 C ^ C ^
REFUELING RESIDUAL HEAT RESIDUAL
-50 WATER TANK BLOCK LINE BLOCK LINE CHECK RHRP INLET RHRP OUTLET RHE INLET HEAT EXCHANGER RHE OUTLET RHE OUTLET
VALVE REMOVAL PUMP
STORAGE TANK VALVE VALVE VALVE 1(1.0.) 1 VALVE K L . O . ) VALVE K L . O . ) 1 CHECK VALVE 1 VALVE K L . O . )
F.-51 F.-52
C.54 C.55 C.59 C.60 C.61 C.66 C.67 C.68 C.69
-®
CONTAINMENT RHRP INLET RESIDUAL HEAT RESIDUAL
SUMP CHECK RHRP OUTLET RHE INLET RHE OUTLET RHE OUTLET
SUMP VALVE 2 (L.O.) REMOVAL PUMP VALVE 2(L.O.) HEAT EXCHANGER
BLOCK VALUE VALVE VALVE 2(L.O.) 2 CHECK VALVE 2 VALVE 2(L.O.)
2
C.70 C.71 C.72 C.73 C.74
(D^- -53 CONTAINMENT SPRAY INLET CONTAINMENT SPRAY REACTOR VESSEL CONTAINMENT CONTAINMENT SPRAY
W LINE CHECK VALVE INLET LINE BLOCK VALVE HEAD BLOCK VALVE SPRAY HEADER RING 1 HEADER RING 2
FIGURE 3.31B
CONNECTICUT YANKEE
CONTAINMENT SPRAY SYSTEM
3-159
F. C.IO C.20 C.30 C.40 CIO C.20 C.60 C.160
Hj 115KV 115KV/4160V 115KV 115KV/4160V 115KV 115KV/4160V 110 4160V/480V
LINE 12500 TRANS.3 LINE 772 TRANS. 2 LINE 12500 TRANS3 S.W.PUMP 1
TRANS. 6
F C.70 C.80 C.90 C.170

NO 20 4160V/480V BUS TIE BUS TIE
C.30 C.40 C.50 S.W.PUMP 2
TRANS. 4 BUS 4 TO BUS 5 BUS 5 TO BUS 6
F
90 115 Kv 115KV/4160V 180
BUS TIE - BUS 2 TO BUS 3
LINE 772 TRANS.2 C.IOO C.90 C.180
30 4160V/480V BUS TIE S.W.PUMP 3
TRANS. 5 BUS 5 TO BUS 6
C.llQ C.90 C.120 C.190

F.
40 4160V/480V BUS TIE BUS TIE
— S.W.PUMP 4
TRANS.7 BUS 5 TO BUS 6 BUS 6 TO BUS 7
C.130
F..150
EMER.GEN.IB
C.140 C.90
F.-1B0 BUS TIE
EMER.GEN.IA
BUS 5 TO BUS 6
C.150 C.90 C.120

F.-170 BUS TIE BUS TIE
EMER.GEN.IC BUS 5 TO BUS 6 BUS 6 TO BUS 7
FIGURE 3 . 3 1 C
CONNECTICUT YANKEE
POWER SUPPLY AND SERVICE WATER SYSTEM P U M P S
3-160
4 Air Recirculation Units
(3 Out Of 4 Units Must Function) 1
(See Fig. 3. 31 A)
Service Water
Power Supply
Supply System.
(See Fig. 3.31C)
(See Fig. 3.31C)
I
Containment Spray System

o
(Standby)
— (See Fig. 3.31B)
FIGURE 3.31D
CONTAINMENT COOLING SYSTEM

RELIABILITY BLOCK DIAGRAM - CONNECTICUT YANKEE
Reactor
I
Vessel —Xh r-CXJ—1--1-
Head Residual Residual Heat
Heat Exchanger Removal P u m p s -i^'-hHXJJ
Reactor I—IXh -X—' L-X]—U^
Containment xy-cx}—^
Spray Header Containment
Rings Sump
-^X TM-
FIGURE 3. 32
RESIDUAL HEAT REMOVAL SYSTEM IN CONTAINMENT SPRAY MODE

CONNECTICUT YANKEE
U tk Ul 01 vl 0) (0 . N 0) ^jioiNiaxc 10 U 4^(JI())sJUIID- 10 u) AJiavjODV)^ N U iwUlai>l(D«0
10' 10-
TIME FROM START OF INCIDENT - SEC
FIGURE 5.5i
CONNECTICUT YANKEE CONTAINMENT PRESSURE TRANSIENT

System Containment Page 1
Subsystem Containment Cooling
Assembly Air Recirculation Unit
Function Provide containment atmosphere heat sink for containment p r e s s u r e relief following loss-of-coolant accident.
Likeli- B AxB
hood Remarks
Component Cause(s) Safety Over-
Component Component Failure Effect on Effect on (Dependence on redundancy,
(No / Sig- all
ID No Name Function(s) MQde(s) of Failure Subsystem System environmental factors,
10^ nifi- [mpor
Hrs ) tance corrective actions)
cance
10 Incident Flow Directs air flow to Damper fails Spring failure. Incident flow path No filtration of Full flow available to cooling
Inlet Damper filter banks closed. unavailable for containment a t m o s - coils via norinal inlet d a m p e r s .
containment cool- phere.
ing.
11 Moisture Removes moisture Clogged Excess nnoisture and P a r t i a l or total Containment Manual r e v e r s a l of damper
Separator from a i r r e c i r c u - particulate matter loss of contain- overpressure positions reestablishes full
lated via incident m flow ment cooling (see rem,ark). containment cooling effectiveness.
flow path (see r e m a r k ) .
12 Particulate Removes particu- Clogged. Excess moisture and P a r t i a l or total Containment over- Manual r e v e r s a l of damper
Filter late matter from particulate matter m loss of contain- p r e s s u r e (see positions reestablishes full con-
air recirculated flow. ment cooling remark). tainment cooling effectiveness
via incident flow (see remark)
path.
13 Charcoal Removes iodines Clogged. Excess moisture and P a r t i a l or total Containnnent over- Manual r e v e r s a l of damper
Filters from incident particulate matter m loss of contain- p r e s s u r e (see positions reestablishes full con-
flow flow. ment cooling remark). tainment cooling effectiveness
(see r e m a r k ) .
15 Normal Flow Directs air flow to Fail to open Damper m.otor P a r t i a l loss of Containment over-
Inlet Dannper cooling coils failure. containment p r e s s u r e if m o r e
cooling if incident than one unit
damper not open. fails as specified
14 Dan:iper P o s i - Switch flow from Fail to actuate. Switch failure, P a r t i a l loss of Containment over-
tion Reversal incident to normal operator e r r o r . containment cool- p r e s s u r e if nnore
Switch path ing if incident than one unit
damper not open fails as specified.
16 Cooling Coils Cool recirculation Fail to cool Service water systen-i Loss of p r e s s u r e Containment over-
flow failure, coil rupture. control capa- p r e s s u r e if m o r e
bility. than one unit fails
17 Fan Provides driving Stopped Motor failure, Loss of p r e s s u r e Containnaent over-
force for flow. coupling failure. control capa- p r e s s u r e if nnore
bility. than one unit fails.
18 Fan Motor Drives fan. Stopped. Loss of power. Loss of p r e s s u r e Containment over-
control capa- p r e s s u r e if m o r e
bility than one unit fails.
FIGURE 3. 34 A
FAILURE MODE AND E F F E C T ANALYSIS

CONNECTICUT YANKEE - CONTAINMENT SPRAY SYSTEM
System Containment Page i of 2.
Subsystem Containnnent Cooling
Assennbly Containment Spray System
Function Provide containment atmosphere heat sink for containnnent p r e s s u r e relief following loss-of-coolant accident.
Likeli- B AxB
Remarks
hood Safety Over-
Component Connponent Component Failure Cause(s) Effect on Effect on (Dependence on redundancy,
(No / Sig- all
ID No Name Function(s) Mode(s) of Failure Subsystem System nifi- Empor environmental factors,
10^
50 Refueling Water Coolant water Burst. Seismic disturbance Loss of tank Loss of contain- Requires loss of air recirculation
Storage Tank storage. coolant supply. nnent p r e s s u r e system, and containment sump
control if air recir- water supply to beconne significant
culation system
has failed.
Leak badly. Corrosion,
51,52 Refueling Water Refueling water F a i l to open. Motor failure, Loss of tank Loss of contain- Requires loss of a i r recirculation
Storage Tank storage tank operator e r r o r . coolant supply. ment p r e s s u r e system and containnnent sump
and Tank Lme isolation. Valve binding due to control if air r e c i r water supply to become significant
Block Valves corrosion. culation system
(motor operated) has failed.
53 Refueling Water Prevent back flow Fail closed. Valve binding due Loss of tank Loss of contain- Requires loss of air recirculation
Storage Tank to storage tank. to corrosion. coolant supply. ment p r e s s u r e system and containnnent sump
Line Check Valve control if air r e c i r - water supply to become significant,
culation system
has failed.
54 Containnnent Containment sunnp Fail closed. Motor failure, Loss of contain- Loss of contain- Requires loss of air recirculation
Sump Line Block isolation. operator e r r o r . ment sump coolant ment p r e s s u r e system to become significant.
Valve (motor Valve binding due supply. control if air recir-
operated) to corrosion. culation system
has failed.
55 Containment Prevent back flow Fail closed. Valve binding due Loss of contain- Loss of contain- Requires loss of air recirculation
Sunnp Line Check to containnnent to corrosion. ment sump coolant ment p r e s s u r e system to become significant.
Valve sump. supply. control if air r e c i r -
culation system
has failed.
56,58,59,61 Residual Heat pumps and heat F a i l closed. Operator e r r o r . Loss of spray Loss of contain- Requires valve failure on each
62.65,66,69 Removal Pumps exchangers isola- coolant flow. ment p r e s s u r e redundant path to become
and Residual tion control if air recir- significant.
Heat Exchangers culation system
Inlet and Outlet has failed.
Valves (locked
open)
FIGURE 3.34B

CONNECTICUT YANKEE - AIR RECIRCULATION UNIT
System Containnnent Page 2 of 2
Subsystem Containment Cooling
Assembly Containment Spray Systenn
Function Provide containment atmosphere heat sink for containnnent p r e s s u r e relief following loss-of-coolant accident.
Likeli- B AxB
(No / Sig- all
ID No Name Function(s) Mode(s) of Failure Subsystem System environmental factors,
10^ nifi- Impor
corrective actions)
Hrs ) cance tance
57, 60 Residual Heat Punnp spray systenr Fail to continue Motor failure, Loss of spray Loss of contain- Requires loss of air r e c i r c u l a -
Removal Pumps flow during running. bearings seized coolant flow. nnent p r e s s u r e tion systenn to become significant
accident. control if air r e - Both pumps must fail to beconne
circulation system significant.
has failed.
64, 68 Residual Heat Prevent backflow Fail closed. Valve binding due to Loss of spray Loss of contain- Both valves must fail to become
Rennoval Pump to pumps. corrosion. coolant flow. ment p r e s s u r e significant.
Check Valves control if air r e -
circulation system
has failed.
54 Containnnent Containment sunnp Fail closed. Motor failure, Loss of contain- Spray water supply
Sunnp Block isolation. operator e r r o r . ment sump cool-
Valve ant supply.
55 Containment Prevent backflow Fail closed. Loss of contain- Spray water supply
Sunnp Check to containnnent ment sump cool-
Valve sump. ant supply.
70 Containment Prevent backflow Fail closed.
Spray Inlet Line in inlet line.
Check Valve
71 Containnnent Containment spray Fail closed. Motor failure,
Spray Inlet Line header ring isola- operator e r r o r .
Block Valve tion.
72 Reactor Vessel Reactor vessel Fail open. Motor failure,
Head Block head isolation. operator e r r o r .
Valve
FIGURE 3.34B (continued)

REFUELING
WATER
TANK
LOOP C
- REMOTE
•ÔVl MANUAL
883 y SWITCH
^ ^ NORMALLY O P E N
^M NORMALLY CLOSED
CONTAINMENT
SUMP
FIGURE 3.35
SCHEMATIC OF SAN ONOFRE SAFETY INJECTION SYSTEM
3-167
220 KV
MAIN TRANbtORMCH ciJLu

• KV
nrrn
A U X I U A R Y THANt>rohMER OLLU AUX1UIAH1 IRAN^fOHMKK
41«0 V
•JS«,
J IICII
^3
t J U U U S FA riON SERVICE
5 i 'Trp rtTTi TRANSroRMCR NO.
S \s'
j^_
as
U
a
FIGURE 3.36
ELECTRICAL POWER TO SAFETY INJECTION SYSTEM - SAN ONOFRE
3-168
System Reactor Cooling Page 1 of _
Subsystem Safety Injection
Assembly Injection and Recirculation Equipment
Function To provide emergency core cooling with loss or leakage of reactor
coolant and to provide secondary means of nuclear shutdown.
Likeli- B AxB
Component Connponent Component Failure Cause(s) Effect on Effect on (Dependence on redundancy,
(No / Sig all
ID No. Name Function(s) Mode(s) of Failure Subsystem System environnnental factors,
10^ nifi Impor-
tance
Refueling Water Contains 240. 000 Large leak Disaster causes tank No water for safety No emergency core
Tank gallons borated to crack. injection. cooling available.
water.
Safety Injection Combine flow fronn Rupture. Corrosion, accident. No safety injection No ennergency core Test by flow.
Header safety injection cooling available
trains and d i s t r i -
bute to three
coolant loops.
MOV-850A. Safety Injection Direct safety injec- Fail to open, Stuck from corrosion; Failure if two Possible core Exercise periodically.
850B, Loop Valves tion to three failed motor. valves fail. melting with loss
850C coolant loops. of coolant.
Mam Trans - 220 Kv/18 Kv Cease to operate. F i r e in transformer, No direct power to No effect a s long
former open windings. 4160 voltBuses as there is power
l A a n d IB. to 4160 volt Buses
IC and.26
Auxiliary T r a n s - 18 Kv/4160 volt Cease to operate. F i r e in transformer, No direct power to No effect as long
fornners AandB Buses l A and IB open windings. 4160 volt Buses as there is power
l A a n d IB to 4160 volt Buses
IC and 2C
Auxiliary T r a n s - 138 Kv/4160 volt Cease to operate. F i r e in transformer, No direct pow^ ô No effect if there
former C Buses IC and 2C. open windings. 4160 volt Buses IS power to Buses
IC and 2C IC and 2C through
the main trans -
former and Buses
lA and/or I B .
CB-11A04, Circuit Breakers Connect power to Fail to close and Broken p a r t s , No direct power to If ties work, there
11B04, 4160 volt Buses stay closed. overcurrent. corresponding a r e alternate
11C02, lA. IB, IC. and 4160 volt bus. sources of power
12C02 2C. to each bus.
T B - l l C l l , Tie Breakers Tie 4160 volt buses Fail to close. Broken p a r t s , No tie between Reduced redun-
12C11, together. overcurrent buses if backup dancy in power.
llCOl, needed.
12C01

(1) Negligible (3) Intermediate
FIGURE 3.37

SAN ONOFRE - SAFETY INJECTION SYSTEM
System R e a c t o r Cooling P a g e _2 of 5_
Subsystem Safety I n j e c t i o n
Assennbly Injection and Recirculation Equipment
Function T o p r o v i d e e m e r g e n c y c o r e c o o l i n g w i t h l o s s o r l e a k a g e of r e a c t o r
c o o l a n t a n d t o p r o v i d e s e c o n d a r y m e a n s of n u c l e a r s h u t d o w n .
Likeli- B AxB
Rennarks
hood Safety O v e r -
Connponent Connponent Connponent Failure Cause(s) E f f e c t on E f f e c t on ( D e p e n d e n c e on r e d u n d a n c y ,
(No / Sig- all
ID No. Nanne Function(s) Mode(s) >f F a i l u r e Subsystem System environmental factors,
10^ n i f i - Innpor'
corrective actions)
Hrs ) tance
SST 1 , 2 , 3 Station Service 4160 v o l t / 4 8 0 volt. C e a s e to o p e r a t e Open windings,fire N o p o w e r to c o r r e s - R e d u c e d r e d u n -

Transformers p o n d i n g 480 v o l t dancy
bus.
CB-llClO, Circuit Breakers Connect power F a i l to c l o s e . Broken parts, Prevent direct Reduced redun-
12C10, f r o m 4160 volt overcurrent. p o w e r t o 480 v o l t dancy.
1102, b u s e s t o 480 v o l t buses.
1202, buses
1303
TB-1103. Tie B r e a k e r s T i e 480 v o l t B u s e s F a i l to c l o s e Broken parts, No tie between Reduced redun-
1203 1 and 2 to Bus 3 . overcurrent. b u s e s so no backup dancy
when needed.
G50A, Safety Injection Inject borated F a i l to s t a r t . C o n t a c t o r s f a i l to L o s s of o n e s a f e t y No e m e r g e n c y
G50B Pumps w a t e r into c o r e c l o s e , b r u s h e s fail i n j e c t i o n t r a i n for c o r e c o o l i n g if
f o l l o w i n g l o s s of e a c h punnp f a i l e d . both, t r a i n s f a i l ,
F a i l to continue Motor failure,
coolant accident possible core melt
operating. bearing seized
G-3A, Fpedwater Pumps A s s i s t in injecting F a i l to o p e r a t e Motor failure, L o s s of o n e s a f e t y No e m e r g e n c y c o r e
G-3B b o r a t e d w a t e r into bearing seized. injection t r a i n for c o o l i n g i£ b o t h
each pump failed t r a i n s fail, possible
core melt.
MOV-851A, Motor - O p e r a t e d O p e n to d i r e c t F a i l to open. Stuckfronn corrosion, N o flow t h r o u g h No ennergency c o r e Exercise periodically.
851B, Valves flow a l o n g s a f e t y failed m o t o r . one o r both p u m p - c o o l i n g if b o t h
8 5 3A, i n j e c t i o n punnping ing t r a i n s . t r a i n s fail, p o s s i b l e
853B trains. core melt.
MOV-852A, M o t o r - O p e r a t e d C l o s e to s t o p flow F a i l to c l o s e . Stuck from c o r r o s i o n ; Interlock prevents No e m e r g e n c y c o r e Ebcercise p e r i o d i c a l l y .
852B, Valve s. from h e a t e r s . failed m o t o r flow t h r o u g h c o o l i n g if hotki
8 54 A, corresponding t r a i n s fail, p o s s i b l e
854B safety injection core melt
train
Interlocks A and P r e v e n t MOV-851 F a i l to l e t MOV-851 Blocked Safety No e m e r g e n c y c o r e Test periodically.
B A or B from open- A or B open a f t e r Injection T r a m A c o o l i n g if b o t h
ing until MOV-854 MOV-854 A or B or B. t r a i n s fail, possible
A Or B c l o s e s have closed c o r e nnelt.
respectively.

System Reactor Cooling Page 3 of
Subsystenn Safety Injection
Function To provide emergency core cooling with loss or leakage of reactor
coolant and to provide secondary means of nuclear shutdown.
Likeli- B AxB
hood Safety Rennarks
Over-
Component Connponent Component Failure Cause(s) Effect on Effect on (Dependence on redundancy.
(No / Sig- all
ID No. Name Function(s) Mode(s) of Failure 106 Subsystem System nifi- Impor environmental factors,
CV-36, Control Valves To cut off flow Fail to close. Stuck fronn c o r r o s i o n , Drain part of water None unless a c c i - 1 Exercise periodically.
37, from feedwater from flow to c o r e . dent requires full
875A, pumps to condenser capacity of safety
875B hotwell and r e c i r c u - injection systenn.
lation back to refuel-
ing water tank
Recirculation Combine flow from Rupture Corrosion, accident. No recirculation No decay heat 4 Test by flow.
Header charging pumps and removal
refuel pumps and
distribute to three
coolant loops.
FCV-1115D, Flow Control Direct r e c i r c u l a - Fail to open. Stuck from corrosion. Block recirculation If flow to two loops 3 Exercise periodically
1115E, Motor -Ope rated tion to three to one or m o r e 18 blocked, no
1115F Valves coolant loops. Loops. effective decay
MOV-3 5 6. heat removal.
357,
358
Containment Collect spilled Fail to hold spilled Natural d i s a s t e r . No water for No decay heat 4
itump water for r e c i r c u - water. recirculation. removal
lation.
Recirculation Cool recirculation Rupture and leak. Corrosion, accident. Inadequate coolmg Inadequate decay 3 Check periodically for leaks.
Heat Exchanger water fronn sump. of water heat removal.
MOV-883 Motor-Operated To stop flow from Fail to close Motor failure, stuck Uncertain, assume Assume system 2 Install check valve (wîch is
Valve refueling water tank from corrosion. loss of r e c i r c u l a - failure actually the case) though not
to refuel and charge tion. considered in this analysis.
punnps and prevent
flow of r e c i r c u l a -
tion water back
into tank
Remote Manual Actuate MOV-883 Fail to connect. Poor contacts. Uncertain, a s s u m e Assume system 2 Test periodically.
Switch broken line. loss of r e c i r c u l a - failure.
tion.

System Reactor Cooling Page 4 of 5
Function To provide ennergency core cooling with loss or leakage of reactor
coolant and to provide secondary nneans of nuclear shutdown.
Likeli- B AxB
hood Rennarks
Component Safety Over-
Component Connponent Failure Cause(s) Effect on Effect on (Dependence on redundancy.
(No / Sig- all
ID No. Nanne Function(s) Mode(s) of Failure io6 Subsystem System nifi- Innpor environmental factors,
G-8A. Charging Pumps Punnp r e c i r c u l a - Fail to s t a r t , fail Contactors fail to Reduced r e c i r c u l a - If refuel pumps 2 Monitor frequently.
8B tion water to to continue close, brushes fail, tion continue to operate,
coolant loops. opera tmg motor failure, no effect
bearing seized.
MOV- Motor-Operated Open to allow flow Fail to open. Stuck from corrosion, Charge pumps out Reduced decay 2 Exercise periodically
llOOB Valve to charging pumps. nnotor failed. of operation if both heat removal
HOOD valves fail. reliability.
CV-81, Control Valves Refuel water Fail to open Stuck fronn corrosion. No flow from Reduced decay 2 Exercise periodically
112 pumps discharge corresponding heat removal
valves. refuel water pump. reliability.
G-27. Refueling Water Share r e c i r c u l a - Fail to s t a r t . Contactors fail to Reduced redun- Reduced decay 2 Test periodically.
27S Pumps tion duty with close, brushes fail. dancy in r e c i r c u l a - heat rennoval
charging punnps. tion reliability.
F a i l to continue Motor failure,
operating. bearings seized.
MOV-880 Motor-Operated Directs flow from Fail to open Same as other valves. No flow to r e c i r c u - Reduced decay 3 Exercise periodically
Valve refueling water lation through heat removal
punnps to recircula refuel pump. reliability.
tion header.
Manual Start Start recirculation Fail to actuate. Relay failure No pumping fronn No recirculation, 4 Test periodically.
pumps. operator e r r o r . sump. no decay heat
removal.
G-45A Recirculation Pump spilled water Fail to s t a r t . Contactors fail to No recirculation. No decay heat 4 Test periodically.
45 B Punnp from sump through close, brushes fail. removal.
recirculation Fail to operate. Motor failure,
system. bearing seized.
MOV-866A, Motor-Operated Recirculation Fail to open. Stuck by corrosion. Block flow fronn No recirculation. 4 Exercise periodically.
866B Valves pump discharge sump no decay heat
valves. rennoval.
LS 1.2,3 Level Sensors Sense low p r e s - Fail to sense 2 out Disconnected cable. No actuation of No emergency core 4 Monitor frequently
surizer water of 3, safety injection cooling, possible
level. system. melt.
1 - ^ ~ — -1 — 1

Systenn Reactor Cooling Page
Function To provide ennergency core cooling with loss or leakage of reactor
coolant and to provide secondary nneans of nuclear shutdown
Likeli- B AxB
hood Safety Over Remarks
Connponent Component Connponent Failure Cause(s) Effect on Effect on (Dependence on redundancy,
(No / Sig all
ID No Name Function(s) Mode(s) of Failure Subsystem System environnnental factors,
10^ nifi Innpor-
Hrs ) tance corrective actions)
PS 1,2.3 P r e s s u r e Sensors Sense low p r e s - Fail to sense 2 out Disconnected cable. No actuation of No ennergency core Monitor frequently.
surizer p r e s s u r e of 3 safety injection cooling, possible
systenn. melt
Automatic Upon signal from Fail to trip Relay failure. No safety injection No ennergency core Test periodically.
Actuate of Safety sensors actuate if nnanual fails. cooling if nnanual
Injection System safety injection actuate also fails.
system
Manual Actuate. If autonnatic fails, Operator e r r o r No safety injection No emergency core Test periodically.
perfornn its func- relay failure. cooling, possible
tion melt
U>
00

270
260 450
CONDENSER
HOTWELL
VALVE
370 START
CV-36
857 300 380 OPERATE 390 400 410 420 430 440
TB SAFETY FEEDWATER FEEDWATER HEATER HEATER FEEDWATER
MANUAL INJECTION INLET PUMP _J OUTLET INLET _ DISCHARGE
ACTUATE i2cn — PUMP VALVE G-3A VALVE VALVE VALVE
SIS G-50A 853A 854A 852A 851A
(E1
460
FEEDWATER
250 310 330 340 RECIRCU-
LATION
AUX TB TB VALVE
MAIN - TRANS CV875A
TRANS 11804 12001
B
850 851 853 851
LEVEL LEVEL PRESSURE PRESSURE 4160 VOLT BUS 2C
SENSOR — SENSOR -] - SENSOR SENSOR
I 2 1 2
10 850 SD2 853 855 856
REFUELING LEVEL LEVEL PRESSURE PRESSURE AUTOMATIC

WATER SENSOR SENSOR SENSOR SENSOR ACTUATE
TANK 1 3 1 3
851 852 280

85i; 855
LEVEL LEVEL PRESSURE PRESSURE
SENSOR — SENSOR - — SENSOR SENSOR
2 3 2 3
260
550
CONDENSER
HOTWELL
VALVE
300 CV-37
470 START
TB 480 OPERATE 490 500 510 520 530 540
12CI1 SAFETY FEEDWATER HEATER HEATER FEEDWATER INTERLOCK
FEEDWATER
— INJECTION INLET PUMP OUTLET INLET f—l DISCHARGE!—
PUMP VALVE VALVE VALVE VALVE B
G-50B 853B G3B 854B 852B 851B
560
250
FEEDWATER
320 350 360 RECIRCU-
LATION
AUX CB TB VALVE
MAIN TRANS CV875B
TRANS I1A04 llCOl
4160 VOLT BUS 1C

FIGURE 3.38

SAFETY INJECTION SYSTEM
3-174
250 320 350 360
J MAIN LJ AUX LJ TB J CB 1
1 TRANS ri TRANS r 11C01 nA04
A 1 CArv
yov
cf\r\ cOA
280 STATION
[H SERVICE -\
CB
—\
CB I
TRANS ncio 1102 1
J CB 1 1
1 11C02 1
260 270 300 290

J
-\
AUX
TRANS L-L
J CB 1 J TB 1
1 12C02 r1 12C11 r
J ^^ U
C 1 ncn 1
30 to
S.I. LOOP S.I.LOOP 270 300 570 6W 650
VALVE — VALVE
850A 850B J CB 1 J TB 1 J STATION
SERVICE L .
CB TB
r] 1103 1
!•
1 12C02 1 1 i2cn 1 1 TRANS

3
P 1303
30 50 DU /u ou
REMOTE
S.I.LOOP S.I.LOOP MANUAL VALVE AT RECIRCU-
— VALVE - — SWITCH REFUEL. TK — LATION
VALVE 480 VOLT BUS # 1 FOR HEADER
850A 850C MOV-883 MOV-883
tc) 50
S.I.LOOP S.I.L0OP
B C
VALVE 1 VALVE
8^0B 850C
ZbO 310 330 3H0
J MAIN 1 J AUX
TRANS L
1
J ^11804
^ L 11
TB 1
I2C01 j
i TRANS r B
DOU DIU 030
270 STATION CB CB [_
SERVICE [-
[— TRANS
12C10 1202 1
J CB 1 1 ^
u
260 280 290 300
AUX
TRANS UJ
c n
1 CB 1
1 11C02
J ^^1
J TB 1
1 i2cn 1
1 ncn
280 290 570 mo 660
1 CB 1J TB
1 nco2 ["1 ncn
STATION
_J SERVICE 1
- i TRANS
J1 ^1303
h
^ I I
TB
1203
1^ 1
480 VOLT BUS # 2 FIGURE 3.38 (continued)
250 320 350 360
MAIN
TRANS
600 590 620

CB STATION CB
SERVICE
IICIO TRANS 1102
1
680 START
700 OPERATE 720
260 RECIRC. RECIRC.
PUMP PUMP
DISCH.
AUX 645A VALVE
— TRANS M0V-866A
120 130 C
no mo
FCV1115D MOV-356 FCVin5E MOV-357
RECIRC. RECIRC. RECIRC. RECIRC
LOOP LOOP LOOP LOOP 270 300 570 640 650
A A B B
CB TB STATION CB TB
SERVICE
12C02 12C11 TRANS 1303 1103
3
no 120 150 160
FCVin5D MOV-356 FCVin5F MOV-358 480 VOLT BUS 1
RECIRC. RECIRC. RECIRC. RECIRC.
dy LOOP LOOP LOOP LOOP
A A C C
130 140 150 160

FCVmSE M0V357 FCVni5F M0V358
RECIRC. RECIRC RECIRC. RECIRC
LOOP LOOP LOOP LOOP 330 340
6 B C C
CB TB
11B04 12C01
610 580 630
270 CB STATION CB
SERVICE
12C10 TRANS 1202
2
690 START
710 OPERATE 730
280 290 300 RECIRC
RECIRC. PUMP
CB TB TB PUMP DISCH.
6t(5B VALVE
nco2 iicn 12C11 M0V-866B
280 290 570

CB TB STATION
_J SERVICE
nco2 ncn TRANS
FIGURE 3. 38 (continued) 480 VOLT BUS 2

250 320 350 360
MAIN AUX CB TB
TRANS h-1 TRANS
A nA04 11 COI
600 590 620
CB STATION CB
SERVICE
ncio TRANS 1102
1
740 START
750 OPERATE 780
260 270 300 290 REFUELING DISCHARGE
WATER VALVE
AUX CB TB TB PUMP
TRANS G-27 CV-81
C 12C02 12Cn ncn
270 300 570 640 650

CB TB STATION CB TB
— SERVICE
12C02 i2cn TRANS 1303 1103
3
®- 480 VOLT BUS 1
630
CB
1202
760 START
770 OPERATE 790
REFUELING D SCHARGE
WATER — VALVE
PUMP
6-275 cv-n2
480 VOLT BUS 2 FIGURE 3 . 3 8 (continued)
3-ni
270 290 300
CB TB TB
12C02 ncn i2cn
250 320 350 360
MAIN AUX CB TB
TRANS TRANS
A HAW 11 COI
4160 VOLT BUS 1C
270
260
840 START
280 290 300 849 OPERATE
CB TB TB CHARGING
MPUMP
nco2 ncn i2cn G-8B
250 310 330 340
MAIN AUX CB TB
TRANS TRANS
B 11604 12C01
4160 VOLT BUS 2C

a-iT^
APPENDIX A
PRESENT DATA COLLECTION PRACTICES IN

OPERATING NUCLEAR POWER PLANTS
APPENDIX A
P R E S E N T DATA COLLECTION PRACTICES IN

OPERATING NUCLEAR POWER PLANTS
Data management at five operating nuclear power plants in the United

States has been reviewed to d e t e r m i n e the applicability of c u r r e n t
in-plant f o r m s and p r o c e d u r e s to the generation of r e l i a b i l i t y data. The
plants included w e r e :
1. D r e s d e n Nuclear Power Station Unit No, 1.

2. Yankee Atomic P o w e r Station.
3. Indian Point Station.
4. Humboldt Bay Unit No. 3.
5. Shippingport Atomic P o w e r Station.
As indicated in the following d i s c u s s i o n , much of the in-plant information

n e c e s s a r y for reliability data is now being collected and r e c o r d e d .
F u r t h e r m o r e , f o r m a t s closely paralleling the failure event f o r m
suggested in this study a r e now in u s e . The remaining r e q u i r e m e n t s
for adapting p r e s e n t data m a n a g e m e n t p r a c t i c e s to r e l i a b i l i t y data
generation a r e minor modifications and use of one or, at m o s t , two
existing f o r m s for the b a s i c r e l i a b i l i t y data input and specification of
p r o c e d u r e s which a s s u r e c o n s i s t e n t , total adherence to conapletion of
these f o r m s .
DRESDEN NUCLEAR POWER STATION
Operating and Outage S u m m a r y R e p o r t s
Monthly Operating R e p o r t s - Each month data f r o m the preceding logs

and r e p o r t s , as well as v a r i o u s p r o c e s s data s h e e t s , a r e used to p r e -
p a r e a s u m m a r y of o p e r a t i o n s . P r e p a r a t i o n of this monthly r e p o r t
includes inputs from the c h e m i s t r y , t h e r m a l , and nuclear e n g i n e e r s on
the technical staff as well as maintenance s u m m a r i e s by the m e c h a n i c a l ,
e l e c t r i c a l , and i n s t r u m e n t maintenance g r o u p s . E m p h a s i s is given to
r e p o r t i n g and evaluation of plant and r e a c t o r p e r f o r m a n c e during both
n o r m a l operation and t e s t s and includes a d a y - b y - d a y listing of significant
e v e n t s . P l a n t radiation protection, including radwaste i n v e n t o r i e s , and
plant c h e m i s t r y data a r e p r e s e n t e d in s e p a r a t e sections of the r e p o r t .
A-1
Outage R e p o r t s - These a r e special r e p o r t s detailing work p e r f o r m e d
and r e s u l t s of t e s t s made during extended outages such as refuelings. They
a r e w r i t t e n by the plant engineering staff.
Annual R e p o r t s - Subsequent to the first year of operation after r a t e d

power t e s t s , the D r e s d e n staff h a s p r e p a r e d annual r e p o r t s for the A E C .
These r e p o r t s , as did the q u a r t e r l y r e p o r t s in the f i r s t year of operation,
d e s c r i b e operating experience pertinent to nuclear safety and changes in
facility design, p e r f o r m a n c e c h a r a c t e r i s t i c s , and operating p r o c e d u r e s
during the r e p o r t i n g period.
F a i l u r e R e p o r t s and Maintenance Requests
Maintenance Requests - Dresden u s e s a s y s t e m of "maintenance r e q u e s t s "

to define work to be done on plant components and to provide a d m i n i s t r a t i v e
control of such work. These maintenance r e q u e s t s reflect w o r k perfornaed
on all plant equipment except during outages at which time they a r e
supplanted by outage s c h e d u l e s .
Equipment Maintenance F i l e s - Two s e p a r a t e files exist on equipment

m a i n t e n a n c e , one on i n s t r u m e n t maintenance and the other on m e c h a n i c a l
and e l e c t r i c a l m a i n t e n a n c e . These files r e p r e s e n t an organized r e c o r d
of work p e r f o r m e d on specific p i e c e s of equipment. They a r e p r i m a r i l y
derived from maintenance r e q u e s t c o m p l e t i o n s .
Maintenance r e q u i r e m e n t s a r i s i n g during t e s t s and checking operation,

or during n o r m a l operation, a r e r e c o r d e d and t r a n s m i t t e d by maintenance
work r e q u e s t s . As shown in F i g u r e A, 1, these r e q u e s t s m a y be
originated by anyone on the station staff. Most frequently they a r e
w r i t t e n by the r e a c t o r o p e r a t o r s or the shift e n g i n e e r s . Few work
r e q u e s t s originate in the maintenance staff. Following the flow shown
in F i g u r e A . l , work r e q u e s t s a r e w r i t t e n in quadruplicate and submitted
to the shift engineer who forwards those r e q u e s t s r e q u i r i n g action to
the station operating e n g i n e e r s for authorization. The station operating
e n g i n e e r s authorize the r e q u e s t s and indicate action to be taken including
a s s i g n m e n t to e l e c t r i c a l , m e c h a n i c a l , or i n s t r u m e n t maintenance
g r o u p s . Since the station maintenance engineer m a y not be p r e s e n t at
D r e s d e n on a continuous b a s i s due to sinailar c o m i n i t m e n t s at other
power s t a t i o n s , the m a s t e r mechanic d i r e c t s action on all m e c h a n i c a l
and e l e c t r i c a l work r e q u e s t s at D r e s d e n . I n s t r u m e n t maintenance is
p e r f o r m e d by the i n s t r u m e n t m e c h a n i c s under the e l e c t r i c a l station
operating e n g i n e e r ' s d i r e c t i o n . Action on a work r e q u e s t m a y be
d e f e r r e d , when p o s s i b l e , to the next major outage when it is scheduled
with other maintenance a c t i v i t i e s .
A-2
Upon completion of the r e q u i r e d m a i n t e n a n c e , the four copies of the
w o r k r e q u e s t s a r e signed and dated by the r e s p o n s i b l e m e c h a n i c . Unusual
maintenance r e q u i r e m e n t s m a y be noted on the work r e q u e s t ; however,
n o r m a l l y only the date of completion is noted. Completed work r e q u e s t s
a r e distributed to the shift e n g i n e e r , the m a s t e r m e c h a n i c , and the
a p p r o p r i a t e station operating e n g i n e e r . The operating e n g i n e e r s and
m a s t e r mechanic maintain files of the completed r e q u e s t s by number
and y e a r .
YANKEE ATOMIC POWER STATION
Operation Report - This r e p o r t p r e s e n t s a s u m m a r y of g e n e r a l operations

including the status of construction and nonoperating activities such as
r e c e i p t and shipment of fuel. Only m a j o r maintenance activities a r e
r e p o r t e d ; and, in g e n e r a l , this information r e p r e s e n t s some e n l a r g e m e n t
on s i m i l a r information in the weekly r e p o r t s . S u m m a r y data includes
plant c h e m i s t r y ; turbine plant p e r f o r m a n c e ; r e a c t o r plant p e r f o r m a n c e ;
radiation exposure and radioactivity r e l e a s e ; and in-plant training a c t i v i t i e s ,
p r i m a r i l y for sponsor company technical p e r s o n n e l . Other information
included in the operation r e p o r t on an a s - a v a i l a b l e b a s i s a r e special
r e p o r t s on r e a c t o r p e r f o r m a n c e t e s t s and s u m m a r i e s of scheduled and
unscheduled plant shutdowns.
A b n o r m a l O c c u r r e n c e R e p o r t s - These r e p o r t s provide d e s c r i p t i o n s ,
a n a l y s e s , and c o r r e c t i v e actions taken for a b n o r m a l or unusual events
which a r e of significance in plant o p e r a t i o n s . Many of the events
included have been r e p o r t e d to the AEC under r e a c t o r operating license
r e q u i r e m e n t s , but this r e c o r d is not r e s t r i c t e d to r e p o r t a b l e i n c i d e n t s .
E x a m p l e s of a b n o r m a l o c c u r r e n c e s a r e control rod malfunctions,
p r i m a r y coolant leaks or s p i l l s , and turbine throttle valve malfunctions.
F a i l u r e R e p o r t s and Maintenance R e q u e s t s î
Maintenance Requests - Equipment deficiencies or malfunctions noted

by plant p e r s o n n e l are r e p o r t e d on maintenance r e q u e s t s . These
r e q u e s t s a r e provided with spaces for equipment identification,
d e s c r i p t i o n of defect, work to be done, m a t e r i a l s used, work done,
and the n a m e s and dates a s s o c i a t e d with each of the preceding i t e m s .
C o r r e c t i v e maintenance is implemented p r i m a r i l y by use of maintenance

r e q u e s t s and to a l e s s e r extent by inspection activities a s s o c i a t e d with
A-3
outage s c h e d u l e s . The flow of maintenance r e q u e s t s is i l l u s t r a t e d in
F i g u r e A. 2, and a blank r e q u e s t f o r m is shown in F i g u r e A^ 3. Most
maintenance r e q u e s t s a r e w r i t t e n by the shift s u p e r v i s o r s ; however,
all plant p e r s o n n e l m a y initiate such r e q u e s t s . The r e q u e s t s a r e used
p r i m a r i l y as a tool to initiate and control maintenance work. Their
value as a h i s t o r i c a l r e c o r d is limited to information t r a n s f e r r e d frona
the r e q u e s t s to equipment h i s t o r y c a r d s . The r e q u e s t s a r e ultimately
r e t u r n e d to the originator who g e n e r a l l y disposes of t h e m . The r e q u e s t s
also a r e used by the maintenance s u p e r v i s o r s as a guide to maintenance
work loads, both past and p r e s e n t .
Equipment History File - Repair and p a r t s r e p l a c e m e n t for all plant

m e c h a n i c a l and e l e c t r i c a l equipment, except i n s t r u m e n t a t i o n , is
r e c o r d e d in a c a r d file maintained by the a d m i n i s t r a t i v e a s s i s t a n t .
The file is indexed according to the p a r a g r a p h numbering e s t a b l i s h e d
in the F i n a l Hazard S u m m a r y R e p o r t . The maintenance information is
obtained from completed maintenance r e q u e s t s and, as a r e s u l t , is
dependent on the c o m p l e t e n e s s of information in naaintenance r e q u e s t s
and the c o r r e c t handling of the r e q u e s t s . The c o m p l e t e n e s s of informa-
tion contained on these c a r d s has improved with t i m e when conapared to
information in other plant r e c o r d s such as the r e a c t o r log and weekly
report.
I n s t r u m e n t Maintenance File - R e c o r d s of p a r t s r e p l a c e m e n t or r e p a i r
in components of the i n s t r u m e n t a t i o n s y s t e m a r e maintained in a c a r d
file by the control engineering d e p a r t m e n t . Information included
on the c a r d s indentifies the i n s t r u m e n t , the date of each m a i n t e n a n c e ,
and the p a r t r e p l a c e d or r e p a i r p e r f o r m e d . Information is r e c o r d e d on
the c a r d s by the control engineer or technical a s s i s t a n t s . The m a i n t e -
nance file r e c o r d s a r e augmented by special s u m m a r i e s of significant
maintenance activities p r e p a r e d by the control engineer as time allows.
INDIAN POINT STATION
Monthly Report - This r e p o r t contains a s u m m a r y of plant p e r f o r m a n c e

data, major e v e n t s , and significant health physics data for company
m a n a g e m e n t . These r e p o r t s a r e p r e p a r e d by the production staff and
approved by the g e n e r a l superintendent. They s e r v e as one input for
semiannual r e p o r t s .
A-4
Semiannual Report - Plant operations (including shutdowns and unusual
operating conditions), test r e s u l t s , maintenance and design c h a n g e s , r a d i o -
c h e m i s t r y data, and health physics s t a t i s t i c s a r e sunamarized each six
months. The r e p o r t is p r e p a r e d by Consolidated Edison for the AEC
in accordance with r e q u i r e m e n t s in the P r o v i s i o n a l Operating L i c e n s e .
Outage Report - Significant testing and maintenance p e r f o r m e d during

major outages a r e s u m m a r i z e d subsequent to the outage. Important
safety information includes r e p a i r and r e p l a c e m e n t data on safety s y s t e m
and safeguard conaponents which m a y not be r e c o r d e d e l s e w h e r e .
Unit H i s t o r y - A continuous s t a t i s t i c a l h i s t o r y of operations is maintained

in t e r m s of major unit availability, outage c a u s e s , and protective s y s t e m
t r i p s . This r e c o r d is developed from operating logs by the production
operating staff.
F a i l u r e R e p o r t s and Maintenance R e q u e s t s
Maintenance M e m o r a n d a (MM) - These m e m o s or work r e q u e s t s , a copy

of which is shown in F i g u r e A . 4 , identify equipment found in need of
r e p a i r by the operating staff. The m e m o s a r e valuable not only in the
identification of equipment malfunctions but a l s o as a r e c o r d of r e p a i r s
found n e c e s s a r y .
The use of MM in the initiation and control of routine maintenance m a y

be t r a c e d along one of two paths depending upon whether the work
r e q u e s t e d involved production maintenance p e r s o n n e l or t e s t b u r e a u
p e r s o n n e l . In either c a s e , the m e m o r a n d a a r e w r i t t e n by the m e n a b e r s
of the operating staff when deficiencies a r e noted during i n s p e c t i o n s ,
checkoffs, n o r m a l o p e r a t i o n s , or t e s t s . Blank menaoranduna f o r m s
a r e retained in single books in the c e n t r a l control r o o m and c h e m i c a l
s y s t e m s control r o o m and a r e filled out in t r i p l i c a t e (white, yellow,
and pink) c o p i e s . Although it is possible for other production staff
m e m b e r s to write MM, only the g e n e r a l watch f o r e m a n or watch foreman
m a y sign and t h e r e b y initiate the m e m o .
F o r w o r k involving the production maintenance group, the MM flow is

as shown on Figure A . 5 . With the f o r e m a n ' s s i g n a t u r e , the white
copy of e a c h m e m o is forwarded to the r e a c t o r engineer or superintendent
to receive final approval and p r i o r i t y n u m b e r . The pink copy is placed
in the g e n e r a l watch f o r e m a n ' s "Maintenance M e m o r a n d a Pending" file.
Where the r e q u e s t e d r e p a i r is b e s t suited to outage time and m a y be
postponed, the r e a c t o r engineer naay a s s i g n the m e m o work to the
next a p p r o p r i a t e outage. With a s s i g n m e n t of p r i o r i t y the white copy
of the m e m o is forwarded to the production maintenance group.
A-5
When the maintenance requested on a menao is completed, the g e n e r a l
maintenance f o r e m a n moves the pink copy of the m e m o from the
"Maintenance Memoranda Pending" file to the "Maintenance M e m o r a n d a
Completed by Maintenance" file in the g e n e r a l watch f o r e m a n ' s office
noting the work done on the m e m o . These completed MM a r e reviewed
by the g e n e r a l watch f o r e m a n and then r e t u r n e d to the production
office where they a r e c o m p a r e d with the third (yellow) copy of each MM
which is retained in exhausted MM books from the control r o o m s . The
completed MM a r e also used to compile equipment h i s t o r i e s .
If an MM i t e m is completed by shift maintenance p e r s o n n e l r a t h e r than

the production maintenance group, the g e n e r a l watch foreman r e m o v e s
the pink copy from the "Maintenance M e m o r a n d a Pending" file, initials
the copy, and p l a c e s it in the "Maintenance Memoranda Completed
by the Watch" file. The production naaintenance f o r e m a n checks this
file e a c h m o r n i n g to eliminate completed w o r k f r o m the collection of
MM r e c e i v e d . The pink copies in the "Maintenance M e m o r a n d a
Completed by the Watch" file a r e also forwarded to the production
office for final checkoff and equipnaent history data. The white copies
of these m e m o r a n d a a r e retained by the g e n e r a l maintenance f o r e m a n .
F o r work involving test b u r e a u p e r s o n n e l (instrument and c o n t r o l r e p a i r ) ,

the MM flow is as shown in Figure A. 6. Briefly the flow is the s a m e
as for the production naaintenance MM through the a s s i g n m e n t of work
p r i o r i t y . Test b u r e a u MM a r e identified by m a r k i n g the " T e s t B u r e a u "
at the top of e a c h applicable f o r m . After a s s i g n m e n t of p r i o r i t y the
pink and white copies of the MM a r e sent to the production staff
technician who f o r w a r d s the white copy to the test b u r e a u for action
and files the pink copy under " T e s t Bureau MM" for subsequent follow-up.
With completion of the r e q u e s t e d w o r k the test b u r e a u notifies operations
and the production staff technician who notes the information on the
r e s p e c t i v e MM pink copies and keeps the r e a c t o r engineer and s u p e r i n -
tendent infornaed of the work s t a t u s . The white copy of the t e s t b u r e a u
MM is r e t a i n e d by the t e s t b u r e a u which maintains r e c o r d s of all w o r k
done on c o n t r o l s and i n s t r u m e n t a t i o n .
In actual p r a c t i c e , some minor routine maintenance is p e r f o r m e d

without writing an MM. This w o r k includes adjustment and s e r v i c i n g
by operating m e c h a n i c s in the shift c r e w s and i n s t r u m e n t technicians
working in the anaplifier r o o m . If this m i n o r maintenance is significant
to safety or o p e r a t i o n s , it will be r e c o r d e d in the g e n e r a l watch forenaan's
log or the t e s t b u r e a u log maintained in the amplifier roona. As a
r e s u l t of these p r a c t i c e s , complete equipment h i s t o r i e s a r e available
A-6
<
'J A ur.lv t/y a*-jivl..U(i a (1 . .uv f of I'fiorna. f... - .H ..fl,«. ...^rl> t r u e

ivir .in.iitt ain-n u«» flux ttrnphiior rcf/iae I'UIL-AIB . ,«iiw u^ u^jcruliVig
tV.i fhaiuv J uur.rn, aLifcn when t..i' U'ai v>.rfau i». tri-wv-.u,..^ ^.n- oii Uul'/,
'...uBf rt'iîuLi'menU ACH notoci *J. ii.tj t"'^*"*«*l wutch lui-t^n.atiâ l o ^ but
•llrty nut ti^Jjjoar ifi tt;»l ijufnttu focortjo,
Xiujur muiuUTtrtnci;, lAclutLn^ lulifjjv w^^rK, i s i4..iiai< ., L / ii»ûi«.o

jjrot.uLtio,. (.t j.^rtrnt-nt rruintununct.' orcjera to the '»t^..i'a coABtruclxon
ar.d t.ho,io (ii ,.âruin)nt. AM a r e c o r q uf tty»>tena»» pc-riOi ,n«...^c and r e i i a -
oiiity, r.'.c MM a r e n*ort! irr.portant sinco Lhcy a r u u, r e c o r d of o p e r a t i n g
u i i ' u c u l t i u . whiiu ihu nûmtenacu ordort* r e p r e t t o n t a ii^.^^li/ai^^xi ui
wor.^ n - q u i r c d at. a rocUit of opcralin^j difficult.ca or d e s i g n c h a n g e s
fj.rcviuuHiy recorrlud in otuor fcUtion r e c o r d t i .
PI ...>• F.i^.i., iTn-nt Hiatori<>H - A t o c n n i c i a n in the adiTiinibtrative s e r v i c e *

g r o u p p u r . o c u c a i i y r e / l e w a A'.M «..d outage re^yorts u-.u r e c o r o a cat**
i.-om tiit oc docunu;nt» in e q u i p m e n t h i s t o r y f i l e s (loooo-leaf n o t e b o o k s )
CO cstablitoii co.npleti- h i b i o r i o a on m a j o r c o m p o n e n t o ».". U.^^ p r o c e s s
s y s t c n i b . I n b t r u m c n t a t i o n and c o n t r o l hietoriOfa a r e kept in the t e s t
b u r e a u i.i^„s, T'nis r e c o r d i n g p r a c t i c e is intenuod us ^n aid in s c h e d u l i n g
rraiAicnonce and identifying t r e n d s in niulntena.'iCe r e q a l r o n i e n t s . It
<i^bo b c r v e b tib a quick m e a n s of identifying w e a k c o m p o n e n t s m v a r i o u s
btxii j,uard b y s t e r n s ,
OI.rVT LAY UNIT NO. 3
O p r r a t ).,, uf.d Qi.t ../• .Sumrnafy i\ ..frtw
>.'onthIv H.-t-'Oi-i^ ( Q i t r t o r l y H<'port..j - T h e s e rt-j.o/ia a r e a s u m m a r i z a t i o n

of o p e r a t i o n s , t e s t i n g a c t i v i t i e s , and s i g n ' . c a n t m e t h a n i c a l , e l e c t r i c a l ,
and i n s t r i . m e n l m a i n t e n a n c e p e r f o r m e d a u r i n g e a c h li.onlh. T h i s r e p o r t
is p r e p a r e d for i n t e r n a l u s e by P G & E . O t h e r m a t e r i a l included in the
r e p o r t *» a m a s t e r log which is a d a y - b y - d a y l i s t of t e s t s , s a f e l y s y b t e m
t r i p s , and e q u i p m e n t m o d i f i c a i i o n s and m a i n t e n a n c e . O t h e r i n f o r m a t i o n
contained in the m o n t h l y r e p o r t s i n c l u d e s i n d i v i d . 1 r e p o r t s of e a c h
s c r a m and outage o c c u r r i n g d u r i n g the r e p o r t p e r i o d , a d a y - b y - d a y
b u m m a r y of plant p e r f o r m a n c e ( F o r m 51) w h i c h i» taken f r o m the d a i l y
sumnTiaries, and s u m m a r i e s of w o r k p e r f o r m e d d u r i n g e a c h outage
inclaCii.ng w o r k c h r o n o l o g i e s w h e n e v e r the outage it» e x p e n s i v e . As of
J a . , a a r y i 9 6 5 , m o n t h l y r e p o r t s w e r e changed to q u a r t e r l y r e p o r t s
Litcdubc the r e g u l a r i t y of o p e r a t i o n did not justify r e p o r t i n g on a m o n t h l y
pif.oa.
HI
'!
Semiannual R e p o r t s to the AEC - The provisional operating license for
Unit No. 3 r e q u i r e s a semiannual r e p o r t of o p e r a t i o n s . This r e p o r t is
p r e p a r e d by the on-site staff and the g e n e r a l office and is edited by
the g e n e r a l office. It contains g e n e r a l operating data on facility u s e ,
e l e c t r i c a l output and shutdowns and data on radiation m e a s u r e m e n t s ,
coolant c h e m i s t r y , radioactive m a t e r i a l r e l e a s e s , d i s c h a r g e s and
s h i p m e n t s , maintenance and facility c h a n g e s , t e s t s and test r e s u l t s ,
and m e t e o r o l o g y . This data p r i m a r i l y d e r i v e s from daily and monthly
r e p o r t s written for i n t e r n a l u s e .
Annual Operating Report - Operations during each calendar y e a r a r e

s u m m a r i z e d in an annual r e p o r t for i n t e r n a l use by PG&E. This r e p o r t
is p r e p a r e d by the on-site staff from naonthly or q u a r t e r l y r e p o r t data
and includes s t a t i s t i c a l s u m m a r i e s of plant p e r f o r m a n c e in t e r m s of
average r a t e s of o c c u r r e n c e or l e v e l s . Estinaates of fuel usage a r e
a l s o included.
S c r a m and Outage R e p o r t s - PG&E p r a c t i c e s r e q u i r e p r e p a r a t i o n of

individual r e p o r t s covering the c i r c u m s t a n c e s surrounding e a c h s c r a m
and outage. Data included in each s c r a m r e p o r t a r e time of s c r a m ; type
s c r a m (planned or unplanned, naanual or a u t o m a t i c , r e a l or spurious);
cause and effect of s c r a m ; and c o r r e c t i v e action, if any. Data included
in outage r e p o r t s a r e time of outage, duration of outage, type of outage
(scheduled or unscheduled), and r e a s o n s for outage.
F o r m s 23's (Work Requests) - Maintenance r e q u i r e m e n t s noted by the

operating staff during e a c h shift a r e n o r m a l l y forwarded to the a p p r o -
p r i a t e maintenance group by use of a F o r m 23 or w o r k r e q u e s t . This
f o r m indicates equipnaent involved; observed malfunctions or operating
p r o b l e m s ; and, when completed, the work p e r f o r m e d by the maintenance
staff. Work r e q u e s t s a r e used to initiate naaintenance according to the
r e q u e s t flow d i a g r a m shown in F i g u r e A. 7. These work r e q u e s t s a r e
p r i m a r i l y a monitoring tool to initiate and a s s u r e p e r f o r m a n c e of the
d e s i r e d maintenance including the p r e p a r a t i o n of outage work s c h e d u l e s .
They a r e retained as a r e c o r d until no further surveillance of the
pertinent maintenance is n e c e s s a r y , and then they a r e d i s c a r d e d after
t r a n s f e r r i n g maintenance data to the a p p r o p r i a t e logs or maintenance
c a r d f i l e s . The completed work r e q u e s t s a l s o a r e used by the
miaintenance foremen or i n s t r u m e n t e n g i n e e r s to p r e p a r e s u m m a r i e s
of naaintenance work for each monthly r e p o r t .
A-8
Maintenance Card F i l e s - Each component in the plant has a maintenance
c a r d file provided for r e c o r d i n g r e p a i r s , r e p l a c e m e n t s , and modifications.
Routine or scheduled s e r v i c i n g s a r e not indicated on these c a r d s u n l e s s
a r e p a i r or r e p l a c e m e n t is r e q u i r e d during the s e r v i c i n g . The format
for the c a r d s v a r i e s according to the type of component, e . g . , m o t o r s ,
p u m p s , v a l v e s , and e l e c t r o n i c instrunaents; but in all c a s e s a s t a n d a r d
e n t r y is provided for the date and work done (see F i g u r e s A. 8 and
A. 9 ) . The i n s t r u m e n t a t i o n c a r d s a r e kept in a file which visually
indicates whether maintenance is being p e r f o r m e d by the p r e s e n c e or
absence of the c a r d . This file also m a y be used to schedule routine
t e s t s and s e r v i c i n g s .
SHIPPINGPORT ATOMIC POWER STATION
Operating and Outage Sunamary R e p o r t s
Sunamary information on experience of significance to safety m a y be

found in incident r e p o r t s , monthly (now q u a r t e r l y ) operating r e p o r t s ,
q u a r t e r l y technical p r o g r e s s r e p o r t s , and sunamary r e p o r t s covering
a p p r o x i m a t e l y the period f r o m s t a r t u p on one seed to s t a r t u p on the
next seed. The monthly operating r e p o r t s and s u m m a r y r e p o r t s for
the operating period of each seed a r e based on o b s e r v a t i o n s and data
accumulated in r e c o r d s of daily operation, m a i n t e n a n c e , and periodic
checks and t e s t s .
R e p o r t s of incidents provide conaplete a n a l y s e s of unusual o c c u r r e n c e s

p r i m a r i l y in the r e a c t o r plant. These incident r e p o r t s a r e s u m m a r i z e d
in monthly operating r e p o r t s and s u m m a r y r e p o r t s of seed o p e r a t i o n s .
The status of investigations into each incident is monitored by issuance
of a q u a r t e r l y incident status r e p o r t which indicates incidents that have
o c c u r r e d , planned or accomplished c o r r e c t i v e a c t i o n s , and c l o s e s
out incidents which w e r e resolved since issuance of the preceding
status r e p o r t .
P l a n t maintenance activities a r e r e c o r d e d and regulated by use of w o r k

i t e m c a r d s and equipment h i s t o r y c a r d s . The equipment h i s t o r y c a r d s ,
shown in F i g u r e A. 10a, s u m m a r i z e identification n u m b e r s , name plate
specifications, and significant r e p a i r s or s e r v i c i n g s on m e c h a n i c a l and
e l e c t r i c a l components and all i n s t r u m e n t a t i o n . These 5 x 8 c a r d s a l s o
a r e provided with monthly edge m a r k s to enable use of the c a r d s in a
color coded, tickler file for scheduling preventive m a i n t e n a n c e .
A-9
Maintenance data entered on the c a r d s is taken from work item c a r d s
by a c l e r k . Only data selected by the foremen or e n g i n e e r s is t r a n s f e r r
to the equipment h i s t o r y c a r d s . The equipment h i s t o r y c a r d s w e r e kept
c u r r e n t from their initiation in 1961 until the end of Core 1 operation.
Since that t i m e , reduction in the station complement has caused some
lag in the t r a n s f e r r a l of work i t e m data to the equipment h i s t o r y c a r d s .
The work itenas or work r e q u e s t s a r e 8-1/2 x 11 c a r d s filled out by

f o r e m e n in different plant a r e a s to r e q u e s t and r e c o r d preventive
and c o r r e c t i v e maintenance on equipment. Servicings such as l u b r i c a -
tion or oil changes a r e not e n t e r e d as work i t e m s but a r e initiated frona
r e c o r d s kept in the control roona. Information provided on the work
i t e m c a r d s includes identification and location of equipment, nature
of work or trouble, time and m a t e r i a l r e q u i r e m e n t s , and d e s c r i p t i o n
of work p e r f o r m e d . A blank work item c a r d is shown in F i g u r e A. 10b.
The w o r k item c a r d s a r e reviewed and signed by a p p r o p r i a t e s u p e r -
v i s o r y p e r s o n n e l ; and, g e n e r a l l y , they a r e retained if they contain
significant maintenance information. As previously indicated, this
information is t r a n s f e r r e d to the equipment h i s t o r y c a r d s at the
d i r e c t i o n of the f o r e m e n or e n g i n e e r s .
A-10
ACTION FLOW
Maintenance r e q u i r e m e n t Member of
noted and r e q u e s t w r i t t e n Operating, Maintenajice,
T e c h n i c a l , or
Administrative Groups
Reviews and a u t h o r i z e s r e q u e s t
and f o r w a r d s r e q u e s t to
I
Shift
Engineer
I
a p p r o p r i a t e Station Operating
Engineer
Approve r e q u e s t s , assign Station Operating

p r i o r i t i e s , and forward r e q u e s t s Engineers.
I
to a p p r o p r i a t e maintenance group
or assign t h e m to outage schedules
Outage Master
Schedule Mechanic
Perform required repairs, Electrical

note w o r k completion on Instrument and
r e q u e s t s and forward w o r k Mechanics Mechanical
r e q u e s t copies to a p p r o p r i a t e Mechanics
individuals
Review completed w o r k and Station Operating E n g i n e e r s

file r e q u e s t s on annual b a s i s Shift Engineer,
M a s t e r Mechanic
FIGURE A. 1
MAINTENANCE REQUEST FLOW
A-11
Equipment
Defect Noted
Maintenance
Request Written
I
Maintenance Request
Reviewed by Chief
Engineer for Authorization
and Assignment
Authorized Mechanical Authorized

and E l e c t r i c a l MR I n s t r u m e n t MR
I
Maintenance Supervisor
I
Control Engineer
Assigns MR to Mechanic Assigns MR to Technician
and Indicates P r i o r i t y and Indicates P r i o r i t y
and Work to be Done and Work to be Done
Unauthorized
Required Maintenance MR R e q u i r e d Maintenance
P e r f o r m e d by Mechanic P e r f o r m e d by Technician
and Recorded on MR and Recorded on MR
Completed MR R e t u r n e d Completed MR Returned

to Maintenance S u p e r v i s o r to Control Engineer
to Indicate Action Taken to Indicate Action Taken
MR Information
MR Information R e c o r d e d
R e c o r d e d on Equipment
on Equipment History F i l e
H i s t o r y Card
Completed MR R e t u r n e d
to Originator
FIGURE A. 2
MAINTENANCE REQUEST FLOW
A-12
YANKEE ATOMIC ELECTRIC COMPANY
MAINTENANCE REQUEST
EQUIPMENT
NATURE OF D E F E C T
R E P O R T E D BY DATE
ACTION TAKEN
INVESTIGATION BY_
WORK TO BE DONE
WORK ASSIGNED TO
WORK COMPLETED BY DATE
DESCRIPTION OF WORK DONE
MATERIAL USED
TO BE E N T E R E D ON EQUIPMENT CARD_ YES NO

RETURN TO
FIGURE A. 3
MAINTENANCE REQUEST FORM
A-13
6 B, OO. o r N. Y.. IHC.
N9 81913
DATE-
WATCH , .
APPARATUS WORK
>
I
1—'
1*^
REPORTED BY-
WATCH POMMAN
APPROVED FOR INTEROEPARTMENTAL WORK REQUEST.

i s - e o ( E A . ) 7-62 PRODUCTION
F I G U R E A. 4
ACTION FLOW
Maintenance requirement C e n t r a l Control ® ® Chemical Systems

noted aiid m e m o w r i t t e n Room Control Room
G e n e r a l Watch F o r e m a n
Review^s and i n i t i a t e s
or
memo
Watch F o r e m a n
®r 1©
Reactor Engineer Maintenance
A s s i g n s p r i o r i t y to m e m o or Memorandum
Superintendent Pending F i l e
©,,
A s s i g n s m e c h a n i c to -work G e n e r a l Maintenance
r e q u e s t e d in m e m o Foreman
® ®
P e r f o r m s w o r k and e n t e r s Operating M e c h a n i c s
d e s c r i p t i o n on m e m o on Da> s or Watch
Notes work on pink copy and © Completed by

a d v a n c e s copy to c o m p l e t e d G e n e r a l Watch Maintenance F i l e
w o r k files; r e t a i n s white Foreman o r Completed by
copy in m a i n t e n a n c e files Watch F i l e
®
P r o d u c t i o n Maintenance
File ®
Reviews completed work G e n e r a l Watch F o r e m a n
and f o r w a r d s m e m o to or
P r o d u c t i o n Office Watch F o r e m a n
T r a n s f e r s work data to
equipment h i s t o r i e s and P r o d u c t i o n Staff
files m e m o s Technician
P r o d u c t i o n Office
File
Y - Yellow copy
P — Pink copy
W - White copy
FIGURE A. 5
MAINTENANCE MEMORANDUM FLOW

FOR E L E C T R I C A L AND MECHANICAL WORK
A-15
ACTION FLOW
Maintenance r e q u i r e -
ment noted on i n s t r u -
m e n t s , "Not Working Central Control ® ® Chemical Systems Control
P r o p e r l y " tag placed Rooms Room
on equipment and
m e m o r a n d u m written. ® ® ® ®
Reviews and initiates General Watch F o r e m a n

memorandum. or
Watch F o r e m a n
®i©
Assigns priority to Reactor Engineer
memorandum. or
Superintendent
®
Forwârds white copy
to Test Bureau and Production Staff ®
r e t a i n s pink copy for Technician
follow-up.
P e r f o r m s work,
r e c o r d s completed ® ©
work in log, r e p o r t s
completed work to Production Staff
Production Staff Test Bureau
Follow-up F i l e s
Technician and
Watch and r e m o v e s
"Not Working @)
P r o p e r l y " tag.
Test Bureau
Files
©
Reports status of
T e s t Bureau work
to Reactor Engineer Production Staff
or Superintendent Technician
and files completed
memos, ®
Y - Yellow copy
Production Staff
W - White copy
Files
P - Pink copy
F I G U R E A. 6
TEST BUREAU MAINTENANCE MEMORANDUM FLOW
A-16
ACTION FLOW
Work r e q u e s t m a d e out in t r i p l i c a t e O p e r a t i n g Staff or

and individual copies f o r w a r d e d . Unit S u p e r v i s o r s
O p e r a t i o n s r e t a i n s 1 copy for followup; Mechanical,

m a i n t e n a n c e group r e c e i v e s second Electrical,
copy for scheduling; A s s i s t a n t S u p e r - Instrument, Assistant
intendent or P o w e r P l a n t E n g i n e e r or Control Superintendent
r e c e i v e s t h i r d copy, a p p r o v e s r e q u e s t , Operations Technician and/or Power
a s s i g n s p r i o r i t y , and p r o v i d e s any Group Plant Engineer
additional w o r k d i r e c t i v e s needed by
maintenance groups.
A s s i g n s w o r k to m e c h a n i c s , e l e c t r i c i a n s ,
il
Maintenance
or t e c h n i c i a n s . Forenr.an, or
Instrument
Engineer
P e r f o r m s approved work; enters work

d e s c r i p t i o n in m a i n t e n a n c e log or c a r d file Mechanic,
and on both copies of w o r k r e q u e s t ; f o r w a r d s Electrician
both copies of completed r e q u e s t s . or T e c h n i c i a n
C o m p a r e s o r i g i n a l r e q u e s t to c o r r e s p o n d - k£
ing completed c o p i e s ; d i s c a r d s o r i g i n a l ; Operations
r e t a i n s 1 completed copy; f o r w a r d s other
c o m p l e t e d copy.
A s s i s t a n t Superintendent r e v i e w s and Assistant

Operations
then d i s c a r d s c o m p l e t e d w o r k r e q u e s t s ; S upe r inten dent
o p e r a t i o n s r e t a i n s completed r e q u e s t s
until no further s u r v e i l l a n c e c o n s i d e r e d
n e c e s s a r y and then d i s c a r d s r e q u e s t .
F I G U R E A. 7
W O R K R E Q U E S T ( F O R M 23) F L O W
A-17
EQUIPMENT DESIGNATION MANUFACTURER
MODEL NO. SERIAL NO.

^ \ \
P . ft 1 . 0 . NO. BECHTEL I N S T . NO. P G. ft E. REF. DWG. NO.

\ \
MFG. REF. DWG. NO. REF. MATERIAL LOCATION

\
EQUIP. RANGE
\
CONTROL ft ALARM SETTINGS

RED GREEN
SPECIAL PRECAUTIONS
1 27
REMARK St
2 28
DATE WHY WORK WAS DONE D E S C R I P T I O N OF WORK M.H. BY

3 29
4 30
5 31
6 32
7 33
8 34
9 35
10 3 6
11 3 7
12 3 8
13 3 9
14 4 0
15 41
16 4 2
17 4 3
18 4 4
19 4 5
20 46
21 4 7
22 48
23 49
24 50
2 5 51
26 52
a.S X I I . 7 5 "
Copliguc, L I N Y PACIFIC GAS & ELECTRIC CO. - HUMBOLDT UNIT NO. 3 •1132
W I 2 7 2 . A V AP 8 KILLCO. 2-12395
FIGURE A. 8
EQUIPMENT MAINTENANCE RECORD FORM
A-18
PACIFIC GAS AND ELECTRIC COMPANY
MOTOR MAINTENANCE RECORD
SERVICE LOCATION Fl LE
MAKE H.P. CLASS TYPE CODE FRAME MODEL SOURCE OF FOWER
VOLTS AMPS. F . L . AMPS. START AMPS. FREE HUN SERIAL NO.
PHASE FREQ. R.P.M. T E M P . RISE EFFICIENCY MOUNT POWER FACTOR
ROTATION INBOARD END MAG, CENTER UNLD.

BRGS; INBOARD NO, OUTBOARD NO. MFR. PARTS BUL. NO. MAINTENANCE PERIOD DATE
GENERAL REMARKS!
INSULATION TEST - MEGOHMS

TEMP.
DATE WORK DONE MOTOR MOTOR
1 MIN. 10 M I N . P.I. AND C I R . °C BY
62-3943 ia—M
FIGURE A. 9
MOTOR MAINTENANCE RECORD FORM

' COMPONENT
NAME PLATE DATA

k
E. S K C NO. WORK ITEM
Equip. No.: Equip, Nnme : ^
Equip. Location_ Stii. Shutdown Req'd:
Malnt. Sys. No.: Reported B y : Date.:

rt^-^
COMPONENT DRAWING NO*S.
^^" I Nature of Work or Trouble:
DATE IN SERVICE
Work Item
EQUIPMENT HISTORY
MAiyTENANCE USE OBLY
Est. Manhours; Actual Manhours; CD Mat'l Req'd: Y e 8 _ No^ Unknown
Workmen: Start: Finish:
Work Performed:
> AY«TEM 1 [COMPONENT \

I LOCATION
ITEM NO \ J NAME PLATE DATA

O
DATE EQUIPMENT HISTORY "*' '***" WORK ITEM
t<^^
^^
••>««
Equipment H i s t o r y C a r d
Work Item C a r d
F I G U R E A . 10
MAINTENANCE RECORD FORMS

APPENDIX B
DATA M A N A G E M E N T PRACTICES IN RELATED AREAS

APPENDIX B
DATA MANAGEMENT PRACTICES IN RELATED AREAS
S e v e r a l r e l i a b i l i t y data classification a n d / o r collection p r o g r a m s r e l a t e d

to the n u c l e a r , utility, a e r o s p a c e , and m e r c h a n t m a r i n e i n d u s t r i e s
have been reviewed to e s t a b l i s h guidelines and f o r m a t s for the r e l i a -
bility monitoring p r o g r a m data m a n a g e m e n t s y s t e m . Of these p r o g r a m s ,
the following have provided the m o s t useful background m a t e r i a l s :
1. United Kingdom Atomic E n e r g y Authority (UKAEA)

R e a c t o r Fault Reporting System.
2. P M - 1 Data Evaluation P r o g r a m .
3. M a r i t i m e Administration (MARAD) Maintenance and
Reliability P r o g r a m .
4. Edison E l e c t r i c Institute (EEI) Equipment Availability
Program.
5. I n t e r s e r v i c e Data Exchange P r o g r a m (IDEP), Guided
Missile Data Evaluation P r o g r a m (GMDEP), and F a i l u r e
Rate Data P r o g r a m (FARADA).
6. Uniform Subject Index for Nuclear P o w e r D e m o n s t r a t i o n
(NPD) P r o j e c t .
7. AEC Unifornm S y s t e m of Accounts.
As the name i m p l i e s , the AEC Uniform S y s t e m of Accounts was prinaarily

developed for cost accounting and e s t i m a t i n g p u r p o s e s . However, since
the breakdown in this s y s t e m is by functional s y s t e m s , p a r t i c u l a r l y
those r e l a t e d to the r e a c t o r plant, it has been reviewed with s p e c i a l
interest.
A brief d e s c r i p t i o n of each of these p r o g r a m s follows.
UKAEA REACTOR FAULT REPORTING SYSTEM
Under the UKAEA Fault Reporting System instituted in 1961, details of

r e a c t o r faults and incidents which occur on UKAEA r e a c t o r s a r e sent to
the Safeguards Division of the Authority Health and Safety B r a n c h (AHSB)
located at R i s l e y . The details a r e then coded and s t o r e d on punched c a r d s
according to the UKAEA data classification s y s t e m for use in the a n a l y s i s
B-1
of r e a c t o r fault c a u s e s and t r e n d s . This s y s t e m has been in operation
since Septemiber 1964 with some minor modifications of the original c l a s s -
ification code. ^
The UKAEA classification systenm is based on an 80-column punch c a r d .

Column allocation is designated as shown on Table B. 1, and some s a m p l e s
of further breakdowns a r e shown in Tables B. 2 through B . 7 , Except for
those columns that a r e s e l f - e x p l a n a t o r y , d e s c r i p t i o n of column allocations
is as follows:
P l a n t Type
In the United States plant type generally would be r e f e r e d to as a s y s t e m

and subsystern. level of functional equipment classification. The
s y s t e m and s u b s y s t e m in which a fault o c c u r r e d a r e identified in these
c o l u m n s . The f i r s t level breakdown in this classification is:
1. Reactor.
2. S t e a m Raising Units.
3. Power Plant.
4. P l a n t Containnaent.
5. Rigs and Isotope Handling.
6. E l e c t r i c a l P o w e r Supplies.
7. Ancillary Equipment.
Since the classification under " R e a c t o r " e n c o m p a s s e s c o n s i d e r a b l y m o r e

equipment than what might be n o r m a l l y classified at this level in the
United S t a t e s , this p a r t i c u l a r level is further amplified as follows:
1. P r e s s u r e Vessel.
2. Core.
3. Shield.
4. Reactivity Control Devices.
5. Heat Exchange C i r c u i t .
6. Control E l e c t r i c a l Systena and Instrumentation Control
Circuitry.
As an e x a m p l e , a p a r t i a l coverage of the control e l e c t r i c a l s y s t e m is

shown in Table B. 2.
B-2
Component Type
These columns itemize the components and p a r t s on which the fault

o c c u r r e d . The f i r s t - l e v e l breakdown, along with a p a r t i a l coverage of
the component type as shown in Table B. 3, i l l u s t r a t e s the coverage
provided by component type classification.
1. Electrical.
2. Industrial Instrumentation.
3. Mechanical.
4. Chemical Plant.
5. Civil Engineering Work.
6. Component Not Identified.
7. Shielding.
Fault Importance
This portion of the data classification s y s t e m deals with the safety a s p e c t s

of each fault. It is b a s i c a l l y divided into four broad c a t e g o r i e s ; namely:
A. Lack of safety.
B. F a u l t s or actions which reduce r e a c t o r safety,
C. F a u l t s or actions which do not reduce r e a c t o r safety.
D. Events which have no safety significance w h a t s o e v e r .
The definitions and details of the fault inaportance code a r e s u m m a r i z e d

c o m p l e t e l y in Table B. 4. These definitions w e r e developed during two
y e a r s of negotiation with r e a c t o r o p e r a t o r s ; and although r a t h e r detailed
in development, they have been proven w o r k a b l e . The p r i m a r y r e a s o n
for the extended negotiations on definition of fault classification is
attributed to the fact that power r e a c t o r o p e r a t o r s and r e s e a r c h
facility o p e r a t o r s tended to have somewhat different attitudes when
faced with a given fault. As a r e s u l t of the c l a s s i f i c a t i o n s shown in
Table B . 4 , m o s t faults will fall in the B and C c a t e g o r y c l a s s .
In g e n e r a l , a s s i g n m e n t of a fault to one of these c a t e g o r i e s is decided as

follows:
B-3
If the r e a c t o r protective s y s t e m functions c o r r e c t l y and the
resulting drift or t r a n s i e n t is in all r e s p e c t s within the safe
operating limit approved for the s y s t e m , it is a C a t e g o r y C
fault. If the r e a c t o r protective s y s t e m functions c o r r e c t l y
but the r e s u l t i n g drift or t r a n s i e n t exceeds a safe operating
limit approved for the s y s t e m in any r e s p e c t , it is a C a t e g o r y B
fault.
If, in addition to the initiating event, there o c c u r s any naalfunction of

protective equipment, the fault would be c l a s s e d as Category B whether
any operating limit i s exceeded and despite any m a n u a l c o r r e c t i v e action
which has been taken by the o p e r a t o r (unless he takes it so quickly as to
p r e v e n t a protective c i r c u i t action).
F a u l t Type
Columns 32 to 36 of the classification d e s c r i b e the nature of a fault.

F a u l t types a r e g e n e r a l l y divided into nine b a s i c c a t e g o r i e s a s follows:
1. Electrical.
2. I n s t r u m e n t Effects.
3. Mechanical.
4. Design F a u l t .
5. Human E r r o r or Maloperation.
6. Undiagnosed F a u l t .
7. Chemical.
8. Radioactivity.
9. Other F a u l t s .
Subclassifications within each b a s i c fault-type c a t e g o r y a r e i l l u s t r a t e d

by Table B . 5-
P M - 1 DATA EVALUATION PROGRAM
The U. S. Air F o r c e has e s t a b l i s h e d a data collection and classification

s y s t e m for evaluating operating data obtained f r o m land-based m.ilitary
n u c l e a r power p l a n t s . The s y s t e m u s e s a data m a n a g e m e n t p r o g r a m
that catalogs plant p e r f o r m a n c e data in a m a s t e r file and allows
c o m p u t e r i z e d information r e t r i e v a l and s y s t e m a n a l y s i s . ' Although
B-4
capable of being applied to any m.ilitary plant, t h e P M - 1 n u c l e a r power
plant was chosen as the pilot plant for application of this data m a n a g e m e n t
p r o g r a m . The p r o g r a m is capable of producing output r e p o r t s which
a s s e s s the reliability, availability, safety, and p e r f o r m a n c e of the plants
as follows:
Reliability - Reliability of individual components and plant s u b -

systenas.
Availability - Availability of r e a c t o r and generating equipment.
Safety - All failures having a potential safety effect.
S y s t e m P e r f o r m a n c e - P e r f o r m a n c e data with r e s p e c t to
s t e a m and e l e c t r i c a l output, plant c h e m i s t r y , radioactive
waste production, c o r e lifetime, and e c o n o m i c s .
Input to the m a s t e r file c o m e s from data obtained from the power plant
logs. These data a r e s e p a r a t e d by type and grouped into packets of
c a r d s , each packet going to form one tape r e c o r d in the m a s t e r file.
While all data a r e important in a s s e s s i n g plant p e r f o r m a n c e , only those
portions of the p r o g r a m which r e l a t e d i r e c t l y to r e l i a b i l i t y and safety a r e
described here.
The r e l i a b i l i t y and safety data r e q u i r e p r e p a r a t i o n of a malfunction

packet consisting of three punched c a r d s . The f i r s t c a r d is a h e a d e r
c a r d which identifies the type of packet. The second and the third
c a r d s , column allocation of which is shown in Tables B . 8 a n d B . 9, a r e
b a s i c a l l y for identifying the p a r t of the plant in which the fault o c c u r r e d
and the type of fault which was caused by the p a r t malfunction.
A code designation is provided for all s u b s y s t e m s and components of

consequence i n P M - 1 . Code designations a r e also provided for all major
shutdown c a u s e s and all m a j o r c a u s e s of equipment f a i l u r e . In addition,
all f a i l u r e s a r e categorized in accordance with their effect on plant safety.
Descriptions of column allocation for each data field a r e shown in Tables
BT 8 and B. 9. With the exception of those fields which a r e self-explanatory
the type of information r e q u i r e d is d i s c u s s e d below.
Subsystena and Component Codes
All plant equipment is classified at two levels; s u b s y s t e m and component.

All s u b s y s t e m s and components a r e identified by a two or t h r e e
alphabetic code. F o r e x a m p l e , the s u b s y s t e m code for the feedwater
B-5
s y s t e m is FW, while the component code for an e l e c t r o p n e u m a t i c
t r a n s d u c e r is E P T . Additional examples of s u b s y s t e m and component
codes a r e given in Table B. 10.
Malfunction, Safety, and Shutdown Codes
As shown in Table B . l l , the malfunction and safety codes a r e developed

to designate the effect of faults on r e a c t o r operation and safety. The
shutdown code r e l a t e s the cause or r e a s o n for a shutdown event.
F a i l u r e Code
The failure code used in the p r o g r a m d e s c r i b e s component or s y s t e m

faults in t e r m s of four m a j o r c a t e g o r i e s of equipment f a i l u r e . These
c a t e g o r i e s a r e m e c h a n i c a l , e l e c t r i c a l , i n s t r u m e n t a t i o n , and o t h e r s .
The f i r s t three c a t e g o r i e s a r e further divided into 20 s u b c a t e g o r i e s , as

shown in Table B. 12. In effect the s u b c a t e g o r i e s a r e an open-ended listing
of equipment failure d e s c r i p t i o n s . More t e r m s can be added as different
types of equipment failures a r e encountered.
A computer p r o g r a m h a s been developed to compile input data taken f r o m

P M - 1 r e c o r d s and to g e n e r a t e a number of s u m m a r y r e p o r t s . With
r e s p e c t to this study the m o s t important of these r e p o r t s a r e the Safety
R e p o r t , and the F a i l u r e Shutdown and Availability R e p o r t . Typical
printouts of these r e p o r t s a r e p r e s e n t e d in F i g u r e s B. 1 and B . 2 .
MARITIME ADMINISTRATION MAINTENANCE AND RELIABILITY

PROGRAM
As a r e s u l t of i n c r e a s i n g costs in the construction and operation of ships

subsidized by the United S t a t e s , the M a r i t i m e A d m i n i s t r a t i o n (MARAD)
has developed a s y s t e m a t i c approach for evaluating the operating
data obtained from these s h i p s . The goal of this p r o g r a m , the MARAD
Maintenance and Reliability P r o g r a m , ' ' ^^' is to collect data and
p e r f o r m detailed analyses of shipboard maintenance and r e p a i r p o l i c i e s ,
in o r d e r to identify a r e a s where economies m a y b e achieved.
In developing the MARAD p r o g r a m it was found that existing c l a s s -

ification s y s t e m s w e r e p r i m a r i l y developed for filing and accounting
use and w e r e unsuitable for the objectives of the maintenance and
r e l i a b i l i t y p r o g r a m . F u r t h e r m o r e , t h e r e were few s o u r c e s of
information concerned with ships in which the n o m e n c l a t u r e agreed
B-6
with the p r o g r a m needs; and nomenclature commonly in use was found
to be inconsistent. F o r e x a m p l e , complete h i e r a r c h i e s of systenas within
systenas could often be found. It was n e c e s s a r y , t h e r e f o r e , to develop
a new classification s y s t e m .
In the new classification s y s t e m , a h i e r a r c h y of ten levels was

established as shown in Table B - 1 3 . The f i r s t two levels identify the
ship and its environment. Levels t h r e e through ten provide the
functional relationship of the e l e m e n t s of the ship's equipment and
structure.
Between the levels the v e r t i c a l r e l a t i o n s a r e established on the b a s i s

of the v a r i o u s d e g r e e s of complexity; e l e m e n t s at the same level a r e
expected to have the same degree of complexity.
The basic or fundanaental levels in the equipment and s t r u c t u r a l

h i e r a r c h y a r e Level 3-Systena, Level 6-Components, and Level 9 - P a r t s .
Internaediate levels a r e provided p r i m a r i l y for convenience in
deternaining v e r t i c a l r e l a t i o n s between fundamental l e v e l s . E v e r y
s y s t e m contains an e l e m e n t at the s y s t e m level and one or naore at the
component level. Other elenaents in the intermediate levels a r e
included to provide a complete classification of n o r m a l l y identifiable
equipment. In classifying a systena, e l e m e n t s at the component level
a r e listed first; and then i n t e r m e d i a t e levels a r e filled, as n e c e s s a r y .
F i n a l l y , to naaximize c o n s i s t e n c y , any r e f e r e n c e to e l e m e n t s within
the h i e r a r c h y from s y s t e m to part includes the name of their level.
F o r e x a m p l e , the steana d r u m a s s e m b l y is within the boiler component
which is in the s t e a m supply unit of the s t e a m s u b s y s t e m of the power
and propulsion systena.
At the s y s t e m level. Level 3, each s y s t e m is organized according to

the ability of its elenaent to p e r f o r m , as a group, one of the n e c e s s a r y
functions of the ship. A set of 14 g e n e r a l functions have been identified
including one for autonaatic c o n t r o l . At the component level. Level 6,
all the elenaents which a r e to be considered components under their
r e s p e c t i v e systenas a r e defined. After Level 6 is conapleted. Levels
5 and then 4 a r e conapleted by combining the e l e m e n t s into natural
groupings following the a p p r o p r i a t e definitions.
Below Level 6, the nornaal c o u r s e would be to identify the e l e m e n t s

at the p a r t s level. Level 9, and then fill the internaediate L e v e l s , 8
and 7. There a r e , however, an e x t r e m e l y large number of e n t r i e s
B-7
at the p a r t s level; and they a r e subject to v a r i a t i o n s reflecting m a n u -
f a c t u r e r s ' alternative d e s i g n s . F u r t h e r m o r e , this amount of detail
was not n e c e s s a r y in the e a r l y stages of the MARAD p r o g r a m . T h e r e f o r e ,
the components w e r e naerely s e p a r a t e d into their a s s e m b l i e s at Level 7,
and the classification was not c a r r i e d beyond that point.
Although this classification p r o c e s s is r e a s o n a b l y s t r a i g h t f o r w a r d ,

there a r e some complicating factors which should be naentioned. F i r s t ,
t h e r e a r e invariably e n t i r e s which belong at a given level but do not
exactly m e e t the definitions provided for that level. An example at
the component level is piping. That heading is used to collect a s s e m b l i e s
such as pipes and fittings, v a l v e s , t r a p s , s t r a i n e r s , e t c . , into a group
which together p e r f o r m a specific operation.
However, piping is not a conaponent in the u s u a l sense of the word.

The heading "Piping" at the conaponent level, then, is a convenience
heading. Other convenience headings include the v a r i o u s accomnaodation
s p a c e s of " a s s o c i a t e d e q u i p m e n t . "
Another complication a r i s e s because t h e r e a r e some s y s t e m s whose

functions a r e not s e p a r a b l e into s u b s y s t e m s . That i s , all the units
in these s y s t e m s support the function of the s y s t e m d i r e c t l y .
Finally, t h e r e a r e a few e l e m e n t s which function within one s y s t e m

but which a r e s t r u c t u r a l l y or operationally within another s y s t e m .
In classifying these elenaents, each portion of the e l e m e n t which
uniquely supports the function of a s y s t e m is classified within that
system.
S y s t e m s Classification Code
The code which is used with the preceding classification method is

in four p a r t s . The f i r s t is a "prefix" consisting of the r e g i s t e r e d
hull number designated in the Record of the A m e r i c a n Bureau of
Shipping (ABS). This prefix allows all data for any one ship at any
level to be quickly r e t r i e v e d . Following the prefix, the coding
method for Levels 1 and 2 c o n s i s t s of the MARAD design number and
trade route n u m b e r . F o r Level 3 and below a l e t t e r code is assigned
to e a c h s y s t e m , each s u b s y s t e m within a systena, and each unit within
the s u b s y s t e m , A list of s y s t e m s and subsystenas and their identifying
l e t t e r s a p p e a r s in Table B. 14.
B-8
E a c h conaponent is assigned a t h r e e - d i g i t component index number
which identifies it and also indicates whether the component is unique
to a given unit, commonly o c c u r s in s e v e r a l units within a p a r t i c u l a r
systena or can occur in any systena. Some conaponents, such as
punaps, occur in s e v e r a l s y s t e m s . Since it naay be interesting to
collect all data on such components, each is given a number from a
specific set allotted to that component as shown by the exanaple in
Table B. 15.
A second p a r t of this code allows each p a r t i c u l a r type of conaponent

to be identified; for e x a m p l e , as shown in Table B, 16 sectional h e a d e r ,
bent tube, and top fired b o i l e r s can be distinguished by component type
codes C, D, and E ,
The third p a r t of the code is a two-digit assenably index number,which

provides information on the relation of a s s e m b l i e s to conaponents, s i m i l a r
to that which the component index provides on the relation of conaponents
to unit.
Finally, the fourth p a r t of the code identifies the specific component

anaong the s e v e r a l identical components to which the data a p p l i e s .
An illustration of the coding using the ship SS P r e s i d e n t A r t h u r , whose

r e g i s t e r e d hull number is 264704, MARAD design number C 4 - S - 1 , and
t r a d e route number 12, follows. The code number for the s t e a m d r u m
assenably of the bent tube boiler on the s t a r b o a r d side is to be
d e t e r m i n e d . The b o i l e r s a r e classified in the power and propulsion
s y s t e m , P ; s t e a m s u b s y s t e m , B; and s t e a m supply unit, B. The b o i l e r s
a r e component 001 in their unit, and the bent tube b o i l e r s a r e designated
component type D. The s t e a m d r u m has 02 a s s e m b l y designation, and
as a rule the s t a r b o a r d boiler is nunabered 0 1 .
The conaplete code can be w r i t t e n as
264704/C4S1/12/PBB 001 D 02 01
Data Collection P r o g r a m
The m a j o r obstacle in achieving the objectives originally set forth

in the M a r i t i m e Adminstration p r o g r a m was the lack of adequate data.
As a r e s u l t , a p r o g r a m was established for collecting the r e q u i r e d
data in the field through d i r e c t observation and through cooperative
B-9
efforts of o p e r a t o r s . The p r o g r a m specified the data to be r e p o r t e d ,
its f o r m a t , and the p r o c e d u r e s to be used. Two stepwise a p p r o a c h e s
to data collection w e r e instituted on a t r i a l b a s i s ; (1) initial e x p e r i m e n t a l
data collection p r o g r a m by U, S, Merchant Marine Academy cadets during
their training year at s e a , and (2) subsequent data collection by chief
e n g i n e e r s or other operator p e r s o n n e l during the c o u r s e of their n o r m a l
duties.
Evaluation of the r e t u r n s made it apparent that the fornas needed to be

consolidated and simplified to avoid the confusion. Ambiguous
i n s t r u c t i o n s also were identified. Given improved f o r m s , it was concluded
that at least half of the cadets and probably m o r e would produce usable
r e p o r t s . Although in some instances the cadets w e r e h a m p e r e d by
officers in their efforts to collect data, this difficulty was t r a c e d to
inadequate communication with m a n a g e m e n t - - a factor which was expected
to disappear after the p r o g r a m had become w e l l - e s t a b l i s h e d .
Another r e s u l t of this t r i a l application was the observation that a large

number of the cadets w e r e obviously alnaost wholly dependent on the
officers for much of their information and frequently seemed to act
m a i n l y as t r a n s c r i b e r s . Thus, the s h i p ' s officers might in m a n y c a s e s
have been able to c a r r y out the data task t h e m s e l v e s in l e s s time
than was r e q u i r e d for their " a d v i s o r y " r o l e . R e s u l t s of the subsequent
e x p e r i m e n t a l data collection p r o g r a m using chief e n g i n e e r s supported
such a c o n j e c t u r e . The use of cadets as a continuing source of
information can lead to undesirable discontinuities in the data since
few ships have cadets p r e s e n t on e v e r y voyage. As a r e s u l t , r e l i a n c e
on randona voyage s a m p l e s m a k e s it inapossible to c h a r a c t e r i z e events
a c c u r a t e l y whose nornaal cycle a p p r o a c h e s or exceeds the n o r m a l
voyage length--and a significant amount of the information r e q u i r e d is
of that c h a r a c t e r . The p r o b l e m is p a r t i c u l a r l y acute for r e l i a b i l i t y
calculations on equipment having M T B F ' s on the o r d e r of a year or
more. In this c a s e , an u n r e p o r t e d failure during a naission voyage
naight double the apparent time between failures; and because the total
sample size is s m a l l for infrequent e v e n t s , the e r r o r introduced by
a m i s s i n g datum is c o r r e s p o n d i n g l y l a r g e r .
While p r o b l e m s w e r e encountered which led to revision of the data

collection f o r m s to the f o r m a t s shown in F i g u r e s B. 3 and B. 4, the
r e s u l t s indicated that collection of shipboard maintenance and
r e l i a b i l i t y data is feasible given p r o p e r f o r m s , i n s t r u c t i o n s ,
indoctrination, follow-through, and e n c o u r a g e m e n t from naanagement.
B-10
Based on initial t r i a l s of the data collection p r o g r a m , an integrated
data naanagement systena has been envisioned, as depicted by the flow
c h a r t shown in F i g u r e B . 5 .
EDISON ELECTRIC INSTITUTE (EEI) EQUIPMENT AVAILABILITY

PROGRAM
The P r i m e Movers Committee of the E d i s o n E l e c t r i c Institute (EEI) h a s

been collecting outage data based on equipment availability r e p o r t s
submitted by approximately 90 of its m e m b e r utility conapanies for a
number of y e a r s . The p r o g r a m c o v e r s m o r e than 500 turbines and
b o i l e r s for units having a name plate capacity of 50 m e g a w a t t s or l a r g e r
and with initial s t e a m conditions of at l e a s t 800 psi or 900 F . Of the
total, 91 p e r c e n t of the units have a single boiler per turbine a r r a n g e m e n t .
In the near future, the institute plans to r e p o r t availability and outage
data in connection with nuclear u n i t s .
Outages a r e r e p o r t e d by type according to the classification shown in Table

B. 17, The cause or r e a s o n for each outage is classified as shown in
Table B. 18. The g e n e r a l code n u m b e r s in Table B; 18 a r e designated 100
for b o i l e r s , 200 for t u r b i n e s , 300 for g e n e r a t o r s , 400 for c o n d e n s e r s ,
and 500 for unit outages not caused by any of the previous four c a t e g o r i e s .
Although the list a p p e a r s to be a component classification, since in
m a n y instances the nanaes of equipncient a r e used to d e s c r i b e the code
designation, a c l o s e r examination r e v e a l s an intermixing of component
and event data pertaining to a major piece of equipment. A typical
s u m m a r y of forced outages is shown in F i g u r e B.-6. Using the data
collected in the EEI p r o g r a m a n a l y s e s of availability r e p o r t s ^ ' ' ' have
been p r e p a r e d for use by power utility e n g i n e e r s engaged in design,
s y s t e m planning and production naanagement, and by m a j o r equipment
m a n u f a c t u r e r s . Basically these r e p o r t s provide information on
equipment availability and r e p a i r . As p r e s e n t e d , the data in these
r e p o r t s do not lend t h e m s e l v e s to generating c o m p o n e n t / p a r t failure
r a t e data.
INTERSERVICE DATA EXCHANGE PROGRAM (IDEP). GUIDED MISSILE

DATA EVALUATION PROGRAM (GMDEP). AND FAILURE RATE DATA
PROGRAM (FARADA)
The Inter s e r v i c e Data Exchange P r o g r a m (IDEP) was e s t a b l i s h e d in

1958 for the free exchange of p a r t s / c o m p o n e n t s data among the Department
of Defense ballistic m i s s i l e a c t i v i t i e s . Its p r i n c i p a l function is to
r e p r o d u c e and distribute t e s t r e s u l t s submitted by c o n t r a c t o r s . E a c h
B-11
participating c o n t r a c t o r s u m m a r i z e s the r e s u l t s of his t e s t in a standard
r e p o r t sunamary sheet which is forwarded, with the complete t e s t
r e s u l t s , to the cognizant IDEP office. By multilith p r o c e s s the information
on the standard r e p o r t s u m m a r y sheet is t r a n s f e r r e d to a r e p o r t
s u m m a r y c a r d . In addition, the t e s t data is printed and distributed
s e p a r a t e l y on l 6 m m r o l l film. A sample of a r e p o r t s u m m a r y c a r d
is shown in F i g u r e B. 7.
In 1959 the Navy's Guided Missile Data Evaluation P r o g r a m (GMDEP),

s i m i l a r in purpose and intent to the IDEP, was initiated a t the F l e e t
Missile S y s t e m s Analysis and Evaluation Group (FMSAEG), Corona,
California. The significant difference between this p r o g r a m and IDEP
is that its prinae purpose was to exchange data generated by those Navy
c o n t r a c t o r s engaged in the r e s e a r c h , development, and production of
guided m i s s i l e s . As p r e v i o u s l y indicated, IDEP covered the interchange
of b a l l i s t i c m i s s i l e and space s y s t e m infornaation. In July 1964, GMDEP
was officially consolidated with I D E P .
Late in I960 the Naval Ordnance Systems Command r e q u e s t e d the F l e e t

Missile S y s t e m s Analysis and Evaluation Group (FMSAEG) at Corona,
California, to perforna a component p a r t study a s s o c i a t e d with and as a
subtask to the Navy Guided Missile Data Exchange P r o g r a m (GMDEP).
This study was (1) to d e t e r m i n e whether failure r a t e data was available
and if it could be obtained on a selected list of e l e c t r i c a l , e l e c t r o n i c ,
m e c h a n i c a l , e l e c t r o m e c h a n i c a l , p n e u m a t i c , hydraulic, and pyrotechnic
p a r t s / c o m p o n e n t s , and (2) to develop a method for the collection,
a n a l y s i s , compilation, p r e s e n t a t i o n , and distribution of failure r a t e
data.
Initially,the p o s s i b i l i t y of placing failure r a t e data on the r e p o r t s u m m a r y

c a r d s being c i r c u l a t e d in the existing IDEP and GMDEP p r o g r a m s was
explored. However, it was found that t e s t and failure r a t e data being
c i r c u l a t e d in those progranas lacked sufficient a n a l y s i s and sumnaarization
to facilitate the extraction of failure r a t e s with r e s p e c t to time and
e n v i r o n m e n t . The approach used in GMDEP and IDEP to p r e s e n t r e s u l t s
of individual s h o r t - t e r m qualification t e s t s p e r f o r m e d on p a r t s / c o m p o n e n t s
did not lend itself to p r e s e n t i n g a r a t e of failure on those p a r t s / c o m p o n e n t s .
As a r e s u l t of the study, it was d e t e r m i n e d that modified or new f o r m s

and p r o c e d u r e s would be r e q u i r e d to obtain this information and to p r e s e n t
it uniformly. P l a n s w e r e then formulated to include as naany organizations
as w e r e willing to forward a resunae of failure r a t e infornaation frona
their v a r i o u s in-house p r o g r a m s to a F a i l u r e Rate Data (FARADA)
B-12
Information Center at Corona. The Air F o r c e , Naval Ship S y s t e m s
Command. A r m y , and NASA also b e c a m e s p o n s o r s of the FARADA
p r o g r a m . ' ' Flow of FARADA information is shown s c h e m a t i c a l l y
in F i g u r e B. 8. Qualified data which a r e submitted to the FARADA
Infornaation Ceneter a r e s c r e e n e d , s u m m a r i z e d , compiled, and
published in FARADA handbooks. F i g u r e s B. 9, B. 10, and B. 11
i l l u s t r a t e conapleted sanaple f o r m s of data contribution. Use of these
f o r m s by data c o n t r i b u t o r s , however, is optional since the FARADA
Information Center will accept generated data from p a r t i c i p a n t s in
whatever in-house format available. The FARADA handbooks provide
reliability e n g i n e e r s , design e n g i n e e r s , and maintainability e n g i n e e r s
with failure r a t e infornaation in a convenient f o r m .
The FARADA handbooks conaprise five volunaes e n c o m p a s s i n g m o r e than

30,000 line e n t r i e s of tabulated failure r a t e data; over 2,000 e n t r i e s of
failure mode distribution data; and s t r e s s c u r v e s on e l e c t r o n i c p a r t s /
components. Each volume is updated q u a r t e r l y , and the p r e s e n t a t i o n of
failure data is as follows:
Volume lA Computer printout of e l e c t r i c a l and e l e c t r o n i c

failure rate data. See F i g u r e B . 12.
Volume IB Conaputer printout of m e c h a n i c a l , h y d r a u l i c , p n e u m a t i c ,

and pyrotechnic failure r a t e data. See F i g u r e B. 13,
Volunae 2 F a i l u r e rate data p r e s e n t e d as s t r e s s c u r v e s with

environmental and application f a c t o r s .
Volume 3 F a i l u r e rate data background information to

support Volumes lA, I B , 2 , and 4.
Volunae 4 F a i l u r e naode data to implement application of the

failure r a t e data of Volumes lA, I B , 2, and 3.
See F i g u r e B. 14.
Although the IDEP/FARADA p r o g r a m s a r e not power plant or systenas

oriented, their g e n e r i c code s y s t e m is of value when considering
collection of manufactured data.
In the FARADA component code, the f i r s t three digits a r e the major

classification corresponding to the p a r t / c o m p o n e n t designation. These
digits a r e followed by t h r e e additional two digit s u b c l a s s groups which
identify s e r v i c e , function, operation, e t c . A p a r t i a l l i s t of major and
B-13
subclassifications is shown in F i g u r e s B. 15 and B. 16, F o r e x a m p l e ,
frona F i g u r e B. 17, the index number for a common globe valve m a y be
925.60. 7 5 . 8 4 .
Since s e v e r a l s u b c l a s s e s , such as s e r v i c e , p r e s s u r e r a n g e , power r a t i n g ,

e t c . , a r e applicable to a nunaber of p a r t s / c o m p o n e n t s , common s u b c l a s s i -
fications have a l s o been used according to the breakdown given in
F i g u r e B. 17. In some c a s e s , it was n e c e s s a r y to b r e a k down the two
digit s u b c l a s s e s to the point where each digit gives a subclassification
d e s c r i p t i o n . F o r e x a m p l e , in the second s u b c l a s s for the globe valve
mentioned above the f i r s t n u m e r a l d e s c r i b e d the p r e s s u r e range and
the second nunaeral d e s c r i b e d the function.
UNIFORM SUBJECT INDEX FOR NUCLEAR POWER DEMONSTRATION

(NPD) P R O J E C T
In 1958, a Uniform Subject Index (USI) was e s t a b l i s h e d for the Nuclear

P o w e r Demonstration (NPD) project in order to b e t t e r coordinate files and
accounts between different functional groups such as engineering,
p u r c h a s i n g , accounting, operating, and m a i n t e n a n c e . P r i o r to
establishing this index, a careful review was made of the H y d r o - E l e c t r i c
P o w e r Comnaission (HEPC) breakdowns for hydraulic and t h e r m a l
p r o j e c t s and the Uniforna S y s t e m of Accounts of the U. S. F e d e r a l Power
C o m m i s s i o n ( F P C ) . Subjects p e c u l i a r to nuclear power stations w e r e
considered and an index was selected which r e q u i r e d naininaal changes
from project to p r o j e c t .
The resulting USI breakdown is based on a five digit coding s y s t e m

using nunabers r a t h e r than l e t t e r s and is limited to 0 to 9 at each level.
F o r a given s y s t e m , the n u m b e r s 1 through 9 a r e used to r e p r e s e n t the
r e a l physical breakdown. Alternative nonphysical breakdowns which
an engineer m a y d e s i r e a r e often provided as a software breakdown in
the " 0 " or g e n e r a l s e r i e s . This provides further flexibility in extending
the index s y s t e m without affecting the breakdown based on the r e a l
physical s y s t e m s .
Level 1 Breakdown
The Level 1 breakdown fundanaentally reflects the naajor divisions for

other p r o j e c t s in the H E P C , and is as follows:
0 - General
1 - Site and Improvement
B-14
2 - B u i l d i n g s , S t r u c t u r e s , and S h i e l d i n g
3 - S t e a m G e n e r a t i o n ( R e a c t o r - b o i l e r and a u x i l i a r i e s )
4 - T u r b i n e - G e n e r a t o r and A u x i l i a r i e s
5 - Electrical
6 - I n s t r u m e n t a t i o n and C o n t r o l
7 - C o m n a o n P r o c e s s e s and S e r v i c e s
8 - Plant Construction
9 - Indirect Costs
The s c o p e of e a c h of t h e s e m a j o r l e v e l b r e a k d o w n s a r e e x p e c t e d to fit
f a i r l y w e l l w i t h a n y type of n u c l e a r p o w e r s t a t i o n . I t e m 6 i s a m a j o r
e x c e p t i o n t o the F P C p r a c t i v e on w h i c h the USI i s b a s e d . H o w e v e r ,
s i n c e I t e m 6 i s f u r t h e r s u b d i v i d e d a c c o r d i n g to the conanaon p r a c t i c e ,
identification b e c o m e s e a s i e r .
S h i e l d i n g w h i c h d o e s not f o r m a p a r t of a c o n v e n t i o n a l s t a t i o n h a s b e e n
i n c l u d e d a s a n e x t e n s i o n t o Itena 2. The m a i n g e n e r a t o r w h i c h i s
c o n v e n t i o n a l l y h a n d l e d a s p a r t of the t u r b i n e g e n e r a t o r c o u l d h a v e b e e n
i n c l u d e d in e i t h e r I t e m 4 o r 5. It h a s b e e n i n c l u d e d u n d e r I t e m 4 .
One o t h e r e x c e p t i o n is the c i r c u l a t i n g w a t e r s y s t e m . It w a s c o n s i d e r e d
e c o n o m i c a l l y advantageous to c o m b i n e w a t e r supply r e q u i r e m e n t s , so
the c i r c u l a t i n g w a t e r s y s t e m h a s b e e n i n c l u d e d u n d e r w a t e r s u p p l i e s
in I t e m 7.
Level 2 Breakdown
The L e v e l 2 b r e a k d o w n i s s e t up to c o n f o r m to a b r e a k d o w n s u i t a b l e
for a p a r t i c u l a r type r e a c t o r . A b r e a k d o w n w h i c h w o u l d be t o a l a r g e
e x t e n t the s a m e for d i f f e r e n t p r o j e c t s e m p l o y i n g a h e a v y w a t e r
type of n u c l e a r p o w e r g e n e r a t i n g s t a t i o n .
T h e L e v e l 2 b r e a k d o w n , a s a g e n e r a l r u l e , c o r r e s p o n d s to a g r o u p of
r e l a t e d s y s t e m s a s s h o w n in the e x a m p l e b e l o w :
71 Water Supply S y s t e m s
72 Drainage Systems
73 Ventilation Systenas
B-15
Level 3 Breakdown
As a g e n e r a l r u l e , the Level 3 breakdown c o r r e s p o n d s to a p a r t i c u l a r

systena; for exanaple:
711 Intake Water System

712 Circulating Water System
713 P r o c e s s Water S y s t e m
714 Standby Water S y s t e m
715 Domestic Water Systena
Level 4 and Level 5 Breakdowns
F u r t h e r breakdowns into s u b s y s t e m s and types of equipment have been

made to suit the needs of Level 3 b r e a k o u t . As an e x a m p l e , a standard
breakdown of fluid systenas is shown below:
0 General
1 Heat e x c h a n g e r s , h e a t e r s , c o o l e r s
2 P u m p s , fans
3 Valves
4 Tanks, r e c e i v e r s
9 Piping, ducting
Deficiency R e p o r t s
Based on an operating philosophy of nainimizing paper work, deficiency

r e p o r t s have been relied on to collect input data for r e l i a b i l i t y a n a l y s i s .
Experience has shown that these r e p o r t s a r e the b e s t source of data and
r e q u i r e a m i n i m u m amount of i n t e r p r e t a t i o n .
Deficiency r e p o r t s , a sample form of which is shown in F i g u r e B. 18, a r e

used when deficiencies a r e noted in equipment, design, p r o c e d u r e s
or operation to provide:
1. A m e a n s of reporting a deficiency to a work unit in

o r d e r to have it c o r r e c t e d , and
2. A m e a n s of r e c o r d i n g deficiencies and c o r r e c t i v e a c t i o n s , with
mininauna details n e c e s s a r y for evaluating systena r e l i a b i l i t y .
B-16
Deficiency r e p o r t s are handled according to the flow shown in F i g u r e B. 19.
The originator completes the upper portion of the f o r m by identifying the
s y s t e m , including its failure mode and shutdown r e q u i r e m e n t s and
describing the deficiency itself. The white original and the yellow copy
a r e forwarded to an a p p r o p r i a t e work unit which will take c o r r e c t i v e
action, and the pink copy is retained in the control roona for information
and follow-up p u r p o s e s . Upon completion of the work r e q u e s t e d , the
work unit completes the lower portion of the form and f o r w a r d s the
yellow copy to the originator and his shift s u p e r v i s o r . The white copy is
g e n e r a l l y retained in the work unit files. If the work has been completed
to the satisfaction of the originator and the s u p e r v i s o r , the pink copy is
r e m o v e d from the pending file and d e s t r o y e d . The yellow copy is placed
in the p e r m a n e n t file by the c l e r i c a l unit for future r e f e r e n c e and review
including that by the reliability e n g i n e e r . A space is provided at the
bottona of the f o r m for c o m m e n t s by any p e r s o n during routing,
AEC UNIFORM SYSTEM OF ACCOUNTS
In the development of different nuclear power plant d e s i g n s , many

economic data have been submitted to AEC in p r o p o s a l s and studies by
i n d u s t r i a l organizations; however, d i r e c t c o m p a r i s o n between different
designs w e r e often v e r y difficult since a common set of ground r u l e s
for a s s u m p t i o n s , site c r i t e r i a , and format for p r e s e n t i n g data w e r e
g e n e r a l l y lacking. In 1962 the AEC Division of Reactor Development
authorized the publication of the first edition of a Guide to Nuclear
P o w e r Cost Evaluation^"' to fulfill this need.
In the Guide, a uniform s y s t e m of accounts is developed for estimating

and reporting construction c o s t s for nuclear power and r e l a t e d t r a n s -
m i s s i o n and g e n e r a l plant f a c i l i t i e s . This s y s t e m was designed by the
AEC Division of Finance to provide the m e a n s for standard distribution
of nuclear power plant costs and to facilitate the comparative economic
a n a l y s e s of various nuclear power plant concepts.
The d i r e c t cost accounts have been keyed to the E l e c t r i c P l a n t Accounts

established by the U, S. F e d e r a l P o w e r Conamission (FPC) as shown by
the example in Table B. 19.
The AEC s y s t e m of accounts is designed to facilitate cost e s t i m a t e s and

production cost a n a l y s e s for proposed nuclear power plant concepts as
well as for completed nuclear power p l a n t s . The principal difference
between the AEC s y s t e m of accounts and that of the FPC is that the latter
is designed for use in recording c o s t s of completed plants after the
B-17
allocation of indirect construction c o s t , w h e r e a s the AEC s y s t e m is
designed for use during the construction period p r i o r to the allocation
of indirect construction c o s t s ; and, t h e r e f o r e , provides s e p a r a t e
accounts for these c o s t s (account nos. 98 and 99).
A s u m m a r y of the AEC classification of construction accounts is shown in

Table B . 2 0 . An example of a detailed listing of the AEC accounts, together
with a brief d e s c r i p t i o n of the equipment, m a t e r i a l s , and s e r v i c e s covered
by each of the naajor accounts is shown in Table B . 2 1 .
B-18
REFERENCES
1. P a r k e r , E . and K. C. Rushton, "AHSR Reactor F a u l t Reporting

System Reactor F a u l t Code, " AHSB(S)R76, UKAEA, 1964.
2. Ablitt, J . F . , "The Contribution of Systematic Incident Evaluation

of the Achievement of R e a c t o r Safety, " AHSB(S)R89, UKAEA, 1965.
3. "Computer P r o g r a m to Evaluation of Data from Military Nuclear

P o w e r P l a n t s , " AFWL T R - 6 5 - 1 4 , Westinghouse E l e c t r i c
Corporation, Atomic Power Division, July 1965.
4. Hanifan, D. T. , R. A. Westland, L. B. Sklar, and D. A. Atkins,

" M a r i t i m e Administration Maintenance and Reliability P r o g r a m , "
Vols. I - I V , MA-3402, Dunlap and A s s o c i a t e s , I n c . , 1965.
5. Atkins, D. A. and A. W. Harbaugh, "Merchant Ship Maintenance

and Reliability, " Society of Naval A r c h i t e c t s and M a r i n e E n g i n e e r s ,
Southern California Section, F e b r u a r y 11, 1965.
6. "Analytical R e p o r t of Equipment Availability for the Seven-Year

P e r i o d 1955-61. " E E I No. 63-42, Edison E l e c t r i c Institute,
May 1963.
7. " R e p o r t on Equipment Availability for the F i v e - Y e a r P e r i o d

1960-64, " EEI No. 65-35, Edison E l e c t r i c Institute, May 1965.
8. " A r m y , Navy, Air F o r c e , and NASA F a i l u r e Rate Data (FARADA)

P r o g r a n a , " Revision 1, May 1966, U. S. Naval F l e e t Systems
Analysis and Evaluation Group, Corona, California.
9. "Guide to Nuclear P o w e r Cost Evaluation, " K a i s e r E n g i n e e r s ,

TID-7025, M a r c h 15, 1962.
10. "Uniform System of Accounts P r e s c r i b e d for Public Utilities and

L i c e n s e s of the F e d e r a l P o w e r Comnaission, " J a n u a r y 1, 1961.
B-19
TABLE B. 1
UKAEA FAULT CLASSIFICATION SYSTEM
Data Column Allocation
F a u l t Number 1 - 5
Date
Day 6 - 7
Month 8 - 9
Year 10 - 11
R e a c t o r Identification 12 - 13
P l a n t Type 14 - 21
Conaponent Type 22 - 27
Fault Importance 28 - 31
F a u l t Type 32 - 36
Effect 37 - 38
Site Reference Number 41 - 46
Site Run Number 46 - 50
Time Since Start of Run
Hours 51 - 53
F r a c t i o n of Hours 54
Time R e a c t o r Out of Operation
Hours 55 - 57
F r a c t i o n of Hours 58
R e a c t o r Power at O c c u r r e n c e of F a u l t 59 - 61
Fraction 62
Unit of P o w e r (MW, KW, or W) 63
Whether Poisoned Out 64
Method of Shutdown 65 - 66
M a r k Number of Faulty Component 67 - 68
Unused Columns 39-40, 69-74
B-20
TABLE B.2
P A R T I A L L I S T O F P L A N T T Y P E S*
Control E l e c t r i c a l System and Instrumentation 1 6

Control C i r c u i t r y r 6
Reactor 1 6
Safety Circuits 1 6
S t a r t Guard Sequence 1 6 1
Alarms 1 6 2
Emergency Trips 1 6 3
Shutdown Button 1 6 3 1
Reactor T r i p s 1 6 4
P o w e r Setback 1 6 5
Interlocks 1 6 2
Warnings 1 6 3
L a m p Indication 1 6 4
Position Indication (Safety Rods) 1 6 5
Position Indication (Control Rods and Arms) 1 6 6
Operating Controls 1 6 7
Bypass Circuits 1 6 8
Control A r m Misalignment Circuit 1 6 9
Ancillary Equipment 1 6 2
Door System Indicator 1 6 2 1
E x t r a c t F i l t e r and Seal System 1 6 2 2
Make-up P l a n t 1 6 2 3
M. O. W, or Dewhirst Gear 1 6 2 4
Nucleonic Channels 1 6 2
Reactor Control 1 6 2
P e r i o d Channels 1 6 2
T r i p Unit 1 6 2 1
1 6 2 2
1 6 2 3
1 6 2 4
P e r i o d Meter 1 6 2 5
Reactivity T r i p Circuit 1 6 2 6
Flux Channels 1 6 2 2
L i n e a r Power 1 6 2 2
Low Level 1 6 2 2 1
High Level 1 6 2 2 2
Change-over Mechanism 1 6 2 2 3
T r i p Unit 1 6 2 2 4
1 6 2 2 2
Log Power 1 6 2 2 3
Low Level 1 6 2 2 3 1
High Level 1 6 2 2 3 2
T r i p Unit 1 6 2 2 3 3
Integrated Flux 1 6 2 2 4
Neutron Source 1 6 2 3
Position Indicator 1 6 2 3 1
1 6 2 4
1 6 2 5
* C o d e n u m b e r s left a d j u s t e d b e g i n n i n g w i t h C o l u m n 14.
B-21
TABLE B . 3
PARTIAL LIST OF COMPONENT TYPES*
Not Applicable (
Electrical
Control Equipment ]
Switche s
Limit 1
Micro 2
Anti -Vibration 3
Reset Position 4
Range Selector 5
Relays ] 2
Contacts 2 1
Winding 2 2
Sealed 2 3
Moving Coil 2 4
Meters 3
Frequency Meter 3 1
Indicating L a m p s 4
Ordasign 4 1
Alarms 4 2
Overrun Lights 4 3
Voltage Regulators ] 5
Variacs 5 1
Synchro Equipment ] 6
Magslips 7
Transmitters ] 7 1
Receivers 7 2
Drives 7 3
General Equipment ]L 2
Distribution Board Links ]L 2 1
Starters L 2 2
Motor Starters ]L 2 2 1
Interlocks ]L 2 2 1 1
U/V Solenoid ]L 2 2 1 2
Auxiliary Contacts ]I 2 2 1 3
Overload Protection L 2 2 1 4
Crane Controllers ]L 2 2 2
Drum Segments L 2 2 2 1
Commutators L 2 3
Components ]L 2 4
Transformers ]L 2 4 1
Rectifiers L 2 4 2
Suppressors ]L 2 4 3
Transducers ]L 2 4 4
Pressure ]L 2 4 4 1
Circuit Protection Systems ]L 2 5
Fuses ]L 2 5 1
Heaters ] 2 6
Switche s ]L 2 7
*Code numbers left adjusted beginning with Column 22.
B-22
TABLE B . 4
FAULT IMPORTANCE*
A. Faults or actions which place the reactor in a dangerous state. 1 0

A. 1 Faults or actions resulting in significant hazard or damage to plant. 1 1
A. 1. 1 Faults or actions resulting in significant hazard or damage to plant
and injury to personnel. 1 1 1
A. 2 Faults or actions prevented from resulting in significant hazard or damage
to plant or personnel by circumstances outside those envisaged in the
equipment design. 1 2
A. 3 Faults or actions prevented from resulting in significant hazard or damage
to plant or personnel by the ultimate available protection. 1 3
B. f a u l t s or actions which reduce reactor safety. Z 0

B.l Failure to operate of any trip equipment which reduces reactor safety. 2 1
B. 1. 1 Failure to operate of any trip equipment which reduces reactor
safety and results in personnel hazard. 2 1 1
B.2 Faults or actions affecting the correct functioning of important plant
equipment (other than trip equipment) which reduces reactor safety. 2 2
B. 2. 1 Faults or actions affecting the correct functioning of important
plant equipment (other than trip equipment) which reduces reactor
safety and results in personnel hazard. 2 2 1
B.3 Incorrect adjustment of plant trip levels which reduces reactor safety. 2 3
B. 3. 1 Incorrect adjustment of plant trip levels with the result that the
reactor actually trips at a level above the correct value, reducing
reactor safety and resulting in personnel hazard. 2 3 1
B.4 Faults or actions which by themselves have not reduced reactor safety but
have occurred so frequently as to raise doubts on the safety of the system,
whether mechanical or human. 2 4
B.5 E r r o r by operator in the control of important plant equipment which reduces
reactor safety. 2 5
B. 5. 1 E r r o r by operator in the control of important plant equipment which
reduces reactor safety and results in personnel hazard. 2 5 1
C. Faults or actions which do not reduce reactor safety. 2 0

C. 1 Faults or actions which do not reduce reactor safety when considered
separately (N. B. , if they occur frequently, they may come within Category B. 4). 2 1
C.2 Reactor trip. 2 2
C . 2 . 1 From power. 2 2 1
C. 2. 2 When at shutdown. 2 2 2
C.3 Loss of operating time. 2 3
C. 3. 1 Prevention of startup. 2 3 1
C . 3 . 2 Deliberate shutdown. 2 3 2
C.4 Faults found during routine testing. 2 4
C.5 Giving rise to high maintenance attention. 2 5
C.6 Incorrect displayed information (recorders). 2 6
C.7 Incorrect displayed information (electronic instruments). 2 7
C.8 Incorrect displayed information (all other reactor displays). 2 8
C.9 Unexpected activity levels. 2 9
D. Events which have no safety significance whatsoever. 3
B-23
TABLE B. 5
PARTIAL LIST OF FAULT TYPES*
Electrical 1
Mains Supply 1 1
Failure 1 1 1
Local to Component 1 1 1 1
Surge Effects 1 1 2
Voltage Variations 1 1 2 1
Synchronization Faults 1 1 3
Standby Supply 1 2
Failure 1 2 1
Surge Effects 1 2 2
Synchronization Faults 1 2 3
E x p e r i m e n t a l F a c i l i t i e s and Rigs Supply 1 3
Failure 1 3 1
Surge Effects 1 3 2
Fault on Component (or Plant) 1 4
Failure 1 4 1
Defective 1 4 2
Overheating 1 4 2 1 1
Arcing 1 4 2 2
Short Circuit 1 4 2 3
Open Circuit 1 4 2 4
Faulty Operation 1 4 2 5
No Operation 1 4 2 6
Reduced P e r f o r m a n c e 1 4 2 7 1
Insulation Breakdown 1 4 2 8
Adjustment 1 4 2 9
I n c o r r e c t Item 1 4 3
Blown F u s e 1 4 4
Damaged 1 4 5
Timing and Sequence Faults 1 4 6
E a r t h Faults 1 4 7
Wiring 1 5
Defective 1 5 1
D r y Joints 1 5 1 1
Lack of Continuity 1 5 1 2
Damaged 1 5 1 3
I n c o r r e c t Item 1 5 2
I n c o r r e c t Layout 1 5 3
Faulty Connections 1 5 4
Circuit Faults 1 6
Assembly Faults 1 7
Faults Causing Spurious Operation 1 8
Control Systems and Instrumentation 1 8
Mains Interference 1 8 1
E l e c t r i c a l Pickup 1 8 2
E a r t h Faults 1 8 3
Faulty Connections 1 8 4
Others 1 8 2
B-24
TABLE B. 6
EFFECTS*
Reactor P o w e r Effects 1
Fluctuations 1 1
Overshtjot 1 2
Reduction 1 3
F u e l Handling Effects 2
E l e m e n t Dropped 2 1
E l e m e n t Lowered Inadv ertently 2 2
E l e m e n t R a i s e d Inadvertently 2 3
Damage to Adjacent P l a n t or Equipment 3
F u e l Defects 4
Canning F a i l u r e s 4 1
Fitment Failures 4 2
E l e m e n t Bowing 4 3
R e a c t o r P r e s s u r e C i r c u i t Effects 5
Depres s u r i z a t i o n 5 1 1
*Code n u m b e r s left adjusted beginning with Column 37.
B-25
TABLE B.7
MISCELLANEOUS COLUMN ALLOCATIONS*
Whether
Power Poisoned Out
M (Megawatts) P (Poisoned)
K (Kilowatts)
W (Watts)
Method of T r i p R e a c t o r State
0 0 0
Auto T r i p 0 1 Warning Only 0
Manual T r i p 0 2 Steady 0
Control Shutdown 0 3 Full Power 0
No Shutdown 0 4 Raising Power 0
No Startup 0 5 Startup 0
Controlled P o w e r , Reduction 6 6K's (Low P o w e r ) 0
P o w e r Setback °0 7 Subcritical 0
Moderator Dumped 0 8 E x p e r i m e n t a l Run 0
M o d e r a t o r P a r t i a l l y Dumped 0 9 Shutdown 0
Critical 1
Reducing P o w e r 1
Being Shutdown 1
P a r t i a l Dumped 1
*Code n u m b e r s a s s i g n e d to columns as indicated in Table B. 1-
B-26
TABLE B.8
PM-1 MALFUNCTION PACKET CARD NO. 2
Data Column Allocation
P a c k e t C a r d Number 1 - 2
Malfunction P a c k e t Identification 3 - 4
R e a c t o r Identification 5 - 9
Code Number 10 - 11
Day 12 - 13
Month 14 - 15
Year 16 - 17
Subsystem Code 18 - 20
Component Location 21 - 22
Component Code 23 - 27
Time of O c c u r r e n c e or Discovery 28 - 31
R e p a i r T i m e , Hours 32 - 35
Time G e n e r a t o r Off, Hours 36 - 39
Time R e a c t o r Not C r i t i c a l , Hours 40 - 43
Malfunction Code 44
P e r c e n t Power Cutback 45 - 46
Safety Code 47
Shutdown Code 48
Description of Shutdown 49 - 78
B-27
TABLE B. 9
MALFUNCTION PACKET CARD NO. 3
Data Column Allocation ]
Same a s C a r d No. 2 3-17
Cost of R e p a i r , Dollars 18-23
Cost of Repair by Outside Contract, Dollars 24-29
F a i l u r e Code 30 - 31
Description of F a i l u r e Code 32-78
B-28
T A B L E B . 10
P A R T I A L L I S T O F S U B S Y S T E M AND COMPONENT CODES
SUBSYSTEM CODES
CA Coolant C h e m i c a l Addition
CC Coolant C h a r g i n g Systena
CP Coolant Purification System
CW Cooling Water S y s t e m
DB Decontamination Building and E q u i p m e n t
DC V i t a l AC a n d DC S y s t e m s
DH Decay Heat Removal System
DV Coolant D i s c h a r g e and Vent S y s t e m
EP Emergency Power System
ES Extraction Steam System
FC F u e l Cask and Cooling S y s t e m
FP F i r e Protection and A l a r m System
FW Feedwater System
HC R e a c t o r P l a n t Heating and Cooling S y s t e m
HV Heating, Air Conditioning, and Ventilating S y s t e m s
IA I n s t r u m e n t Air System
LS Lighting D i s t r i b u t i o n Systena
MC Main Condenser and Condensate System
MS Main and Auxiliary Steam System
COMPONENT CODES
AB Auxiliary Boiler DOR Door

AC Air Conditioner DRY Dryer
AD Air Dryer DS Desuperheater
AE Air Ejector EPT Electropneumatic Transducer
AL Alarm EV Evaporator
AM Amplifier EXC Exciter
AN Annunciator EXT Extinguisher
AS Air Sampler FA Fan
AU Auctioneer FGB Blind F l a n g e
BA Battery FH F u m e Hook
BAL Balance FI Filter
B-29
TABLE B. 11
MALFUNCTION, SAFETY, AND SHUTDOWN CODES
MALFUNCTION CODE
01 N o r m a l Shutdown
02 S c ram
03 P o w e r Cutback
04 None of the Above
SAFETY CODES
01 Actual E x t e r n a l R e l e a s e of Radioactivity
02 P o t e n t i a l E x t e r n a l R e l e a s e of Radioactivity
03 Actual I n t e r n a l R e l e a s e of Radioactivity
04 P o t e n t i a l I n t e r n a l R e l e a s e of Radioactivity
05 Actual Inadvertent I n c r e a s e in R e a c t o r Reactivity
06 P o t e n t i a l I n c r e a s e in R e a c t o r Reactivity
07 No Effect
SHUTDOWN CODES
01 Schedule for Maintenance

02 Schedule for Training or D e m o n s t r a t i o n
03 Schedule for T e s t
04 Refueling
05 Component Malfunction
06 Operator E r r o r
07 Not Used
08 Other
B-30
•
TABLE B. 12
FAILURE CODES
Mechanical Electrical Instrumentation
01 Leak E x t e r n a l 21 Short C i r c u i t 41 E l e c t r o n i c Tube F a i l u r e

02 Leak Internal 22 Open C i r c u i t 42 Transistor Failure
03 Rupture or C r a c k E x t e r n a l 23 Gr ound 43 Geiger Mueller Tube
04 Rupture or C r a c k I n t e r n a l 24 Insulation F a i l u r e 44 BF3 Chamber F a i l u r e
05 Bearing F a i l u r e 25 Brush F a i l u r e 45 Ion Chamber F a i l u r e
06 Clog 26 L o s s of Sensitivity 46 Alignment or C a l i b r a t i o n
07 J a m m e d or Stuck 27 Diode F a i l u r e 47 Connectors--Terminal Fail
08 Gasket F a i l u r e 28 Relay F a i l u r e 48 Resistor Failure
09 Mechanical Linkage F a i l u r e 29 Overload Heater 49 P o w e r Supply F a i l u r e
10 Packing 30 Coil F a i l u r e 50 Cable-Radiation Damage
11 Seal F a i l u r e 31 Contact F a i l u r e 51 Controller--M62
12 Corrosion 32 Switch F a i l u r e 52 Capacitor F a i l u r e
13 Valve Seats 33 Overload 53 D - P Cell F a i l u r e
14 S c o r e - - S t e m or Shaft 34 P h y s i c a l Dam.age 54 Transformer
15 Tube F a i l u r e 35 Power Cable 55 Drive or Torque Motors
16 Lagging 36 Control Cable 56 Clean and Adjusted
17 Adjustment and Clean 37 57 Synchro-Dr. or R e c .
18 Piping F a i l u r e 38 58 Control Cable
19 39 59
20 Mechanical--Other 40 Electrical--Other 60 Instrumentation--Other
Oth e r s
61
62
63
64
65
TABLE B. 13
LEVELS OF MARAD CLASSIFICATION
EXAMPLES (Showing functional r e l a -

T,EVEL DEFINITION
tions in the h i e r a r c h y )
1, Identification/ Identification of the ship and c h a r a c t e r i z a t i o n MARAD Design Number
De sign of the d e s i g n .
2. Environment C h a r a c t e r i z a t i o n of the s h i p ' s e n v i r o n m e n t . T r a d e Route
3. System Collection of s u b s y s t e m s a n d / o r units which P o w e r Supply and P r o p u l s i o n

t o g e t h e r p e r f o r m a m a j o r function of the ship.
4, Subsystem Collection of r e l a t e d units and components

which p e r f o r m a m a j o r subfunction of the Steam Drive
system.
5. Unit Set of one o r m o r e highly r e l a t e d components

and a s s e m b l i e s which a r e a m a j o r portion of Steeun Supply Steam E x p a n s i o n
a subsystem.
6. Component P i e c e of equipment which p e r f o r m s some Main Steani High P r e s s u r e

specific b a s i c o p e r a t i o n . Boiler
Piping Drive Turbine
7. A s s e m b l y Set of s u b a s s e m b l i e s a n d / o r p a r t s which is a Steam

Valves Rotor
m a j o r p a r t of a component and which is usually Drum
replaceable.
8. SubcCssembly Connected s e t of p a r t s which i s a removable Main Steam

p o r t i o n of an a s s e m b l y . Stop Valve
Stop Valve
9. P a r t B a s i c e l e m e n t which o r d i n a r i l y cannot be Drum Body Blade
further disassembled.
Inlet
10. S u b p a r t Specific c h a r a c t e r i s t i c portion of a p a r t . Flange Root
TABLE B. 14
SYSTEMS AND SUBSYSTEMS
System and
Subsystem System and Subsystem
Letter
A Automatic Control System

C Communications System
CB E x t e r n a l Communications Subsystem
CC Internal Communications Subsystem
E E l e c t r i c a l System
EB Generation Subsystem
EC Distribution Subsystem
F Fuel Oil and Ballast System
-i. Cargo System
KB Dry Cargo Subsystem
KC Liquid Cargo Subsystem
L Life Support System
LB Accommodation Subsystem
LC Life Saving Subsystem
M Mooring System
N Navigation System
NB Position Subsystem
NC Safety Subsystem
P Power and P r o p u l s i o n System
PB Steam Subsystem
PC Drive Subsystem
R P r e s e r v a t i o n and Repair System
RB Damage Control Subsystem
RC Maintenance and Repair Subsystem
RD P r o t e c t i o n Subsystem
S Steering System
SB Main Steering Subsystem
SC Auxiliary Steering Subsystem
T S t r u c t u r a l System
V Environmental Conditioning System
VP Accommodations Subsystem
VC Machinery Spaces Subsystem
VD Cargo Spaces Subsystem
VE Refrigeration Spaces Subsystem
W Water System
WB F r e s h w a t e r Subsystem
WC Saltwater Subsystem
B-33
TABLE B. 15
COMPONENT AND ASSEMBLY LIST
Component Assembly
Index 1 Index 3
Assigned N u m b e r s Assigned N u m b e r s Component/Assembly
240-259 Pumps
250 P u m p s , Disposal
255 P u m p s , Hydraulic
01 1 Pump
02 Coupling
98 Controller
99 Motor
260-279 Ducts
01 Ducts and Fittings
02 Dampers
03 Terminals
96 Insulation and Lagging
280-299 Fans
281 F a n s , Intake
282 F a n s , Exhaust
01 Fan
98 Controller
99 Motor
300-319 Instruments
95 Gauges and T h e r m o m e t e r s
320-339 Compressors
321 C o m p r e s s o r s , Liquid
322 C o m p r e s s o r s , Air
01 Compressor
02 Condenser
03 Coupling
98 Controller
99 Motor
B-34
TABLE B. 16
COMPONENT TYPE LIST (INDEX 2)
Component
Type Code Component and Type
Index 2
A Used to indicate no distinguishable types.

B Used to indicate a l t e r n a t e type which is not lis>ted.
Boilers
C Sectional Header
D Bent Tube
E Top F i r e d
Capstans
C Electric
D Electrohydraulic
E Steam
Compressors
C Centrifugal
D Rotary
E Reciprocating
C o n d e n s e r s and Heat E x c h a n g e r s
C Single P a s s
D Double P a s s
E Multiple P a s s
Cranes
C Revolving
D Overdeck Gantry
E Underdeck Gantry
Deaerators
C V e r t i c a l STM J e t , D i r e c t Contact
D Flash
B-35
TABLE B. 17
EEI - TYPE OF OUTAGE
Code
Type of Outage Description
No.
1 F o r c e d Outage An outage which r e q u i r e s a m a j o r piece

of equipment be taken out of s e r v i c e .
2 Scheduled Shutdown An outage which can be planned in
advance or for which the starting date
is controllable beyond the weekend of
the week during which component
trouble o c c u r r e d .
3 R e s e r v e Shutdown Shutdown in which the complete unit
or its turbine, g e n e r a t o r , or boiler
could be operated, but is placed on
r e s e r v e b e c a u s e of fuel economy or
any other r e a s o n .
4 Not Used At P r e s e n t
5 F o r c e d P a r t i a l Out- A reduction in m a x i m u m capacity
age available to the systena of 30 Mw or
m o r e lasting for 1 hour or m o r e .
6 Scheduled P a r t i a l P a r t i a l outage which, by definition.
Outage not a forced p a r t i a l outage.
B-36
TABLE B. 18
FAILURE TYPE
BOILERS
Code Code
100 Boiler 125 Acid Cleaning

101 Water Walls 126 Boiler Casing, Breeching and Ducts
102 Generating Tubes 127 Soot Blowers
103 Superheater 128 Boiler Circulating Pumps
104 Reheater - F i r s t 129
105 Reheater - Second 130 Precipitator - E l e c t r i c a l
106 Economizer 131 Precipitator - Mechanical
107 Air P r e h e a t e r - Tubular 132 Burners (including cyclones)
108 Air P r e h e a t e r - P e r .erative 133 Demineralizer
109 Induced Draft Fans 134 Boiler Control**
110 Forced Draft Fans 135 Miscellaneous
111 Recirculating Fans 136 Furnace Slagging
112 De superheaters and Attemperators 137 Superheater Fouling
113 Bypass Dampers 138 Reheater Fouling
114 Furnace Refractory 139 Air Heater Fouling
115 Safety Valves 140 Induced Draft Fan Fouling
116 Steam Valves and Piping 141 Precipitator Fouling
117 Valves and Piping - Feedwater and 142 Wet Coal
Blowdown 143 Poor Quality Coal (low BTU)
118 Gage Glasses 144 Boiler Water Condition (silica control)
119 Slag and Fly Ash Disposal System 145 P u l v e r i z e r Capacity Limited (due to
120 Stack wear or outages)
121 Pulverizers 146 Ashpit Trouble
122 Stokers 147 Fly Ash Disposal Trouble
123 Fuel Handling Equipment (gas-oil-coal)
124 Fireside Cleaning
TURBINES
200 Turbines 209 Wheels or Spindles

201 Bolting or Casing Dismantle and 210 Buckets or Blades
Reassembly 211 Vibration of Turbine Generator Unit*
202 Governors 212 Lube Oil System and Bearings
203 Control, Turbine, and Reheat (except bearing vibration)
Stop Valves 213 Turbine Control**
204 Shaft Packing 214 Miscellaneous
205 Nozzles and Nozzle Blocks 215 Blade Fouling
206 Nozzle Bolting (1st Stage) 216 Shell Leaks
207 Diaphragms 217 Seal Leaks
208 Shaft
B-37
TABLE B. 18 (continued)
GENERATORS
300 Generator 307 Generator Control**

301 Oil Leakage 308 Exciter
302 Cooling System - Air 309 Miscellaneous
303 Cooling System - Hydrogen 310 Cooling System Fouled - Water Side
304 Cooling System - Liquid 311 Cooling System Fouled - Gas Side
305 Stator (including windings, iron 312 Hot Spots in Windings
bushings, and terminals) 313 Shaft Seals Leaking
306 Rotor (including windings, iron 314 Hydrogen P r e s s u r e Low
collector, and brush rigging)
CONDENSERS
400 Condenser 405 Air Removal Pumps

401 Cleaning 406 Shell
402 Tube Failure (including leakage) 407 Controls for Condenser and Its
403 Condenser Cooling Water Pumps (including Auxiliaries**
piping) 408 Miscellaneous
404 Condensate Pumps 409 Air Leakage
^Vibration - Include all balancing of the unit as Code 211.

**Control - Codes 134, 213, 307, and 407 are to be used when the control associated with
the major piece of equipment is directly responsible for the outage or is being worked on.
OUTAGES CAUSED BY OTHER THAN MAJOR EQUIPMENT
500 This code is to be used whenever there is an outage which causes the turbine and/or
boiler to be unavailable but is not directly chargeable to the turbine, generator,
condenser, or boiler. This code is to show outages for such incidents as operating
errors, floods, earthquakes, failure of transmission lines, l o s s of main transformer,
loss of feedwater heaters, or the failure of any equipment other than the turbine,
generator, condenser, or boiler.
500 Other 503 Main Transformer Trouble
501 Feedwater Heaters - Leaking 504 Switchgear Trouble
502 Feedwater Heaters - Dirty 505 Boiler Feed Pumps (including
drivers and coupling)
NOTE; The boilers, turbines, generators and condensers are referred to as "Major Equipment."
The coded items referred to under each piece of major equipment are referred to as "Components. "
B-38
TABLE B. 19
EXAMPLE O F A E C - F P C ACCOUNT NUMBER CORRELATION
AEC FPC
Account Account
Description Number Numiber
Nuclear Production Plant

Land and Land Rights 20 320
S t r u c t u r e s and I m p r o v e m e n t s 21 321
R e a c t o r P l a n t Equipment 22 322
T u r b i n e - G e n e r a t o r Units 23 323
A c c e s s o r y E l e c t r i c Equipment 24 324
M i s c e l l a n e o u s P o w e r P l a n t Equipment 25 325
Transmission Plant
Land and Land Rights 50 350
Clearing Land and Rights-of-Way 51 351
S t r u c t u r e s and I m p r o v e m e n t s 52 352
Station Equipment 53 353
T o w e r s and F i x t u r e s 54 354
P o l e s and F i x t u r e s 55 355
O v e r h e a d Conductors and D e v i c e s 56 356
Underground Conduit 57 357
Underground Conductors and D e v i c e s 58 358
Roads and T r a i l s 59 359
General Plant
Communication Equipment 97 397
B-39
TABLE B. 20
AEC CLASSIFICATION OF CONSTRUCTION ACCOUNTS

NUCLEAR POWER PLANTS
Account ^——-^——-——-——-———.~——
Number
NUCLEAR PRODUCTION PLANT
20 Land and Land Rights
201 Land and privilege acquisition

202 Relocating highways and r a i l r o a d s
203 Relocating telephone and power l i n e s
21 S t r u c t u r e s and Improvennents
211 Ground i m p r o v e m e n t s
212 Buildings
218 Stacks
219 R e a c t o r containment s t r u c t u r e
22 R e a c t o r P l a n t Equipment
221 R e a c t o r equipment
222 Heat t r a n s f e r s y s t e m s
223 F u e l handling and s t o r a g e equipment
224 F u e l p r o c e s s i n g and fabricating equipment
225 Radioactive waste t r e a t m e n t and d i s p o s a l
226 I n s t r u m e n t a t i o n and control
227 F e e d w a t e r supply and t r e a t m e n t
228 S t e a m , condensate and feedwater piping
229 Other r e a c t o r plant equipment
23 T u r b i n e - G e n e r a t o r Units
231 Turbine-generators
232 Circulating w a t e r s y s t e m s
233 Condensers
234 C e n t r a l lubricating s y s t e m
235 Turbine plant b o a r d s , i n s t r u m e n t s and controls
236 Turbine plant piping
237 Auxiliary equipment for g e n e r a t o r s
238 Other turbine plant equipnnent
B-40
TABLE B. 20 ( continued)
Account
Number
24 A c c e s s o r y E l e c t r i c Equipment
241 Switchgear
242 Switchboards
243 P r o t e c t i v e equipment
244 Electrical structures
245 Conduit
246 P o w e r and control wiring
247 Station s e r v i c e equipment
25 Miscellaneous P o w e r P l a n t Equipment
251 C r a n e s and hoisting equipment

252 C o m p r e s s e d a i r and vacuum cleaning s y s t e m s
253 Other power plant equipment
TRANSMISSION PLANT
50 Land and Land Rights
51 C l e a r i n g Land and Rights-of-Way
52 S t r u c t u r e s and I m p r o v e m e n t s
521 General yard improvements

522 Substation buildings
523 Outdoor substation s t r u c t u r e s
53 Station Equipment
531 Switchgear
532 P r o t e c t i v e equipment
533 Main conversion equipment
534 Conduit
535 P o w e r and control wiring
536 Station s e r v i c e equipment
B-41
TABLE B. 20 (continued)
Account
Number
54 T o w e r s and F i x t u r e s
55 P o l e s and F i x t u r e s
56 O v e r h e a d Conductors and D e v i c e s
57 Underground Conduit
58 Underground Conductors and Devices
59 Roads and T r a i l s
GENERAL PLANT
97 Communication Equipment
DISTRIBUTIVES
98 I n d i r e c t Construction Costs
981 E n g i n e e r i n g , design, and inspection

982 G e n e r a l and adnninistrative
983 Other i n d i r e c t c o s t s
984 E a r n i n g s and e x p e n s e s during c o n s t r u c t i o n
985 I n t e r e s t during construction
99 Miscellaneous Construction Costs
991 Construction inventories

992 T e m p o r a r y construction facilities
993 Construction equipment and tools
994 Construction c l e a r i n g accounts
CONTINGENCY
B-42
TABLE B . 2 1
EXAMPLE O F DETAILED ACCOUNT LISTING
Account
Number
Reactor Plant Equipment

221 Reactor equipment
Reactor vessel and supports, core supports and retainers
within vessel, shielding, control rods including absorbers
and drives, moderator and reflector, shutdown cooling
facilities, and vapor containers when installed withm a
building.
. 1 Reactor vessel
, 11 Vessel supports
12 Vessel
13 Vessel internals, removable, including core
supports and r e t a i n e r s , thermal shields, steam
scrubbers and driers
.2 Reactor controls
21 Control rods, including absorber sections
, 22 Housing, guide tubes and shrouds
23 Drive mechanisms or systenns
24 Supplementary control systems
25 Neutron source
.3 Reactor shielding
. 31 Thermal neutron shields including shield tanks
32 Biological shield
. 33 Blast shield (if other than biological shield)
. 34 Shield cooling system
.4 Reactor auxiliary cooling and heating systems
.41 Safety injection system
42 Emergency shutdown cooling system
. 43 Decay heat removal systenn
.44 Component cooling system
.45 Preheating system
, 46 Post-incident cooling systenn
,47 P r e s s u r e suppression system
5 Reactor plant containers in the form of tanks installed
within a building
. 51 Containers, including supports
. 52 Floors and b a r r i e r s
. 53 Drainage systems
. 54 Ventilation and cooling systems
6 Moderator and reflector including cladding, if any,
except fluids serving as both moderator and coolant
(Account 222. 6)
. 61 Moderator
. 62 Reflector
7 Reactor plant cranes and hoists
222 Heat transfer systems
Reactor coolant system, intermediate coolant systenn,
coolant charging and discharging systems, coolant
sampling and purification equipnnent, steam generators,
and superheaters
. 1 Reactor coolant system
. 11 Pumps and drives
12 Coolant piping and valves
. 13 External steam drums and/or separators when
integral with reactor coolant system for direct
cycle water reactors
.2 Intermediate coolant systenn
21 Pumps and drives
. 22 Piping and valves
. 23 Internnediate heat exchangers
.3 Steam generators and superheaters, including steam
drums and/or separators for indirect cycle plants
. 31 Steann generators
. 32 Superheaters
, 33 Steam drums and internals
34 Steam separators
Taken from TID-7025
B-43
SAFETY REPORT
COVERS P E R I O D FROM 4 1 1 6 3 to 3 1 1 0 6 4
Plant Date Component F a i l Type Shutdown Safety H a z a r d
PMl 41163 SUS 17 No 7

PMl 41163 SC 18 No 7
PMl 51163 MJ 12 Yes 2
PMl 51163 PP 11 No 7
PMl 51163 PP 11 No 7
PMl 51163 MJ 12 Yes 2
PMl 51163 MJ 12 Yes 2
PMl 51163 MJ 12 Yes 2
PMl 51163 MJ 12 Yes 2
PMl 51163 MJ 12 Yes 2
PMl 61163 IM 41 No 7
PMl 61163 LA 60 No 7
PMl 61163 LA 60 No 7
PMl 61163 SC 18 No 7
PMl 71163 IE 10 No 7
PMl 81163 IM 46 No 7
PMl 91163 PS 42 No 7
PMl 91163 PS 42 No 7
PMl 91163 PS 42 No 7
PMl 111163 VL 10 No 7
PMl 111163 VL 10 No 7
PMl 111163 VG 10 No 7
PMl 111163 VG 10 No 7
PMl 121163 AM 42 No 7
PMl 121163 RF 2 No 7
PMl 131163 IM 47 No 7
PMl 161163 CH 48 No 7
PMl 181163 WD 22 No 7
PMl 181163 IM 49 No 7
PMl 191163 PHM 41 No 7
PMl 191163 ND 50 No 7
PMl 201163 VL 13 Yes 5
PMl 201163 VL 13 Yes 5
FIGURE B. 1
SAMPLE SAFETY R E P O R T
B-44
(ALL Tlie IN MOURS)
PLANT PMl
DATE 30036S
PERIOD OF REPORT 41163 TO 311064
PLANT STARTUP DATE 210262
PRESENT CORE STARTUP DATE 210262
TOT. AV. TOT. AV. MAX.

COMP. NO. IN FAIL. TOT. DOWN DOWN CUTBACK REPAIR FAIL. DOWN
CODE «!UeSVST6H TYPE FAIL. TIME TIME TIME TIME RATE SHUTDOWN CLTBACKS SHUTDOWN SCRAMS
SUS 6 17 1 0 0 0 7 0 U 0 0
SUS 6 20 2 0 0 0 30 0 U 0 0
SUS 6 61 1 0 0 0 165 0 U 0 0
SUS 6 40 1 0 0 0 2 0 U 0 0
TOTAL 5 0 0 0 46 .00019 0 0 0 0
RF 2 2 1 0 0 0 44 • 0 0 0 0
TOTAL 1 Q 0 0 44 .00011 0 0 0 0
PP 1 20 1 0 0 0 33 0 0 0 0
1
PP 1 40 1 0 0 0 12 0 0 0 0
(JI
TOTAL 2 0 0 0 22 .00045 0 0 0 0
FL 2 20 ,S 0 0 0 100 0 u 0 0
TOTAL 3 0 0 0 100 .00034 0 u 0 0
DOR 7 20 1 0 0 0 6 0 u 0 0
TOTAL 1 0 0 0 6 .00003 0 u 0 0
COS 1 20 2 0 0 0 24 0 0 0 0
TOTAL 2 0 0 0 24 .00045 0 0 0 0
TOTAL FOB SUBSYSTEM SB 14 0 0 0 48 0 0 0
SC 4 18 U 0 0 14 0 0 0
SC 4 20 I 0 0 0 8 0 0 0
SC 4 1 Q 0 0 1 0 0 0
Taken from AFWL T R - 6 5 - 1 4 .

FIGURE B. 2
SAMPLE FAILURE, SHUTDOWN, AND AVAILABILITY REPORT
AVAILABILITY REPORT
SHUTDOWN NUMBER OF MIN. PERIOD MAX. PERIOD AV6. PERIOD LONSEST SHORTEST
TYPE SMUTDOWNS SET. SHUTDOWNS BET. SHUTDOWNS BET. SHUTDOWNS SHUTDOWN SHUTDOWN
7 7 1 336 53 600
8 6 0 0 U 51
1 7 8 792 218 2300
5 8 1 5586 V78 123
2 0 0 0 u 0
0 0 0 0 J 0
0 0 0 0 J 0
0 0 0 0 0 0
TOTAL SHUTDOWNS 28
OVERALL MINIMUM PERIOD BETWEEN SHUTDOWNS 1
OVERALL MAXIMUM PERIOD BETWEEN SHUTDOWNS 5586
I OVERALL AVERA6E PERIOD BETWEEN SHUTDOWNS 416
OVERALL LONGEST SHUTDOWN 2300
OVERALL SHORTEST SHUTDOWN 7
PLANT AVAILABILITY .542
REACTOR AVAILABILITY .991
SIX WORST COMPONENTS NO. FAILURES

IH 12
IE 11
ND 11
MJ 11
AB 9
PP 8
•••END OF FILE^**
Taken from AFWL T R - 6 5 - 1 4 .
FIGURE B . 2 (continued)
M A I N T E N A N C E / K B PA m / I N S P K C T ION REPORT
A. SHIP IDENTIFICATION
© Ship Nam* 0ltagtalarad Hull No. _ 0 J o h No._
I I I I I I I rm
B. COMPONENT/A.SSEMBLY IDENTIFICATION
© Coda No. © CMnpoaanl/AaaamUy daacrip<toa
(7) MawufaclMrar , (i) Mamifacturar'a Medal or Typa No.,
— @ U Typa Coda A or B, daacrlba typa_
MAINTENANCE. REPAIR, AND mSPECTIOT ACTIVITY DATA
Tiroa Data oi Activtiy (Chack andfllloutaaetlea IS, 14. and/or 15. t
Q Activity Bagan O riRapair O •fta.uUtoTV Inanactlon Q QUowttoo Inapaction/Malntananca/SarTictai

a. Raaaoal a, Typa of Inapacttow a. Raaaom lor inapnctien/Maintananca/Sarvldng:
Data Tima
§
Cainplata teUura
Dagradad parformaaca
IncMaBl fallura:
DABS
Dusco
B
QCompany policy
Mamifacturar'a auggaatad policy
ChUI Ei^lnaar'a policy
QPttbUc Haaltit Dothar
tf^ Activity Complalad JAbnormal tamp., Milaa, vibration, ate. QOtbar
Data Tim a
. Condition dtacovarad during: b. Sbip dalay doa to b. Normal achadula lor thla inapac, /maint. /aarvicing action:
inapactlon. U any.
rm ^ OOparaUona:
8At aaa
In pert
QReutliM tnapac. /malnt./aatvtctag
Evary: ^^^^^^^^^ hour (a)
day (a)
waak(a)
month(a)
^ Activa Tima Spant DOtbar rapalr work _______^___ voyaga(a)
On Activity QLab or ethar apacial toala/axatnlnatlona yaar(a|
Ihowra) '^Bagvlatery tnapac tion
QRagnli
DOthar
Action (Complata (or rapalr, ragulatary inapactien and reutlnn Inapoctlen/malnlananco/aarvlclni.)
j{^ Immadiata Action ?^ Subaaquapt Action O Typa of Actinn (Ckack ona or mora aa ^pllcabla.) ^ Raault of Action
QContlnua oparatlon of affactad aquipmant
QShutdown affactad aqulpmanli
a. Location of Actten:
SAdjuatntant
Raplacamant with another
aaoembly/part;
DUnfoul
QCl**"
Q Lubricate/change lubricant
D No effect of operation of
affected equipment
O'uoctien not naadad during ihutdown

OPuncHoa naadad during aluildown/
B
At aaa
Docfcaldo • ta port
BDockatda - aUpyard
QMew
QKecendltlenad
QRawork/Ovevhanl enlaUng
DDIeaaaanbIa/reaaaambia
for repatr/malnt./aarvlce
DK*plAC*/•**<*•*/A^^ eapen-
D Temporary Interruption of
normal operations
D Operable, but degraded
awltch to baclûp or altamatlva aquip- Drydeck aaaamUy/pbrti dabla a lam ant/material parfermanca (laaa than
QRamovad (rem ahlp to: QCompleto er extanalva Iflltar alement, chemical rated operating condition)
compound, ate.): daacrlba
OFunctlon naadad during ahutdown, but
no back-tv a' altarwHva aqulpmant
avatlabia
S Deekalda akop/tncUlty
Contractor ahop
BSh^yard ahop 8 Patch er plug
Rajain (anldar, weld,
bolt, etc.)
D Opan/lnapect/cloaa up
D Unrepairable/inoperable
(hold for arrival in port
or Bh^yard)
Mamitactnrar DKameve aampla e<
Dothar D Temporary repair
b. Action parlarntad by: for analyale/axaminatlen by
QShlp'a craw DP*"*)anant repair
QShoro gang Pother
O * * • *>)t* •ctioB « follow-up on I
yCentractor craw recent temporary repair?
O Shipyard craw ^ 9 Daacrlba action _
Q Manufacturer DHo
D V«» (Job Na. i
^p What ia the related preventive maintenance policy, U anyf_

@ What is the related inapectlen achedula?
D. FAILURE DATA (CompleU for repair aciivitiea only.)
0 Failure Typa O r « » w * Cauae ^ Effect on Syatom 0 Effect on Shtp'a Prograaa

^y Fallura Occurrence D Nornial uaa
Date Time Dwaar: Qlmpropat eparatien
DNormal O Reduced to half D Delayed (in port)
I I I I CZZI D Abnormal
PVibraUon
DP'eaaure bulld-19 rated performance How long^
DBurn out D Environmental aiqraaura D Reduced to quarter D Reduced apeed (at
^ Reatoratlon to Service O Cer ro alon/ Dale r io r atlen Ororaign abraaive material rated performance
Date Time D Fouling/Accumulation of DlitA^quate preventive maln- D Total loaa of function
foreign material tananc e/aerviclng/ele anlng:
I I I I I 1 DFracMre D l^ck of lube
• Other
D Deformation
Ofiop'oper previoua repair/ ^ Deacriba failure _
£& Previoua Aaaembly Failure QElectrical (ahorl. open) Inatallatlon
Date Dothar
M M DManufacturer'a defect
D ^ o o ' deaign
^^ Deecrlba failure cauae
Pother
COMMENTS/RECOMMENDATIONS
FIGURE B . 3
SAMPLE SHIPBOARD DATA COLLECTION FORM

( F i r s t of Two Sheets)
B-47
MAINTENANCE/REPAIR/INSPECTION REPORT SUPPLEMENT
COST DATA
Shoreaide Activity Cost

(J^ Labor Cost
Cost due to access, close-up_

Cost for actual repair
Total of above, if not
broken down
37 Material Cost
Description of Part Cost
38 Reseon for using shoreside facility:
^y Additional Co«t« or Fee* (not covered above)

Deecription Coat Deecription Cost
FIGURE B. 4
SAMPLE SHIPBOARD DATA COLLECTION FORM

(Second of Two Sheets)
B-48
DECISION INFORMATION NEEDED FOR:
• Design
• Policy
• Regulatory
Requirements
I
SHIPBOARD DATA
DATA ANALYSIS PROGRAM COLLECTION
PROGRAM
• Statistical Analysis
• Application of Maintenance SHORESIDE DATA
and Reliability Design and COLLECTION
Policy Optimization Models PROGRAM
SPECIAL
DATA COLLECTION
ACTIVITIES
PERIODIC REPORTS
I PARTICIPANTS
Optimum Ship and C o m - • M a r i t i m e Administration
ponent Design Approaches
• Other Regulator Bodies
Optimum Maintenance and
Operating P o l i c i e s • Shipping Line O p e r a t o r s
and Owners
Revised Regulatory
• Management
Requirements
• Operating P e r s o n n e l
F l e e t Maintenance and
Reliability Reports • Classification Societies
Guidelines for Planned • Shipyards
Maintenance Systenns • Unions
• Manufacturers
• Naval A r c h i t e c t s
FIGURE B. 5
MARAD MAINTENANCE AND RELIABILITY PROGRAM
B-49
FORCED OUTAGES Boiler Turbine Generator
1. Number . . . . . . . Total(a) 1,415 229 75

2. Nttaber . . . . . . . Per Unit(a) 3.2 0.5 0.2
3. Duration . . . . . . Hrs/Unlt Rept'd 156 36 19

4. Duration . - . . _ - Hrs/Outage 48 69 111
MAINTENANCE
5. Manhours (Total) Per Onit(b) 5,706 2,258 761
6. Manhours (Forced) Per nnlt(b) 490 97 67
BREAKDOWN OF PRINCIPAL COMPONENTS

BI SIZE AND STEAM TEMPERATURE
SIZE - MW TEMP. - F
50- 90- 130. 200. 390. 900. 1000. 1040. 1100.
89 129 199 389 599 955 1010 1060 1200
TOTAL NO. OF UNITS REPORTED IN EACI1 CATEGORT(a) 50 124 143 119 2 16 263 153 6
CODE NO. 5TOTAL

f OF AVERAGE TOTAL FORCED OUTAGES
DnRATION(c)
BOILER
101 Water Halls 310 21.9 44 4 55 128 107 14 5 102 188 13

103 Superheater 408 28.8 73 50 105 154 97 0 25 152 228 11
104 Reheater 184 13.0 42 14 50 76 45 0 7 70 102 6
TOTAL 902 63.7
TURBINE
203 Contr. Valves 54 23.6 38 1 13 14 25 1 0 21 32 0

210 Buckets i Bids. 10 4.4 553 0 1 2 5 0 2 3 6 1
211 Vibration 47 20.5 26 0 7 8 30 0 0 22 24 1
212 Oil Sjat. i Brgs. 16 7.0 77 1 5 2 8 0 2 6 7 2
TOTAL 127 55.5
GENERATOR
305 Stator 6 8.0 610 0 4 1 1 0 2 3 1 0

306 Rotor 5 6.7 210 1 0 1 2 0 0 3 2 0
307 Gen. Control 7 9.3 3 0 2 1 3 0 0 5 3 0
308 Exciter 24 32.0 16 4 9 6 6 0 0 14 8 2
TOTAL 42 56.0
NOTES:
(a) Based on total of 438 units reported.
(b) Based on total of 371 units for which manhours were reported.
(c) Total forced outage hours for each component divided by the number of outages.
Taken from EEI No. 65-35 "Report on Equipment Availability for the
Five-Year Period 1960-1964, " Edison Electric Institute, May 1965.
FIGURE B. 6
ANALYSIS OF COMPONENT FORCED OUTAGES FOR THE YEAR 1964

CONVENTIONAL DRUM TYPE UNITS ONLY
B-50
-. .'î. P>18U9 I 1 of
I PUOOHAM OR XL APUN SYSTEM
I CUui'UNlNl PARI NAME PER GENERIC CODE BD
Hounddog
Vavos-Cas, NOC, 100-1000 PSIG, Relief,
i ORIGINATOR'S REPORT NO.
Pressure IM
MD 63-110
4. ORICMATOR't REPORT T I T L E
t TEST T Y P E . E T C .
« t * T ce«*L 20 irjM
Design Proof Tests, Safety Relief Valves
Design Proof
r THIS TEST (SUPERSEDES) (SUPPLEMENTS) REPORT NO,'

,?,. lA PART T Y P E . SIZE. RATING. LOT. E T C . t. VENDOR IB. VENDOR PART Hp. I I . IND./COV. STP. NO. <l',S',fi,
3/6" Line, 750 PSI Diaphragm BL, SIV, BRT 77-NAA-086 10

Proof PresBore
U . INTERNAL SPEC^ ETC REO'D TO UTILIZE REPT ENCL SENT WITH REPORT NO. 14 MIL. SPECS. STDS REFERENCED I N U C
A MC28A-00i2 925.50.73.07-Fl-OlS JL >q?r&-5g7a
ISA " SPEC. PARAGRAPH.-

TEST OR ENVIRONMENT TEST LEVELS, DURATION AND OTHER DETAILS
METHOD CONDITION •f«»re • • i i . i c
1& Ammonia and Helium

Leakage Para 4.5.2 Increments of 50, 350, & 700 PSIG 10
lbI High
Temperature Para 4.1.1 Procedure I 160°F For 50 Hra.
lb| Low Procedure II - SOOF for 48 Hrs - 65**
Temperature " 4.2.2 For 24 Hrs at Ammonia Pressure 50 PSIG
IbJ Life
Test " 4.5.a 7000 Cycles Per Para 2.6 of this report
w Vibration A^
" 4.5.7
" 4.7.1
Procedure 1, ^ to 2000 CPS at i lOg
Per Para 2."7 of this report ^
laI Diaphragn
Burst Para 4.5.3 0-700 PSIG Per Para 2.8 of this report 10
zr tovim
U . SUMMARY OF REPORT, NATURE OF FAILURES AND CORRECTIVE ACTIONS TAKEN:
53
The above specimens are acceptable for the intended function. •«o
Vendor's coninents are included In this reports vn
C3
If r i i T i o SITONO
' VCNOOe CATALOe I •
i
'Mttff-t
MAR 5 - 1 9 6 * ^
CONTMACTOM ItWeCOHTMAC T o e
3
•inqin
••ICI.ICATIOMS I • NAA-S&IO . Jl
REPRODUCTION OR DISPLAY OF THIS MATERIAL FOIP&ALES OR PUBLICITY PURPOSES IS PROHIBltEO
FIGURE B. 7
R E P O R T SUMMARY SHEET
B-51
Primary Sources and Types of Failure Rate Data
Sponsored by Army, Navy, Air Force, and NASA
Prime Contractors and Major

Government Subcontractors on Military Testing
Activities Weapons and Space Programs Laboratories
Data Collection, Screening, Analysis

Summarization, Compilation, Distribution
FARADA Information Center

Corono, California
Part/Component Failure Rate Data Handbooks
Participating Contractors' Engineering Groups

in An Aid to
Design, Development, Application
Reliability, Maintainability, Service Use
FIGURE B. 8
FARADA INFORMATION FLOW CHART
B-52
SACKGROUNO INFORMATION ON FAILURE RATE DATA - FARADA PfiOCRAM
UNO FMSAt* M M 4 IIO.M)
TO WPPORT "TASUtAI FAILUHI RATI DATA tUMMARY"

A(IIVMt • f POST NUMSIS W IDFN(iriC«linN ^1til I HPIiBI ' " "
fiC^f- 0>*^t»'"i
I. DESCRIPTION OF EQUIPMENT(S) TESTED OR UNDER SURVEILLANCE
\ mSCRIPIION » ^ I I M IVPI INIINrill>l<-N( IION
AN|/FSQ-7- Z.«ii^<|e hii|h &|0ecd diY'wl eoiwpMTe*- TO** «A««, II
0 PSOOUCTIOM STATUS fProAcf'OM P'.fot,^*. fc,Mdb«wdJ
fVc»fco"^*^p«-
C ACC or I0UIP«EHT M PRIOR TOCOHMfNCfUftj! (if f f S I OR SuRVHLlANf f 0 VINTAGE OF E0UIPMCN1 tY,». .«•#•*••.•«•/ «
j<}frZ
II CONDITION Of TEST f o r >.,rv*.M.i.c*f
A DATl AND DURATION
ft ENVIRONMENT (««*vnrf, •.>fc*fA«, lefc*r«f*fr " • • « • / f «!• •»*<••••••• M««l«.a«a.# ! . ( • .(c ofl«f«>» .ttrrf ^•C«<#>'*M .nelwW"^ faAfr^liic*) l*r«>.»«l
building rt*t: A clAS&iTftcci Joc^Ti^n .
C MAM1ENANCE r^sw*./.* r«*lace

MANCE rt«w*>/>« r«»l«e «nrf'«»••>
•••rf'•»•.• •'«••*•«««•.•,
•'«.«.«««.,•, vtc
MC ) • i ^ « J .
rfcpUcc and irftp»i»« _^ <

til. SYSTEM STATISTICS
A TOTAL SYSTEMS (nu-.fc*' . f
( Co»Mp**'t« S\«
B TOTAL OPERATING TWE AND IIUE SASC ( f l . ^ t hM'B hMi*'hews •«u.0»*«> h.Mst
C STSTEMMEANTIME, T01A1 MUMStR OF f AlluSl S
iV FAILURE REPORTING SYSTEM

A CONIROLLEOORUNCONTIIOLLCD,
OLLEDOR UNCONTROLLED, METHOD OF REPOflTINC.
METHOOOF REPORTING. PERSONNEL
PERSONNEL A I A^ H
-iaeî u>^6*<^ iU% tmmm.6iekic. Aur weiM«»ic«. o f piroT«Mi«*t«f

3.
£ ««rsoHricl
DEFINITION OF FAILURI
rtnotUct- c«"^p»«c»rt- «v«vlo«<i, « t c i " n o - d e f e c t - f o « * « lOIAL FAILURf S REPOHTED
<95 -io i O O , ^
FIGURE B. 9
SAMPLE OF C O M P L E T E D
"BACKGROUND INFORMATION ON FAILURE RATE DATA" FORM
B-53
V. PART FAILURE MODES (h, Mch p«. , „ » . ).» <.i<». m^l,. W n».ik« >( port! biling in Mcd H K I A )
PART IDENTIFICATION FAILURE MODE NO OF FAILURES
S^miconAxAAôv Diodes Q}*" 1^1

k M
^Vi^vied 67
M «
Bacif RW&tU'anu. Un^rl«.>£b> /.J.1 zz.
•1 ••
L/HcfaUe £
•1 II
Tetal £SS
R>tMvi TvwMsister, iilicoH Oo«^ 7
VI. PART FAILURE TIMES f l m t w n «.iliic« utrni lot »«di fe.lW part. »*«r« yomH.)
PART IDENTIFICATION OPERATING TIME NO OF FAILURES
jOpAil \f>y^ Cc y a ' * n c 7^*^^ hcKi-ji
•S«'ti«»eo»icL*cre»', Dtodfc , 6ermaiii«<» 02LS houri
ft^%>>. Tyâwaister ^ £ilteo>i ZOOO-ZSOO ho^î

ASDO-UOOO htfUi^S
CpKiîoi^ .^ Ga»'i>o»i ^QwipOBiTigj. ySgO-8S00 hour's
VII. SPEQAL ENVIRONMENTAL_ COMDtTJOHS f L . i . l l ifewwnli Iff j i y n on "Tpfcwlf Fmtlur» Hwtm Dota iimmofy'*)
-{o i^t. AN/F<5-7 occurred «ipprvxii*i^teli| "i- i'lr^ts ptv
.t»^<. TU«»«. aup^cs i u « « . «» Hi^î as ISO pe<^c«*»T
f^
VIII. ADDITI0f4AL INFORMATION (ramiirn* on aWnmiwI I I I M H . I f.<uiiW) •
.s#
&ucc«.«diVjc <i**.c pe^-itxis (l?*f«v«MC«$ « W b , *-««peetivel.f ) . Tlic "t'ô
av0Mp5 « ^ d a t a t-Jrre. iViTe<ji^«»teO into tV\** J I I M ^ I * . I'cpoi'T sine*.
t^»«M d««cv»b« + U c »«m«. «ûiV»»"eint • ^ d tl«t cOHr,(jOMC.^t fwilwrc
yntcs Mcrc -t»«'^n «i»MiUr.
IX. REFERENCES
FERENCES _ . . . . .
«) C b c T ' C , " A^ P*xl»»«i'»-<*'«r »€li«bilit«; ^nalijws <rf the. ^ W ^ - 7 0»ipK+e»',
fVoe««aiV%<)s df tUfc I Z * • ^ i i o ^ l S,^»».fio*;i**i on ?«li«b\li-^ «njlH«;, pp 7 5 - 8 2
1M».rMiAI64M0/> (1044) (•ACK)
FIGURE B. 9 (continued)
B-54
ss-g
>
w
c!
ts
l-H
WM
to
> O o
Wo G
d o W
>
>
en
w
>
i
•^
o
to
FAIUmE MODE DISTRIBUTIONS FAILURE MOOES BY PERCENT OF TOTAL FAILURES
IWLPwmG M W I I (2-M)
iSl
t
1-
2
•I z O
5
s1
8 •1
1
lu OBSERVED O lU M at
•>
u 1-
PART COMPONENT DESCRIPTION
ENVIRONMENT z
a
u
? J X
O i %^ T * ^
o
I
INTENDED
APPLICATION
i31 ,ji
a w o
2
1
^
1
i <•
X
5?
r \ 1
3
^ « p M c i \ . o v , r i x e a , Pttper , -47 Z(. I S lO
MIL-C- 2^244
5 U 4 ^ Zl IB «»
2 N I 0 4 6 , &ilie«»i - N P M ,
3rA/sHiraowa> •7 41 <7 M IS
R«.la.j, D P D T , Ke Sijc Cr.,»t«l
JOVDC 2A iood , Zfr^VDC

a
i
«M5c«Arr tfT afr 7
Mblve , F u e l , S k , 4 * f r . A)leH«<l z(p
Actu«-t.OH. M I L - V - 6 t l O ,
.SSPSX , 1^-30 VDC
BUIEPS FAILURE RATE DATA PRCuRAM
FIGURE B. I I
SAMPLE OF COMPLETED
"FAILURE MODE DISTRIBUTIONS" FORM
FMSAEC-COROMA.CALIF. ftlME^S FAILURE RATE DATA FRnCRAi* MAR t,L9«6
URE RATE DATA
TABLE-A-ELECTKICAL ELECTRONIC COMPONENT PART FAILURE PARTS- NUM- COMP-
HOURS BER CNENT
OBSERVED ENVI- DATE OF FAILURE RATE- IN OF PART
SOU- RONMENT/INTENOEO REPORT FAILURES PER MILLION MILL- FAIL- POPU-
PARTS/CONPONENTS RCE APPLICATION MO-VR OPERATING HOURS IONS URES LATION
SEMICONOUCTORS,DIODES. 1N2S0B,SILICON,POWER 210 GROUND 08-64 .092 43.608 4 5640

SENICONOUCrORS.OIOUES. 1N2$1.SILICON 209 LAB.GNO.SUll/SUB 09-65 .0666IC-AND-0) 209.99 14 40446
SEMICONDUCTORS.DIODES. 1N251.SILICON 209 LAB.GNO.SUS/SUR 09-6S .14SIC1-AND-01) 124.13 V> 23544
SENICONDUCTORS.OIODES. 1N270,GERMANIUM 209 LAB.GND.SUB/SUB 09-65 .02S5tC-AN0-0) 117.19 3 22572
SEMICONDUCTORS.DIODES. 1N276,GERMANIUM 209 LAB.GND.SUtt/SUll 09-65 .0278IC-AND-D) 1469.6 41 283068
SEMICONDUCTORS,DIODES.1N276,GERMANIUM 209 LAB.GND.sua/sua 09-65 .0421IC1-AND-01) 1068.2 45 202608
SENICONOUCrORS.DIODES. 1N277,GERMANIUM,GOLD-BOND 210 GROUND 08-64 .234 5463.1 1280 689724
SENICONOUCTORS.OIOOES. 1N277(JAN).GERMANIUM 217 LAB/GRUUNO 01-65 9.53ILT)I77F) .1049 0 27
SIrHICONDUCTORS.DIODES.1N277(JAN),GERMANIUM 217 LA9(ALI/GRUUN0 01-65 16.4ILnil25F) .0609 0 15
SkMICONDUCTORS,DIODES. 1N277IJAN),GERMANIUM 217 LABIAL)/GROUND 01-65 16.4ILT)I-25F) .0609 0 15
SEMICONDUCTORS,DIODES. 1N429,SILIC0N 217 LAB/GROUND 01-65 1SILT)I77F) .0667 0 20
SEMICONDUCTORS,DIODES. 1N429,SILICON,REFERENCE 210 GROUND 08-64 2.36 1.6949 4 212
SEMICONDUCTORS.DIOOES. lNA57,SILIC0N,0tFFUSED 210 GROUND 08-64 .164 170.92 28 20793
SEHICON0UCTORS,DIO0ES. 1N458,SILICON,DIFFUSED 210 GROUND 08-64 .345 14.51 5 1855
SEMICONDUCTORS,DIODES. IN459,SILICON 217 LAB/GROUND 0.1-65 .292ILT)I77F) 3.424 0 856
SbHICONOUCTORS,DIODES. 1N4$9,SILICON,DIFFUSED 210 GROUND 08-64 22.8ILT) .04387 0 5
S L N I C O N D U C T O R S , D I O D E S . IN474A,SILICON,REFERENCE 210 GROUND ^ 08-64 1.12 39.381 44 4705
SEMICONDUCTORS,DIODES. IN«83B,SILICON 217 LAB/GR''^-* V 01-65 3.5SILr)l77F) .2816 0 78
SEMICONDUCTORS,DIODES. 1N483B.SILICON 217 tA" a^MS* V 01-65 6.991125F) .143 1 30
td SbMICQNDUCTORS,DIODES.1N483B.SILICON 217 01-65 6.99tLT)l-2SF) .143 0 30
I
-J
SEMICONDUCTORS,DIODES. IN538,SILICON.RECTIFIER
SCMICONDUCTORS,DIODES. 1N538(JAN).SILICON
210
217
^m#
t^V* -.iND
08-64
01-65
.084
1.35ILT)I77F)
344.07
.7392
29
0
47321
184
SEMICONDUCTORS,DIODES. 1NS38(JAN).SILICON 217 -lAL)/GROUND 01-65 14.5ILT)I125F) .069 0 6
SbNICONOUCrORS,DIODES. INSSaiJANI,SILICON 217 LAB IAD/GROUND 01-65 14.5ILT)I-25F) .069 0 6
StNICONOUCTORS,DIODES. 1N540,SILIC0N 217 LAB/GROUND 01-65 .268ILT)I77F) 3.7263 0 1028
SEMICONDUCTORS,DIODES. 1N540.SILICON,RECTIFIER 210 GROUND 08-64 1.79 3.9041 7 566
SEMICONDUCTORS,DIODES. 1N547(JAN),SILICON 217 LAB/GROUND 01-65 76.3ILT)I77F) .0131 0 6
SEMICONDUCTORS,DIODES. 1N629,SILICON,SMITCHINC 210 GROUND 08-64 2.18 52.333 114 7580
SbMICONOUCTORS,DIODES. 1N645,SILICON,RECTIFIER 210 GROUND 08-64 .055 274.9 15 34532
SbHICONOUCTORS,DIODES. IN645(USAF),SILICON 217 LAB/GROUND 01-65 9.64|LT)I77F) .1037 0 27
SEMICONDUCTORS,DIODES. 1N64S(USAF),SILICON 217 LABIAL)/GROUND 01-65 33ILT)I125F) .0303 0 5
SEMICONDUCTORS,DIODES. IN645(USAF),SILICON 217 LABIAD/GRUUNO 01-65 33ILr)l-25F) .0303 0 5
SEMICONDUCTORS,DIODES. 1N647,SILICON 217 LAB/GROUND 01-65 2.59ILT)I77F) .3864 0 lie
SbMICONOUCTORS,DIODES. IN6S8,SILICON 209 LAB.GND.SUS/SUO 09-6!» .413IC1-AN0-01) 9.6801 4 1836
SEMICONDUCTORS.DIODES 1N658,SILIC0N 217 LAB/GROUND 01-65 1.4alLT)l77F) .6746 0 186
SEMICONDUCTORS,DIODES .1N658,SILIC0N 217 LABIAD/GROUND 01-65 4.72ILT(U2SF) .2119 0 50
SbMICONOUCTORS,DIODES .1N6»8,SICIC0N 217 LAB IAD/GROUND 01-6b 4.72ILT)I-25F) .2119 0 50
SbHICONUUCTORS.DIODES IN65B(USA),SILICON 217 LAB/GROUND 31-65 45.5ILT)I77F) .022 0 5
SEMICONDUCTORS.DIODES .1N658(USA),SILICON 217 LABIAD/GRUUNO 01-65 45.?ILT)I125F> .022 0 5
SEMICONDUCTORS,DIODES 1N6S8(USA),SILICON 217 LABIAL)/CRUUND 01-6^ 45.5ILr)|-25F) .022 0 5
SEMICONDUCTORS.OIUOES IN691.SILICON.SWITCHING 210 GROUND 011-64 .076 145.92 11 19637
FIGURE B.12
TYPICAL PAGE OF FARADA COMPUTER PRINT-OUT FROM VOLUME l A
PARTS- NUM- COHP-
HOURS BER ONENT
OBSERVED ENVI- DATE OF FAILURE RATE- IN OF PART
SOU- ROHMENT/INTENDED REPORT FAILURES PER MILLION MILL- FAIL- POPU-
PARTS/COHPUNENTS RCE APPLICATIOKl MO-YR OPERATING HOURS IONS URES LATION
PUMPS 118B AIRCRAFT 11-63 214IB) .03267 7 ISO

POMPS 138 LAB 10-63 13.5
PUMPS 193A GROUNO/MISSILb 06-65 58.8 .017 1 9
PUMPS.AIR-TURBINE-hOTUR-DAIVEN.HYOR-PWR-SPLY 114 AIRCRAFT 02-63X 814.33IA) .075 61 50
PUMPS.AIR-TURBINE-MOTOR-DRIVEN.HYOR-PHR-SPLY 198 AIRCRAt-T 12-63 826IA) .08478 70 50
PUMPS.ALCOhOL 61 GENERAL/AIRCRAFT ...03-58, _ 200
PUMPS.AUXILIARY.ELECTRICAL.HYDR-PHil-SPLV 114 AIRCRAFT 06-63X 691.561b) .088 61 102
PUMPS.AUXILIARY.EL£CTKICAL.HY0R^PNK-SPLY 114 AIRCRAFT 06-63X IIOO.IIIE) .015 17 68
PUMPS.AUXILIARY.ELECTRICAL.HVDR-PHR-SPLY 198 AIRCRAFT 03-65 623IB) .12691 79 50
PUMPS.AUXILIARY.ELECTRICAL.HYDR-PMR-SPLY 198 AIRCRAFT 03-65 834IE) .11637 97 100
PUMPS.BOOSTER.AOXILIAKY.FOEL-SYSTEM 114 AIRCRAFT 02-63X 160.17IA) .149 24 100
PUMPS.BOOSTER.AUXILIARY.FUbL-SYSTEM 114 AIRCRAFT 06-63X 255.0318) .176 45 204
PUMPS.BUUSTER.AUXILIARY.FUEL-SYSTEM 114 AIRCRAFT 06-63X 97.CUE) .031 3 136
PUMPS.BOOSTER.AUXILIARY.FUEL-SYSTEH 198 AIRCRAFT 03-65 339IB) .25382 86 100
POMPS.BOOSTER.AUXILIARY.FUEL-SYSTEM 198 AIRCRAFT 03-65 241IE) .23274 56 200
PUMPS.BOOSTER.EXTERNAL.DISTRIBUTION.FUEL-SYSTbH 114 AIRCRAFT 06-63X 64.67IE) i'031~ 2 136
PUMPS.BOOiTER.EXTERNAL.OISTRIBUT ION.FUEL-SYSTtH 199 AIRCRAFT 03-65 98.BIE) .23274 23 200
PUMPS.BOOSTER.FUEL 17 GENERAL/AIRCR*FT 01-60 175
PUMPS.BOOSTER.FUEL 22 CEN/AIRCRP"^ SS 06-61 1900IB)
PUMPS.BOOSTER.FUEL 80 »IRCR»-^% V 09-61 13.52 .222 3 1280
PUMPS.BOOSTER.FUEL 144. . 05-64 99.99 .18969 19 366
PUMPS.BOOSTER.FUEL
PUMPS.BOOSTER.FUEL.ENGINE
196
110 e \ W ^ • 06-65
06-59
19.4
625.13
6.6413'
.037
129
23 128
I PUMPS.BOOSTER.FUEL.POWER-PLANT
PUMPS.BOOSTER.FUEL.TANK.EMERGENCY 80
vM***
1S5L . ^ l ^ V
A .KAFI
06-65
09-61
532
10.23ILT)
.21597
.01
lis
0
126
50
00
PUMPS.BOOSTER.FUEL-SYSTEM 114 AIRCRAFT 02-63X 33.37IA) .299 10 200
PUMPS.BOOSTER.FUEL-SVSTEN 114 AIRCRAFT 06-63X 82.17IH) .353 29 408
PUHPS.BOOSTER.FUEL-SYSTEH 114 AIRCRAFT 06-63X 48.5iE) .062 3 272
PUMPS.BOOSTER.FUEL-SYSTEM 179 AIRCRAFT 12-64 91.3 .17532 16 812
PUMPS.BOOSTER.FUEL-SYSTEH 198 AIRCRAFT 03-65 51.6IE) .46548 24 400
PUMPS.BOOSTER.FUEL-SYSTEM 198 AIRCRAFT 12-63 29.5{A) .33912 10 200
PUMPS.BOOSTER.FUEL-SYSTEM 198 AIRCRAFT 03-65 116IB) .50763 59 200
PUMPS.BOOSTER.GTC.AUX-POWER-PLANT 114 AIRCRAFT 02-63X 253.61IA) .075 19 50
PUMPS.BOOSTER.CTC.AUX-POWER-PLANT 198 AIRCRAFT 12-63 236IA) .08478 20 50
PUMPS.B00STER.LH2.GR-TRAIN/H202-DRIVEN-TURBINE 171 GROUND/MISSILE 12-64 1430pO0{L7)ia) .ooooi: 0
PUMPS.BOOSTER.LH2.GR-rRAIN/H202-0RlVEN-TURBINE 171 CROUNO/HISSILE 12-64 61700tLT)|A) .00002 0
PUMPS.BOOSTER.PYLON-TANK.FUEL-SYSTEM 198 AIRCRAFT 12-63 177IA) .16956 30 100
POMPS.CHARGE-SCAVENCE.CONSTANT-SPEED-ORIWE dO AIRCRAFT 09-61 28.63ILT) .035 0 320
PUMPS.COMPRESSOR 82 AIRCRAFT 11-61 2150 .007 IS
PUMPS.COMPRESSOR 84 AIRCRAFT 11-61 447 .114 51
PUMPS.COMPRESSOR.RECIPROCATING 111 AIRCRAFT 02-63 1256.59 .012 15 31
PUMPS.COOLING.CONSTANT-SPEEO-DRIVE 80 AIRCRAFT 09-61 28.63ILT) .035 0 320
FIGURE B . IS
TYPICAL PAGE OF FARADA COMPUTER PRINT-OUT FROM VOLUME I B
P A R J I R E AOOe DiSTRIBUTIOMS FAILURE MOOES BY PERCENT OF TOTAL FAILURES
VMKUMiat)
OBSERVED O lu
ENVIRONMENT/ lU 3
ADDITIONAL PART/COMPONENT DESCRIPTION
INTENDED m d So
ni J2L
APPLICATION
"'
§2 3=
(A M ii
iMl.auiteff.Cat* 123 AUciAn 40 59
tlMt.Shutaff.Gtt«.lbter-Aeenkt.d 123 AMCHAFT 237 4A «A 28
AMi.shntoff.WL-r-sas.TScm-iux. 0-«0 KIC 213 Rzucorm
flMl.9nite£<.SolaiaU-ietiuetaa.Kn.-V-8610.
1SFSI.U-30VDC 2U HELICOFIER
nMl.Sel«iiaU.Di»l-«lec.lin.-r-<tlS. 2SVDC.
O-tOKIO 215 REUcopm
rMl/Otl.Coatml.SwiiHl-AetiiatlaB 198 AIXCRAFT
raat/OU.Caatrol/Slnitaff.CaiVlBC-AetiiaCiaa 198 AXKtAR 12 2
rial/OU.Coaczol/SliateH.Elutrle-liBtac/
IslaasU-ietaatlon 198 AIKIAFT 1
Ibcl/Otl.Caatxol/Shutoff.Mnu«l/Meclumleal-
ietuatloB 198 AIiaAR 93 1
nMl/OU.CoBCzol/Shataff.Iimsatle-Aetuatlaa 198 AIIOAR
laal/Otl.Shuteff.niild-AetuacloD 198 AUCKAR 2
Cljcel .Cheek 80 AZICEAFT
Cl]reat.ABU-Ie*-nuU 80 AKCIAFT 67
B,0,.T.nk-rt«isiiTlaatlen 207 eEOUHD/MISSItE
^fdimaXicChmclt 80 AIBCEAFT u 2
•ydtaulle.Qicek 191 GBDOHD/AHaAFT
•ydnulle.CoBtiol .CoBplncWketvacian 198 ADCIAFT 2 1
•jrdxaulie.CoatrolJItraetlQnsl 191 CEOOII) ICOC
Rfdnulte.Coatrol.taBZienevWtC-Poiicr 80 AUCBAn SOF
^fdmttte.Caatrot.ScrTO.Varl-HaBp 80 AnCBATt
^dxaul le.CoBttDl/Shucoff.Electrical •Aeciwtlon 198 AIECIAFT
^draullc.Caatrel/Shatoff.Brdraullc-Actuation 198 AIEdAFI
•jdtaulle.Coatxol/stuitatf.Hanual-Actuation 198 AIBOAR
^draullc.micr.AcctanalatoT 80 AnCBAR t
Rydtaulie.lalay.Bxaka 80 AnCBAFT 73 U 7A 2B
Rydxaulie.laliaE.Fnamra 123 370
lar
AUCBAFT 29A 29A 42
Rydaulie.lallaf.fTaaaun 123 AHOAFT IS 42 17A 33
•fdtaaUe.laUaf.rca«auzn.AmatiB(.4aar-
Saûaactnt 123 ilBCBAR 14 7A 7
Rydnalle.lallaf.tTaaaura.aoaa-Uhaal 123 AIRCBAR 17 17A 8A 33
Rrtraulic.laliaf.Ftaaaura.FoiMr^ônctol-STataa 123 AIBCBAR 70 48A 22
Rydnulls.laUaf.Spend-Bcaka 80 ADUaUR 3 33
^TauUc.lalief.traaanxn.Speed-STake-SyateB 123 AIBCBAR 117 18A 27
•ydxaalie.lellat.ftnanzn.Ihanal.HlatfoM 123 AIBCBAR 117 27
Rydnalie.leliaf.lhetBal-Vent 80 AIBCBAR S 20A
||draulle.lellnf.lTea8urn.atilicx-S7«t«n 123 AIKBAR 70 22
^ritaalle.laatrletnr.lalief.Cruise •Oraap 123 AnCBAR 4 SOA SO
^ r m a l l e . l a a t r l c t a r . l e l i e f . l a a l t i i t •Droop 123 AIBCBAR 7 14A 14A IS
Rrdraullc.lestrictot.lellef.bnllas-Oraop 123 AIBCBAR C 17A 33
Rfdraulle.leaerletaT.lalief.Idindtiig-Oroap 123. AIBCBAR 3 34A 33A 33A
l^nulte.SalecC9r.4-tla]r.SolaD0U-Aetuatloa 123 AIBCBAR 28 32
M t E P I FAH.88E RATE DATA FRCiiRA*
FIGURE B. 14
TYPICAL PAGE OF FARADA FAILURE MODE DISTRIBUTIONS
A c c e l e r o m e t e r s (See 852)
025 Accumulators
027 Actuators
051 Amplifiers (Electrical or Electronic)
081 Antennas
082 I n a c t i v e (See 081)
085 A t t a c h i n g , M e t h o d s and M a t e r i a l s
091 Audio D e v i c e s
101 Batteries, Nonrechargeable
102 Batteries, Rechargeable
104 Bearings
115 Bellows
117 Brakes
121 Blowers and Fans
124 I n a c t i v e (See 511)
141 Boards, Printed Circuit
151 I n a c t i v e (See 152)
152 Capacitors, Fixed
161 Capacitors, Variable
C h o p p e r s (See 601 R e l a y s )
C i r c u i t B r e a k e r s (See 341)
170 C i r c u i t s , E v a l u a t i o n of
181 Coils, Inductance, Fixed
182 Coils, Inductance, Adjustable
191 C o m p u t e r and R e c o r d i n g E l e m e n t s
201 Connectors, Electrical
232 Counters
241 Crystals
271 Delay L i n e s
301 Electron Tubes
303 I n a c t i v e (See 306)
306 Environmental Simulation Equipment
307 Fasteners
321 Filters, Electrical
326 Filters, Nonelectrical
331 F i n i s h e s and S u r f a c e T r e a t m e n t s ( M a t e r i a l s and P r o c e s s e s )
336 F i t t i n g s , Tubing and H o s e
337 Fluids
338 I n a c t i v e (See 337)
341 F u s e s and C i r c u i t P r o t e c t i v e D e v i c e s
345 Gaskets and Seals
G e a r s (See 511)
347 G e n e r a l T e c h n i c a l Data
358 Gyros
361 H a r d w a r e ( M e c h a n i c a l and E l e c t r o m e c h a n i c a l )
FIGURE B. 15
PARTIAL LIST OF MAJOR CLASSIFICATIONS
OF THE FARADA PART/COMPONENT GENERIC CODE
B-60
SERVICE. MEDIA H/\NDLED VOLTAGE RATING
.10 Cryogenic Fluids .10 Under 1 MV
.20 F u e l , Exocic .20 1-10 MV
.30 Fue1,Hydrocarbon .30 10 MV-1 Volt
.40 Cas, ilot .40 1-30 V o l t s
.50 Cas, NOC .50 30-109 V o l t s
.60 Hydraulic Fluid .60 109-240 V o l t s
.70 Oxidizers, NOC .70 240-1.000 Volts
.80 Pneumatic .80 1 - 1 0 KV
.90 Oil .90 Over 10 KV
PRESSURE RANGE CORE MATERIAL & CONSTRUCTION

.10 0 - 2 5 BmHg A i r , Encapsulated
.20 2 5 - 3 5 mmHg " , Hermetically Sealed
.30 35-225 mnHg ( 7 0 . 0 " , NOC
.40 2 2 5 - 7 6 0 nnHg ( 3 0 . Diamagnetic, Encapsulated
.50 S. L. o n l y , Henaecically Seeled
.60 0-100 p s l g , HOC
.70 100-1000 p s i g F e r r o m a g n e t i c , Encapsulated
.80 1000-5000 p s i g '. 8 , Hermetically Sealed
.90 Over 5000 p s i g . 9 , HOC
POWER RATING ntEQUENCY RANGE

. 0 6 Less Chan . 1 UatC .02 D.C.
. 0 8 . 1 0 - . 1 2 5 WatC .05 60 Cycles Only
. 1 2 . 1 2 5 - . 2 5 Wstt .06 400 Cycles Only
. 1 4 . 2 5 - . 5 0 WRtt .07 0-3 Kc Audio 7raq.
. 1 6 . 5 0 - 1 Watt .10 3-30 Kc
. 2 0 1-2 Watts .20 30-300 Kc Low
. 3 0 2 - 1 0 Watts .30 300-3.000 Kc Medium
. 4 0 10-100 Watts .40 3-30 Mc High
. 5 0 1 0 0 - 1 , 0 0 0 Watte .50 30-300 Mc Very Nisb
. 6 0 1-10 KW .60 300-3.000 Mc Ultra •I
.70 10-100 KW .70 3.000-30.000 Me Super
. 8 0 1 0 0 - 1 , 0 0 0 KW .80 Over 30,000 Mc Extremely
. 9 0 Over 1 MegavaCC
CONTACT ARRANGEMENT Notet
. 0 5 SPST (NC)
. 1 0 SPST (NO) 1. NOC - Not Otherwise Classified
. 1 2 SPOT 2. Range: The Range i s define*) to be
. 2 0 DPST (NC) greater than the lower v a l u e , up
. 2 5 DPST (NO) to and including the larger value.
. 3 0 DPOT Sample! Voltage Rating 1-10 mv
. 4 0 3PST (NC) Any voltage greater than 1 mv, up
. 4 5 3PST (NO) to and including 10 av.
. 5 0 3 POT
. 6 0 4 PST (NC)
. 6 5 4PST (NO)
. 7 0 4 POT
. 8 0 6PST (NC)
. 8 5 6PST (NO)
. . 9 0 6 POT
. 9 5 M u l t i p l e Pole
FIGURE B. 16
FARADA COMMON SUBCLASSIFICATION
B-61
925 VALVES
925.£0 S e r v i c e , Media Handled (Common)
925.00.00^ P r e s s u r e Range (Common)
92.5 . 0 0 Function
. 1 Check
. 2 Multifunction
. 3 Relief
. 4 Servo
. 5 Shutoff
. 6 3-way Selector
. 7 4-way Selector
925. 00. 00.£0 P r i n c i p l e of Operation

.10 Ball
.20 Butterfly
.30 Flapper
.40 Poppet
. 50 Sleeve
. 60 Slide or Gate
.70 Spool
. 80 Globe
. 90 Needle
9 2 5 . 0 0 . 0 0 . 00 Actuation or Control
4 Manual
5 Motor
6 Pilot
7 Pressure
8 P y r o t e c h n i c or Explosive
9 Solenoid
FIGURE B.17
EXAMPLE OF FARADA
PART/COMPONENT CLASSIFICATION CODE
B-62
81198
NPD O.S. aav. ii-ss.

^(1^ To Work Uid DEFICIENCY REPORT
nlM to vOlwOl RoftM WORK UMT COPY
TOi •UUICT
cvvtm
"""
•An
MIUHM
HAJoa
CAfmom
MINMI
.••
•MO-Ok
no
OnMIMATBD
1
STAna**"^ -ComcNMiDeteripHon. llMulH,Cmnmmh, Etc
oATt mcaivco
1
woiiK av
—m
Hounn
•.T
e e a i Mmia.
raaioa
AUCHIVS N O .
DWa. CHAN*!
•unnviaaii
OTHBI COMMENTS •HirTauTCii.«eeapr
omnmaToM
N9 12670
FIGURE B . 18
SAMPLE DEFICIENCY R E P O R T
B-63
O r i g i n a t o r F i l l s in
Deficiency R e p o r t .(P)
I
(W) (Y)
_4_
Work Unit Work Unit C o r r e c t s Retained in
File Deficiency and D e s c r i b e s Control Room
C o r r e c t i v e Action for Follow-up
(Y)
i
Shift S u p e r v i s o r
and O r i g i n a t o r
Review and Approve
(Y)
1
Permanent File
for Review by
Reliability E n g i n e e r
(W) - white original

(Y) - yellow copy
(P) - pink copy
FIGURE B . 1 9
DEFICIENCY REPORT FLOW CHART
B-64
APPENDIX C
E X A M P L E OF LOADSHEET PREPARATION
AND DATA REDUCTION
APPENDIX C
EXAMPLE OF LOADSHEET PREPARATION

AND DATA REDUCTION
Loadsheet p r e p a r a t i o n and data reduction for failure r a t e a n a l y s i s will be

d e m o n s t r a t e d b y the use of a simple pumping s y s t e m as shown s c h e m a t i c a l l y
in F i g u r e C. 1 .
SYSTEM DESCRIPTION
The pumping s y s t e m (system code 21.341) belongs in the r e a c t o r portion

(system code 20) of a hypothetical power plant (I. D. No. 0123). It c o n s i s t s
of one 50 gpm pump, one flow s w i t c h ' , and t h r e e loops each containing
one motor operated control valve all as listed in Table C. 1 , During plant
operation it is a s s u m e d that the pump is operated continuously and
the water flow in e a c h loop is a u t o m a t i c a l l y adjusted by a motor operated
valve. Automatic operation of the valves is controlled by a s e n s o r
m e a s u r i n g tenaperature or p r e s s u r e . The s e n s o r is not shown for
simplicity.
F a i l u r e of any one valve in the closed position will not r e s u l t in a s y s t e m

f a i l u r e . F a i l u r e of any two valves in the closed position will r e s u l t in a
systein failure; and failure of the punap or all three valves will r e s u l t in the
actuation of the low flow switch which in t u r n will s c r a m the r e a c t o r plant.
The flow switch is tested daily during operation.
S\ s t e m History
It is assunaed that the pumping s y s t e m has p r e v i o u s l y completed

approximately five y e a r s or 43, 800 hours of operation with s e v e r a l
component f a i l u r e s . During the next r e p o r t i n g p e r i o d , which is on a
t h r e e - m o n t h i n t e r v a l shown s c h e m a t i c a l l y in F i g u r e C. 2, the r e a c t o r plant
was operating at the beginning of J a n u a r y 1966, and continued operation
through the month of F e b r u a r y until a s c r a m o c c u r r e d on M a r c h 20, 1966.
It was s t a r t e d up again on M a r c h 24, 1966, and continued operation through
the end of the r e p o r t i n g period, March 3 1 , 1966. During this period
Flow switch belongs in System Code 26. 121, I n s t r u m e n t a t i o n and Control
C-1
t h e r e w e r e two c o n c u r r e n t valve failures r e s u l t i n g in total loss of
s y s t e m p e r f o r m a n c e (effect code 3) and one valve failure causing no
loss of p e r f o r m a n c e (effect code 1). A pump failure, which r e s u l t e d
in s y s t e m loss (effect code 3) and plant scrana, also was r e p o r t e d .
Although operation of the example punaping s y s t e m is c o r r e l a t e d to

the r e a c t o r plant (system code 20) in F i g u r e C. 2, the operation of
the t u r b o - g e n e r a t o r (T/G) plant (system code 30) is a l s o shown t o
d e m o n s t r a t e how it is t r e a t e d s e p a r a t e l y . The use data of a s y s t e m
whose operation is r e l a t e d to the T / G plant would use T / G data to m o r e
a c c u r a t e l y derive "time to f a i l u r e " e s t i m a t e s .
LOADSHEET PREPARATION
Loadsheets a r e p r e p a r e d in order to provide infornaation on individual

failure events as well as t o enable data reduction l a t e r by either manual
conaputation or by computer p r o g r a m m i n g . The m a n n e r in which a group
of line e n t r i e s within each r e p o r t i n g period a r e made is as follows:
Step 1: F i r s t naake a s e p a r a t e line entry for r e a c t o r and T / G

operating status at the beginning of the r e p o r t i n g
period (lines 1 and 2 of F i g u r e C. 3).
Step 2: E n t e r all failure events in chronological o r d e r until
plant shutdown or s c r a m occurs (lines 3, 4, 5, and 6
of F i g u r e C. 3).
Step 3: Make a s e p a r a t e line entry for r e a c t o r and T / G
shutdown or s c r a m (lines 9 and 10 of F i g u r e C. 3).
Step 4: Make a s e p a r a t e line entry for r e a c t o r and T / G
s t a r t u p (lines 9 and 10 of F i g u r e C. 3).
Step 5: Repeat line e n t r i e s s t a r t i n g with Step 2.
Step 6: Finally naake a s e p a r a t e line entry for r e a c t o r and T / G
operating status at the end of the r e p o r t i n g period
(lines 11 and 12 of F i g u r e C. 3).
F i g u r e C. 3 i l l u s t r a t e s the conapletion of input data loading for a q u a r t e r l y

r e p o r t i n g period on the exanaple s y s t e m . The e n t r i e s in F i g u r e C. 3
w e r e naade as follows:
Line 1: This is the status (use code 2) of the r e a c t o r plant

(system code 20) on J a n u a r y 1, 1966.
C-2
Line 2: This is the status (use code 2) of the T / G plant
(system code 30) on J a n u a r y 1.
Line 3: Two valve failures o c c u r r e d on F e b r u a r y 4 r e s u l t i n g in
loss of systena p e r f o r m a n c e (effect code 3) but no plant
shutdown (use code 2). F a i l u r e mode was that of
prenaature operation (mode code 6) c a u s e d by m a i n t e -
nance e r r o r (cause code 34). R e c o v e r y of the s y s t e m
operation was made on the s a m e day with six h o u r s
of total r e p a i r t i m e . This entry is for one of the valve
failures.
Line 4: This entry is for other valve failures indicated in
Line 3 discussion.
Line 5: Another valve failure o c c u r r e d on F e b r u a r y 20 with
no loss of s y s t e m p e r f o r m a n c e (effect code 1 and use
code 2); however, r e p a i r was not perfornaed until two
days l a t e r .
Line 6: On March 20 a punap failure o c c u r r e d which r e s u l t e d in
systena loss (effect code 3) and r e a c t o r s c r a m (use code 4).
F a i l u r e naode was that of e r r a t i c operation (naode code 8)
c a u s e d by high operating t e m p e r a t u r e (cause code 31). A
new pump (new I. D. No. 5KY558AA1) from a different
manufacturer (code 543) was installed and r e p a i r
completed on March 21 with a total r e p a i r t i m e of 20
hours.
Line 7: Reactor s c r a m o c c u r r e d following the pump failure.
Line 8: T / G shutdown o c c u r r e d following the punap failure.
Line 9: After r e m a i n i n g shut down for 3 m o r e days another
r e a c t o r s t a r t u p was naade on March 24.
Line 10: T / G s t a r t u p followed 4 days l a t e r on March 28.
Line 11: The r e a c t o r plant was operating at the end of r e p o r t i n g
period March 31.
Line 12: The T / G plant was operating at the end of r e p o r t i n g
period.
DATA REDUCTION
Using data p r e s e n t e d in the input loadsheet, data reduction is possible

by either naanual computation or by conaputer p r o g r a m m i n g . Two
types of infornaation that a r e provided in the output data sheet a r e as
follows:
C-3
Type 1: Listing of p a r t i c u l a r components that have failed during
the reporting p e r i o d . This information will provide the
b a s i s for deriving failure r a t e s and distribution functions
for components of s i m i l a r kind.
Type 2: S u m m a r y of failure r a t e data of all components of i n t e r e s t
as of the end date of the r e p o r t i n g p e r i o d . These data
a r e c a r r i e d over to the next r e p o r t i n g p e r i o d .
A s u m m a r y of failure r a t e data frona the previous r e p o r t i n g p e r i o d s

is shown in F i g u r e C . 4 . The listing of component failures and
sunamary of failure r a t e data for the c u r r e n t r e p o r t i n g period a r e
shown in F i g u r e s C. 5 and C. 6. The output data sheet listing
component failures for the r e p o r t i n g period is produced from infor-
mation on the c u r r e n t input loadsheet and the previous r e p o r t p e r i o d s .
Subsequent to t h i s , a sunamary of failure rate data is g e n e r a t e d .
Components a r e grouped by their g e n e r i c code and also by the s y s t e m
code in which they belong. This e n t i r e p r o c e s s can be handled by
machine p r o c e s s i n g with conaponent f a i l u r e s and failure r a t e infor-
naation being stored on tape for data update and for s p e c i a l s e a r c h e s
such as examination of failure distribution functions.
C-4
Manufacturer's Plant Generic
Component Type
Code I. D. No. Code
Pump 50 g p m , s t a i n l e s s 345 5C50A 221: 56.22

steel, centrifugal
Flow Control 1 inch, s t a i n l e s s 5 67 871A01T42 202: 5 6 . 2 4 . 2 2
Valve steel, m o t o r -
operated gate
Flow Control 1 inch, stainless 5 67 871B01T42 202: 5 6 . 2 4 . 2 2
operated gate
Flow Control 1 inch, stainless 567 871C01T42 202: 5 6 . 2 4 . 2 2
o p e r a t e d gate
Flow Switch Industrial instru- 789 FS971 500: 0 1 . 4 0
ment
T A B L E C. 1
L I S T O F C O M P O N E N T S IN A S I M P L E P U M P I N G S Y S T E M
No Flow S c r a m
Gate Valves
cJo
Pump
FIGURE C. 1
SIMPLE PUMPING STATION
C-6
System/Component J a n u a r y 1966 F e b r u a r y 1966 M a r c h 1966
Reactor Plant
Pumping System
Pump
—I
Valve (A)
H
Valve (B)
•I—
Valve (C)
H--H
Flow Switch
T/G Plant
^ Operation
No operation
Component failure and repair period
FIGURE C. 2
OPERATIONAL HISTORY OF A SIMPLE PUMPING SYSTEM
— -s
Ol
CO
Is V
TB
REPAIR OR EVENT
5s •i
t^
DESCRIPTION
r^
O i •a - - - - - -
r*
OF
s
a •
»
w
LL <«r»
- 1
K ^" V)"
in
to
>< «Q
5: >i ' fsl
«>
to
1 v x v a asm «sl ^4 N o4 M >- V > •s.
-., CM N 1s
loaaaa «) «i V . "> s
asnvo > - - - - - - - -
l: < •
Jlii ' • • •
K"
1 aaon' ' r-
-
NS
H
N4
• ^ 0«
• - - • - • - - - - 5
•n
H Ui > O -
> >-
s • - - • - • - • - - "
s
g - O" ^ ^ • - - • • - - • • •
•
^. ^ >:
f^ S £3 •
- •
- • : • • : :
M S S "5
Q Q ' • " n
rt H
ri • • •
1few Q
> >" ; ; ^ w
3o> <5> ^4 S- CS •v.' 5
en w
- - to
- - re
CO
- - - ; -
•
a O
; ; ; 8 Q
w <
— m
Pi O
D ^
" tn
o H
fxi
1-1
0
<n
^
- - - - - - - - - - - Z
• s
-V a"
s
O .
i rsi .si 1
in
O -
w .
o —
'
la, -
'A
- - - - - - - g
8 0" ^
cn
CO
\o1
•
- - - - -
Is >
•V.
'_
o: 0"
-
<N4 ir>1 csT
•0 •n ~
" - tn
< - -
• —
„ _ *, .
^ 0 cS CT <5 CT CS
(O
v» vS
v5
•41
v5 VJ s*
- - - - - - - -
5§2 2 CT ss S C5 5 - - - - - - - - ;
L:•o^[ aui-i;
g C5
^rOfO
$ <5
>
*si
Q G.
• ^ i n s O h - o o o ^ O ' - « ( M
>
2 - - - - - - - -
\I
C-8
ABC NUCLEAR POWER PLANT
PLANT I.-D. NO. 0123
REPORTING PERIOD
311065 TO 311265
SUMMARY OF FAILURE RATE DATA
ACCUMU-
LATIVE FAILURE ACCUMU
TIME IN PER STANDARD LATIVE MEAN
COM- NO. OF HOUR MILLION, MILLION, DEVIATION, REPAIR REPAIR STANDARD
PONENT COM- FAILURE NO. OF OR HOUR OR HOUR OR HOUR OR TIME, TIME, DEVIATION,
I. D. NO. PONENTS MODE FAILURES CYCLE CYCLE CYCLE CYCLE HOUR HOUR HOUR
COMPONENTS IN SYSTEM CODE 21341
871A01T42 1 1 1 Hour .043780 2.3 10 10

o 871B01T42 1 0 Hour .043800 0 0
•
871C01T42 1 0 Hour .043800 0 0
COMPONENT CODE 202562555 1 Hour .131380 7.6
SC50A 1 3 1 Hour .043775 22.8 25 25
COMPONENT CODE 2215622 1 Hour .043775 22.8 25 25
FS971 1 5 2 Cycle .001828 109 4

COMPONENT CODE 5000140 2 Cycle .001828 109 4
FIGURE C . 4
TYPE 2 OUTPUT DATA SHEET

PAST SUMMARY OF FAILURE RATE DATA
ABC NUCLEAR P O W E R PLANT
PLANT I. D. NO. 0123
REPORTING PERIOD
010166 TO 310366
LISTING OF COMPONENT FAILURES
TIME TO ACCUMU-
FAILURE LATIVE
IN TIME IN
DATE COM- MANU- HOUR MILLION, MILLION, REPAIR
O
I OF PONENT FACTURER'S FAILURE OR HOUR OR HOUR OR TIME, DESCRIPTION O F
REPORT I. D. NO. CODE MODE CYCLE CYCLE CYCLE HOUR REPAIR
040266 871B01T42 567 6 Hour .044640 .044640 6 Motor r e p l a c e d .

040266 871C01T42 567 5 Hour .044640 .044640 4 Contactor adjusted
200266 871C01T42 567 5 Hour .000384 .045024 8 Contactor adjusted
200366 SC50A 345 8 Hour .020696 .045696 20 Pump replaced.
FIGURE C.5
T Y P E 1 OUTPUT DATA SHEET

CURRENT LISTING OF COMPONENT FAILURES
ABC NUCLEAR POWER PLANT
PLANT I. D. NO. 0123
REPORTING PERIOD
010166 TO 310366
SUMMARY OF FAILURE RATE DATA
ACCUMU-
LATIVE FAILURE ACCUMU-
TIME IN PER STANDARD LATIVE MEAN
COM- NO. OF HOUR MILLION, MILLION, DEVIATION, REPAIR REPAIR STANDARD
PONENT COM- FAILURE NO. OF OR HOUR OR HOUR OR HOUR OR TIME, TIME, DEVIATION
L D. NO. PONENTS MODE FAILURES CYCLE CYCLE CYCLE CYCLE HOUR HOUR HOUR
871A01T42 1 1 1 Hour .045838 21.8 10 10
o1
871B01T42 1 6 1 Hour .045858 21.8 6 6
1—' 871C01T42 1 5 2 Hour .045810 43.6 12 6
COMPONENT CODE 202562555 4 Hour .177506 22.6 9.4 28 7
SC50A 1 8 1 Hour .045676 21.4 45 22.5
5KY558AA1 1 0 Hour .000168
COMPONENT CODE 2215622 1 Hour .045844 20.7 25 25
FS971 1 5 Cycle ,001914 105

COMPONENT CODE 5000140 Cycle 001914 105
FIGURE C. 6
TYPE 2 OUTPUT DATA SHEET

CURRENT SUMMARY OF FAILURE RATE DATA
APPENDIX D
S E L E C T E D FAILURE RATE DATA

APPENDIX D
S E L E C T E D FAILURE RATE DATA
This appendix p r e s e n t s a list of failure r a t e data in Table D. 1 for selected

e l e c t r i c a l , e l e c t r o n i c , and mechanical p a r t s or conaponents. In Table D. 2
a list of r e f e r e n c e s is given for additional information on values given in
Table D. 1 as well as for additonal failure r a t e data, p a r t i c u l a r l y on e l e c t r i c a l
and electronic p a r t s .
The values given in Table D. 1 a r e provided to indicate the g e n e r a l level for

failure r a t e s on the p a r t s listed. They a r e not n e c e s s a r i l y the b e s t values
for a p a r t i c u l a r application since the r a t e s must be adjusted according to the
operational and environmental s t r e s s e s imposed on the p a r t s . F a c t o r s
accounting for t h e s e s t r e s s factors may be found in most of the r e f e r e n c e s
listed in Table D. 2.
As a final c o m m e n t , i t s h o u l d b e noted that the data in Table D. 1 and the

r e f e r e n c e s cited in Table D. 2 a r e p r i m a r i l y derived from equipment a s s o c i -
ated with e l e c t r o n i c and s p e c i a l i z e d e l e c t r i c a l s y s t e m s found in m i l i t a r y ,
a e r o s p a c e , and nuclear r e a c t o r instrunaentation s y s t e m s . Data for heavy
e l e c t r i c a l and naechanical equipnaent found in nuclear power plants is s p a r s e
to nonexistent.
D-1
REFERENCES
1. Green, A. E. and A. J . Bourne, "Safety A s s e s s m e n t with Reference

to Automatic P r o t e c t i v e S y s t e m s for N u c l e a r R e a c t o r s , P a r t 3, "
AHSB(S)R117, UKAEA, 1966.
2. E a r l e s , D, R. , "Reliability Application and Analysis Guide, "

M I - 6 0 - 5 4 (Rev. 1), The M a r t i n Company, July 1961.
3. M i l i t a r y Standardization Handbook "Reliability S t r e s s and F a i l u r e

Rate Data for E l e c t r o n i c Equipment, " MIL-HDBK-217A, D e p a r t m e n t
of Defense, D e c e m b e r 1, 1965.
4. Schmudde, A. A . , " E n g i n e - G e n e r a t o r Sets Meet S t r i c t Reliability

L i m i t s , " P o w e r , April 1967.
5. M c G r a w - H i l l Book Company, "RADC Reliability Notebook, "

R A D C - T R - 5 8 - 1 1 1 , October 30, 1959.
D-2
TABLE D-1
FAILURE RATE DATA ON S E L E C T E D
ELECTRONIC, ELECTRICAL, AND MECHANICAL EQUIPMENT
FAILURE RATE, F a i l u r e s / 1 0 ^ hr
SOURCE AHSB(S) MI • 6 0 - 5 4 - ( R e v 1)
R 117 High Mean Low others*
Accumulators 19.3 7.2 .4

Actuators 13.7 5. 1 .35
Alternators 7 2. 94 .7 .033
Baffles 1.3 1. 0 . 12
Batteries 1. 0
Rechargeable 14.29 1.4 .5
Bearings
Ball
Heavy Duty 2.0 3. 53 1.8 .072
Light Duty 1. 0 1.72 .875 .035
Roller 5.0 1.0 .5 .02
Sleeve 5.0 1. 0 .5 .02
Bellows 5.0 4.38 2.237 . 040
Blowers 3. 57 2.4 .89
Buzzer 1.30 .60 .05
Circuit Breakers 2.0 .40 . 1375 .045
Thermal .50 .3 .25 1.0 (3)
Magnetic .5(3)
Coils . 088 . 050 . 033
Connectors, E l e c t r i c a l
General, each pin .2 .47 .2 .03
Contactors 3 .4/c .25/c • l/c
Covers
Dust .01 . 006 . 002
Protective . 061 .038 .015
Cylinders .1 .81 .007 . 005
Hydraulic . 12 .008 .005
Pneumatic . 013 .004 . 002
Diaphragms 9.0 6.00 . 10
Metal 5
Rubber 8
Ducts 1 1.3 .5125 .21
Fans
Exhaust 90 9.0 .225 .21
Fasteners
Bolts .02
Nuts .02
Screws 5
Filters .8 .3 . 045
Blockage 1
Leakage 1
Fuse 5 .82 .5 .30 .1(3)
Gaskets .5
D-ring .2 . 03 .02 .01
Phenolic . 07 .05 . 01
Rubber .03 .02 . Oil
Generators 2.41 .9 .40
d. c. 9 6.27 .9 .30
D i e s e l , Battery start 89 (4)
Heaters, Electrical
Elements . 04 .02 .01
Heat Exchangers 18.6 15.0 2.21
Hose 3.22 2.0 .05
Heavily S t r e s s e d 40
Lightly S t r e s s e d 4
See Table D-2 for reference sources
D-3
TABLE D. 1 (continued)
F A I L U R E R A T E , F a i l u r e s / 1 0 ^ hr
SOURCE AHSB(S) MI - 6 0 - 5 4 - ( R e v I)
R 117
High Mean Low Others
Instruments
Electrical 5.77 1.375 1.35
Pressure
Gage 10 7.8 4.0 0. 135
Sensor 6.6 3.5 1.7
Temperature
Bulb 3.30 1.0 0.05
Sensor 6.4 3.3 1.5
M e t e r s (moving coil) 3
Recorders 25
Lannps 35.0 8.625 3.45
Fluorescent 10
Incandescent 32.0 8.0 5.20 1.0 (3)
Indicator 5
Neon 2 18. 8 10.25 4.50 . 2 (3)
Motors 10 7.5 .625 . 15
Blower 5.5 .2 .05
Electrical .58 .3 . 11
Hydraulic 7. 15 4.3 1.45
Servo .35 .23 . 11
Stepper 5 .71 .37 .22
Mechanisn:!, P o w e r T r a n s m i t t a l
Belts 40 15.0 3.875 . 142
Clutches 1. 1 .4 .06
Friction 3
Magnetic 6 .93 .6 .45
Slip .94 .3 .07
Coupling 5
Flexible 1.348 .6875 .027
Rigid .049 .025 .001
Gear .20 . 12 .0118
Helical 10 .098 .05 .002
Spur 'l 4.3 2. 175 . 087
Shafts .62 .35 . 15
Heavily S t r e s s e d .2
Lightly S t r e s s e d .02
R a c k and P i n i o n 2
Mounts, Resilient 9 1.60 .875 .20
Orifices
Fixed 2. 11 . 15 .01
Variable 3.71 .55 .045
Pumps 24.3 13.5 2.7
E l e c t r i c Drive 27.4 13.5 2.9
Piping
Pipes .2
P i p e joints . 5
Union and J u n c t i o n s .4
Pressure Vessels
General 3
High S t a n d a r d 0.3
Regulators 5.54 2.14 .70
Flow and P r e s s u r e 5.54 2. 14 .70
Pneumatic 6.21 2.40 .77
Relays
General .48/c .25/c . 10/c
E a c h Coil .3
E a c h Contact P a i r .2
High Speed 5
Heavy Duty 5 .81/c .5/c .30/c
H e r m a t i c a l l y Sealed . 5 . 19/c .04/c .02/c
Miniature .25/c .06/c .03/c
High Speed 1. 13/c .7/c .42/c
Power 4. 10/c .3/c . 15/c
P . O . Type
General 2
Fully Tropicallized 1
Restrictors 5 .983 .59 . 197
D-4
FAILURE R A T E , F a i l u r e s / l O ^ hr
SOURCE AHSB(S) M I - 6 0 - 54-(Rev 1)
R 117
High Mean Low Others
Seals
R otating 7 1. 12 .7 .25
Sliding 3 .92 .3 . 11
Solenoids .55 .05 .036
Springs .221 . 1125 .004
Heavily s t r e s s e d 1
Lightly s t r e s s e d .2
Hair 1
Calibration .42 .22 .009
Creep 2
Breakage .2
Switches .14/c .5/c .009/c
G e n e r a l , e a c h contact .2
Micro 2 .50/c .25/c .09/c
P u s h Button .5 .U/c .063/c . 043/c
Rotary 2 .660/c .175/c . 118/c
Thermal .261/c .161/c . 114/c
Heater 1
Contacts 1
Toggle . 123/e .06/c .015/c
General 1
E a c h P a i r Contact .2
Synchros 8 .61 .35 .09
Tanks .27 . 15 .083
Pressure, small .324 . 18 . 10
High P r e s s u r e , s m a l l . 144 .08 .044
Tachometers 5 .55 .3 .25
Transducers 45.0 30.0 20.0
Liquid L e v e l 3.73 2.6 1.47
Light 6.66 4.7 2.70
Photoelectric Cells 15
Pressure 15 52.2 35.0 23.2
Radioactivity
Beta Ray 21.3 14.00 6.70
Ion Chamber and Leads 5
Strain
Gage 25 20.0 12.0 7.0
Temperature 6.4 3.3 1.5
Thermistors 28.00 15.0 10.0 .30(3)
Thermocouples 10
Transformers 2.0 .2 .07
General, e a c h winding .3
Mains
Encapsulated 5
Oil F i l l e d 1
Power 2.08 1.04 .46
Low V o l t a g e .60 .3 . 13
High Voltage 1.88 .94 .407
Pulse 1.5
Low V o l t a g e .235 . 15 .065
High V o l t a g e
Variable 1 .31 . 1 .035
A. F . 0.3 .04 .02 .01
L F. 1 .31 . 1 .035
AIEE C l a s s (3)
.21 - 10.00
o .20 - 19. 50
A
B .22 - 12.00
H .21 - 18. 50
C .20 - 1.00
D-5
FAILURE RATE, Failures/10° hr

SOURCE AHSB(S) M I - 6 0 - 5 4 - ( R e v 1)
R 117 High Mean Low Others
Valves 8.0 5. 1 2.00

Ball 7.7 4.6 1. 11
Butterfly 5.33 3.4 1.33
Check 8. 10 5.0 2. 02
Control 30 19.8 8. 5 1.68
Relief 14. 1 5.7 3.27
Leakage 2
Blockage 0.
Shut off 15 10. 2 6.5 1.98
Solenoid 30 19. 7 11.0 2.27
Selector 19. 7 16.0 3.70
3-Way 7. 41 4.6 1.87
4-way 7. 22 4.6 1.81
Vibrators 80 .5 .4
Wiring
Join t s
Soldered .02 .005 ,004 , 0002
Wrapped .01
Terminals . 5 .27 ,05 .041
Wires . 1 . 12 ,015 .008
D-6
TABLE D. 2
R E F E R E N C E SOURCES FOR FAILURE RATE DATA
Type of Equipmen Included 1

Reference Author Title Document Number Date of njiectrical tilectrical Mechanical MechanicaJ
No. or Publication Publication Electronic Light Heavy Light Heavy
1 A. E. Green and A. J Bourne Safety Assessment with Reference to AHSB (S)R 117 1966 X X X
Automatic Protective Systems for Nuclear
Reactors, Part 3
2 D R. Earles Reliability Application and Analysis Guide MI-60-54-(Rev 1) July 1961 X X X
3 Department of Defense Reliability Stress and Failure Rate Data MIL-HDBK-217A Dec 1, 1965 X X X
for Electronic Equipment
4 A. A. Schmudde Engine-Generator Sets Meet Strict Power (Magazine) April 1967 X X
Reliability Limits
5 McGraw-Hill Book Company RADC Reliability Notebook RADC-TR-58-111 Oct 30, 1959 X X X
6 Radio Corporation of America Reliability Stress Analysis for Electronic TR59-416-1 Jan. 15. 1959 X X X
Equipment
7 R. L. Harrington and Reliability Engineering Applied to the Marine Technology October 1964 X X
R. R. Riddick, Jr. Marine Industry (Journal)
B ARINC Research Corporation Prediction of Field Reliability for Publication Dec 31, 1962 X X X
Airborne Electronic Systems No. 203-1-344
9 D. R. Earles and M. F. Eddms Failure Rates Proceedings, Ninth January 1963 X X X
National Symposium oi
Reliability and Quality
Control
10 Vitro Corporation Reliability Prediction and Measurement Report No. 98 April 15, 1957 X X X
of Shipboard Electronic Equipments
11 U.S. Naval Fleet Missile Systems Bureau of Naval Weapons Failure Rate SP-63-470 Revised X X X X X
Analysis and Evaluation Group, 1^ -landbook (Available only qualified Quarterly
Corona, California contractors and government agencies)
12 ARINC Research Corporation Reliability Engineering (pp. 308-310) Prentice-Hall, Inc. 1964 X X
^
APPENDIX E
S A F T E - I SOURCE PROGRAM LISTING

06/^6/67
MAIN - EFN SOURCE STATEMENT - IFN(S) -
C ••••••••••••*••«••••••••••••••••••••••••••••••••
C • •
C • •* SAFTE-1 •» •
C • •
C • SYSTEMS ANALYSIS BY FAULT TREE EVALUATION. •
C • HOLMES+MARVER.INC. •
C • •
C » APRIL 1967 •
C • •
C ••••••••••••••••••••«»«»«»*»»**«»*«^«»«**««««««»
c
C
CMONTE CARLO FAULT TREE SIMULATION
CbXPONENTIAL FAILURE AND CAUSSIAN REPAIR
C
CSPECIFICATION STATEMENTS
C
DIMENSION ARRAYI90,90),XMTTF(90),XMTTR(90),TTF(90),TTR(90),XIN0(90
H,DUMM(90),SIG(90),SIGll90),SIG2(90»,CONS(90)tTF(90),SYSPOF(250»,
2PTHCDF«20),PTHPDF(20,250),PSEUD(90),VARAY(3,500 )tKl(3),ISUMO)•
3BIN(100)
4.C0MPt90)
LOGICAL X(90)tY(90),A(90)fB(90),G(9C)*T0P
C
C
COMMON NTRIAL.IMXtTMAX>N0INT»SIG,SI6ltSIG2,AAtBB>CC»X»Y,A.BtGiT0Pt
1ARRAY,XMTTF,XMTTR,TTF,TTR,XIND,DUMM,CONStTF,SYSPDF,PTHCDFfPTHPDF,
2SYSCDF,NC0NS,C0E,ARGtDELT,DUMHY,N,IJK,WHT
3,I,J,IN0,KK,PSEU0,NPTH
4«KltISUM,VARAY,BIN
5,C0MP
C
203 REA0(5,1) NTRIAL*IMX,NOINT.NCONS.NPTH
KEA015,2) TMAX.AA.BB.CC
READ(5,2) (XMTTF{I),I=1,IMX»
REA0(5,2) (XMTTR(I),I=I,1MX)
READ(5,2) (SIG(I),I=1,IMX)
READ(5,2) (CONS!lit 1=1,NCONSJ
REA0(5,l) (K1(I),I=1,3)
C
CNTRIAL=NUMBER OF TRIALS
CIMX=NUM8ER OF COMPONENTS(MAX. 90)
CN01NT=NUM8ER OF TIML INTERVALS!MAX. 2501
CNCONS=NUMBER OF SIDE CONSTRAINTS(MAX. 90)
CNPTH=NO. OF CRITICAL PATHS
C1MAX=LENGTH OF TIME BEYOND WHICH TRIAL IS TERMINATEDCHOURS)
CAA=8IASING PARAMETER FO TIME TO FAILURE CALCULATIONS. VALUES OF AA GREAT
C TER THAN 1.0 CAUSE SHOTR TTFS TO BE EMPHASIZED.
CB8=BIASING PARAMETER FOR TIME TO REPAIR CALCULATION. VALUES OF BB GREAT
C ER THAN l.O CAUSE SHORT TTRS TO BE DE-EMPHASIZED.
CCC=BIASING PARAMETER FOR TIME TO REPAIR CALCULATION.VALUES OF CC GREAT
C ER THAN 1.0 CAUSE LONG TTRS TO BE EMPHASIZED.
CXMTTF=MEAN TIME TO FAILURE(HOURS).
CXMTTR=M£AN TIME TO REPAIR(HOURS).
E-1
CSIG=STANDARD DEVIATION FOR TIME TO REPAIR DISTRIBUTIONS.
CCONS=SIDE CINSTRAINTS.
CK1(I)=INTERVA NOS. FOR WHICH DETAILED ERROR ANALYSIS IS PERFORMED
C
WRITE(6,3)
W R I T E { 6 , 4 ) NTRIAL
^ R I T E { 6 , 5 ) IMX
W R I T E { 6 , 6 ) NOINT
W R I T E ( 6 , 7 ) NCONS
W R I T E ( 6 , 2 7 5 ) NPTH
W R i r E ( 6 , 8 ) TMAX
W R I T E ( 6 , 9 ) AA
W R I T E ( 6 , 1 0 ) BB
W R I T e ( 6 , l l ) CC
WRITE(6,3)
WRITE(6,I2)
DO 1 3 1 = 1 , I M X
WRnE(6,14) XMTTFID.XMTTRII )
1 3 CONTINUE
DO 1 5 1 = 1 , I M X
SIG1(I)=SIG(I)/BB
SIG2(I)=SIG(I)»CC
1 5 CONTiriUE
WRITE(6,3)
HRITE(6,16)
00 1 8 1 = 1 , I M X
WRITE(6,17) SIG(I),SIG1(I),SIG2(I)
1 8 CONTINUE
WRIT£(6,3)
WR1TE{6,19)
DO 2 1 1 = 1 , N C O N S
WRITE(6,20) CONS(I)
2 1 CONTIMUE
WRITEC6,401) {Kl(I),I=1,3)
C
1 FORMAT{5I5)
2 F0RMAT(6E12.5)
3 FORMAT(lHl)
4 F0RMAT(8H0NTtÎAL=I5/)
5 F0RMAT{5H0IMX=I5/)
6 F0RMAT(7H0N0INT=I5/)
7 FORMAT(7HONCONS=I5/)
8 F0RMAT(6HDTMAX=E12.5/)
9 F0RMAT(4H0AA=E12.5/)
10 F0RMAT(4H0BB=E12.5/)
11 F0RMAT(4H0CC=E12.5/)
12 F0RMAT(27H0 MTTF MTTR /)
14 F0RMAT(E12.5,2X,E12.5)
16 F0RMAT(40H0 SIG SIGl SIG2 /)
17 F0RMAT(E12.5,2X,K12.5,2X,ei2.5)
19 F0RMAT(17H0SI0E CONSTRAINTS/)
20 F0RMAT(3X,E12.5)
275 F 0 R M A T ( 2 3 H 0 N 0 . OF C R I T I C A L P A T H S = I 5 / )
401 F0RMAT<7H0K1(I)=3I5/)
C
CSET SCORING ARRAYS EQUAL TO ZERO-
E-2
06/26/67
MAIN - EFN SOURCE STATEMENT - IFNJS) -
DO 402 1=1,IMX
COMP(n = 0.
402 CONTINUE
SYSCDF=0.
DO 258 K=l,NOINT
SYSPDF(K)=0.
00 2 59 KM=1,NPTH
PTHPDF(KM,K)=0.
259 CONTINUE
258 CONTIHUE
DO 2 6 0 KM=1,NPTH
PTHCDF(KM)=0.
260 CONTINUE
ISUM(1)=0
ISUM(2)=0
ISUM(3)=0
C
DUMMY=0.
N=349
CALL RANDINCDUMMY)
IJK=0
C
CCOMPUTE TIME INTERVAL SIZE
C
DELT=NOINT
DELT=TMAX/OELT
C
DO 100 KK=1,NTRIAL
COE=l.
ARG=0.
WHT=1.
C
CALL LOGICAL VARIABLES ARE INITIAiLY SET FALSE FOR EACH TRIAL
C
CALL SETLOG
C
CCQMPUTE TIME TO FAILURE(TTF) AND TIME TO REPAIR(TTR) FOR EACH COMPONENT
C
DO 9 9 1=1,IMX
R=EXPRN(DUMMY)
TTF(I)=XMTTF(I)«R/AA
TFU )=TTF(I)
R=GAUS(N)
IF(R)277,277,278
27 7 R=-R
278 R1=FLTRN(DUMMY)
IF(Rl-0.5)97,98,98
98 X I N 0 ( I ) = 1 . 0
TTR(I)=XMTTR(I)+SIG2(I)«R
GO TO 9 9
97 X I N D I I ) = - 1 . 0
TTR(I)=XMTTR(I)-SI61(I)»R
IF(TTR(I))96,99,99
96 T T R ( I ) = 0 .
99 CONTINUE
E-3
06/26/67
MAIN - CFN SOURCE STATEMENT - IFN(S) -
C
DO 403 1=1,IMX
C
CUETERMINE IF RIGHT OR LEFT GAUSSIAN WAS USED TO COMPUTE TTR(I).
C
IF(XIND(I))33,33,34
C
CLEFT GAUSSIAN
C
33 C 0 E = C 0 E « S I G 1 ( I ) / ( A A « S I G { I ) )
ARG=ARG+(-(l.-AA)»TF(I)/XMTTF(I)-0.5»(TTR(I)-XMTTR(I))»(TTR(I)-
IXMTTR(I))»(1./(SIG(!)«SIG(I))-1./(SIG1(I)»SIG1(I))))
GO TO 4 0 3
C
CKIGHT GAUSSIAN
C
34 C0E=C0E*SIG2(I)/(AA»SIG(I))
ARG=ARG+(-(l.-AA)*TF(I)/XMTTF(I)-0.5»(TTR(I)-XMTTR(n»»(TTRII)-
IXMTTR(I) )«(l./(SIG(I)»SIG(I))-l./(SIG2!n»SIG2(I))))
403 CONTINUE
C
WHT= WHT»COE«EXP(ARG)
C
CAN INITIAL SET OT TTFS AND TTRS HAVE BEEN COMPUTED FOR TRIAL NO. KK.
CITFS ARE NOW SEQUENCED ACCORDING TO INCREASING TIME TO FAILURE AND
CSTORED IN A TWO-DIMENSIONAL ARRAY ACCORDING TO COMPONENT NUMBER AND
CURDER OF FAILURE
C
101 CALL SEQNCE
C
CEXAMINE ARRAY
C
J=l
C
CEXAMINE JTH FAILURE TO DETERMINE COMPONENT NUMBER.
C
40 00 30 1=1,IMX
1=1
IF ( ARRAY(I,J))30,30,31
30 CONTINUE
C
CDETERMINE IF JTH FAILURE EXCEEDS MAX.OPERATING TIME
C
31 IF(ARRAY(I,J)-TMAX)32,32,100
C
CJTH FAILURE DOES NOT EXCEED MAX. PORATING TIME AND LOGICAL X I D I S
CSET .TRUE.
C
32 X(I)=.TRUE.
35 JK=J-i
C
CtXAMINE FAILED COMPONENTS TO DETERMINE WHICH IF ANY SHOULD BE REPAIRED.
C
38 IF(JK)36,36,37
C
CCURRENT FAILURE IS FIRST IN SEQUENCE.
E-4
06/26/67
C
3 6 CALL LOGIC 21
IF(TQP)GO TO 39
J=J+1
GO TO 40
39 CALL SUM 21
GO TO lOO
C
CCURRENT FAILURE I S NOT FIRST OF SEQUENCE.
C
3 7 DO 2 8 IK=1,IMX
IK = IK
IF(ARRAY(IK,JK))28,28,2 7
28 CONTINUE
27 IF(X(IK) )G0 TO 26
JK=JK-1
GO TO 38
26 IF(ARRAY(I,J)-TTF(IK)-TTR(IK))25,25,202
25 JK=JK-1
GO TO 38
C
CIT HAS BEEN DETERMINED THAT ONE OF THE FIRST J FAILURES DO
CNOT OVERLAP. THE NON-OVERLAPPING COMPONENT X(IK) IS ^
CREPAIRED. A NEW TTF AND TTR ARE COMPUTED AND SEQUENCED INTO ARRAY!I.J).
C
202 R=EXPRN(DUMMY) 24
TF(IK)=XMTTF(IK)»R/AA
TTF( IK) = TTF(IK)+TTR(IK) + TF(IK)
R=GAUS(N) 2^^
R1=FLTRN(DUMMY) 2f
IF(Rl-0.5)22,23,23
23 XIND(IK)=1.0
TTR(IK)=XMTTR(IK)+SIG2(IK)»R
C0E1=SIG2(IK)/(AA»SIG(IK))
ARGl=+(-(l.-AA)»TF(IK)/XMTTF(IK)-0.5«(TTR(IK)-XMTTR(IK))»(TTR(IK)-
1XMTTK(IK))«(1./(SIG{IK)»SIG(IK))-1./(SI62(1K)»SIG2(IK))))
WHT=WHT«C0E1»EXP(ARG1) 26
GO TO 2 0 0
2 2 XIND( I K ) = - 1 . 0
TTR(IK)=XMTTR(IK)-SIG1(IK)»R
IF(TTR(IK))400,410,410
400 TTR(IK)=0.
410 C0E1=SIG1(IK)/(AA»SIG(IK))
ARGl=+(-(l.-AA)»TF(lK)/XMTTKIK)-0.5»(TTR(IK)-XMTTR(IK))»(TTR(IK)-
1XMTTR(IK))»(1./(SIG(IK)»SIG(IK))-1./(SIG1(IK)»SIG1(IK))))
WHT=WHT»C0E1«EXP(ARG1) 21
2 0 0 CALL SETLOG 2'
GO TO 1 0 1
100 CONTINUE
CALL EDIT 2?
GO TO 203
END
E-5
04/05/67
SETLG - EFN SOURCE STATEMENT - IFN(S) -
SUBROUTINE SETLOG
C
CSETLOG SETS ALL LOGICAL VARIABLES EQUAL TO .FALSE. AT THE BEGINNING
COF EACH TRIAL..
C
C
DIMENSION ARRAY(90*90)tXMTTF(90),XMTTR(90),TTF(90),TTR(90),XINO( 90
1),OUMM(90),SIG(90),S1G1(90),SIG2(90),CONS(90),TF(90),SYSPDF(250),
2PTHCDF(20),PTHPDF(20,250),PSEUD(90),VARAY(3,500 ),Kl(3) ISUM(3)
3BIN(100)
4 C0MP(90)
C
LOGICAL X(90),Y(90},A(90),B(90},G(90),T0P
C
COMMON NTRIAL,IMX,TMAX,NOINT,SIG,SIGl,SIG2,AA,BB,CC,X,Y,A,B G TOP
iARRAY,XMTTF,XMTTR,TTF,TTR,XINO,DUMM,CONS,TF,SYSPOF,PTHCDF,PTHPOF,
2SYSC0F,NCONS,COE,ARG,CELT,DUMMY,N,IJK,WHT
3,I,J,IN0,KK,PSEUD,NPTH
4,K1,ISUM,VARAY,BIN
5,C0MP
C
CSET LOGICAL VARIABLES=FALSE
C
DO 62 1=1,IMX
X{I)=.FALSE.
Y( I) = .FALSE.
A( I)=.FALSE.
B( I) = .FALSE.
G( I)=.FALSE.
62 CONTINUE
TOP=.FALSE.
RETURN
END
E-6
04/05/67
SEQ - EFN SOURCE STATEMENT - IFN!S) -
SUBROUTINE SEQNCE
C
CSEUNCE ZEROS OUT ARRAY!I,J)AND THEN ARRANGES CURRENT LIST OF TTFS
CIN ARRAY!I,J). I SUBS. DENOTES COMPONENT NUMBER AND J SU8RS. DENOTES
CStyUENCE OF FAILURE.
C
CSPfcCIFlCATION STATEMENTS
C
DIMENSION ARRAY(90,90),XMTTF!90),XMTTR!90),TTF!90),TTR(90),XIND!90
1),DUMM(90),SIG!90),SIG1!90) SIG2!90),CONS!90),TF!90),SYSP0F!250),
2PTHCDF{20),PTHPDF!20,250),PSEUD!90),VARAY!3,500 ),K1!3),I SUM!3),
3BIN(100)
4,C0MP!90)
C
LOGICAL X!90),Y(90),A(90),BJ90),G(90),T0P
C
COMMON NTRIAL IMX TMAX NOINT,SIG,SIGl,SIG2,AA,BB,CC,X,Y,A,B,G,TOP,
lARRAy,XMTTF,XMTTR,TTF,TTR,XIND OUMM CONS TF SYSPOF PTHCDF PTHPOF
2SySCDF,NCONS,COE,ARG,DELT,DUMMY,N,IJK,WHT
3,I,J,IN0,KK,PSEUD,NPTH
4,K1,ISUM,VARAY,BIN
5,CQMP
C
IJK=IJK£1
C
CSET ARRAY!I J)=0.
C
00 50 1=1,IMX
DO 49 J=1,IMX
ARRAY(I,J)=0.
49 CONTINUE
50 CONTINUE
C
CPLACE TTF!I) LIST IN DUMM(I).
C
DO 51 1=1,IMX
0UMM(I)=TTFII)
51 CONTINUE
C
CPLACE DUMM!I)) IN ARRAY!I,J) IN ORDER OF INCREASING TIME TO FAILURE
C
DO 52 J=1,IMX
J=J
1=1
53 IF(DUMM(I))54,54,55
54 I=1&1
GO TO 53
55 DUM1=DUMM(I)
IJ = 1
56 K=I£,1
IF!K-IMX)57,57,58
57 IF!0UMM!K))59,59,60
59 1=161
GO TU 56
60 DUM2=0UMM(K)
E-7
04/05/67
SEQ - EFN SOURCE STATEMENT - IFN(S) -
IF!DUM1-DUM2)59,59,61
61 DUM1=DUM2
IJ=K
GO TO 59
58 ARRAY!IJ,J)=0UM1
OUMM!IJ)=0.
52 CONTINUE
RETURN
END
E-8
04/28/67
LOGICl - EFN SOURCE STATEMENT - IFN(S) -
SUBROUTINE LOGIC
C
CUKESOEN EMERGENCY POWER SYSTEM
C
CTHE FUNCTION OF LOGIC IS TO EXAMINE CURRENT COMPONENT FAILURES AND
CUETERMINE IF THE UNOESIRED EVENT HAS OCCUREO.
C
C
DIMENSION ARRAY(90,90),XMTTF(90),XMTTR(90),TTF(90),TTR(90),XIND(90
1),DUMM(90),SIG(90),SIG1(90),SIC2(90),CaNS(90),TF(90),SYSPOF(250),
2PTHCDF!20),PTHPDF!20,250),PSEUD!90),VARAY!3,500 ),K1!3),ISUM!3),
3BIN!100)
4,COMP(90)
C
LOGICAL Xi90),Y!90),A!90),Bi90),G!90),TGP
C
COMMON N T R I A L , I M X , T M A X , N O I N T , S I G , S I G l , S I G 2 , A A , B B , C C , X , Y , A , B , G , T O P ,
1ARRAY,XMTTF,XMTTR,TTF,TTR,XI NO,OUMM,CONS,TF,SYS PDF,PTHCDF,PTHPOF,
2SYSCOF,NC0NS,COE,ARG,DELT,OUMMY,N,IJK,WHT
3,I,J,!ND,KK,PSEUD,NPTH
4,K1,ISUM.VARAY,BIN
5,C0MP
C
A!1)=X!1).0R.X(2)
Ai2)=X!3).0R.X!4)
A!3)=A!1).0R.A!2)
A!4)=XI5).0R.X(6)
A!5)=A!3).0R.A!4)
A ! 1 2 ) = X! 1 3 ) . 0 R . A I 5 )
A(13)=X(14).0R.X!15)
A!14)=A!12).0R.A!13)
A!15)--^X! 1 6 ) . 0 R . A ! 1 4 )
A ! 1 6 ) = XI 1 7 ) . O R . A I 1 5 )
C
A!6)=XI2).0R.X(7)
A!7)=XI8).0R.X!9)
A!8)=A!6).0R.A(7)
A!9)=X!10).0R.A!8)
A!10)=X!11).0R.A!9)
A l l ! ) =XI12).OR.A!10)
C
B!1)=A111).AN0.A!16)
A(18)=X!19).QR.X!20)
A!19)=A!18).0R.B!1)
C
A!20)=X(23).0R.X(24)
A!21)-=X!21).OR.X!22)
A122)-Â(20).0R.A!21)
C
A!23)=X!25).0R.X!26)
A!24)=X!27).0R.X!28)
A!35)-X(38).0R.XI39)
A!25)=X!29).OR.A!35).OR.A!24)
A!26)Â!23).0R.A!25)
E-9
04/28/67
LOGICl - EFN SOURCE STATEMENT - IFN(S) -
B(2)=A(19).AN0.A(22).AND.A(26)
C
A(31)=^X(34).0R.X(35)
A(29)=X(32).0R.X(33}
A(30)=A(9).0R.A!29)
A!17)=X!18).0R.A!15)
A(27)--=X!30).0R.X(31)
A(28)=A(17).0R.A(27)
B!3)=AI28).AND.A(30)
A(32)=A(31).0R.B(3)
C
A!33)--=X!36).0R.X!37)
AI34)=A!20).0R.A!33)
C
Ai36)=X(40).0R.X(41)
A!37)=A!25).0R.A!36)
B!4)=A!32).AND.A!34).AND.A!37)
C
B!5)=B12).AND.B!4)
C
A!38)=X!42).0R.X!43)
A(39)=A(38).0R.B(2)
A(40)^X!44).0R.Ai39)
A!41)=X!45).0R.X!46)
A!42)=A!40).0R.A!41)
A!43)=X!47).0R.A!42)
AI44)='X!48).0R.X!49)
A!45)-=A!43).0R.A!44)
C
A(52)=X!56).0R.X!57)
A!46)=^Xi50).0R.X(51)
A(47)=A(46).0R.B(4)
A(48)=X!52).0R.A|47)
A!49)=X!53).0R.X!54)
A!50)=A(48).0R.A!49)
A!51)=A!50).0R.A!55)
A!53)=A(5l).0R.A!52)
C
Bi6)=A!45).AND.A!53)
C
B!7)=B!5).AN0.B!6)
C
T0P=B(7)
IND=1
RETURN
END
E-10
04/28/67
SUMl - EFN SOURCE STATEMENT - IFN(S) -
SUBROUTINE SUM
C
CTHE PURPOSE OF SUM I S TO TO RECORD TRIAL WEIGHT IN THE APPROPIATE
CARAYS AT THE END OF EACH TRIAL.
C
C
DIMENSION A R R A Y ( 9 0 , 9 0 ) , X M T T F ( 9 0 ) . X M T T R ( 9 0 ) , T T F ( 9 0 ) , T T R ( 9 0 ) . X I N D ( 9 0
l),DUMM(90),SIG!90),SIG1190),SIG2i90),CONS(90),TF!90),SY$P0F(25O),
2PTHCDF!20),PTHPDF!20,250),PSEUD!90),VARAY(3,500 ),K1(3>,ISUM(3),
3BIN(100)
4,C0MP(90)
C
LOGICAL X ( 9 0 ) , Y ( 9 0 ) , A ( 9 0 ) , B ( 9 0 ) , G ( 9 0 ) , T O P
C
COMMON N T R I A L , I M X , r M A X , N 0 I N T , S I G , S I 6 1 , S I G 2 , A A , B B , C C . X , Y , A , B , G , T 0 P ,
lARRAY,XMTTF,XMTTR,TTF,TTR,XI NO,DUMM,CONS,TF,SYSPOF,PTHCDF,PTHPOF,
2SYSCOF, NCONS,COE, ARG,DELT,DUMMY, N, UK,WHT
3 , I , J .INO,KK,PSEUD,NPTH
4,K1,ISUM,VARAY,BIN
5,C0MP
C
TIME=ARRAY(I,J)
CHECK-=DELT
DO 255 K = l,NOINT
K=K
IF(TIME-CHECK)256,256,257
257 CHECK=--CHECK+DELr
255 CONTINUE
256 SYSPDF(K)=SYSPDF(K)+WHT
SYSCDF=SYSCDF+WHT
PTHPOF{IND,K)=PTHPDF!INO,K)+WHT
PTHCDF!IND)=PTHCOF!IND)+WHT
DO 260 1 = 1 , 3
IF!K-K11I))253,253,260
253 I S U M ! 1 ) = I S U M ! I ) + 1
IFiISUM!I)-500 )2S4,254,260
254 I N O = I S U M | I )
VARAY(I,IND)=WHT
260 CONTINUE
C
CCOMPONENT I IS RESPONSIBLE FOR CATASTROPHIC FAILURE
C
1 C0MP(1)=C0MP(I)+WHT
RETURN
END
E-11
04/05/67
EOITl - EFN SOURCE STATEMENT - IFN(S) -
SUBROUTINE EDIT
C
CTHE PURPOSE OF EDIT IS TO PERFORM THE NECESSARY OPERATIONS ON ARRAY
CCONTENTS AT END OF RUN TO ENABLE INTERPRETATION IN TERMS OF FAILURE
CFREQUENCYfiCUMULATIVE FAILURES.
C
CTHIS SUBROUTINE LOOKS AT THE DETAILED STATISTICAL ERRORS IN THE CUMU-
CLATIVE FAILURE DISTRIBUTIONS FOR SELECTED OPERATING TIMES
C
C
DIMENSION ARRAY(90,90),XMTTF(90),XMTTR(90),TTF(90),TTR(90),XINO(90
I),OUMM(90),SIG!90),SIGl!90) SIG2(90),C0NS(90),TF(90),SYSP0F(250),
2PTHCDF!20),PTHP0F(20,250),PSEU0(90),VARAY(3,500 ),K1(3),ISUM(3),
3BIN(100)
4,C0MP(90)
C
LOGICAL X!90),Y(90),A<90),B(90),G!90),T0P
C
COMMON NTRIAL,IMX,TMAX,NOINT,SIG,SIGl,SIG2,AA.BB,CC,X,Y,A,B,G,TOP,
1ARRAY,XMTTF,XMTTR,TTF,TTR,XINO,OUMM,CONS,TF,SYSPOF,PTHCDF,PTHPOF, .
2SYSCDF NCONS COE ARG DELT DUMMY,N,IJK,WHT
3,I,J,I NO,KK,PSEUD,NPTH
4,K1,ISUM,VARAY,BIN
5,C0MP
C
TRIAL=NTRIAL
0ELT1=0ELT*TRIAL
SYSCDF=SYSCDF/TRIAL
WRITE!6,261)
WRITEI6 262)SYSCDF
DO 2 6 3 1 = 1 NOINT
SYSPOF!I)=SYSPDF!I)/OELTl
DO 264 J=1,NPTH
PTHPOF!J,I)=PTHPDFIJ,I)/OELTl
264 CONTINUE
263 CONTINUE
DO 265 J=1,NPTH
PTHCDFIJ)=PTHCOF!J)/TRIAL
265 CONTINUE
WRITE!6,266)
WRITE(6,267)(SYSPOF!I),1=1,NOINT)
SYSPOF!1)=SYSPDF(1)*DELT
DO 450 1=2,NOINT
SYSPOF(I)=SYSPDF(I-l)&SYSPDF(I)•DELT
450 CONTINUE
WRITE!6,261)
WRITE!6,451)
WRITE!6 267»!SYSPDFII) I»l NOINT)
WRITE!6,261)
WRITE(6,268)
WRITE(6,269)
00 270 1=1,NPTH
WRITE(6,271)I,PTHCDF!I)
270 CONTINUE
E-12
04/05/67
EDITl - EFN SOURCE STATEMENT - IFN(S) -
211 CONTINUE
SUM1=SUM1/TRIAL
SUM2=SUM2/TRIAL
VAR2=SUMl-SUM2*SUM2
IF(VAR2)111.111,212
111 DEV2=0.
GO TO 213
212 DEV2=VAR2**0.5
213 W R I T £ ( 6 , 2 1 4 ) VAR2
WRITE(6 2 1 5 ) 0EV2
IF<D£V1)223,223,224
223 W R I T E i 6 , 2 2 5 )
RETURN
224 DO 218 K I = 1 , 4 8
BIN{KI)=0.
218 CONTINUE
00 219 J=1,IND
VARAY(I,J)=VARAY{I,J)/(TRIAL*XMEAN*0.25*0EV1I
WRITE(6,229) VARAY(I,J)
CHECK=XMEAN-5.75*DEV1
DO 220 KI=1,48
KI=KI
IF!CHECK-VARAY(I J ) ) 2 2 1 222 222
222 6 I N I K I ) = B I N ( K n & V A R A Y ( l J )
GO TO 219
2 2 1 CHECK=CHECK£0.25*DEV1
220 CONTINUE
219 CONTINUE
WRITE(6,226) K l ( I )
CHECKl=XMEAN-5.75*DEV1
CHECK2=XMEAN-6.0*DEV1
CHECK3=CHECK2&0.125*DEV1
WRITE(6,227)
DO 228 K I = l , ' , o
EXACT=1.0/(DEV1*2.508)
EXACT=EXACT*EXP (-CHECK3*CHECK3/(2.0*VAR1))
WRITE(6,229) CHECK2,CH£CK1,BIN(KI),EXACT
CHECK1=CHECK1£0.25*DEV1
CHECK2=CHECK2£0-25*DEV1
CHECK3=CHECK3&0.25*DEV1
228 CONTINUE
200 CONTINUE
C
261 FORMAT!IHl)
262 FORMAT(43H0PR0BABILITY OF SYSTEM FAILURE BEFORE THAX=E12.5/)
266 FORMAT(25H0SYSTEM FAILURE FREQUENCY/)
267 F0RMAT(5E12,5)
268 FORMAT(SOHOPROBABILITY OF DISCRETE PATH FAILURES BEFORE TMAX/)
269 F0RMAT124H0 PATH NO. PROBABILITY/)
271 F0RMAT(I6,6X,E12.5)
273 FORMAT(26H0FAILURE FREQUENCY OF PATH 14/)
281 F0RMAT(7H0ASTEP=E12.5)
451 FORMAT(25H0CUMULATIVE FAILURE DIST./)
453 FORMAT(33H0CUMULATIVE FAILURE 01 ST.OF PATH 14/)
C
225 F0RMAT(14H0EFF.ST.DEV.=0/)
E-13
04/05/67
EOITl - EFN SOURCE STATEMENT - IFN(S) -
DO 272 1=1 NPTH

WRITE!6 261)
WRITE(6,273)1
WRITE!6.267)(PTHPDF(I,J),J=1,N01NT )
PTHPOFII,l)=PTHP0F(I,1}*OELT
DO 452 J=2,NOINT
PTHPOFII,J)=PTHPDF(I,J-1)£PTHPDF(I,J)*DELT
452 CONTINUE
WRITE(6,261)
WRITEI6,453)1
WRITE!6 2 6 7 ) ( P T H P D F ( I J» J=l,NOINT)
272 CONTINUE
XIJK=IJK
ASTEP=XIJK/TRIAL
WRITE(6,281) ASTEP
WRITE(6,261)
WRITE(6,500)
500 FORMAT(30H0C0MP. ID NO. OF FAILURES //)
00 501 1=1,IMX
1=1
COMP(I)=C0MP(I)/TRIAL
W R I T E ! 6 , 5 0 2 ) I.COMPII)
501 CONTINUE
502 F0RMAT(I6,6X,E12-5)
C
CSTATISTICAL ERROR ANALYSIS OF CUMULATIVE FAILURE GIST. FOR SELECTED
COPERATING TIMES.
C
DO 200 1=1,3
WRITE!6,261)
SUM=0.
IF!K1(I))200,200,201
201 IND=ISUM(I)
DO 202 J=1,IND
SUM=SUM£VARAY(I J)
202 CONTINUE
XMEAN=SUM/TRIAL
VAR1=0.
DO 203 J=l,IND
VAR1=VAR1€(VARAY(I,J)-XMEANI**2.
203 CONTINUE
VAR1=VAR1/!TRIAL-1.)
IF(VAR1)208,208,209
208 DEV1=0.
GO TO 210
209 DEV1=VAR1**0.5
210 WRITE(6,204) K K I )
WRITE(6 216) ISUM!I)
WRITE(6,205) XMEAN
WRITE(6,206) VARI
WRITE(6,207) DEVI
SUM1=0.
SUM2=0.
DO 211 J=1,IND
SUM1=SUM16VARAY(I,J)*VARAY(I,J)
SUM2=SUM2£VARAY(I,J)
E-14
04/05/67
EOITl - EFN SOURCE STATEMENT - IFNIS) -
204 FURMAT!30H0ERR0R ANALYSIS FOR INTERVAL 15//)
205 FORMAT!16H0fcFF.MtAN VALUE= E12.5/)
206 FORMAT!14H0EFF.VARIANCE= E12.5/)
207 FORMAT!24H0EFF.STANDARD 0EVIATI0N= E12.5/)
214 FORMAT!18H0M0N.CAR.VARIANCE= E12.5/)
215 FORMAT!17H0M0N.CAR.ST.0EV.= E12.5/)
216 FORMAT(24H0N0.OF NON-ZERO SAMPLES= I5/J
226 FORMAT(37H0NCRMALIZE0 SAMPLE DIST.FOR INTERVAL 15/)
227 FORMAT!57H0 INTERVAL SAMPLE EXACT
I //)
229 F0RMAT!2E13.5 3X 2E12.5?
RETURN
END
E-15
DbHO RANI 02/17/67 PAGE 28
ASSEMBLED TEXT.
$TEXT RANI RANlOOOl
BINARY CARD (NOT PUNCHED)

00000 1 OCOOO 0 00005 10001 RNGEN SAVE(1,2,4)
00001 0774 00 2 00000 10000
00002 0774 op 1 00000 10000
00003 0774 00 4 00000 10000
00004 0020 00 4 00001 10000
00005 0634 00 4 05000 10011
00006 0634 00 4 00545 10001
00007 0634 00 4 00003 10001
00010 0634 00 1 00002 10001
00011 0634 00 2 00001 10001
00012 4520 00 0 00066 10001 NZT 1X62
00013 0020 00 0 00123 10001 TRA NFE
00014 0600 00 0 00065 10001 STZ 1X62
00015 0500 60 4 00003 10000 CLA» 3,4
00016 0100 00 0 00137 10001 TZE BLO
00017 0621 00 0 00064 10001 STA IX
00020 0534 00 4 00064 10001 LXA IX,4
00021 0534 00 2 00547 10001 LXA =25,2
00022 1 00001 4 01001 10011 LOP TXI *Sl.4,l
I BINARY CARD (NOT PUNCHED)

00023 0500 00 4 01000 10011 CLA *.4
00024 0340 00 0 00067 lOOOI CAS IXC3
00025 0020 00 0 01002 10011 TRA *E2
00026 0020 00 0 00022 10001 tRA LOP
00027 0601 00 0 00067 10001 STO IXG3
00030 0760 00 0 00003 10000 SSP
00031 0501 00 2 00123 10001 STO BUFS1,2
00032 2 00002 2 00022 iooQi TIX LOP,2,2
00033 0634 00 4 00064 10001 SXA IX,4
00034 0534 00 1 00547 10001 LXA =25,1
00035 0534 00 2 00547 10001 LXA =25,2
00036 0550 00 0 00122 10001 LDQ BUF
00037 0500 00 0 00070 10001 CLA WS
00040 4320 00 0 00550 10001 LPl ANA =03000015
00041 0400 00 0 00550 10001 ADO =03000015
00042 4734 00 4 00000 10000 PDX 0,4
00043 0521 00 0 01003 10011 STA *E3
00044 0500 00 0 00070 10001 CLA MS
00045 4755 00 0 00022 10000 LP2- LGR 18
BINARY CARO (NOT PUNCHED)

00046 4773 00 0 00000 10000 RQL 0
00047 4763 00 0 00022 10000 LGL 18
00050 0400 00 2 00123 10001 ADD BUFE1,2
00051 2 00001 2 01002 10011 TIX *E2,2,1
00052 0534 00 2 00547 10001 LXA =25,2
00053 2 OOOOI 4 00045 10001 TIX LP2,4,1
00054 0140 00 0 01001 loou TOV *£1
00055 0162 00 0 01002 TQP *E2
00056 0760 00 0 00005 10011
10000
00057 0750 00 0 00003
con
10000 SSP
DEMO RANI 02/17/67 PA6E 29
ASSEMBLED TEXT.
00050 0601 00 1 00123 10001 STO BUFEl.l

00051 0601 00 0 00070 10001 STO WS
00062 2 00001 I 00040 10001 TIX LPl,1,1
00053 0020 00 0 00137 10001 TRA BLO
00064 000000000000 10000 IX DEC 0,25,15,0
00055 000000000031 10000
00056 000000000017 10000
00067 000000000000 10000
00070 314251527545 10000 SS OCT 314261527545,0

00071 000000000000 10000
00072 212372516470 10000 OCT 212372516470,254525046356,234404214245,234070205046
00073 254525046356 10000
00074 234404214245 10000
00075 234070^06045 10000
00076 052556470063 10000 OCT 052555470063,3173022 52357,074030425135,052537654125
00077 317302262367 10000
00100 0746364261JS 10000
00101 062537564126 10000
00102 ' 3306540140A4 10000 OCT 330554014044,056475235564,256545754555,377116552640
00103 0 5 6 4 7 6 2 3 5 5 5 4 10000
iSCTU?—2B6546754666 TTOtJO
00105 3 7 7 1 1 6 5 5 2 5 4 0 10000
00105 3 5 U 7 6 6 1 1 2 7 3 nSTJOT OCT 3 5 U 7 U 1 1 2 7 i , 2 2 0 7 3 7 1 5 3 5 5 4 , l 4 U 6 3 4 $ 4 2 3 l . 0 3 7 2 t ^ 5 2 6 6 2 3
00107 220737153554 10000
00110 144403454231 10000
00111 0 3 7 2 7 2 5 2 5 0 2 3 10000
00112 0S7O12270401 rOTOT OCT 057012270401,154527204220,245321541143,355113317526
00113 155527204220 10000

00114 246321541143 17^555
00115 355113317525 10000
50TI6 340261^52715 nJ5S5 (5CT 340261252715,221724170022,000154101036,030701073715
00117 221724170022 10000
" 00120 060154101035 HJOTS
00121 030701073715 10000
roT72—253477371574 YUUm BUF OCT 253477371574
00123 0500 00 0 00055 10001 NFE CLA IXEl
0 0 1 2 4 — 0 1 0 0 00 0 00020—lOTin rzE LOP-z
00125 0 7 3 4 00 1 00000 10000 PAX 0 , 1
OTJTTS—0500 0 0 1 00123—nTOTT CLA BUFEl,! '
00127 0771 00 0 00011 10000 ARS 9
OTTTTO—0430 0 0 0 00551—nnnJT ADD = 1 . 0 ' '
00131 0302 00 0 00551 10001 FSB = 1 . 0
i5(n35—1 77777 1 OlOOl—njTJTI Txl * f i l , l , - l '
00133 0634 00 1 00065 10001 SXA I X E l . l
DtJTS? RETURN RNGEN,0 '

00137 0500 00 0 0 0 5 4 7 10001 BLO CLA =25
C0140. 0020 00 0 00125 njUUT TRA NFEe2
00141 1 00000 0 00145 10001 GAUS SAVE 1 , 2 , 4
00142 6774 00 2 00000—DJOTS
00143 0774 00 1 00000 10000
DEMO RANI <yZf\lfbl
ASSEMBLED T E X T .
00144 0774 TO 4 00000 10000

00145 0020 00 4 OOOOI 10000
00146 0634 00 4 05000 10011
00147 0634 00 4 0054S 10001
00150 0634 00 4 00144 10001
00151 0634 00 1 00143 10001
00152 0634 10 2 00142 10001
00153 4520 00 0 03162 10001 NZT GE2
00154 0020 !0 0 00160 10001 TRA G
00155 0600 00 0 0016? 10001 STZ GE2
00156 0500 00 4 00003 10000 CLA 3,4
00157 0621 10 0 00163 10001 STA GE3
00160 0074 00 4 02000 10011 G TSX RNGEN,4
00161 0020 00 0 01003 10011 TRA *E3

00162 0000 00 0 00017 10000 HTR 15
00163 0000 00 0 00000 10000 HTR 0
00164 0601 00 0 00177 10001 STO X
00165 0601 00 0 00200 10001 STO XEl
00166 0302 00 0 00552 10001 FSB =0.5
00167 0120 00 0 00203 10001 TPL G2
00170 0600 00 0 00200 10001 STZ XEl
00171 0500 00 0 00177 10001 CLA X
00172 0601 00 0 00201 10001 STO X62
00173 0300 00 0 00552 10001 FAD =0.5
00174 0601 00 0 00177 10001 STO X
00175 0760 00 0 00002 lOdOO CHS
00176 0020 00 0 00205 10001 TRA G3
00177 000000000000 10000 X DEC 0,0,0,0
00200 000000000000 10000
00201 oooooooooooo lonoo
00202 oooooooooooo 10000
00203 0601 00 0 00201 10001 G2 STO XE2
00204 0502 00 0 0O177 10001 CLS X
00205 0300 00 0 00551 10001 G3 FAD =1.0
00206 0131 00 0 OOOCO 10000 XCA
00207 0260 00 0 00177 10001 FHP X
00210 0601 00 0 00202 10001 STO X63
00211 0500 00 0 00177 10001 CLA X
00212 4300 00 0 00553 10001 UFA =0232000000000
00213 4773 00 0 00010 10000 RQL 8
00214 0774 00 1 00011 10000 AXT 9,1
00215 0763 00 0 OOOOI 10000 G4 LLS 1
00216 0760 00 0 OOOOI 10000 LBT
00217 0020 00 1 00233 10001 TRA H,l
00220 2 OOOOI 1 00215 10001 TIX G4,l,l
00221 0020 00 0 00404 10001 TRA 19
00222 0020 00 0 00235 10001 TRA U
00223 0020 00 0 00255 10001 TRA 12
00224 0020 00 0 00274 10001 TRA 13
00225 0020 00 0 00300 10001 TRA 14
00226 0020 00 0 00323 10001 TRA 15
00227 0020 00 0 00347 10001 TRA I6E1
DEHO RANI 02/17/67 PAGE 31
A ^ S E M S L E D tEXt.
00230 0020 00 0 00346 lOQOl TRA 16
00231 0020 00 0 00400 10001 TRA 17
00232 0020 00 0 00402 10001 TRA 18
00233 000000000000 10000 H DEC OfO.O
00234 000000000000 10000
00235 000000000000 loooo
00236 4 7 M 00 0 00000 10000 11 PXD QtO
00237 0763 00 0 00003 10000 LLS 3
00240 0734 00 2 00000 10000 PAX 0t2
00241 0560 00 0 00177 lOOOl LOQ X
00242 4600 00 0 00234 lOOOl STQ H U
5o?53—0260 00 0 00177—wsisx pam
00244 0131 00 0 00000 10000 G5 XCA
55245 0260 Oo 2 00544 lOOOl FMP B3,2
00246 0601 00 0 00233 10001 STO H
00247—0560 00 0 00234—r555t LDQ H £ 1
00250 0260 00 2 00513 lOOOl FMP B2.2
5 U 7 n — 0 3 0 0 00 0 00233—15551 FIB-R
00252 0300 00 2 00462 10001 FAD 91,2
BINARY CARD (NOT PUNCHED!
55753—4520 00 0 00200—lUTOI NZT Xtl
00254 4760 00 0.00003 10000 SSM
"^ 557F5 RETURN SAUS
00256 4754 00 0 OOOCO 10000 12 PXD 0,0
00257 0763 00 0 00002 10000 LLS 2
00260 0734 00 2 00000 10000 PAX 0,2
TOTST—0500 00 0 00201—TOtKn CLA XS2
00262 0241 00 0 00202 10001 FDP Xe3
00263 4600 00 0 00234—15551 STQ H"gl
00264 000000000000 00010 CALL SQRT(X&3)
00264—0074 00 4 U40C0—nnm
00265 1 00001 0 01003 10011
00266—0 00545 0 00232—nmns
00267 0 00000 0 00202 10001
05775—0601 00 0 00202—15551 STtrxn
00271 0500 00 0 00201 10001 CLA X62
55772—0241 00 0 00202—15551 FOP XS3
00273 1 00010 2 00245 10001 TXI G5ei,2,8
00274—4754 00 0 00000—15555 H PXD 0,0
BINAftV CARD (NOT PUNCHED)

00275 0763 00 0 00002 10000 LLS 2
55275—0734 00 2 00000—UHSm PAX 0,i
00277 1 00004 2 00261 lOOOl TXI 12(3,2,4
55555—4754 10 0 00000—15555 T? PXD 0,0
00301 0763 00 0 00001 10000 LLS I
55152—0734 00 2 00000—15555 PAX 072
00303 05J0 00 0 00201 10001 CLA X£2
5535^—0241 00 0 00202—TOStn FOP XS3
00305 4600 00 0 00234 10001 STQ H£l
I 00306—000000000000 00010 CALL S0RT(X£3)
00306 0074 00 4 04000 10011
55157—1 00001 0 01003—15511
00310 0 00545 0 00251 10100
PAGE s ^
00311 0 or.ooo 0 00202 10001
00312 0601 00- 0 00202 10001 STO XS3
00313 00300000000J 00310 CALL SQRT(X£3)
00313 0074 30 4 04000 10011
00314 1 00001 0 01003 10011
00315 0 0C545 0 00253 10100
BINARY CARO (NOT PDNCHEOI

00316 0 OOOJO 0 J3202 10001
0O317 0601 00 0 00202 lOJOl STU X£3
00320 0500 00 0 03201 10001 CLA X62
00321 0241 00 0 00202 lOpOl FDP XE3
00322 1 0OO2O 2 00245 10001 TXI G5£l,2,16
3C323 4754 00 0 03000 10000 15 PXD 0,0
00324 0763 00 0 00001 10 300 LLS 1
00325 0734 03 2 00000 10000 PAX 0,2
00326 00000)000030 00010 CALL S0RT(X£3)
0C326 0074 00 4 04000 10011
00 327 1 30301 0 01003 10011
00330 0 00545 0 00263 10100
00331 0 DOOOOL 0 00202 10001
00332 0601 00 0 00202 10001 STO X63
00333 0500 )0 0 00201 10001 CLA XS2
CG334 0241 00 0 00202 10001 FDP X£3
00335 4600 00 0 00234 10301 STQ Htl
00356 00 3000000000 00010 CALL S0RT(X£3)
00336 0074 00 4 04000 10011

00337 1 00001 0 01003 10011
00340 0 00545 0 00270 10100
00341 0 00000 0 00202 10001
00342 0601 00 0 03202 10001 STO X£3
00343 0500 00 0 00201 10001 CLA XtZ
00344 0241 30 0 00202 10301 FOP Xt3
C0345 1 00022 2 00245 10001 TXI G5£l,2,18
00346 0765 00 0 00001 10000 16 LRS 1
00347 0765 00 0 00001 10000 LRS 1
00350 4754 00 0 00000 10300 PXD 0,0
00351 0753 00 0 03002 10000 LLS 2
00352 0734 30 2 00000 10000 PAX 0,2
00353 000000000000 00310 CALL SQRT(X£3)
00353 0074 00 4 04000 10011
00354 1 00001 0 01003 10011
00355 0 C0545 0 00302 10100
00356 0 00000 0 00202 10001 -
00357 0501 00 0 00202 10001 STO XK3
00360 0500 00 0 00201 10001 CLA X£2

00361 0241 00 0 00202 10001 FOP X£3
00362 4600 00 0 00234 10001 STQ H61
00353 000000000000 00010 CALL SQRT(XS3I
00363 0074 00 4 04000 10011
00364 1 COOOl 0 01003 10011
00355 0 00545 0 00307 10100
DEMO RANI 02/17/67 PAGE 33
ASSEMBLED TEXT.
00366 0 00000 0 00202 10001

00367 0601 00 0 00202 10001 STO X£3
00370 000000000000 00010 CALL SQRT(X(:3)
00370 0074 00 4 04000 10011
00371 1 00001 0 01003 10011
00372 0 00545 0 03311 10100
00373 0 000)0 0 00202 10001
30374 0501 00 0 00202 10001 STO X£3
00375 0530 00 0 00201 10001 CLA Xt2
00376 0241 00 0 00202 10001 FDP X63
00377 1 00024 2 00245 10001 TXI 0561,2,20
00400 0774 30 2 00003 10000 17 AXT 3,2
0C401 0020 00 0 00353 10001 TRA I6t5

00402 0774 00 2 00004 10000 IS AXT 4,2
00403 0020 00 0 00353 10001 TRA I6£5
00404 0774 00 2 00005 10000 19 AXT 5,2
00405 0500 00 0 00424 10001 CLA BB
00406 0601 00 0 00233 10001 STO H -
00407 0020 00 0 00415 10001 TRA 191
00410 OOOOOOOOOOOO 00010 CALl. SQRT(X63)
00410 00 74 00 4 04000 10011
00411 1 03001 0 01003 10011
I 00412 0 00545 0 00326 10100
00413 0 00000 0 00202 10301 -
t\j
00414 0601 00 0 00202 loOol STO Xfi3
00415 0500 00 0 00201 10301 191 CLA XCZ
U0416 0241 00 0 00202 10001 FOP X£3
00417 0260 00 2 00432 10001 FMP BB£6,2
00420 0300 00 0 00233 10301 PAO H
00421 0601 00 0 00233 10001 STO H
00422 2 OoOOl 2 00410 10001 TIX 1964,2,1
00423 0020 00 0 00253 10001 TRA G5£7

00424 603577741204 10000 6fs DEC - 6 . 9 9 9 0 6 1 8 , 1 . 6 6 8 7 8 1 1 E - 0 8 , - 6 . 4 1 8 4 7 3 1 E - 0 4
00425 147436543423 10000
00426 566520406447 lOooo
00427 176772760277 10000 DEC 0 . 2 4 7 5 4 3 6 9 , - 6 . 4 5 1 0 4 0 1 , 2 2 . 1 7 2 3 9 4
00430 603634673535 10000
00431 205542604201 10000
00432 5774 75323755 10,100 DEC -0.3099746,-0.5916167,-3.7765925,-0.01092^4,-0.7713425
00433 600456720611 10300
00434 600615473041 10000
00435 600637143601 10000
00436 600612732636 10000
00437 573542457223 10000 DEC - 0 . 0 2 1 6 4 2 6 , - 0 . 0 7 1 5 7 3 5 , 0 . 0 6 3 4 2 4 8 , 0 . 0 1 2 3 0 3 6 , 0 . 2 7 6 2 6 0 1
0o440 575445124404 10000
C0441 1 7 5 4 0 3 6 2 3 3 4 4 10000
00442 172623124117 10300
00443 177432707666 10000
J0444 176645730301 10000 DEC 0.2060169,0.1548094,0.1167513,0.0766115,0.0431227
00445 1764750 30277 10000
0U446 175736155162 10000
OEMQ RANI 02/17/57 PAGE 34
ASSEMBLED TEXT.

00447 175471631754 10300
0045C 1745412C5555 13J00
00451 173603721413 lOOOC DEC 0.0236761,0.0124941,-3.0421306,-0.3968161
00452 172631320155 10300
00453 574531104427 lOjOO
00454 577625255727 lOUOO
0C455 60051206O767 10)0C DEC -0.5447 1^1,-".8245707,-3. 96r 0543,-1.C555 321,-1.15064<=0
00456 600546165364 10330
00457 600753430363 lOJOO
00460 601420615331 10300
00461 501445441573 10000
00452 601470o?3i00 10000 Bl DEC -1.2218275
00463 57357140105) 10000 DEC -0.02314 09,-0.0317872,-0.0400265,-0.0421472,-0.3 386395
00464 574404315134 10300
00465 574507713236 10300
00466 574531212127 10300
00467 574474421635 looon
00470 575572434030 10300 DEC -0.2liC912,-0.2348252,-0.0130209,-0.0123572,-0.0746127
00471 576740730043 10000

00472 572510272634 13300
00473 572625177137 lOOOO
00474 575461472131 10000
00475 575566150676 in 000 DEC -0.3913586,-3.10 75076,-0.1229900,-3.1444779,-0.171354 6
00476 575670263517 10-00
00477 575757633463 loroo
00 500 576447710036 10000
00501 575536750635 1C300
00502 576620137066 10000 DEC -0.19540 32,-0.21668 31,-1.2 315865,-0.2454071,0.4752560
00503 576673605433 10000
00504 60147J222403 10300
00505 575766457776 10000
00506 177746523011 10000
00507 201405763775 10000 DEC 1.023345 9,1.4563484,1.8114948,2.1140442
00510 201564546377 10000
00511 201717574176 lonoo
00512 202416452000 10000
C0513 202460710477 10000 B2 DEC 2.3819675
00514 202627055173 13000 DEC 3.1803778,3.5303623,3.7827146,3.8338347,3.7687329

00515 202703705646 10000
00516 202744137770 10000
00517 202752556142 10000
00520 202742313534 10000
00521 202431000165 IOJOO DEC 2.1953160,2.2842329,1.7392134,1.815 2241,1.0041919
00522 202444303372 13000
00523 201675172134 10.100
00524 201720545033 10000
C0525 201401045342 lOOOO
00526 20l43437l0l4 lOiOO DEC 1.1112749,1.2034196,1.2834617,1.3838077,1.4932303
00527 201464045472 10000
00530 201510441711 10000
00531 201542202343 10000
OEMQ RANI 02/\llbl PAGE 35
ASSEMBLED TEXT.
00532 201576210535 10000

00533 201624200555 10000 DEC 1.5791C7C,,1.5470113,2.916107 2,2.2 306061,1.7068 55 8
00534 201645505041 10000
- 00535 202565206001 10000
C0536 202435411001 10000
00537 201654751002 10000
BINARY CARO 1 NOT PUNCHED)

00540 201512074002 10300 DEC 1.2895203,,0.9432983,0.6443520,0.3754978
00541 200742757773 10000
00542 200511721005 10000
00543 177600404773 10000
00544, 175771257726 10000 S3 DEC 0.1233749
00545 OOOOOOOOOOOO 10000 *L01R
00546 5i2l450l606O 10000
00547 000000300031 10000 *LORG
00550 O00O0330O015 lOOOO
00551 201400000000 10000
00552 200400000000 10000
00553 232000000000 10000
00000 Ollll tND
DEMO RDMCB OZ/n/67 PAGE 40
ASSEMBLED TEXT.
STEXT RDMCB ROMCOOOl
RANDOM NUMBER PACKAGE

CALLING; SEQUENCES FOR THE RANDOM NUMBERS
R = FLTRN(OUMMY)
R = SFLRAN(OUHHY)
R = EXPRN(DUMMY)
CALL AZIRN(SINE,COSINE)
CALL POLRNtSINE,COSINE)
CALL GTIS0(X,Y)
R = RNMAX(XMAX)
R = FISRN(DUMMY)
CALL RANOIN(CONS)
PCC
ENTRY RANOM
ENTRY GENRA
ENTRY FLTRN
ENTRY SFLRAN
ENTRY EXPRN
ENTRY AZIRN
ENTRY POLRN
ENTRY GTISO
ENTRY RNMAX
ENTRY FISRN
ENTftY RANDIN
BINARY CARD ( NOT PUNCHED)

00000 343277244615 10000 GENRA OCT 343277244515
00001 343277244515 •lOOOO RANOM OCT 3143277244615
<lfLOATING POINT RANDOM NUMBER GENERATOR -
00002 0560 00 0 03000 10011 FLTRN LDQ RANDM
O0003 0200 00 0 02000 10011 MPY GENRA
0O0O4 4600 00 0 03000 - loOU STQ RANDM
00005 0500 00 0 00352 10001 CLA =0170000000100
00006 4763 00 0 00034 10300 LGL 28
00007 0300 00 0 00352 10001 FAD =0170000000100
00010 0140 00 4 00001 10000 TOV 1,4
* SIGNED RANDOM NUMBER GENERATOR
OOOll 0560 00 0 03000 10011 SFLRAN LOQ RANDM
00012 0200 00 0 02000 10011 MPY GENRA
00013 4600 00 0 03000 10011 STQ RANDM
00014 4773 00 0 00001 10000 RQL 1
00015 0500 00 0 00353 loooi CLA -0200
00016 0763 00 0 00033 10000 LLS 27
00017 0300 00 0 00352 10001 FAD =0170000000100
00020 0020 00 4 00001 10000 TRA 1,4
* CHOOSE FROM AN EXPONENTIAL DISTRIBUTION
00021 0600 00 0 00054 lOOOl EXPRN ST7 E..INT
00022 0560 00 0 03000 10011 E.... A LDQ RANOM
•

00023 0200 00 0 02000 10011 MPY GENRA
00024 4600 00 0 00051 10001 STQ e....x
00025 4600 00 0 00053 lOooi E....B STQ E....Z
00025 0200 00 0 02000 10011 MPY GENRA
00027 4600 00 0 00052 10001 STQ E....Y
DEMO RDMCB oznifbi PAGE 41
ASSEMBLED TEXT.
00030 0500 00 0 00053 10001 CLA E....Z

00031 0040 00 0 00041 10001 TLQ
00032 4600 00 0 03000 10011 STQ RANDM
00033 0500 00 0 00051 10001 CLA E....X
00034 0771 00 0 00010 10000 ARS 8
00035 0400 00 0 00354 10001 ADD =0200000000000
00036 0300" 00 0 00054 10001 FAD E..INT
00037 4100 00 4 00001 10000 TNZ 1,4
00040 0020 00 0 00022 10001 TRA E....A
00041 0200 00 0 02000 10011 E C MPY GENRA
00042 0500 00 0 00052 lOOOl CLA
00043 0040 00 0 00025 10001 TLQ E....B
OO044 4600 •00 0 030OO 10011 STQ RANDM
00045 0500 00 0 00054 10001 CLA E..INT

00046 0300 00 0 00355 10001
FAD"
00047 0501 00 0 00054 10001
STO E..INT
00050 0020 00 0 00022 lOOOl
TRX~ E....A
00051 0 OOOOO 0 OOOOO 10000
E....X
00052 0 OOOOO 0 OOOOO 10000
E....Y
00053 0 OOOOO 0 OOOOO 10000
E....Z
00054 0 OOOOO 0 OOOOO 10000
E..INT
* SINE D COSINE OF RANDOM AZIMUTHAL ANGLE (0 TO 2PI )
00055 0534 00 4 OOIOO 10001 AZIRN SXA A. . . • A,4
00056 0074 00 4 05000 10011 A....B TSX SFLRAN,4
00057 0601 00 0 00110 10001 STO A...Rl FIRST RANDOM NUMBER
00060 0131 00 0 OOOOO 10000 XCA
5555T—0260 Oo 0 OoUO—TSSSl FMP~ A...R1
00062 0601 00 0 00112 10001 STO A.RISQ Rl**2
00053 00 74 00 4 04000 10011 TSX~ FLTRN,4
00064 0601 00 0 00111 10001 STO A...R2 SECOND RANDOM NUMBER
55555 0131 00 0 OOOOO lOOOO X55~
00066 0260 00 0 00111 10001 FMP A...R2
00067 0601 00 0 00113—TocSoT STTT A.R2SQ R2**2
00070 0300 00 0 00112 10001 FAD A.RISQ

5557T—0601 00 0 00107—05551 575" ASUMSQ Rl**2tR2**2
00072 0402 30 0 00355 10001 SUB =1.
55573—0120 00 0 00056—15551 TIH^ A....B
00074 0560 00 0 00110 10001 LOQ A...R1
55575—0260 00 0 00111—nJTOI FHP~ A...R2
00075 0361 00 0 00356 10001 ACL =0001000000000
00077 0241 00 0 00107—nJ5T5T F5P~ ASuMSQ
00100 0774 00 4 OOOOO 10000 A....A AXT **,4
00101 4600 60 4 00003 10000 5T^* "574 SINE PHI £-2*Rl*R2/(Rl**2£R2**2)
00102 0500 00 0 00113 10001 CLA A.R2SQ
55T53—0362 00 0 00112—05551 FTT^ A.RIS'Q
00104 0241 00 0 00107 10001 FDP ASUMSQ
00105 4600 60 4 00004 10000 STO*' T7^ COSINE PHI (R1**2-R2**2)/IR1**2£R2**2)
00106 0020 00 4 00001 10000 TRA 1,4
00107 0 OOOOO 0 OOOOO 10000 ASuHSQ
00110 0 OOOOO 0 OOOOO 10000 A...R1
00111 0 OOOOO 0 OOOOO 10000 A...R2
00112 0 OOOOO 0 OOOOO 10000 A.RISQ
DEHO RDMCB 02/17/67 PAGE 42
ASSEMBLED TEXT.
00113 0 OOOOO U OOOOO 10000 A.R2SQ
I * SINE AN D COSINE OF RANDOM POLAR (0,PI)
BINARY CARD (NOT PUNCHED) ,
00114 0634 00 4 00135 10001 POLRN SXA P....A,4
00115 0074 00 4 04000 10011 P....B TSX FLTRN,4
00116 0601 00 0 00147 10001 STO P...R1
00117 0131 00 0 OOOOO 10000 0<CA
00120 0260 00 0 00147 10001 FMP P...R1
00121 0601 00 0 00151 10001 STO P.RISQ
00122 0074 00 4 04000 10011 TSX FLTRN,4
00123 0601 00 0 00150 10001 STO P...R2
00124 0131 00 0 OOOOO 10000 XCA
00125 0260 00 0 00150 10001 FMP P...R2
00125 0601 00 0 00152 10001 STO P.R2SQ
00127 0300 00 0 00151 10001 FAD P.RISQ
C0130 0601 00 0 00153 10001 STO P....E
00131 0560 00 0 00147 10001 LDQ P...RI
00132 0250 00 0 00150 10001 FMP P...R2
00133 0361 00 0 00356 10001 ACL =0001000000000
00134 0241 00 0 00153 10001 FDP P....E
00135 0774 00 4 OOOOO 10000 P....A AXT **,4
00136 4600 60 4 00003 10000 STQ* 3,4
w
I BINARY CARD (NOT PUNCHED)
C>J 00137 0260 00 0 00357 10001 FMP =1.5396
O^ 00140 0402 00 0 00153 10001 SUB P....E
I 00141 4120 30 0 10000 10011 TMI POLRN
00142 0500 00 0 00152 10001 CLA P.R2SQ
00143 0302 00 0 00151 10001 FSB P.RISQ
00144 0241 00 0 00153 10001 FDP P....E
00145 4600 60 4 00004 10000 STQ* 4,4
00145 0020 00 4 OOOOI 10000 TRA 1,4
00147 0 OOOOO 0 OOOOO 10000 P...R1
00150 0 OOOOO 0 OOOOO 10000 P...R2
00151 0 OOOOO 0 OOOOO 10000 P.RISQ
00152 0 OOOOO 0 OOOOO 10000 P.R2SQ
00153 0 OOOOO 0 OOOCO 10000 P....E
* GTISO GETS RANDOM ISOTROPIC VECTOR
00154 0634 00 4 00210 10001 GTISO SXA G....A,4
00155 0074 00 4 04000 10011 G....B TSX FLTRN,4
00156 0601 00 0 00231 10001 STO G....Z
00157 0131 00 0 OOOOO 10000 XC3
00160 0260 00 0 00231 10001 FMP G....Z
00161 0601 30 0 00234 10001 TfO G..ZSQ
BINARY CARD'(NOT PUNCHED)
00162 0074 00 4 05000 10011 TSX SFLRAN,4
00163 0131 00 0 OOOOO 10000 xcX
00164 0260 30 0 00236 10001 FMP G. .CON
00155 0601 00 0 00227 10001 STO G....X
00166 0131 00 0 OOOOO 10000 XCA
00167 0260 00 0 00227 10001 FflP G....X
00170 0601 30 0 00232 10001 STO G.^XSO
00171 0074 00 4 05000 10011 T5Ji SFLRAN,4
00172 0131 00 0 OOOOO lOOOO XCA
DEMp RDMCB 02/17/67 PAGE 43
ASSEMBLED T E X T .
00173 0260 00 0 00236 10001 FMP G..CON

00174 0601 00 0 00230 10001 STO G....Y
00175 0131 00 0 OOOOO 10000 XCA
00176 0260 00 0 00230 10001 FMP G....Y
00177 0601 00 0 00233 10001 STO G..YSQ
00200 0300 00 0 00232 10001 FAD G..XSQ
00201 0601 00 0 00232 10001 STB G.XYSQ
00202 0300 00 0 00234 10001 FAD G..ZSQ
00203 0601 00 0 00235 lOOOl Tro G....D
0Q204 0131 00 0 OOOOO 10000 XCA
B I N A R V CARD (NOT PUNCHED)

00205 0260 -55-TT 00235 10001 FMP G... .D
00206 0402 00 0 002 31 10001 SUB G. . . . Z
00207 0120 00 0 00155 10001 TPL G. . . . B
00210 0774 30 4 OOOOO 10000 G.. ..A AXT **,4
00211 0500 00 U 00231 10001 CLA G Z
00212 0400 00 0 00356 10001 ADD =01000000000
00213 0241 00 0 00235 10001 FDP e D
00214 4600 00 0 00231 10001 STQ G...ZD
00215 0260 00 0 00227 10001 FMP G X
00216 0601 60 4 00003 10000 STO* 3,4
00217 0560 00 0 00230 10001 LDQ G V
00220 0260 00 0 00231 10001 FMP G...ZO
00221 0601 60 4 00002 10000 STO* 2,4
00222 0500 00 0 00234 10001 CLA G..ZSQ
00223 0302 00 0 00232 10001 FSB G.XYSQ
00224 0241 00 0 00235 10001 FDP G.. ..D
00225 460U 6U 4 U0U04 lOUOO SIU* 4,4
00225 0020 00 4 OOOOI 10000 TRA 1,4
U0227 0 OOOOO 0 UOUOO 10000 G.. ..X
BINARV CARO (NOT PUNCHED)
00230 0 OOOOO 0 OOOOO 10000 G....Y
00231 0 OOOOO 0 OOOOO—10000—577777
00232 0 OOOOO 0 OOOOO 10000 G..XSO
05273—5-55555-5755555—10000 G..YSO
00234 0 OOOOO 0 OOOOO 10000 G..ZSQ
00235—0 OOUOO 0 OOOOO—10000—5777715
00232 G.XYSQ SYN G..XSQ
00231 (i...2D SYN G....Z
00235 200537736000 10000 G..CON OCT 200537736000
S HAXWtLL BULUHANN
00237 0634 00 4 00273 10001 RNMAX SXA M....A,4
OU240—00 74 00 4 06000—10011 TST EXPKN,4
00241 0601 00 0 00305 10001 STO M....X
0 0 2 4 2 — 0 5 2 0 00 0 00301 lOOUl ZET H..BIN
00243 0020 00 0 00276 10001 TRA M.FLOP
UU244—UO/4 U(J 4 U40C0 1 5 5 1 1 — H . . . . C I SX FLIRN,4
00245 0601 00 0 00302 10001 STO M.RISQ
557?fS—0131 00 0 OOOCO—15555 XCTS
00247 0260 00 0 00302 10001 FMP M.RISQ
05735—0601 00 0 U0302—lOOUl STB H.KISU
00251 0074 0 0 4 04000 10011 TSX FLTRN,4
5 5 7 5 2 — 0 6 0 1 0 0 0 00303—175551 5TD H.R2SQ
DEMO RDMCB 02/17/67 PAGE 44
ASSEMBLED TEXT

00253 0131 00 0 OOOOO 10000 XCA
00254 0260 00 0 00303 10001 FMP M.R2S0
00255 0601 00 0 00303 10001 STO M.R2SQ
00256 0300 00 0 00302 10001 FAD M.RISQ
00257 0601 00 0 00304 10001 STO MSUMSQ
00260 0402 00 0 00355 10001 SUB = 1.
00261 0120 00 0 00244 10001 TPL M....C
00262 0074 00 4 06000 10011 TSX EXPRN,4
00263 0241 00 0 00304 10001 FDP MSUMSQ
00264 4600 00 0 00304 10001 STQ MSUMSQ
00255 0250 00 0 00302 10001 FMP M.RISQ
00266 0601 00 0 00301 10001 STO M..B1N
00267 0550 00 0 00304 10001 LOQ MSUMSQ
00270 0260 00 0 00303 lOOOl FMP H.R2SQ
00271 0300 00 0 00305 10301 M. ...B FAD M....X
00272 0131 00 0 OOOCO 10000 XCA
00273 0774 00 4 OOOOO 10000 M. ...A AXT **.4
00274 0260 60 4 00003 10000 FMP* 3,4
00275 0020 00 OOOOI 10000 TRA 1,4

00276 0500 00 0 00301 10001 M, FLOP CLA M..BIN
00277 0600 00 0 00301 10001 STZ M..BIN
00300 0020 00 0 00271 10001 TRA M....B
00301 OOOOOOOOOOOO 10000 M. .BIN DEC 0
00302 0 ooooo 0 OOOCO 10000 M.,R1S0
00303 0 ooooo 0 ooooo 10000 M.,R2SQ
00304 0 ooooo 0 OOOCO 10000 MSUMSQ
00305 0 00030 0 ooooo 10000
* WATT FISSION SPECTRUM
00306 0634 00 4 00330 10001 SXA F....A,4
00307 0074 00 4 05000 10011 FISRN TSX SFLRAN,4
00310 0601 00 0 00335 10001 STO F...MU
00311 OOOOOOOOOOOO 00010 CALL RNMAXIF T)
00311 0074 00 4 12000 lOOll
00312 1 OOOOI 0 01003 loon
00313 0 00350 0 00353 10100
00314 0 OOOOO 0 00332 10001
00315 0601 00 0 00335 10001 STO F..VSQ
00316 OOOOOOOOOOOO 00010 CALL SQRT(F..VSQ)
00316 0074 00 4 150C0 lOOll

J0317 1 OOOOI 0 01003 10011
00320 0 00350 0 00355 10100
00321 0 OOOOO 0 00335 10001
00322 0131 00 0 OOOOO 10000 XCA
00323 0260 00 0 00333 10001 FMP F...JF
00324 0131 00 0 OOOOO 10000 XCA
00325 0260 00 0 00336 10001 FMP F...MU
00326 0300 00 0 00335 10001 FAD F..VSQ
00327 0330 00 0 00334 loooi FAD F..FSQ
00330 0774 00 4 OOOOO 10000 F. ...A AXT **,4
00331 0020 00 4 OOOOI 10000 TRTJ TT?
00332 275631711715 10300 F....T DEC 1.846E£18
DEMO RDMCB 02/17/57 PAGE 45
ASSEMBLED TEXT.
00333 237741405150 10000 F. ..2F DEC 2.0196F£9

00334 274704761114 10000 F. • FSQ DEC 1.020E£18
00335 0 OOOOO 0 ooooo 10000 F. .vso
00336 0 ooooo 0 ooooo 10000 F.
C0337 0500 60 4 00003 10000 ..MU CLA*
RANDIN 3,4
00340 0100 00 0 00345 10001 TZE R A
00341 076C 00 0 00003 10000 SSP

00342 0601 60 4 00003 10000 STO* 3,4
00343 0501 00 0 03000 10011 STO RANDM
00344 0020 00 4 OOOOI 10000 TRA 1,4
00345 0500 00 0 03(JOO lOOll R. ...A CLA RANDM
00345 0601 60 4 00003 10000 STO* 3,4
00347 0020 00 4 OOOOI 10000 TRA 1,4
C0350 OOOOOOOOOOOO 10000 *LDIR
00351 512444232260 10000
00352 170000000100 10300 *LORG
00353 00-^000000200 10000
00354 203000000000 10000
00355 201400000000 10000
0O355 001000000000 10000
00357 201612106347 10000
OOOOO Ollll END
APPENDIX F
TENTATIVE GUIDELINES FOR RELIABILITY

ANALYSIS OF CONTAINMENT
ISOLATION VALVE SYSTEMS
APPENDIX F
TENTATIVE GUIDELINES FOR RELIABILITY

ANALYSIS OF CONTAINMENT
ISOLATION VALVE SYSTEMS
A s s e s s m e n t of isolation valve s y s t e m reliability can be based on the

a s s u m p t i o n that at l e a s t one isolation valve m u s t close or r e m a i n
closed on each piping penetration; and, subsequently, t h e s e valves
m u s t maintain a c e r t a i n degree of leak t i g h t n e s s . The question then
a r i s e s , "should one consider all penetrations or only p a r t i c u l a r l y c r i t i c a l
p e n e t r a t i o n s ? " This c o n s i d e r a t i o n is especially important for containments
with a l a r g e number of p e n e t r a t i o n s . F o r example, the D r e s d e n - 3
drywell or p r i m a r y containinent s y s t e m is p e n e t r a t e d by approximately
488 pipes or tubes and 6l e l e c t r i c a l or i n s t r u m e n t a t i o n c a r t r i d g e s .
Of the piping p e n e t r a t i o n s , 370 a r e control r o d - d r i v e hydraulic lines
which t e r m i n a t e outside the drywell in the control rod hydraulic s y s t e m .
To attack the p r o b l e m of a s s e s s i n g isolation valve reliability, the

p e n e t r a t i o n s and the a s s o c i a t e d valves have been classified according
to importance by the d e g r e e of s e p a r a t i o n they afford between potentially
radioactive s y s t e m s and the a t m o s p h e r e or the s e c o n d a r y containment.
T h e s e c l a s s e s in o r d e r of d e c r e a s i n g i m p o r t a n c e a r e :
1. P e n e t r a t i o n s open to containment and t e r m i n a t i n g in s y s t e m s

not sealed to a t m o s p h e r e .
2. P e n e t r a t i o n s open to p r i m a r y coolant s y s t e m and t e r m i n a t i n g

in s y s t e m s not sealed to a t m o s p h e r e .
3. P e n e t r a t i o n s originating in s y s t e m s s e p a r a t e d from p r i m a r y
coolant or containment a t m o s p h e r e by one or m o r e i m p e r m e a b l e
m e m b r a n e s and t e r m i n a t i n g in s y s t e m s not sealed to a t m o s p h e r e ,
4. P e n e t r a t i o n s open to containment and t e r m i n a t i n g in sealed

systems.
5. P e n e t r a t i o n s open to p r i m a r y coolant s y s t e m and t e r m i n a t i n g

in sealed s y s t e m s .
6. P e n e t r a t i o n s originating and t e r m i n a t i n g in sealed s y s t e m s .
T h e s e penetration c l a s s e s a r e sumnnarized in Table F . 1 along with

isolation valve classifications based on n o r m a l valve s t a t u s , i . e . ,
n o r m a l l y open and n o r m a l l y closed v a l v e s .
F-1
With the preceding breakdown the m o s t c r i t i c a l isolation valves a r e
n o r m a l l y open valves on C l a s s 1 p e n e t r a t i o n s ; e . g . , containment
ventilation lines which communicate with the a t m o s p h e r e during
n o r m a l operation. Such lines a r e used in s o m e e a r l y power r e a c t o r
designs ( e . g . , Shippingport and D r e s d e n - 1 ) but a r e not included in
r e c e n t f a c i l i t i e s . As developed, the classification s y s t e m says that
isolation valve reliability is most important on lines which do not r e q u i r e
a second o r d e r failure (i. e. , r u p t u r e of a sealed s y s t e m ) to r e s u l t
in leakage to the a t m o s p h e r e , and that lines which r e q u i r e a t h i r d
o r d e r f a i l u r e , i. e. , r u p t u r e of two sealed s y s t e m s , a r e the least
i m p o r t a n t . Using this ranking, the isolation valve reliability model
can be simplified to focus on the m o r e important lines with knowledge
that other lines have even l e s s probability of becoming a leakage path,
since they will r e q u i r e second or t h i r d o r d e r failures to become significant.
F-2
TABLE F . I
PENETRATION CLASSIFICATION
Class T e r m i n a t e s Within T e r m i n a t e s Outside

Designation Containment In Containment In
1 Line open to containment Line or apparatus not

atmosphere sealed to a t m o s p h e r e
2 Line open to prinaary Line or apparatus not

coolant s y s t e m sealed to a t m o s p h e r e
3 Equipment s e p a r a t e d f r o m Line or apparatus not'

p r i m a r y coolant or contain- sealed f r o m a t m o -
ment a t m o s p h e r e by one sphere
i m p e r m e a b l e menabrane
4. Line open to containment Equipment s e p a r a t e d

atmosphere f r o m a t m o s p h e r e by
one i m p e r m e a b l e
membrane
5 Line open to p r i m a r y Equipment s e p a r a t e d

coolant s y s t e m f r o m a t m o s p h e r e by
one i m p e r m e a b l e
membrane
6 Equipment s e p a r a t e d Equipment s e p a r a t e d
f r o m p r i m a r y coolant f r o m a t m o s p h e r e by
or containment a t m o s - one impernneable
p h e r e by one i m p e r - membrane
meable m e m b r a n e
Valve Classification
Description
NO Valves open during n o r m a l plant operation

includes check valves on in -flowing l i n e s .
NC Valve closed during n o r m a l plant operation

includes check valves on st agnant l i n e s .
F-3
APPENDIX G
GLOSSARY
V
APPENDIX G
GLOSSARY
This g l o s s a r y is a r e f e r e n c e for definitions of reliability t e r m s and

p h r a s e s which a r e used throughout this r e p o r t . F o r b r o a d e r coverage
of reliability n o m e n c l a t u r e , the r e a d e r is r e f e r r e d to handbooks,
r e p o r t s , and texts such as those listed at the end of this appendix.
P r o g r e s s is closely a s s o c i a t e d with the ability to communicate especially

in t e c h n i c a l fields. At the beginning new concepts and ideas a r e e x p r e s -
sed in many different w a y s , but in t i m e they a r e a m a l g a m a t e d into a
single word or p h r a s e which greatly i n c r e a s e s the understanding between
different groups of people. As concepts, i d e a s , and philosophies change,
old words take on new m e a n i n g s . So it is with the words included in this
g l o s s a r y ; they reflect p r e s e n t concepts and i d e a s , but as the field
p r o g r e s s e s , t h e s e words will acquire new m e a n i n g s .
Automatic Reliability M a t h e m a t i c a l Model (ARMM) - A g e n e r a l purpose

c o m p u t e r p r o g r a m for deriving and solving a m a t h e m a t i c a l model of the
reliability of complex systeims based on a sequential application of the
conditional probability t h e o r e m (Bayes' T h e o r e m ) to the probability of
s y s t e m failure. The p r o g r a m can handle up to a m a x i m u m of 300
functions and 500 connponents and has a built-in capability to handle
dependent components, standby components, and mutually exclusive
failure m o d e s .
Coimponent - A self-contained unit which p e r f o r m s a distinctive function

in the o v e r a l l operation of a s y s t e m and which can be d i s a s s e m b l e d , r e -
a s s e m b l e d , or r e p l a c e d . F o r example, count r a t e amplifier, high
voltage power supply, centrifugal pump, and solenoid operated valve.
Confidence Level - The probability that a given s t a t e m e n t is c o r r e c t or

the chance that a given value lies within a stated n u m e r i c a l r a n g e . F o r
e x a m p l e , a stated reliability of 99 percent at a confidence level of 75 p e r -
cent means t h e r e is a 75 percent probability that the actual r e l i a b i l i t y is
at least 99 percent (lies between 99 and 100 p e r c e n t ) .
Derating - The p r o c e s s , in design or t e s t , of employing a component

which will c a r r y a g r e a t e r load, or is m o r e a c c u r a t e , or will provide
a l a r g e r output than is n e c e s s a r y for the application.
G-1
Derating F a c t o r - A nunnerical m e a s u r e of the design nnargin provided by
d e r a t i n g . If a punnp with a design head of 500 feet is used where only a
250-foot head is r e q u i r e d , the derating factor b e c o m e s 2.
Degradation - A gradual d e t e r i o r a t i o n in perfornnance, strength,

resistance, etc.
Environnnental S t r e s s - The s t r e s s or load innposed on a component by a

given set of environmental conditions. Conditions which d e t e r m i n e
environmental s t r e s s include humidity, power, p r e s s u r e , t e m p e r a t u r e ,
and voltage. Variations in these conditions tend to affect the failure r a t e
of equipment.
Exponential F a i l u r e Density Function - A failure density function which

r e p r e s e n t s the probability of failure in a population composed of units
experiencing a constant failure r a t e . It is of the form
f(t) = \e'^*
Exponential F a i l u r e Distribution - The distribution d e s c r i b i n g the

probability of failure before t i m e t in a population with a constant
failure r a t e . It is of the form
F(t) = 1-e'^*
F a i l u r e - The o c c u r r e n c e of any condition which r e n d e r s an itenn incapable

of operating within its specified p e r f o r m a n c e p a r a n n e t e r s .
F a i l u r e Cause - That which made the component fail the way it did. Cause
d e s c r i p t i o n usually involves s e v e r a l levels which a r e difficult to identify.
If an amplifier fails, the i m m e d i a t e cause may be a malfunctioning diode.
However, the b a s i c cause nnay be conditions or events such as a t n i s -
application of the diode in the c i r c u i t r y or inadequate inspection of the
diodes employed in a s s e m b l i n g the amplifier.
F a i l u r e Data - A collection of d i s c r e p a n c y and malfunction data derived

from field and t e s t e x p e r i e n c e .
F a i l u r e Density Function, f(t) - The probability that a unit will fail per
unit t i m e at t i m e t. Thus
m - ^
s o m e t i m e s called the failure frequency function.
G-2
F a i l u r e Distribution Function, F(t) - The probability that a unit will fail
by tinne t. Thus
t
F(t) = J f(t) dt
o
This is sometinnes called the cumulative distribution function and is also

recognized as the unreliability function.
F a i l u r e Effect - What happened to the s y s t e m when a component failed

the way it did.
F a i l u r e Event - O c c u r r e n c e of failure as r e l a t e d to point in t i m e .
F a i l u r e Mode - The physical d e s c r i p t i o n of the inanner in which a conn-

ponent failed. F o r example, a valve failed to open; a punnp failed to
continue operation; and a bistable annplifier t r i p unit operated p r e m a t u r e l y .
F a i l u r e R a t e , X - The probability of failure per unit t i m e in a given t i m e

i n t e r v a l . F o r an exponential failure distribution (constant failure r a t e ) ,
the failure r a t e is the r e c i p r o c a l of the mean time between failures for
r e p a r a b l e components and the mean t i m e to failure for i r r e p a r a b l e
components. F a i l u r e r a t e is n o r m a l l y e x p r e s s e d in nunnber of failures
per nnillion h o u r s .
Fault T r e e - A graphical p r e s e n t a t i o n of a fault t r e e analysis which

displays the sequential arrangennent of events interconnected by logic
o p e r a t o r s (or gates) that ultinnately lead to an undesired event.
Fault T r e e Analysis - The analysis of a functional s y s t e m to e s t a b l i s h

the logical sequence of events leading to an undesired event. The analysis
includes a detailed understanding of systenn design and operation, the
construction of a fault t r e e , and the nnathennatical simulation of fault t r e e
logic to e s t a b l i s h the likelihood of and individual failure contributions to
an undesired event.
Malfunction - Any o c c u r r e n c e of unsatisfactory perfornnance. It need not

constitute a failure if readjustment of o p e r a t o r controls can r e s t o r e an
acceptable operating condition.
G-3
Mean Life, 9 - The arithnnetic a v e r a g e of the life tinnes of all i t e m s
c o n s i d e r e d . It is equivalent to
= jtf(t) dt
Mean Time Between F a i l u r e , M T B F - The a v e r a g e t i m e between failures

which can be expected for a r e p a r a b l e component during the portion of
its life cycle in which the exponential failure distribution applies.
Mean Time to F a i l u r e , M T T F - The average or mean life of an

i r r e p a r a b l e component.
Mean Time to R e p a i r , MTTR - The a v e r a g e t i m e to r e p a i r a failed

component including detection of failure, definition of c o r r e c t i v e action,
p e r f o r m a n c e of c o r r e c t i v e action, and t e s t i n g before r e t u r n to s e r v i c e .
N o r m a l Distribution - Sanne as Gaussian distribution. A distribution

defined by
1
f(t) = e 00 < t < + oo
CTV 27r
where
CT = s t a n d a r d deviation
Operating E r r o r - An e r r o r that is t r a c e a b l e principally to some human

action or inaction o c c u r r i n g in any activity subsequent to design and
fabrication.
Operating Time - The time period between t u r n - o n and turn-off of a

systenn, s u b s y s t e m , or component during which operation is as specified.
Total operating time is the sunnnnation of all operating t i m e p e r i o d s .
P e r f o r m a n c e - Operation with Sonne degree of effectiveness.
Population - The total collection of i t e m s from a connmon s o u r c e .
Probability of F a i l u r e , P(A) - The likelihood that A will fail during a

specified period of t i m e under a given environment.
G-4
Probability of S u c c e s s , P(A) - The connplement of the probability of
f a i l u r e . Thus
P(A) = l-P(A)
Random F a i l u r e - Any failure which occurs by chance, in an accidental,

c a s u a l , or haphazard nnanner. Sonnetimes called chance failure.
Redundancy - The existence of nnore than one means of p e r f o r m i n g a

function in o r d e r to prevent an o v e r a l l failure in the event that all but
one of the means fail. P a r a l l e l redundancy is the application of two or
m o r e means of p e r f o r m i n g a function, all cf which a r e functioning at
the s a m e t i m e but each of which is capable of p e r f o r m i n g the function
in the event of a failure to the other i n e a n s . Standby redundancy applies
w h e r e t h e r e is an a l t e r n a t e means of p e r f o r m i n g a function which is
held in abeyance until a failure of the prinnary means is sensed and the
a l t e r n a t e means is actuated to p e r f o r m the s a m e function.
Reliability, R(t) - The probability of p e r f o r m i n g a r e q u i r e d function

under specified conditions for at least a given length of t i m e t. F o r
exponential failure distribution
R(t) = e'^*
Systenn - A combination of components joined together to p e r f o r m a

specific operational function or functions. For example, r e a c t o r
coolant s y s t e m , r e a c t o r control systenn, and safety injection systenn.
S y s t e m s Analysis by Fault T r e e Evaluation (SAFTE-1) - A Monte C a r l o

fault t r e e sinnulation p r o g r a m capable of handling exponential distribution
for component failure and n o r m a l distribution for connponent r e p a i r .
Unreliability - The connplennent of reliability, namely, l-R(t).
Use Data - Data which d e s c r i b e the accumulated use by which successful

operation of a plant or s y s t e m is m e a s u r e d .
Wear out - The point at which the continued operation and r e p a i r of a

connponent b e c o m e s unecononnical due to the i n c r e a s i n g frequency of
failures.
G-5
Weibull F a i l u r e Density Function - F a i l u r e density function of the form
Q
f(t) = Pat^-'e-''^
where
a = Scale p a r a m e t e r
jS = Shape p a r a m e t e r
If /3 = 1, f(t) beconnes exponential function
and OC is equivalent to failure r a t e , X,
G-6
REFERENCES
1, Ire son, W. G. , et al. , Reliability Handbook, McGraw-Hill,

New York, 1966.
2, Von Alven, W. H. , et al. , Reliability Engineering, P r e n t i c e

Hall, New J e r s e y , 1964.
3, Definitions of Reliability T e r m s , AD-480164, Defense Docunnent

Center, Virginia, August 1962.
4, Reliability G l o s s a r y , North A m e r i c a n Aviation, Autonetics

Division, Fourth Edition, April 1967.
G-7
APPENDIX H
RELIABILITY ESTIMATES WITH CONFIDENCE LEVELS

APPENDIX H
RELIABILITY ESTIMATES WITH CONFIDENCE LEVELS
In e s t i m a t i n g component and s y s t e m r e l i a b i l i t i e s the question a r i s e s , "what

is the potential e r r o r a s s o c i a t e d with reliability estinnates made from
available reliability data? " That i s , one wishes to know the probability
that the probability e s t i m a t e is c o r r e c t . In safety applications confidence
level estinnates a r e generally one-sided and state the probability that the
reliability is at least the level e s t i m a t e d , or the failure r a t e is equal to or
lower than the value used. Confidence levels can be r e a d i l y e s t i m a t e d for
failure r a t e s or r e l i a b i l i t i e s of either single components or simple s y s t e m s .
F o r complex s y s t e m s , the p r o b l e m of assigning a confidence level to a
s y s t e m reliability e s t i m a t e , based on connponent r e l i a b i l i t i e s and confidence
l e v e l s , is not as s t r a i g h t f o r w a r d . The p r o b l e m h e r e is that the failure
d i s t r i b u t i o n function for the s y s t e m is not n e c e s s a r i l y the s a m e as that for
the components nor is it easily obtainable.
This appendix p r e s e n t s analytical methods for d e t e r m i n i n g component

failure r a t e s or r e l i a b i l i t i e s at specified confidence l e v e l s . In addition,
two techniques a r e d i s c u s s e d for using component data in e s t i m a t i n g
s y s t e m r e l i a b i l i t i e s with c e r t a i n confidence l e v e l s .
COMPONENT LIFETIMES
An infinitely l a r g e component s a m p l e size would allow one to predict the

t r u e value of a m e a s u r e d paranneter with 100 percent confidence. F o r the
finite or p a r t i c u l a r l y s m a l l s a m p l e s i z e , an e s t i m a t e of the mean life with
a c e r t a i n confidence level is all that can be obtained. The methods outlined
in the following d i s c u s s i o n can be used to c o r r e l a t e the a c c u r a c y of an
e s t i m a t e with the size of the sannple from which it is obtained. These
methods a r e s e p a r a t e d , for c l a r i t y , into two c l a s s e s - standby and
operating.
Standby Components
Following R o b e r t s , let us consider a population whose individual units

have an exponential failure distribution with m e a n life of 9 Q . Then the
reliability (probability of successful operation) to t i m e t for each unit is
-t/e
R(t) = e ° . (1)
H-1
Hence the failure probability is
-t/e
F(t) = l-R(t) = 1-e ° . (2)
If n such units a r e t e s t e d for a c e r t a i n t i m e t, the probability that c

or fewer units fail is
c
Q ~-l i.(^'i). ^^<*)^' [ R ( t ) f ' ' . (3)

i=0
The confidence level P then can be d e t e r m i n e d from
P S 1-Q . (4)
F o r the c a s e of no f a i l u r e s , which is of i m p o r t a n c e in this study.
Equation (4) yields
P S 1 -i:R(t)]''. (5)
Equation (5) is r e a d i l y solved for P , given t and n. However, for

c S 1, Equation (4) does not have a simple r e p r e s e n t a t i o n , and the r e l a -
tion of c, t, n, and P must be obtained n u m e r i c a l l y .
N u m e r i c a l Computation - If P is specified, c and t can be chosen and

an i t e r a t i v e approach used to obtain n from the equality given by
Equation (4). Hence for some n we w r i t e
i=0
Now assuining a t r u n c a t e d Taylor s e r i e s of the form
dQ
1-P« Q + - r ^ An,
n dn
this yields as a c o r r e c t i o n for n

( l - P ) -Q
n
dn
H-2
Thus if n is used for the j ' ' i t e r a t e , then (n+An) should be used in the
ij+lf^ iterate.
Using S t i r l i n g ' s formula for n ! and neglecting t e r m s in —

n
Qn[l"H(t)-^]
dn
c +1 c
[fif] ^ Hr
This e x p r e s s i o n is used in calculating the denominator of Equation (6).
Using t h i s method. F i g u r e H. 1 was obtained for the 75 p e r c e n t confidence
level c a s e .
Exannple - As an example of the use of F i g u r e H. 1 in obtaining lifetime

e s t i m a t e s , consider the following p r o b l e m . All components in an
e m e r g e n c y cooling s y s t e m a r e t e s t e d p e r i o d i c a l l y . The most c r i t i c a l
components a r e t e s t e d by conducting functional t e s t s p r i o r t o each
r e a c t o r s t a r t u p . Other components a r e t e s t e d annually. T h e s e t e s t s
a r e a s s u m e d t o show that the component can or cannot p e r f o r m adequately
under accident conditions.
Functional t e s t s w e r e conducted 24 t i m e s with an a v e r a g e t e s t i n g i n t e r v a l

of 38. 4 d a y s . An e s t i m a t e will be made for the mean t i m e t o an unsafe
failure of a c e r t a i n component with an a s s o c i a t e d confidence level P of
75 p e r c e n t . F o r a component with no r e p o r t e d failures during the e n t i r e
operating period, c = 0 and n = 24-1 = 23. We find from F i g u r e H. 1
-T— S 0. 060 and 6^ i s , t h e r e f o r e ,
ô °
ô ^ o ^ = ^^° ^^y'
which is equivalent t o a failure r a t e X of
^ - T640
7 ? rX
~ "24
7r = 65xlO'^hr"\
H-3
Since t h e r e a r e s e v e r a l components generically and operationally s i m i l a r ,
the t e s t data from t h e s e components may be pooled t o g e t h e r . F o r two
s i m i l a r components with no r e p o r t e d failure, c = 0 and n = 2 3 x 2 = 46.
At a confidence level of P = 0. 75, 6 b e c o m e s
' o
ô ^ r ^ - 1'280 days
or
X S 32.6 X 10"^ h r " \
Thus doubling the number of components has doubled the lifetime e s t i m a t e

at the s a m e confidence level.
Suppose the second component failed once during the e n t i r e period. Then
for c = 1 and n - 46
or
X S 65 X 10"^ h r ' \
S i m i l a r e s t i m a t e s can be made for annually t e s t e d components. In t h i s

example, annual t e s t s w e r e conducted five t i m e s with an averaged
t e s t i n g i n t e r v a l of 324. 5 d a y s . F o r a component t e s t e d annually with
no failure r e p o r t e d during the e n t i r e period, c = 0, n = 5-1 = 4, and
324 5
e § -±3iji - 954 (Jays
o 0. 34 ^
or
X ^ 44 X l O ' hr"\
Operating Connponents
Consider n s i m i l a r connponents which operate for a t i m e t. The point

estinnate of the mean life of t h e s e components, 9 , when c f a i l u r e s
occur, is
H-4
(2)
Confidence Level - An a l t e r n a t i v e e s t i m a t e of 6^ can be made b a s e d on
y \J
the c h i - s q u a r e (x )* distribution. In this c a s e , it can be specified with
a c e r t a i n confidence that 9 will lie between two nunnbers, the upper an
lower confidence level e s t i m a t e s . F o r a given confidence level P
2nt S e S ~ (8)
2 o
f - , 2c+2 ^ - T ' 2^
where
Q = l-P.
Equation (8) is useful provided c S 1.
In r e l i a b i l i t y a n a l y s i s , a one-sided e s t i m a t e of the m e a n lifetime is often

of p a r t i c u l a r i n t e r e s t . That i s , the m i n i m u m value of 6Q can be s p e c i -
fied at a given confidence level. Thus
8 S —^ (9)
o c.
^ Q , 2c+2
This e x p r e s s i o n holds for c S 0.
A family of c u r v e s for operating t i m e nt v e r s u s g- is plotted in

o
F i g u r e H. 2 for 0 to 6 f a i l u r e s with 75 p e r c e n t confidence level. Note
that \_ is equivalent t o failure r a t e X.
K
Example - Consider a s y s t e m which has been operated 17, 604 h o u r s and
which contains six s i m i l a r pumps with no r e p o r t e d f a i l u r e s . E n t e r i n g
F i g u r e H. 2 with c = 0 and nt = 6 x 17,604 = 105,624 h o u r s , the failure
r a t e is e s t i m a t e d t o be
-~- = X S 13.3 X 1 0 ' ^ h r " \

o
DISCUSSION
It can be shown that the method used for the lifetime e s t i m a t e s of

standby components is equivalent to that used for continuously operating
*The values of x ^^^ obtained from probability t a b l e s .
H-5
c o m p o n e n t s . In fact, many continuously operating components can be
c o n s i d e r e d as standby in that they a r e cyclically nnonitored by an
operator or operate cyclically and t h e r e f o r e can be t r e a t e d in the
m a n n e r for standby components.
Example
Consider the previous example in which six pumps operated for

17, 604 h o u r s with no failure and yielded
X = 13. 3 X lO' hr"'^
according to t h e continuous method.
T r e a t i n g each hour as a successful t e s t , i, e. , pump operation is

monitored once each hour
n = 6x17,604 - 105, 624 t e s t s

c = 0
t = 1 hour.
Extrapolating from F i g u r e H. 1
- ^ = 13.3 X 1 0 ' ^
o
or
X = -J- = 13,3 X 10"^ hr''^ .

o
S i m i l a r l y if each day is t r e a t e d as a successful t e s t
n = 105,624/24 = 4,401 tests

c = 0
t = 24 h o u r s .
We find from F i g u r e H. 1
- ^ = 0.000316
o
H-6
or
_— - __ _ i^^ 2 x 1 0 hr
9 24
T h e d i f f e r e n c e i s due t o r o u n d - o f f .
SYSTEM LIFETIMES
C o n f i d e n c e l e v e l e s t i m a t e s for i n d i v i d u a l c o m p o n e n t s a r e q u i t e s i m p l y
o b t a i n e d for e i t h e r o p e r a t i n g o r n o n o p e r a t i n g c o m p o n e n t s . S i m i l a r
e s t i m a t e s of c o n f i d e n c e a r e difficult for t h e r e l i a b i l i t y of a s y s t e m w h e n
b a s e d on t h e p r o b a b i l i s t i c b e h a v i o r of c o m p o n e n t s . In f a c t , s u c h a n a l y t i -
c a l e s t i m a t e s a r e p r e s e n t l y l i m i t e d t o a n a r r o w c l a s s of s y s t e m nnodels
and p r o b a b i l i t y d i s t r i b u t i o n s . T h i s difficulty r e s u l t s f r o m t h e fact t h a t
s y s t e m r e l i a b i l i t y i s s t r o n g l y d e p e n d e n t on t h e s t r u c t u r e of t h e s y s t e n n
f u n c t i o n a l l o g i c a s w e l l a s connponent r e l i a b i l i t y .
T a k e n a g a (3) h a s a n a l y z e d s y s t e m s c o n n p o s e d of 10 c o m p o n e n t s in s e r i e s
with all components a s s u m e d to have exponential failure distributions.
He h a s found, for e x a m p x e , for a s e t of c o m p o n e n t s a l l h a v i n g f a i l u r e
r a t e e s t i m a t e s at t h e s a m e c o n f i d e n c e l e v e l , t h a t t h e s y s t e m c o n f i d e n c e
level behaves as follows:
Component Confidence Level System Confidence Level
40% 13.5%
50% 31.3%
60% 62.35%
70% 90, 0%
80% 99. 9%
F a i l u r e d a t a a r e g i v e n i n R e f e r e n c e (3). A n o t h e r m e t h o d for e s t i m a t i n g
t h e c o n f i d e n c e l e v e l on s y s t e m i r e l i a b i l i t y w i t h s e r i a l l y a r r a n g e d comi-
p o n e n t s h a v i n g e x p o n e n t i a l f a i l u r e d i s t r i b u t i o n s i s g i v e n in R e f e r e n c e (4).
(5)
Kniss has i n v e s t i g a t e d s i m p l e s y s t e m s which contain c o m p o n e n t s in
p a r a l l e l a s w e l l a s i n s e r i e s . He o b t a i n s s y s t e m c o n f i d e n c e l e v e l s by
g e n e r a t i n g r a n d o m v a l u e s of t h e c o m p o n e n t c o n f i d e n c e l e v e l s and u s i n g
t h e s e t o g e n e r a t e r a n d o m v a l u e s of t h e s y s t e m r e l i a b i l i t y . H i s r e s u l t s
a g r e e w i t h t h o s e o b t a i n e d by a l t e r n a t i v e a n a l y t i c a l m e t h o d s i n t h r e e
simple cases.
H-7
of c o u r s e , if a s y s t e m w e r e c o n s t r u c t e d , then data on its r e l i a b i l i t y
c h a r a c t e r i s t i c s could be easily obtained through t e s t i n g the s y s t e m .
However, it should be possible t o predict s y s t e m reliability based on a
knowledge of its components and s t r u c t u r e . The two a p p r o a c h e s mentioned
above a r e attempts to solve t h i s p r o b l e m . The l a t t e r approach a p p e a r s
p r o m i s i n g since one is not r e s t r i c t e d t o analyzing s e r i a l systenns. How-
e v e r , t h i s technique may become costly for complex s y s t e m s . F u r t h e r
work in t h i s a r e a is needed.
H-8
REFERENCES
1, R o b e r t s , N. H. , "Mathematical Methods in Reliability Engineering, "

McGraw-Hill, New York, 1964.
2, Bazovsky, I, , "Reliability Theory and P r a c t i c e , " P r e n t i c e Hall, Inc. ,

Englewood Cliffs, New J e r s e y , 1961.
3, Takenaga, R. , " P r e d i c t i n g System Reliability With Associated

Confidence Level F r o m Component Test Data, " AD 459713,
4, Von Alven, W, H. , "Reliability Engineering, " Arinc R e s e a r c h

Corporation, p. 320, P r e n t i c e Hall, Inc, , Englewood Cliffs,
New J e r s e y , 1964,
5, K n i s s , J, R, , "Reliability E s t i m a t i o n for Multi-Component

S y s t e m s , " AD 633163,
H-9
iaiSsSsiiiiiipnhiiiiiSiiiusii:: iiiiiiiii.
IMiiiiiiiiiiiiiiiiiiiiiiiiiiiiEiiiiiii:
Sample Size, n
FIGURE H. 1
LIFETIME ESTIMATE FOR STANDBY COMPONENTS
AT 75 P E R C E N T CONFIDENCE L E V E L
H-10
: [ | i [ : [ M j i;i;jii:;;liii:!|§;::;;:||||||
11^^!!!! i ! !!i!:'!ii!lii!"!!llii"!!!!''!!"!iiil!i:!!
!:::?:;;: !!• iiiiiiN::i',;ii:!Eii:!iii;:iii:î!ii:'
II • • • ^ ' « » Illll.-Illlllill,.-Iltllllll, >lill.-llll.''li. 'Mllli
•••••••:Hih:^-i;; •••
lllliilf ;f!!Hii:
i
m\M-. yiiiiiiiiiiiiiiiiiiiiiiilii
•g
4 6
7^' ""lO" ^j'cf ^10'
Operating' Time, nt
FIGURE H. 2
LIFETIME ESTIMATE FOR OPERATING COMPONENTS
AT 7 5 P E R C E N T CONFIDENCE LEVEL
H-11

Reliability Analysis OF Nuclear Power Plant Protective Systems

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Reliability Analysis OF Nuclear Power Plant Protective Systems

Uploaded by

Copyright:

Available Formats

HN-190

AEC RESEARCH &

S Sac' > '^ I- h

HOLlVtES & NARVBFl, INC. since 1933

This report was prepared as an account of work sponsored by an

Portions of this document may be illegible in

P r e p a r a t i o n of this r e p o r t has involved the cooperation and advice of

Special a p p r e c i a t i o n is ejrtended to M r . D. E. B r i m l e y for consultation

Much has been said about the safety of n u c l e a r r e a c t o r s c o m p a r e d

How then does one go about making p r e c i s e and quantifying so

Finally, we m u s t a s k o u r s e l v e s how the r e s u l t s of g r e a t e r quantifi-

(1) B. J . G a r r i c k , W. J . Costley, and W. C. Gekler, "A Study

We should also look for i n d i r e c t benefits, not the l e a s t of which

It is our hope that this work will be used to r e a l i z e these and

SUMMARY AND CONCLUSIONS 2

CHAPTER 1 - RELIABILITY DATA MANAGEMENT SYSTEM 1-1

CHAPTER 2 - RELIABILITY ANALYSIS TECHNIQUES 2-1

Autonnatic Reliability Mathematical Model (ARMM) P r o g r a m 2-3

CHAPTER 3 - EXAMPLE APPLICATIONS OF RELIABILITY

Reliability Evaluation 3-15

System Description 3-41

APPENDIX A - PRESENT DATA COLLECTION PRACTICES

APPENDIX B - DATA M A N A G E M E N T PRACTICES IN

APPENDIX C - EXAMPLE OF LOADSHEET PREPARATION

APPENDIX D S E L E C T E D FAILURE RATE DATA D-1

APPENDIX E S A F T E - 1 SOURCE PROGRAM LISTING E-1

APPENDIX F - TENTATIVE GUIDELINES FOR RELIABILITY

APPENDIX G GLOSSARY G-1

APPENDIX H - RELIABILITY ESTIMATES WITH CONFIDENCE

2. 1 P o s s i b l e F a i l u r e Combinations Considered by ARMM

TABLES (continued) PAGE

3. 17B Component Combinations Contributing to System

B, 1 UKAEA Fault Classification System B-20

C. 1 List of Components in a Simple Pumping System C-5

D. 1 F a i l u r e Rate Data on Selected E l e c t r o n i c , E l e c t r i c a l ,

1, 1 C o m p a r i s o n of Data Management Information 1-23

FIGURES (continued) PAGE

3. 1 Schematic C r o s s - S e c t i o n of D r e s d e n - 3 Containment 3-78

FIGURES (continued) PAGE

3. 10 Reliability Block D i a g r a m Containment Isolation

FIGURES (continued) PAGE

3. 3ID Containment Cooling System Reliability Block

A. 1 Maintenance Request Flow A- 1]

B, 1 Sample Safety Report B-44

FIGURES (continued) PAGE

B, 11 Sample of Completed " F a i l u r e Mode D i s t r i b u t i o n s "

C, 1 Simple Pumping Station C--6

Data and analytical r e q u i r e m e n t s for a reliability monitoring p r o g r a m

The data collection plan u s e s a t w o - s t e p r e c o r d i n g p r o c e s s to enable

The a c c u r a c y and flexibility of the Autonnatic Reliability Mathematical

Applications of both techniques t o sannple p r o b l e m s using e s t i m a t e d

It is concluded that reliability analysis can contribute to a m o r e

In an e a r l i e r study it was noted that the usefulness of r e a c t o r operating

In this r e p o r t , the nnaterial has been a r r a n g e d in the o r d e r of c o n s i d e r a -

G a r r i c k , B. J , , W. C, Gekler, and H, P , P o m r e h n , "An Analysis

Reliability analysis can contribute to a nnore quantitative s y s t e m s -

As noted in the P r e f a c e , a reliability monitoring p r o g r a m can benefit

The r e q u i r e m e n t s and techniques a s s o c i a t e d with p r o p e r t r e a t m e n t of

In Chapter 1, a data management s y s t e m has been defined for collection

With r e s p e c t t o data collection, it has been found that c u r r e n t p r a c t i c e s

As p r o p o s e d , the data collection plan entails a t w o - s t e p r e c o r d i n g

A number of m a t h e m a t i c a l techniques or machine codes have been

The ARMM p r o g r a m p o s s e s s e s nnany attributes d e s i r a b l e in evaluating