ML070610293

WASH-10
7- ýv-'
4.,
Reactor a fety Study
An Asses sment of
Accident Risks. in U.S. Commercial
Nuclear Power Plants
United States Nuclear Regulatory Commission
October 1975
NOTICE
This report was prepaied as an account of work sponsored bv

the United States Government Neither the United States nor
the United States Nuclear Regulatory Commission, nor any of"
their employees, noi any of their contractors. subcontractois,
or their employees, makes any warranty, express ot implied,
norassumes any legal liability or responsibility for the accuracy,
completeness or usefulness of any information, apparatus, pro-
duct or process disclosed, nor represents that its use would
not infringe privately owned tight,.
Available from
National Technical Information Service
Springfield, Virginia 22161
Price- Printed Copy $6 00 .Microfiche $2 25 Second printing
WASH- 1400
INUREG-75/014)
FAILURE DATA
APPENDIX III
to
REACTOR SAFETY STUDY
U.S. NUCLEAR REGULATORY COMMISSION

OCTOBER 1975
Appendix m
Table of Contents
Section Page No.

1. FAILURE DATA ....................................................... III-1
1.1 Discussion of Contents ........................................ III-i
1.2 Definition and Explanation of Terms ........................... III-i
1.3 General Data Considerations .................................. 111-2
2. DATA BASE ASSESSMENTS ......... ; .................................... 111-5
2.1 Overall Data Tabulation ....................................... 111-5
2.2 Data Assessment Comparison ................................... 111-5
3. CURRENT NUCLEAR EXPERIENCE ........................................ 111-15
3.1 Introduction ................................................. 111-15
3.2 Nuclear Experience Statistics ................................ III-15
3.3 Operating Incidents Used for Statistical Analyses and
Individual Failure Analysis .................................. 111-19
3.4 Individual Failure Analysis Listing .......................... 111-25
REFERENCES ............................................................... 111-33
4. EXPANDED FINAL DATA ASSESSMENT .................................... 111-39
4.1 Introduction ................................................. 111-39
4.1.1 Notes on Pumps ......................................... 111-39
4.1.2 Notes on Valves ...................................... 111-40
4.1.3 Notes on Pipe - Testing .............................. 111-41
4.1.4 Notes on Motors ...................................... 111-41
4.1.5 Notes on Relays - Failure Modes ...................... 111-41
4.1.6 Notes on Switches - Failure Modes..... .................. 111-41
4.1.7 Notes on Batteries - Failure Modes ................... 111-41
4.1.8 Notes on Solid State Devices ......................... 111-41
4.1.9 Notes on Diesels ..................................... 111-42
4.1.10 Notes on Instrumentation - Failure Modes ............. 111-42
4.1.11 Notes on Wires and Terminal Boards - Failure
Modes................................................ 111-42
4.2 Summary of Post Accident Assessments ......................... 111-42
4.2.1 Notes on Containment Hardware - Test ................. 111-42
4.2.2 General Data Behavior .................................. 111-42
REFERENCES ............................................................... 111-43
5. TEST AND MAINTENANCE DATA AND APPLICATIONS ................... ..... 111-53
5.1 Introduction ............................................ .1..... 11I-53
5.2 Corroboration of the Model Results............................ 111-54
6. SPECIAL TOPICS .................................................... 111-59
6.1 Human Reliability Analysis ................................... 111-59
6.1.1 Introduction ......................................... 111-59
6.1.2 Human Performance Data ............................... 111-59
6.1.3 Performdnce-Shaping Factors .......................... 111-62
III-i
Table of Contents (Continued)
Section Page No.
6.1.3.1 Level of Presumed Psychological

Stress ...................................... 111-63
6.1.3.2 Quality of Human Engineering of Controls
and Displays ................................ 111-63
6.1.3.3 Quality of Training and Practice ................ 111-64
6.1.3.4 Presence and Quality of Written
Instructions and Method of Use ................. 111-64
6.1.3.5 Coupling of Human Actions ...... . ................ 111-65
6.1.3.6 Type of Display Feedback ........................ 111-66
6.1.3.7 Personnel Redundancy ............................ 111-66
6.1.4 A Sample Hunan Reliability Analysis ...................... 111-67
6.2 Aircraft Crash Probabilities ................................. 111-69
6.2.1 Number and Nature of Aircraft Movements ................. 111-70

6.2.2 Determination of Plant Vulnerable Area .................. 111-70
6.2.3 Damage Potential ..................................... 111-70
6.2.4 Typical Damage Calculation (Surry 3 and 4) .............. 111-70
6.2.4.1 Source ...................................... 111-70

6.2.4.2 Source ...................................... 111-70
6.3 Total Loss of Electric Power ................................. 111-71
6.3.1 Total Loss of Electric Power at LOCA ..................... 111-71

6.3.2 Total Loss of Electric Power During a LOCA ............... 111-72
6.3.3 Summary .............................................. 111-73
6.4 Pipe Failure Data ............................................ 111-74
6.4.1 Plant Parameters ..................................... 111-75

6.4.2 Nuclear and Nuclear-Related Experience .................. 111-75
6.4.3 U.S. Non-Nuclear Utility Experience ...................... 111-76
6.4.4 United Kingdom Data .................................. 111-77
6.4.5 Other Reported Pipe Failure Rates ........................ 111-78
6.5 Failure Rates Compared With Log Normal ........................... 111-78
REFERENCES ............................................................... 111-78
7. REFERENCES ........................................................ 111-91
7.1 Discussion of References ..................................... 111-91

7.2 General Sources .............................................. 111-91
7.3 Special Sources .............................................. 111-91
III-ii
List of Tables
Table Page No.
III 2-1 Data Assessment Tabulation ....................................... 111-7/8
III 2-2 Comparison of Assessments with Nuclear Experience ................ 111-11/12
III 2-3 Comparison of Assessments with Industrial Experience ............. 111-13/14
III 3-1 Number of Failures by Plant Showing Failures During Standby

and Operations ................................................... 111-35/36
III 3-2 Number of Failures by Plant Component/System ..................... 111-35/36
III 3-3 Averaged Failure Rate Estimates (Rounded to Nearest Half

Exponent) ........................................................ 111-35/36
III 3-4 Averaged Demand Probability Estimates (Rounded to Nearest

Half Exponent) ................................................... 111-35/36
III 3-5 1972 Failure Categorization Into Random Versus Common Mode ..... 111-37/3.8
III 3-6 Common Mode Effects and Causes ................................... 111-37/38
III 4-1 Summary of Assessments for Mechanical Hardware ................... 111-45/46
III 4-2 Summary of Assessments for Electrical Equipment .................. 111-47/48
III 4-3 Summary of Post Accident Assessments ............................. 111-49/50
III 5-1 Summary of Test Act Duration ..................................... 111-55/56
III 5-2 Summary of Major Maintenance Act Duration (Raw Data)....-....... 111-55/56
III 5-3 Log-Normal Modeled Maintenance Act Duration ...................... 111-55/56
III 6-1 General Error Rate Estimates ..................................... 111-81/82
III 6-2 Aircraft Crash Probabilities ..................................... 111-81/82
III 6-3 Comparison of Probability of an Aircraft Crash for Various

Types of Aircraft ................................................ 111-81/82
III 6-4 Crash Probabilities at Various Sites ............................. 111-81/82
III 6-5 Summary of Transmission Line Outages (Based on Bonneville

Power Administration Data--1970 Statistics) ..................... 111-83/84

Power Administration Data--1971 Statistics) ...................... 111-83/84

Power Administration Data--1972 Statistics) ...................... 111-83/84
III 6-8 Probability of Total Loss of Electric Power After A LOCA ......... 111-83/84
111-83/84
III 6-9 Pipe Failure Assessed Values ....................................
Reported Pipe Failure Rates ...................................... 111-85/86
III 6-10
III-iii
List of Figures
Figure Page No.

III 4-1 Relative Failure Rate Assessments - Switches....................... IEI-51/52
III 4-2 Relative Failure Rate Assessments - Valves........................ 111-51/52
111 4-3 Relative Failure Rate Assessments - Pumps.......................... 111-51/52
III 4-4 Demand Probabilities of Classes of Hardware ...................... 111-51/52
III 4-5 Leak and Rupture Assessments for Passive Hardware ................ 111-51/52
III 5-1 Observed Repair Times and Theoretical Distribution - Pumps ....... 111-57/58
III 5-2 Observed Repair Times and Theoretical Distribution - Valves ...... 111-57/58
III 5-3 Observed Repair Times and Theoretical Distribution -
Diesels .......................................................... 111-57/58
III 5-4 Observed Repair Times and Theoretical Distribution -
Instrumentation .................................................. 111-57/58
III 6-1 Hypothetical Relationship Between Performance and Stress ......... 111-87/88
III 6-2 Motor Operated Valve (MOV) Switches on Control Panel ............. 111-87/88
III 6-3 Probability Tree Diagram for Step 4.8.1 .......................... 111-87/88
III 6-4 Cumulative Outage Duration Distribution Curve .................... 111-87/88
III 6-5 Histogram - Restoration of Transmission Line Outages ............. 111-87/88
III 6-6 Log-Normal Distribution - Pumps .................................. 111-89/90
III 6-7 Log-Normal Distribution - Valves ................................. 111-89/90
III 6-8 Log-Normal Distribution - Clutch - Electrical .................... 111-89/90
III 6-9 Log-Normal Distribution - Diesels ................................ 111-89/90
III-iv
Section 1
Failure Data
In the quantitative system probability 3. A discussion of nuclear power plant

estimates performed in this study, experience that was used to validate
component behavior data in the form of the data assessment by testing its
failure rates and repair times are applicability as well as to check on
required as inputs to the system models. the adequacy of the model to incor-
Since the goal of this study is risk porate typical real incidents.
assessment, as opposed to reliability (section 3)
analysis, larger errors (e.g. order of
magnitude type accuracy) can be 4. An expanded presentation of the data
tolerated in the quantified results. assessment giving information on ap-
This has important implications on the plicability considerations. Detail-
treatment of available data. In ed characteristics are also given
standard reliability analysis, point for utilization of the data in the
values (i.e., "best-estimates") are gen- random variable approach. Graphs
erally used for both data and results in are finally presented showing trends
quantifying the system model. and class behaviors. (section 4)
in risk assessment, since results 5. A discussion of test and maintenance

accurate to about an order of magnitude data including comparisons of models
are sufficient, data and results using with experience data. (section 5)
random variable and probabilistic
approaches, can be usefully employed. 6. Special topics, including assess-
The base of applicable failure rate data ments required for the initiating
is thus significantly broadened since event probabilities and human error
data with large error spreads and data and modeling. (section 6)
uncertainties can now be utilized. The
data and associated material that were 1.2 DEFINITION AND EXPLANATION
assembled for use in this study and that
are presented here are to be used in the OF TERMS
random variable framework (which will be
described). The data and the accompany-
ing framework are deemed sufficient for Listed below are definitions of terms
the study's needs. Care must be taken, which will be employed in the discus-
however, since this data may not be suf- sions. Certain of these definitions are
ficiently detailed, or accurate enough listed elsewhere, but have been restated
for use in general quantitatige relia- here since they have pertinence with
bility models. regard to data assessment.
1.1 DISCUSSION OF CONTENTS Failure Probabilitx: the probability

that a system, subsystem, or component
The items listed below summarize the will suffer a defined failure in a
detail sections which follow. specified period of time. In context of
the defined failure, the failure
probability is equivalent to the
1. A listing of definitions and a unreliability.
discussion of the general treatment
of data within the random variable
approach as utilized by the study. Unavailability: the probability that a
(section 1) system, sustem, or component will not
2. A tabulation of the assessed data be capable of operating at a particular
base containing failure classifica- time, i.e,, will be in a failed state.
Availability is the complement of
tions, final assessed ranges utiliz- unavailability. Point unavailability
ed in quantification and reference and interval unavailability are treated
source values considered in deter- as being equivalent here (see the fault
mining the ranges. Additional discussion for
tables, extracted from the main tree quantification
table, are also given showing the further details).
assessed ranges and comparing them
with industrial and nuclear experi- Active Devices: those operating devices
ence. (section 2) such as pumps, valves, relays, etc.,
III-1
that run, transfer, or change state to pertinent, the demand data Qa can be
perform their intended function. associated with standard cyclic data or
can be interpreted as a general unavail-
Passive Devices: those inert devices ability. Human error data can also be
such as pipes, vessels, welds, etc. associated 'with demand probabilities
that are generally inactive but whosel (i.e. per action) as discussed in the
failure will affect system behavior. human evaluation section.
Operatingl Failure Rates: for those com-
Test Time: the total on-line time ponents required to operate or function
required to test a system, subsystem, or for a period of time, the probability
component. This total includes the (per hour) of failure is denoted by Xc,.
active test time plus the on-line time For those components affected by acci-
required to reconfigure before and after dent environments, additional failure
testing. rates applicable to the pertinent
accident environment are given.
Maintenance Time: the total on-line
time required to maintain a system Standby 'Failure Rates: for those
subsystem, or device. Analogous to the passive-type devices such as pipes,
previous test definition, the on-line wires, etc., which are normally dormant
maintenance period includes actual or in standby until tested or an
maintenance time plus any adjustment or accident occurs, the probability (per
check-out time associated with the hour) of failure is denoted by Xs.
maintenance.1~
The above definitions involve the
Test Interval: the length of time standard terminologies and concepts
be-tween tests of systems, subsystems, employed in reliability theory. Test
and components. For the applications and maintenance data in general consists
here, this interval is often 720 hours, of the test and maintenance times and
(".1l month), although there are the test and maintenance intervals.
exceptions, and relevant test intervals Component failure data in general
must be obtained for each component. As consists of the demand probabilities,
will be further discussed, test inter- operating failure rates, and standby
vals are treated as being periodic. failure rates. The characteristics
which have been described are by no
means exhaustive. Also, many equivalent
Maintenance Interval: the length of bases can be constructed. The charac-
time between maintenance on systems, teristics as defined here, however, are
subsystems, or components. The interval sufficient for the applications in the
depends upon whether the maintenance is study.
of periodic, non-periodic, scheduled or
non-scheduled nature. For the applica-
tions here, the maintenance interval is 1.3 GENERAL DATA CONSIDERATIONS
generally treated as being non-scheduled This section describes certain basic
and hence non-periodic. concepts involving the probabilistic, or
random variable approach used in the
Demand Probabilities: the probability study and its implications with regard
that the device -will fail to operate to the establishment of a data base.
upon demand for those components that
are required to start, change state, or The quantitative evaluation of a system
function at the time of the accident. can involve one of two types of
The demand probabilities, denoted by 0 d, calculations: a point calculation, or a
incorporate contributions from failure random variable evaluation. The point
at demand, failure before demand, as and random variable types of evaluation
well as failure to continue operation differ with regard to basic goals and
for a sufficient period of time for approaches and how to input data must be
successful response to the need. When prepared. With point value calculations
the general goal is to derive a best
value for the system parameter of
interest, usually the system unavaila-
Th term "on-line", as standardly used, bility or failure probability (unrelia-
denotes the time actually impacting the bility). In point calculations one
system unavailability or failure attempts to obtain the input data with
probability. The "on-line" phrase is great accuracy since, the computed
often deleted with the understanding results are to represent an exact type
that only test or maintenance tine of value. In reality, of course, point
actually affecting the system is values are never exact but are computed
included. as precisely as possible.
111-2
Because of the need for highly accurate rameter which is input to a calculation,
component assessment, point calculations such as a failure rate, is thus now
generally require extensive input data treated as being a random variable and
which classify each component according the range of values gives the various
to particular characteristics,' known as possibilities for the random variable.
the "pedigree" of the component. As a last step, probability distribution
Examples of these characteristics are: is associated with the random variable
to describe the probability associated
a. Generic type of component (relay, with various possible values.
motor, etc.) one of the simplest ways to obtain
b. Component manufacturer necessary data for the random variable
approach is to estimate ranges for each
Component failure mode (i.e., opens, piece of data which is to be used. In
c. reliability applications of the random
closes, ruptures, etc.) approach, failure data is
variable
d. Component specifications (i.e., treated as being a random variable and
hence estimation involves obtaining
voltage, flow rate, etc.) ranges for each component failure rate
and each demand probability.
e. Component environment (i.e., temper-
ature, humidity, etc.)
The random variable approach was chosen
a single value in the study for several reasons. The
In point calculations, reliability results which were computed
for each component failure rate or de- were to apply to a population of reactor
mand probability is obtained. Once plants (100) and hence it was desired to
obtained, these values are then substi- model the component failure variability
tuted into the reliability equations to from plant to plant. Also, data which
then obtain the point value for the sys- does exist is not precise but shows
tem result. In practice, to obtain a large uncertainty and variability and it
single failure rate or demand probabili- was desired to incorporate this
ty value for a particular component, new uncertainty and variability.
failure data is collected in the form of
samples, and statistical point estima-
tion techniques are used. treating data as random variables is
sometimes associated with the Bayesian
approach where the data distributions
In practice, an exact match of the are treated as priors. The system fail-
pedigree characteristics is not always ure probability and its unavailability
possible, and a failure rate is derived are subsequently treated as conditional
from data which matches, as closely as probabilities and the overall marginal
possible, the important characteristics distribution is obtained by integration
of the problem. Engineering judgment is over the data priors. Because the data
used to determine the applicability of distributions were associated with a
the various data. The source data used population (the 100 reactor plants) the
in point evaluations may be obtained data and system characteristics were
from handbooks, field experience, or treated by the study as being simply
from specially designed sampling random variables, however the Bayesian
experiments. interpretation can also be used where
the data distributions are treated as
The second approach, the random variable given Bayesian priors.
technique, is not commonly discussed and The failure rates and demand probabili-
treated in reliability texts but is a ties used in the study were derived from
standard general technique in statisti- handbooks, reports, operating experi-
cal and probabilistic modeling. in the ence, and nuclear power plant experi-
random variable approach, one point val- ence. The data sources involved
ue for an input data parameter is seen Department of Defense data (Navy, Air
as being insufficient to describe the Force, etc.), NASA data and general
applicable situation. Instead a range industrial operating experience as well
of values is determined which describes as nuclear power plant data. The as-
the variability and randomness associ- sessment process entailed an amalgama-
ated with the parameter. The data pa- tion of this information to obtain final
ranges which described regions in which
the data had a high probability of
lying.
1tndr approaches involve parametric
estimation techniques, such as maximum Examination of the various sources of
likelihood, component data showed that, in assess-
111-3
ment of the final data base, only order since diverse data sources were used and
of magnitude accuracy would be generally since a large number of components were
feasible. However, these accuracies involved in the assessment, a number of
were sufficient for the risk calcula- iterations were involved in obtaining
tions since only order of magnitude the actual assessed ranges. In
results are required. In arriving at assessing the ranges, data points were
the final data assessment, the fact that selected from the various sources,
ranges were assigned to each data vari- including nuclear experience, and a
able gave latitude for the incorporation range was then overlayed to cover
of differing data source values. A approximately 90% of the points. As
heuristic illustration is shown below of described in Appendix II, the calcula-
the range type of assessment. The range tions are not sensitive to the precise
type of assessment has the advantage of 90% definition, for example little
rendering the calculations and results differences were obtained if the range
to be insensitive to fine distinctions was actually 85% or 95%. The range
of the applicability of any particular determinations involved data plotting
bit of data. with decisions made on the weight of
each source data point. The assessment
decisions were based upon the experience
of individuals involved in reliability
and nuclear power plant operation.
x x x i Data Source Values
-*-Data Range-.P- Range Assessment Because of the order of magnitude ranges
and accuracies, components were general-
ly classified only to generic type.
When extreme behaviors existed, compo-
nent failure definitions were further
detailed. When available, actual nucle-
As discussed in Appendix II, the log ar plant experience was used as the
normal distribution was used to describe principal basis in determining and
the data variability. Since the log checking the final assessed ranges.
normal has two parameters (the mean and Nuclear component variability from plant
standard deviation, say);, the two end to plant that was observable was not
points of a s'uitably defined range inconsistent with the final range
determine the unique, applicable log widths. (This variability was also not
normal. A 90% range was selected for inconsistent with the random variable
the assessments with the lower range end approach utilized.)
point being the 5% bound and the upper
end point the 95% bound. The range
which was assessed for each failure rate
and demand probability thus coincided
with this 90% definition (there was thus The tables and discussions which follow,
a 90% probability that the data value present the basic data, assessed ranges,
would be in this range). and comparisons involving the assessed
ranges. This hopefully will aid the
reader in determining for himself the
validity of the data ranges that were
employed.
Even though the data sources used, rep-
resented diverse conditions and applica-
tions, with some sources apparently more
applicable than others, the data sources In the tables and discussions, the ex-
were in general agreement within one to tractable failure modes are given for
two orders of magnitude accuracy. The each component classification. Failure
final assessed ranges were thus general- rates are in units of per hour HR-1 and
ly one to two orders of magnitude in demand probabilities (unavailabi.lities)
width to represent this degree of data are in units of per demand D'-.The
consistency. Because of the order of lower and upper bounds which are given
magnitude accuracies, range end points coincide with the approximate 5% and 95%
were determined to the nearest half in- range end points (to half integer
teger on the exponent scale, i.e. a scale). The ranges and upper and lower
failure rate end point being 10-1 or bounds can be interpreted as a confi-
10-1-5, etc. This half integer exponent dence on the data, however, this must be
scale coincided with the assignment of a done so within the random variable (or
3 or 1 for the significant number, i.e. Bayesian) framework in which the data is
1 x 10-1 or 3 x 10-2, etc. to be applied.
111-4
Section 2
Data Base Assessments
2.1 OVERALL DATA TABULATION ranges as compared to obtainable nuclear

experience values and extreme values
Table III 2-1 shows the final assessed from industrial experience. The nuclear
ranges employed by the study and the values were computed from current nu-
principal, raw input values that formed clear experience as discussed in the
the bases for the assessed ranges. subsequent section. The industrial
bounds represent the extreme minimum and
2.2 DATA ASSESSMENT COMPARISON maximum values obtained from the raw in-
dustrial source inputs (which are deter-
Tables III 2-2 and III 2-3 contain ex- ministic type bounds) and are compared
tractions from Table III 2-1 and show with the assessed ranges (which are
more explicitly the final assessed defined at 90% probability).
111-5
YAIA112-1 Uata AssO103.iteiL .
NA NA 010 NA- NA NA NA NA NA NA NA
4
@Wl.- 3
1 04 NA NA NA
P.*Tft1 .3 .i
U.*"10 I1040M %w3 IW0.4 3,ll3 3w.1&3 1.i04 N1&@
60 N A NA N N NA
M .04
NA N- I NA A
.43.140 4 *.,1 ).0
_Ni N .1041 1l 3. 3.1044.. INl i11.N was
~r ~l- NA NA NA NA NA NAl• NA0" *.i0.
- - N NA NA0. NA N
NA NA1• NA A I
I" NA NA 314
.03
-1 z 2.a
F-h-i T. NA1• NA1• NA1
NA NA 1.0 30"
NA NA•'
NA NA NA NA
3.I44 1.10".3 x0" NA %A 1.1*-
3.I3II1•0.3mm,10"+m10.I Il~fOI0 NA ... 03 NA N&
gm
T .y 3
3.10N - N043
. .0sl0 .Ol•
N .3 3.10N3
-0.3 3.1003.14.03 W03 N hI.N
& To300 A NA NA N NA
NA N %. NA
N NA NA NA
N A NA N
NA-
NA 3.NA
44.V1./ |S,.l-1. 3.10-3. 1004
0
NA N"A NA NA NA NA - 13410 N0
NA NNA A 2ANA
NA NA NA NA NA
NA 1.10A
.1o 3.304 00340
NA
SL&.
To 3lRI04M II 10"
NA NA NA A A
N NA NA NA m1"
A
NA N.
NA NA
N A
NANA NA NA NA NA
0" l0" NA] NA1• NA0. NA *.A NA NA NA
NA NA NA NA .,A NA
/50? * 3.030 313104 NA 334
N.t NA 4030 3.I NA NA
PAATON.N.l .1
i3i04/0 l.iNrl
3110IN I .1
0 41o~ 4.1, ii 0"
A .'I' NA NA NA,, N 3.s
NA NA NA NA
N N NAt %
NA NA NA
NA NA N NA NA 34
N A NA0us NA NA NA
1 NAf 3 .14• S. NA NA NA
304 3 0 *IA NA
14001Te ONN 1.1 01/0 3I.3I0.I
NA N A NA
NA N A NA
NA,0 NA NA
NA NA M
NA 0 A NA A
01.10.1 3.0 A A
L I .I4hi0l Il0". NA NA NA NA NA NA NA
0.U-N. NA NA NA %. NA NA NA
11101 NA 3A A NA 1A NA
I NA
0 N0 I .l I NA.I..
111"~lO 11 I
O-04II .0I.. .A.I. A NA A A i
i i..04 A
0I 54 NA ". NA NNA
NA N NA N NA
1.100 NA NA NA
.10 NA
.14.N..10? 3. 10 1 N 1
F*. t L
0o N 1.10110 3 NA 1A10A
NA NA A NA NA
N . 04 N A N A
NA NA NA NA
N A
l.10.I0 .l 0|OI
IV- $1toAHo
NA -A" NA NA NA NA NA NA N" NA
1.l04 NA NA NA NA NA NA NA NA NA
t 0.10"1.10.' NA NA
• lli01l.
.W
PO. ..
00.-II
NA N
NA NA NA NA NA AA NA NA NA
NA NA NA NA Ne NA NA NA
01 NA
WA
1 /1.NA i10.0
0. ION I0 N. 1.04 I 4.4.4

A .10"- 3410N
P i01 4 5
IZ . 10
4
NA NA NA NA NA NA
N NA .3A1Q104NA NA NA
NA113.10'N NA NAMA NA NA
N 4.3A5N3,N Ni0 NA" NA.
1.1.0 * . .16.4 2. 0 140NA
303.0NA
Im ]U•NM1.14410 "'.iS
.0 3 41 .
iN NIN
NA- - - - -
- -YR -8 PIA -A
NA NA NA NA NA NA NA NA NA NA
N104 111
C_~4- L-k & .,Sw NA1 NA NA' NA NAO NA NA NA
0 0 .101M.
1.,14144 3.1013.1100
,&NA NA 10
3
NA NA NA NA NA NA OK
NA NA NA NA U3 NA NA
NA 0 00 NA N4A NA NA
g..04 3.104 N"0~ 1.1 NA
0 • L 4 3 10.4l13N ,.. * l ,.,I
,I m"mk
-MA -
NM A - -N.A
- NA M - A- 1%
k ý
N kA
NA NAM NA N -.
iNANA0 43 - NA- NA
04s
NA 3,304 1.10 3.10A- NA
CNNS-oS 0410,
I3Memo
1.-i./N.4 310 1A1011.10.0
1,1 110 0' 1
3.0 1111
1.- 0
N N A N A A N A
100
A NA
NA NA
N.. .0
NA
NACp 4.&3 N
.104 A N.N A N A
NA AA NA A NA NA NA NA
3. ,04 NAtw NA NA NA NA NA
4 . .104M/ ' w&3
we NA NA
A NA N A NA NA- A A NA kA0 1.10

A 130. NA NA A A NA NA N N
3fA~V 3~93 .4434 A
3344.34
Table IlI 2-1 (Sheet 1 of 2)

111-7/B
TA1LE II124 (Continued)
.. ] ,."I,
101 31
NA
11
I N. .A
. 1~ 1 A
I NA 1 lw3
1 42
NA
4 1 4.441
NA NA NA
41,
14
.A "A
NA 3 NA NA
.I.-4-
I-e,
3.104M9 1 g4l. ,&3A-I 3.W 1~Z.,941 4..,3 .... 1 1 -a' N

P- I-i-.. I- -4-4-- - - - +- 4- +- + -1-4-- -
- I-
9
-i-I-I- I-- - t- -
I .
-
NA A
- -
NA
-
NA N*A "A NA INA NA NA
NA
04.7
-1.14414 i .1 0
7l-we'
0
N I NA I l '13-04 1 j 2.104 1N 10 1 A NIA NA "A NA I A ..
NA I
NA NA NA NA NA NA A
INA NA NA NA N NA N NA NA NAN
2.,&00 j 2-03 0 NA NA
0* 1 o4w 3. 14,1" WS.204-.;0
CLUTCH _____ _____ NA -
NA - - N NA
NA NA NA
-o -0 NA NA I- -
flA -
NA NA --
NA A NA A NA NA NA NA-A NA NA NA N N NA
1.10C.1 -
2.3A104 -
.Inl4 -
*.103 -0 .1.o2 m..04 NA NA
N o..s..1owo. i, . . no
NA NAANA
P IANA
IA NA •A NA A NNA
1A NA A NA NA NA NA NNA
'4 21I0s-
., NA NA N N.Ai; NA N NA NA NA
ROD@
NOO[ 'N
10440 togwlwl
1
h lll
10"10 311 0--
4
NA NA NA NA NA NA 7NI0" 3,104 2014
1.10 A.1SA NA NA NA NA 1.10 NA 2.10'
wv$ .. 0, Il'04 1.i04 NA 21.10"4 1.104 .10
mm 3. 1041 I •• 2.104,0
WII-- .0 1
NA NA NA NA NA NA NA NA & 1.0 1,04
3,144 1.104 NA NA NA NNA N.10
l.
1.1014 106 &.0.0 NA 6.104 2..o4 i.106
'01o01 pmA.MR. fl
mI.IO 3i.1 0 O--3.10 1.104)"R 2.106 2,10
NANA NA - MA N
NA - NA NA A A
.10N 4 NA NA1NA
NA Iu
A A NA NA Nw NA NA NA
,10. 1-0. 02 3l0,1 NA NA
F -••..mn -. iN2 l.0 h.1a2 .5NA
NA NA NA A 3.A NA NA NA 3*74"
NtA NA NA 1., ? 3.w?4
N"A w ,A NA
1.. .1'a, I I0"4 NA WOi0 U10,
:;C P. ..
0N 1.10"0 - .-O11041. 10-400 1.107 - - - - - I -
- - - - - - -
- - - - - - - - - - -
- - - - -
1
1il 2.10 .
A .NA NAw NA NA NA NA NA 6.10'
,o,.0 .A NA NA 2.10' A AN
.NANA A
0le
3,o- ,.m
N. NA A NA NA NA NA NA NA I NA 1.10
NA 1.A %A0 NA NA NA NA NA NA NA
... A0403.104-.1.10'" 104 I.104 .0 NA
NOINCCO..S
NA NA NA NA NA NA NA NA twe0l
IA. NA NA NA NA 7I NA NA NA -04
l.wa--4NN 310,0 NA NA
A .NA
- iCCN,
Fa.Ol 1W4/0 10 3
NA NA NA1 NA NAA A .10,
2I,7A
N NA NA NA NA NA NA
N.A NAl04 11. NA NA NA N
3.I A I0-] l .I0'l l 2.i0 1 .10'
.TNA : 07106Arn I.10',0
NA NA NA2.'0
A.0
M.2 C-IP4IOl NS
Y4IftT8M• .l00
.10, 2.IOS-2.I0' 3110'
0'3.1.02 O ~4~N
-100 .010" -. N0,; NA
A1.1 00 NA '.00
Nt2 N NA NA
ANA NA NA NA
1.0,
A NA
.0
NA NA NA NA NA A NA NA NA NA
NA N.,
3.1042 NA
NA A - NA A I . - l s-
-l-- .-- 0-- - - - , - -.
N- 10- A - A
1.10 3- I:0 -4 ly. "A- -..- '.103 3-10-
Clam" 3.0-.10-3 1-103M
NA NA NA N - NA NA . A NA NAAU
NA 2.1A' N0
A NAA
NA NA NNA
l 1'.
1 6 . 80 2.,0,
3 .0 .
11 61 . I IA 21100
3
SNIA K0 NS AJ
3. 10,7-)..04 NA 5.10, 1.10, way" HA 3.u10' 51041 NA NA NA MA NA "A llA &

2.10 NA NA NA
MA 10A.
I NA ~ NA NA • 410-11
g -• Gm.I
10
m A WA "A NA NA
M
NA 70"
We NA N& NA
NA H NA A NA NA
w11s 10 m
lwo--s1m
•/ -06O,0 NA NA NA
fwlilo ýb
NA A NA NA NA NA NA NA NA .0
NA N A NA NA NA NA NA
Ili0..I1t. I2.107. Nl0Q,
10, - MA -W
NA -A -A
w9 -.
Cil,0,N -A 0 A-A -.
-0 A 1A NA
3.03.0 0 -,0M -0 -.
01NOV1 N NA NA NA NA NA NtA NA '.0
NA NA NA NAO NA NA N.104 NA 'A
A .l0l NA NA NA NA
.'04'".
lNAEN 2.l.-2.104 1.10410 .0 110
1,0 0
NA MA NA NA NA NA NA .170,0
-IA
7 A NO NA NA NA 1A NA NA NA
. 10 .1a, 2.0 NA 1.103 A.NA h.t
NA
t% l 1
I.0"-A -.I00.1001 1 ,
NA NA NA NA MA104 NA NA NA 4,104
NA
NAMA NNA 2.10" NA NA NA 7.0
.'10Q4 .10 NA
N 2A" 4A N& NA NA N A NA NA N NA • NA NA NA
F O
OFMnClKI .010, 2.&l0"-321&14-A1,0, 7' NA .0 14
NA NA NA NA NA NA NA 1410'
06¢
I~q 310106111 l.10;. l. 100s ,I +,04,N 1.1041
NA NA A NA N NA NA NA NA
ANNA "N A NA NA NA NA NA NA
O10 . NA NA NNA
A..0 00
SOFLO .0"I0 3i104,.i100 l.10'
NA NA4 14¢_
1.104• NA NA N .0
NA NiA I..0 NA NA NA NA
NA NA NA NA NA NA 3.10
N
S I'mll pq i10,;4•o 31I0'•-1104 .,0 1.104I 1.1'
NA "A NA NA NA NA NA
N NA NA
NA NA NA N"NNA
NA NA
.404044m 1.10i-1110' 1.101 I.I NA NA NA NAA
mqn1"1 NA NA -A NA A NA
1. ~rp104,06 .1 0
4..0 .7.70 0A .. NA NA NA NtA NA .A NA NA "A
Table 1II 2-1 (Sheet 2 of 2)
111-9/10
TABLE Ill 2-2 COMPARISON OF ASSESSMENTS WITH NUCLEAR EXPERIENCE
Component/Primary Assessed Values Nuclear(a

Failure Modes Lower Bound Upper Bound Experience
Mechanical Hardware
Pumps
Failure to start, Qd: 3 x 10-4/d 3 x 10- 3 /d 1 x 10- 3 /d
6
Failure to run, X0 : 3 x 10-6/hr 3 x 10- 4/hr 3 x 10- /hr(b)
(Normal Environments)
Valves
Motor Operated
3 x 10-3/d 1 x 10- 3 /d
Failure to operate, Qd: 3 x 10-4/d 3 x 10- 4/d
5
Plug, Qd: 3 x 10- 5 /d 3 x 10- /d(c)
Solenoid Operated
3 .x 0- 3 /d
Failure to operate, Qd: 3 x 10-4 /d 3 x l0-4 /d 1 x l0-3
5
Plug, Qd: 3 x 10-5 /d 3 x 10- /d(c)
Air Operated 1 x 10- 3 /d

4
Failure to operate, Qd: 1 x 10- 4 /d 3 x 10-4/d 1 x 10 /d
5 /d(c)
Plug, Qd: 3 x 10- 5 /d 3 x 10
Check 3 x 10- 4/d

5 1 x 10-4 /d
Failure to open, Qd: 3 x 10- /d
Relief 3 x 10-5 /d
Failure to open, Qd: 3 x 10-6 /d 1 x 10~ 5 /d
Manuhl 3 x 10-4 /d
5 3 x 10-5/d
Plug, Qd: 3 x 10- /d
Pipe
Plug/rupture 3 x 10- 8/r
£ 3" diameter, X : 3 x 10-11/hr 3 x 10- 9/hr 1 x 10- 9/hr
> 3" diameter, X0: 3 x 10- 12/hr 1 x 10- 1 0 /hr
Clutches
Mechanical
Failure to engage/
disengage 1 x 10-4/d i x 10- 3/d 3 x 10- 4 /d
Electrical Hardware
Electrical Clutches
3 x i0-4/d
Failure to operate, Qd: 1 x 10- 4 /d 1 x 10-3/d
TABLE 111 2-2 (Continued)
Component/Primary Assessed Values Nuclear

Lower Bound Upper Bound Experience (a)
Failure Modes
Motors
4
Failure to start, Qd: 1 x 10- 4/d 1 x 10- 3/d 3 x 10- /d
Failure to run
(Normal Environments), 3 x 10-6/hr 1 X 10-6 /hr(d)
A : 3 x 10- 5/hr
0
Transformers 3 x 10- 7/hr 1 x 10- 6/hr

Open/shorts, A0
0 3 x 10- 6/hr
Relays 3 x 1-5/hr
3 x 10- 5/d 3 x 10-4/d -5
Failure to energize, Qd:
3 x 10 /d
Circuit Breaker 3 x 10 -4/d 3 x 10- 3/d -3
Failure to transfer, Qd: 1 x 10 /d
Limit Switches Sx 10-4 /d 1 X 10-3/d -4

Failure to operate, Qd: 1 x 10 /d
Torque Switches 3 x 10-5/d 3 x 10- 4/d

1 x 10-4/d
Failure to operate, Qd:
1 x 10-4/d
Pressure Switches 3 x 10- 5/d 3 x 10- 4/d
Manual Switches 3 x 10- 6/d 3 x 10- 5/d 3 x 10- 5/d

Battery Power Supplies

Failure to provide 3 x 10- 7/hr(e)
proper output, As 1 x 10- 6/hr 1-x 10- 5/hr
Solid State Devices

5 1 x lo- 6/hr
Fails to function, A00 3 x 10- 7/hr 3 x 10 /hr
Diesels (complete plant) 3 x 10-2 /d

Failure to start, Qd: 1 x 10- 2/d 1 x 10- 1 /d 1 x 10- 3/hr
4
-2
Failure to run, A0 3 x 10- /hr 3 x 10 /hr
0
Instrumentation 1 x 10- 6/hr
5
Failure to operate Xo0 1 x 10- 7/hr 1 x 10- /hr
(a) All values are rounded to the nearest half order of magnitude on the exponent.
(b) Derived from averaged data on pumps, combining standby and operate time.
(c) Approximated from plugging that was detected.
(d) Derived from combined standby and operate data.
(e) Derived from standby test on batteries, which does not include load.
Table III 2-2
111-11/12
TABLE III 2-3 COMPARISON OF ASSESSMErNTS I'ITH INDUSTRIAL FXPERIENCE
Active Mechanical Hardwarc

Component/Primary Lower Bounds ()Upper Bounds
Failure Modes Assessed Industrial(a) Assessed Industrial~a)
Pumps
3 3
Failure to start, Od 3 x 10- 4 /d 5 x 10-
5
/d 3 x 10- /d 5 x 10- /d
Failure to run, Y 3 x 10- 6 /hr 1 x 10- 7/hr 3 x 10-4/hr 1 x 10- 4/hr
(Normal Environments)
Failure to run, X.:
o
(Extreme Environment) I x 10-4/hr i x 10- 4/hr 1 x 10- 2/hr 1 x 10- 3/hr
Valves
Motor Operated
3 x 10-3/d
Failure to operate, Qd: 3 x 10-4/d 2 x 10-4 /d 3 x 10- 4/d 7 x 10-2 /d(b)
5
Plugs, Qd: 3 x 10- /d 6 x 10-5/d (a) 3 x 10-4/d (a)
Solenoid Operated
3
Failure to operate, Qd: 3 x 10- 4/d 2 x L0- 5 /d 3 x 10 /d 6 x 10-3/d
Air Operated
4 3
Failure to Operate, Qd: 1 x 10- /d 1 x 10-6/d 1 x 10- /d 2 x 10-2/d(c)
Check
5 4
Failure to open, Od 3 x 10" /d 2 x 10- 5 /d 3 x 10-4/d 3 x 10- /d
Reverse leak, X.:
7
1 X 10- /hr
7
1 x 10- /hr 1 x 10- 6 /hr 1 x 10-6/hr
Vacuum
Failure to operate, Qd: 1 x lo-
5
/d 1 x lO- 5/d Sx lO- 4/d 1 x 10- 4 /d
Relief
5
Failure to open, Qd: 3 x 10- 6 /d 1.4 x 10- 5 /d 3 x 10- 5 /d 3.6x lO- /d
Manual
5
Plug, Qd x lo- /d 3 x lO-4/d(d) 3 x 10-4/d 3 x lo-4/d(d)
Pipe
Plug/rupture, ).o:
3"1diameter 11 5 x 10-6/hr(e)
3 x 10 - /hr 2 x 10-9/hr 3 x lo-8 /hr
3" diameter 1 2 1 0 9 6
5 x 10- /hr (e)
3 x 10- /hr 1 x 10- /hr 3 x 10- /hr
Clutches
Mechanical
Failure to engage/ 1 : 10- 4 /d I x 10- 4/,d 3
disengage, Od: 1 x 10- /d 4 x 10-3/d
TABLE 111 2-3 (Conti-nued)
Component/Primary Lower Bounds Upper Bounds

Failure Modes Assessed Industrial? Assessed Industrial(a)
Clutches, electric
I x 1- 10 /d ! X !0-3/d
Failure to cperate, Q8 : 10- 4/d x 10- 3/d 4
10-3/d )
Motors, electric 10- 5 /d
I 7 ! 10-3/d
Failure to start, Q S 10- 4/d X
X 3
Failure to run, given
start
(Normal environments),
0 110 5/hr 5 x 10- 7 /hr 3 x 10- 5 /hr I x 10-4/hr
Failure to run, given
start
(Extreme Environments),
A: 10-2/hr 2
0
* 104 /hr 10- 4/hr 3 3 x 10- !hr
Transformers 10- 6/hr

Open/shorts, ý0 * 10- 7/hr 10- 7/hr 3 I x 10-6/hr
0
Relays
Failure to energize, QG: x 10-5/d lo-5/d 3 10-4/d x
10 /dg)
Circuit Breakers 10- 5/d 10- 3/d

Failure to transfer, QG: x 10-4/a 3 3 X o-3 /d
Limit Switches 10-5 /d 10-3/d
x 10-4/d
Failure to operate, G : 7 x 10- 4/d
Torque Switches 10- 4/d

Failure to operateQd: X 10 /d 2 x 10- 5/d 3 Ix lo- 4 /d
Pressure Switches 10-4/d
5 ×In-5/a
Failure to operate, Qd: x 10-5 3 I x 10- 3/d
Manual Switches 10- 5/d

10- /d
Failure to transfer, Q.: S 3 10- /a 3 .7 x 10-4/d(h)
Battery Power Suppl:es
Failure to provide 6 X lo-6/hr
proper output, As S 6
/hr 1 x l0-'/hr
i x 10- 1 x 10- 5/hr
Solid State Devices

Fails to function, 3 x 10-'/hr 2 x 10- 6 /hr 3 x 10- /hr I x 0-4 /hr(i)
0
(Hi power applicat-on)
Fails to function, X : 5
I x 10-7 /hr 2 x 10-7/hr Ix 10- /hr 2 x 10-6/hr
(Low power applizatiSn)
TABLE III 2-3 (Continued)
Component/Primary Lower Bounds ()Upper Bounds

Failure Modes Assessed Industrial(a) Assessed Industrial(a)
Diesels
Failure to start, Qd: 1 x 102/d 1 x 10-3/d 1 x 10-1/d I x 10-1/d
osat d 04
-alr -4 -2 -3
Failure to run, AO: 3 x 10 /hr I x 10 /hr 3 x 10 /hr 1 x 10 /hr
0
(emergency loads)
Instrumentation 5
Ao: 1 x 10-7/hr 3 x 10- 7/hr 1 x 10- /hr 6 x 10-5/hr(j)
Failure to operate,
(a) Some demand values derived from data on continuously operating systems.
(b) Derived for values in high temperature sodium environment.
(c) Includes failures due to improper air supplies.

(d) These values derived from data on continuously operating system; only one
industrial source listed this mode.
(e) Due to the varying unit of pipe lengths in the different sources (per foot, per
section, per plant, etc.), the failure rates from the industrial sources have
extremely wide ranges. For detailed comparison of pipe failure rates see the
special assessment section of this appendix.
(f) This value obtained from high temperature liquid metal test reactor applications.
(g) Data from average of all modes of relay failures.

(h) Data from average of all modes of switch failures.
Wi) This value derived from experimental reactor experience.
(j) Data from chemical industry.
Table III 2-3
111-13/14
Section 3
Current Nuclear Experience
3.1 INTRODUCTION level, where actual f ailure incidents

were examined. With regard to the f ault
As an input t6 the range assessments, tree and event tree models, the inci-
current, commercial, reactor experience dents were examined to determine if the
was examined for component data. There general failure definitions in the
was a definite problem in obtaining us- models included such particular occur-
able data since reactor history has been rences. With regard to the data base,
recorded with little view toward the incidents were examined to see if
quantitative evaluations. Sufficient such mechanisms and causes were given
quantitative characteristics are not coverage by the total failure rate and
generally recorded for the failure oc- demand probabilities and their associa-
currences,, there is little categoriza- ted ranges.
tion and classification for statistical
.and behavioral (trend) evaluations, and The experience examined in these failure
there is little systematic storage of investigations included 1971-1973 reac-
the data for quantitative evaluation and
retrieval. tor incident files and operating occur-
rence reports (including certain perti-
Ha4 more accurate nuclear data been nent earlier failures), Nuclear Safety
available, the ranges that were assessed Information Center files, environmental
in the data base could-have had narrower reports, National Technical Information
values. Precise detailed component'in- Services files, RESPONSA information,
formation was not obtainable; instead individual published reports, and other
gross, averaged statistics were esti- pertinent sources. These sources are
mated. Because of the random variable included in the reference and bibliogra-
approach, however, the averaged nuclear phy listings given in this appendix,
statistics could be incorporated as im- with brief sumiriaries of their use. A
portant data for the assessed data tabulated listing is given at the end of
ranges. this section to show the nature of the
investigations performed and the
In the assessment proce'dure, involving cons iderat ions undertaken.
the study's data base, the assessed
ranges were compared with the nuclear
data values to ensure that the nuclear 3.2 NUCLEAR EXPERIENCE STATISTICS
data were consistent with the defined
ranges and that the nuclear values did Since experience history tended to be
not contradict the range assessments, more quantitatively deficient the earli-
er it was recorded, recent 1972-73 ex-
The averaged nuclear data values were perience was examined for the sample
obtained by examining operating history estimates of averaged statistics. In
of nuclear power plants and manually ex- particular, the one year period from
tracting data estimates, i.e., failure Jan. 1, 1972 through December 31, 1972
rates and demand probabilities, using was used to evaluate the summarized and
standard reliability evaluation tech- averaged nuclear data statistics, which
niques. Comparisons of the nuclear data in turn were used in the range
with the assessed ranges have been given comparisons and consistency checks.
in the previous tables. The evaluations Preliminary analysis of the experience,
performed to obtain the nuclear data consisting of the period in 1973 to
values are reviewed in this section. date, gave no gross differences compared
Sunmmarized listings also are provided of to the one year period sample.
the raw data employed in the evalua-
tions. Also given are certain addition- In addition to the averaged statistical
al trend analyses which were performed evaluation, detailed nuclear history,
in conjunction with the data estimation including experience earlier than 1972,
and which were considered in the. range was examined on an individual failure
assessments. In addition to the aver- level. As stated, the failure analysis
aged estimations that were performed, served as a check on the fault tree
which served as the basic data, other models and event tree models which had
investigations were performed in order been constructed. Analysis of the
to check model and data adequacy. These failure modes also served to check the
were done on an individual failure adequacy of the failure rates and demand
111-15
probabilities which had been definite. where
At the end of this section, a tabulated
listing is given summarizing the inves- nf number of failures observed
=
tigations which were done. Np=number of plants (17)
Nc average number of components
The tables which follow are self- per plant
explanatory. The 1972 experience, used
for the statistical analyses, was ob- T = observed (standby) time period
tained from the listings which have been (8760 hr)
recently assembled by the Directorate of
Regulatory Operations, Office of Since safety systems were examined, Nc
Operations Evaluation. The data listed is thus in general the average number of
are those reported by the utilities in components associated with the safety
accordance with Regulatory Guide 1.6 and systems in an individual plant. For
the Technical Specifications in the AEC each class of failure, Nc was estimated
license for the applicable reactors. based on average plant statistics which
constituted sufficient accuracy with
For the 19/2 time period, a total of regard to data resolution and assessed
approximately 700 failures and anomalies range widths.
were reported. Because of the constant Instead of failure rates, the failure
failure rate assumption, consideration statistics can also be expressed in
was restricted to those plants which had terms of failure upon demand probabil-
operated for the entire one year period. ities (or simply demand probabilities),
Also, only those failures which were
relevant to the data base categoriza- Qd, which were obtained by using the
tions were considered (i.e. safety rela- standard binomial estimate,
ted failures). The total number of
failures and anomalies evaluated was
then reduced to 303. d NpN cNT
Table 111 3-1 lists the 17 plants which

were operational for the 1972 one year where N and Nc are as defined previous-
period and which formed the data base ly and 9, is the average number of tests
for the evaluations. of the 17 plants, (demands) performed per component per
8 were pressurized water reactors (PWR) year. (The averaged demand probability
and 9 were boiling water reactors (BWR). has an additional factor of 0.5.
The table lists the number of failures Because of the half-exponent rounding
occurring, subcategorized into those procedure, this was not included.)
occurring while the plant was in standby
status and in operation status. The op- Tables 111 3-3 and 111 3-4 give the
erating times have been rounded to one failure rates and demand probabilities
year, which is sufficient for the accu- for pumps, piping, control rods, die-
racies being considered. sels, and valves, using the above formu-
las and the summarized failure statis-
tics in Table 111 3-2. Standard proce-
Table 111 3-2 categorizes the 303 fail- dures, such as chi-square evaluations,
ures into generic component classes and can be used to obtain approximate confi-
exemplifies the type of categorizaton dence bounds on the component estimates.
that was performed to obtain statistical Such bounds at 90% were in general of
estimates of averaged failure rates and the order of a factor of 3 to 10 in
demand probabilities. For these stati*s- width. These bounds are not particular-
tical estimates, further detailed sub- ly pertinent nor applicable since they
classifications were not performed since represent the spread on the averaged
the accompanying details were masked by estimate and do not account for the
the basic data uncertainties and were errors due to the averaging process
covered in the assessed ranges. itself (i.e., lumping failures of
different modes different component
pedigrees, etc.) .1
The averaged (standby) failure rate
estimates were obtained by using the
standard equation, in applicable form tshould be noted that these bounds
1
here:
are classical, confidence bounds and
are not random variable related (i.e.
nf for the classical bounds, the data are
treated as parameters and not random
5 NP NcT variables).
111-16
The estimates in Tables III 3-3 and Common mode failures, which involve
III 3-4 have been rounded to the nearest common causes, can be categorized in a
half exponent to conform with the number of ways. One such categorization
assessment scale used in the study was given by Williams (Ref. 1) and with
(i.e., 10-1.5 or 10-1, etc. giving 1 or certain modifications is used here.
3 as a significant figure for the fail- Four classes can be definedwith regard
ure rates and demand probabilities). At to gross system and component hardware
the end of this section is a tabulated effects:
listing of the failures used to obtain
the various averaged nuclear estimates
which served as input to the assessed a. Component Effect - A single failure
ranges. (The failures were also part of which causes a group of redundant or
those examined on an individual level similar components to fail.
for model checking).
b. System Effect - A single failure,
In addition to the averaged estimates, which can be a Single component
nuclear operating experience was used to hardware failure, that causes a
check relative orderings of the assessed defined system or combination of
ranges (highest failure rate, second systems to fail (entailing loss of a
highest, etc.). This ordering check defined function).
aided in determining whether the compo-
nent failure rates were properly as- c. Interaction Effect - A single common
sessed on a relative scale. mode failure or single hardware
failure, which causes a protection
The relative ordering investigations en- function to be required and at the
tailed an ordering of nuclear estimates same time renders that protection
and then comparing this ordering with unavailable.
the ordering of the study's assessed
ranges. The data used were those in d. Questionable Effect - As in general
Table III 3-2 and those listed at the with data analyses, there is also a
end of this section. Checks were made fourth class which contains those
on recent 1973 experience, revealing no failures with too little information
significant changes from the data al- for specific categorization.
ready used. With regard to absolute
failure occurrences from the nuclear In addition to effects, common mode
history, valves dominated, contributing failures involving common causes can
34% of the failures followed by instru- also be categorized with regard to their
mentation 16%, pumps 8%, control rods basic origin.
(all failures) 8% and diesel generators
7%. Miscellaneous and human failures a. Design and Manufacturing Cause -
formed the remaining contribution. Failures which are due to defects
These statistics were in general agree- and errors in design, manufacturing,
ment with those obtained from the quality control, etc.
assessed 1 ranges and fault tree
results. b. Human Cause - Failures which are due
to operator errors, testing, and
Finally, with regard to nuclear experi- maintenance errors and lack of
ence statistics, common mode surveys procedure.
were performed to investigate component
failure and dependencies in order to c. Environment Cause - Failures which
gain additional perspective on the ade- result from conditions and causes
quacy of the models and coverages given which are environmentally related,
to common mode effects. The surveys such as those beyond design
performed here served as checks on the environments.
common mode treatments of component
failures including the quantitative d. Hardware Cause - Failures which are
coverages given. (More details on the due to inrierent component failures,
model treatments are given in Appendix which may include "infant mortali-
IV.) ties" (burn-in failures).
e. Questionable Cause - Failures for
which there is insufficient
information.
IMore formally, from a statistical point
of view and when statistical tests were The aforementioned four group and five
performed, the nuclear data did not group categorizations are still somewhat
contradict (reject) the model results general, and overlappings can therefore
and data assessment values. exist, perhaps causing problems with
111-17
regard to uniquely classifying the e All main steam line high-flow
failure. However, the categorization is switches failed due to the use of
useful in general behavior and trend lead-base sealant in switch assembly.
analyses and when overlapping questions (B-5)
arose, judgement was made on the domi-
nant failure characteristic and the e Four flow switches failed because of
failure was accordingly classified. The a jeweled bearing, which supports the
classifications and indentifications of torque tube in each, became contami-
common modes have further impreciseness nated; the bearing housing was
due to data deficiencies; however, the redesigned. (D-5)
results were deemed sufficient for the
general, overview purpose used. * During the start-up from cold shut-
down, fuses in power supplies for IRM
Table III 3-5 shows a breakdown of the channels BD & F were blown; no cause
1972 experience into common mode and given. (D-5)
non-common mode ("random failure")
contributions by reactor. In general, o Three LPCIS delta pressure switches
of the PWR failures 10.5% were classed drifted out of technical specifica-
as common mode failures and of the total tion requirements (reactor at 100%
BWR failures, 11.1% were assessed as power). (D-5)
common mode. Thus approximately 10% of
the occurring failures were classified e With reactor at 85% power low-low
as common mode, and though this number reactor pressure switches drifted
is not precise it indicates an order of below technical specification limits.
magnitude type of contribution. (D-5)
The breakdown of the common mode

failures into the effect and cause
categories is given in Table III 3-6. e Water hammer in a cross-over line
The tabulation of the common mode caused tack welds in 11 hangers to
failures, is provided in the following break; heavier tack welds were
pages. The code in parentheses beside required to correct problem. (D-5)
each failure refers to the assessed
effect class (the alphabetic character) o Suction .and discharge valves to off-
and the assessed cause class (the numer- gas samples were left closed; the
ical character), where these characters procedure was changed and the valves
refer to those previously used in the were altered to make them "locked-
defined classifications. open" valves. (D-2)
The following are reported events which * Breaker interlock prevented one pump
were assessed to be common mode or to from starting on signal when the
have high potential for causing common other pump breaker is racked out.
mode effects. (A-2)
" The high flow isolation switches for e Ten valves failed to close following
the high pressure coolant injection test due to weak "torque switch tor-
system (HPCIS) drifted above the sion springs"; the weak springs, pre-
technical specification limits. vented the contacts to return to a
These switches were not of the lock- closed position. (D-l)
ing type. Installation of locking
switches corrected the problem. e Indicating lamps shorted out and
(A-1) actuated circuit breaker in power
line to motor and controller; used
" All low pressure permissive switches 24v in lieu of 120v lamps to solve
had drifted above technical specifi- problem. (D-5)
cation limits. Switches were changed
to locking type. (A-l) o Two reactor core isolation cooling
system (RCICS) valves failed to open
" Trip setting for emergency core due to inability of the 250v dc
cooling system (ECCS) was found to be breaker to pull in. (D-5)
too low because of absence of any
type of a locking device. (A-l) * During testing all four low-low reac-
tor water level sensors were found to
a Flow switches on two low pressure be out of adjustment. All had been
coolant injection system (LPCIS) calibrated by the same person. (C-2)
pumps failed due to breakage of
paddles; heavier duty switches * During testing of main steam line low
installed. (A-5) pressure switches, all 4 were found
111-18
set (and locked) below technical * Failure of an overpower rod stop and
specification limits of 850 psig. a reactor trip bistable resulted from
(D-2) an incorrectly sized zener diode in
the regulated power supply. (D-5)
" The magnetic mercoid switches for the
main condenser vacuum sensorb were " Pressurizer level instrumentation;
set too high. Sensing lines and three narrow range level transmitters
vacuum header piping contained en- were incorrectly calibrated. (D-2)
trapped condensate. (D-5)
" Six steam generator (SG) blow down
* All low pressure switches on main isolation valves failed to respond to
steam line found set below technical safety injection system signals.
specification limits after recent Temporary jumpers had been installed
calibration. (D-2) and technician failed to remove them.
(D-2)
" Two solenoid operated isolation
valves in torus sampling system * Linkages on six solenoid valves that
failed to close on signal. Dust ac- control main steam stop valves were
cumulation on valve intervals had sticking because of dirt accumulation
caused valve pistons to bind. (D-3) in the area of the plunger on the
solenoid. (D-3)
" The 2" check valves on HPCIS turbine
exhaust drain line let water into the * Zero settings for all narrow gauge
drain trap. Loose rust particles pressurizer level transmitters were
caused valve plugs to bind. (D-3) found 5% below indicated value; the
cause not determined, it could be
drift or incorrect calibration.
" The pump start permissive relay (D-5)
failed to energize because the relays
used were not designed for 125 dc " Cracks were found in welded joints of
operation, and the air gap on both both feedwater lines for steam
relays was too large, requiring ex- generators A and B; the investigation
cessive pull in voltage to energize is continuing. (B-5)
relay. (D-5)
" Water dripped into rod control 3.3 1972 OPERATING INCIDENTS USED
cabinets from main steam generator FOR'STATISTICAL ANALYSES AND
feedwater flow lines and grounded
control power to stationary gripper INDIVIDUAL FAILURE ANALYSIS
coil causing rods to drop into core. Listed on the following pages are one-
(A-l) line summaries of the failures incorpor-
ated in the statistical analyses. The
* With plant at 90% power 3 control figures cover a spectrum of severities;
rods dropped into core due to failure however, all were of sufficient magni-
of a multiplexing thyristor in the tude to warrant reporting as incidents.
movable gripper coil circuit. (D-l)
a. Control Rods
" Feedwater control valve (valve for
loop "C") failed, introducing feed- Control rod (CR) No. 19 failed to
water transients into primary system fall into crie during startup.
which resulted in a low pressure
transient, a reactor shut down, and CR No. 19 failed to drop fully and
initiation of safety injection system CR No. 18 dropped slowly.
operation. (B-5)
CR No. 19 failed to insert fully and
" During pre-operational testing of subsequent slow insertion time.
Turkey Point Unit #4 a design error
in Unit #3 caused a simultaneous ac- CR No. 19 fell from 90" to 24" fol-
tuation of Emergency Core Cooling lowing plant trip.
System for both units. (D-1)
CR inspection showed several missing
" In the emergency core cooling system, bolts and locking cups.
a leak in the upper diaphragm of a
pilot valve on the nitrogen pressure CR No. 19 hung up at 36" withdrawn
regulator caused the regulator to due to embrittled spiral pin.
close and the redundant regulator
could not maintain the overpressure. CR No. 20 hung up at 36.5" withdrawn
(C-5) during scram time measurements.
111-19
Four CR's dropped 150 steps into DG failed to start due to oil on
core and initiated load runback. distributor points.
Four CR drives latched at 6" with- DG failed to start due to oil lube
drawn due to dirt, broken carbon pressure switch setting drift.
seals.
DG failed to come up to voltage due
Three CR's dropped into core due to to failed exciter armature.
multiplexing thyristor.
DG malfunctioned due to improperly
Three CR's dropped into core due to connected plug at one of the termi-
multiplexing thyristor. nals.
CR drive stopped to 02 position dur- DG failed to start twice due to de-

ing scram, had to be manually driven fective air start motors.
in.
DG failed to start due to defective
CR failed to fully insert due to ex- air start motors.
cessive leakage across stop-piston
seals. DG startup terminated due to high
crankcase pressure.
CR drive 22-31 automatically scram-
med to the 02 position. DG shut down due to high crankcase
pressure. DG spurious trip due to
CR drive 22-31 seated at 02 position high crankcase pressure.
during scram due to excessive leak-
age across stop-piston seals. DG spurious trip due to high crank-
case pressure.
CR drive 22-31 seated at 02 position
during scram. DG spurious trip due to high crank-
case pressure.
CR drive malfunctioned due to failed
seat on stationary face. DG failed to start due to rust par-
ticles restricting bleed orifice in
CR drive No. 19 malfunctioned due to air relay.
primary coolant leakage.
DG failed to start due to dirt in
CR drive after scram following manu- pilot valve in the governor assem-
al scram apparently due to scored bly.
guide tube during CRDM repairs.
Output fluctuations of DG due to
dirty contacts in droop relay.
CR No. 26 failed to be withdrawn due
to open circuit on motor brake DG tripped during hot standby due to
wires. loss of fuel supply.
CR failed to stop; replaced 3 CRDM DG failed to take additional load

motors and retested fourth. due to mechanical blockage.
CR failed to withdraw due to brake DG malfunctioned due to high temper-
dragging. ature of engine cooling water.
CR failed to withdraw due to defec-
DG malfunctioned due to failure of
tive brake operation. the cooling radiator shutters.
b. Diesels
c. Instrumentation
DG No. 3 failed to start on remote
signal.
Low-flow scram signal failed to trip
DG failed to start during test. turbine.
DG radiator coolant hose tore loose Low-trip settings for condenser vac-
from recirculating heater outlet. uum below spec. due to water in
sensing line.
Propane engine-drive generator mal-
functioned twice due to dirt in Radiation monitor alarm due to un-
coil. known causes.
111-20
Both neutron-monitoring startup turbine load mismatch due to broken
channels failed due to faulty triax wire at connector to solenoid.
cable.
Isolation condenser flow switch out
Low-low reactor water level sensors of 7specification due to drifted set
were out of technical specifications points.
(TS).
Reactor pressure switches tripped
Line-break sensors hooked up back- above TS limits.
wards valving "B" isolation conden-
ser into service. Reactor-level switch tripped out of
TS limits.
"A" and "B" isolation condensers
failed to be activated due to gauge High-flux trip from pressure tran-
caught up scale. sient caused by plugged filter in
the pilot valve.
Air pressure in scram valve pilot
header lost due to de-energized LPCI low pressure switch switch
backup scram solenoid. failed to signal injection permis-
sive.
High flow differential pressure
switch failed. Water level trip point drifted below
TS minimum.
Scram-dump-volume level switch fail-
ed to actuate high level alarm. DP switch for high-flow steam supply
to isolation condenser failed.
Pressure bistable failed to de-
energize due to bad soldered joint. Reactor vessel high-pressure-scram
pressure switch tripped above TS
Two pressure switches for spray in- limits.
jection system (SIS) drifted above
TS limit of 350 psig. Time-delays in APRM logic tripped
above TS limits.
Low pressure scram switches in tur-
bine EHC control system drifted Level trip switch found out of TS
below TS limits. limits.
Low pressure switches on main Turbine lockout occurred due to in-
streamline (MSL) found below TS stabilities in the pressure regula-
limits. tor.
MSL low pressure switches drifted Position switch out of adjustment

below TS limits. for the clean-up system aux-pump
suction valve.
MSL low pressure switches trip set-
tings found below TS limits. Sensor relay to the logic cabinet of
CRD system found inoperable.
Switch in MSIV "hi-flo" circuit
rusted shut due to water drainage High temperature isolation set point
from room cooler. drift.
Flow switch torus-to-drywell vacuum
Two high pressure scram switch set- breaker failed in untripped condi-
points drifted above TS limits. tion.
Refueling interlock failure due to High-flow isolation sensor in main

limit switch failure as a result of steam line failed.
misalignment.
RPS relay for No. 2 turbine stop
valve failed to de-energize. APRM channels indicated lower than
actual core thermal power.
Instrumentation for initiation of
core spray and LPCIS - admission High-flow switch on isolation con-
valves found out of TS limits. denser found over TS limits.
Turbine control valve closure failed Low-pressure permissive switch set

to initiate scram for generator- points drifted above TS limits.
111-21
High steam-flow switch on isolation Containment isolation valve failed
condenser above TS limits. to close due to solenoid valve air
leakage.
Reactor pressure scram setpoint
found drifted out of specifications. Containment purge exhaust bypass
isolation valve air leakage due to
Low-pressure switch for ECCS found cracked yoke.
greater than TS limits.
Containment purge exhaust bypass
Pressure switch on MSLOB below TS isolation valve air leakage due to
limits. cracked yoke.
Off-gas monitor set point found in Main steam isolation valve (MSIV)
excess of T.S. limits. leakage due to pilot valve stem
misalignment.
Startup pressure channel failed.
Condensate return valve failed to
open due to burned out motor.
Main steam isolation valve failure

d. Valves due to AC control unit.
Core spray valve CS-lI failed to Main steam isolation valve leakage
open due to improper limit switch due to pilot valve stem misalign-
setting. ment.
Emergency condenser system valves Main steam isolation valve failed to
MO-101 and 102 failed to open due to close due to sticking pilot valve.
high torque switch settings.
Electromatic relief valve failed to
ECCS, SIS nitrogen pressure regula- reset due to foreign material in
tor upper diaphram pilot valve leak. valve seat.
Air-operated containment isolation Main steam isolation valve leaked.
valve failed to operate due to the
SOV-432 solenoid pilot valve fail- Main steam isolation valve leaked.
ure.
Suction recirculation pump valve
Emergency condenser condensate re- failed due to inoperable valve oper-
turn valve motor power supply break- ator.
er tripped.
Recirculation system valve leakage
Condensate return valve on emergency due to packing leakage.
condenser failed to operate.
Suction recirculation pump valve
Emergency condenser Limitorque con- failed due to damaged valve opera-
densate return valve failed to oper- tor.
ate.
MSIV closure due to pressure vessel
Containment isolation valve failed overfill and relief valve failure.
to close due to defective solenoid
valve SV-4876 in the controller. Safety relief valve relieved below
design pressure.
Loop "C" feedwater valve faulty.
Retainer valve leakage due to dam-
Discharge valve to the refueling- aged disc-retainer and valve-body
water storage tank failed due to threads.
excessive binding of packing and
stem. Feedwater check valve and air-
operated butterfly valve leaked due
Containment isolation valve in fuel to worn rubber seats.
pool/reactor drain line to radwaste
failed to close due to defective HPCI inboard steam isolation valve
solenoid valve SV-4876. failed to open.
Recirculation isolation valve failed Air-operated primary containment

to open due to over-torquing of sample return isolation valve failed
clutch shaft. to close due to physical bindinq.
111-22
HPCI motor-operated valve failed to Turbine control valve failed to
open due to valve jamming afainst operate due to faulty load-mismatch
seat. relay.
HPCI motor-operated valve failed to Primary containment rubber-seated
open due to burned relay coil. vent valve leaked due to cracked
seat.
LPCI valve failed to close due to
disconnected wiring.
Primary containment rubber-seated
vent valve leaked due to cracked
LPCI valve failed to operate due to seat.
tripped thermal valve motor overload
breaker.
Containment sump isolation valve
Main stop valve/control valve slow failed to operate due to incorrect
closure due to broken wire. mounting.
HPCI valve failed to operate due to

Air-operated primary containment broken disk.
sample return isolation valve failed
to close due to physical binding on MSIV failed to close due to binding
the valves. in latching mechanism.
No. I turbine control valve fast- failed to operate.
acting solenoid failed to actuate
due to contamination. Containment sump isolation valve
failed to operate.
Containment isolation valve leaked.
MSIV slow operation due to sticking failed to operate due to air leakage
pilot valve. past regulator.
Safety valve leakage. Feedwater control valve erratic op-

eration due to dirt in air supply.
No. 4 turbine control valve fast-
acting solenoid failed to actuate. LPCI valve failed to open due to
improperly adjusted position switch.
Inboard isolation valve failed to
close due to tripped motor overload MSL stop control solenoid valve
breaker. linkages fouled due to dirt.
HPCI electromatic relief valve fail- Power-operated relief valve stuck

ed to open. open.
HPCI steam valve in drywell failed Diesel generator solenoid pilot

to open during reactor startup. valve failed to open due to dirt
particles.
Isolation condenser valve failed to
open due to faulty valve operator. MSIV closed completely du e to
sheared pin in the linkage.
MSIV in "BI steam line failed due to
oil leak in fitting. MSIV closed completely due to
Inboard steam-isolation valve failed
to close due to tripped breaker. MSIV closed completely due to
HPCI electromatic relief valve fail-
ed to open due to scored disc. Power operated relief valve fjaiied
to close due to scored guide.
Vacuum pump suction valve failed to
close fully. Stop valve failed due to limit
switch setting.
No. 4 turbine control valve failed.
HPIC valve malfunction caused by
LPCI torus spray isolation valve plastic pipe cap oil hydraulic con-
failed to operate due to galling. trol system.
111-23
HPIC turbine control valve malfunc- Low-flow feedwater containment iso-
tion due to plastic pieces in pilot- lation valve leak due to cut seat
valve oil inlet. surface.
HPCI turbine exhaust check valve Main steam stop valve on SG failed
leaked. to close due to faulty, motor opera-
tor.
ECCS outboard head spray-isolation
valve failed to close due to adjust- Main steam isolation valve on SG
ment. failed to open due to short of
drive-motor windings.
Stop-check valve failure due to disc
rupture. Main steam stop valv'e failed to
close due to worn gear.
Containment isolation valve seat MSIV inoperable due to broken drum
leakage. on limit switch.
HPCI outboard steam isolation valve Limitorque valve inoperable due to
failed to close due to motor fail- broken support bearing for gear
ure. shaft.
HPCI exhaust check valve disc found Pump emergency primary makeup system
separated from valve hinge. steam-admission valve failure due to
linkage.
HPCI steam-supply isolation valve
failed to close due to packing leak- Relief valve failure in primary make
age. up system.
HPCI exhaust check valve disc rup-
e. Pipes
ture.
Desuperheating water line of the
Group I relief valve malfunction. secondary steam system failed due to
a crack.
Outboard main steam drain isolation
valve failed to close due to loose Reactor vent line failure due to
mounting screws. leaky fitting of reducer nipple.
Recirculation pump discharge valve Drain line from coil of second stage
stuck due to damaged threads. reheater failed due to cracks at
weld edge.
Relief valve "A" failed to reseat
due to rust particles lodged across Bent line to MSIV weld failure due
valve orifice. to cracks as a result of excessive
line motion.
Relief valve failed to close due to
deposits on second-stage piston ori- Discharge line of the emergency
fice. service water pump failed due to a
rubber expansion joint rupture.
Primary system relief valves re-
placed due to spring problems. Recycle line to the floor drain
system leakage due to erosion of the
Safety relief valve failed to oper- carbon steel elbow.
ate due to drift in setpoints.
Small indentations on piping.
Safety relief valve malfunction.
Defective fittings on the feedwater
Torus-to-drywell vacuum-breaker flow DP cell.
valve problems due to binding in
valve operators. Hanger tack welds failed as a result
of water hammer in the cross-over
Air-operated vacuum-breaker valve line.
boot seals found depressurized.
Atmospheric control system 18"
Air-operated vacuum-breaker boot header cracked.
seals found depressurized due to
excessive clearance between actuat- Carbon steel elbow leaked downstream
ing arm and pilot valve. of steam-trap.
111-24
f.. Pumps Feedwater pump failure due to over-
heating of hydrostatic bearings.
Shaft thread wear on the feedwater
oil pump. Charging pump secured due to crack
in sbcket weld.
Excessive steam leakage past the
control slide valve. Recirculation pump failed due to
seal leak.
Primary coolant leakage due to pump
seal leakages. Sample pump "A" removed from service
due to faulty motor leads.
ECCS core spray pump failed due to
circuit breaker binding and burned
out check switch contacts. 3A INDIVIDUAL FAILURE ANALYSIS LISTING
Fire in oil supply line to turbine Listed here are investigations and con-
driven feedwater pump. siderations that were given to incidents
that have occurred in nuclear operating
ECCS core spray pump failed due to experience. The tabulations are a sam-
circuit breaker misalignment and ple and serve to illustrate the type of
burned out latch-check switch con- analyses that were performed in checking
tacts. the fault trees and calculations against
actual, individual failure experience.
ECCS containment-spray pump start In contrast to the previous statistical
failure as a result of corroded analysis of the incidents, the incidents
breaker contacts. in this phase of the analysis were exam-
ined in a more individual engineering
manner for model checking purposes.
Pump failed to operate due to faulty
interlock. 1. Connecticut Yankee Atomic Power Co.
(Connecticut Yankee) #96
Pump in SIS loop failed to start due
to improper wiring. a. Problem. During a routine op-
eration inspection several
LPCI pump failed to start due to seismic support hold-down bolts
intermittent breaker contacts. on the sliding supports for the
steam generators were. loose.
Standby sampling pump inoperative Subsequent investigation found
due to fouled oil lubricator. eight bolts broken and fifteen
others suspected of being
Sample pump tripped prematurely. broken. There are a total of
256 hold-down bolts on the four
Excessive leakage to primary con- steam generators.
tainment due to recirculation pump
"A" seal leakage. As noted by the incident report
this is the second instance of
Containment spray pump failed to significant bolt failure rela-
rotate freely due to galled impeller tive to seismic supports.
ring.
b. Reactor Safety Study (RSS)
ECCS pump failure due to faulty Action. Questions related to
pump-start permissive relay. re-'-dequacy of the seismic
design for Category 1 structure
Standby liquid control pump failed systems and components were
to develop sufficient head. investigated by the study on a
sample basis. The results of
Residual heat removal system (RHR) this work are reported in Ap-
pump failure due to ground fault by pendix X.
air deflector.
2. Consolidated Edison Co. (Indian
RHR pump failure due to upper gland Point 2) #49
seal overtightness.
a. Problem. Eight anchor bolts
Standby liquid control pump failed failed in tension and 1200 of
to develop sufficient head. the weld which joins the roof
dome to the tank wall of the
Sample pump tripped due to personnel condensate storage tank failed.
error. This tank provides the source
111-25
of make up water to the secon- some flow blockage within the
dary system. At the time of core and cause fuels to over-
failure the tank contained more heat. As noted in Appendix I,
than 31,000 gallons but less the study gave consideration to
than 80,000 gallons of water. potential consequences result-
(Design capacity is 600,000 ing from flow blockage.
gallons). Ambient temperature
was 200 to 25OF and the wind 4. Rochester Gas & Electric Co.
was from the east to southeast (Ginna) #53
with heavy gusts up to 35 MPH.
a. Problem. Dynamic stress analy-
b. RSS Action. Consideration of ses of the pressurizer safety
passive failures of the conden- valve installation in the pri-
sate tank and supply lines to mary system indicate higher
the auxiliary feed system has reaction forces during safety
been given in fault tree analy- valve discharge than originally
sis of the auxiliary feed sys- considered, preventing isola-
tem. tion in the event of a failure.
3. Duke Power Co. (Oconee) #51 The analyses also indicate that
an overstressed condition would
a. Problem. Twenty-one of the exist on virtually all of the
fifty-two inconel in-core in- 3" and 4" pipe and fittings
strument stub tubes (0.75 inch- between the pressurizer nozzles
ID schedule 160) that penetrate and the safety valves.
the bottom of the reactor ves-
sel broke off inside the ves- b. RSS Action. The PWR event
sel. The break occurred in the trees for small LOCA:
vicinity of the weld that joins
the stub tube to the bottom of " Specifically recognize the
the vessel. One additional failure possibility of safe-
stub tube had failed at the ty valve headers, inadver-
same location but was not com- tently stuck open safety
pletely sheared. Five addi- valves and relief valves.
tional tubes had failed in the
vicinity of the flow distribu- " Specifically define combina-
tor plate and several others tions of safety features
were bent at a point 2-3 inches (ECCS) that would be re-
above the seal weld. In addi- quired to operate in case of
tion a thermocouple guide ex- the pressurizer vapor space
tending from the top vessel LOCA.
head had failed and one accel-
erometer used in measuring vi- " Have numerical estimates on
bration had become detached. the failure probability for
such ECCS combinations as
Pieces of the failed stub tubes would be required for the
were found throughout the reac- vapor space LOCA, since such
tor coolant system, ranging in a LOCA could cause unique
size from small buckshot to ECCS actuation characteris-
pieces approximately 2" in di- tics which are also recog-
ameter. This caused extensive nized and considered in the
damage to the tube sheet and RSS event trees.
tubes in steam generator "A"
and lesser damage to the tubes 5. Consumer Power Co. (Palisades) #55
projecting above the tube sheet
in generator "B". a. Problem. During inspection of
the primary side of Steam
b. RSS Action. Failure of the in- Generator "B" a foreign object
core tubes caused loose parts believed to be the head and
to occur within the reactor "shoulder of one of the bolts
coolant system (RCS). In this which lock the ring shim in the
particular case, which involved upper guide structure assembly
the first of a line of vendor was found. The bolts were 304
plants, the hydraulic design SS 2 1/4" long with a nominal
deficiencies were found in ini- 1/2" thread and a 3/4" x 1"
tial plant operations and cor- shoulder. Preliminary metal-
rected. The occurrence of lurgical examination indicates
loose parts within the RCS the failure mechanism as fa-
could potentially result in tigue.
111-26
b. RSS Action. Refer to previous 8. Consolidated Edison Co. (Indian
comment on item 3 (incident Point) #65
51).
a. Problem. Removal of the entire
unirradiated core from the
6. Consolidated Edison Co. (Indian reactor vessel. The core con-
Point 2) #57 and #59 sists of pressurized fuel rods
which have experienced cladding
a. Problem. Mechanical binding of collapse during long term irra-
three control rods during test- diation. The collapse of the
ing at operating temperature cladding has been attributed to
conditions were experienced. densification of the pellets
Apparent cause of this incident after prolonged service.
is attributed to a guide sheath
undersized condition. Boro- b. RSS Action. The impact of fuel
scopic examination revealed densification as it concerns
evidence of scratching, metal fuel cladding temperature mar-
galling and conditions that gins during plant accidents and
have the appearance of weld transients is covered in the
splatter. AEC's licensing process and by
the AEC's acceptance criteria
b. RSS Action. This type of fail- for the design and performance
ure contributed to the data of emergency core cooling sys-
base for control rod failures. tems. These analyses establish
The fault trees also identify conservative thermal margins
mechanical binding as a possi- for full performance where den-
ble failure mode for components sification is significant.
where appropriate.
9. Georgia Power Co. (Hatch #1) #52
7. Virginia Electric Power Co. (Surry-
1) 163 a. Problem. Flaws discovered at
two recirculation inlet nozzles
a. Problem. While attempting to of the Reactor Pressure Vessel.
control the reactor primary On one nozzle a crack having an
coolant temperature by venting approximate dimension of 0.6
steam from the secondary side inches in the through-wall di-
of the steam generators to the rection, located in the heat
atmosphere, the operator at- affected zone between the weld
tempted to open the three atmo- metal and vessel plate materi-
sphere steam power relief al.
valves; however these valves
failed to open. An attempt was b. RSS Action. This particular
then made to initiate venting type of incident is accounted
through the back up decay heat for predicting the probability
release system. When the decay of pressure vessel failure.
heat relief control valve was
opened, the valve discharge 10. Commonwealth Edison Co. (Quad
nozzle (4 1/2" OD) disengaged Cities 2) #56
from the exhaust vent as a
result of the initiating reac- a. Problem. Failure of four pipe
tion force permitting the re- hangers that support the 24N
lease of secondary steam to a ring suction header located
small room of the turbine outside of the pressure sup-
building. pression pool (Torus).
b. RSS Action. This condition was b. RSS Action. Failures of this

considered as a contributor to type were examined to assess
the failure of the auxiliary their contribution to pipe
feedwater system since the pos- failure data. Failure of the
sibility of steam discharge header appeared as a potential
into the room where the secon- failure mode of the vapor sup-
dary safety/relief valves are pression system.
located, could interact with
the auxiliary feedwater system 11. Commonwealth Edison Co. (Quad
which could be needed to con- Cities 1) #58
trol plant heat removal follow-
ing such high energy line a. Problem. The rapid closing of
breaks. two-circulating water system
111-27
reverse flow valves caused the 13. Commonwealth Edison Co. (Quad Cit-
rupture of an 8 foot diameter ies 2) #62
rubber expansion joint in the
discharge line. As a result of a. Problem. A fire in a cable
the failure approximately tray resulted in the loss of
600,000 gallons of river water "B" recirculation pump and
entered the turbine building. erratic indication on some of
The flooding of the turbine the control room process in-
building resulted in the loss strumentation and damage to 24
of safety related equipment, electric cables. A controlled
i.e., cooling water pumps for reactor shutdown was initiated.
two of the three station emer-
gency diesel generators, all b. RSS Action. The routing and
four service water pumps for separation of safety system ca-
unit 1 residual heat removal bles in trays has been covered
system and the station seismo- in the common mode failure
graph. analyses.
b. RSS Action. Pumps, valves and 14. Commonwealth Edison Co. (Quad Cit-
other equipment associated with ies 2) #64
Engineered Safety Systems have
been examined as to their ele- a. Problem. The "B" recirculation
vations and physical locations pump tripped due to a problem
relative to important sources in the speed control unit.
of water and included in fault
trees where appropriate. b. RSS Action. This type of
transient is within the normal
12. Northern States Power Co. (Monti- plant operating capability.
cello) #61 However, this transient could
result in a demand for reactor
a. Problem. Loss of generator shutdown and is included in the
excitation caused a turbine data for initiating events for
trip and reactor scram. A the transient event trees.
group 1 isolation signal of
undetermined cause was re- 15. Commonwealth Edison Co. (Dresden 2)
ceived, resulting in the clos- #66
ing of the main steam isolation
valves. During the ensuing a. Problem. In service inspection
pressure transient the reactor (Radiography) of "B" main steam
reached a maximum pressure piping showed the main steam
level of 1140 psig. Relief flow restrictor to have failed
valves A, B, and C operated but at the weld securing the down-
relief valve "D" failed to stream cone. The loose cone
operate. The "A" safety valve lodged immediately upstream of
operated (1220 psig setpoint) the inboard MSIV.
and the thermocouple for the
"D" safety valve showed a tem- b. RSS Action. This weld failure
perature increase indicating resulted in a loose part within
that it may have leaked a small the reactor coolant system.
amount of steam. A high dry- Loose parts that might inter-
well pressure alarm was also fere with the operability of
received. The Emergency Core systems and components, e.g.,
Cooling systems, with the ex- valves, were considered in the
ception of the High Pressure fault tree analyses.
Coolant Injection system (HPCI)
which was isolated for surveil- 16. Commonwealth Edison Co. (Dresden,
lance testing started automati- 1, 2, and 3) #69
cally.
a. Problem. Failure of 40-50 feet
b. RSS Action. Relief valve fail- of the dike for the 1275 acre
ures have been identified as a cooling lake. Condenser cool-
failure event on the automatic ing water supply was transfer-
depressurization system (ADS) red to the Illinois river.
tree and failure of the HPCI
system to operate due to isola- b. RSS Action. Loss of pump basin
tion for surveillance testing water as been identified as a
has been identified on the HPCI failure event on the high pres-
fault tree. sure service water (HPSW) and
111-28
emergency service water (ESW) 20. Vermont Yankee Nuclear Power Corp.
fault trees. (Vermont Yankee) #73
17. Millstone Point Company (Millstone a. Problem. A fire occurred in
i) #70 the' station unit auxiliary
transformer following a turbine
a. Problem. Two of the four feed- trip and subsequent motoring of
water spargers contained cir- the main generator. Cause of
cumferential cracks in the the fire was apparent failure
vicinity of their attachment of mal-operation of protective
welds. One sparger crack ap- breakers for the generator and
peared to penetrate the full turbine.
wall thickness and was, at
least, one-half of the sparger
circumference in length. b. RSS Action. Failure of major
electric components that can
result in failure of the elec-
b. RSS Action. Cracks such as tric power system to engineered
these could potentially lead to safety features is • identified
failure of the spargers. The on the fault trees and in com-
sparger failur'e could lead to mon mode analyses.
loss of the feedwater system.
Failure of the feedwater system 21. Niagara Mohawk Power Corp. (Nine
is included in the 'transient Rile Point 1) #75
event trees. Operating data
were used to estimate transient a. Problem. Premature actuation
events with loss of feedwater. of a-safety valve resulted in
release of primary steam to the
18. Boston Edison Co. (Pilgrim 1) #71 containment drywell. A turbine
trip also occurred.
a. Problem. After experiencing a
flow-biased flux scram the b. RSS Action. Turbine trips or
operator manually opened one inadvertent safety valve actua-
relief valve to reduce system tions have been covered by the
pressure, the, valve failed to transient event tree analysis.
reseat. Approximately 10,000
gallons of water (primary) was 22. Vermont Yankee Nuclear Power Co.
discharged to the torus. (Vermont Yankee) #76
b. RSS Action. Operation of a a. Problem. Turbine gland seal
relief valve and subsequent failure while turbine was on
failure of the valve to close the turning gear caused a small
represent a small LOCA if the quantity of primary steam to
feedwater system fails to make- leak from the turbine seals
up the coolant inventory. The into the turbine building.
transient event tree analysis
included stuck-open relief b. RSS Action. This type of fail-
valves for both success and ure could potentially result in
failure of the feedwater system a reactor shutdown which is
to supply make-up inventory. accounted for in the transient
event tree analysis.
19. Vermont Yankee Nuclear Power Corp.
(Vermont xankee) 172 23. Vermont Yankee Nuclear Power Corp.
(Vermont Yankee) #77
a. Problem. An increase in stack
release rate was experienced a. Problem. Failure of a start up
while operating at 100% power transformer caused the loss of
(1593 MWT). Maximum release station electric power and a
rate reached was 20,000 UCi/ resultant scram. During the
sec. Reactor power was reduced ensuing primary system tran-
to 70% and release rate reduced sient three of four relief
to 18,000 uCi/sec. valves actuated but one could
not be verified to have opened
b. RSS Action. This type of due to a thermocouple malfunc-
incident pertains to routine tion.
effluent releases and is not
See comment for
relevant to the RSS study of
reactor accidents.
b. item Action.
RSS 14.
111-29
24. Vermont Yankee Nuclear Power Corp. 28. Boston Eidson Co. (Pilgrim 1) #87
a. Problem. Strike against Boston
a. Problem. While calibrating the Edison Co. by the Utility
pump speed control system an Workers of America (UWUA Local
increase in speed of one recir- 387).
culation pump occurred. The
ensuing transient resulted in a b. RSS Action. Not applicable to
primary system pressure in- the considerations defined in
crease and an increase in the the Reactor Safety Study.
stack release rate from 0.05
Ci/Sec to 2.5 Ci/Sec.
b. RSS Action. See comment for (Vermont Yankee) #89
item 19.
a. Problem. Lightning struck the
top of the ventilation stack
disabling one of the two stack
25. Millstone Point Co. (Millstone gas monitoring systems and the
Point 1) #80 area gamma radiation monitor.
The lightning also caused an
a. Problem. A manufacturing error explosion in the off-gas holdup
to provide a specified chamber system.
at the junction weld between
the control rod blade sheath b. RSS Action. See comment for
and the control rod blade lim- item 19.
iter casting could result in a
ledge that would interfere with 30. Commonwealth Edison Co. (Quad Cit-
fuel assemblies when the blade ies 2) #82
is within one inch of the fully
inserted position. a. Problem. A lightning strike
caused failure of a rupture
b. RSS Action. This anomaly does disc in the off-gas holdup
not appear as a fault condition
system.
on the fault trees because in-
sertion to one inch of full b. RSS Action. See comment for
insertion is deemed adequate. item 19.
26. Jersey Central Power & Light Co. 31. Commonwealth Edison Co. (Dresden 2)
(-Oyster Creek) #78 #83
a. Problem. A malfunction relief a. Problem. Explosion in the off-
valve caused a blowdown of the gas system while making modifi-
primary system following a re- cations.
actor scram. During the ensu-
ing transient one relief valve b. RSS Action. See comment for
failed to reseat discharging item 19.
50,000 gallons of primary
coolant to the torus.
b. RSS Action. See comment for
item 18. a. Problem. Lightning struck the
ventilation stack disabling
both stack gas monitors and the
area gamma radiation moni'or
27. Millstone Point Co. (Millstone 1) also causing an explosion in
#85 the off-gas holdup system.
a. Problem. During inspection of b. RSS Action. See comment for
the reactor internals, cracks item 19.
were discovered in the NE and
NW feedwater spargers. The 33. Iowa Electric Light & Power Co.
maximum crack was estimated to (Duane Arnold) #92
be 4 inches long and 1/32
inches wide. a. Problem. Possibility that the
fuel bundles have a manufactur-
b. RSS Action. See comment for ing defect in the lower tie
item 17. plate castings.
111-30
b. RSS Action. Defects of this Investigation revealed that an
type potentially involve con- adjacent control rod was in the
siderations pertinent to flow fully withdrawn position.
blockage and emergency core
cooling functionability. See b. RSS Analysis. Events such as
Appendices I and V. this one are not significant in
the overall accident analysis.
(Vermont Yankee) 497
39. Baltimore Gas and Electric Co.
a. Problem. Inspection of fuel (Calvert Cliffs) #67
bundles revealed cracks in 5 of
the fuel bundle channels. a. Problem. A concrete void in
the-area of the containment
b. RSS Action. See comment for vertical tendon bearing plates
item 33. on the inside rings was detect-
ed. One void has a depth of 12
35. Millstone Point Co. (Millstone inches encompassing a surface
Point 1) #90 area of 15 square inches ex-
tending to the proximity of an
a. Problem. Assembly errors which adjoining bearing plate. In a
led tothe inverted installa- second bearing plate a concrete
tion of some control rod void 6 inches deep over a
blades. surface area of 10 square
inches with a crack at the
b. RSS Action. Analysis indicates bottom of the void.
that the fission process can be
adequately controlled event b. RSS Action. Lack of concrete
with blades installed in this consolidation and voids were
fashion. construction deficiencies iden-
tified during plant construc-
36. Boston Edison Co. (Pilgrim 1) #94 tion and prior to plant opera-
tion. This detection and
a. Problem. Inadvertent opening control is indicative of imple-
of the "D" target relief valve mentation of a program of qual-
and failure to reseat. ity assurance during the con-
struction phase. If this type
b. RSS Action. See comment for of deficiency had remained
item 18. undetected in contruction, it
could have affected the
37. Jersey Central Power and Light Co. strength of the containment
(Oyster Creek) #95 barrier if the containment were
subjected to high overpressures
a. Problem. During routine after a loss of coolant acci-
switching of electric loads to dent. Consideration was given
the startup transformer result- to the possible existence of
ed in temporary loss of elec- such containment deficiencies
trical power to essential in the study's estimation of
equipment due to an improperly predictable containment failure
set tap on a differential cur- pressures. See Appendix VIII.
rent relay.
b. RSS Action. The fault tree for 40. Virginia Electric and Power Co.
the electrical power system ASurry 1) #68
identifies faults which could
cause an outage of power to a. Problem. A bonnet gasket on a
safety system equipment includ- T14inch main feedwater line
ing operator error for wrong check valve failed releasing
set points. approximately 1000 gallons of
secondary system water into the
38. Vermont Yankee Nuclear Power Corp. containment building.
b. RSS Action. Data on gasket
a. Problem. During control rod failure and valve external
friction drive tests on one leakage are a part of the data
control rod with the reactor base where calculations have
vessel head removed, a scram been performed to predict
occurred from high flux levels. failure rates.
111-31
41. Yankee Atomic Electric Co. (Yankee) ferential current protection
#74 relay. This resulted to a loss
of all offsite power into the
a. Problem. Indications of bind- plant, and the contributing
ing uring operations of the fault was attributed to improp-
cruciform control rods prompted er grounding of protection sys-
visual inspections which re- tems for the main station
vealed two control rods had generator. The emergency on-
been displaced and that tie site power source (provided by
down bolts for the shrouds had two diesel generators) started
separated and were located on and operated the necessary
the vessel lower core support plant heat removal equipment.
plate. After about 3/4 of an hour
operation, a malfunction in
b. RSS Action. See comments under voltage regulator for one
item 6 regarding control rod diesel generator resulted in an
binding and under item 3 re- overload trip of both the
garding loose parts. emergency onsite power sources.
A momentary (about 1 minute)
42. Southern California Edison Co. (San interruption of the emergency
Onofre 1) #81 power source occurred as a
result of this common fault.
a. Problem. An earthquake with a
magnitude of 5.2 on'the Richter b. RSS Action. Considerations
scale was detected by seismic (through fault trees, event
detectors. No damage was re- trees and data application)
ported. were given to such types of
faults that could result in an
b. RSS Action. The Design Ade- interruption and loss of both
quacy portion of the Reactor the offsite and onsite sources
Safety Study checked the capa- of electrical power for the
bility of a plant to carry the plant. Assessment of the prob-
design stresses produced by an ability and consequences from
earthquake. See Appendix X. such an event as loss of all
electric power to a plant was
43. Florida Power and Light Co. (Turkey an important part of this study
Point 3) #84 effort.
a. Problem. Loss of power from an 45. Consumers Power Company (Palisades)

Exide inverter while instrumen- #98 and ROE 74-3
tation was in a 1 out of 2
scram logic condition causing a. Problem. Mechanical Vibrations
reactor shutdown and loss of of Reactor Internals. Inspec-
offsite power. tion revealed the following:
b. RSS Action. Analysis of this

type of incident is covered in 1. All expansion-compensating
the electrical power system ring bolts were found bro-
fault trees because the failure ken.
causes reactor shutdown. Tur-
bine trip has been evaluated 2. Measurements in the proxim-
for its contribution to loss of ity of the upper guide
offsite power to the plant. structure reveal that the
Its contribution to transient core support barrel is
initiating events is covered by nominally 1/4" lower than
the transient event tree. as-built drawings specify.
44. Southern California Edison Co. (San 3. The core support barrel
Onofre 1) #88 flange has worn a ledge in
the vessel flange permit-
a. Problem. While the reactor was ting the core support
shWutdown and maintenance was barrel flange to be verti-
being performed on one of the cally displaced.
offsite electrical sources for
the plant, the alternate off- 4. A groove approximately
site electrical feed to the 1/16" deep and 1/4" wide
plant was interrupted by the was worn into the reactor
inadvertent actuation of a dif- vessel head flange when the
111-32
compensating ring made appears to be associated with a
contact with the vessel fillet weld, joining the end
head. plate of the containment pene-
tration bellows assembly to the
b. RSS Action. Analysis indicates feedwater line.
this relates to ECCS functiona-
bility questions which are b. RSS Action. Pipe ruptures for
covered in Appendix V. all systems show on individual
system fault trees. Pipe leaks
46. ýFlorida Power and Light Co. (Turkey and ruptures are also covered
Point 3 & 4) #99 by the data base.
a. Problem.- Utility workers on 49. Virginia Electric Power Co. (Surry
strike with threats of sabotage 1) #103
of a main generator at the a. Problem. Loss of flow in the
plant.
UXAImain coolant loop due to a
b. RSS Action. Potential acci- broken pump shaft in Reactor
dents due to sabotage have not Coolant Pump (RCP) "A". The
been an explicit part of the break was 15 inches above the
Reactor Safety Study. impeller, between the thermal
barrier and the lower pump
47. Consumers Power Co. (Milford 1 & 2) bearing.
b. RSS Action. This event result-
a. Problem. Deficiencies in ed in a loss of flow in one RCS
Cadweld splicing of concrete loop. Such transients are
reinforcing bars. accounted for in the plant
design. Potential shutdowns of
b. RSS Action. See comment for the reactor are covered by the
item 39. transient event tree.
48. Consolidated Edison Co. (Indian 50. Duke Power Co. (Oconee 2) #106
Point 2) #102
a. Problem. The failure of a re-
a. Problem. A crack in the 18 actor coolant pump seal caused
inch feedwater line to steam leakage of primary water to the
generator #2 resulted in the floor of the containment build-
discharge of water and steam to ing.
the containment vessel. The
crack was not isolatable from b. RSS Action. Leakage due to the
the steam generator. The crack failure of a coolant pump seal
is located several inches is within the capability of
inside the containment vessel, normal RCS inventory make-up
is circumferential, extends ap- systems. The event trees con-
proximately one half the cir- sider small LOCA conditions
cumference of the pipe, and more severe than this event.
Reference
1. Williams, HAL., "Reliability Evaluation of the Human Component in Man-Machine

Systems", Electrical Manufacturing, 1958, 4, 78-82.
111-33
TABLE 111 3-i NUMBER OF FAILURES BY PLANT SHOWING FAILURES DURING STANDBY A•;D
OPERATIONS
1972
DATA
Months rours
Plant Oper. Oper. %
Reactor Type Standby Oper. Time Time Standby Oper.
Dresden 1 BWP. 1 2 12 8760 33.4 66.6

Yankee PWR 8 5 12 8760 61.5 38.5
Indian Point 1 PWR 7 12 12 8760 36.8 63.2
Humboldt Bay 3 BWR 5 7 12 8760 41.7 58.3
Big Rock Point BWR 4 3 12 8760 57.1 42.9
San Onofre I PWr 3 7 12 8760 30.0 70.0
Haddam Neck PWR 0 3 12 8760 100.0
Nine Mile Point 1 BWR 7 13 12 8760 35.0 65.0
Oyster Creek BWR 10 19 12 8760 34.5 65.5
Ginna PWR 1 5 12 8760 16.7 83.3
Dresden 2 BWR 8 20 12 8760 28.6 71.4
Point Beach 1 PWR 2 4 12 8760 33.3 66.7
Millstone 1 BWR 7 22 12 8760 24.1 75.9
Robinson 2 PWR 3 17 12 8760 15.0 85.0
Monticello BWR 10 34 12 8760 22.7 77.3
Dresden 3 BWR 4 22 12 8760 15.4 84.6
Palisades PWR 6 22 12 8760 21.4 78.6
86 217 204 148,920 xxxx xxxx
TABLE Il 3-2 NUMBER OF FAILURES BY PLANT COMPONENT/SYSTEM"
VR i w 1 14 0
0 P oin4 r-' 0 20 . 1
=4 U C 3 0 c U~ C E
Humbold1 U)3 1 524 w 12
Bg0o o' * 214
=.1 r 0244
nor 12 to X 4j $4 C 14 wM -M4 t 01
4' 0 4' 4' to U to 0 4j 4' C 0 w I . A >. M. U '
41e C C C wie 3 3 14 =
Reactor
M 0 0 0 w C 1 -4 0 044 W 0 4 20
m0 U in 0 w v3 w 0 H~ C A. a. 0. 0 E- E- : N. v
Dresden 1 1 2 3
Yankee Rowe 5 3 1 1 2 13
IndianPoint1 2 2 0 2 1 2 1 8 1 19
Humboldt Bay 3 1 2 1 1 1 3 3 12
Big RockhPoint 2 2 1 2 7
SanM nofre 1 1 2 2 3 1 1 10
Connecticut Yankee 3 3
NineMilePoints 2 1 1 1 8 4 3 20
Oyster Creek 1 1 2 5 4 3 1 6 3 3 29
Ginna 1 1 1 1 2 6
Dresden 2 3 11 10 4 28
Point Beach 1 1 1 2 1. 1 6
Millstonel1 1 12 2 2 1 3 1 6 29
Robinson 2 2 3 1, 1 1 7 1 4 20
Monticello 5 2 1 1 5 1 21 6 2 44
Dresden 3 7 1 115s 226
Palisades 7 3 1 3 1 9 3 1 28
TOTALS 2 0 23 1 21 3 4 4 7 48 14 11 2 7 1 3 102 24 26 303
TABLE III 3-3 NVERAGED FAILURE RATE ESTIMATES
(Rounded to nearest half exponent)
PWR FR COHtEINED
Component T NN
pc n.- ks/hr T Npcc
N nf Xs/hr T KP 1 nf Xs/hr
Pumps 8760 400 6 1 x 10-6 8760 450 18 3 x 10- 6 8760 850 24 3 x 10-6
Piping(a) 8760 280k 3 1 x 10 9 8760 315k 8 3 x 10 9 8760 595k 11 1 x 10-9
8760 400 4 1 x 10-6 8760 1350 2 1 x 10-7 8760 1700 6 3 x 10-7

Control rods(b)
-55
Diesels 8760 24 9 3 x 10- 8760 27 12 3 x 10 8760 51 21 3 x 10-
Valves 8760 2312 32 1 x 10-6 8760 1467 70 3 x 10-6 8760 3842 102 3 x 10-6
Instruments 8760 2560 6 3 x 10-7 8760 3042 44 1 x 10-6 8760 5613 50 1 x lo-6
(a) Failure rate given in units of per hour per foot, where 280k denotes approximately 280,000 ft.
(b) Failure rate per hour per rod, for failure to enter.
TABLE III 3-4 AVERAGED DEMAND PROBABILITY ESTIMATES

(Rounded to nearest half exponent)
PWR BWR COMEINED
T Qd nf p c T Qd nf P T
Component nf NpNc
Pumps 6 400 12 1 x 10-3 18 450 12 3 x 10-3 24 850 12 1 x 10-
Control Rods 4 400 12 1 x 10 2 1350 12 1 x 10 6 1700 12 3 x 10-
Diesels 9 24 12 3 x 10-2 12 27 12 3 x 10-2 21 51 12 3 x 10-2
Valves 32 2312 12 1 x 10-3 70 1467 12 3 x 10-3 102 3842 12 1 x I0-3
Instruments(a) 6 2560 1.5 1 n 10-3 44 3042 1.5 1 x 10-2 50 5610 1.5 3 x 10-3
(a) Average number of instrumentation tests obtained from histogram of test distributions for safeguard
instrumentation.
Table III 3-1 - Table III 3-
111-35/36
TABLE III 3-5 1972 FAILURE CATEGORIZATION INTO RANDOM VERSUS COMMON MODE
PWR BWR
Random Comnmon Mode Random Common Mode
Reactor Number Percent Number Percent Number Percent Number Percent
Dresden 1 3 100.0
Yankee Row 12 92.3 1 7.7
Indian Point 1 19 100.0
Humboldt Bay 3 10 83.3 2 1E.7
Big Rock Point 5 71.4 2 28.6
San Onofre 1 9 90.0 1. 10.0
Haddam Neck 3 100.0
Nine Mile Point 1 17 E5.0 3 15.0
Oyster Creek 27 93.1 2 6.9
Ginna 4 66.7 2 33.3
Dresden 2 24 85.7 4 14.3
Point Beach 1 4 66.7 2 33.3
Millstone 1 28 96.6 1 3.4
Robinson 2 18 90.0 2 10.0
Monticello 37 84.1 7 15.9
Dresden 3 25 96.2 1 3.8
Palisades 25 89.3 3 10.7
TOTAL 94 11 176 22
TABLE III 3-6 COMMON MODE EFFECTS AND CAUSES
PWF. BWR
(percent) (percent)
A. Component Effect 9.1 22.7

B. System Effect 18.1 4.5
C. Interaction Effect 9.1 4.5
1. Design, etc. Cause 27.3 13.6

2. Human Cause 18.2 18.3
3. Environment Cause 9.1 13.6
4. Hardware Cause ---- 6.3
(OTHERS QUESTIONABLE)
Table III 3-5 - Table III 3-6
111-37/38
Section 4
Expanded Final Data Assessment
4.1 JINTRODUCTION variations in the times required to

complete the act from plant to plant
Tables 111 4-1 and 111 4-2 in this sec- or situation to situation. Testing
tion present as a separate tabulation times include the time required to
the final assessed data base utilized in make the minor repairs incidental to
the study. The information is extracted the tests.
from the tables in section 2 and in-
cludes further elaboration on applica- Testing the pumps within the safety
bility considerations for safeguard systems requires isolation of the
related components. Except for pumps, pump under test in the majority of
the applicable environment for these cases. This results in a contribu-
tables consists of standard operational tion to unavailability due to pump
nuclear power plant conditions (as char- downtime. In general, the probabi-
acterized in the model descriptions). listic contribution is derived from
The assessed ranges cover variations the test act duration time which
which can occur in these environments. ranges (90%) from 15 minutes to 4
Pump failure to 'run, given successful hoursi under a log-normal distribu-
start, was also assessed for extreme tion.' From this range, the mean
temperature and pressure conditions test duration time (downtime) is
characterizing a severe accident. Table thus 1.4 hours (tD =1.4 hours for
111 4-3 gives additional data assess- test).
ments for post-accident conditions for
certain other components relevant to the Maintenance on the pumps ranges in
study. A discussion is provided for a duration from 30 minutes to several
component when further relevant details days. From this range the mean
are applicable. maintenance act duration tD is 37
hours. maximum outage during pow-
The tables contain the assessed ranges ered operation may be limited to 24
for the data, the median value of the hours on pumps other than those
range and the error factor. The range located inside containment. Use of
represents a 90% probability, or ("con- the 24 hour limit as an upper bound
fidence level"), associated with the gives a mean maintenance act dura-
random variable approach. The median is tion, (tD), of 7 hours. Pumps lo-
a reference value for the range; there cated inside the containment vessel
is a 50-50 chance that the data value is are permitted by specification to be
either higher or lower than the median down singly for a maximum of 72
value. The error factor is the upper hours during plant operation. The
limit of the range divided by the median associated mean duration time for
value. Since the median is the geomet- these particular pumps is tD = 19
ric midpoint, the error factor is also hours.
the median divided by the lower limit.
The values given in the tables are In general, the test period for
rounded to the nearest half exponent safety system pumps is fixed by the
value (i.e., 1 or 3 appearing as the specification at monthly intervals.
significant figure). Units for the data The test frequency is theref'ore ap-
are probability per demand, "d", or per proximately constant at 1 'act per
hour, "hr". month. The nominal test contribu-
tion to unavailability, OT, is the
4.1.1 NOTES ON PUMPS ratio of mean test act duration time
(tD), to test interval.
a. Test and Maintenance.
Generally, those test and mainte- tD
nance situations where an override QT= _#Hr~s7Month
feature can automatically return the
pump (or other devices) to opera-
tional status, given demand will
have no test and maintenance contri-
bution to unavailability. Distribu- 1
tions on test and maintenance act See section on test and maintenance
durations are used to account for data.
111-39
Non-routine maintenance ranges from sulation after exposure, possibly
monthly to yearly with a mean pump degrading pump performance given
maintenance interval of 4.5 montht/ survival of the initial 24-hour per-
act or a mean frequency of mainte- iod. To account for the potential
nance of 0.22 acts/month. The main- degradation, a failure probability
tenance contribution to unaVailabil- between normal and abnormal condi-
ity QM is a function of the tions is assigned with sufficient
maintenance frequency (f), mean associated uncertainties to account
maintenance act duration (tD), and for the possibility of deviations.
maintenance interval. The equation
for QM is given by the equation
4.1.2 NOTES ON VALVES
tD
oM - f x D/ a. Failure Modes.
Failure of a valve to operate
when tD is now the average mainte- includes changing state from closed
nance downtime. Substituting values to open or open to closed. Failure
into the above equations will give to remain open (plug) refers to
numerical values for QM. reduction of flow to an unusable
level due to foreign material or
b. Environments. gate failure, etc. Not included in
the data is the contribution for an
The safety pumps located outside inadvertent or false signal driving
containment are not likely to be valves closed. Instances of valve
subjected to abnormal environmental gates separating from drive stems
conditions in the event of the and lodging in a closed position
assumed loss of coolant accident (while the valve monitors continued
with the exception of a temporary to indicate open) have been reported
change in temperature and radiation in nuclear operating experience.
level of the pumped fluid. Since
these pumps are designed for such b. Test and Maintenance.
conditions, the assessments for
outside pumps are based on perform- Motor operated valve test act dura-
ance data from similar pumps operation times range from 15 minutes to
ting under design-conditions. 2 hours (90% range) with a mean test
time tD of 0.86 hours (log-normal).
The pumps located inside containment No downtime test contribution is
may be subjected to a much more obtained if the valve has a test
severe environment during the period override feature which automatically
from the accident to the time that returns the valve to an operational
the safety system can reduce the status given demand. The position
temperature, pressure, humidity, and monitors used on automatic valves
radiation levels to near normal. detect the position of valve drive;
This extreme environmental condition they do not determine flow or posi-
has a chance of subsiding within 24 tion of valve gate. Hence monitor-
hours. ing does not influence fault dura-
tion time for failure to remain open
The levels of the immediate post- (plug) failure modes.
accident environment cannot be de-
termined exactly, but conditions Valve outages for maintenance range
generally representative of the ac- from 30 minutes to several days with
cident were used in a series of pump a mean maintenance duration tD of 24
qualification tests for the inside hours. Maintenance acts on certain
pumps. These tests were non- valves may be limited to 24 hours
exhaustive. The results. of these during powered operations by speci-
tests and experience data from pump fication. Under these conditions
performance in test re.actors oper- the mean act duration time tD is 7
ating at extremely high temperatures hours. The mean maintenance act
were considered in making the as- frequency f is 0.22 acts per month.
sessments for pumps inside contain- Thus,
ment. Recovery to near normal envi-
ronmental conditions is likely to tD f
increase the probability of contin- M.' QM " M ,
ued pump operation. Experience and QT -
testing (Ref. 1, 2, 3, 4) have re-
vealed, however, some degradation in where tD in the first equation is
lubricants, bearings, and motor in- the test downtime and in the second
111-40
equation maintenance downtime. Sub- relay, or shorts to power (which could
stituting will yield the applicable effect power circuit) if these modes
numerical values for QT and QM. have a unique, individual effect on the
system.
c. Environments.
4.1.6 NOTES ON SWITCHES - FAILURE MODES
In general, valves within the safety
system operate on demand within a The data do not uniquely separate the
few minutes after the accident. causes of failure; hence the above
Hence degradation due to post- failure modes are not necessarily inde-
accident environments is deemed not pendent. Failure to operate includes
significant within the associated failure of contacts. In general, the
uncertainties. contact contribution should not be added
to the switch contribution to determine
4.1.3 NOTES ON PIPE - TESTING overall switch failure rate. As with
relays, when separate, individual ef-
Certain safety piping is tested monthly fects occur, individual contact contri-
during the tests on pumps within the butions can be computed (such as for
safety system. Certain portions of the multiple contact switches).
piping however are incapable of being
periodically tested except during the
initial tests prior to final licensing 4.1.7 NOTES ON BATTERIES - FAILURE
of the plant. MODES
Therefore the failure rate assessments The emergency dc power system involves
were applied to both standby pipes 58-60 series connected lead cadmium or
(safety) and active pipes (process) with lead calcium battery cells to form a 125
large uncertainties to account for the volt supply. Two 125 volt systems are
possibility of either extreme. The series connected to obtain 250 volts.
safety assessments are given in units of These batteries are constantly charged
per section per hour with a section by chargers and the open circuit output
defined as an average length between voltage monitored at regular intervals.
major discontinuities such as valves, The significant failure mode in this
pumps, etc. (approximately 10 to 100 arrangement involves failure to provide
feet). Each section can include several adequate output voltage under emergency
welds, elbows and flanges. See special load conditions. Failures by shorts to
assessment section of this appendix for ground or internal shorts within cells
more details. are likely to be detected quickly with
negligible resulting fault duration
4.1.4 NOTES ON MOTORS time.
In many instances, pumps and valves

within the safety system are driven by 4.1.8 NOTES ON SOLID STATE DEVICES
electric motors. Available experience
data do not permit separation of motor a. Environments. High power applica-
failure from pump failure. Therefore, tion is defined as application in
separate motor failure rates for pump circuits involving currents of 1
and valve drive motors should not be ampere or above and/or voltages - 28
included. The assessments above apply volts and above.
to those electric motors that function
independently of the pump and valves. b. Failure Modes. The available data
donot permit separation of the
4.1.5 NOTES ON RELAYS - FAILURE MODES causes of failure in all cases;
hence the above failure modes are
The available data do not completely not independent. Failure rates for
isolate separate causes of failure; shorts should not be added to rates
hence the above failure modes are not for failure to function unless
necessarily independent. For example, special consideration of short
failure rates for failure to energize failures is necessary due to unique
includes failure of the normally open effects on the system.
contacts to close. Hence relay and
contact failure rates in general should The relatively large error factors
not be combined together to determine on solid state device assessments
overall relay failure rates. Individual reflect the potential variation from
contributions, however, can be employed application to application. For
where there are individual, separate particular situations, a detailed
effects on the system. Examples are analysis could yield narrower
failure of contact of a multiple contact bounds.
111-41
4.1.9 NOTES ON DIESELS circuit consists of approximately 30
connections with approximately 20 of
a. Test and Maintenance. Certain spe- these connections comprised of lug ter-
cific tests on emergency diesel minals on terminal boards.
generators render the power plant
unavailable for use in the event of The data do not permit a unique separa-
a demand on the equipment. The tion of failure modes in all cases;
duration of these tests ranges from hence the failure modes listed for wires
15 minutes to 4 hours with a mean and terminals are not necessarily inde-
test act duration time tD, of 1.4 pendent. Probabilities for defective
hours. terminations should not in general be
added to wire probabilities to obtain
Maintenance acts on diesels range in overall circuit probabilities. Separate
duration from 2 hours to 160 hours. terminal board data are provided for
The mean maintenance act duration is those cases in which unique system
21 hours. If specifications limit effects exist.
the maximum diesel outage during
plant operation to 24 hours the
associated mean is then 13 hours. 4.2 SUMMARY OF POST ACCIDENT
ASSESSMENTS
b. Failure Modes. The demand probabil-
ities on failure to start involves Table III 4-3 summarizes the assessments
the complete plant including start- pertaining to leak failures of the con-
ers, pumps and fueling systems. tainment system, and the associated
Because of possible variance in the hardware in the post-accident situation.
redundancy of auxiliary equipment, At the time of a severe loss-of-coolant
the operational failure rate for the accident the pressure within the con-
engine is separated from the tainment system may rise to 40-45 psig
operational failure rate for the from normal operating pressures. This
complete power generator system. pressure rise is expected to be rapid,
but should subside in a few minutes if
c. Environments. These above data the safety system performs as intended.
apply to diesel operation in normal In the event of safety system failure,
environments. Diesels operating in the conditions may exceed the design
extreme weather conditions or with limits of the system. Those assessments
exhaust outlets near the intake air derived from data from hardware oper-
vents, etc., may have significantly ating within design limits apply only to
higher operational failure rates due conditions given safeguard system opera-
to the sensitivity of the system to tion.
intake air quality. These should be
assessed on an individual basis.
4.2.1 NOTES ON CONTAINMENT HARDWARE -
4.1.10 NOTES ON INSTRUMENTATION - TEST
FAILURE MODES
Normally the containment system is at or
The data for shift in calibration incor- slightly below atmospheric pressure with
porate a variation of drift magnitude. continuous monitoring of the internal
These data may be pessimistic if used containment environment; hence signifi-
for instrumentation with wide'opera- cant leaks occurring prior to an acci-
tional tolerance bands. In these cases dent should be quickly detected. The
individual assessment should be capability of the system to withstand
performed. high pressure is verified at three year
intervals by pressurizing the system to
The relatively large error factors asso- the design levels.
ciated with instrumentation assessments
reflect the wide variation in configura-
tion from application to application. 4.2.2 GENERAL DATA BEHAVIOR
For any particular instrumentation sys-
tem, a detailed analysis may be done to The assessments used in the study are
obtain narrower bounds. grouped and plotted in the following
figures to show trend and class behav-
4.1.11 NOTES ON WIRES AND TERMINAL ior. In the assessment process, these
BOARDS - FAILURE MODES types of plots were also used to help
check the overall consistency of the
The failure rates for wires are based on final data base.
a typical control circuit wire section
with soldered and lug connections to Figure III 4-1 is a summary of the
components and terminal boards. The relative failure assessments for seven
III-42
1 operational failure
classes of switching components. The The plots are in
assessments are plotted as demand rates per hour and are shown in decreas-
failure probabilities, and are shown in ing severity of the environment.
descending order of magnitude.
Figure III 4-4 is a summary of the
Figure III 4-2 is a summary of the demand failure probabilities for four
relative failure assessments for five general classes of hardware. Class 1
classes of valves. The assessments are
contains heavy mechanical equipment such
plotted as demand failure probabilities, as diesel generators; Class 2 electro-
and are shown in descending order of mechanical devices such as motors,
magnitude. clutches, etc.; Class 3 includes mechan-
ical devices such as pumps and valves;
Figure III 4-3 is a summary of the and Class 4 electrical equipment such as
assessments for the operational failure circuit breakers, relays, etc.
rate of pumps, given proper start for
three different environmental levels.
Figure III 4-5 is a summary of the gross
leak and rupture assessments for the
1 passive safeguard and containment asso-
The figures are at the end of the text. ciated hardware.
References
1. WCAP-7744, "Environmental Safety Features Related Equipment, Volumes 1 and 2

(NSSS Standard and Nonstandard Scope)," December 1971, J. Locante, E. G. Igne.
Non-Proprietary Class 3.
2. WCAP-7829, "Fan Cooler Motor Unit Test," April 1972, C. V. Fields. Non-
Proprietary Class 3.
3. WCAP-7343-L, "Topical Report - Reactor Containment Fan Cooler Motor Insulation

Irradiation Testing", July 1969, J. Locante (Westinghouse NES Proprietary Class
2).
4. WCAP-7396-L, "Safety Related Research and Development for Westinghouse

Pressurized Water Reactors - A Program Outline, Spring 1969," April 1969,
R. M. Hunt (editor). (Westinghouse NES Proprietary Class 2)
111-43
TABLE 111 4-1 SUMMARY OF ASSESSMENTS FOR MECHANICAL HARDWARE
Computational Error
Components Failure Mode Assessed Range Median Factor
Pumps
(includes
driver)- Failure to start
ixl0-3/d
on Demand , Qd 3x10-4 _ 3x10 3/d 3
Failure to run,
given start, AO
(normal environ-
ments)- 3x10-6 _ 3xl-4 /hr 3xl0 -5 /hr
Failure to run,
given start, A0
(extreme, post
accident environ-
ments inside
2
10
containment): l0- lxl 0- /hr ix10- 3/hr
Failure to run,
given start, a
(post accident,
after environ-
4 10
mental recovery]. 3x10-5 - 3xl0 3/hr 3x10 /hr
Valves
Motor
Operated: Failure to operate,
Qd (includes
-4 ix1O-3/d
driver) (b): 3x10 - 3xl0- 3 /d 3
Failure to remain xO-4/

5
4
open, Qd (plug) (c). 3x10- - 3xl0 /d >X10- /d 3
- xl0- 6 7
Xs. lxl0-7 /hr 3x10 /hr 3
7
Rupture, A5 . lxl0-9 - x10- /hr ixl0- 8/hr 10
Components Failure Mode Assessed Range Computational Error

Median Factor
Solenoid
Operated: Failure to operate.,
(d) : 3
3xl0_ 4- 3xl0 3 /d ix10- /d
Failure to remain
5 4
open, Qd(plug): 3xl0 - 3x10_ /d lxl0 4/d
9 7
Rupture, As: 1x10_ - 1x10 /hr lxl0 8/hr
Air-Fluid
Operated: Failure to operate,
3 3x10- 4/d
Od (a): lxlO _ 1x10 /d
Failure to remain I0-4/
0
open, d (plug): 3xl10 - 3x10 4/
7 3xlO-7 /hr
A: 1x10 - 1x10_6 /hr
9 7 ixl0- 8/hr
Rupture, AS: 1x10 - 1x10 /hr
Check
Valves: Failure to open, lxl -4/d
Od: 3xlO-5 _ 3xlO-4/d
Internal leak, Ao 3xl0 7/hr

7
(severe): 1x10 - 1x10_6 /hr
lxl0-8/hr
7
Rupture, AS: 1 9
lx0 - 1X10 /hr
Vacuum
Valve: Failure to operate,
Od: 5 4 3xl.0-5/d
1x10_ _ 1X10 /d
Manual
Valve: Failure to remain lxlO 4/d
0 5
open, d (plug): 3xl0 - 3x10-4/d 8
lxl0- /hr
9
Rupture, AS: 1x10 - lxl0- /hr
Relief
Valves: Failure to open,
5
Qd: 3X10-6 _ 3X10- /d ixl0- /d
Premature open,
6 5 5
A0 : 3x10 _ 3x10 /hr lxl1 /hr 3
Components Failure Mode Assessed Raroe Computational Error

C Median Factor
Test Valves,
Flow Meters,
Orifices: Failure to remain
open, Qd (plug). Ixl -_ l10- 3/d 3x10-4 /d 3
Rupture, X.:
s lX0- 9 - lxl0-I/hr Ix0-8 /hr 10
Pipes
Pipe 4 3"
dia per
section Rupture/Plug,
3xlG - 3xl0- /hr ixl0-9 /hr 30
Pipe 1 3"
dia per
section. Rupture/Plug.
s, X : 3x10 -12 3xlO-9/hr Ix10- 10 /r 30
Clutch,
mechanical: Failure to operate,
Qd(d) IxlO-4 -xl- 3/d 3xlO-4 /d 3
Scram Rods
(Single): Failure to insert, 3x10- - 3x10-4 /d xl0- 4/d 3
(a) Demand probabilities are based on the presence of proper input control signals.
For turbine driven pumps the effect of failures of valves, se.asors and other
auxiliary hardware may result in significantly higher overall failure rates
for turbine driven pump systems.
(b) Demand probabilities are based on presence of proper input control signals.
(c) Plug probabilities are given in demand probability, and per hour rates, since
phenomena are generally time dependent, but plugged condition may only be
detected upon a demand of the system
(d) Demand probabilities are based on presence of procer input control signals.
Table III 4-1
111-45/46
TABLE Ill 4-2 SUMMARY OF ASSESSMENTS FOR ELECTRICAL EQUIPMENT
Computational Error
Clutch,
Electrical: Failure to operate,
(a): Ixl0-4 - ixI0-3/d 3x10-4/d 3
Premature dis-
_
-xl0-7 lXl0-5/hr
engagement, Xo" lxl0 6/hr 10
Motors,
Electric, Failure to start,
ix10 -4 _ lxl0- 3/d 3x10 4/d 3
Qd (a):
Failure to run,
given start, X0
(normal environ-
3x10 -6 _ 3xl0 -5 /hr ixl0-
5
/hr
ment) :
Failure to run,
given start, X0
(extreme environ- lxl0 -4 1xl0 2/hr
ment): lxl0 3/hr 10
Relays: Failure to 3klO -5 3xlO -4/d -4

(a).
energize, Qd lxlO /d 3
Failure of NO
contacts to close,
given energized, xl0 -7 1x10 -6/hr
X: 3xl0 7/hr 3
0
Failure of NC
contacts by
Opening, given
not energized, 3xlO -8 3xlO -7/hr
A: lxl0 7/hr 3
0
Short across NO/NC
9 10
contact, X.: 1x10 - lxl0 7/hr lxl0- /hr
8 6
xl0- lxl0 7/hr 10
Coil open, A0: 1x10 -
Coil Short to
power, A0 : ixl0-9 - lxl0 7/hr ixl0-8 /hr 10
Computational Error
Circuit
Breakers: Failure to transfer,
4 3
Qd (a): 3xl0 3x10 3/d lxl0 /d 3
Premature transfer,
7 6
X: 3xl0 3x10- 6/hr lxlO /hr 3
0
Switches
Limit: Failure to operate,

4 3
Qd: 1x10 _ ixl0- /d 3x10-4 /d 3
Torque: Failure to operate,

5
Od: 3x10 _ 3x10 4/d Ixl0-4 /d 3
Pressure: Failure to operate,

5
3xl0 _ 3x10- 4 /d lxl0 4/d 3
Qd:
Manual: Failure to transfer,

6
Ixl0- 5 /d
5
Od: 3xl0 - 3xl0- /d 3
Switch
Contacts: -Failure of NO
contacts to close
given switch
operation, Ao0 lxl0-8 - lxl0 6/hr lxl0 7/hr 10
Failure of NC by
opening, given
no switch
9
operation, A.: 3xlO0 3xl0 7/hr 3xl0 8/hr 10
Short across NO/NC

9
contact, Ao : 1X10 ixl0 /hr lxl0 8/hr 10
Battery
Power
Systems
(wet cell): Failure to provide
proper output, As: lxl0-6 _ 1xl0- 5 /hr 3xl0 6/hr 3
Computational Error
Assessed Range Median Factor
Components Failure Mode
Transfcrrers: Open Circuit

primary or
secondary, )0* 3x10 - 3xl0 6/hr Ixl0-6 /hr
Short primary to
secondary, X0 : 3x10 -7 3xl0 6/hr Ixl0- 6/hr 3
Solid State
Devices, Hi
power Appli-
cations (diodes,
transistors,
etc.): Fails to function,
0 3x10-7 _ 3xl0-5/hr 3xl0 6/hr 10
Fails shorted,
-xl0-7
_ xl0-5/hr lx10-6/hr 10
x:
o
Solid State
Devices,
Low power
Applications: Fails to function,
a: ixl0-7 _ ix10-
5
/hr i!-6/h
lxl0-6/hr 10
Fails shorted: -xl0-8- ixl0-6/hr lxlO_ /hr 10
Diesels
(Complete
plant): Failure to start,
Qd: Ixl0-2 _ lxlD 1/d 3x10 2/d 3
Failure to
run, emergency
conditions,
given start,
A: 3x10-4 _ 3xl0 2/hr 3xl0 3/hr 10
0
Diesels
(Engine
only): Failure to run,
emergency con-
ditions, given
4
9tart, X.:
o 3x10-5 - 3xl0 3/hr 3xl0 /hr 10
TABLE III 4-2 (continued)
Components
C Computational Error
Failure mode Assessed Range Median Factor
Instrumenta-
tion - General
(Includes
transmitter,
amplifier and
output
device): Failure to operate,
lxlO-7 _ lxlO-5/hr
xo: x10- 6/hr 10
Shift in calibra-
6
tion, Ao: 3xl0- - 3xl0- 4 /hr 3xl0- 5 /hr 10
Fuses: Failure to open,

6 5 5
Qd: 3xi0- - 3x10- /d lx10- /d 3
Premature open,
7
Ao: 3x10- _ 3xl0- 6 /hr lxl0- 6 /hr
Wires
(Typical
circuits,
several
5
joints): Open circuit, A0: lxl0- - lxl0- 3xl0 6/hr 3
Short to ground,
8
Ao: 3x10- - 3xl0-6/hr 3xl0-6/hr 10
Short to power,
Ao: lx10-9 - xl0- /hr xl0-8 /hr 10
Terminal
Boards: Open connection,
xo: lxi0-8 - lxl0-6/hr ixl0- /hr 10
Short to adjacent
circuit, Ao: lxl09 - lxl0- 7 xl0-8/hr 10
(a) Demand probabilities are based on presence of proper input control signals.
Table III 4-2
111-47/48
TABLE III 4-3 SUMMARY OF POST ACCIDENT ASSESSMENTS
d Ra Computational Error
Component Failure ode (a) As Median Factor
Welds
(containment
quality): Leak, Xo(post
0
accident, serious): lxl0 - lxl0 /hr 3xl0 9/hr 30
Elbows,
Flanges,
Expansion
3oints
(containment
Cuallty): Leak, A0 (post
accident, serious): lxlO-8 - lxlO /hr 3xl- /hr 30
Gaskets
(containment
quality): Leak, X0 (post
accident, serious): lxl0 - ixl0- /hr 3xl0- /hr 30
(a) For assessments of containment system rupture probabilities, see the special
assessment section of this appendix.
Table III 4-3
111-49/50
o 10.2
I x10,3.
J 'l
I-' I-
,•0--_
-
6
I xi"
g -
FIGURE III 4-1 Relative Failure Rate

Assessments - Switches
.....I-
I x IOr3= | I I
i 1 x '.4 __
1x 10-4
1I~i0-r
I 10
5
lxlO
0"
FIGURE 111 4-2 Relative Failure Rate

Assessments - Valves
(1) Failure to Run Given Steels
(Extreme Post Acvident Envirornments)
(2) Failure to Run Givers Stant
iPost Accident Afte, Envronental
Reco-eyl
(3) Failure to RUtn Given Start
(Normal Eniron-ment)
'5
o
I t105
1 lo16
FIGURE III 4-3 Relative Failure Rate

Assessments - Pumps
Cias 3 Clas 4
Crt
S Ci
!2 i I
CI... t MaloiMrMava.
10.lOr CG..ri
t. sot EievrroMriiu
0la. 2
W.-vr Civiris ct
C'..s 3 Mctavl
Ctas 4 ElI-¢ctl
(Re.. a .i.. -.
S.stces. r I
i
I1
I . 0to -
1. tO0
FIGURE Il1 4-4 Demand Probabilities of

Classes of Hardware
ul 12
I I
FIGURE III 4-5 Leak and Rupture

Assessments for
Passive Hardware
Fig. III 4-1 - Fig. III 4-5
111-51/52
Section 5
Test and Maintenance Data
and Applications
5.1 INTRODUCTION test and maintenance teams; 2) analysis

of technical specifications (which
dictate the maximum allowable outages
Certain test and maintenance acts cause during powered operation) and; 3) review
effective removal of a component from of maintenance summary reports for four
the system, rendering it unavailable for operating plants.
some period of time. This unavailabili-
ty due to test or maintenance is a func- The contributions to unavailability were
tion of the test or maintenance act separated into test contributions and
duration time and the frequency of the maintenance contributions for four major
acts. The contribution to the unavaila- classes of components: pumps, valves,
bility can be written as: diesels, and instrumentation.
Q= f(avg acts/month) x tD (avg hrs/act) The bounds which were used to derive
720 (hrs/montlh) mean test durations for the quantifica-
tion formulas are given in Table III
where f is the frequency and tD is the 5-1.. The test act includes the minor
duration time (downtime). repair, calibration and reconfiguration
time that normally occurs as part of the
The duration time tD depends on several periodic testing during normal plant
factors including the component in- powered operation. Those tests that
volved, the complexity of the test or occur during refueling (and other plant
maintenance, the magnitude of repair, outages) do not affect system availabil-
contingencies which arise, etc. When ity. In general, testing of most safety
maintenance is performed non periodical- hardware occurs at monthly intervals;
ly, f is likewise dependent on similar i.e.e, f (the test frequency) = 1 and the
factors. The log-normal distribution average unavailability due to testing
was used to describe the variable nature is:
of these parameters, for the following
reasons (in addition to the general con-
siderations discussed in Appendix II): =tD
a. The general agreement found between

the log-normal model, and the avail-
able test and maintenance data. See where
Figs. 111 5-1 thru 111 5-4.
b. The positive skewed nature of the tD, average (mean) duration time
log-normal distribution, which is in
accord with the experience that the Maintenance summary reports from mill-
majority of acts are completed In stone 1 and Dresden 1, 2, and 3 for 1972
relatively short times, but that provided the data listed on Table III
occasionally circumstances require 5-2 for act duration ranges and mean
significantly longer times. values observed for major corrective and
preventative maintenance programs..
c. The capability of defining the dis-
tribution and its various parameters
from a knowledge of only the as- The data from which these values were
sessed ranges. The mean value is derived are shown plotted in Figs. III
pertinent for quantification of the 5-1 to 111 5-4, along with the theoreti-
unavailability, and can be obtained cal cumulative log-normal distribution
from whatever range is assessed, by derived from the sample mean and vari-
identifying the limit values with ance. The agreement between the model
the 5% (Xmin) and 95% (XSirax) per- and the data supports use of this dis-
centile values and using. the tribution as an adequate approximation.
relationships given in Appendix II. (Log-normal probability plots showed
similar adequacy in the log-normal fit).
Estimates of the maximum and minimum
values for the test act and maintenance From discussions with plant personnel,
act durations and frequencies were it was learned that minor maintenance
derived from: 1) discussions with plant and repair can occur quite frequently,
111-53
and involves short periods of time the model results were corroborated with
compared to the more major acts. Fur- the data. The average unavailability
thermore, the plant Technical Specifica- from maintenance data was calculated
tions restrict in many cases, the dura- from the individual act duration times
tion time that a component within the listed in the maintenance summary, which
safeguard system can be wout" for main- were summed over all the components of
tenance while the plant is in operation. that class for the year. This value was
Certain pumps are limited to 24 hour divided by the number of components of
outages, while others are limited to 72 that class in the summary plants to
hours. If the repairs cannot be com- determine an average maintenance act
pleted within the allowed interval the duration per year, and then this value
plant is placed in a "shutdown" config- was normalized by the number of hours
uration until they are completed. The per year to determine average unavaila-
maximum unavailability of certain bility, i.e.,
components in the event of an accident
is thus limited by these restrictions.
The maintenance act duration data for Duration of observed acts
most restricted components were there- Q (hrs/yr)
fore derived using 30 minutes and 24 or Qavg /Number of .Number i 'hr'r
72 hour limits. For diesels, because of [components) -(plants in) • (hs/yr
generally longer maintenance and looser \per plant \ summary /
restrictions, bounds of 2 hours and 72
hours were used. These limits and their
calculated log-normal means are shown on
Table III 5-3.1 The model results were determined using
the equation discussed earlier, i.e.,
Finally, frequency of the maintenance
act varies from monthly to yearly as
indicated by the summary reports; f tD
therefore, bounds of 1 month and 12
months were used as the 5 and 95 per- Q ' 2
centile points on a log-normal distribu-
tion to derive the maintenance act where tD and f are the log-normal mod-
frequency values. The mean interval is eled values previously given.
4.6 months per act with a range of 1 to
12 months per act. The mean frequency
is 0.22 acts per month with a range of
1.0 to 0.083 acts per month. UNAVAILABILITY
5.2 CORROBORATION OF THE MODEL Component Model Results Data Results

RESULTS
Pumps 2 x 10-3 2.5 x 10-3
To determine the capability of the
models to predict unavailability values, Valves 2 x 10-3 3 x 10-3
Diesels 6 x 10-3 1 x 10-2
1
Because of the specifications, the Instrumen- 2 x 10-3 8 x 10-4
distributions are actually truncated tation
and maintenance times greater than the
limit should be set equal to the limit. As observed, there is adequate agreement
The log-normal averages account for between the theoretical and raw data
these truncations. results.
111-54
TABLE 111 5-1 SUMMARY OF TEST ACT DURATION
Calculated
Range on Test Mean Test Act
Component Act Duration Time, Hr Duration Time, tD, Hr
Pumps 0.25 - 4 1.4

Valves 0.25 - 2 0.86
Diesels 0.25 - 4 1.4
Instrumentation 0.25 - 4 1.4
TABLE III 5-2 SUMMARY OF MAJOR MAINTENANCE ACT DURATION (RAW DATA)
Range on Maintenance Mean Maintenance Act

Component Act Duration Time, Hr Duration Time, tD, Hr
Pumps 2 - 400 37
Valves 1 - 350 24
Diesels 2 - 300 21
Instrumentation 1/4 - 72 7
TABLE I11 5-3 LOG-NORMAL MODELED MAINTENANCE ACT DURATION
Range On Mean Act

Component Duration Time, Hr Duration Time, Hr
Pumps 1/2 - 24 7
1/2 - 72 19
Valves 1/2 - 24 7
Diesels 2 - 72 21
Instrumentation 1/4 - 24 6
111-55/56
x 1
1.0 F
xx
0.a
I 0.68
0.4- x U P
K I
0.21-
0
S I I i 11.1
I , I e I
T I
til
#0
Hours to Rfpwir
FIGURE III 5-1 0,bserved Repair Times and Theoretical

Distribution - Pumps
VALVES
x
xVx
x
X
10 100
Hours To M"ir
FIGURE III 5-2 Observed Repair Times and Theoretical

Distribution - Valves
x[
I
zI
08
08
04 - xX II
1 10 100 1~00
How, To Roo...
FIGURE 111 5-3 Observed Repair Times and Theoretical

Distribution x[ -Diesels
X X
0&4
I I
0
x
IIII I~
0
0
x I
IB I
w 10 10 1000
HOurs To Rp-,
FIGURE III 5-4 Observed Repair Times and Theoretical

Distribution - Instrumentation
Fig. 111 5-1 - Fig. 111 5-4
111-57/58
Section 6
Special Topics
6.1 HUMAN RELIABILITY ANALYSIS events in terms of what it calls prob-

ability tree diagraming. Probability
tree diagraming is simply a form of
6.1.1 INTRODUCTION decision tree or event tree where each
step or branch indicates different human
The Safety Systems provided in nuclear actions possible, different environments
power plantq to prevent and mitigate possible, etc.
accidents are generally designed to
operate automatically during the initial
states of accident sequences. Informa- In the present study, the system fault
tion on the conditions in the reactor trees in Appendix II were analyzed as to
and on the operation of the Safety the human errors which were combined in
Systems during an accident would be the trees. In a number of cases, the
displayed at the control room and the human errors were relatively straight-
operator would be able to follow the forward, and values were directly
sequence of events but no direct human assigned from basic data considerations.
action would be required until the
accident is brought automatically under In other cases, when the human errors
control. There is, however, human in- were more involved, probability tree
teraction with the system in routine diagraming was used to decompose the
plant operation, testing and main- human error into constituent acts for
tenance. Furthermore human intervention which basic data existed or for which
would be required in case of malfunction values could be assigned from extra-
of automatic systems. Hence, human polations of basic data. Details of the
reliability needs to be considered in probability tree diagraming are not
safety system analysis. given for all the cases analyzed;
instead, sufficient information and ex-
As an extensive actuarial-type data base amiples will be given to describe the
does not exist for human reliability, general technique with data values used
the analysis involves a -significant and results obtained.
effort in estimation of the reliability
of human responses under emergency and 6.1.2 HUMAN PERFORMANCE DATA
normal conditions, and the influence of
stress, routine and, other factors on An actuarial data base for human error
error rates for various tasks. rates in nuclear power plants does not
exist. Although the AEC does collect
Whenever possible, data were obtained information on human errors associated
for human reliability in industries with abnormal power plant incidents, the
involving tasks comparable to those data are not generally in a form usable
found in nuclear power plants. For some for human reliability analysis. There-
cases data were obtained from military fore, in this study, substitutes had to
experience, with less similarity to be found for actuarial data. A first
nuclear plant tasks. Because the total data source consisted of human perform-
available data on the whole are somewhat ance data on tasks with similarity to
meager, human reliability analysis as nuclear plant operation, test, mainte-
applied to nuclear power plants is still nance, and calibration tasks. Such data
somewhat subjective. Nonetheless, the have been compiled for European nuclear
derived numbers are considered to be reactor operator tasks and also for the
sufficiently accurate for risk analysis process tasks found in petrochemical
purposes, with the error bands tending operations. The sources were the United
to cover the associated uncertainties. Kingdom Atomic Energy Authority (UKAEA),
the Danish AEC, and the Imperial
The human reliability analysis was Chemical Industries, Ltd. (ICI) of Great
performed to estimate the influence of Britain.
human errors on the unavailability of
various safety systems and components. The above sources, though relevant,
Several equally valid approaches can be suffer from lack of actual recorded
used to quantify human reliability, and data. Most of the numbers represent
the approach in the study utilized the estimates of human error rates based on
general features of the THERP Technique the judgment of technical personnel in
for Human Error Rate Prediction, a model the organizations mentioned. Some data
developed at Sandia Laboratories (Refs. from controlled studies have also been
1, 2). The model uses conventional obtained from the UKAEA (Refs. 3, 4) and
reliability technology, describing the ICI (Ref. 5).
111-59
A second data source consists of human vant available data an estimate of 0.2
error rate data from weapons production, to 0.3 is assumed as the average error
maintenance, and testing tasks with less rate for nuclear power plant personnel
similarity to nuclear plant tasks *than in a high-stress situation such as a
the above. These data have been col- LOCA. -Thi's estimate is based on the
lected by human reliability analysts at assumption that the perceived stress in
Sandia Laboratories. In using these a LOCA situation is comparable to the
data, the analysts had to judge their perceived stress in the two cases
applicability to nuclear plant tasks. studied, whereas it might, in fact, be
This judgment accounted for similarity lower. The human-reliability analysts
in perceptual, cognitive, and motor making this study have judged that the
aspects of the tasks. It is possible perceived stress would not be higher, so
for the equipment involved in the the range of 0.2-0.3 is to be considered
performance of two different tasks to be conservative.
physically different, and yet for the
psychological (behavioral) aspects of The average failure rate of 0.2 to 0.3
the tasks to be similar. can thus be used as a rough gauge for
average performance of nuclear plant
A particular lack of data for the personnel under extreme accident condi-
present study concerns the reliability tions. The value, of course, is simply
of nuclear power plant personnel after a a rough average value, and, to obtain
large loss of coolant accident (LOCA) more accurate evaluations, each particu-
has occurred. Since there is no histor- lar situation must be individually
ical precedent for this event, there has analyzed to assess the specific human
been no opportunity to see how these failure rate which is applicable.
personnel would react in the presumedly
highly stressful situation created by Other reported data on stress and human
such an occurrence. In the absence of behavior (Ref. 8) indicate that the
such experience, the best data available error rate for a task bears a curvi-
come from studies of man's behavior in linear relationship to perceived stress
other emergency conditions. level (see Fig. 111 6-1). That is, with
very low stress levels, a task is so
Two studies that merit mention here are dull and unchallenging that most opera-
both considered classics in the area of tors would not perform at their optimal
human factors. In one study by the level. Passive-type inspection tasks
American Institutes for Research (Ref. are often of this type and can be
6) critical incidents were collected associated with error rates of 0.5 or
from Strategic Air Command aircrews higher (Ref. 9). The average error
after they survived in-flight emer- rate of 10-1 assigned for less passive
gencies (such as loss of engine on monitoring tasks is based on data from
takeoff, cabin fire, tire blowout on the above reference and from reference
landing, etc.). The critical incident 10.
average error rate was 0.16; that is,
16% of the time the critical actions of When the stress level of a job is some-
the aircrews; in such stress situations what higher (high enough to keep the
either made the situation worse or did operator alert) optimum performance
not provide relief. levels are reached. But when stress
levels are still higher, performance
In the second study, conducted by the begins to decline again, this time due
Human Resources Research organization to the deleterious effects of worry,
(Ref. 7) Army recruits were subjected to fear or psychological responses to
simulated emergencies such as the stress. At the highest level of stress,
increasing- proximity of falling mortar human reliablity would be at its lowest
shells to' their command posts. The level, as shown .in Fig. 111 6-1.
recruits were exposed to these simulated
emergencies in such a way that they The curve form1 shown in Fig. 111 6-1
believed the situations to be real. As has been applied to various tasks in
many as one third of new recruits fled nuclear power plants in determining some
in panic, rather than perform the of the values in the human error rate
assigned task that would have resulted data base presented later in *this
in a cessation of the mortar attack. report. For example, the error rate in
These studies have yielded indications a typical walk-around inspection of a
of the devastating effects that very facility after maintenance is presumed
high stress levels can have on the to correspond to an inspector error rate
performance of even thoroughly trained,
reliable personnel.
In this study, based on the most rele- 1Alfigures appear at the end of text.
111-60
of 0.5 for a passive inspection task Sufficient data do not exist to
represented on the curve as performance determine empirically the exact shape
under a "very low" stress level. on the and spread of the distributions of human
other hand, it is judged that the normal errors which are directly applicable for
control room situation is sufficiently nuclear power plant tasks. Therefore,
demanding that performance should be estimates of the human error distribu-
optimal, considering only the effects of tion have been formed with the use of
stress. Performance after a large LOCA data from other sources.
is presumed to correspond to the high
error rate (low performance) end of the For the particular shape, a log-normal
curve, due to the effects of high stress curve was used in the study, based in
levels. part on a Monte Carlo analysis of human
performance data (analysis by
Following a LOCA, human reliability L. W. Rook, in Ref. 13) and on the time
would be low, not only because of the taken to respond to a simulated alarm
stress involved, but also because of a signal superimposed on normal tasks in a
probable incredulity response. Among nuclear power plant (Ref. 4). In these
the operating personnel the probability studies the human performance curve was
of occurrence of a large LOCA is be- found to be skewed, with more perform-
lieved to be low so that, for some ance scores tending towards the low
moments, a potential response would error rates and low response times.
likely be to disbelieve panel indica-
tions. Under such conditions it is Other studies have yielded curves with
estimated that no action at all might be shapes that differ in details, but in
taken for at least one minute and that general the performance curve is skewed
if any action is taken it would likely toward the higher error rates or re-
be inappropriate. sponse times. In view of the accuracies
required for the purposes of the study
With regard to the performance curve, in and the general insensitivity of the
the study the general error rate was overall results to the particular shape
assessed to be 0.9 (9 x 10-1) 5 minutes used, it is reasonable to assume the
after a large LOCA, to 0.1 (10-1) after log-normal distribution. Therefore, the
30 minutes, and to 0.01 (10-2) after log-normal distribution which was em-
several hours. It is estimated that by ployed in other areas of study was used
7 days after a large LOCA there would he for the human error distributions, i.e.,
a complete recovery to a normal, steady- the distribution associated with the
state condition and that normal error error ranges and spreads.
rates for individual behavior would
apply. Table 111 6-1 presents general human
error rate estimates derived from
There is an important exception to the existing data (as described above), as
shape of the performance curve de- modified by the independent judgments of
scribed. This exception would occur if two human-reliability analysts. These
the operators are called on to take some judgments were made after reviewing
corrective action after a LOCA and the information on nuclear power plant per-
time available to take this corrective sonnel skill levels, previous jobs held
action is severely restricted. One by these personnel, operating proce-
theory of human behavior under time- dures, and the design of the controls,
stress (Ref s. 2, 11) holds that the displays, and other equipment read or
normal error rate for each succeeding manipulated by the operating personnel.
corrective action doubles when an error The information was obtained in inter-
has been made in the preceding views with operating personnel, supervi-
corrective attempt or when the preceding sor, and engineering personnel at
action did not have its intended nuclear power plants, by observation of
corrective effect. Thus, if one starts control room, test, maintenance, and
out with an error rate of 0.2, calibration tasks at several plants, and
theoretically it takes only three more by a study of written materials and
attempts at corrective action to reach a photographs.
limiting case of an error rate of 1.0.
This limiting condition corresponds to As noted in the table, modification of
an individual's becoming completely dis- these underlying (basic) probabilities
organized. Extensive clinical experi- was made as necessary when incorporated
ence exists in the literature on human into the fault trees. The modifications
performance to support the theory that considered the exact nature of the human
large numbers of individuals will fail engineering, e.g., the close similarity
to perform assigned tasks under severe of labeling of different switches, with
stress and may become completely the attendant higher probability of
disorganized (Refs. 8, 12). grasping and manipulating the wrong
111-61
switch. A later section describes the done by the operator is influenced
application and modification of the by the interaction of his emotional
basic error rate estimates to a sample state (e.g., fear and worry inmuedi-
human-reliability analysis problem. ately after a large LOCAd.
In general, human error ratds for tasks 3. The responses the operator makes by
have been estimated to the nearest order means of switches, large valves,
of magnitude, with two analysts making oral orders, writing down infor-
independent estimates based on a de- mation etc.
tailed description of the task require- The above analytical approach was used
ments (including written instructions to break down the tasks into smaller
and photographs of controls, displays,
valves and other items to be read or bits of behavior that could more readily
manipulated by operating personnel). In be combined with existing data or with
all cases, the independent estimates the experience of the analysts.
agreed to the nearest order of magni- Finally, the estimates of error rates
tude. The associated assessed error for the individual behavioral units were
factors (probability ranges) covered the combined into estimates of error rates
possible variations and uncertainties for larger units of behavior, cor-
associated with the final estimates. responding to nuclear power plant tasks
or groups of tasks. In this recombina-
The two specialists attempted to avoid tion operation, the estimated error
overestimating human reliability, that rates for smaller behavioral units were
is, underestimating error rates. Con- at times modified in consideration of
currently, they tried to avoid deliber- their interdependencies to avoid the
ately overestimating error rates to derivation of unrealistically low esti-
provide only conservative estimates. mates of task error rates. In the
However, in post-accident situations, present study, the task error rate
e.g., after a LOCA, it was deemed proper estimates so derived were combined with
to avoid overly optimistic assessments consensus-estimated error rates to en-
of human reliability. hance the stability of the estimates.
Some of the estimates were based direct- The estimated task error rates were
ly on data collected on tasks identical modified, where appropriate, by the
or highly similar to nuclear reactor effects of available personnel redundan-
tasks. For example, UKAEA experience is cy, that is, the checking of a man's
that large manual valves that have no performance by another man. In some
readout of their position except the cases, the total estimated failure rate
valve itself are left in the incorrect of a task, including recovery from an
position after non-routine operations original error made possible by using
approximately once in 100 times (10-2 personnel redundancy, was equal to or
occurrence). Such information was ap- less than 10-6. However, experience
plied in the present study without with human reliability analysis and the
modification. (This is the case when no observation of "the impossible" have led
special precautions are taken, such as most specialists in this field to view
use of padlocks with administratively with skepticism any task error rate less
controlled keys.) than 10-5 for any but the very simplest
human acts. Consequently, in the pres-
In other cases an analytical. approach ent analysis, estimates of human error
was necessary to apply existing data on rates smaller than 10-5 were not used.
human error rates. In these cases, a
nuclear power plant task was broken down The estimates of task error rates were
into individual steps involving percep- incorporated in fault trees by the fault
tual, conceptual/emotional, and motor tree analysts, and human failure events
aspects of behavior. In more common were treated in the same manner as other
terms, this means taking a particular failure events:
step in a task and considering the
following three aspects: 6.1.3 PERFOPRMANCE-SHAPING FACTORS
1. The inputs to the operator, as pro- Several factors had to be considered in
vided by such things as displays on deriving estimated error rates for
control panels, labels, configura- nuclear power plants. Following are the
tion of manual valves (including more important of these factors, each of
presence or absence of padlocks), which is discussed under the topic
written instructions, and other headings which follow.
signals.
*Level of presumed psychological
2. The thinking and decision making stress
111-62
e Quality of human engineering of Furthermore, at the low level set point,
controls and displays both sets of valves would normally be
closed and the green indicator lamps
* Quality of training and practice above them would be illuminated. A
sample human reliability analysis using
e Presence and quality of written these switches is described in a later
instructions and method of use section to illustrate how the potential
confusion in using these switches can
e Coupling of human actions result in human errors.
e Type of display feedback Fairly high rates were assigned to the

probability of manipulating the wrong
e Personnel redundancy switch in cases where similar appearing
controls and displays were close to-
gether without separation by functional
6.1.3.1 Level of Presumed Psychological flow lines on the panels or some other
Stress. means to show normal process flow, a
design characteristic of operating pan-
As discussed earlier, the highest error els on some research reactors (Ref. 14).
rates were assigned to the time period In general, the design of controls and
immediately after a large LOCA, with displays and their arrangements on
recovery to normal levels of human reli- operator panels in the nuclear plants
ability occurring as a function of time. studied in this analysis deviate from
Implicit with this assumption that error human engineering standards specified
rates decrease with time is the underly- for the design of man-machine systems
ing assumption that things do get and accepted as standard practice for
better. That is, the nuclear power military systems (See Ref s. 15 through
plant is brought under control with 19). Whether such standards are
appropriate automatic and manual necessary and would result in a net
responses to the emergency. benefit is outside the goal of this
analysis.
Normal error rate values have been
assigned to routine control room It was appropriate to assign fairly low
operations and to maintenance and cal- error rates to tasks where the quality
ibration tasks, as it is assumed that of human engineering is such that the
the normal stress level has a facilita- cues given for task initiation and
tive effect. In the interviewing and correct task completion are difficult to
observation of control room operators, ignore. For example, lower error rates
maintenance personnel, and calibration have been assigned to cases where the
technicians, it appeared that .the jobs task initiation cue is an annunciator
were sufficiently challenging to main- alarm than where the cue is merely the
tain facilitative levels of motivation. deviation of a meter on a panel in the
No one seemed bored or "just putting in control room. Also, for some large
time". (This is a clinical judgment manual valves, the use of a special
based on the independent observations of padlock and chain with administratively
two psychologists trained in clinical controlled keys and associated paper
evaluations.) work reduces the probability of for-
getting to return the valve to the
6.1.3.2 Quality of Human Engineering of normal condition after maintenance. In
Controls and Displays. the latter case the primary cause of
leaving such a valve in the wrong
The basic error rates in Table 111 6-1 condition after maintenance would be
were modified by assigned higher rates failure to use the required procedures.
to situations where the arrangement and An estimated 10-4 error rate per
labeling of controls to be manipulated opportunity was assigned to such
were potentially confusing. For exam- failure.
ple, motor operated valves MOV-1860A and
MOV-1860B are to be opened at the RWST In certain cases, a high recovery factor
low level set point (14.5% full). Imme- was assigned to the error of manipulat-
diately adjacent to these switches are ing an incorrect MOV or pair of MOV's.
MO0V-1863A and MOV-1863B. The two sets An example of a recovery factor is as
of switch numbers are similar, and they follows. Assume an operator is supposed
have similar functional labels: to open a pair of MOV's to increase the
flow rate as displayed on a meter. The
LO HEAD S.I. PP A SUMP SUCT VV normal procedure would be for the
operator to make the switch manipulation
and and then observe the flow meter for the
LO HEAD S.1. PP A DISC ISO VV proper rate of flow. If the proper rate
111-63
of flow fails to materialize, the opera- dures without hesitation or indecision
tor would have a high probability of potentially indicates lack of a clear
realizing something was wrong and would plan of action should such emergency
likely take corrective aCtion. The situation6 occur. Based on the above
example in a later section illustrates findings, relatively high error rates
some recovery factors. were consequently assigned to operator
actions required soon after the onset of
In general, it was found that most a major emergency such as a large LOCA.
errors in maintenance and calibration
tasks either had immediate and com- 6.1.3.4 Presence and Quality of Written
pelling feedback of their correctness or Instructions and Method of Use.
incorrectness or that subsequent recov-
ery factors made it highly improbable Generally, a lower error rate was as-
that errors would remain undetected for signed to procedures for which written
long. instructions are available. It was
necessary to make an estimate of the
6.1.3.3 Quality of Training and likelihood that written instructions
Practice. would be used by the operator, main-
tenance technician, or calibration tech-
On the basis of interview, observation, nician, rather than trusting his memory
a visit to a training center, and review of the procedures. For example, in one
of training materials, the level of of the cases analyzed, even with appro-
training of nuclear power plant per- priate use of calibration procedures, it
sonnel was judged to be outstanding. was observed that a technician anticipa-
For example, interviews with control ted what approximate instrument reading
room operators revealed a clear under- should appear for each step in the
standing of normal reactor operation. procedure. He had performed this
They can readily describe the events lengthy calibration procedure so often
occurring in normal on-line operation that he 'knew what to expect. This
and have a clear conceptual picture of knowledge coupled with a very low
the processes involved. (In one inter- frequency of finding an out-of-tolerance
view an operator who was considered by indication sets up a very strong
his supervisor to be "below average" for. expectancy that each reading will be in
operators at the site demonstrated the tolerance. Under these circumstances
above thorough understanding.) There- there is some likelihood (estimated as
fore, for routine maintenance, calibra- 10-2) that the technician will "see" an
tion, and control room operations, a out-of-tolerance indication as being in
high degree of trained-in excellence has tolerance. (In this particular in-
been assumed with associated high stance, however, there were so many
estimates of human reliability. recovery factors that even with the
assumption of a 10-4 error rate, the
Although original training includes probability of an uncaught and uncor-
responses to emergencies, there is no rected calibration error was negligi-
provision for frequent on-site practice ble.)
in responding to simulated emergencies
(such as a large LOCA) at the sites In estimating error rates, the quality
visited. In the absence of appropriate of the written instructions was evalu-
simulation equipment, such on-site prac- ated. Of concern were such factors as
tice could be simulated by frequent the easewith which an operator could
.atalk-through" of responses to emergen- find a written emergency procedure, the
cies. This type of informal test was extent to which the format would aid the
made in the course of the present study. operator, the likely ease of under-
It was found that the operators inter- standing non-routine instructions, and
viewed could explain in general terms so on. The style of written instruc-
what they should do in. postulated emer- tions contributed materially to the
gency situations, but they did not estimated error rates. The written in-
always appear to be sure of the structions do not conform to established
locations of switches and readings on principles of good writing; they are
displays relevant to manual backup more typical of military maintenance
actions required in the event of failure procedures of approximately 20 years'
of automatic safeguards systems. This ago. Other deficiencies which contribu-
does not imply that, based on such a ted to relatively high error rate esti-
limited "test" of operator ability in mates were poor printing quality, no
emergencies (i.e., a discussion of a distinctive binder or location for
hypothetical situation), operators would emergency procedures, lack of tabs and
not be able to carry out emergency inappropriate indexing which made it
tasks. Nevertheless, the lack of abili- difficult to find specific procedures,
ty to "talk through" appropriate proce- and poor format for each procedure.
111-64
The observed method of use also contri- probability of forgetting to reclose one
buted to relatively high estimated error valve would not be independent of the
rates. Men were observed performing probability of forgetting to reclose the
several tasks and then checking them off other valve. Since most operators would
on the check list. The correct and more be likely to follow the prescribed
reliable procedure would be to perform a procedure, loose coupling best expressed
listed task, check it off, and then move the relationship errors of forgetting
on to the next item in the check list. for the two valves.
Lower error rates were assigned to cases
where information from a meter or a dial For the valves in question, the impor-
had to be recorded on the check list tant error was forgetting to reclose
rather than merely checking off that an both valves. The probability of this
item had been completed. Such a proce- error was calculated as follows: Gener-
dure markedly reduces the probability of ally, loose coupling was taken to be the
forgetting to perform a step in the log-normal median value between the
check list. upper and lower bounds. The upper bound
on coupling is defined by the assumption
6.1.3.5 Coupling of Human Actions. of complete coupling between the two acts
(i.e. reclosing of the two valves). The
Another important factor is related to lower bound is obtained from the
the type of grouping of switches or assumption of complete independence
manual valves plus the effects of between the two acts. Given an estimate
written instructions. This factor is of 10-2 for the error of forgetting to
the amount of coupling of human actions, reclose a sIngle valve, the upper bound
that is, the relative lack of independ- becomes 10- and the lower bound
ence of such actions. Four levels of 10-2 x 10-2 = 10-4. The log normal
coupling were used in the analysis: no median is the square root of the product
coupling (i.e., complete independence), of the lower and upper bounds, or,
loose coupling, tight coupling, and
complete coupling (complete dependence).
The degree of coupling is assigned on an IX 10-3
individual failure basis but some gener- ._10-2 x-10-4 =
al guidelines were used as illustrated
below.
An example of no coupling between tasks Thus, the probability of forgetting to

would be where the probability of error reclose each valve is estimated as 10-2
in one task is independent of the and the probability of forgetiting to
probability of error in another task. reclose both valves (the only error of
Tasks which are dissimilar or which are importanc-i-n the analysis) is estimated
greatly separated in space and time tend as 1 x 10-3.
to be independent. However, such tasks
might be affected by the same conditions Tight coupling can be illustrated by the
(e.g., the stress after a large LOCA) requirement to calibrate three bistable
and the estimates of their error rates amplifiers in the reactor protection
were influenced by this consideration. system (SCRAM). One calibration
technician performed the calibration in
Loose coupling can be illustrated by two the instrument room while communicating
test valves in the PWR containment spray with an operator in the control room. A
injection system located in a building 10-2 probability was assessed for the
next to the RWST. Both these large error of the technician's miscalibrating
manually operated valves are chained and the first bistable amplifier, as by
padlocked in the normally closed posi- using an incorrect set level. The
tion. Periodically they must be un- incorrect set level, for example, could
locked and opened for test purposes. The be due to a simple misreading error.
procedures call for one valve to be Given that the calibration technician
opened and that part of the system has miscalibrated the first amplifier,
tested, and then for the valve to be there is a substantial probability of
closed, chained, and padlocked before carrying over the incorrect set level to
proceeding to open the other valve to the second bistable amplifier. It was
test the other part of the system. It estimated that the conditional
was judged there was a small probability probability of miscalibrating the second
that, for convenience, an operator would amplifier, given miscalibration of the
regard both valves as a unit and not first, would be 10-1, or a joint
follow the prescribed procedures. That probability of 10-3 of miscalibrating
is, he would open both valves prior to both amplifiers. It was estimated that
any testing and after all testing the conditional probability of miscali-
reclose both valves. Therefore, the brating the third amplifier, given
111-65
miscalibration of the first and second overall rate of making one of the above
amplifiers, would be 1.0, or a joint two calibration errors and then failing
probability of 10-3 of miscalibrating to catch this error and incorrectly
all three bistable amplifiers. In other recalibrating all four racks is
words, a tightly coupled sequence of approximately 10-2 (the initial error) x
events was assumed. In this particular 10-2 (second rack) x 10-2 (third rack) x
operation, there were several recovery 10-2 (fourth rack), or much less than
factors, so that the final estimated 10-5. (Recall that we do not use any
influence of human errors on the reactor estimates smaller than 10-5.)
protectiog system was smaller than the
above 10- estimate for the basic act. 6.1.3.6 Type of Display Feedback.
An example of complete coupling is found
when one basic act results in several One of the most important recovery fac-
failures. For example, one step in the tors to mitigate the effects of an error
is the type of display feedback. If an
written procedure calls for the operator error resulted in an immediate annuncia-
to open two valves. The two valves are tor warning, a relatively low failure
regarded as one unit by the operator.
In estimating the probability of his rate was assigned to the recovery fac-
omitting to open these valves, the same tors. The total task failure rate would
estimated error rate was given for one be the product of the initial error rate
or both valves. That is, it was consid- and the low failure rate of the recovery
ered that if he would open one valve, he factor. But if the feedback consisted
of a slow rise in pressure, for example,
would open the other. Likewise, if he as displayed on a meter on the vertical
failed to open one valve, he would fail wall underneath the annunciator panels,
to open the other. This analysis is an a higher failure rate was assigned, in
approximation, of course. Absolutely certain instances 0.5.
complete coupling can be very unlikely--
yet, in this particular example, it was 6.1.3.7 Personnel Redundancy.
assessed that human behavior would
exhibit high dependency, and complete Another important recovery factor is the
coupling was assumed as a reasonable use of personnel redundancy (or, as it
approximation. is sometimes called, human redundancy)
which refers to the use of a second
As a contrast to the above discussions, person to verify that the performance of
the following example. shows how an ap- a first person was correct. Personnel
parent common mode error due to apparent redundancy can vary from complete
coupling was estimated to have no redundancy (i.e., complete independence
resulting net effect on safety system of the initial act and the checking act)
availability. At one site two possible to very low degrees of redundancy (i.e.,
common mode errors for comparator cali- high degrees of dependency between the
bration in the reactor containment initial act and the checking act).
pressure consequence limiting system Lower recovery factor failure rates are
were: related to higher degrees of personnel
redundancy.
a. using the wrong decade resistance
for all channels, and Beneficial use of a high degree of
personnel redundancy is illustrated by
b. using the wrong scale on the digital the calibration of the water level
voltmeter for all channels. sensors and drywell sensors at one site.
A two-man team performs the calibration
Once either error is made, the calibra- with one man reading and recording the
tion technician might indeed recalibrate readings on the check list while the
an entire rack. The estimated error rate other man does the calibration. After
for either comnon mode error was 10-2. the calibration has been completed the
However, when the technician went to the two men reverse roles and perform a
second rack, he would discover that the functional check. With this extensive
comparators in that rack, too,. needed a use of personnel redundancy, an estimate
gross recalibration, and he should sus- of 10- was assigned to the joint proba-
pect that something was wrong with the bility of a miscalibration being made
test procedure rather than merely pro- and the functional check failing to
ceed to recalibrate the second rack. catch the miscalibration.
The estimated failure rate of the recov-
ery factor for the second rack was 10-2. A low degree of personnel redundancy is
(This estimate was deliberately made illustrated by the use of a single
conservative.) Since the technician person to perform critical actions,
typically calibrates all four racks in followed by an informal type of
one shift, it can be seen that the checking. For example, in the case of
111-66
one critical manual valve located at the 4.9 When the RWST reaches the low-low
RWST, one man is responsible for reopen- level setpoint (7%) complete the
ing this valve after maintenance. following actions:
Should he forget to open the valve, the
RWST would not be available in the event 4.9.1 Close *MOV-862, suction to
of a large LOCA. At certain times a the low head safety injec-
walkaround inspection is performed, but tion pumps from the RWST
(as already noted) the estimated error
rate for this type of passive monitoring 4.9.2 Open the charging pump suc-
task is high (0.5). tions from the discharge of
the low head pumps by
It is sometimes thought that requiring a opening MOV-863A and B.
person to sign a statement that he has
accomplished a task will ensure that he This sample analysis is restricted to
really performed the task. For tasks steps 4.8.1, 4.9.1 and 4.9.2. The MOV
are frequently performed, the switches inovlved are MOV-1860A and B,
that
signing of one's name tends to become a MOV-1862, and MOV 1863A and B. [NOTE:
perfunctory activity with no more the procedures drop the initial digit
meaning than checking off an item on a since it is understood, for example,
In general, very little that MOV-860A could refer to this switch
checklist.
reliability credit was allowed for the for either the number 1 reactor (i.e.,
requirement to sign off that a procedure MOV-1860A) or the number 2 reactor (MOV-
had been completed. 2860A).] These switches are shown in
the bottom row of the sketch in Fig. III
In general, the degree of personnel 8-2. The two rows of switches shown in
redundancy was high for calibration the sketch are the bottom two rows of
operations, lower for certain operator seven rows on the left most panel of
tasks such as manipulating MOV's, and four segemnts in a large switch board
lowest for maintenance tasks. However, (one plane). There are other safety
in the case of the latter, a highly panels in other planes.
reliable recovery factor was the testing
of maintained system components before In the sketch the switches are associ-
the system was put back on line. ated with indicator lamps: G stands for
green (closed condition of motor
operated valve) and R stands for red
6.1.4 A SAMPLE HUMAN RELIABILITY
ANALYSIS (open condition of MOV). The lines
radiating from some of the indicator
To illustrate how a typical human relia- lamps indicate the normal "on" condition
this of these lamps prior to the low level
bility analysis was performed,
section outlines a sample analysis based setpoint.
on paragraphs 4.8 and 4.9 of the
entitled "Loss of Reactor Not shown in the sketch, but of impor-
procedure row
Coolant," provided by the utility that tance to the analysis, is the third
The two para- from the bottom of MOV switches. The
runs the subject PWR.
graphs are: row consists of 5 switches identical in
shape and size to the bottom row. The 5
switches are physically arranged from
4.8 When the RWST reaches the low level left to right and are labeled as
setpoint (14.5%) and CLS [Conse- follows:
quence Limiting System] initiation
has been reset (RESET PERMISSIVE < LO HEAD S.I. PP A DISC ISO VV
0.5 psig) complete the following MOV-1864A
actions: ISO DISC FROM COLD LEGS
4.8.1 Open MOV-860A and B, suction LO HEAD S.I. PP A RECIRC ISO WV

to the low head SI [Safety MOV-1885A I
Injection] pumps from the
containment sump. LO HEAD S.I. PP A&B RECIRC ISO WV
MOV-1885C
4.8.2 Stop the containment spray
pump motors and close spray
pump turbine steam supply
valves MS-103A, B, C and D
LO HEAD S.I.
MOV-1885B
PP B RECIRC ISO VV
~1
LO HEAD S.I. PP B DISC ISO WV
4.8.3 Close Spray pump suction and MOV-1864B
discharge valves MOV-CS- ISO DISC FROM COLD LEGS
100A, 100B, 101A, B, C and
D. (Normally open-red lamp)
111-67
The procedures in paragraph 4.8 are to point. This 10-3 estimate is shown in
be performed about 20-30 minutes after a Fig. III 6-3 as the second branch
LOCA, and the procedures in 4.9 should leading to failure event F1 . Thus, the
be pqrformed about 2 minutes after those total estimated failure rate F1 (failing
in 4.8. The 14.5% low level setpoint is to perform step 4.8.1 in time) is 10-4 x
indicated by a meter that shows dropping 10- = 10-7. Although as stated previ-
water level in the RWST, and also by an ously an estimated failure rate of less
annurwiator. The 7% low-low level set- than 10-5 should be viewed with skepti-
poipt is similarly indicated. cism, it can be concluded that the
probability of failure to perform step
,Reference to Table I11 6-1 indicates 4.8.1 is relatively small, and this
that the basic operator error rate at potential failure was therefore dropped
the end of 30 minutes after a LOCA is from further consideration.
approximately 10-1. This basic error
rate was used for certain of the activi- It was estimated that if step 4.8.1 were
ties as described below. performed, the probability of selecting
some pair of switches other than MOV-
The first question to be asked in the 1860A and B would be of the order of
analysis was: what is the probability 10-2. The reliability of this task is
that no action would be taken at the low estimated at this value because it was
level setpoint condition? The second assessed to be highly probable that
question was: what is the probability responsibility for operating the valves
that some pair of switches, other than would be assigned to one person, that
MOV-1860A and B would be manipulated? is, no personnel redundancy would be
used. This judgment was based on
In answering the first question the observation of operators at work. Mis-
basic error rate of 10-1 was used. selection of switches is the type of
However, it was assumed that by 20-30 error that operators tend to disregard
minutes after a LOCA at least three as a credible error. Therefore, it was
people would be present in the control deemed unlikely that anyone would check
room, and that each of these people the operator who actually manipulated
would have to fail to notice the need the MOV's. The basic error rate of
for taking action indicated in step 10-1 was assessed to be too large for
4.8.1. Furthermore, it. was estimated this type of action, and 10-2 was ac-
that the presence of the meter indi- cordingly selected as the nearest order
cation of falling RWST level should add of magnitude estimate.
a probability of 0.9 that someone
present would be cued to perform step Reference to Fig. III 6-3 indicates that
4.8.1. (This estimate is based on an there are two paths leading to misselec-
assumed probability of 0.5 that an tion of the pair of switches. The path
individual will fail to notice a change
in a meter indication under the circum- A-F2 (10-4 x .999 X 10- 2 V 10-6)
stances. For three people the joint
probability that the change will be
unnoticed is 0.53 = .125, yielding a has a small probability and hence can be
probability of 0.875 that it will be rejected. The only remaining failure
noticed. For convenience, this was path of consequence is thus
rounded to 0.9.) The probability that
step 4.8.1 would not be executed is thus A-F 3 (.999 x 10-2)
estimated as about 10-4 prior to the
auditory alarm, which would provide
another cue for action. This estimate which reduces to 10-2.
of 10-4 is shown in the first branching
of the probability tree diagram shown in Given that the operator selects a wrong
Fig. III 6-3. pair of switches at the low level
setpoint there now arise the possible
Once the alarm has sounded, the opera- candidates of incorrect pairs he will
tors have 2 minutes in which to perform select. It was assessed that the most
step 4.8.1. It was reasoned that if no probable candidates are MOV-1863A and B
action has been planned until the alarm since they are on the same row of
sounds, some degree of disorganization switches, are adjacent to the desired
is indicated and the basic error rate of switches, and have similar MOV numbers
10-1 is applicable for each of the three and labels. The probability of select-
operators. Thus a probability of 10-3 ing a pair of switches from the second
was estimated for the failure to take row from the bottom is lower in value
action by any of the three operators because of the dissimilarity of switch
within 2 mintues after the first audito- nomenclature and the different appear-
ry alarm at the 14.5% low level set- ance of the switches themselves (they
111-68
have an AUTO position). The switches in ent estimates to check on the source
the third row from the bottom have of any disagreement and to resolve
labels similar to the desired switches, it.
but the outboard switches (the most
likely candidates for mis-selection) are 6.2 AIRCRAFT CRASH PROBABILITIES
normally open. Their red-indicator
lamps would furnish a cue that they are The AEC Regulatory Staff has compiled
not the correct switches to be manipula- data (Refs. 20, 21, 22) on aircraf t
ted. In addition, this third row is movements and calculated crash probabil-
spatially somewhat remote from the ities as a function of distance from an
desired switches. airport and orientation with respect to
runway flight paths. The probabilities
Given the initial error of selecting are computed per square miles per air-
some pair of switches other than May- craft movement so that the individual
1860A and B, it is therefore estimated plant sites can be evaluated by deter-
that there is a probability of .75 that mining the plant vulnerable area, dis-
the operator would select MOV-1863A and tance from the airport and the number of
B and a probability of .25 that some aircraft movements involved. Table III
other pair of switches would be selec- 6-2 which was taken from Reference 23 is
ted. The error of mis-selection of MOV- based on general aviation aircraft
1863A and B has a recovery factor which movements for the years 1964 through
enters at the 7% (low-low) level 1968 and includes 3993 fatal crashes as
setpoint. That is, in step 4.9.2 the a result of 320,000,000 aircraft move-
operator is supposed to close MOV-1863A ments. Only crashes resulting in a
and B. If the error of mis-selection fatality were considered. It is reason-
had already been committed, the operator able to assume that accidents severe
would find these M'OV's already closed. enough to create significant damage to a
This situation will likely cue him that nuclear plant would generally involve
something is wrong. A 0.9 probability fatal injuries, however.
is therefore used for his noting an
error, and hence the total estimated Table 111 6-3 presents fatal crash
failure rate for step 4.8.1, including histories of air carrier and military
failure of the recovery factor, is 10-z aircraft. Crashes within ten miles of
x 0.75 x 10-1 = 0.00075 which is rounded an airport runway and within a 60 degree
to approximately 10-3. reference flight path symmetric about
the extended center line of the runway
A similar analysis was performed for are considered.
steps 4.9.1 and 4.9.2. The detailed
analytical approach described above Although the number of aircraft move-
involves a degree of subjectivity. For ments per year may increase significant-
the study this subjectivity was not ly in the uiext_ four decades, the fatal
particularly crucial because what is crash probability per aircraft movement
important and affects the overall re- per square mile is expected to stay
sults is the order of magnitude of the relatively constant and will probably
human error failure rate and not its decrease as safety technology develops
exact value. The error bounds attached in future years. The updating of the
to the final estimate also gave coverage crash probabilities to account for
to uncertainties and errors which might future growth can then be accomplished
exist. As a tool in itself, the de- by estimating the increase in aircraft
tailed analytical approach is valuable movements for the period of concern. A
for the following reasons: study conducted by Sandia Laboratories
indicates that the accident rate per
a. The exercise of outlining all plau- mile for all U.S. air carriers steadily
sible modes of operator action decreased over the period of 1968
decreases the probability that some through 1971 even though the number of
important failure path will be miles flown increased significantly.
overlooked.
It is reasonable to expect this trend to
b. Due to the lack of error rate data continue so that extrapolation of crash
for nuclear power plant tasks, it is probabilities based solely on the ex-
necessary to break down operator pected increase in aircraft movements
actions to a level where existing will result in conservative answers.
data can be used.
Based on the reference data on the prob-
c. The detailed approach makes it ability of aircraft crashes as a func-
easier for analysts making independ- tion of number of aircraft movements and
111-69
vulnerable area, the analysis of 1972 number of operations = 81,500.
specific plants is dependent on (1) the b. Assumed Conditions:
number and nature of aircraft movements
in the vicinity of the plant, (2) the 1. Only 1/2 of the 81,500 opera-
vulnerable area of the plant arid (3) the tions fly over the site. (Since
damage potential of aircraft crashes 1/2 are landings and 1/2 are
into the vulnerable area.
takeoffs, it is likely that only
one or the other and not both
6.2.1 NUMBER AND NATURE OF AIRCRAFT types of operation would be
MOVEMENTS involved.)
Aircraft movements considered have gen- 2. Half of the operations are by
erally been limited by size or weight large aircraft and half by
restrictions. The assumption commonly smaller aircraft (less than
made is that aircraft having a weight of 12,500 lb.).
12,500 lbs. or greater will cause seri- 3. Of the smaller aircraft, only
ous damage to a reactor plant. It is 1/4 are large enough to cause
assumed that some portion (25% for damage.
Surry) of the smaller aircraft is large
enough to cause damage. Judgements on 4. Vulnerable areas of 2 each unit
size and speed considerations are made ari less than 0.01 mi and 0.005
for individual airport-plant interac- mi for large and small aircraft
tions based on the type of aircraft respectively.
involved. 5. Probability of fatal crash is
less than 0.3 x 10- 8/mi 2 per
6.2.2 DETERMINATION OF PLANT VULNERABLE operation. (Military aviation
AREA has a better safety record than
general aviation.) Accordingly,
The plant vulnerable area is calculated the probability of an aircraft
as the "shadow" area in square miles of accident resulting in structural
vulnerable plant structures based on a damage is:
defined impact angle. The angle is
generally assumed to be 200 although it P <811500 1 00
may vary from 100 to 300. It should be S,A , x½x 0.01
noted that the effective area will vary
depending on the direction of approach, x 3 x 0 81,5000
terrain features, and type of damage.
6.2.3 DAMAGE POTENTIAL x IT x 0.005 x 3 x 10.9
0
Two types of damage are generally con-
sidered, (1) fire damage either from the P. <-7 x 10-7 /year
aircraft exploding and burning or from
sprayed fuel igniting, and (2) structur- 6.2.4.2 Source.
al damage due to impact of the aircraft
frame and engines. a. Williamsburg - Jamestown Airport
Five miles N-NW of the site.
Table 1II 6-4 was taken from Reference
23 and shows the calculated Maximum gross weight of aircraft
probabilities for three plants. The 12,000 pounds.
table has been expanded to include the
Surry plant Units 3 and 4. The 1972 number of operations - 45,000.
information for Surry was taken from the
Safety Analysis Report and from the AEC b. Assumed Conditions:
Regulatory Staff evaluation.
Using I probability of crash of I x
6.2.4 TYPICAL DAMAGE CALCULATIONS 10 8 /mi' and assuming that only 1/4
(SURRY 3 and 4) of aircraft are large enough to
cause damage since this is a rela-
6.2.4.1 Source. tively small airport with predomi-
nately light aircraft traffic.
a. Felker AAF Field
PS, < •M
45,000 X 0.005
005
Five miles SE of the site. SB 2
Maximum gross weight of aircraft x x1 10-
O 8
x1
47,000 lb. 4
111-70
PS,B < 3 x 10- 7/year . not permit operation of the reactor
without offsite power. Therefore, off-
site power is assumed to be available
immediately prior to a LOCA. Since the
To determine the likelihood of an impact
of the containment vessel the ratio of time frame of interest for this event is
the containment vessel area to the over- in the order of one minute, the likeli-
all target area was estimated at 0.5, hood of losing offsite power by a fail-
which results in a probability of 5 x ure which is not causally related to the
10-7 for impact on the containment LOCA is negligible. Likewise, because
structures. of the short time span, credit cannot be
taken for corrective actions during this
Further, in Reference 23, it was event.
concluded the likelihood of a trip,
A LOCA will cause a generator
penetration (given impact) resulting in resulting in a sudden loss of genera-
damage to a critical element within the If this sudden loss of generation
tion.
containment vessels (such as the limit of
exceeds the transient stability
reactor, the primary piping, etc.) was the power system, then offsite power
reduced at least a factor of 100. will be lost. The Federal Power Commis-
Therefore, the estimate of critical sion has provided transient stability
damage due to an aircraft accident is information for power plants east of the
conservatively established at: Rockies. Based on this information, the
probability is assumed to be 10-3 that
P < 5 x 10- 9/plant year . offsite power would be lost as a result
of the generator trip that would arise
from a LOCA. This is the value used in
this study, although for the particular
6.3 TOTAL LOSS OF ELECTRIC POWER plant considered in this study, this
number might be lower (i.e., the
An event of major concern in the reactor
safety study is total loss of electrical transmission system of the plant review-
ed has a high transient stability limit
power at LOCA or during the course of a
LOCA. Accordingly, the statistics and due to high installed capacity, the ex-
methodology used to quantify the likeli- tensive grid interconnections with other
hood of such an event are reported large utilities, and the number of 500
herein. and 230 kV transmission lines connecting
the plant to the grid). Conversely,
of two this number would be higher for other
This event requires the failure
independent systems, the areas, e.g., Florida, where the tran-
essentially low.
offsite power system and the onsite sient stability limit is relatively
power system. Further, because the The associated error spreads serve to
electrical requirements are reduced as cover such possible deviations.
time progresses subsequent to a LOCA,
the event was evaluated for two discrete If offsite power is lost at LOCA, then
time periods: (1) at the instant of a the subsequent loss of two diesel
LOCA; (2) at time periods up to nine generators results in total loss of
months after a LOCA, provided that the electric power at LOCA. Both diesels
electrical system operated properly at could either fail to start, or both
LOCA. generators could trip due to the sudden
application of load. Either case,
Because time is not a factor for loss of failing to start or tripping, would
electric power at LOCA, cyclic or per result in total loss of power. The
demand statistics were used to compute failure of both diesels to start is
the probability of such a loss in lieu considered to be a random event due to
of the more standard failure rate data. two independent failures. Nuclear oper-
Conversely, because time is a factor for ating experiences (the data tables)
loss of electric power during the course indicate that the failing to start prob-
of a LOCA, applicable failure rates were ability is 3 x 10-2 per demand. Since
used to compute the probability of such two diesel generators are involved, the
a loss. probability that both fail to start is
9 x 10-4, or approximately 10-3. If
6.3.1 TOTAL LOSS OF ELECTRIC POWER both diesels start, the subsequent
AT LOCA tripping of both generators would result
in total loss of power at LOCA. Since
The sequence that leads to this event is both generators must pick up all
loss of the offsite power sources at emergency loads upon loss of offsite
LOCA, and the subsequent failure of the power, this is a single event that could
diesel generators to start or to pick up trip both units. Based on analyses and
load. The Technical Specifications do sparse engineering data, the probability
111-71
of such an event is assessed to be 10-2, Vendor data indicate that the time
compared to 10-3 for independent failure required to uncover the core upon loss
calculation (Ref. 24 through 27). The of all electric power, Tmax, can be
error spreads again serve to cover the approximated by a linear function
associated variabilities of this whenever the time t after LOCA exceed
estimate. 144 hours;
The loss of offsite power at LOCA, Tmax Wt)- 0 ; t < 144 hr
(qnet), was estimated to be 10-3, and
the loss of both diesel generators,
(q2DG) was governed by the tripping t
sequence and estimated to be 10-2. Tmax Mt) 1+ - ; t > 144 hr
Since offsite power and onsite power
must be lost to cause total loss of
power at LOCA, the point probability of Thus, all electric power may safely be
such an event, (qAC) can be computed as lost for approximately two hours in the
follows: period starting one month after a LOCA
occurrence. As a result, the repair
models used for restoration of electric
10- 3x 10- 2 power allow a maximum repair time which
qAC-- net (q2DG)" coincides with the above equations.
The computed maximum allowable outage
=10-5 . times were subsequently coupled with
applicable repair data, and the proba-
bility of not restoring power within the
Because the 9SP requirements are most maximum allowed outage time was deter-
stringent immediately after a LOCA mined. The cumulative probability of
(e.g., the core would be uncovered in a losing all power increases directly with
matter of minutes without electric time; however, because the time allowed
power), no credit is taken for remedial to repair such outages also increases
actions such as restoration of offsite with time, the cumulative probability of
power or manual start or repair of meaningful failures increases less rap-
diesel generators. idly than would otherwise be the case.
6.3.2 TOTAL LOSS OF ELECTRIC POWER The data on which the probability
DURING A LOCA calculations are based include nuclear
operating experience for loss of offsite
A premise for this event is that power power and diesel failure and repair, and
was available at LOCA and that the utility operating experience for resto-
subsequent total loss of power was due ration of offsite power. Nuclear oper-
to random uncorrelated events. As in ating experience for 1972 includes three
the case of total loss of electric power events where offsite power was lost.
at LOCA, this event requires the loss of
offsite and onsite power. In contrast These events occurred in about 150,000
to the case of total loss of electric operating hours, giving a point estimate
power at LOCA, this event allows credit of the failure rate for offsite power,
to be taken for corrective actions. X(net), of 2 x 10-5 failures per hour.
Credit for corrective action is allowed This data was not inconsistent with the
because the requirements of the ESF sys- other experiences.
tems, primarily the heat removal system,
become progressively less stringent as
time passes after the LOCA. The repair model for restoration of
offsite power was based on outage data
The probability of this event therefore of the Bonneville Power Administration
involves two aspects: (1) reliability, for the years 1970, 1971 and 1972. The
(2) maintainability. The reliability statistics represent the operating
aspect is the probability that the total experience of more than 11,000 miles of
electric power system will fail at some transmission lines rated at 500, 345,
time, T, after the LOCA; the maintaina- 287, 230, 138 and 115 kV, and include
bility aspect is the probability that more than 1500 outages. These statis-
power cannot be restored before the tics are summarized in Tables I11 6-5,
maximum allowable outage time (i.e., the 6-6, 6-7. These data represent single
time required to uncover the core). failures, andnot necessarily the loss
Thus, the relevant probability for this of offsite power; however, the repair
event is the joint probability that all data are applicable because the- repair
power is lost and that it is not of a single line would constitute
restored before the maximum allowable restoration of offsite power. For the
outage time. outages reported, the restoration time
111-72
ranged from more than 150 hours to
essentially zero time. A cumulative
distribution curve of these outages was pt)W f ot (net) dt' S- _xp
net(t /max
/
plotted (Fig. III 6-4), and the mean
0
repair time was found to be less than
0.25 hour. For the post-accident
environment, a conservative, constant TmaxtWD
mean repair time (Tnet) of 1 hour was q (2 DG) exp TDG)
used. Thus, the probability that
( 2
offsite power is not returned to service
by time t after failure is approximated
As shown in the t, t<tO
by exp (-t/Tnet). = X(net) q (2 DG)
tables, the outages are caused by such
factors as trees in line, lightning,
storm, fire, malicious damage,
accidental damage and fire. The major = A(net) q (2 DG) 0 ++t T 1
contributor to the total number of
outages is lightning, and the outages
which require the longest time to repair
are generally those associated with
fire, ice or line material failures.
better depict the distribution of these
To ex(-T' t~ + 1
outages, a histogram was plotted on
semi-log paper, Fig. III 6-5.
- exp
The data were in the form of numbers of
incidents and total outage times within
each cause category. Although this pre- where
averaging may distort details of the
distribution (i.e., all incidents of a t = 144 hrs
0
given type are assigned the same average
outage time) the conclusions are not i/ = i/Thnet + 2/TDG = 1.095
sensitive to it. The distribution in
Fig. III 6-4 bears a reasonable resem-
blance to a log-normal curve, and the Tmax(t) = 't + 1
mean repair time used in further calcu-
lations was assessed to be adequate for T' = 1/720
the purposes of the study.
X(net) = 2.0 x 10-5
As previously stated, the probability q (2 DG) = 10-2

that both diesels fail to start
independently is approximately 10-3. 6.3.3 SUMMARY
However, if the diesels are required to
pick up a significant load immediately The probability of total loss of elec-
after start, as is the case, the proba- tric power was computed for two discrete
bility that both generators will trip time periods: (1) at LOCA and (2) dur-
ing the course of a LOCA. The results
out, q(2DG), is 10-2. Data for repair
of diesel generator sets were not very are tabulated as follows:
detailed. For the study's purposes,
however, the 1972 nuclear operating a. Total loss of electric power at
LOCA, Qmed = 10-5 per demand. The
experience data were able to be used to
the mean repair time, TDG, of 90 percent probability bounds
estimate
the diesel generators, which was twenty- (range) on this median estimate are:
one hours.
Qlower = 10-6 per demand;

Total loss of electric power during the
course of a LOCA involves the loss of
offsite power with both diesels failing
to pick up load, and neither the offsite Qupper = 10-4 per demand.
power source nor any diesel being re-
paired before the maximum allowed outage
time, Tmax, has elapsed. The cumulative
for this combined event can b. The point estimates of total loss of
probability
be given by the following equation: electric power during a LOCA, given
111-73
success at LOCA, and the associated For the final assessments, the rupture
90 percent probability bounds for data were extended and interpolated into
various times after a LOCA (see three categories as shown above. This
Table III 6-8) were computed by finer categorization was done principal-
using the aforementioned equation ly for modeling considerations and is
and by including the relatively somewhat subjective, based on judgement
small contributions from other fault and on extrapolation of general trends
tree analyses. (The point estimates observed in the basic data. The finer
were taken as median values with structure is not inconsistent with the
regard to the probability bounds.) basic data and the two group classifica-
tions, the highest and lowest bounds
(10-2 and 10-3) agree with the two
6.4 PIPE FAILURE DATA. groups and the total range which is
obtained from the basic data. The large
The probabilities of pipe failure as an ranges stemming from basic data which
initiating event for loss of coolant are associated with each category tend
accidents are listed in Table III 6-9. to cover any categorization errors made
and any categorization variation which
The pipe rupture assessments noted in can occur, with the range sizes causing
Table III 6-9 were obtained from exami- all the categories to overlap heavily
nation of nuclear data sources, indus- one another.
trial data sources, and a number of
other data sources. The same type of
range approach as used for the component In addition to the pipe sizes, the
data base was used for the pipe rupture rupture size and severity varied over a
assessments. Each of the various data spectrum, which contributed to the
sources was individually evaluated to uncertainty. In general, ruptures were
obtain pipe rupture assessments. Ranges categorized as those breaks of major,
(i.e., error spreads) were then deter- severance-type size. Minor leaks were
mined which covered and were not not counted in the rupture assessments.
inconsistent with the individual esti- When there were questions concerning
mates yielded by the various sources. particular failures, evaluations were
performed both including and excluding
In general, the pipe data from the these failures which served in determin-
various sources were quite rough and ing the ranges for the assessments.
gave much freedom of interpretation. To
incorporate the resulting uncertainty
and possible variations that could exist The assessments made in the study apply
in the assessments, the ranges (error to those types of pipe ruptures which
spreads) were required to be large in would cause LOCA's. When data sources
size. As with the other data, the were in the form of total, per plant
associated median values represent the probabilities that were applicable to a
geometric midpoint of the ranges; the rupture occurring in systems anywhere in
associated error factor from median to the plant, these total probabilities
range endpoint is thus 10. The range, were normalized by the ratio of LOCA
or error spread, and median values are sensitive piping to the total piping in
again rounded to the nearest half value which failures were reported. Average
on the exponent scale. For error deter- plant characteristics were used to
mination, a log normal was assigned to determine the fraction of piping in the
the above ranges and the ranges were data base associated with possible LOCA
interpreted at 90% probability. initiation; the characteristic values
used are shown below, followed by the
Various pipe sizes were included in the evaluation of the individual data
evaluations and the rupture data were sources. The variation in these charac-
categorized into different sizes. In teristic values from plant to plant was
general, the basic pipe data, as given judged to be negligible compared to the
in the data sources, could be broken assessed ranges associated with the
into two general categories, ruptures basic data variability.
occurring in pipes less than roughly 4"
in diameter and ruptures occurring in
pipes having diameters greater than 4". Finally, event trees were constructed to
In the summaries of the individual data analyze additional, plant-peculiar
sources which will be presented, the causes of rupture which were not includ-
data are broken into these two categor- ed in the data histories which were
ies for analyses where the less than 4" examined. These additional causes were
diameter pipes are simply termed "small then incorporated along with the data
pipes" and the greater diameter ones, assessment values in the final risk
"large pipes". evaluations.
111-74
X(LPB) will be used to represent the
6.4.1 PLANT PARAMETERS and
large pipe LOCA rupture rate (Z 4")
are listed as A(SPB) will be used to represent the
Average characteristics
follows: small pipe LOCA rupture rate (:. 4").
a. LOCA Sensitive Piping - 10% of total 6.4.2 NUCLEAR AND NUCLEAR-RELATED

piping in the reported data base. EXPERIENCE
In approximately 150 reactor years of

b. LOCA Sensitive Small Piping - 4.7%
of total piping in the reported data commercial nuclear power plant experi-
ence to date, there have been no cata-
base, 10% of small piping.
strophic failures of the primary coolant
c. LOCA Sensitive Large Piping - 5.3% loop. A crack in the secondary loop was
of total piping in the reported data recorded, believed due to a water hammer
base, 10% of large piping. effect; however, complete severance did
not occur. Using 1 failure as an upper
From the average plant characteristics, bound, therefore,
approximate relations are obtainable
between total plant failure rates and 1 10-3/plant
failure rates for the LOCA sensitive X(LPB) < 150 /plant year
piping. If failures are recorded for
the total plant, then:
Essentially the same result is obtained
if zero (0) failures are used and a 95%
Large Pipe LOCA' = (Rupture Rate for) chi square (or Poisson) confidence bound
Rupture RateA Total Plant is taken (X(LPB) 9 5 % < 3/150). The bound
is high, not particularly due to the
x 0.047 actual failure rate being high but to
lack of sufficient data.
= (Rupture Rate
Small Pipe LOCA) f or) If one interprets the above values as
Rupture Rate / Total Plant applying to the large piping
then the 7 x 10-
of the
3
value
entire plant,
x 0.053 can be multiplied by the LOCA sensitivi-
ty factor (susceptibility) of 0.10 to
into those obtain another bound for X(LPB).
If the failures are broken
occurring in larg piping and in small
piping, then th respective rates are X(LPB) < 7 x 10-3 x 0.10
multiplied by 0.1 to obtain the LOCA
rates:
< 7 x 10- 4/plant year
( Large Pipe LOCAt Rate for\
Large Piping ) With regard to small pipe ruptures, the
LRupture Rate (Rupture same type values as above are also ob-
x 0.10 tained. Several failures have occurred,
none of which were complete ruptures,
= (Rupture Rate for ahd there is freedom as to precise
Small Pipe LOCA)
applicability and failure counts. Using
1 failure as an order of magnitude type
Rupture Rate /\ Small Piping )
value,
x 0.10
X(SPB) < 7 x 10- 3 /plant year
The aforementioned relationships assume
a uniform occurrence of failure with
regard to pipe location. For order of Extrapolation to the small piping of the
magnitude calculations the relationship entire plant as before will yield an
is reasonable if the error spreads are additional factor of 10 reduction.
large enough to incorporate any errors
made in this extrapolation. For the The above values represent gross order
total plant rate relationships, each of magnitude type bounds, which are
factor (i.e., 0.047 and 0.053) is ap- dominated by lack of sufficient and
proximately 0.05, which is a factor of precise data. Because of the associated
two different from the large and small uncertainties, attempts to categorize
breakdown fractions of 0.10. For order the history in more detail, by subjec-
of magnitude calculations, this differ- tive judgement, will yieid no further
ence is generally not significant. In significant information with regard to
the following data source summaries, the overall statistical assessments.
111-75
If the experimental reactor experience 4 Minor leaks
and military applications experience
(naval) are added to the commercial b. Other failure related occurrences
nuclear experience, then additional val-
ues can be obtained. There are approxi- 1 Pipe dented - no break
mately 40 odd years of experimental
reactor experience and on the order of 1 Pipe hanger failure - no resulting
1200 reactor years of military experi- damage
ence. Including this experience with
the approximately 150 years of commer- The pipe sizes are not separated since
cial experience gives on the order of the detection, or severity factor, will
1400 years of combined nuclear experi- serve to differentiate large and small
ence. rupture probabilities. The above data
are taken from the more detailed tabula-
In the 1400 years of total experience tions given in the general data base
there have been no reported large pipe discussion.
ruptures occurring in the primary loops.
Using 1 failure as an upper bound, which Rate of breakage in large LOCA-sensitive
within the accuracies being computed piping (per plant per year):
agrees with the 95% zero failure bound,
one obtains 4 x 0.047 = 1.0 x 10-2
)X(LPB) < • = 7 x 10-4 /plant year Since the amount of small piping is
approximately equal to the amount of
large piping,the rate of breakage for
In the above calculation, a plant year small LOCA sensitive piping will also be
is taken to be synonymous with a reactor approximately 1.0 x i0-Z. This breakage
year. The 10% LOCA sensitivity factor rate can then be taken as an upper bound
can be applied to obtain another order for the small pipe LOCA rupture rate:
of magnitude reduction; however, since
the data are not directly correlated X(SPE) < 1.0 x 10-2
with plant characteristics, the 10% fac-
tor adds extra uncertainty. Precise
small pipe rupture data were not availa- If a fraction of the breakage rate is
ble; however, the same order of magni- taken as advancing to large ruptures,
tude value as above, i.e., 10-3, would then the upper bound will be reduced by
be roughly applicable, the value being this fraction to obtain the large pipe
less conservative with several failures rupture rate. In terms of experience
being counted for the bound. data, this severity fraction is the
ratio of large ruptures occurring to the
In addition to the bounds obtained from number of breakages occurring. The se-
commercial experience and combined nu- verity fraction represents a detection
clear experience, rough bounds can also inefficiency and can be taken as incor-
be obtained from non-rupture failure porating the probability that a rupture
data on process piping. Rupture proba- will occur without intermediate leakage
bilities are obtained (extrapolated) or breakage.
from the non-rupture statistics by ap-
plying non-rupture to rupture detection Using the average empirical value of
(severity) factors. Process piping does 0.05 from the G.E. and English data
not necessarily have the same failure (given in their associated data assess-
characteristics as the better quality ments), which represents a 95% detection
coolant piping, the LOCA related piping, efficiency.
which causes additional possible con-
servatism and uncertainty to be includ- A(LPB) < 1.0 x 10-2 x 0.05
ed. Since the bounds are to be inter-
preted as rough indicators, the effects
will not impact the bound applications. < 5 x 10-4
Using the 1972 nuclear history examined
for the general data base, the process 6.4.3 U.S. NON-NUCLEAR UTILITY
piping failures can be grossly categor- EXPERIENCE
ized as follows:
One of the more complete analyses avail-
a. Process Piping Failures (17 plants) able is the General Electric study of
non-nuclear power utility experience
4 Breaks (severity lying between (GEAP-574). The amount of experience
minor leakage and major rupture) was one of the largest analyzed and was
111-76
sufficient to obtain statistically sig- Non-Severance Failure Rate
nificant results. The data base does (Per plant year)
have the weakness that is non-nuclear.
Because of the applicable general utili- - (399-19) 4 x 10-2
ty environment and the general agree- 9 x 103
ments between nuclear and industrial
data observed in the other component
assessments, the G.E. results can be Since the above rates are interpretable
interpreted as being of more significant as applying to those reported for the
applicability. To account for the ex- entire plant, the large pipe rupture
trapolation uncertainties for nuclear rate can be evaluated as:
applications, the results must, however,
be interpreted as having large error X(LPB) = 2 x 10-3 x .047
spreads.
The G.E. basic data are summarized as
= 9 x 10- 5/plant year
follows:
Plant years of experience = 9 x 103* The 399 failures included minimum break
sizes comparable to the small rupture
Total number of failures = 399 sizes defined in the study, and hence a
corresponding small pipe rupture rate
Number of severances (ruptures) = 19 can be obtained by using the non-sever-
ance failure rate, which is essentially
19 the total failure rate:
Severity fraction T =30.05
= 2 x 10-3
Percentage of failures occurring with X(SPB) = 4 x 10-2 x .053
leakage - 94%
6.4.4 UNITED KINGDOM DATA
Percentage of failures occurring without
leakage - 6% The Phillips and Warwick report (AHSB(S)
R162) principally analyzed pressure ves-
The 399 failures covered the range of sel failures; however, some piping data
more minor breaks to more severe rup- were included. Non-nuclear history was
tures. There were 19 failures of the evaluated which covered the period from
large rupture type, which were charac- 1962 to 1967 and was comprised of a
terized as being more complete type total of 132 failures occurring in
severances. The severity fraction was roughly 100,300 plant years of experi-
discussed earlier, and empirically is ence. To better correlate with nuclear
the ratio of severances to total number applications, system ages were restrict-
of failures. The percentage of failures ed to be less than 30 years, had associ-
occurring without leakage is in general ated working pressures above 150 psi,
and were built to the English Class 1
agreement with the severity fraction.
standards. Because the pipe failures
The failure rate evaluations of the G.E. reported on were not as detailed as the
data are: vessel failures and because of the ex-
trapolation uncertainties, the results
Total Failure Rate must be interpreted as having larger
(Per plant year) associated error spreads. The evalua-
tions of the Primary Circuit Piping
_ 3993 = 4 x 10-2 Failure Rate (per plant year) are:
9 x 103
Potentially Catastrophic
Severance Failure Rate Dangerous
(Per plant year)
- 19 =2 x 10-3
5 x 10-4 2 x 10-5
9 x 10
The potentially dangerous rate corre-
sponds approximately to a range greater
than minor leaks but less than complete
severance. The value can thus be taken
*The plant years have been obtained from as roughly comparable to the small pipe
LOCA rate. The catastrophic rate can be
data and some analyses, where the plant
years can be taken to be roughly equiv- taken as being roughly comparable to the
alent to nuclear plant years. large LOCA rate.
111-77
As one other data source, the UK Systems 6.4.5 OTHER REPORTED PIPE FAILURE RATES
Reliability Service, in its data evalua-
tions, reports a rate of pipe defects to Listed on Table III 6-10 are pipe fail-
be approximately 3 in 107 feet of piping ure rates which have been given in
per year. The defect severities cover various published reports. The refer-
the spectrum from smaller breaks to ences are with regard to those given in
larger ruptures. This rate is based on the bibliography found in section 7 and
experience with approximately 70 conven- are associated with the study's data
tional boiler plants operating in the base. The reported values are taken at
100 to 500 MW range. face value since insufficient documenta-
tion was provided in the reports to be
If this total plant failure rate is able to assess the relative validity of
applied as an upper bound to the large the numbers. The values are in general
LOCA sensitive piping, then a value is similar, with a few having higher
obtained of: deviations.
A < 3 x 10-3 /plant year 6.5 FAILURE RATES COMPARED WITH

LOG NORMAL
Because of the defect definition, the
3 x 10-3 value can also be taken as an Figures III 6-6 through III 6-9 illus-
upper bound for the small LOCA failure trate the log-normal model distributions
rate. Since the defects cover a versus experience failure data. The
spectrum of severities, this bound can log-normal distributions are those util-
overestimate the true LOCA failure rate ized in the study to predict variations
by an order of magnitude. Using the in component failure data. The experi-
same factors as previously, the ence failure data consist of the raw
associated large pipe LOCA rate or small data which were obtained from the vari-
LOCA rate can be obtained by applying ous sources employed in the data assess-
the 0.05 approximate severity factor ments. Since the log-normal distribu-
obtaining the value of: tions utilized in the study are based on
data assessment and not on simple empir-
A(LPB) t- 3 x 10-3 x 0.05 ical fitting, the distributions will not
necessarily "best fit" the experience
- 1.5 x 10-4 /plant year data (in the data assessments performed,
for example, greater importance is given
The factor and its uncertainty can can- to nuclear and nuclear related data than
cel any conservatism in this large pipe to data which are not as directly
value. applicable).
References
1. Rook, L. W., Reduction of Human Error in Industrial Production, SCTM-93-62(14),

Sandia Laboratories, Albuquerque, New Mexico, 1962.
2. Swain, A. D., A Method -for Performing a Human Factors Reliabiliy Analysis,
Monograph SCR-685, Sandia Laboratories, Albuquerque, New Mexico, 1963.
3. Ablitt, J. F., A Quantitative Approach to the Evaluation of the Safety Function
of Operators of Nuclear Reactors, AHSB(S)R-160. Authority Health and Safety
Branch, United Kingdom Atomic Energy Authority, Risley, England, 1969.
4. Green, A. E., Safety Assessment of Automatic and Manual Protective Systems for
Reactors, AHSB(S)R-172, Authority Health and Safety Branch, United Kingdom
Atomic Energy Authority, Risley, England, 1969.
5. Kletz, T. A. and Whitaker, G. D., Human Error and Plant Operation, EDN 4099,
Safety and Loss Prevention Group, Petrochemicals Division, Imperial Chemical
Industries, Ltd., Billingham, England, 1973.
6. Ronan, W. W., Training for Emergency Procedures in Multiengine Aircraft, AIR-
153-53-FR-44, American Institutes for Research, Pittsburgh, Penna., 1953.
7. Berkun, M. M., "Performance Decrement Under Psychological Stress", Human
.Factors, 1964, 6, 21-30.
III-78
8. Appley, M. H. and Trumbull, R. (eds.), Psychological Stress, Appleton-Century-
Crofts, New York, 1967.
9. Harris, D. H. and Chaney, F. B., Human Factors in Quality Assurance, John Wiley
and Sons, New York, 1969.
10. McCornack, R. L., Inspector Adequacy: A Study of the Literature, SCTM-53-

61(14), Sandia Laboratories, Albuquerque, New Mexico, 1961.
11. Siegel, A. I. and Wolf, J. A., Man-Machine Simulation Models, John Wiley and
Sons, New York, 1969.
12. Grinker, R. R. and Spiegel, J. P., Men Under Stress, McGraw Hill Book Co., 1963
(reprinted from 1945).
13. , Some Limitations in Using the Simple Multiplicative Model in Behavior

Quantification", W. B. Askren (ed.), Symposium on Reliability of Human
Performance in Work, AMRL-TR-67-88, Wright-Patterson Air Force Base, Ohio, 1967.
14. Raudenbush, M. H., "Human Engineering Factors in Control Board Design for
Nuclear Power Plants", Nuclear Safety, 1973, 14, 21-26
15. MIL-H-46855A, Military Specification, Human Engineering Requirements for

Military Systems, Equipment and Facilities, U.S. Dept. of Defense, Wash., D.C.,
2 May 1972.
16. MIL-STD-1472A, Military Standard, Human Engineering Design Criteria for Military
Systems, Equipment and Facilities, U.S. Dept. of Defense, Wash., D.C., 15 May
1970.
17. Morgan, C. T., Cook, J. S. III, Chapanis, A. and Lund, M. W. (eds.), Human
Engineering Guide to Equipment Design, McGraw Hill Book Co., New York, 1963.
18. Van Cott, H. P. and Kincade, R. G. (eds.), Human Engineering Guide to Equipment
Design, (Rev. Ed.), U.S. Govt. Printing Office, Wash., D.C., 1972.
19. Woodson, W. E., and Conover, D. W., Human Engineering Guide for Equipment
Designers, Univ. of California Press, Berkeley, Cal., 1964 (2nd ed.)
20. Insurance Facts (1972), (Disaster Impact Data) Insurance Information Institute,
New York, New York.
21. Docket 50-289 (Aircraft Impact Data) Files, Bethesda, Maryland.
22. FAA (Air Traffic Data) Federal Aviation Administration (FAA), Dept. of
Transportation, Washington, D.C.
23. D. G. Eisenhut, "General Aviation Fatal Crash Probability Distribution for Use
in Nuclear Reactor Sitings", August 1972.
24. Reactor Incident File (1972) (Component Failure Data) Office or Operations
Evaluation (OOE) of Regulatory Operations (RO), Atomic Energy Commission (AEC),
Bethesda, Maryland.
25. Reactor Incident File (1971) (Component Failure Data) Data control of RSS,
Bethesda, Maryland.
26. EEI Availability Report (Component Failure Data) Edison Electric Institute
(EEI), New York, New York.
27. Systems Reliability Service, UKAEA, Office of Operations Evaluation (OOE) of

Regulatory Operations (RO) are Members of Service.
28. Insurance Facts (1972), (Disaster Impact Data) Insurance Information Institute,
New York, New York.
29. Docket 50-289 (Aircraft Impact Data) Files, Bethesda, Maryland.
111-79
TABLE III 6-1. GF•Jt'RAL ERROR PATF ESTIMAtTES(a'b)
Estimated
Activity
Rates
10-4 Selection of a key-operated switch rather than a non-key switch (this

value does not include the error of decision where the operator misin-
terprets situation and believes key switch is correct choice).
10-3 Selection of a switch (or pair of switches) dissimilar in shape or

location to the desired switch (or pair of switches), assuming no
decision error. For example, operator actuates large handled switch
rather than small switch.
3 x 10-3 General human error of commission, e.g., misreading label and therefore
selecting wrong switch.
10-2 General human error of omission where there is no display in the

control room of the status of the item omitted, e.g., failure to
return manually operated test valve to proper configuration after
maintenance.
3 x 10-3 Errors of omission, where the items being omitted are embedded in a
procedure rather than at the end as above.
3 x 10-2 Simple arithmetic errors witn self-checking but without repeating

the calculation by re-doing it on another piece of paper.
i/x Given that an operator is reaching for an incorrect switch (or pair of
switches), he selects a particular similar appearing switch (or pair
of switches), where x = the number of incorrect switches (or pair of
switches) adjacent to the desired switch (or pair of switches). The
l/x applies up to 5 or 6 items. After that point the error rate would
be lower because the operator would take more time to search. With up
to 5 or 6 items he doesn't expect to be wrong and therefore is more
likely to do less deliberate searching.
10-1 Given that an operator is reaching for a wrong motor operated valve MOV
switch (or pair of switches), he fails to note from the inditator
lamps that the MOV(s) is (are) already in the desired state and merely
changes the status of the MOV(s) without recognizing he had selected
the wrong switch(es).
-1.0 Same as above, except that the state(s) of the incorrect switch(es) is
(are) not the desired state.
-1.0 If an operator fails to operate correctly one of two closely coupled

valves or switches in a procedural step, he also fails to correctly
operate the other valve.
10-1 Monitor or inspector fails to recognize initial error by operator.
Note* With continuing feedback of the error on the annunciator panel,
this high error rate would not apply.
10-1 Personnel on different work shift fail to check condition of hardware

unless required by check list or written directive.
5 x 10-1 Monitor fails to detect undesired position of valves, etc., during

qeneral walk-around inspections, assuming no check list is used.
.2 - 3 General error rate given very high stress levels where dangerous
activities are occurring rapidly.
TABLE 111 6-1 .(Continued)
Estimated Activity
Rates
Given severe time stress, as in trying to compensate for an error made

in an emergency situation, the initial error rate, x, for an activity
doubles for each attempt, n, after a previous incorrect attempt, until
the limiting condition of an error rate of 1.0 is reached or until time
runs out. This limiting condition corresponds to an individual's
becoming completely disorganized or ineffective.
-1.0 Operator fails to act correctly in the first 60 seconds after the onset
of an extremely high stress condition, e.g., a large LOCA.
9 x 10-1 Operator fails to act correctly after the first 5 minutes after the
onset of an extremely high stress condition.
10x1 Operator fails to act correctly after the first 30 minutes in an

extreme stress condition.
10-2
Operator fails to act correctly after the first several, hours in a high
stress condition.
After 7 days after a large LOCA, there is a complete recovery to the
normal error rate, x, for any task.
(a) Modification of these underlying (basic) probabilities were made on the basis of
individual factors pertaining to the tasks evaluated.
(b) Unless otherwise indicated, estimates of error rates assume no undue time
pressures or stresses related to accidents.
TABLE III 6-2 AIRCRAFT CRASH PROBABILITIES
Probability of a Fatal
Distance From Airport, miles Crash per Mile 2 Per
Aircraft Movement
0 - 1 84 x 10-8
1- 2 15 x 10 8
2 - 3 6.2 x 10-
3 - 4 3.8 x 10-
4 - 5 1.2 x 10-8
TABLE Il 6-3 COMPARISON OF PROBABILITY OF All AIRCRAFT CRASH FOR VARIOUS TYPES OF
AIRCRAFT
Distance Probability (xlO 8) of a Fatal Crash

From End Per Square Mile per Aircraft Movement
Of Runway,
(mile) U.S. Air Carrier USN/USMC USAF
0- 1 16.7 8.3 5.7

1 - 2 4.0 1.1 2.3
2 - 3 0.96 0.33 1.1
3 - 4 0.68 0.31 0 42
4 - 5 0.27 0.20 0.40

0 0 (a) NA(b) NA(b)
5 - 6
6 - 7 0.0 NA UA
7 - 8 0.0 NA NA
8 - 9 0.14 NA -'A
9 - 10 0.12 '!A NA
(a) No crashes occurred at these distances witlin a 600 flight path.
(b) Data not available.
TABLE III 6-4 CRASH PROBABILITIES AT VARIOUS SITES
Three
Mile Shoreham, Rome Surry
Island (1 Unit) Point Units 3-4
(2 Units) (2 Units) (2 Units)
Usage (movements year)
Air Carriers , (a) -- 3,000 dO,000

8 0 0 0 0
Navy -- 8,000 97 , 0 00(c) 40,000

-- 3 , 0 00 (b).
Miscellaneous
Location (plant-airport
distance in miles) 2.5 4.5 3.5 5
Target Area (used in (d)

2 2 2 2 d
probability analysis) 0.02 mi 0 01 mi 0.02 mi .01 ml
Probability of a
potentially damaging
2 x 10-7 4 x 10-7 1 x 10-6
crash (per year) 5 x 10-7
(a) The facility is designed to withstand the crash of all but 2,400 of these
movements.
(b) Air-carrier statistics were used for these movements.
(c) The facility is designed to withstand the crash of all of these 97,000 movements.
2
(d) For small aircraft, area used was 0.005 ml
111-81/82
ON BONNEVILLE POWER ADMINISTRATION DATA--
TABLE 11 6-5 SUMMARY OF TRANSMISSION LINE OUTAGES (BASED
1970 STATISTICS)
(a)
Transmission Line Outages & Durations
Cause 500 kV 345 &287 kV 230 kV 138 & 115 kV Total

No Hr Min No Hr Min No Hr Mn "ao Hr Min No Hr Min
0 0 0 0 0 0 2 7 9 7 25 27 9 32 36
1. Tree in line
9 1 28 4 0 38 87 27 8 71 71 46 171 101 0
2. Lightning
0 0 0 0 0 0 0 0 0 4 209 57 4 209 57
3. Storm
1 0 8 0 0 0 10 29 58 23 192 23 34 222 29
4. Snow, Frost or Ice
0 0 0 0 0 0 0 0 0 3 0 6 3 0 6
5. Living Creature
0 0 0 0 0 0 0 0 0 3 0 28 3 0 28
6. Contamination
0 0 0 0 0 0 2 23 24 1 1 7 3 24 31
7. Fire
1 0 18 1 53 25 1 152 26 4 64 33 7 270 42
8. Line Material Failure
6 52 2 2 5 7 7 5 19 12 a 23 27 70 51
9. Terminal Equipment Failure
3 0 33 0 0 0 2 0 4 0 0 0 5 0 37
10. Overload
6 0 40 0 0 0 2 4 6 1 0 0 9 4 46
11. Improper Relaying
8 9 43 5 0 14 14 3 28 4 0 25 31 13 50
12. Accidental Tripping
1 0 18 1 0 0 4 0 11 5 0 41 11 1 10
13. Improper Switching
1 0 7 0 0 0 1 6 19 12 75 35 14 82 1
14. Malicious Damage
Damage 0 0 0 1 0 1 3 0 11 2 0 0 6 0 12
15. Accidental
0 0 0 0 0 0 0 0 0a 0 49 1 0 49
16 Supervisory Misoperation
26 5 40 3 0 1 30 10 46 35 10 42 94 27 9
17. Unknown
TOTAL 62 70 57 17 59 26 165 270 29 188 662 22 432 1063 14
MILES OF LINF 1707 797 4685 3836 11,025
(a) In each case, the number of incidents is given together with the total time for all of those incidents.
TABLE 111 6-6 SUMMARY OF TRANSMISSION LINE OUTAGES (BASED ON BONNEVILLE POWER ADMINISTRATION DATA--
1971 STATISTICS)
Cause 500 kV 345 & 287 kV 230 kV 138 & 115 kV Total
No Hr Min No Hr Min No Hr Min No Hr Min No Hr Min
0 0 0 0 0 0 0 0 0 16 176 13 16 176 13
1. Tree in line
11 0 56 7 0 8 83 12 13 69 30 13 170 43 30
2. Lightning
0 0 0 0 0 0 4 11 29 12 41 6 16 52 35
3. Storm
Frost or Ice 0 0 0 1 140 55 1 0 0 19 0 16 21 141 11
4. Snow,
1 0 0 0 0 0 0 0 0 0 0 0 1 0 0
5. Living Creature
5 0 20 0 0 0 4 2 10 0 0 0 9 2 30
6. Contamination
0 0 0 0 0 0 3 122 57 3 28 22 6 151 19
7. Fire
1 7 2 0 0 0 2 18 26 10 32 30 13 57 58
8. Line Material Failure
6 78 56 1 0 22 15 7 11 4 2 19 26 88 48
9. Terminal Equipment Failure
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
10. Overload
2 1 25 0 0 0 2 0 4 0 0 0 4 1 29
11. Improper Relaying
9 1 14 0 0 0 10 1 11 8 1 33 27 - 3 58
12. Accidental Tripping
0 0 0 0 0 0 2 0 0 2 0 2 4 0 2
13. Improper Switching
0 0 0 0 0 0 1 5 59 3 19 44 4 25 43
14. Malicious Damage
2 0 44 3 9 18 1 0 0 4 9 4 10 19 06
15. Accidental Damage
0 0 0 0 0 0 1 0 10 3 13 47 4 13 57
16. Supervisory Misoperatmon
21 3 15 2 5 36 26 21 32 35 0 45 84 31 8
17. Unknown
TOTAL 58 93 52 14 156 19 155 203 22 188 355 54 415 809 27
MILES OF LINE 1810 797 4836 3669 11,112
II
TABLE III 6-7 SUMMARY OF TRANSMISSION LINE OUTAGES (BASED ON BONNEVILLE POWER ADMINISTRATION DATA--
1972 STATISTICS)
Cause 560 kV 345 & 287 kv 230 kV 138 & 115 kV Total
No Hr Min No Hr Min No Hr Min No Hr Min No Hr Min
1. Tree in line 0 0 4 6 10 18 145 16 22 151 26

2. Lightning 49 2 29 22 25 194 22 8 98 3 37 363 28 39
3. Storm 17 2 13 5 10 25 13 0 13 27 44 53 62 57 44
4. Snow, Frost or ice 5 5 22 1 3 9 1 0 0 7 6 52 14 15 23
5. Living Creature 0 0 0 0 0 0 0 0 0 2 1 58 2 1 58
6. Contamination 0 0 0 0 0 0 0 0 0 1 0 0 1 0 0
7. Fire 0 0 0 0 0 0 1 5 49 0 0 0 1 5 49
8. Line Material Failure 4 22 11 0 0 0 0 0 0 3 40 28 7 62 39
9. Terminal Equipment Failure 11 64 45 0 0 0 17 328 42 10 1 46 38 395 13
10. Overload 4 1 14 0 0 0 0 0 0 1 1 15 5 2 29
11. Improper Relaying 6 1 46 1 0 0 8 0 57 6 0 26 21 3 9
12. Accidental Tripping 11 2 8 1 0 0 18 1 30 7 0 35 37 4 13
13. Improper Switching 2 0 16 0 0 0 3 0 14 3 0 7 8 0 37
14. Malicious Damage 0 8 0 0 0 0 2 15 33 9 76 11 11 91 44
15. Accidental Damage 0 0 0 0 0 0 2 12 26 38 16 23 40 28 49
16. Supervisory Misoperation 0 0 0 0 0 0 2 0 51 2 1 4 4 1 55
17. Unknown 35 45 8 5 0 15 19 2 2 44 2 16 103 49 41
TOTAL 144 147 32 35 14 14 284 396 35 276 343 7 739 901 28

MILES OF LINE 1931 797 4601 3676 11,005
TABLE 1I1 6-8 PROBABILITY OF TOTAL LOSS OF ELECTRIC POWER AFTER A LOCA
Q - 90 percent Probability Bounds (a)

Time after
LOCA med Upper Lower
I hour 2.0 x l0-7 2.0 x 10-6 2.0 x 10-8

24 hours 5.2 x 10-6 5.0 x 10-5 5.0 x lo-7
4 months 7.5 x 10-5 7.0 x 10-4 7.0 x 10-6
9 months 7.6 x 10-5 8.0 x 10-4 8.0 x 10-6
(a) Assessed range.
TABLE III 6-9 PIPE FAILURE ASSESSED VALUES
Pipe Rupture Size LOCA Initiating Rupture Rates

(Inches) (Per Plant Per Year)
90% Range Median
4 1xl0-3
1/2 - 2 ix10- - ixl0-2
3x10-5 - 3xlO-3 3x10A
2 - 6
> 6 ixl0-5 ixl0-3
- ixl0-4
111-83/84
TABLE 1l1 6-10 REPORTED PIPE FAILURE RATES
1. Green and Bourne:

"Probability of Large Scale Rupture of Primary Coolant System"
(1968) X = 2 x 10-3 to 3 x 10-6/plant year
2. Salvatory:
"Catastrophic Rupture of Primary System Pipes"
(1970) X = 1 x 10- 4/plant year
3. Erdmann:
"Pipe Rupture"
(1973) X = 1.5 x 10- 6/section year
(corresponding to roughly A = 10-4 to 10-2 per plant year)
4. Otway:
"Pessimistic Probability for Catastrophic Failure of Primary System of PWR"
A = 1.7 x 10 -7/plant year
5. General Electric Report:

"Total Probability of Severance Anywhere in Primary System Piping"
(1970)
without ultrasonic testing: AX= 1 x 10-3/plant year
with ultrasonic testing: = 5 x 10- 4/plant year
6. Wells-Knecht:
"Failure Rate for Rupture of Primary Coolant System Piping"
(1965) A = I x 10- 7/plant year
Table III 6-10
111-85/86
ii
High
W)
IA
C
CL
Low
Very Low Moderate

Stress Level Very High
FIGURE III 6-1 Hypothetical Relationship between Performance

and Stress
Circles we IndhAtOýr lihn

O-Ge1.. AR".d
0 0 00_0 0_ 0AUTO0--
r AUTO
_0
r-AU-TO--
0
ICLOSSE 0" ILOSt OE N CLOSE SPi
de0
SAUTO IALTO~J
P. T
:VanT.
I• N
~t1*1.5
O~~uilat
RF•C1RC
So,-4.s A
150.WS
O.lIW RECIAC
Top-INJI TK-llsA
ISO IAOWCI
0.1-1 RIEICIFIRC
160
lT
II
I
14-SI.I
TV18A A
CLOSE I IOPEN
f 'L 0- V0PV-I AC --. 7VS
-SC t-0IS-VVI
FI a I I.-S, I-*. II
FIGURE III 6-2 Motor Operated Valve (MOV) Switches on Control

Panel
A
10-4
No action until
.1.,r (3 people)
0 0999
Take action
0 999 to Failure to
2 minutes after
alarm (3 oeopl.)
itl2
Swrong palr of
Correct 9.1, switches
FI
of switches
Step 4 8 1 not
done 4. time.
0 99
Correct pain
of switch•e$
SL F Wrong pasr
of CitcheS
s5 F,
FIGURE III 6-3 Probability Tree Diagram for Step 4.8.1
9--- ]
go- ----
/ Ate~tm S*%OAO.tCha,
mo SI
AkntCCC TutpN..
* .
0. . o 0.-. C.. .. 12. . ,.
-- - Crmat I-O--
n - - -- - -b~l~
5 - -- ~ ~ 1-- ~ ~ ------T. vs 0.I.OfI..I.I.
0 'O
0 R
FIGURE 111 6-4 Cumulative Outage Duration Distribution Curve
II
HISTOGRAM - RESTORATIONOF TRANSMAISSION
tllt OUTAGES
37.9%Owtg.
Rewrt.d in
0.1 TO0.32 Hoon.
UAW
ConýWiud:
:57%O.,ugn.
.400
Anon In
0.0.12To0.1w
Houw.
12.8%'~10.2.0.. '.4%w
48
How
03To10 1.0 To3.2"
I
20.0 - Conwt.n-.. R.,.nnOI.
Ligh-Kn And Moian N-., 3.2 To 10.0
Annid.,IoI
ft-Nd. In Tripping MConýý M
MM-nm - 0
0.010 To 0.W
Tnn-En., S~w-n. And Tm. In Lim.
Tn Eod'- 5no. F-nn. Sno. P.... 0n
Or I. 1..And
Cnon*lon, ".iono.
1.1%0.-g Lndinn., And
R-Wsd,61OWm M~jonn.
00
7%, 0.01 Mon. Owo
Mowft
II I I I [III' I I I II III I I I II lI I 1 11I11111

0.0O 0.1 1.0 20.0
O.Uag. Ow--o4 T.-e IHon)
FIGURE III 6-5 Histogram - Restoration of Transmission Line

Outages
111-87/88
I I I
10 I I
I I
I I PUMPS
7--
7 I Ix
4-I
5--
5 I I
4 - I
I I
3-
x2
ND
x1I
1 0- 1 103 1 x 102 1 x 101
Failure Rate
FIGURE III 6-6 Log-Normal Distribution - Pumps
10
I I
I I
a-
6--
I
I
3-
1- I
1 x 1a4 1 x 10.3 t x 102 I a 101

1 105
Failure Rate
FIGURE III 6-7 Log-Normal Distribution - Valves
HI
I I
I I
I I
I I
I I
1.0
I I
.9 -
ICLUTCH-EIectrical
,8 -
I I
.7
I I
I Ic
.6 I I
x
x
.5 I I
I I
NO I
.4
.3
.2
I I
.1 I I
0 I I
I I I II ll I I I I III I I 1 1 111 1 I I I I . 102 I I I
1 . I10 I x 105 1 x 104 1 x 10.3
Failure Rate
FIGUFRE III 6-8 Log-Normal Distribution - Clutch - Electrical
DIESELS
DIESELS
1.0
.9
.8
.7
.6
.5
.4
.3 x
.2
.1
!
-p
I I I I I 1ll1l Illll1l I I 1 11111111
I a 10-4 I x 1I-2 1 10"1l
1 x 1(4
Failure Rate
FIGURE 111 6-9 Log-Normal Distribution - Diesels
111-89/90
Section 7
References
7.1 DISCUSSION OF REFERENCES 7.3 SPECIAL SOURCES
In addition to the Nuclear Operating The other sources are described as spe-
experiences (Refs. 1, 2 and 3,) approxi- cial in that they generally contain
mately 50 other sources of failure rates information on particular hardware
and failure data were reviewed in sup- failure modes or operating conditions.
port of the estimates used in this anal- For example, References 10, 12, 13, 14,
These sources can be broadly 15, 16, 17, 18 and 20 involve pipe and
ysis.
grouped into two categories: (1) gener- pipe hardware failures. References 23,
al reliability data sources and (2) spe- 24, 25, 26 and 27 refer to aircraft ac-
cidents, earthquakes and other
cial sources.
background phenomena. References 34
through 52 contain analyses of
particular hardware and systems in
7.2 GENERAL SOURCES nuclear and non-nuclear utilities and
chemical industry applications.
The general sources consist primarily of
the United Kingdom Systems Reliability It should be noted that these references
Service, FARADA, AVCO, LMEC, Collins and do not represent 50 independent sources.
Pomeroy and Holmes and Narver. These Some refer to and use data from other
sources provide failure data on a references by updating, the data to re-
spectrum of hardware and failure modes flect current experiences and interests.
The references, therefore, represent a
from a variety of applications including
nuclear and non-nuclear utilities, test broadly based amalgamation of experi-
and research reactors and military and ence, operation conditions, and use
NASA components. applications.
Contact, Service Contact, Report Report, Listing

Reference Office or Originator or Source Date Source or Content
1. Reactor Incident Office or Operations 1/1/72 Contains approximately 30%

File (1972) (Com- Evaluation (OOE) of to unusual occurrences at
ponent Failure Regulatory Operations 12/31/72 nuclear facilities and 90%
Data) (RO), Atomic Energy of reportable abnormal
Commission (AEC), occurrences observed in
Bethesda, Maryland. the year of 1972.
2. Reactor Incident Data control of RSS, 9/4/73 Contains approximately one

File (1971) (Com- Bethesda, Maryland. quarter of 1971 unusual
ponent Failure and abnormal occurrences
observed from the files of
Data)
OOE.
3. EEI Availability Edison Electric 8/16/73 Contains 66 unit years of

Report (Component Institute (EEI), New & fossil and nuclear power
York, New York.
10/12/73 plants component availa-
Failure Data)
bility and outage
statistics of contributing
facilities.
4. Systems Office of Operations All Service Pub- Contains Failure Rate

Reliability Evaluation (OOE) of lications plus Assessments derived. UK
Service, UKAEA Regulatory Opera- Special Requests and other available
tions (RO) are 9/12/73. European sources.
Members of Service.
111-91
11
Reference Contact, Service Contact, Report Report, Listing
Office or Originator or Source Date Source or Content
5. FARADA Converged Failure All current Contains Failure Rate

Rate Data Handbooks, issues. Assessments derived from
published by Fleet Army, Navy, Air Force, and
Missile Systems NASA sources.
Analysis and Evalua-
tion Group Annex,
NWS, Sea Beach,
Corona, Calif.
6. AVCO Reliability Engineer- 1962 Contains Failure Rate
ing Data Services Assessments for primarily
Failure Rates. AVCO military quality hardware.
Corp.
7. LMEC Failure Data Hand- 1969 Compilation of failure
book For Nuclear rates derived from test
Power Facilities, and research reactor
Liquid Metal operating experiences.
Engineering Center.
8. Collins & Environmental 11/1/71 Operating experience and
Pomeroy Reports, Directorate related data from litera-
of Licensing, ture in support of occur-
Division of Compli- rence rates to be assumed
ance, Regulatory, for further interim
AEC. guidance on accident eval-
uations.
9. Holmes & Narver Collection of relia- 1968 Contains failure rate data
bility data at gathered from operating
nuclear power plants, experience, one plant--
Holmes & Narver, Inc. 4 months.
10. Chemical AEC Headquarters 9/24/73 Bibliography listing of
Abstracts Library, Germantown, metallurgical and piping
(Piping Failure Maryland. analysis reports (65j of
Data) industrial conduit
systems.
11. The Chemical The Institution of 1971 Contains data on reliabi-
Engineer Chemical Engineers, lity of instruments in the
16 Redgrave, London chemical plant environment.
S.W.I
12. NASA Literature Information Tisco 9/12/73 Listing of steam pipe
Search (Piping Inc., NASA Scientific failure reports (393) for
Failure Data) and Technical Infor- normal and limited distri-
mation Facility, bution of industrial steam
College Park, systems.
Maryland.
13. AEC RECON AEC Headquarters 9/10/73 Listing of Nuclear Science
(Piping Failure Library, Germantown, Abstracts search on pipe
Data) Maryland. rupture and pressure
vessel analysis of primary
steam systems.
14. DOT Pipeline Office of Pipeline 10/10/73 1971 and 1972 gas pipe
Safety (Pipeline Safety, Department of line leak and rupture
Leak Summary) Transportation (DOT), history of transmission
Office of the Secre- and distribution systems
tary, Washington, throughout the United
D.C. States.
111-92
Contact, Service Contact, Report Report, Listing
Reference Office or Originator or Source Date Source or Content
15. NSIC Literature Nuclear Safety Infor- 9/13/73 Listing of references of

Search (Piping mation Center (NSIC) piping failures (317) in
Failures) of the AEC, Oak industrial uses of atomic
Ridge, Tennessee. power.
16. GIDEP "ALERT" National Technical 9/3/73 Parts, materials, and

(Manufacturing Information Service processes experience
Defects) (NTIS) U.S. Department summary of NASA and Govern-
of Commerce, Spring- ment-Industry Data
field, Virginia. Exchange Program (GIDEP)
reports.
17. NAVSHIPS Report Maintenance Support 10/3/73 Printouts contain mainten-

(Main Steam Office, Naval Ship ance data covering main
Piping Data) Systems Command, steam piping on nuclear
Department of the submarines and surface
Navy, Arlington, ships for a three year
Virginia. period ('70, '71, and '72).
18. DDC Literature Defense Documentation 9/12/73 Bibliography of piping

Search (Steam & Center (DDC), Defense problems and simulated
Water Pipe Supply Agency, Alex- failures throughout the
Failures) andria, Virginia. military and industrial
world. (53 itemized
descriptions).
19. DDC Literature Defense Documentation 8/23/73 Bibliography on probabi-

Search (Manu- Center (DDC), Defense lities of manufacturing
facturing Supply Agency, Alex- errors from the stand-
Defects) andria, Virginia. point of design evalua-
tions (147 items).
20. GEAP (Piping General Electric 1964 thru 1972 Periodic reports (series
Failure Data) Company, Atomic 10207 of the Reactor
Power Department, Primary Coolant System
San Jose, Califor- Pipe Rupture Study
nia. summarizing failure mech-
anisims and probabilities.
21. Nuclear Science Technical Informa- 1967 thru 1972 Subject index for nuclear
Abstracts tion Center (TIC) scientific reports over a
(Containment of the U.S. Atomic six year period.
Breaches) Energy Commission, Reference book.
Oak Ridge,
Tennessee.
22. NSIC Literature Nuclear Safety 8/2/72 A ten year literature

Search (Special Information Center search for five categor-
Common Mode (NSIC) of the U.S. ies of qualitative
Failures) Atomic Energy reports and bibliogra-
Commission, Oak phies.
Ridge, Tennessee.
23. Engineering AEC Headquarters 8/17/73 A search for quantitative

Index (Environ- Library, Germantown, reports on the earth-
mental Factors) Maryland. quakes electrical fires
and airplane crashes.
24. Geologic Litera- American Geologic 8/17/73 A listing of topics (220)

ture Search Institute, associated with earth-
(Disaster Im- Washington, D.C. quake predictions from
pact Data) the standpoint of
geologic effects.
111-93
iI
Reference Contact, Service Contact Report Report, Listing
Office or Originator or Source Date Source or Content
25. DDC Literature Defense Documentation 8/21/73 Bibliography on unusual
Search \Center (DDC), Defense natural occurrences
(Disaster .Supply Agency, Alex- (192).
Impact Data) andria, Virginia.
26. Insurance Facts Insurance Information 8/20/73 A yearbook of property
(1972) (Disaster Institute, New York, and liability insurance
Impact Data) New York. facts of losses as
reported by U.S.
companies.
27. RESPONSA Selected Nuclear 8/15/73 Listing of seismic

(Seismic Effect Science Abstracts topics (245) for reactor
Data) (RESPONSA), AEC siting and nuclear
Headquarters Library, application: includes
Germantown, Maryland. docket material.
28. RESPONSA (ECCS Selected Nuclear 8/1/73 Listing of Emergency Core
Analysis Data) Science Abstracts Cooling System (ECCS)
(RESPONSA), AEC Head- topics (approx. 928) and
quarters Library, associated analysis.
Germantown, Maryland.
29. RESPONSA (Parts Selected Nuclear 8/24/73 Listing of topics (approx.
& Materials Science Abstracts 936) on fractures of
Data) (RESPONSA), ABC Head- reactor parts and mater-
quarters Library, ials with emphasis on
Germantown, Maryland. steel and alloys.
30. NASA Literature Information Tisco 8/17/73 Listing of disaster pre-
Search Inc., Scientific and diction or forecasting
(Disaster) Technical Information reports (608) on-meteoro-
Facility, College logical and climatological
Park, Maryland. measurements.
31. NASA Literature Information Tisco 8/23/73 Quality control in manu-
Search (Manu- Inc., NASA Scientific facture of machinery or
facturing and Technical Informa- power generating equip-
Defects) tion Facility, College ment a brief survey.
Park, Maryland.
32. Docket 50-289 Files, Bethesda, 8/28/73 Three Mile Island Unit 1
(Aircraft Impact Maryland. (Metropolitan Edison Co.
Data) of Pennsylvania) report,
Summary of Aircraft
Impact Design.
33. FAA (Air Federal Aviation March 1972 En Route IFR Air Traffic
Traffic Data) Administration (FAA), Survey Peak-Day FY 1971,
Dept. of Transporta- authored by the FAA
tion, Washington, D.C. Statistical Division.
34. Letter from W. F. Shopsky to D. F. Paddleford dated October 20, 1972.

35. A. J. Bourne, "Reliability Assessment of Technological Systems," Report, Systems
Reliability Service, UKAEA, October 1971.
36. K. H. Lindackers, W. Stoebel, Part I, 0. A. Kellerman, W. Ullrich, Part II:
Probability Analysis Applied to LWR's, Institute of Reactor Safety, W. Germany,
Paper 9.
111-94
37. F. M. Davies, "A Worked Example on the Use of Reliability Analysis Techniques -
Decay Heat Removal", Lecture No. 58 Reactor Assessment, Section I, Safety and
Reliability Directorate, Risley, U.K.
38. "Meeting of Specialists on the Reliability of Electrical Supply Systems and

Related Electric-Mechanical Components for Nuclear Reactor Safety", European
Nuclear Energy Agency Committee on Reactor Safety Technology, Session I, Ispra,
Italy, (June 27-28, 1968).
39. M. C. Pugh, "Probability Approach to Safety Analysis", United Kingdom Atomic

Energy Authority, 1969.
40. R. M. Stewart, G. Hensley, "High Integrity Protective Systems on Hazardous Chem-

ical Plants", European Nuclear Energy Agency Committee on Reactor Safety Tech-
nology, Munich (May 26-28, 1971).
41. J. C. Moore, "Research Reactor Fault Analysis", Parts I and II, Nuclear Engi-
neering (March, June 1966).
42. "IEEE Transactions on Nuclear Science", Volume NS-18, February 1971.
a. B. M. Tashjian, "Sensitivity Analysis of a Two-out-of-Four Coincident Logic

Reactor Protective System" pg. 455.
b. R. Salvatori, "Systematic Approach to Safety Design and Evaluation, pg. 495.
43. A. J. Bourne, G. Hensley, A. R. Eames, A. Aitken, "Reliability Assessment of the

S.G.H.W.R. Liquid Shutdown System", AHSB(S)R 144 (March 1968).
44. H. J. Otway, R. K. Lohrding, M. E. Battat, "A Risk Estimate for an Urban-Sited

Reactor", Nuclear Technology, Vol. 12 October 1971.
45. F. R. Farmer, "Siting Criteria - A New Approach", United Kingdom Atmoic Energy
Authority, Risley, Warrington, Lancs, U.K.
46. J. R. Beattie, G. D. Bell, J. E. Edwards, "Methods for the Evaluation of Risk",

AHSB(S)R 159 UKAEA, (1968).
47. G. D. Bell, "Risk Evaluation for Any Curie Release Spectrum and Any Dose Rise
Relationship", AHSB(S)R 192, UKAEA, (1971).
48. "Fault Tree Analysis, SPERT IV Scram System" INC Work Request No. N-42128.
W. L. Headington, M. E. Stewart, J. 0. Zane, "Fault Tree Analysis of the PBF

49.
Transient Rod Drive System", IDO-17272 (November 1968).
50. Gulf Electronics Systems, Nuclear Instrumentation Specifications.
51. "Proceedings of the Meeting of Specialists on the Reliability of Mechanical

Components and Systems for Nuclear Reactor Safety," RISO Report No. 214,
Establishment (February 1970).
a. S. Antocisco, G. Tenoglia, A. Valeri, "A Theoretical Reliability Assessment

of a Fire Protection System", pg. 22.
b. W. Bastl, H. Gieseler, H. A. Maurer, U. Hennings, "The Reliability of Emer-

gency Core Cooling Systems of Light Water Nuclear Plants", pg. 91.
c. H. Huppman, "Frequency and Causes of Failure to Components of Large Steam

Turbines", pg. 171.
d. U. Hennings, "Auslegung and Anordnung Einer Reaktor-Beschickungsan-lage

Auggrund von Zwerlassigngeitsbetrachtungen" pg. 213.
e. G. Mieze, "Analysis of a German Pressure Vessel and Boiler Drum Statistics",

pg. 301.
111-95
!I
f. G. A. G. Phillips, R. G. Warwick, "A Survey of Pressure Vessels Built to a
High Standard of Construction", pg. 323.
g. J. Ehrentreich, H. Maurer, "Reliability Considerations for Mechanical Compo-
nents of Control Rod Drive Systems of Gas Cooled Power Reactors Operated in
the European Community", pg. 481.
52. NRTS National Reactor Testing Station, Ihaho: Failure History 1968-1972,
B. A. Thomas ETAL.
53. D. G. Eisenhut, "General Avaiation Fatal Crash Probability Distribution for Use
in Nuclear Reactor Sitings", August 1972.
54. Ablitt, J. F., A Quantitative Approach to the Evaluation of the Safety Function
of Operators of Nuclear Reactors, AHSB(S)R-160, Authority Health and Safety
,Branch, United Kingdom Atomic Energy Authority, Risley, England, 1969.
55. Appley, M. H. and Trumbull, R. (eds.), Psychological Stress, Appleton-Century-
Crofts, New York, 1967.
56. Berkun, M. M., "Performance Decrement Under Psychological Stress", Human Fac-
tors, 1964, 6, 21-30.
57. Green, A. E., Safety Assessment of Automatic and Manual Protective Systems for
Reactors, AHSB(S)R-172, Authority Health and Safety Branch, United Kingdom
Atomic Energy Authority, Risley, England, 1969.
58. Grinker, R. R. and Spiegel, J. P., Men Under Stress, McGraw Hill Book Co., 1963
(reprinted from 1945).
59. Harris, D. H. and Chaney, F. B., Human Factors in Quality Assurance, John Wiley
and Sons, New York, 1969.
60. Kletz, T. A. and Whitaker, G. D., Human Error and Plant Operation, EDN 4099,
Safety and Loss'Prevention Group, Petrochemicals Division, Imperial Chemical
Industries, Ltd., Billingham, England, 1973.
61. McCornack, R. L., Inspector Adequacy: A Study of the Literature, SCTM-53-
61(14), Sandia Laboratories, Albuquerque, New Mexico, 1961.
62. Meister, D., Human Factors: Theory and Practice, John Wiley and Sons, New York,
1971.
63. MIL-H-46855A, Military Specification, Human Engineering Requirements for
Military Systems, Equipment and Facilities, U.S. Dept. of Defense, Wash., D.C.,
2 May 1972.
64. MIL-STD-1472A, MilitaZy Standard, Human Engineering Design Criteria for Military
Systems, Equipment and Facilities, U.S. Dept. of Defense, Wash., D.C., 15 May
1970.
65. Morgan, C. T., Cook, J. S. III, Chapanis, A. and Lund, M. W. (eds), Human Engi-
neering Guide to Equipment Design, McGraw Hill Book Co., New York, 1963.
66. Rasmussen, J., "Man-Machine Communication in the Light of Accident Records",

Proceedings of the International Symposium on Man-Machine Systems, Cambridge,
England, 1969.
67. Raudenbush, M. H., "Human Engineering Factors in Control Board Design for Nu-
clear Power Plants", Nuclear Safety, 1973, 14, 21-26.
68. Ronan, W. W., Training for Emergency Procedures in Multiengine Aircraft, AIR-
153-53-FR-44, American Institutes for Research, Pittsburgh, Penna., 1953.
69. Rook, L. W., Reduction of Human Error in Industrial Production, SCTM-93-62(14),
Sandia Laboratories, Albuquerque, New Mexico, 1962.
111-96
70. Shapero, A., Cooper, J. E., Rappaport, M., Schaeffer, K. H. and Bates, C. J.,
Human Engineering Testing and Malfunction Data Collection in Weapon System
Programs, WADD TR 60-36, Wright-Patterson Air Force Base, Ohio, 1960.
71. Siegel, A. I. and Wolf, J. A., Man-Machine Simulation Models, John Wiley and
Sons, New York, 1969.
72. Swain, A.D., A Method for Performing a Human Factors Reliability Analysis,
Monograph SCR-685, Sandia Laboratories, Albuquerque, New Mexico, 1963.
73. , Some Problems in the Measurement of Human Performance in Man-Machine

Systems", Human Factors, 1964, 6, 687-700.
74. , "Some Limitations in Using the Simple Multiplicative Model in
Behavior Quantification", W. B. Askren (ed.), Symposium on Reliability of Human
Performance in Work, AMRL-TR-67-88, Wright-Patterson Air Force Base, Ohio, 1967.
75. Van Cott, H. P. and Kincade, R. G. (eds.), Human Engineering Guide to Equipment
Design (Rev. Ed.), U.S. Govt. Printing Office, Wash., D.C., 1972.
76. Williams, H. L., "Reliability Evaluation of the Human Component in Man-Machine

Systems", Electrical Manufacturing, 1958, 4, 78-82.
77. Woodson, W. E. and Conover, D. W., Human Engineering Guide for Equipment Design-
ers, Univ. of California Press, Berkeley, Cal., 1964 (2nd ed.).
111-97
!I
WASH- 1400
(NUREG-75/014)
COMMON MODE FAILURES
Bounding Techniques
and
Special Techniques
APPENDIX IV
to
REACTOR SAFETY STUDY
U.S. NUCLEAR REGULATORY COMMISSION

OCTOBER 1975
11
Appendix IV
Table of Contents
Section Page No.
1. INTRODUCTION AND OVERVIEW ......................................... IV-l
2. COMMON MODES IN EVENT TREES AND FAULT TREES ........................... IV-7
2.1 Introduction ................................................. IV-7

2.2 Contribution of Event Trees to the Study of Common Mode
Failures ..................................................... IV-7
2.3 Common Mode Failures ......................................... IV-8
REFERENCES ............................................................... IV-9
3. BOUNDING AND QUANTIFICATION TECHNIQUES FOR COMMON MODE

FAILURES .......................................................... IV-l1
3.1 Introduction ................................................. IV-ll

3.2 Bounding by Smaller Combinations ............................. IV-12
3.2.1 Basic Considerations ................................. IV-12

3.2.2 Bounding Combinations of Two Failures .................... IV-13
3.2.3 Bounding Combinations of Three or More Failures ...... IV-16
3.3 Analyses and Quantifications Applied in the Study ............... IV-17

3.4 More Detailed Quantification Approaches ........................... IV-19
4. FAILURE COUPLING .................................................. IV-27
5. SPECIAL ENGINEERING STUDIES TO IDENTIFY POTENTIAL COMMON

MODES IN ACCIDENT SEQUENCES ....................................... IV-35
5.1 Summary of Results ........................................... IV-35
5.1.1 Large LOCA Sequences ................................. IV-35

5.1.2 Small LOCA Sequences ................................. IV-36
5.2 Summary of Secondary Failure Methods .............................. IV-37

5.3 PWR LOCA Sequence Common Mode Failure Evaluations ............... IV-37
5.3.1 Sequence CD (Given A or S) ............................... IV-37

5.3.2 Sequence CDI (Given A or S) .............................. IV-37
5.3.3 Sequence HF (Given A or S) ........................... IV-38
5.3.4 Sequence G (Given A or S) ............................ IV-38
5.3.5 Sequence AD (Given A) ................................ IV-38
5.3.6 Sequence CF (Given A or S) ............................... IV-39
5.3.7 Sequence B (Given A or S) ................................ IV-39
5.3.8 Sequence F (Given A or S) ................................ IV-40
5.3.9 Sequence HI, FI, or HFI (Given A or S) .................. IV-4Q
5.3.10 Sequence HG (Given S) ................................ IV-40
5.3.11 Sequence D (Given S) ................................. IV-40
5.4 Supporting Material .......................................... IV-41
5.4.1 Summary of the Results of Examining Inter-System

Interfaces for Sequence Failure Possibilities ........ IV-41
5.4.2 Summary of Plant Layout Examination for Sequence
Secondary Common Mode Failures ........................... IV-41
5.4.3 Systems Which Can be Failed by Common Mode
Failure of Similar Component ............................ .V-42
IV-i
II
Table of Contents (Continued)
Section Page No.
6. SPECIAL ENGINEERING STUDIES TO IDENTIFY POTENTIAL COMMON
MODES IN ACCIDENT SEQUENCES ....................................... IV-45
6.1 Summary of Results ........................................... IV-45
6.1.1 Large LOCA Sequences .............................. IV-45
6.1.2 Small (1) and Small (2) LOCA Sequences............... .. IV-45
6.1.3 Transient Sequences .................................. IV-46
6.2 Summary of Methods............................................ IV-46
6.3 Consideration of Common Mode Effects in Particular
Sequences .................................................... IV-47
6.3.1 Large LOCA ........................................... IV-47
6.3.1.1 Sequence AE - LLOCA/ECI ...................... IV-47
6.3.1.2 Sequence AI - LLOCA/LPCRS .................... IV-47
6.3.1.3 Sequence AJ - LLOCA/HPSW .................... IV-47
.6.3.2 Small LOCA's ......................................... IV-47
6.3.3 Transients ........................................... IV-47
List of Tables
Table Page No.

IV 1-1 Common Mode Treatment in the Various Analysis Stages .............. IV-5/6
IV 3-1 Classes of Potential Common Mode Mechanisms ....................... IV-25/26
IV 3-2 Combination Properties Indicating Potential Common Cause
Susceptibility............. .... ..................... IV-25/26
IV 4-1 PWR Coupling - BWR Coupling ................................... .... IV-31/32
IV 5-1 Similar Component Failures and Significant Affected Sequences
(Large LOCA) ........ .... . .............. .. ....... 0 IV-43/44
IV 5-2 Interface Examination Results ............ ............. ..... IV-43/44
IV 5-3 Electrical Power Interfaces ......................................... IV-43/44
IV 6-1 Sequence AE-LLOCA/ECI, Principal Common Mode Possibilities
and Effects......... *.......................................... IV-49/56
IV 6-2 Sequence AI-LLOCA/LPCRS, Principal Common Mode Possibilities
and Effects .............. .......
*............................... IV-49/50
IV 6-3 Sequence AJ-LLOCA/HPSW, Principal Common Mode Possibilities
and Effects ..... o....... ................................... IV-51/52
IV 6-4 Sequence SiE-Small LOCA (1)/ECI, Principal Common Mode

Possibilities and Effects ........ .......... . .......... IV-51/52
IV-ii
List of Figures
Figure Page No.
IV 4-1 Independent Versus Coupled Failure Rate Distributions

[Frequency on Vertical Axis (Ordinate), Failure Rate on
Horizontal (Abscissal)] ........................................... IV-33/34
IV 4-2 Increased System Uncertainties Due to Coupling Effects

(Vertical Axis - Frequency; Horizontal - System Probability) ...... IV-33/34
IV-iii
Section 1
Introduction and Overview
With regard to the analyses performed in odology will be given here to place the
this study, potential common mode fail- material of this appendix in better
ures can be defined as multiple failures context. A fuller discussion of the
which are dependent, thereby causing the overall common mode methodology is found
joint failure probability to increase. in Appendix XI and the Main Report.
The multiple failures are common mode or
dependent because they result from a Following the outline of the table, the
single initiating cause, where "cause" event tree constructions first treated
is used in its broadest context. common mode failures in their detailed
modeling of system to system functional
The single initiating cause can be any interactions. If failure of one system
one of a number of possibilities: a caused other systems to fail or be inef-
common property, a common process, a fective, then this was explicitly
common environment, or a common external modeled in the event trees by drawing
event. Multiple failures which are de- straight lines through the other system
pendent can likewise encompass a spec- columns. 1 These straight lines had no
trum of possibilities such as multiple steps for the affected systems and hence
system failures caused by a common did not require consideration of possi-
component failure, system failures ble interaction with these eliminated
caused by a common external event, systems.
multiple component failures caused by a
common defective manufacturing process, The systems rendered failed or ineffec-
a sequence of failures caused by a tive by the single system failure were
common human operator, etc. treated in the subsequent analysis as
being essentially non-existent, and the
Because potential common mode failures analysis then concerned itself only with
the critical single system failure. By
entail a wide spectrum of possibilities
and enter into all areas of modeling and considering these functional interac-
analysis, common mode failures cannot be tions, multiple system possibilities
isolated as one separate analysis, but were thus changed to single system fail-
ure analyses. From a common mode
instead must be considered throughout
all the modeling and quantification viewpoint, the affected systems consti-
tute common mode events which are
steps involved in the risk assessments.
In the study, common mode considerations coupled to the single system failure.
were incorporated in every stage of the Incorporation of this coupling in the
analyses. Table IV 1-1 gives a general event trees was most significant since
breakdown of common mode treatments that it in essence changed a product of
were performed as an integral part in system probabilities into one, single
each of the analysis steps. system probability. The imrpact of the
event trees on this type of common mode
dependency can be gauged by the numbers
This appendix will describ~e in detail given in section 2 of Appendix I which
only those aspects of the common mode show the reduction in size for the event
failure methodology which are not dis-
cussed in other portions of the report. trees constructed in the study, which
Bounding and coupling techniques, in incorporated dependencies, as compared
particular, will be described (pertain- to the unconstrained size obtained when
ing to Table items 111-2, 111-3, IV-2, dependencies are not considered.
and IV-3 of Table IV 1-1) and special
engineering investigations conducted to In addition to incorporation of system
identify additional potential common interdependencies, the event trees also
mode failures are discussed in section defined the context for which the indi-
5-1 of this appendix. Specific examples vidual fault trees were to be construct-
ed. Particular system failures, i.e.,
and applications pertaining to all the the top events of the fault trees, were
above items are also described through- defined within the context of other
out the fault tree and event tree
appendices.
Before discussing the bounding tech- 1
nique 5 and special investigations, a See Appendix I for event tree descrip-
review of the overall common mode meth- tions.
IV- 1
11
particular systems having already .cluded in the analysis of the fault
failed. The fault trees in an accident trees for the study, and in certain
sequence were coupled by the system cases they had much higher probability
failure definitions and by the common contributions to system failure than the
accident conditions (the faUlt trees hardware bauses. In a number of cases
were thus conditional fault trees). 1 these non-hardware contributions gave
significantly high system failure proba-
The construction of the fault trees bilities (essentially single failure
included common mode considerations in probabilities) such that all other con-
determining the level to which failures tributions had minor impact on the
should be analyzed and the failure system number.
causes and interfaces which should be
modeled. The fault trees were con-
In addition to their individual impacts,
structed to a level of detail such that the non-hardware contributions were ex-
all relevant common hardware in the amined in the quantification stage for
systems would be identified. Because of possible interdependencies. Multiple
this depth of analysis, single failures failures caused by human errors were
were identified that would cause multi- dependent if the same operator could
ple effects. These included potential
single failures that could cause several perform all the acts. Testing or main-
systems to fail or be degraded and that tenance caused failures to be dependent
if several components could simultane-
could cause redundancies to fail or be ously be brought down for testing or
negated. Had the fault trees stopped at maintenance. Accident environments
a less detailed level, these single
failures would have had to be treated as caused multiple failures to be dependent
if the failures could be due to the same
common mode causes and given special environment. Identification
common mode treatments since they would of non-
hardware causes laid the basis for
not have been explicitly shown in the individual and dependent event calcula-
fault trees. tions which were performed in the quan-
The failure causes modeled in the fault tification stage, and the resulting
trees included not only hardware failure significance can be seen by the large
but also failures caused by human inter- contributions predicted for non-hardware
vention, test and maintenance acts, and causes.
environmental effects, which enabled po-
tential dependencies to be investigated The fault tree quantification stage,
and incorporated in the quantification. also tended to implicitly cover depend-
To illustrate the effects of this more ency and common mode considerations
complete failure cause identification, within the basic calculations. The
in a number of the fault trees con- component data which were input to .the
structed, a valve being in a closed calculations were total failure data and
position was determined to be a failure. had error spreads (probable ranges) to
The failure could be caused by the valve account for uncertainties and varia-
itself failing closed, i.e., a hardware tions. The failure rate for a particu-
failure, and this cause is the cause lar component included not only contri-
usually included in the fault tree butions from hardware failure (sometimes
model. In addition to the valve hard- called the random failure rate), but
ware failure, however, the valve could also contributions due to testing or
also be in a closed position due to its maintenance, human causes, environment
being purposely closed for testing or causes, etc. The error spreads aided in
maintenance and it could also be in a covering uncertainties not only from
closed position due to the operator's statistical estimation but also from
forgetting to open it after the-previous possible defects in the component, pos-
test or maintenance act. These other sible failure mechanisms not included in
causes are often ignored in fault tree the data sources, and from other physi-
modeling; however, they have the same cal causes of possible variations. Tkis
effect on the system as the hardware realistic treatment of data gave higher
failure. These other causes were in- system failure probabilities, which of-
ten proved to be insensitive to common
mode effects when sensitivity studies
were performed.
1 The quantification formulas treated both

The definition and probability quanti- hardware and non-hardware contributions
fication of the containment failure with their relevant dependencies. The
modes, incorporating accident dependen- human errors and test and maintenance
cy considerations, are given in Appen- downtime contributions identified in the
dices V and VIII. fault trees were quantified to obtain
IV-2
their probability contribution. Error nents which were common to several
spreads were used for human probabili- systems in the sequence. Single fail-
ties to account for individual varia- ures that could fail multiple systems
tions and posqible inefficiencies were thus identified and quantified, and
(tiredness, possible confusion, etc.). as a result independent system failures
A log-normal distribution was used to became dependent failures.
obtain test and maintenance downtimes,
where the distribution is positively Since an accident sequence in the event
skewed (having a tail for longer down- trees can be viewed in terms of fault
times) to account for test and mainte- tree logic, the same quantification
nance problems, possible laxities, and techniques were used on the individual
other test and maintenance associated fault trees. (In terms of fault tree
deviations. When human or test and representation, the individual systems
maintenance contributions had additional in a sequence are viewed as being inputs
interdependencies, coupling formulas us- to an AND gate to form the accident
ing the log-normal median approach were sequence.) Human errors, test and main-
employed. Accident environment effects tenance, and accident environment were
on both components and human responses evaluated for their contributions to the
were treated by using higher failure sequence, and the contributions were
rates when appropriate and coupling coupled when they were dependent. Since
individual failures when the same envi- multiple systems were analyzed, the
1
ronment affected the failures. couplings now included dependencies
across systems.
In the fault tree quantification stage,
error spreads were propagated through For the consequence calculations, the
the calculations to determine the re- accident sequences were partitioned into
sulting error spreads on the computed release categories. 1 The probabilities
system probabilities. The system error for sequences assigned to the Same
spreads thus included the possible devi- category were then summed to obtain the
ations in test and maintenance, human total release category probability which
errors, and failure rates which thereby was used as the input for the f inal con-
caused other potential common mode ef- sequence calculations. The grouping
fects not explicitly included to have tended to cover effects of dependencies
less impact since they now needed to lie and common modes since single system
outside the error spreads. Bounding and failures often existed in each release
coupling calculations were also per- category. Multiple failure accident se-
formed throughout the quantification to quences thus became negligible, even
determine maximum possible impacts from with possible common modes, when they
common mode failures which might exist were added to the single failure
and were not previously included. The accident sequences to obtain the total
bounding and coupling studies served as release category probability. Bounding
an additional check on the calculations and error propagation techniques were
and identified areas that needed further used on the multiple failure accident
investigation because of their larger sequences to investigate maximum common
possible impact. Failure rates were mode effects. The bounding techniques
also coupled to determine the potential encompassed those used for the fault
effects of several components all having trees, which are described in this
a high failure rate due to a bad manu- appendix.
facturing batch, quality control error,
etc. Since the bounding and coupling As a final check on possible dependen-
techniques were not described in detail cies and common mode effects, special
in the modeling and analyses appendices engineering investigations were per-
(Appendices I, II, III, and V), they are formed to complement the modeling and
treated in this appendix. mathematical techniques which had been
used throughout the study. The event
After the fault trees were quantified, tree accident sequences which were
the event tree quantification stage judged to be possible susceptible to
combined the individual fault tree prob- common mode impacts which had not been
abilities to obtain sequence probabili- identified were reexamined for any
ties. To obtain the sequence probabili- extraneous dependencies which may have
ties, Boolean techniques were used on been previously overlooked. These se-
the fault trees to extract any compo- quences were also examined to determine
1
See Appendix II for detailed applica-
tions and discussions. IAppendix V.
IV- 3
iI
potentials for interdependencies between In the fault tree and event tree quanti-
initiating events and system failures. fications, common mode failures in many
As part of the common mode investiga- cases did not have as significant an
tions, a design adequacy task investi- effect. Single system failure probabil-
gated the effects of earthquakes and ities dominated the accident sequences
external events. The fafil2t tree and which determined the release category
event tree models were also reviewed, probabilities, and single component
and checks were made comparing model failures, in turn, dominated the single
predictions versus available past histo- system failure probability. Commnon mode
ry experiences. The comparisons with failures between components thus had
past history are contained in the data little impact since at most they could
and fault tree appendices. As stated, change multiple.component failures into
since they are not contained in the single component failures and these
other appendices, the accident sequence already existed for the system.
special investigations are described in
this appendix. Human errors, because of their larger
With regard to the impact of common mode basic probabilities as compared to com-
failures on the spectrum of individual ponent failure rate data, in a number of
results computed in the study, in many cases dominated the system again causing
areas common mode contributions had common modes between components to have
significant effects and in some areas a small effect.
they did not. This conclusion may not
seem simple, however, many different .In certain systems, however, common mode
detailed results were computed in the contributions did significantly enter,
study to arrive at the final risk as- for example, in cases when "several
sessments. 1 failures were coupled to a common human
cause. There were other cases in which
In the accident sequence definitions and common modes did impact, either through
in the containment failure, mode analy- the fault tree development and fault
ses, common mode considerations had a definition or through the quantifica-
significant impact. Common mode consid- tion. These specific cases, along with
erations of functional interdependencies the specific event tree findings, are
significantly modified the event tree discussed in their appropriate sections
sequences and hence the resulting proba- (Appendices 1, 11, and V).
bilities. Consideration of containment
failure mode dependencies gave signifi-
cantly modified probability values to be The outcomes of the varying significance
used for the accident sequences. of common mode failure which were found
in the study further reinforce the re-
quirement that common modes and general
dependency considerations should not be
1 fone looks specifically at the final -isolated and treated separately, but
should be incorporated throughout all
risk assessment numbers then common stages of the analysis. However, this
modes in general had a very significant along with all the other modeling con-
effect as discussed in Aippendix XI and siderations, is what should be automati-
the main report. (In .Large part, this cally done in any thorough and complete
was due to the event tree effects.) analysis.
IV- 4
TABLE IV 1-1 COMMON MODE TREATMENT IN THE VARIOUS ANALYSIS STAGES
I. EVENT TREE CONSTRUCTION

1. Incorporation of functional dependencies between systems in the sequence
constructions.
2. Establishment of accident sequences including containment failure mode
definitions which incorporate system and accident interdependencies.
II. FAULT TREE CONSTRUCTION

1. Resolution of failures to a level such that common system hardware will
be identified.
2. Fault tree construction which identify human interfaces, test and
maintenance interfaces, and other interfaces of potential dependency.
III. FAULT TREE QUANTIFICATION

1. Practical data utilization, which incorporates uncertainties and
variations.
2. Quantification formulas which incorporate dependencies and contributions
due to human error, test and maintenance, and accident related
environments.
3. Mathematical techniques involving bounding calculations and error propa-
gation calculations, which serve to determine the significance of possible
dependencies and serve to incorporate resulting uncertainties.
IV. EVENT TREE QUANTIFICATION

1. System fault trees combined and analyzed by Boolean techniques to extract
common components between systems.
2. Quantification formulas which incorporate couplings and dependencies
across systems due to human error, test and maintenance, and accident
environments.
3. Grouping of accident sequences of similar outcome and identification of
the dominant accident sequences using discrimination and bounding
techniques.
V. SPECIAL ENGINEERING INVESTIGATIONS

1. Investigation of special, susceptible accident sequences to determine any
remaining possible common modes including those due to external events and
common component sensitivities.
2. A special design adequacy task to investigate common mode failures result-
ing from earthquakes, other external forces, and post accident
environments.
3. Final checks on the fault tree and event tree models for model accuracy
and consistency.
Table IV 1-1
IV-5/6
11
Section 2
Connmon Modes in Event Trees and Fault Trees
2.1 INTRODUCTION quence; any sequences that can be

eliminated need not be examined. The
For the convenience of the reader, disciplined examination of the function-
excerpts of the common mode discussions to-function, function-to-system, and
in Appendices I and Ii are reproduced system-to-system interrelationships in
here. (The bounding techniques and the specific context defined by the
special engineering investigations are accident sequences has made a key
given in the following sections.) For contribution in limiting the magnitude
further specific details, the fault tree of the CMF effort needed in this study.
and event tree quantification sections
include discussions and considerations A measure of this contribution is com-
applicable to common mode failures when parison of the number of interactions
they were significant contributors. possible with the number actually in-
volved. This can be done, for instance,
2.2 CONTRIBUTION OF EVENT TREES TO by examining the large LOCA and contain-
THE STUDY OF COMMON MODE ment event trees described above for the
PWR and BWR. The PWR trees have 8 and 5
FAILURES the BWR, 9 and
headings, respectively;
The potential effects of common mode 7. Use of 2n- tree with all possible
failures (CMFs) on the safety of nuclear permutations and combinations of choices
power plants have been increasingly included would give roughly 4000 acci-
discussed in recent years. Current dent sequences for the PWR and 32,000
design requirements related to safety for the BWR. Since each sequence would
address this matter in certain areas, have 12 and 15 elements, respectively,
principally with regard to possible the number of potential CMF interactions
external forces due to natural phenomena to be investigated would be about 48,000
and airplane crashes. This is because a for the PWR and about 480,000 for the
large external force such as an earth- BWR. However, the PWR and BWR large
quake might not only initiate an acci- LOCA and containment event trees involve
dent but also result in failures of only about 150 sequences each, with an
engineered safety features provided to average of about 10 potential interac-
mitigate the accident. Therefore, all tions per sequence. Thus the total
the systems that contribute to assuring number of potential interactions for the
the safety of the plant (e.g, the reac- PWR and BWR would be about 1500 each, or
tor coolant system and all the ESFs) are a reduction from the 2 n-± approach of
designed to withstand substantial earth- about a factor of 32 for the PWR and 320
quakes without failure (Ref. 1). In ad- for the BWR.
dition to the above, LOCAs can impose
large reaction forces and cause missiles Thus, for the large LOCA, the use of
which have the potential to damage event trees has eliminated illogical and
components whose failure can interfere meaningless combinations of events and
with the performance of ECCs and other thus reduced the areas requiring exami-
ESFs. This has led to the use of pipe nation for CMFs by about three orders of
restraints, missile shields and other magnitude. This approach contributes
such design requirements to prevent enormously to making the analysis of
damage by the LOCA. Beyond this, potential CMFs tractable.
limited analysis has been done to
quantify the effects of potential common
mode failures on reactor accidents. In considering the total number of event
trees involved in the overall study (see
An important objective of this study has sections 4 and 5 of this Appendix), it
been to develop methodologies suitable can be seen that many thousands of po-
for quantifying the contribution of com- tential accident sequences involving
mon mode failures to reactor accident hundreds of thousands of potential
risks. Event trees play a role in CMF interactions were screened in this study
studies because they eliminate illogical to arrive at a relatively small number
and meaningless accident sequences. of potential CMF interactions. As will
Evaluation of potential CMF contribu- be shown in later Appendices (IV and V),
tions requires examination of the poten- further screening involving the
tial CMF interrelationships of the identification of those particular
various events in each accident se- sequences which were the dominant
IV-7
ii
contributors to risk reduced the number High to Reduce Spray Effectiveness" is a
of potential interactions of interest by common mode suspect since the event
additional very large factors. appears as an input to both redundant
subtree branches. If upon further
In addition to the above, it should be investigation (relating CSIS design
noted that the containment trees dis- output pressure with the maximum
cussed in Appendix II represent an ex- pressure which might be attained in the
tensive common mode failure investiga- containment) the event is determined to
tion of the relationship between core be probable, then the event is a common
melting and containment integrity. mode contributor since it is a single
While it has long been known that a event thaf can fail both spray subsys-
molten core would almost surely result tems. Further investigation of this
in loss of containment integrity, this event, however, indicated that it would
study has shown that there are widely be unlikely to occur; that is, the
different consequences having widely containment pressure will not reach a
different probabilities for the various level sufficiently high to reduce CSIS
modes of containment failures. 1 effectiveness. The event was, there-
fore, not shown on the reduced tree
which was quantified.
2.3 COMMON MODE FAILURES
Hardware failures, human errors, and Some human interactions with a system,
test or maintenance outage all have a whether for operation, test, mainte-
direct effect on the probability of nance, or calibration are potentially
system failure (i.e. the unavailability important common mode events. In con-
or unreliability). System failure prob- structing the detailed fault trees
abilities can also be affected by more operational errors which can cause
subtle factors such as common environ- components not to be in their proper
ment, common design, common manufactur- operational state when required are
ing processes, or common human interven- shown as individual events on the tree
tion with the system (including (e.g., "Operational Error - Switch S8
operation, maintenance, and their asso- Not Closed," "Operational Error - Valve
ciated test procedures). All of these 506 Closed,".etc.).
common links represent potential depen-
dencies which can compromise any In the process of evaluating the fault
assumptions of independence of failures. trees, functionally related human error
Events related to common hardware and events were examined to determine their
other single events having direct input potential for common mode failure. For
to a system are identifiable in the example, four human error events, each
process of constructing the fault tree related to failure to start one of four
as described in Appendix II. The compo- redundant BWR high pressure service
nent failure event RWST lCS-TK-l water pumps, were examined to determine
"Rupture" (common hardware) and fault whether those errors were likely to be
event "RWST Vent Plugged" (direct input committed independently or as a single
event) as shown in the Containment Spray act. The major contributor to BWR high
Injection System (CSIS) example (See pressure service water system failure as
Appendix II section 5.4) are events that determined in the analysis was failure
lead to multiple system and subsystem of the operator to turn on one or more
failure. The PWR refueling water stor- of the four redundant pumps when the
age tank (RWST) is common to both CSIS system is needed. If the operator does
subsystems and also to the emergency not start one pump, there is a high
core cooling injection systems. Rupture probability that he will not start the
of the RWST or plugging of the RWST vent other pumps as well.
would fail the two CSIS subsystems and
the low pressure injection system (LPIS) Human errors related to the testing and
of the emergency core cooling systems. maintenance of components can also be
important common mode contributors. For
Other types of events identified on the example, instruments can be "valved-out"
'detailed fault trees may have common for calibration purposes and not re-
mode failure implications but require stored to their operational state when
further investigation to determine if the calibrations are complete, valves
they are probable. For example, the can be aligned to divert pump flow
third level event on the CSIS detailed during a test and not realigned follow-
tree "Containment Pressure Sufficiently ing the test, reset switches may not be
depressed following logic test, etc.
All components in a system can be poten-
ISee Appendices V, VI, VII, and VIII. tially coupled to common environmental
IV-8
causes for failure by' expanding the erational, maintenance, and test-
fault tree analysis into secondary ing procedures, etc., that could
causes, i.e., by postulating possible contribute to common mode failures.
causes for component failures which
exceed the design ratings of the compo- Components that could potentially
nents and then developing the fault tree be affected by a common operating
to identify possible causes for those environment were examined relative
secondary events occurring. For exam- to their proximity to one another
ple, the analyst, 0 knowing that a relay and to energy releasing sources
is rated for 180 F, would show an event (rotating machinery, flammable
on the fault tree which states, in fluids, steam lines, etc.) within
essence, that "relay fails due to the plant. A determination was
temperature >180 0 F. The fault tree made as to whether energy was
would be developed, then, to identify likely to become released or not
possible causes for the temperature and, if released, whether or not
exceeding 180 0 F. The fault tree would multiple components would likely
be similarly developed about other envi- be affected. Among the items
ronmental conditions which would cause considered were the amount of
the relay to fail. Some of the events energy which could be released,
could be common to other component physical barriers between compo-
failures and, therefore, would be common nents and the energy sources, the
mode events. vulnerability of components to the
forms of energy that could be
To develop a fault tree indiscriminately released, the modes in which the
into common mode or secondary causes components would need to fail in
without regard to the likelihood of order to fail systems, and the
occurrence results in a large number of manner and time in which correc-
events that must be subsequently dis- tive action would or could be
carded because of their insignificance, taken.
thus causing a considerable waste of
time and effort. In order to assure The event coding scheme described in
that adequate consideration was given to Appendix II facilitates the sorting of
common mode causes of system or subsys'- events having a common property. For
tem failure an initial screening of example, human error events related to
component failure events was made, and manual valves in a system can be re-
those events which have potential for trieved by sorting for valve type MX and
contributing significantly to common fault mode designator X. In some cases
mode system failure were examined and the fault tree analyst may decide that
analyzed further. The approach used for two or more components may be subject to
this initial screening of events in common events due to their proximity to
search of common mode contributors is as an energy source, or their being subjec-
follows: ted to the same maintenance procedure,
etc. Because of location in a large
fault tree, it is not immediately clear
System fault trees and drawings whether the potential dependency is
were reviewed to identify multiple important or not. In the process of
components and their respective analysis the analyst will give the
failure modes that would be most components the same name. Later, when
likely to contribute to system and the fault tree is processed for evalua-
multiple system failures. In tion, it can then be determined whether
general those components selected the common mode is potentially signifi-
for further consideration were cant.
redundant operating partners (com-
ponents of the same type operating In addition to the fault trees them-
in parallel whose failure could selves, common mode failures within a
fail the system). Components of system are accounted for in the methods
the same type and manufacture were of quantification used for the tree;
retained for further consideration common failures which affect multiple
on the basis that those components systems are accounted for in the event
could potentially be more likely tree quantifications. These quantifica-
to have common latent defects. tions are discussed in Appendix IV and
Also, like components would more in the individual fault tree quantifica-
likely be subjected to common options.
lReferences
1. AEC General Design Criteria, Appendix A, Title 10, Code of Federal Regulations,
Part 50, Criterion No. 2.
IV- 9
I1
Section 3
Bounding and Quantification Techniques
for Common Mode Failures
a.1 INTRODUCTION Numerous examples can again be given for

occurrences of degradation common mode
As stated previously, common mode fail- failures. Because of harsh accident
ures can be defined to be multiple environment, two pumps become degraded
failures which occur because of a single in performance. Given one pump has
initiating or influencing cause. The failed due to this environment, there is
a high probability that the second pump
single cause or mechanism serves as a The second pump may not
common input to the failures affected. will also fail.
fail immediately when the first pump
If this mechanism or cause occurs, all
the failures are triggered and a common fails. However, the probability for the
mode failure occurs. The components second pump's failing is now higher than
affected by the common mechanism or its unconditional failure probability.
cause may constitute hardware, systems, The second pump, for example, may not
subsystems, or particular events. 1 fail at the same time, but there may be
a high probability it will fail near the
first pump's failure time.
Examples of common mode failures are
numerous. Two spring loaded relays in In the above example, the common mode or
parallel fail because of a common design dependent failure is the failure of the
defect. The defect causes both relays two pumps and the common cause is the
to simultaneously fail and is the common harsh environment. Another example in
cause. Because of an error of incor- the same general category is a failure
rectly disengaging the clutches, three induced by a test or maintenance error.
motor valves are placed in a failed Because of improper maintenance and
state after maintenance. The common calibration, three motor valves become
cause for the valve failures is the degraded in performance.
common maintenance error. A steam line
ruptures causing multiple circuit board Depending upon the extent of the test or
failures. The common mode failures are maintenance error, the valves may suffer
the circuit board failures and the minor degradation to complete inopera-
common cause is the steam line rupture. bility. Even if the degradation is not
severe, their joint failure probability
Instead of triggering simultaneous fail- will increase. In conjunction with this
ures, which is the extreme case, the increase in probability, the failure
common cause may produce a less severe, dependence of the valves will be in-
but common, degradation of the compo- creased due to the common test or
nents. The components do not simul- maintenance.
taneously fail together; however, their
joint probability of failure can be Another example of common mode failures
greatly increased. In this degradation of the degradation type is the loading
situation, the second component, for or dragging effect caused by another
example, may fail at a time later than failure. Three pumps are operating and
the first component failure. Because of one fails. Because of this failure, the
the common impressed cause, however, the other two pumps suffer a degradation due
second component failure is dependent to the extra load placed upon them.
'and coupled to the first failure. The Their failure probability will then be
joint probability of failure of the two higher than their joint unconditional
components can consequently be much probability of failing.
higher than the product of the individu-
al component probabilities (the inde- For this pump loading example, the com-
pendent failure situation). mon mode failures are the failures of
the second and third pumps. The common
cause is the failure of the first pump.
The common causes may be compounded, for
example, if, in addition, the three
IThe term "component" may therefore, be pumps are located in a harsh accident
interpreted in the general sense, re- environment. An additional common cause
ferring to any basic failure being is then the environment imposing its own
considered. degradation.
IV-11
If a common cause occurs, the failures 3.2 BOUNDING BY SMALLER COMBINA-
of the affected components must be TIONS
treated as dependent events and not as
independent events. In conjunction with 3.2.1 BASIC CONSIDERATIONS
the dependency of the events, the times
of failure of the affected components One of the first questions to be asked
are also coupled to one another. To is whether common mode failures can have
quantify common mode failures, statisti- an impact on a particular quantitative
cal and reliability methods must there- evaluation. A general technique is
fore be employed which treat dependen- first described by which an upper bound,
cies in failure occurrences. In or maximum value, can be obtained for
particular, conditional probabilities the common mode failure contribution.
and conditional failure distributions The upper bound technique, which will be
must be analyzed and be combined. A called'"combination bounding", has the
number of techniques can be used, advantage of being relatively simple to
certain of these which are considered to apply. It can therefore be used as a
be the most straightforward and which preliminary check to determine possible
were applied in the study. impacts. If the upper bound, which
represents a maximum possible effect,
It should be noted that common mode does not significantly change a predict-
failures do not encompass all the ed system failure probability, then the
degradation phenomena or all the depend- number is insensitive to conmnon mode
ency phenomena which exist in any real contributions. If the upper bound does
life situation. For those types of change and increase the result, then
degradation and dependency which are not more detailed analyses need to be per-
modeled explicitly as common modes, the formed to determine the actual effect of
techniques to be described may not be common mode failures.
applicable. Even for common mode type
failures, other techniques may be used As is true in any bounding approach,
which better model a particular instead of serving as a check, the upper
phenomenon. bound itself can be used as a result.
For example, if the upper bound satis-
A technique, for example, is described fies specification requirements, then no
in a later section where a particular further analysis need perhaps be
type of degradation is modeled by simul- performed. Alternatively, if error bars
taneously increasing all affected compo- or uncertainties are given for a system
nent failure rates. The components now result, these error bars can be
all fail with a greater failure rate. increased to account for 1 a maximum
The effect of this degradation is possible common mode effect. If the
incorporated in the error bounds of the increased uncertainties still satisfy
system failure probability. That model accuracy requirements, then further
is useful for incorporating and investi- analysis may not be needed.
gating manufacturing defects, certain
maintenance errors, and certain environ- The -upper bounds can finally be used to
mental effects. help direct and scope general common
mode failure investigations. The upper
Other types of degradations, which may bounds represent a maximum effect and
not be common mode associated, include hence a list of candidate common mode
certain types of wear-out phenomena and failures can be ordered with regard to
drifting phenomena. If these phenomena their respective upper bounds. The
are judged pertinent to the problem, common mode failures having the largest
then other approaches may need to be upper bounds can have the maximum effect
used. and hence these are analyzed and
investigated first.
The techniques in the next sections Although the combination bounding tech-
describe methods by which a maximum nique is simple in principle, it does
bound can be placed on the. contribution have the disadvantage in a number of
from common mode failures. These bounds situations of giving too conservative a
have importance, for example, in deter- result (i.e., too large of an upper
mining the adequacy and believability of
other contributions which have been
computed in a quantification analysis
(such as the independent failure
contributions). If data are available, fIn a statistical sense, the error bars
more exact calculations of common mode and uncertainties would thus account
contributions can be performed. These for systematic-type errors as well as
calculations are also discussed. random-type errors.
IV-12
bound). Other sections will discuss the product of the individual probabili-
techniques by which better and hence ties.
tighter bounds are obtainable for common
mode failure contributions. If the data P(AB) ý P(A)P(B), A and B dependent
are available, techniques are also
discussed for computing exact common (IV 3-3)
mode contribution.
However, even in the dependent case, in
3.2.2 BOUNDING COMBINATIONS OF TWO order for AB to fail, A must individual-
FAILURES ly fail and B must individually fail.
Therefore, in all cases, both independ-
Since common mode approaches are not ent and dependent;
normally found in the literature, this
discussion will be somewhat basic. The P(AB) < P(A) (IV 3-4)
reader with a background in probability
can skim over this section, referring and
principally to the result obtained
[Equations (IV 3-6) and (IV 3-20) P(AB) < P(B) (IV 3-5)
through (IV 3-22)]. Section 3.3 treats
applications in the study and section Since both inequalities are true, the
3.4 deals with more involved modeling. minimum of either P(A) or P(B)
1
may be
taken as the best upper bound;
The bounding technique is given the name
combination bounding because smaller
are P(AB) < MIN[P(A) , P(B)] (IV 3-6)
valued combinations or redundancies
used for establishing the bounds. Con- denotes the
Therefore, MIN[P(A), P(B)]
sider the event of both A and B failing minimum, or smallest value, of P(A) or
and denote this joint failure occurrence P(B). Equation (IV 3-6) thus gives the
by AB. The expression AB thus repre-
upper bound obtained by the combination
sents the combination of A and B both bounding technique. This equation is
failing. The symbol A and the symbol B to the spectrum of common
applicable
may for example represent failures of mode failures, from simultaneous trig-
particular components and the expression
both of these gerings to minor degradations.
AB then represents
components failing. In Equation (IV 3-6), P(AB) can repre-
sent the total probability of A and B
Let the probability of A failing be failing from all mechanisms, both random
denoted by P(A) and the probability of B and common mode. The equation therefore
failing be denoted by P(B). For the
gives an upper bound and conservative
combination AB, denote its probability true probability
estimate on the total,
by P(AB); failing. Since
of the combination
Equation (IV 3-6) applies when P(AB)
represents the total probability for AB,
P (AB) = the probability of both A and it therefore also applies when P(AB)
B failing. represents the probability of a partic-
ular common mode failure of AB.
(IV 3-1)
The probabilities and failure events are
general representations and can be par-
The -probability expression P(AB), which ticularly interpreted and applied to any
will be called the combination probabil- specific calculation. If A and B are
ity,. is completely general and as such unavailability related failures then
implies nothing about the independence P(A), P(B), and P(AB) are availabilities
or dependence of A and B.
If A and B are independent, the combina-

tion probability, P(AB), can be
expressed as the product of the individ- lIn terms of Boolean theory,
ual probabilities P(A) and P(B); AB is a
subset of A and is also a subset of B.
P(AB) = P(A)P(B), A and B independent Therefore, Equations (IV 3-4) and
(IV 3-5) follow. The results can also
(IV 3-2) be obtained using conditional probabil-
ities, e.g., for Equation (IV 3-4),
If the events are not independent and P(AB) = P(A)P(B/A) and since
can be due to a common cause, then in P(B/A) < 1, therefore P(AB) < P(A).
general the above equation is not true The quantity P(B/A) is the probability
and the combination probability is not of B, given A has occurred.
IV-13
11
(denoted by Q's in the earlier insensitive to this common mode contri-
appendices). If A and B are operation- bution, even at its maximum value. If
ally related failures then the probabil- the system probability is significantly
ities can be interpreted as being smaller than 10-3, additional analyses
failure probabilities or cumulative would need to be performed to verify
probabilities, which may be time independence or to better define the
dependent. degree of possible common cause
dependency.
As an example of the use of Equation (IV
3-6), assume a system has been analyzed Instead of serving as a check, the upper
and evaluated to obtain a system proba- bound of 10-3 may itself be used in the
bility number. Among the contributions evaluations. This bound, for example,
that cause system failure is the failure can be used in the system quantification
of two pumps to start when demanded. to determine whether the system failure
There is concern because the investiga- probability will contribute to the
tion has shown that the two pumps may be overall risk, even with this maximum
susceptible to common mode failure. common cause contribution. Alternative-
(Possibilities of common causes include, ly, if extreme accuracy is not required
for example, design defects and and error bars or probability ranges,
environmental degradation). For this are associated with the system result,
problem, the possible impact of the they can be increased to account for the
common mode contribution is desired in possible maximum 10-3 contribution.
order to compare with the system number
which has been obtained. As a further example of this bounding
technique consider two failures A and B,
With regard to the two pumps let A now where now P(A) = 10-5 and P(B) - 10-2.
be the failure of one pump and B be the In the independent case
failure of another pump. From the data 10-2
base (Appendix III), the probability of P(AB) = 10-5 x
one pump failing to start when demanded- independent
is 10-3.
(IV 3-11)
Thus,
P (A) = 10-3 (IV 3-7) If common causes are determined to be a
possible significant failure mechanism,
and then Equation (IV 3-6) can be used to
give,
P (B) = 10-3 (IV 3-8)
P(AB) < MIN(10-5, 10-2) (IV 3-12)
If the pump failures are independent, or

the probability of both failing to (PAB) < 10-5; dependent
start, P(AB), is simply the product of (IV 3-13)
the individual pump probabilities; i.e.,
p(AB) - 10-3 x 10- - 10-6. However, if since 10-5 is the minimum individual
the pump failures are due to common probability. Whereas assuming independ-
causes, Equation (IV 3-6) can be applied ence, the probability of A and B failing
and hence, is 10-7; even if common causes are
significant, the probability is still
P(AB) < MIN[10-3, 10-3] (IV 3-9) less than or equal to 10-5.
or • In Equation (IV 3-6) and the aforemen-

tioned examples, point values are used
P (AB) < 10-3 (IV 3-10) for the probabilities and the upper
bound obtained is a point value upper
since 10-3 is the minimum individual bound. If error spreads or probability
pump probability (both individual pump ranges are used in the calculations,
probabilities being equal). Therefore, then these can be incorporated in the
using combination bounding, an upper upper bound by using the error spreads
bound of 10-J is obtained for the or probability ranges in Equation (IV
combination probability P(AB). 3-6). If, for example, the upper values
of the error spreads are used for the
Having obtained an upper bound of 10-3 individual probabilities in Equation (IV
this number can then be compared to the 3-6), then an upper bound on the
total system failure probability. If combination probability will be obtained
the %ystem probability is of the order which now incorporates the uncertainties
of 10- or larger, then the system is in the individual probabilities.
IV-14
In the preceding example, if factors of probability). For example, random
10 error spread are associated with P (A) failures may dominate and contribute
and P(B), an upper bound on P(AB) can be most to the individual component proba-
obtained which now incorporates the un- bility, while common mode failures may
certainties on P (A) and P (B) if conser- dominate and contribute most to the
vative values (upper error spread val- combination probability.
ues) are used in Equation_ IV 3-6). For
P(A) = 0- and P(B) = 10 4 with factors For the individual component probability
of 10 error, the conservative values for to be applicable, i.e., to be able to be
P(A) and P(B) are 10-5 x 10 =i1-4 and used as in Equation (IV 3-6), either of
10-2 x 10 = 10-1, respectively. There- tw9 conditions must be satisfied:
fore P(AB) < MIN[l0- 4 , 10-1] =- 0-
which now inc~orporates the uncertainties
and variabilities on P(A) and P(B). a. The dominant combination mechanisms
This use of error spreads and conserva- should be contained in the individu-
tive values accounts for the possible al component failure mechanisms
omission of specifically defined failure which are thereby included in the
mechanisms in individual estimated individual component probability, or
probabilities as well as uncertainties
due to statistical estimation. b. The dominant combination mechanisms
should cause an insignificant change
in the individual component proba-
In the following discussions, point bility if they were included as part
value calculations will be described. of the individual component failure
It will be understood, however., that mechanisms.
error spreads or probability ranges can
be incorporated by using them in place
of the point values. In particular, In the first of the above conditions the
combination upper bounds which incorpo- combination mechanisms are included
rate uncertainties can be obtained by among the individual component failure
using conservative values for the mechanisms. The combination mechanisms
individual probabilities in all the may or may not be dominant with regard
formulas. to the component failures. In the
second of the alternative conditions,
For the upper bound in Equation (IV 23-6) the combination mechanisms are not
the minimum individual component proba- included among the individual failure
bility is used, and 'notthe maximum, mechanisms; however, if they were, they
since the combination probability is would cause negligible effect on the
less than all of the individual compo- overall component probability.
nent probabilities. Since the combina- The above two conditions are obtained
tion probability is less than every one from standard reliability considerations
of the component probabilities, it is and can also easily be derived mathemat-
therefore less than the minimum of these ically by decomposing the probability
probabilities. into constituent mechanisms contribu-
tions. In practice, the conditions can
The mathematics used in obtaining the be checked before the upper bounds are
upper bound is quite general and depends computed. For example, if common mode
only upon basic Boolean and set opera- failures due to design defects are being
tion properties. Since the same event investigated, then the component failure
space is tacitly assumed in these probability should contain design
mathematical operations, one must only defects in its contributions. If the
take care that the individual component component probability does not cover
probability is applicable with regard to failures from design defects, then,
the combination probability. This alternatively, design defect failures
applicability property is important and should be insignificant with regard to
needs some elaboration. other types of failures affecting the
individual component which are covered
The individual component probability, by the component probability.
e.g., [P(A)], gives the probability of
the component failing by various mecha- As another example, if common mode
nisms. Likewise the combination proba- failures due to environmental degrada-
bility (P(.AB)] gives the probability of tion are being analyzed and bounded,
the combination failing by its various then the individual component probabili-
mechanisms. The dominant component ty should apply to this environment or
failure mechanisms need not necessarily should be negligibly affected by it. In
coincide with the dominant combination this example and the previous one, only
failure mechanisms ("dominant" meaning one mechanism is of interest. The same
here those that contribute most to the applicability checks are used when a
IV-15
series of mechanisms can enter into a Since the combination consists now of
number of possible common mode failures. three failures, an upper bound can be
obtained by considering either single
To bound a number of common-mode failure failure or two failure combinations.
contributions due to a possible group of Using the same Boolean and conditional
mechanisms, the component' Orobability probability methods as in the previous
should contain and cover this group of section, one obtains for the single
mechanisms as they affect the individual failure bound.
component. Alternatively, with regard
to the individual component, these mech- Single Failure Bound:
anisms should have negligible effect as
compared to other types of failures the P(ABC) < MIN [P(A), P(B), P(C)]
individual component may suffer. For
this alternative condition, it is again
important to note that the mechanisms (IV 3-15)
are assessed with regard to their
affect, not on the combination, but on In the above equation, the symbol MIN
the individual component. again denotes that the minimum, or
smallest value, of either P(A) or P(B)
The above applicability conditions can or P(C) is used as the upper bound. To
be rephrased with regard to Equation (IV obtain an upper bound for a triple com-
3-6) giving the upper bound on P(AB). bination probability, one therefore sim-
If P(AB) represents a particular common ply uses the smallest individual compo-
mode probability, then the individual nent probability.
probabilities P(A) and P(B) should
therefore contain or be negligibly af- Equation (IV 3-15) is the result yielded
fected by the particular common mode by the combination bounding technique,
mechanism. If P(AB) represents the which is mathematically simple. To be
total combination probability, including able to use this result, the same appli-
various common mode mechanisms, then the cability conditions must be satisifed as
individual probabilities should contain for the two combination casel i.e., the
or be negligibly affected by these combination mechanisms should be con-
mechanisms. tained in the component probability used
as the upper bound or should have negli-
If error spreads or probability ranges gible effect with regard to its other
are incorporated in the calculations, contributions.
then the above applicability conditions
and discussions apply to the error In addition to the single bound, P(ABC)
spreads or ranges. The individual error can also be bounded by considering com-
spreads or ranges should incorporate the binations of two failures. Treating a
uncertainties and variabilities from the particular double combination as an in-
mechanisms which affect the combination dividual failure event, one obtains, us-
or should be negligibly affected by ing the same appraoches as before,
these uncertainties and variabilities.
P(ABC) < P(AB) (IV 3-16)
3.2.3 BOUNDING COMBINATIONS OF THREE OR P(ABC) • P(BC) (IV 3-17)
MORE FAILURES P(ABC) • P(AC) (IV 3-18)
The combination bounding technique has or

been applied in the previous discussions
to combinations consisting of two fail- Double Failure Bound:
ures. The technique can be simply ex-
tended to combinations consisting of any P(ABC) < MIN [P(AB), P(BC), P(AC)]
number of failures. Consider first a
combination of three components failing (IV 3-19)
and let this combination failure be re-
presented by the expression ABC. The By combination bounding therefore, an-
expression ABC thus represents the fail- other upper bound for a triple combina-
ure of A and the failure of B and the tion is obtained by taking the minimum
failure of C. Let the probability of of all possible double combination prob-
this combination failure be denoted by abilities. This compares with the pre-
P(ABC); vious, alternative upper bound which is
obtained by taking the minimum of the
P(ABC) = the probability of A, individual component probabilities. For
B, and C failing. the double bound, i.e., Equation (IV 3-
19), the same applicability conditions
hold, where the double combinations are
(VI 3-14) now the individual failure events
IV-16
("double combination" is substituted for the smaller combination which is used in
"component" in the applicability condi- the equation.
tions).
3.3 ANALYSES AND QUANTIFICATIONS
Either the single failure bound or the APPLIED IN THE STUDY
double failure bound can be used for the
triple combination. The double failure Because the combination bounding tech-
bound will in general give a smaller and nique is uncomplicated in its mathemat-
hence better value. However, combina- ics, it can be easily and simply
tion probabilities must be computed for applied. In the Reactor Safety Study,
this bound, i.e., P(AB), P(BC), or the technique helped to serve as a check
P(AC); and, if common modes dominate and an analysis tool. In its use as a
these doubles, then the computation may check, upper bounds were computed for
be infeasible. combinations of failures where engineer-
ing principles and experience suggested
The minimum probability does not need to that they could be possible common mode
be used, since by Equations (IV 3-16) failure candidates. These bounds were
through (IV 3-18), the triple combina- then compared to the predicted system
tion is bounded by any double combina- failure probability to determine its
tion probability. The double bound is sensitivity to possible common mode
therefore useful when two of the compo- contributions. If the bounds had an
nents are determined to be reasonably impact, further investigation was per-
independent. For example, if A and B formed and more detailed analyses were
are independent and the common modes undertaken. As will be described, in a
involve only C, then Equation (IV 3-16) number of cases the bounds were also
may be used to obtain incorporated as part of the uncertainty
and variability.
P(ABC) < P(AB) =P(A)P(B)
(A and B independent) (IV 3-20) In checking for common mode impacts, one
of the first steps was to identify po-
In general, for this type of bounding, tential common mode mechanisms. These
the upper bound always used is the dou- mechanisms can be categorized into vari-
ble combination that can be justified to ous classes, and one such breakdown used
be reasonably independent. in the study is listed on Table IV 3-1.
Using the same approaches as for the In the breakdown, on Table IV 3-1, envi-
double and triple combinations, the com- ronmental variations include both acci-
bination bounding technique can be ap- dent and non-accident environments.
plied to a general combination consist- Failure or degradation due to an ini-
ing of n failures: tiating failure includes, for example,
Single Failur3 Bound an extra load placed on the second pump
due to the first failing. It also
P(Al A2 ... An) < MIN includes the cases of missile generation
(IV 3-21)
[P (Al), P (AD), ... P(An)]; and piping ruptures affecting nearby
components. Other forces that could
Double Failure Bound potentially cause failure, include such
P(Al A2 ... An) < MIN phenomena as fire, floods, tornadoes,
[Probabilities of all double (IV 3-2 2) etc.
combinations]
A number of the mechanisms in Table IV
Triple Failure Bound 3-1 were also investigated in other
P(AlI A2 ... An) < MIN aspects of the study. As an example,
[Probabilities of all triple (IV 3-23) certain areas relating to design defects
combinations] (E, G) were analyzed as part of the
design adequacy task in Appendix X.
Also, functional dependencies were in-
corporated in the event trees. These
etc other coimnon mode related studies are
described in their respective appen-
The various upper bounds are therefore
obtained by computing the probabilities dices.
of smaller combinations contained in the
original, large combination. The upper For the particular studies undertaken
bounds are obtained, not only for the here, in which combination bounding
minimum, but for any smaller combination served as one of the tools, the common
probability which is computed. For any mode mechanisms in Table IV 3-1 were
of these upper bounds, the applicability those not directly covered by the event
conditions must again be satisfied by tree and fault tree efforts. The common
IV- 17
mode mechanisms were analyzed with re- component is of the order of 10-3.
gard to their effect on the individual Analogously, the highest unavailability
system fault trees and their effect on for a Single passive component iLs of the
the combined fault trees which the event order of 10-4. Using the single failure
trees required. II bound, the maximum effect from common
causes is thus 10-3 or 10-4, whichever
After identification of potential common is pertinent (i.e., MI1N [P(A), P(B)J
cause mechanisms, the component combina- equals 10-3 or 10-4) . As seen from the
tions were then examined for their sus- fault tree and event tree report~s, for a
ceptibility to these mechanisms. The number of systems the relevant: system
component combinations which were exam- values are not impacted by even these
ined were the critical paths, or minimal highest potential effects of 10-3 or
cut sets, i.e., those failure combina- 10-4.1
tions that would cause system failure or
combined system failures. With regard to the precision of the
predicted values of system failure prob-
A listing of properties indicating po- abilities, system values are required to
tential susceptibility that was used in only .one or two orders of magnitude in
the examination is given in Table accuracy for the overall risk analysis.
IV 3-2. The letter or letters in Common mode contributions that were of
parenthesis beside each property refer the same order as the system value would
to the possible common mode mechanisms therefore at maximum change the value by
which can be associated with property a factor of two or so, which was -within
(the letters refer to those used in the accuracy requirements. Furt~hermore,
Table IV 3-1). the system values already had larger
error spreads due to data and modeling
in examining for susceptibility proper- uncertainties. The addition of common
ties, all components in the combination mode contributions did not therefore
(i.e., on the critical path) must have impact these existing larger spreads.
been susceptible to the same potential
failure mechanism, Conversely, the com- There were of course exceptions. in which
ponents having a common potential mecha- common mode failures did impact the sys-
nism must have constituted a failure tem values and the pertinent contribu-
combination (critical path). tions are discussed in the fault tree
reports in Appendix II.
When the susceptible combinations were
identified in the examination process, The cases of large potential common mode
upper bounds were then taken to deter- impact consisted principally of failures
mine their maximum impact. In the com- involving human errors, environmental.
bination bounding process, single fail- variations, and particular external
ure bounds were principally used. Since events and failures causing or acceler-
the bounding determination was quite *ating additional failures. The combina-
simple (using the minimum component tion bounding technique was used in
probability), the checking was performed these cases to quantify a range for the
in conjuction with the basic analysis probability contribution. If f urther
and quantification of the fault tree. investigation and analysis did not pro-
duce any more accurate information or
In a number of cases, the bounds showed results, the range was used as the
little potential impact, either indivi- contribution to the system failure
dually or collectively, on the predicted probability.
system failure probability and its asso-
ciated error bars that had already been In determining a range for the common
obtained. This was attributed to two mode probability, an upper bound and a
principal factors: one, the larger mag- lower bound are required to define the
nitude which had already been obtained range. The upper bound is given by the
for the system probabilities, and two, combination bounding technique and was
the lesser precision required for the
overall risk analysis along with the
relatively large widths of the system
error spreads.
1
The magnitude factor can be seen heuris- The insensitivity to common modes was
tically. For the system and combined also due to the fact that the system
fault trees, the pertinent component fault trees already contained single
probabilities were component unavaila- component failures. Common modes at
bilities and component failure probabil- the extreme could change multiple com-
ities. From the data base, the highest ponent failures to single component
unavailability for a. single active failures which already existed.
IV- 18
that value used in the checking. Repre- ular set being unsafely miscalibrated is
senting an opposite end point, the lower 1 x l0-3.
bound gives a minimum value for the
combination probability; i.e., the true Using the combination bounding tech-
combination probability is greater than nique, the upper bound for the combina-
the lower bound value. Where common tion failure of two sets being miscali-
mode failures can prevail, a lower bound brated is 10-3 (i.e. MIN [10-3, 10-3]).
on the combination probability can This represents the completely dependent
therefore simply be taken as the inde- situation (given the first is miscali-
pendent failure situation in which brated, the probability is then one for
individual probabilities are simply mul- the second miscalibration). The other
tipled. When information existed, a side of the range, the lower bound, is
better lower bound value was instead obtained from the independent calcula-
used. tion, 10-3 x 10-3 = 10-6. This repre-
sents the situation of the two miscali-
With the upper and lower bound, the bration being completely independent.
range is determined and can be used in
the quantification analyses. The mid- When the probabilistic approach was used
point of the range, for example, can be to incorporate the possible contribu-
used as a best estimate of the true tions, then the log-normal technique was
probability value. Instead, the bounds used. Since there was neither strong
themselves can be used in conservative dependence nor strong independence, the
or optimistic calculations. midpoint of the range was used, which is
approximately
In the study, since a probabilistic
approach was being used, a probability
distribution was associated with the 3 x 10-5 (i.e., 10-6 x l0-3).
range. As for the other parts of the
study, a log-normal was used with its
median (50% value) positioned at the
center (geometric midpoint) of the range
and its 90% bounds lying within the To cover the possible variations, the
range. individual probabilities were treated as
random variables and Monte Carlo simula-
In the actual determination of the log- tion was employed for the final system
normal distribution which was to be quantification (section 3.6.2 of Appen-
associated with the original range, dix II).
Monte Carlo simulation was employed
using the SAMPLE CODE. The reader is 3.4 MORE DETAILED QUANTIFICATION
referred to Appendix II for details on APPROACHES
this methodology. When there was knowl-
edge that the true probability would lie This section discusses certain of the
in a particular portion of the range concepts and techniques which can be
(for example, in the high value region), applied if more detailed quantification
then the bounds were adjusted to incor- of common mode failures is necessary.
porate this knowledge. When there was In the Study, because of the results
no such knowledge, then the bounds were obtained, these more detailed quantifi-
kept as originally determined. 1 cations had a minor role. An approach
will be discussed here which was used as
a supplemental technique for common mode
As an example of the application of the quantification. It will also serve to
bounding and range approach that was illustrate the types of considerations
performed in the study, consider the which can be included in general depend-
miscalibration of two sets of bistable ency modeling.
amplifiers discussed in earlier appendi-
ces. If both sets of amplifiers are The approach presented deals with dis-
miscalibrated then system failure will crete failure events, which can then be
result. The probability for any partic- extended to the continuous time domain
(incorporating time dependencies of the
probabilities). Consider again the com-
bination AB, which represents the fail-
ure of both A and B. Various mechanisms
'With regard to the log-normal, the can cause AB to fail, and hence the
median was thus centered at the probability of AB, P(AB), can be broken
geometric midpoint of the original into various mechanistic contributions.
range, or on geometrically subdivided
regions, depending upon the relevant Let M denote a particular mechanism
information. which if it were to occur could cause
IV-19
both A and B to fail. The total proba- broken into an independent contribution
bility, P(AB), can then be expressed as and a common cause contribution:
N P(AB) = (PMo)P(AB/Mo)
P(AB) = EP(M) P(AB/M) (IV 3-24)
M=l + EP(M)P(AB/M)
where M (common cause) (IV 3-27)
P(M) = the probability of mechanism M The last term in Equation (IV 3-27) is a
occurring summation over all mechanisms which do
(IV 3-25) not lead to independence, i.e, over all
common cause mechanisms.
and By the definition of the independent
environment Mo, the components fail in-
P(AB/M) = the probability of AB fail- dependently of one another. Hence,
ing when mechanism M exists
P (AB/Mo) = P (A) P (B) (IV 3-28)
(IV 3-26)
Consider now the occurrence probability
for Mo, i.e., P(Mo). Under efficient
In equation (IV 3-24), the summation design, manufacturing and quality con-
N trol, and testing and maintenance, a
symbol F denotes summation over all larger portion of potential common modes
M=1 are eliminated or are detected and
pertinent mechanisms (say, a total of N corrected. Hence, for these cases,
of them). Equation (IV 3-24) is the which are characteristic of present-day,
standard decomposition of a probability efficient procedures, P(Mo) u 1.
into its elemental contributions (termed
a mixture decomposition in probability The above equality, P(Mo) = 1, simply
methodology). says that *for a larger portion of the
time and cases, say at least 50%, an
It is important to note in Equation (IV approximately independent environment
3-24) that the likelihood of M, P(M), exists. This does not say that common
and its effect on AB, P(AB/M), enter in cause mechanisms do not dominate the
the form of a product, i.e., P(M)P combination failures since their rela-
(AB/M). Therefore, if the effect of M tive effects can be large. In fact, all
on AB is large but its likelihood is combination failures which occur can be
small then the resulting product contri- due to common causes. This is a
bution could be small. However, if the relative effect, where the combination
likelihood of occurrence of mechanism M failures constitute the base of compari-
is small but is of sufficient size to son. The equation P(Mo) 1, concerns
1
cause the product term to dominate, the an absolute frequency, for example
contribution would then be significant. implying that the combination failure
The summation in Equation (IV 3-24) can does not occur daily.
therefore be considered to be over those
mechanisms for which the product terms For normal environments the approxima-
dominate. tion P (Mo) = 1 is thus reasonably ac-
curate, yielding results with reasonable
The mechanisms defined in Equation (IV accuracy.l (For peculiar situations
3-24) are general and incorporate the where non-normal deviations are more
spectrum of component properties and likely, the assumption will be slightly
environments which can exist. Since the conservative and yield conservative
summation is over all mechanisms whether results.) Using P(Mo) 1 and the
they are common cause related or not,
the independent, non-common cause situa-
tion can be treated as one "mechanism".
This non-common mode mechanism, or envi-
ronment, is within the design environ- 1
The accuracy for example, is within
ment under which components fail inde-
pendent. This environment will be several significant figures for failure
termed the independent environment. detection efficiencies of greater than
90%, where the efficiency incorporates
If the independent environment is denot- the efficiencies of all stages, design,
manufacturing, testing, etc.
ed by Mo, then Equation (IV 3-24) can be
IV-20
independence of A and B under Mo, bility modeling). Empirical data fit-
Equation (IV 3-27) then becomes: ting and controlled designs can also be
employed (use of the Weibull distribu-
tion is an example of the former and
P(AB) = P(A)P(B) environmental testing of the latter).
In the quantification of Equation (IV

3-24) or (IV 3-29), the amount of detail
+ ZP(M)P(AB/M) can be adapted to the problem needs and
data available. For those calculations
M (common causes) (IV 3-29) in which order of magnitude accuracy
only is desired, the analysis and re-
The above equation is the final form quired information will be greatly sim-
thus obtained, in which failures are plified. In certain cases, one mecha-
decomposed into independent and common nism can be isolated as yielding the
mode contributions. dominant contribution (for example,
considering the one mechanism for which
Equations (IV 3-24) or (IV 3-29) can be the components are most failure-sensi-
used to quantify the total combination tive). Bounding and range calculations
probability or a particular common cause can also be performed. Flexibility
contribution. The occurrence probabili- therefore exists in the utilization of
ties P(M) are obtained from examination these equations, as will be illustrated
of quality control processes, testing, in the application discussions of this
etc., to determine their relative effi- section.
ciencies. Processes can be grouped into
classes for greater information utiliza- Equations (IV 3-24) and (IV 3-29) can
tion, thus giving larger population straightforwardly be transformed to in-
bases. The probabilities P(M) can be corporate time dependencies. These time
determined directly from experience data dependent forms are often the ones
using standard estimation techniques or utilized in quantification and modeling.
can be modeled using such techniques as If the mechanism can exist at the time
stochastic process theory.l of component installation, i.e., at
t = 0, then P(M) is a constant, ini-
The probabilities P(AB/M) represent tial-condition probability P(M) = P.
failure behavior under various given This is applicable to design, manufac-
environment and situations. These prob- turing, and quality control defects, and
abilities can be modeled using standard also other phenomena which are inherent-
reliability techniques, taking into ly associated with the component.
account the particular sensitivities and
properties of the components involved. If the mechanism is not directly tied to
a component property, but instead can
If the mechanisms are extreme, then the occur over some exposure time, then P(M)
approximation can be used that P(AB/M) is a cumulative time-dependent distribu-
= 1 (the mechanism is certain to cause
failure). Degradation models can be tion, or equivalently a time dependent
density function. This form is appli-
employed where the mechanisms impose cable to testing and maintenance errors,
stress-type conditions (k factors and environmental degradation, and other
Arrhenius modeling are examples of such
approaches). phenomena which occur during operation
and use of the component. Applicable
Instead of being obtained by modeling, forms for P(M) are those associated with
the probabilities P(AB/M) can also be renewal theory or stochastic process
directly obtained from experience data. theory for example. A common model is a
Poisson process, with either time inde-
This is particularly so when the mecha- pendent or time dependent occurrence
nism causes a higher failure probabili- rate; i.e.,
ty, thereby yielding some data. Even if
the mechanism is corrected, the data can
still be utilized for estimation, with P(M) = I - e- Xt or P(M) = I - e-A(t)
checking and correction then separately
incorporated in the model (analogous to
incorporating repair in standard relia-
where A and A(t) are the associated
1 parameter rates.
For this estimation and modeling, the
formulas are generally utilized in In time dependent analyses, failure
their time dependent form, as discussed probability P(AB/M) is treated by stand-
later. ard reliability techniques, with the
IV-21
condition that mechanism M has occurred. As illustrated, given A has failed, B is
The probability is thus conditional, no longer independent but has a high
analyzed under the environment or char- probability of failing at or near the
acteristics of the mechanism M, and the time of the A failure. In the extreme
probability is in general dependent (a case, the distribution of B becomes a
bivariate for example). The definitions delta function. The equations for this
of P(AB/M) are similar to those normally model and other coupled, conditional
employed; for operating or standby fail- models are obtained from conditional
ures, P(AB/M) is a cumulative failure probabilistic theory.
probability or an unavailability, re-
spectively. For cyclic failures, The techniques that have been briefly
P(AB/M) can be treated as a demand outlined above are by no means exhaus-
probability. tive, but they help in circumscribing
the various possible approaches. Since
The functional forms for P(AB/M) are the approaches are varied, each indivi-
those used in reliability and statistic- dual problem must be evaluated to
al theory with, for example, parameter determine the specific approach which is
values chosen to correspond with the applicable, and also compatible with the
given condition of M having occurred. available data. The approaches are all
Exponentials, for example, can be used straightforward and involve standard
with modified failure rates (such as in statistical and reliability techniques,
the k-factor approaches). utilizing either gross data or detailed
data.
The standard bivariate exponential can
be used for correlated failure modeling, Upper bounds can be obtained from
where the bivariate form is given by, Equations (IV 3-24) and (IV 3-29) by
using conservative values for P (M) and
P (AB/M - exp[-A 1 tl-A 2 t 2 -A 3 max (tl,it2)] P (AB/M). Lower bounds can be obtained
by using associated lower bounds for
these terms or by neglecting contribu-
(IV 3-30) tions in the summation [for example,
using only the independent contribution
where tI and t2 are the failure times of in Equation (IV 3-29)].
A and B. The probability is for failure
times being greater than tI and t2. The The above bounding approaches can, for
parameters A1 and A2 relate to the indi- example, be applied to common mode
vidual failures and A3 to the coupled or failures that can be due to external
dependent contribution. 1 events or previous failures having
occurred. As a specific illustration
Instead of dealing directly with the consider the common mode failure due to
combination probability P(AB/M), the in- a steam line rupture .which was investi-
dividual contributions (marginal distri- gated in the study.
butions) can also be analyzed. In terms For the steam line rupture mechanism,
of the individual probabilities, P(AB/M) using Equation (IV 3-29), P(M) is then
= P(A)P(B/A), where the given condition the probability that the steam line
of M is implicit in each probability on rutpures, and P(AB/M) is the probability
the right hand side. A straightforward that the nearby components (control
approach is, for example, to use an circuits, etc.) are failed by this oc-
exponential distribution for P(A) with currence. An upper bound for this con-
an appropriate failure rate and a trun- tribution can be obtained by using a
cated normal or exponential for P(B/A) conservative estimate for the steam line
located at the failure time of A. A rupture P(M) and a conservative estimate
heuristic diagram of this model is shown for the affected failure probability
below. P(AB/M).
1<00 Distribution of B
A straightforward approach for P (AB/M)
is to use the fraction of solid angle
subtended by the pertinent components
t (i.e., fraction of area exposed) or to
t - Failure Time of A
assume P (AB/M) = 1. For the steam
line rupture P (AB/M) - 1 was used and
1 the solid angle approach was used for
If the failures were independent, then those cases involving missile-type
A3 = 0, giving simply a product of generation, e.g., turbine runaways [for
exponentials as in the random failure the missile investigations P(N)
W
approach. For )3 9' 0, the failure probability of turbine runaway, P (AB/M)
times are coupled. = critical fractional solid angle].
IV-22
using P(AB/M) = 1 for the steam line bility is less than 10-7, then 10-7 can
rupture case, Equation (IV 3-29) be used as the upper bound, for example,
becomes, in assigning the log-normal probability
range for P(AB) (the lower bound of the
< P(A) P(B) + P(M) (IV 3-31) range consisting of the independent
P(AB) and
contribution). Equation (IV 3-32)
From the .Study's data base an upper the bounds are applicable to any combi-
nation AB which were encountered in the
bound for P(M) is 10-7, when a conserva- (constituting a critical
tive, leak type failure rate is used and fault trees
a 1 hour window exists about the acci- path) and which were located adjacent to
1
dent time. Hence, to order of magnitude a steam line.
P(AB) < P(A)P(B) + 10-7 (IV 3-32)
For these cases then, if the independent iFurther detailed descriptions of this
probability P(A)P(B) is greater than type of analyses are given in the
10-7, the common mode contribution is special engineering investigations to
negligible. If the independent proba- be discussed.
IV-23
TABLE IV 3-1 CLASSES OF POTENTIAL COMMON MODE MECHANISMS
A. Design Defects
B. Fabrication, Manufacturing, and Quality Control Variations
C. Test, Maintenance, and Repair Errors
D. Human Errors
E. Environmental Variations (Contamination, Temperature, etc.)
F. Failure or Degradation Due to an Initiating Failure
G. External Initiations of Failure
TABLE IV 3-2 COMBINATION PROPERTIES INDICATING POTENTIAL COMMON CAUSE SUSCEPTIBILITY
1. All Components Identical in Type and Specification (A,B)
2. Components All Under the Same Maintenance or Test (C)
3. All Components Having Similar Failure Sensitivity (E,G)
4. Components All in the Same Locations (E,F,G)
5. Components All Exposed to a Possible Accident Environment (E)
6. All Components Loaded or Degraded by a Previous Failure (F)
7. All Component Failures Human Initiated (D)
Table IV 3-1 - Table IV 3-2
IV-25/26
Section 4
Failure Coupling
Because of common quality control, com- ing. In the Study, to investigate the
mon manufacturing processes, common de- effects of failure rate coupling in a
sign, or common influencing environment, probabilistic manner, the failure rate
components can be coupled in a different distributions were coupled in a one to
type of common mode manner. One form of one correspondence.
this coupling manifests itself in the
failure rates of the components. The In the normal calculations (representing
specific result is that affected compo- no failure rate coupling), each compo-
nents will all have higher failure rates nent failure rate in the Study was
than normal. In certain beneficial assigned a distribution to account for
situations, the affected components can individual variations and uncertain-
also all have lower failure rates as ties. 1 The distributions were then
compared to the normal values for those propagated to obtain the possible varia-
components. tion on the resultant system failure
probability. The possible system varia-
A particular example of failure rate tion is represented by confidence
coupling is the existence of a manu- spreads (probability ranges) on the
facturing/manufacturing defect in a system probability. In the normal cal-
group of relays. Because of the defect culations, all component failure rate
all relays in the produced batch will distributions were treated as being
thus be affected. This effect will independent of one another.
manifest itself in all the failure rates
being higher than the average failure In the failure-rate coupling analyses,
rate for that type of relay. the same failure rate distributions were
used for the normal calculations. Com-
Instead of a detrimental effect, the ponents were however, now categorized
failure rates may all be lower than into characteristic classes where the
their standard value. Such an effect characteristic classes were defined such
will occur, for example, if better than that all components in a particular
average maintenance is being performed class had a potential common coupling
on a set of components. -Whether the cause. A characteristic class thus
effect is detrimental or beneficial, a represented a potentially coupled set.
coupling occurs in the affected compo-
nents thus causing a certain loss of In the Monte Carlo simulation, compo-
independence. nents of one characteristic class were
coupled by equating the component fail-
As a numerical illustration of the failure rates to a common single failure
ure rate coupling effect, assume two rate. An example of the failure rate
latching relays are in parallel (i.e., a coupled model used in the study is shown
double failure is needed for system in Fig. IV 4-1. .The components are of
failure). For this type of relay1 the same characteristic class, for
assume the normal failure rate is 10-O example two similar relays. Each of the
per demand. If normal situations curves in Fig. IV 4-1 represents the
existed, the probability for both inde- distribution of the individual failure
pendently failing is then 10-3 x rate (i.e., its density function). In
10-3 = 10-6. For the two particular the independent case, when one failure
relays, however, because of a coupling rate is low (the above figure), the
defect assume that both failure rates other failure rate can be high (lower
are now 10-2. The joint probability figure). This independent behavior
given this defect, is therefore represents the independent individual
10-2 x 10-2 = 10-4. The failure rate component variations which can occur.
coupling consequently yields two orders
of magnitude increase in the joint prob- In the coupled case, when one failure
ability of failure. rate is high, the other failure rate in
the same coupled class is also high. In
The above example yields a two order of
magnitude effect given that the defect
does indeed exist. A quantitative
treatment must also incorporate the
probability of the defect first exist- iSee Appendix II.
IV-27
complete coupling, as is shown, all com- coupling was repeated in this sampling
ponents have the same failure rate (one manner to obtain the resultant variation
to one correlation).' In this coupled in the system probability. (A more
treatment, the probability of the cou- detailed description of the actual
pled variation existing is in6orporated sampling procedure is given in section
by the individual component failure rate 3.6.2 of Appendix II.)
distribution (the upper curve in the
coupled case). (Given a particular The coupled modeling which was used had
the effect of increasing the error
failure rate value (the Ox"~ sampled on a
curve) the coupling is then established spread of the system probability. The
distribution and associated error
by assigning the same failure rate value
to all the other components of the same spreads on the system probability then
represented the possible variations
characteristic class.) 'the common mode coupling
including
effects. The system error spreads thus
In the Study, the characteristic classes became larger, as compared to the normal
of components coupled were defined to be_ independent calculations, accounting for
components of the same basic functional the coupling effects. The amount of
type. All relays constituted one class, widening, as compared to the independent
all pumps another, motor valves, wires, case, represents one measure of the
etc., other classes. This categoriza- effect of coupling existing in the sys-
tion corresponded to the general cate- tem. The coupling effect is illustrated
gorization breakdown in the failure rate in Fig. IV 4-2.
data base (Appendix III). The estab-
lishment of these characteristic classes It should be -noted that the model de-
enabled the examination of a very broad scribed is simply one method of coupled
range of potential couplings to be made. treatment. It is applicable when coup-
in general, many people have thought of ling effects are incorporated into the
potential couplings as including system distribution. More detailed
Such components that were quite specifi-
only models can be employed by which the
cally related such as relays, pumps, coupling effects are incorporated into
valves, etc. of a given manufacturer. the actual system probability value.
Since the classes used herein were much This requires a more detailed type of
broader, the coupling studies performed data, but is useful when, for example,
included all generally similar compo- higher accuracy is required.
nents such -asall relays, all pumps etc.
within a particular system. Table IV 4-1 shows the results of stud-
ies that were performed to determine the
Since the test and maintenance downtime effect of common mode coupling on the
represents a unique, non-component con- PWR and BWR system probability bounds,
tribution to the system probability, no using the modeling techniques previously
6oupling was assigned to it. The test discussed. The independent 90% bounds
and maintenance downtime was thus were those obtained by the standard,
treated as in the independent case. independent treatment. The coupled 90%
Common mode human errors are explicitly bounds were those obtained by completely
incorporated as separate contributions coupling all the generic classes. in
to the system probability. Therefore, general the error bands became larger
the human contributions were also not for the dependent case and the median,
failure rate coupled (human contribu- only slightly changing. The results
tions were thus also treated as in the listed in the table are those for which
standard independent case).* The coupled the coupling had some observable ef-
classes were consequently those composed fects. Even for these cases, the
only'of hardware failures. coupling effect is not an order of
magnitude significance and does not have
1 As extra error
In the study, the coupled variation was a very large impact.
evaluated by Monte Carlo sampling using
the SAMPLE program (described in Appen- 1
dix 11). Sampling a failure rate value n general, the coupling has greater
from an individual distribution gave all effect in systems having dominant fail-
the failure rates for that class. The ure contributions from single charac-
teristic classes. The coupling effect
. is therefore useful for general inves-
tigations of -component diversity within
systems. The smaller effect in the
I1n a statistical methodology the one to study's results was due to the systems
one correlation is represented by being dominated by single failure and
equating the random variable failure non-hardware contributions (test and
rates, X1 - A2 - 13, etc., maintenance, human).
IV- 28
coverage, however, the coupled values evaluations. (This also gave added pro-
were used in the fault tree reports for tection against biases and correlations
those systems where the relative effect resulting from non-independent estima-
was larger and could impact further tion of the component data.)
IV-29
TABLE IV 4-1 PWR COUPLING - BWR COUPLING
System Case Lower Bound Median Upper Bound
PWR COUPLING
RPS Independent 1.3 x 10-5 3.6 x 1.0 x 10-
Dependent 8.4 x 10-6 3.0 x 4.3 x

10-
LPRS Independent 4.4 x 1.3 x 3.1 x
10-2
Dependent 2.1 x 9.6 x 10o3 6.5 x
HPRS Independent 4.3 x 9.0 x 2.2 x

103
Dependent 2.1 x 10-3 9.0 x 4.0 x
HPIS Independent 4.4 x 8.6 x 10- 2.7 x
Dependent 2.4 x 1.8 x 10-2 5.0 x

102
AFWS Independent 7.0 x 10-6 3.7 x 3.0 x
SPB(Start & 8 Hrs.) 6
Dependent 4.2 x 10 3.2 x 10-5 6.0 x 10-4
BWR COUPLING
ECI - I Independent 1.0 x 1.5 x 2.1 x

103
Dependent 9.4 x 1.5 x 3.6 x
ECI - II Independent 1.0 x 2.0 x 3.0 x

10-4 10- 3
Dependent 8.2 x 2.0 x 10- 5.0 x
10-4 10- 4
ECI - III Independent 8.4 x 9.3 x 1.0 x
10- 10-7 10- 4
10-6 10-7 10-
RPS Independent 4.3 x 1.3 x 4.8 x
10- 10- 5 10-
Dependent 2.3 x 1.3 x 8,9 x
10- 10-
CSIS Independent 6.7 x 9.5 x 1.4 x
(Both Legs)
Table IV 4-1
IV-31/32
lx"'
I
I
1
1
*
Independent Case Coupled Case
FIGURE IV 4-1 Independent Versus Coupled Failure Rate Distribu-

tions [Frequency on Vertical Axis (Ordinate),
Failure Rate on Horizontal (Abscissa)]
Independent System Distribution
/Z Coupled System Distribution
FIGURE IV 4-2 Increased System Uncertainties Due to Coupling

Effects (Vertical Axis - Frequency; Horizontal -
System Probability)
Fig. IV 4-1 - Fig. IV 4-2
IV-33/3 4
Section 5
Special Engineering Studies to Identify
Potential Conunon Modes in
Accident Sequences
5.1 SUMMARY OF RESULTS b. Common mode failures in similar com-

ponents are failures involving
In this special engineering study, com- several similar components (such as
mon mode failures are again examined for motor-operated valves or motor
their possible contribution to PWR acci- starter breakers) used in more than
dent sequence failure probabilities. one system where the components can
From these engineering studies, it was all fail within a critical time
found that the common mode failure frame due to some common cause (such
probabilities in general did not as a manufacturing error).
significantly impact these failure
probabilities. 5.1.1 LARGE LOCA SEQUENCES
Many of the accident sequence failure In addition to the above, the potential
probabilities are dominated by component for common mode caused damage to safety
failures in subsystems that have inter- systems and to the containment structure
faces with more than one system in a due to whipping motions of ruptures RCS
sequence or by common human errors that piping was considered. ("Pipe whip" is
affected redundant systems. These are a term commonly given to this type
failures, however, which were identified damage potential.) In this considera-
and evaluated in 1 the individual system tion, the layouts of the reactor coolant
fault analyses, and were previously system (RCS) and other high energy pip-
taken into account when the systems were ing relating to the preservation of
considered together in the evaluation of2 containment integrity and the safety
the accident sequence probabilities. systems piping runs were examined. Re-
This common mode failure study therefore straints to prevent potential pipe whip
did not include the already considered were found to be applied where the
multi-system sequence failures due to possibility of interaction between a
individual component failures in inter- ruptured pipe and containment might po-
facing subsystems, or the human inter- tentially occuj (e.g. main steam and
face, acting through a common human feedwater lines ). No pipe whip damage
error, failing redundant legs of a mechanisms were identified in the case
system. of safety systems since, in all areas
considered, the presence of the crane
Two types of common mode failures were wall and operating decks provided ade-
examined in this special study: quate protection. In these cases where
individual legs of emergency cooling
a. Common mode failures from secondary (ECCS) piping ran from the crane wall to
failure sources, are component the RCS connections, the loss of func-
failures resulting from phenomena, tion for that ECCS leg was assumed to
such as flooding or fire, which occur whenever that part of the RCS loop
.exceed component design limits. ruptured. This common mode failure of
This type of common mode includes the ECCS connection to a single RCS loop
failures in one system which can was incorporated in the analysis of ECCS
indirectly fail the other systems in overall failure probability as stated in
the sequence. In some cases, the Appendix I, section 2.4 and in Appendix
secondary failure sources may cause II, section 5.6.
multiple system failures through a
common interface. The accident sequences in the Large LOCA
event tree which were investigated for
these types of failures were chosen
because they had some potential suscep-
1 tibility for common modes and their
See Appendix II for system fault analy- probability could have been affected if
sis descriptions.
2
See Appendix I for event tree discus-
for sequence ISee Appendix X, subappendix A, section
sions, and Appendix V
evaluations. A6.3.2.
IV-35
such common modes existed. The symbols The' HF (given A) sequence has as a
used in the subsequent discussions are contributor the common mode failure of
as follows: the containment sump. The blowdown
during a LOCA causes an accumulation of
A = Large LOCA (loss-of-coolant debris in the containment which in turn
accident); plugs the sump, with a value on the
probability of plugging the sump of
B = EP (Electric Power); 10-610o].*1
C = CSIS (Containment Spray Injec- The D (given 'A) sequence had as a
tion System fails); contributor a common mode failure in
which a LOCA on the discharge side of
D - ECI (Emergency Cooling Injec- the primary coolant pump causes pump
tion failure, which is. essen- overspeed and flywheel fracture. A
tially the failure of the LPIS, piece of the fractured flywheel pene-
or Low Pressure Injection trates the cubicle wall in the vicinity
System, for a large LOCA); of a single pipe for low pressure
injection to the cold legs, thereby
F = CSRS (Containment Spray Recir- striking and failing this line (there-
culation Systems fails); fore failing D). This event sequence
had a probability of approximately:
G = CHRS (Containment Heat Removal
System failure); 1.3 x 10-6
QCM -
H = ECRS (Emergency Cooling Recir-
culation System failure, the 5.1.2 SMALL LOCA SEQUENCES
failure of the LPRS, or Low
Pressure Recirculation System, Small LOCA event sequences involve most
for a large LOCA); of the same systems and event codes as
the large LOCA events, except for the
I = SHAS (Sodium Hydroxide Addition following:
System failure, the system to
supply NaOH to the, containment S = Small LOCA;
and the containment sump by
injection into the RWST). D = ECI (essentially the failure of
the HPIS, or High Pressure In-
The sequences for which the common mode jection System);
failures were evaluated, and the results
of the evaluation, are as follows: H = ECR (the failure of the HPRS,
or High Pressure Recirculation
System);
Sequence Common Mode Impact
K = RPS (failure of the Reactor
CD Insignificant Protection System);
CDI Insignificant
HF Minor Impact L = AFWS and SSR (failure of the
Insignificant Auxiliary Feedwater System and
D Within Error Spreads Secondary Steam Relief valves).
CF Insignificant
B Insignificant
F Insignificant The results of the evaluation for the
HFI, HI, FI Insignificant contribution of common mode failures to
small LOCA event sequences are in gener-
al the same as for the large LOCA event
The sequences HF (given A) and D (given sequences; that is, the common mode
A) were identified as having some poten- contributors have probabilities which lo
tial for non-negligible effects, but not significantly impact the sequence
even for these cases the impact on the failure probability or the release cate-
probability of the release category was gory probability.
assessed to be small and within the
error spreads. The D (given S) sequence does not
include the common mode contributor of
1
See the PWR event tree discussion in
Appendix I for discussion of the de- iQuantity within the brackets is the
tailed meaning of these sequences. error factor which applies.
IV-36
the flywheel failure (pump B flywheel of the secondary failure sources on the
failure), because the relatively slow sequences being evaluated is in subsec-
depressurization of the reactor coolant tion 5.4.2. A summary of common faces
system (RCS) will not cause pump over- through which common mode failures may
speed. Other sequence common mode fail PWR LOCA sequences is in subsection
failures (primarily a RCS stop valve 5.4.1.
failing closed causing a severe water
hammer and a LOCA) have probabilities A list was compiled from the system
that are orders of magnitude less than fault trees, system drawings, component
the independent unavailability of D (the specifications, and other plant design
HPIS). information listing similar components
used in the PWR Safety Systems which can
The small LOCA sequences involving the K fail a system or multiple systems by the
and L systems are not among the impor- failure of several similar components in
tant contributing sequences for small a given failure mode within a critical
LOCA events. Since no significant com- time frame. The listing, and the PWR
mon mode failures were determined for K LOCA sequences which can be affected by
or L that affect other systems in the multiple failures of similar components
sequences (common mode failures involv- are presented in Table IV 5-1.
ing only K or L systems were developed
and evaluated as a part of the analysis
1 fail- 5.3 PWR LOCA SEQUENCE COMMON MODE
for those systems ), common mode
ures for those small LOCA sequences FAILURE EVALUATIONS
involving K and L systems will not be
discussed further. The more detailed evaluation of the po-
tential common mode failures for the PWR
The C (given S) sequence is an important LOCA sequences summarized earlier is
small LOCA sequence for the S2 LOCA (a given below. The single letter codes
small LOCA due to a break in the RCS used to identify PWR systems are listed
equivalent to a hole with a 1/2 to 2 in the preceeding section 5.1. The
inch diameter). However, no significant evaluation discussion below does not
common mode failures could be found for include those common mode failure
the CSIS, other than common human errors contributors which were found to have a
already considered as a part of the CSIS negligible influence on the total common
2
fault analysis. mode failure contribution.
5.3.1 SEQUENCE CD (GIVEN A OR S)

These considerations leave the HF (given
S) sequence as the important small LOCA Common mode contributors are not signif-
sequence with a common mode failure icant contributors to the CD sequence
between systems of the containment sump failure probability, since their proba-
plugging failure. Even though the prob- bility was one to two orders of magni-
ability of the sequence is affected, the tude less than for the CD sequence as
impact on the release category is, determined from the basic fault trees.
however, insignificant and within the A common mode contributor for the CD
error spreads of the release category sequence is the event of four or more
probability. 480 V motor starter breakers for the
system pumps could all trip due to a
common cause. The probability for this
5.2 SUVMMARY OF SECONDARY FAILURE common mode contribution was assessed to
METHODS be much less than the CD sequence fail-
ure probability already evaluated.
Secondary failure sources were identi-
fied in studies of plant layout, and of
potential interactions between system 5.3.2 SEQUENCE CDI (GIVEN A OR S)
components and between energy sources
and system components. Plant drawings The CDI sequence failure probability has
and visits to the plant were used for as a contribution failure of the RWST
this study. A summary of the influence common interface, primarily by plugging
of the 8 inch RWST vent. This probabil-
ity was assessed to be comparable to
that of passiye component failures for
1
the LPIS systemy.
See Appendix II, section 5.2 for the
RPS, section 5.3 for the AFWS.
2 1
See the CSIS analysis in section 5.4 of See section 5.6.3 in Appendix II for
Appendix II. the LPIS analysis.
IV-37
!I
CDI sequence common mode contributors failure of operators to open the
(interacting with the sequence by fail- containment heat exchanger vent valves,
ing the RWST) do not significantly add which leads to air entrapment in heat
to the CDI sequence failure probability, exchangers when flow is initiated and
as follows: failure of the heat exchanger function.
a. Rupture of the RWST by an exploding
high pressure gas bottle in the ad- Other identified common mode contribu-
jacent bottle farm. tors which were assessed to have insig-
nificant contribution to the G sequence
b. Rupture of the RWST by a vehicle failure probability are:
crashing into the RWST. This was
the dominant common mode failure.
The probability of this event, how- a. A rupture of the turbine oil condi-
ever, was insignificant compared tioner spilling oil into the adja-
with the CDI sequence failure cent service water valve pit. If
probability. this oil is ignited, the normally
closed motor operated valves (MOV's)
Common mode failure of the Safety in the valve pit for service water
Injection Control System (which fails D) to the containment heat exchangers
coupled with failures of the CI sequence may be failed.
also can contribute to common mode
failures for the CDI sequence. These b. Two check valves fail to open on
failure combinations are again assessed demand due to a common failure
not to be significant contributors. cause.
c. Rupture of a service water line in
5.3.3 SEQUENCE HF (GIVEN A OR S) the service water valve pit floods
containment heat exchanger MOV's,
The possible common mode contributor for preventing their opening for a LOCA.
the HF sequence is:
d. Four MOV's inadvertently closed
Plugging of the containment sump after a within 24 hours.
LOCA is assessed as 10- 6 [10]. This
contribution is included in the event e. Two bellows joints rupture within 24
sequence probability; however, hours.
the ef-
fect on the total 1 release category
probability is small. 5.3.5 SEQUENCE AD (GIVEN A)
5.3.4 SEQUENCE G (GIVEN A OR S) Identified common mode contributors

could affect the AD sequence failure
The G(CHRS) sequence failure probability probabilityl however, the impact is
for the first day of recirculation has still within the error spread.
as a contribution the drainage of the
intake canal, an interfacing system. A
human interface common mode failure, A possible common mode contributor for
previously developed and evaluated in the AD sequence has a probability which
the CHRS fault tree analysis, 2 is the could at most double the probability for
independent A and D events. This common
mode failure is a rupture (LOCA) in the
RCS piping at the discharge side of RCS
pump B which would cause the pump to
overspeed and potentially result in a
flywheel fracture. A piece of the
1
Consideration of the overall probabili- fractured flywheel penetrates the loop B
ty results for core melt (see Table cubicle wall near the single line for
V 3-14, Appendix V) also indicates that low pressure injection to the cold legs,
the results are not particularly sensi- and ruptures this line thus failing the
tive to large variations in the proba- LPIS (D). The common mode failure was
bility estimates for containment sump conservatively evaluated as follows:
plugging. For example, an increase of
two orders of magnitude in the HF se-
quence due to the sump plugging contri- OC•4 - OLOCA OBD/L QPF/Bb QTA
bution still has small effect.
2
See section 5.6.3 in Appendix II for QLOCA - The probability of a large
the LPIS analysis. LOCA - 1 x 10- /yr.
IV-38
= The probability of a and evaluated in the CLCS fault tree
QBD/L analysis.1
rupture in the pump B dis-
charge line Z .13(l)
The CLCS, and the CSIS and CSRS may
= The probability of fly- also be failed due to common mode fail-
QPF/BD
wheel fracture : 1.0(2) ures of similar components. An evalua-
tion for these failures found them not
OTA The fraction of the sus- to impact the CF sequence failure proba-
ceptible circumferential bility. These similar component common
area around pump B z .1 mode failures (not including human cali-
bration errors) are:
QCM which
(.1) = 1.3 x 6, a. Three CLCS Hi-Hi relays fail to
would be approximately energize.
double the probability for
independent A and D b. Three containment pressure trans-
events. The value is, ducers fail to respond to low
however, within the error pressure.
spreads.
c. Three power supplies have low
Regarding the AD sequence, another iden- voltage.
tified potential common mode failure
results if one of the six RCS stop d. Three signal comparators drift up.
valves fails, allowing the valve disc to
drop and suddenly stop loop flow. The e. Six 480 V motor-starter breakers
sudden flow stoppage could cause an fail to close.
excessive water hammer which ruptures
several emergency core-cooling system f. A fire in the instrument room fails
(ECCS) piping connections to the RCS in both trains of the CLCS.
more than one of the loops, resulting in
a LOCA and failure of several ECCS g. Four MOV's inadvertently closed.
systems. Essential ECCS piping would be
lost if 2 out of 3 accumulator lines h. Six 480 V motor-starter breakers
were ruptured, or if 3 out of 3 LPIS trip.
lines to the cold legs were ruptured.
This common mode failure was assessed to 5.3.7 SEQUENCE B (GIVEN A OR S)
have a probability less than the pump
flywheel failure. Possible common mode contributors for EP
failure are determined not to impact the
EP failure probability.
5.3.6 SEQUENCE CF (GIVEN A OR S)
These common mode contributors, for the
The CF sequence failure probability is B sequence are:
dominated by failure of the consequence
limiting system (CLCS), a common inter- a. The electrical switchgear overheats
facing system with the CSIS and CSRS. and fails when switchgear room air
Failure of the CLCS is in turn dominated conditioning is lost due to an ex-
by a human common mode failure, plosive failure of one of the three
miscalibration of CLCS instrumentation. air conditioning chiller air com-
This common mode failure was developed pressors which fails adjacent chill-
ers, or fails the service water
supply to the chillers, or fails the
power to the chillers.
140% of the RCS loop piping is on the
b. The switchgear overheats and fails
discharge side of the pumps and there due to
when air conditioning is lost
are 3 loops; so QBD/L = .4/3 = .13. air
explosions of high pressure
2 bottles in Mechanical Equipment Room
The value used for QPF/Bp is considered No. 3 failing the service water
somewhat conservative since the pump supply to the air conditioning
overspeeds attained may not be great chillers or severing the power
enough to cause flywheel missiles to be cables for the chillers.
generated. As can be inferred from
Table V 3-14, Appendix V and from the
above result, use of this potential
conservatism still had no significant 1
See section 5.5 of Appendix II for the
effect on the resulting overall proba-
bilities of a core melt. CLCS analysis.
IV-39
nl
c. The electrical switchgear is flooded impacting common mode failures were
when one of 8 condenser inlet lines found to exist for these 3 sequences
ruptures and quickly floods the tur- (HI, FI, or HFI) for the first day of
bine rooms and the adjacent switch- recirculation.
gear room.
Long terni failure of I(NaOH) or I and
The aforementioned three common mode F(CSRS) has also been previously assess-
failure sequences require a lower proba- ed as having a negligible probability
bility passive failure as an initiating because of the several possibilities for
event. The probability of the initiat- operator action to deliver NaOH to the
ing event in combination with the short RCS after a LOCA. But, if NaOH is not
time window for the failure sequences to delivered to the RCS, and if the
cause significant problems in responding operators are aware that NaOH is not
to an accident (about 24 hours) results delivered to the RCS, then the long term
in probabilities for the common mode failure of NaOH can lead to stress
failures that are less than the EP corrosion in the ECR and CSR systems,
failure probability determined from the due to an expected buildup of chlorides
fault tree analyses.1 in the containment sump water following
a large LOCA. Therefore, the long term
Other common mode failures were evalu- failure probabilities for the HI, FI,
ated but were also found to be insignif- and HFI sequences all have a common mode
icant. These were common mode failures contributor equivalent to the long term
of similar components in switchgear and failure probability of NaOH (I), through
motor control centers which could fail the above common mode failure interac-
electrical power, by failing those tion. This failure sequence requires
combinations qf buses defined in the undetected NaOH delivery failures [con-
electrical power failure analysis. tributed by failure of an operator to
open chemical addition tank (SHAS) block
valves after a CSIS flow test], and
5.3.8 SEQUENCE F (GIVEN A OR S) failure of the chemical addition tank
The identified common mode contributors level instrumentation or failure of the
are assessed not to be a significant operators to detect the lack of low
contributor to the F sequence failure level in the chemical addition tank,
probability as evaluated in the CSRS therefore, failing to detect that NaOH
failure analysis given in the fault tree was not delivered to the RCS.
reports. 2 The identified common mode
contributors for the F (CSRS) sequence This common mode event is assessed not
are common mode failures of similar to be an impacting contributor to long
components. These failures are: term recirculation failure probabilities
for the HI, FI, or HFI sequences because
of the dominance of system component
a. Two MOV's inadvertently closed. failures (primarily pumps).l
b. Four 480 V Motor-starter fail to
start. This is the dominant common 5.3.10 SEQUENCE HG (GIVEN S)
mode failure of these three has
failures. This sequence, like the G sequence,
as a contribution the drainage of the
c. Four 480 V Motor-starter breakers intake canal, since successful operation
of both the CHRS and HPRS requires ser-
trip. vice water for cooling.
5.3.9 SEQUENCE HI, FI, OR HFI (GIVEN A
Other identified common mode contribu-
OR S) tors do not significantly contribute to
the GH (given S) sequence failure
Since the injection of NaOH (I) into the probability.
RCS is not a critical requirement for
safety system operations after a LOCA
within the first days of opezation, and 5.3.11 SEQUENCE D (GIVEN S)
since NaOH can be delivered via the
CSIS, LPIS, or HPIS, no significant and This sequence can occur due to failure
of an RCS stop-valve disk, which is a
common mode failure as described for the
AD sequence. The probability of this
ISee section 5.1 of Appendix II for the
PWR electrical power failure analysis.
1
See section 5.7 of Appendix 11. See Appendix II.
IV-40
event is evaluated to be less than the c. Sequences - CD or CDI
probability determined from the basic Secondary Failure: LPIS pump B has
fault trees. a catastropic failure in which a
high energy missile punches through
A number of possible common mode fail- the pump B cubicle wall failing the
ures were identified for the HPIS(D), power cables to LPIS pump A and the
CSIS motor operated valves (MOV's).
but they required a low probability
passive failure as an initiating event Power to LPRS suction MOV's could
(such as a high energy pipe rupture or also be failed. This would have to
an explosive pump failure). Therefore, occur within roughly a minute to
these common mode failures did not fail the CSIS (by not allowing CSIS
result in an impact of the HPIS(D) MOV's to open).
unavailability.
d. Sequence - AD
This conclusion also applies to the Secondary Failure: A LOCA at the
HPRS (H), since the same components are discharge of RCS pump B causes pump
used in a slightly different overspeed and a fracture of the pump
configuration. flywheel. A fractured flywheel
missile punches through the loop B
5.4 SUPPORTING MATERIAL cubicle wall and fails the single
pipe or LPI to the cold legs.
5.4.1 SUMMARY OF THE RESULTS OF
EXAMINING INTER-SYSTEM INTERFACES e. Sequence - AD or ADH
FOR SEQUENCE FAILURE Secondary Failure: An RCS loop stop
POSSIBILITIES valve disk falls into the closed
position. The sudden flow stoppage
Interfaces, such as common systems, causes a large water hammer which
common components, or the human opera- fails several ECCS piping connec-
tion interface, were examined to deter- tions to the RCS in more than 1
mine the combinations of systems and loop. Failure of the ECCS piping
corresponding sequences which would be connections is also a LOCA.
affected by the interface failure. The
Table IV 5-2 list summarizes the results f. Sequence - B (EP)
of this interface examination. Secondary Failure: Switchgear room
air conditioning is failed by:
The electrical interfaces were found to
not fail any of the sequences other than 1. Catastropic failure of chiller
B (electrical power failure) since any air compressor which fails an
of the combinations of the redundant adjacent unit, or service water
emergency buses fails systems which are supply lines, or power cables.
given to have succeeded in the sequences.
2. Catastropic failure of high
An exception is failure of the motor pressure dry air bottles in
control centers IHI-I and iJl-l, which Mechanical Equipment Room No. 3
would only fail the HPIS and HPRS. fails the service water supply
These systems, however, are not required or chiller power cables.
for a large LOCA. The electrical bus
interfaces for the PWR systems are shown g. Sequence - B (EP)
in the Table IV 5-3. Secondary Failure: Flood the
switchgear room by:
5.4.2 SUMMARY OF PLANT LAYOUT
EXAMINATION FOR SEQUENCE The service water supply into
1.
SECONDARY COMMON MODE FAILURES Mechanical Equipment Room No. 3
ruptures and floods switchgear
a. Sequence - F
Containment sump in the adjacent switchgear room.
Secondary Failure:
plugs.
2. Rupture of a condenser inlet
b. Sequence - F (CSRS only) line, floods the turbine room
Secondary Failure: If a high proba- and the adjacent switchgear
bility exists for inside CSRS pump room.
failures in a steam environment,
then only one CSRS system need be
failed for system failure in the h. Sequence - G
first day after a LOCA, or 2 CSRS Secondary Failure: A pipe ruptures
systems after that. This has in the service water valve pit and
already been included in the CSRS fails CHRS MOV's before they have
analysis. opened.
IV-41
i. Sequence - G A high energy missile from a failed
Secondary Failure: Spilled oil from CSIS or AFWS pump could penetrate
a rupture of the turbine lubricating the concrete floor and fail HPIS
oil conditioner, next to the service and/or HPRS suction piping below the
water valve pit, is ignited causing floor. Missiles from one failed
burning oil to spill into the ser- charging pump could fail HPIS
vice water valve pit and fail CHRS suction.
MOV's before they have opened.
Rupture of a steam generator blow-
j. Sequence - G down line can fail HPIS discharge
Secondary Failure: A small rupture MOV's at the boron injection tank,
in a condenser inlet line, or a or a whipping blowdown line can fail
rupture that id quickly stopped, the normal charging line to contain-
floods the service water valve pit, ment and fail the HPIS isolation
nearby, before CHRS MOV's have MOV's for this line. Continued
opened. steam discharge through the ruptured
blowdown line can result in an envi-
k. Sequence - CDI ronmental failure of the charging
Secondary Failure: The RWST is pumps, thus failing the HPIS or
ruptured by: HPRS.
1. High pressure gas bottles in the A rupture of one charging pump ser-
bottle farm next to the RWST vice water pipe in Mechanical
explode. Equipment Room 3 can flood and fail
the pump in the redundant charging
2. A vehicle crashes into the RWST, pump service water pipe, below.
which is near the parking lot This failure would fail the HPIS or
and the truck gate. the HPRS.
1. Sequence - CDI or CF(G,I) Secondary failure number 6, above,
Secondary Failure: A fire in the will also fail the HPIS or HPRS *by
instrument room fails the safety failing the service water supply to
injection control system (SICS) or the charging pumps.
the consequence limiting control
system (CLCS) (SICS cabinets are 5.4.3 SYSTEMS WHICH CAN BE FAILED BY
next to each other, as are the CLCS COMMON MODE FAILURE OF SIMILAR
cabinets). COMPONENT
m. Sequence - HFI Table IV 5-1 shows the results of an
Secondary Failure: Failure to get examination of PWR safety systems for
NaOH into the RCS causes chloride similar components which can fail a
stress corrosion in ECR & CSR system or several systems if they fail
systems, failing the piping. by a given failure mode within a criti-
cal time frame by some common mode
failure. This type of failure would be
n. Sequence - D (given S) or H (given most likely due to manufacturing,
S) design, or installation errors. The
Many common mode failures which can numbers in the table under the sequence
fail the HPIS or HPRS were identi- codes designate the minimum number of
fied. These failures, requiring the similar components which must fail
passive initiating events, are not to cause the sequence failure. The
likely to be significant contribu- effects of these failures were evaluated
tors to HPIS or HPRS unavailabil- to not impact the previously obtained
ity. probability.
IV-4 2
TABLE IV 5-1 SIMILAR COMPONENT FAILURES AND SIGNIFICANT AFFECTED
SEQUENCES (LARGE LOCA)
Component Failure
Type Modes Affected Sequences
Fails to CH CHI CG CHG CGI CHGI CD (b) CDI (b)
MOV
open 6 8 8 10 10 12 6 8
Closes H HI G HG GI HGI F HF
2 4 4 6 6 8 2 4
FI HFI D DI DG DGI DF DFI
4 6 1 3 5 7 3 5
CH CHI CG CHG CGI CHGI CF CHF
4 6 6 8 8 10 4 6
CD CDI CDG CDGI CDF
3 5 7 9 5
480 V Pump Fail to D DF CF CD CDF F

Motor-starter start 2 6 6 4 8 4
Trips H F HF D DF CH CF CHF
pump 2 4 6 2 6 4 6 8
CD CDF
4 8
Manual Valve Closes H HI D DI CH CHI CD CDI
2" or greater 2 4 (a) 1 3(a) 4(a) 6 (a) 3(a) 5 (a)
Check Valve Fails to H G HG D DG CH CG CHG

2" or greater open 2 2 4 (a) 1 3(a) 4(a) 4 (a) 6(a)
CD CDG
3 (a) 5 (a)
SIS Relays Fail to CDI

energize 2
CLS Relays Fail to CF

energize 3
Pressure Fail to CDI

Transducers low 2
pressure
Fail to CF
show high 3
pressure
Power Hi CDI
Supplies voltage 2
Low CF
voltage 3
Signal Drift CDI

Comparators down 2
Drift CF
up 3
Level Fail to CDI

Transmitters show low 2
level
Bellows Rupture G
Joints 2
(a) Valves used in C, F, G, and I systems have manufacturers different from those used
in D and H systems.
(b) For small LOCA where D includes the HPIS.

TABLE IV 5-2 INTERFACE EXAMINATION RESULTS
Affected
Sequence Interface Discussion
HF Containment Suinp
F Containment Environment Both inside CSRS pumps could
be failed by post-LOCA envir-
onment. But, 2 outside CSRS
pumps would remain.
CD None Interfaces are ruled out since
they fail systems assumed to
succeed.
CDI RWST
D SICS
CI Operator Valve positioning failures
after a CSIS flow test.
CF(G,I) CLCS
G' Intake canal Draining the intake canal fails
HG(given S) the service water supply for
the CHRS. This failure also
fails the HPRS, which is not
required for a large LOCA.
TABLE IV 5-3 ELECTRICAL POWER INTERFACES
Systems Affected
Bus C F I D H D(b) H(b) G CLCS CLCS
Identifiers CSIS* CSRS NaOH LPI LPR HPI HPR CSHX SICS Hi Hi-Hi
JAGO 4160-iJ X X
JB00 4160-1H X X
JCOO 480-lJ X X X X X
JDOO 480-1H X X X X X
JFOO lHl-l X X X(a)
JGOO lJl-2 X X X x x x
JHOO lHl-2 X X X X X X
JJOO DC-lB X X X X X X X X X X
JKOO DC-lA X X X X X X X X X X
VBI-I X X X X
VBl-II X X
VB1I-III X X X X
VBl-IV X X X X
(a) With loss of station power
(b) For small LOCA
IV-43/44
TABLE IV 6-1 SEQUENCE AE-LLOCA/ECI, PRINCIPAL COMMON MODE POSSIBILITIES AND EFFECTS
Common Mode Failure Effect
1. LLOCA in one CSIS injection line. 1. Failure probability of ECI increases

however, failure probability of
LLOCA decreases because of specific
location, with net effects leading
to cancellation.
2. Similar power relays fail on 2. Already covered on fault tree and

safety buses. not dominant failure.
3. Pipe or valve rupture on one CSIS 3. Probability of ruptures is small

subsystem causes rupture of pipe compared to other contributors, and
or valve on adjacent selected LPCIS commom mode combination would have
line or vice versa. no impacting contribution to ECI
failure probability.
4. Damage to sensing switches in racks 4. Probability of secondary environment

25-5 and 25-6 caused by secondary at the time of, and independent of,
failure (fire, explosion, pipe the LOCA is more remote than the
burst) preventing the generation of failure probability for ECI. The
initiating signals to CSIS and LPCIS overall probability is further re-
valves and motors. duced by structural protection such
as the barrier between racks 25-5
and 25-6.
5. Damage to relays located on the 9-32 5. Not impacting due to same reasons
and 9-33 panels in the cable spreading indicated in 4.
room caused by secondary failures
(fire, explosion, pipe burst) pre-
venting the generation of initiation
signals to CSIS and LPCIS valves and
motors.
TABLE IV 6-2 SEQUENCE AI-LLOCA/LPCRS, PRINCIPAL COMMON MODE POSSIBILITIES AND EFFECTS

1. Loss of emergency service water to 1. This already is included as the dom-
all four pump room coolers. inant contribution to LPCRS failure.
2. Damage to both LPCIS injection lines 2. Only plugging of both lines would be
in drywell by LOCA. significant since break in drywell
would permit flow to torus while
CSCRS provided the continuous core
flooding. Physical arrangement of
LPCIS lines makes plugging of both
caused by LOCA an extremely remote
possibility.
3. Failure of both LPCIS injection 3. This effect can be negated by switch-

valves to open due to common compo- ing flow to torus through the test
nent fault. lines, bypassing the problem.
4. Failure of LPCIS contribution to ECI 4. Those failures which could cause loss
success (success mode which requires of all LPCIS (instead of 2/4 pumps)
all CSIS contribution, no LPCIS). where considered when LPCRS was eval-
uated.
5. Failure of all 4 LPCIS pumps or fail- 5. Not impacting because of the low pro-
ure of 4 valves of the same type or bability of all foUr components of a
failure of all four heat exchangers type failing in the same time frame.
because of similar component common
mode.
6. Rupture of ESW supply in torus com- 6. Close proximity of HPCI or RCIC sup-
partment by LOCA in HPCI or RCIC ply and ESW lines has been compensated
steam supply line and resultant fail- for to some extent by restraints in
ure of LPCIS pumps by loss of room the supply lines. Also, RCS rupture
coolers. in these supply lines can be isolated
and the core water loss stopped. The
resultant special sequence of required
failures does not dominate the conseq-
uence probability results.
Table IV 6-1.- Table IV 6-2
IV-49/50
TABLE IV 6-3 SEQUENCE AJ-LLOCA/HPSW, PRINCIPAL COMMON MODE POSSIBILITIES AND EFFECTS
1. Rupture of HPSW line in torus com- 1. A HPSW line passes within about 6
partment by LOCA in HPCI or RCIC feet of the HPCI supply line in the
steam supply line. torus compartment. The HPCI line is
restrained at expected break points
and the surmised HPSW line break does
not itself cause loss of HPSW. It
reduces the available pumps from 4 to
2 and requires continued closure of
the normally closed HPSW cross over
valve at the pump building. The net
effect of this common mode failure is
assessed to not influence the release
probability.
2. Failure of all 4 HPSW pumps or fail- 2. Not significant because of the rela-
ure of 4 valves of the same. type or tively lower probability of all four
failure of HPSW side of all four heat components of a type failing in the
e~changers because of similar compo- same time frame.
nent common mode.
TABLE IV 6-4 SEQUENCE S IE-SMALL LOCA (1)/ECI, PRINCIPAL COMMON MODE POSSIBILITIES AND
EFFECTS
1. HPCIS supply line is the LOCA site 1. HPCIS is lost raising failure prob-
inside drywell between steam header ability. Failure probability de-
and first isolation valve, creases however because of specific
location. Net effect is judged to be
within error spread of failure seq-
uence.
2. HPCIS supply line is the LOCA site 2. Same as 1, plus ADS would fail.
inside drywell between steam header Chance of common mode effects is re-
and first isolation valve and effects latively small because a severed HPCI
of LOCA fail ADS operate air supply pipe which might move around would be
lines or electrical signal lines to a large LOCA and ADS would not be
valve air operators. needed. Effects of small LOCA would
be small missiles and jet forces only.
3. SLOCA in one CSIS injection line. 3. Same as large LOCA, effects tending
to cancel.
IV-51/52
0
Printed
/on recyclledk>
paper
S
. .::::::
... Me
..........
:•:•:-••
....'-••: •iii:i!:
:•..•.........

ML070610293

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

ML070610293

Uploaded by

Copyright:

Available Formats

WASH-10

Reactor a fety Study

United States Nuclear Regulatory Commission

This report was prepaied as an account of work sponsored bv

U.S. NUCLEAR REGULATORY COMMISSION

Section Page No.

Section Page No.

6.1.3.1 Level of Presumed Psychological

6.1.4 A Sample Hunan Reliability Analysis ...................... 111-67

6.2 Aircraft Crash Probabilities ................................. 111-69

6.2.1 Number and Nature of Aircraft Movements ................. 111-70

6.2.4.1 Source ...................................... 111-70

6.3 Total Loss of Electric Power ................................. 111-71

6.3.1 Total Loss of Electric Power at LOCA ..................... 111-71

6.4 Pipe Failure Data ............................................ 111-74

6.4.1 Plant Parameters ..................................... 111-75

6.5 Failure Rates Compared With Log Normal ........................... 111-78

REFERENCES ............................................................... 111-78

7. REFERENCES ........................................................ 111-91

7.1 Discussion of References ..................................... 111-91

Table Page No.

III 2-1 Data Assessment Tabulation ....................................... 111-7/8

III 2-2 Comparison of Assessments with Nuclear Experience ................ 111-11/12

III 2-3 Comparison of Assessments with Industrial Experience ............. 111-13/14

III 3-1 Number of Failures by Plant Showing Failures During Standby

III 3-2 Number of Failures by Plant Component/System ..................... 111-35/36

III 3-3 Averaged Failure Rate Estimates (Rounded to Nearest Half

III 3-4 Averaged Demand Probability Estimates (Rounded to Nearest

III 3-6 Common Mode Effects and Causes ................................... 111-37/38

III 4-1 Summary of Assessments for Mechanical Hardware ................... 111-45/46

III 4-2 Summary of Assessments for Electrical Equipment .................. 111-47/48

III 4-3 Summary of Post Accident Assessments ............................. 111-49/50

III 5-1 Summary of Test Act Duration ..................................... 111-55/56

III 5-3 Log-Normal Modeled Maintenance Act Duration ...................... 111-55/56

III 6-1 General Error Rate Estimates ..................................... 111-81/82

III 6-2 Aircraft Crash Probabilities ..................................... 111-81/82

III 6-3 Comparison of Probability of an Aircraft Crash for Various

III 6-4 Crash Probabilities at Various Sites ............................. 111-81/82

III 6-5 Summary of Transmission Line Outages (Based on Bonneville

III 6-6 Summary of Transmission Line Outages (Based on Bonneville

III 6-7 Summary of Transmission Line Outages (Based on Bonneville

Figure Page No.

In the quantitative system probability 3. A discussion of nuclear power plant

in risk assessment, since results 5. A discussion of test and maintenance

1.1 DISCUSSION OF CONTENTS Failure Probabilitx: the probability

2.1 OVERALL DATA TABULATION ranges as compared to obtainable nuclear

~r ~l- NA NA NA NA NA NAl• NA0" *.i0.

0. ION I0 N. 1.04 I 4.4.4

A NA N A NA NA- A A NA kA0 1.10

Table IlI 2-1 (Sheet 1 of 2)

3.104M9 1 g4l. ,&3A-I 3.W 1~Z.,941 4..,3 .... 1 1 -a' N

3. 10,7-)..04 NA 5.10, 1.10, way" HA 3.u10' 51041 NA NA NA MA NA "A llA &

Table 1II 2-1 (Sheet 2 of 2)

Component/Primary Assessed Values Nuclear(a

Air Operated 1 x 10- 3 /d

Check 3 x 10- 4/d

Component/Primary Assessed Values Nuclear

Transformers 3 x 10- 7/hr 1 x 10- 6/hr

Limit Switches Sx 10-4 /d 1 X 10-3/d -4

Torque Switches 3 x 10-5/d 3 x 10- 4/d

Manual Switches 3 x 10- 6/d 3 x 10- 5/d 3 x 10- 5/d

Battery Power Supplies

Solid State Devices

Diesels (complete plant) 3 x 10-2 /d