
Post on 25-Aug-2020


CHAPTER 28

PLANT CONTROL SYSTEM

28.1 System Analysis Description

This chapter evaluates the reliability of the plant control system (PLS). Specifically, the analyses presented in this chapter assess the availability of the plant control system to provide the nonsafety-related functions necessary to control the plant during normal operation and to maintain the plant in a desired condition. Included in the assessed functions are the plant control system capability to control associated nonsafety components in the plant that are operated automatically and remotely from the main control room or remote shutdown workstation, and the plant control system capability to monitor the plant functions during and following an accident. In particular, the assessed functions of the plant control system include the availability of the system to:

* Automatically initiate the operation of appropriate systems to provide regulation of the reactor and other key components in response to load changes, and maximize margins to plant safety limits and the plant's transient performance

* Sense accident conditions and initiate the operation of associated mitigating systems and components

A description of the plant control system is provided in Chapter 7 of the AP1000 Design Control Document (DCD).

The AP1000 instrumentation and control architecture contains the following three major components: 1) protection and safety monitoring system (PMS), 2) plant control system, and 3) diverse actuation system (DAS). This chapter focuses on the assessment of the plant control system. The protection and safety monitoring system and diverse actuation system are discussed in Chapters 26 and 27, respectively.

Because of the rapid changes that are taking place in the digital computer and graphic display technologies employed in a modern human system interface, design certification of the AP1000 focuses upon the process used to design and implement instrumentation and control (I&C) systems for the AP1000, rather than on the specific implementation.

AP1000 DCD Chapter 7 has been written to permit the use of current (at the time of construction) commercial off-the-shelf hardware and software for the control system. The AP1000 PRA is based on one possible control system configuration designed to meet the requirements of DCD Chapter 7. The I&C functional requirements and the degree of redundancy modeled in the PRA are representative of the expected final I&C design.

The scope of the system analyses includes the following equipment:

* Control cabinets
* Logic cabinets
* Signal selector cabinets
* Sensors
* Operator controls
* Main control room multiplexers and remote shutdown workstation multiplexers

AP1000 Probabilistic Risk Assessment, 28. Plant Control System

28-1 Revision 1

Note that an assessment of the rod control system, while not included in the plant control system scope, is also developed in this chapter.

The analysis of the plant control system is divided into the following functional groups:

* Control

  - Automatic - Sensors through output driver modules

  - Manual - Control inputs through output driver modules

* Indication - Qualified data processing system (QDPS), data display and processing system (DDS), and diverse actuation system (DAS) (These systems, although not included formally in the plant control system, are evaluated to form a generic indication model in this chapter.)

The following paragraphs discuss the general approach taken for the modeling of each of the functional groupings.

Control

As part of the system trees, developed in the other chapters of this document, an actuation signal is typically needed as one of the inputs to a system tree to model the complete control of a component. For each of these required actuation signals, an I&C subtree is developed to model the unavailability of the plant control system to provide the actuation signal upon demand. There are 62 I&C subtrees that are developed in this chapter to support that purpose. The assigned systems/functions that they support in the models are as follows:

* Compressed and instrument air system (CAS)
* Containment cooling system (CCS)
* Condenser system (CDS)
* Chemical volume and control system (CVS - pumps only)
* Main ac power system (ECS)
* Main feedwater system (MFS)
* Main steam system (MSS)
* Normal residual heat removal system (RNS)
* Rod cluster control system (RCCS)
* Startup feedwater system (SFW)
* Service water system (SWS)
* Turbine building closed cooling water system (TCS)
* Hydrogen control system (VLS)
* Chilled water system (VWS)

A detailed description of the I&C subtree development is presented later in this chapter.


Indication

Wherever manual action is credited in the assessment of the plant control system, the availability of the systems that collect and provide appropriate information to be displayed as indications to the operator are modeled. A conservative simplified model is applied generically to the plant control system assessments to bound the availability of the indication functions. That model is developed as follows:

There are three basic paths that are assumed to be normally available to provide indication to the operator. These are:

* Data display and processing system
* Qualified data processing system
* Diverse actuation system

The unavailability of each of these systems to provide a particular indication is assigned at 1.0E-02 failures/demand. While it is expected that the actual unavailability of each of these systems to provide indication would be substantially better than the assigned value, there is not a total overlap of indication functions provided across all systems, and the conservative assigned value reflects the consideration of that limitation. These values are also consistent with the assigned unavailability of 1.0E-02 failures/demand for the diverse actuation system in general. While this may be a conservative assignment, it is assumed that each of the systems is capable of providing the essential indications required for the plant control system functions being modeled at that assigned rate. Therefore, failure of all three systems must occur before total loss of indication to the operator is achieved. This gives a total unavailability for the combinational loss of all indication systems of 1.0E-06 failures/demand. Due to diversity between the systems, the contribution of common mode failure is minimized in this evaluation and, hence, does not have a dominant contribution in this model.

The application of the result in the plant control system models is achieved by implementing a node representing the failure of all indication, which has the resultant contribution of 1.0E-06, wherever a manual action is credited. It should be noted that wherever the "failure of all indication" node is applied, a failure node representing the common mode failure of the associated instrumentation, namely sensors, is also applied. This is done to reflect the fact that the sensors, although independent, are conservatively expected to be of the same type. Therefore, they are susceptible to a common mode failure that could inhibit the availability of an accurate indication across all systems. This, too, is considered conservative because multiple cues are usually available to the operator as indications relating to the various plant parameters being monitored. The models of the plant control system generally only consider the most direct sensor/cue path and do not credit alternate paths.
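The three-path indication model and the sensor common-mode node, evaluated as a small fault tree in Python (an added example, not part of the PRA). The 1.0E-02 per path is the chapter's value; the sensor common-cause value is a constructed placeholder because Table 28-9 is not reproduced here, and the beta-factor variant is an added generalization that shows how far the 1.0E-06 result depends on the diversity argument.

```python
from dataclasses import dataclass
from typing import Sequence, Union


@dataclass(frozen=True)
class BasicEvent:
    """A basic event with an unavailability in failures/demand."""
    name: str
    q: float


@dataclass(frozen=True)
class Gate:
    """An AND or OR gate over basic events and other gates."""
    name: str
    kind: str
    inputs: Sequence["Node"]


Node = Union[BasicEvent, Gate]


def evaluate(node: Node) -> float:
    """Top-event probability, treating all inputs as independent
    (the chapter's argument that diversity makes common mode negligible)."""
    if isinstance(node, BasicEvent):
        return node.q
    qs = [evaluate(child) for child in node.inputs]
    if node.kind == "AND":
        result = 1.0
        for q in qs:
            result *= q
        return result
    if node.kind == "OR":
        survive = 1.0
        for q in qs:
            survive *= 1.0 - q
        return 1.0 - survive
    raise ValueError(f"unknown gate kind {node.kind!r}")


def loss_of_all_indication(q_path: float = 1.0e-2, beta: float = 0.0) -> Gate:
    """Failure of all three indication paths (DDS, QDPS, DAS).

    beta is the fraction of each path's unavailability attributed to a
    shared failure (standard beta-factor model, an added generalization;
    the chapter treats it as negligible because the paths are diverse).
    """
    q_independent = (1.0 - beta) * q_path
    paths = [BasicEvent(name, q_independent) for name in ("DDS", "QDPS", "DAS")]
    all_paths = Gate("ALL-PATHS-FAIL", "AND", paths)
    if beta == 0.0:
        return all_paths
    shared = BasicEvent("IND-CCF", beta * q_path)
    return Gate("LOSS-OF-ALL-INDICATION", "OR", [all_paths, shared])


def manual_action_indication_failure(q_sensor_ccf: float) -> float:
    """The pair of nodes applied wherever a manual action is credited:
    failure of all indication OR common-mode failure of the sensors."""
    node = Gate("INDICATION-FAILURE", "OR",
                [loss_of_all_indication(), BasicEvent("SENSOR-CCF", q_sensor_ccf)])
    return evaluate(node)


if __name__ == "__main__":
    # Constructed placeholder: the sensor common-cause value belongs to
    # Table 28-9, which is not reproduced on this page.
    Q_SENSOR_CCF_PLACEHOLDER = 1.0e-4
    print(f"all indication lost, diverse paths: {evaluate(loss_of_all_indication()):.2e}")
    print(f"all indication lost, beta = 0.01:   {evaluate(loss_of_all_indication(beta=0.01)):.2e}")
    print(f"manual-action indication node:      "
          f"{manual_action_indication_failure(Q_SENSOR_CCF_PLACEHOLDER):.2e}")
```

With even a 1 percent shared fraction the node rises from 1.0E-06 to about 1.0E-04, which is why the model's result rests on the three paths being genuinely diverse.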

28.1.1 Analysis of Support Systems

Power Distribution

The incorporation of the ac power distribution scheme for the plant control system in the analysis can be divided into the same functional groups previously mentioned.


* Control - Loss of power to the modules that support the control functions leads to a default state that generally results in a "stay-as-is" state for the plant control system. In addition, due to the complexity of determining appropriate default states for each plant scenario that could be modeled, a conservative modeling approach has been taken which assumes that power is required for proper processing of information and final control signal actuation. Therefore, modeling of the potential for the loss of power is included in the plant control system fault trees. Credit is taken for the multiple trains of power that are available, some of which are backed by plant batteries.

* Indication - Loss of power is assumed to cause the loss of the associated indication path under consideration. The contribution due to loss of power is included in the bounding 1.0E-02 unavailability assigned to each system in the indication model. Loss of power does not result in a high contribution due to the redundant, battery-backed busses that are available.

Table 28-4 provides a detailed list of the power supporting systems.

Equipment Cooling

Loss of cooling to the plant control system cabinets, which could eventually lead to elevated cabinet temperatures, is detected by cabinet temperature sensors that are continuously monitored by the system. On detection of high cabinet temperature, the system assumes a predefined default state. Generally, that state is stay-as-is for the plant control system. To conservatively model the possibility for failure of this mechanism, the contribution for failure of the cabinet fan unit has been included in the modeling of each cabinet subsystem. Also, conditional probabilities given fan failure, and the coincident failure of the circuits that detect the high temperature, have been included as contributions to unavailability in the models.

28.1.2 Analysis of Instrumentation

The field signals are wired directly from the sensor, transmitter, switch, relay contact, or external systems to the plant control system input/output (I/O) termination boards. Assignment of the sensors and input groups to each of the plant control system fault tree models is performed on a function-by-function basis in the analyses. Where multiple sensors are used as inputs to a function and no redundancy or combinational logic is used, all sensors are conservatively assumed to be able to fail the function independently. Table 28-11 shows the sensor types that are used in the analyses.

28.1.3 Test and Maintenance Assumptions

Table 28-5 provides a detailed list of plant control system components testing frequency. Table 28-6 provides a description of the maintenance assumptions.

Automatic Testing

Automatic testing is used to test the signal selector cabinet subsystems. This analysis assumes that the automatic tester sequence will be initiated quarterly for the signal selector cabinet and that by operation, an equivalent quarterly time between tests for the remainder of the plant control system hardware can be conservatively assigned. This is because by normal, daily operation of the plant control system, testing of those functions is implicitly performed. This is achieved two ways: 1) a plant control system demand is initiated by the operator and no action or different action is implemented by the plant control system and, hence, is observable to the operator, and 2) a plant control system change in demand or control state occurs spuriously, which would also be detectable to the operator. There is the possibility that a plant control system control channel could undetectably fail in a "stay-as-is" state and then manifest itself when a change in plant state is demanded, either automatically or manually. In either case, the downtime before the state change demand occurs would not count against the system in the analysis because the "as-is" state would match the current desired state of the plant. Once the state change demand is received, however, the downtime is counted because the system would then be failing on demand. In each of these cases, the time to diagnose the failure as being caused by failure of the plant control system could extend the "time to restore function" of the plant control system beyond the four-hour repair time assumed for the plant control system hardware, given detectable failures. This additional time is more than conservatively covered in assuming a quarterly time for detection for these faults. Note that the automatic testing requires manual initiation to enable it to perform its automated testing sequence. This test frequency is used in the analysis availability equations to define the mission time and/or downtime, given failure for the systems under consideration.

Self-Diagnostic Testing

Automatic self-diagnostic testing is performed during all modes of plant operation. This testing is designed to provide early detection of hardware malfunctions. It is performed continuously. This type of diagnostic testing includes tests such as processor checks, programmable read-only memory block check sums, read/write tests of random access memory, check sums of static random access memory data, check sums of shared memory blocks, and data link transmission error detection. Extensive, detailed failure modes and effects analyses (FMEAs) and functional block analyses (FBAs) have been performed on the plant control system modules to determine the effectiveness of these self-tests. In general, the results indicate that approximately 90 to 99 percent of the faults that could occur will be detected by the diagnostics and will cause the system to assume a default state. These results are also incorporated into the unavailability equations as the percentages of faults that are detectable and/or fail-safe.
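How diagnostic coverage and test interval enter an unavailability equation, as an added illustration using the standard periodic-test approximation rather than the chapter's own equations (which are not reproduced on this page). The 5-minute self-test cycle, quarterly functional test, four-hour repair time and 90 to 99 percent coverage are the chapter's assumptions; the failure rate is a constructed value.

```python
QUARTER_HOURS = 91.25 * 24.0      # quarterly functional/automatic test interval (2190 h)
SELF_TEST_HOURS = 5.0 / 60.0      # self-diagnostic cycle, assumption d
MTTR_HOURS = 4.0                  # repair time for detected failures, assumption e


def unavailability_breakdown(failure_rate_per_hour: float, coverage: float,
                             self_test_hours: float = SELF_TEST_HOURS,
                             test_interval_hours: float = QUARTER_HOURS,
                             mttr_hours: float = MTTR_HOURS) -> dict:
    """Split one module's average unavailability into the part from faults
    the self-diagnostics catch and the part they miss.

    Standard periodic-test approximation (valid while rate * interval << 1):
    a fault caught by the diagnostics is found, on average, half a self-test
    cycle after it occurs and then takes MTTR to repair; a fault they miss is
    found, on average, half a test interval after it occurs.  Detected faults
    drive the module to its default state, which the chapter still counts as
    unavailable, so detection shortens the downtime rather than removing it.
    """
    if not 0.0 <= coverage <= 1.0:
        raise ValueError("coverage must be a fraction between 0 and 1")
    if failure_rate_per_hour * test_interval_hours > 0.1:
        raise ValueError("rate * interval too large for the linear approximation")
    detected = failure_rate_per_hour * coverage * (self_test_hours / 2.0 + mttr_hours)
    undetected = failure_rate_per_hour * (1.0 - coverage) * (test_interval_hours / 2.0 + mttr_hours)
    return {"detected": detected, "undetected": undetected, "total": detected + undetected}


def average_unavailability(failure_rate_per_hour: float, coverage: float, **kwargs) -> float:
    """Average unavailability (fraction of time failed) of one module."""
    return unavailability_breakdown(failure_rate_per_hour, coverage, **kwargs)["total"]


if __name__ == "__main__":
    RATE = 1.0e-5  # constructed failure rate per hour, not a value from the chapter
    for c in (0.90, 0.95, 0.99):
        b = unavailability_breakdown(RATE, c)
        print(f"coverage {c:.2f}: total {b['total']:.3e} "
              f"(detected {b['detected']:.2e}, undetected {b['undetected']:.2e})")
```

Even at 95 percent coverage the few undetected faults dominate the result because they wait for the quarterly test, which is why the chapter's conservative quarterly detection assumption matters more than the repair time.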

Additional test and maintenance assumptions for each of the plant control system functions are described in this chapter.

Control

The plant control system hardware is internally tested on a continuous basis through the application of on-line diagnostics and is functionally tested quarterly to demonstrate operability of all plant control system functions.

Indication

By providing the basic indication functions for the plant, effective testing of the various indication paths is performed during each use of the indications available. Through comparison of the redundant displays, confirmation of correct processing and display can be assumed to be obtained on a continuous basis.

28.2 Performance During Accident Conditions

This section discusses the success criteria for the plant control system assessments following different initiating events. The plant control system provides automatic and manual actuation signals for the systems or functions that have been listed earlier. Each of the initiating events generates an appropriate control demand or actuation to mitigate plant damage. Table 28-1 lists the fault tree names created in modeling the plant control system I&C system. The success criteria for each of these fault trees are described in Table 28-2.

28.3 Initiating Event Review

This section addresses the following two issues: 1) initiating events that impact the availability of the plant control system, and 2) initiating events that can be generated due to the failure of the plant control system.

28.3.1 Initiating Events Impacting the Plant Control System

Control

There are no initiating events that will impact the availability of the plant control system.

Indication

There are no initiating events that will impact the availability of the indication functions supported by the plant control system.

28.3.2 Initiating Event due to Loss of the Plant Control System

Control

Plant control system failure could lead to the failure to actuate or control plant systems. Failure of the plant control system could result in a spurious unplanned change in the state of plant components. This is possible if any one or combinations of the following cabinets fail: control cabinets, logic cabinets, signal selector cabinets, multiplexing cabinets, and communication subsystems. In the case of communications subsystems or signal selector cabinet failure, the manual actuation of the components is still possible by the plant control system. However, failure of logic cabinets or control cabinets can stop the ability of the plant control system to control both automatic and manual actuation of components. This is because the manual signals pass through the logic and control cabinets.


Indication

The indication functions of the plant control system have no direct control over plant component actuation and cannot cause an initiating event by the plant control system. Only by failure to indicate correctly, coupled with failure of all other sources of display, failure of the associated operator action, and failure of the protection systems, is it possible to generate the condition for an initiating event originating from the plant control system indication functions.

28.4 System Logic Model Development

This section presents the logic models used for the quantification of system performance during various conditions. Each model depicts the system, given an initiating event. The top event logic for each model is defined by the success criteria, which are directly related to the initiator.

28.4.1 Assumptions and Boundary Conditions

The following assumptions and boundary conditions apply to the assessment of the plant control system:

a. The level of detail modeled for the plant control system is limited to the circuit board or line replaceable unit level.

b. Wiring and cables are available. Typically, failures of this equipment are experienced at the termination junctions of the transmitting and receiving boards, and the failure rates for wiring are typically much lower than the transmitting and receiving hardware. The effects of these failures are incorporated into the assessed performance of the associated circuits boards. In addition, the level of complexity, coding, and dynamic signaling techniques used in the transmission of data (such as deadman timers and on-line diagnostics) throughout the system force any failures of this type to become uniquely detectable. The effect of these failures is bounded by the performance of the transmitting and receiving circuitry.

c. The automatic tester subsystem is not analyzed in this evaluation, and the communication subsystem, although part of the protection and safety monitoring system, is analyzed for the part that is used for transmitting signals from the protection and safety monitoring system to the plant control system.

d. The self-diagnostic test is conservatively assumed to be automatically completed every five minutes, with an effectiveness in excess of 90 percent for all components that are monitored within the system. The actual effectiveness assigned is dependent on the module under consideration and the function that module is performing. Each value is used in the availability equations that form the basic event data base numbers.

e. A mean time to repair (MTTR) for the I&C components is four hours for the components located in accessible areas during the plant normal operation.


f. No contribution due to random software failure is considered, because software failure falls solely under the category of common mode design failures. Appropriate nodes reflecting the common mode software failure of individual software implementations, as well as common mode failure of all software implementations within the system, are included in the modeling. Development of the software common mode models is discussed later in this chapter.

g. Cards connected directly to computer busses are capable of causing the busses to fail.

h. Pressure transmitters are used to measure pressure, level, or flow parameters.

* The first type of pressure transmitter, used to continuously interface with the reactor pressure and high temperature, measures the following parameters:

  - Pressurizer (PZR) pressure
  - Pressurizer water level
  - Steam generator (SG) narrow-range and wide-range water level
  - Steam generator steam line pressure
  - Startup feedwater flow
  - Reactor coolant pump (RCP) flow

  Common cause failures associated with these transmitters are named CCX-XMTR and/or CCX-XMTR195, as defined in Table 28-9.

* The second type of pressure transmitter, which interfaces with high pressure and/or high temperature following an accident, measures the containment pressure. Common cause failures associated with these transmitters are named CCX-XMTR1.

* The third type of pressure transmitter senses a system pressure (that is, no stringent operating conditions). These transmitters (generally measuring pressure or flow) are used to start a standby loop (such as service water) on the failure of the normally operating one. Common cause failures (CCFs) associated with these transmitters are named CCX-TRNSM.

* A fourth type of pressure transmitter measures in-containment refueling water storage tank (IRWST) low water level. These transmitters sense very low pressure and normal temperature, except during passive residual heat removal (PRHR) actuation. Common cause failures associated with these transmitters are named IWX-XMTR.

i. The automatic testing performed by the automatic tester subsystem comprehensively tests all associated boards and is performed every three months. A manual starting of the automatic tester subsystem is required.

j. The sensors and the field contacts are powered by the same bus of the plant control system, that is, by the Non-1E, 120-vac uninterruptible power supply (UPS).


k. For the plant control system, when a component can be manually actuated at system level as well as component level, the failure of the common part of the chain (such as the logic cabinet) is modeled to reflect that singularity and is integrated with the individual input and output circuits required.

l. Instrument line plugging during plant normal operation is assumed undetectable until variations in plant conditions occur. Given that a plugged line occurs, the sensor/transmitters continue to record the same value as before the plugging occurred. It is assumed that the operator performs a "channel check" every 24 hours. This consists of reading and comparing the values of the same parameter coming from the four divisional sensor/transmitters.

If a large variation on the plant conditions (such as pressure and level) occurs, the sensor/transmitter connected with the plugged instrument line records a value different from the others. This alerts the operator to the degradation of the sensor/transmitter, which is put into a bypass state until the next refueling. This potential downtime is reflected in the development of the sensor unavailabilities.

m. The power source of 120 vac is modeled in all the trees because a power failure is assumed to cause a "stay-as-is" state for the plant control system and may require power for proper operation.

n. The implementation of the I&C subtrees is determined by combining the success criteria (as described in the chapters for which the subtrees are developed), the instrument lists, and information regarding the modeled function (as described in the process block diagrams) listed in Section 28.6.

o. The loss-of-cooling assembly does not affect the board's performance, but failure of the heating, ventilation, and air conditioning (HVAC) fan units has been conservatively included in the modeling of the systems.

p. In case of a blackout, one out of two subsystems of control cabinets and logic cabinets is inoperable. It is assumed in the analysis that the second subsystem works correctly because it is supplied by an uninterruptible power supply.

q. Where many (more than three) independent, diverse sensor measurements are available as inputs for the processing of a particular functional operation, a conservative 1.01E-06 failures/demand rate is assigned to represent the unavailability contribution due to failure of all the associated input sensors.

28.4.2 Fault Tree Models

The plant control system fault tree models included in this section are comprised of I&C subtrees generically labeled as:

SYS-IC - Failure of the plant control system to provide automatic and/or manual actuation signals to plant equipment, incorporating the appropriate parts of the plant control system engineered safety features I&C. There are 62 plant control system I&C subtrees, each of which is detailed in Table 28-2. Note that for each of the 62 I&C subtrees, a list of their associated subtrees is provided. These trees, when linked together according to batch-run files, form the individual I&C subtrees. This is described in detail in the following.

The fault trees for the plant control system I&C subtrees and their associated subtrees can be found in Appendix E.

The fault tree analysis results provide quantitative values of the total system unavailability and the importance of specific components to that total. Table 28-1 provides a brief description of the fault trees modeled. Table 28-2 provides the success criteria summaries for these fault trees. The event file for these trees is listed in Table 28-10.

28.4.3 Description of I&C Subtree Development

The I&C subtrees are developed in a modular fashion that facilitates the construction, assembly, and review of the various I&C subtree functions required for the analysis. To illustrate the application of this method, the CAS-IC1 I&C subtree is used. The trees required to construct the CAS-IC1 I&C subtree are listed in the first column of the second entry in Table 28-2, I&C Subtree Success Criteria. They are (with description):

* CAS-IC01: top tree of CAS-IC1 - Failure to actuate compressor B and V001B

* E1ICAS01: failure control cabinet subsystem 1 analog input modules

* E1OCAS01: failure control cabinet subsystem 1 analog output modules

* E2ICAS01: failure control cabinet subsystem 2 analog input modules

* E2OCAS01: failure control cabinet subsystem 2 analog output modules

* EPICAS01: failure logic cabinet digital input modules

* EPOCAS01: failure logic cabinet output driver modules

* MA1CAS01: failure manual action (human error)

* S1ICAS01: failure of plant control system sensor group 1

* SIICAS01: failure of plant control system sensor group 1 for indication (common cause failure)

* APLLL09: failure of plant control system logic cabinet 9 (auto-non-signal selector cabinet input)

* APLCC02: failure of plant control system control cabinet 2 (auto-non-signal selector cabinet input)

* MPLL09: failure of plant control system logic cabinet 9 (manual)

A discussion of the assembly of these trees is presented in detail. The following paragraphs describe the naming conventions that are used for the tree types. Note that each of the tree names contains a three-character system designator (e.g., CAS) and other unique identifiers. For the top tree, the naming convention is as follows:

SYS-ICXX

where

SYS = the three-character system designator

XX = the two-digit number representing a unique individual I&C subtree number within each system

Exceptions to this convention are as follows:

The "-" is sometimes replaced by a B or P to signify a blackout or loss-of-offsite power (LOOP) tree, respectively.

The XX is sometimes made up of characters and/or numbers (e.g., 01, A1, 99) to accommodate the organization of the I&C subtrees.

The three-character system designators addressed in the PLS are:

CAS CCS CDS CVS ECS MFW MSS RCS RNS SFW SWS TCS VLS VWS

There are two general types of supporting trees. These are cabinet trees and I&C specific trees, the majority of which support the cabinet trees. For the plant control system cabinet trees, the naming convention is as follows:

APLIPC(Y) where Y = B, P, or Y for blackout, LOOP, or yearly frequency analysis, respectively

Note that the APL stands for automatic plant control system, and the IPC indicates the input cabinetry. These cabinet trees are not used for manual actuation.

QPLXYY(Z)

where

Q = A for automatic actuation and M for manual actuation

X = C or L to indicate control cabinet versus logic cabinet, respectively

YY = 01 through 03 for control cabinets, and 01 through 0D (hexadecimal notation) for logic cabinets, to indicate which cabinet of a certain type is being used

Z = B, P, or Y for blackout, LOOP, or yearly frequency analysis, respectively

Note: PL stands for plant control system.

The list of plant control system cabinet trees is as follows:

* Automatic plant control system input cabinets (transient, blackout, LOOP):

APLIPC APLIPCB APLIPCP

* Automatic plant control system control cabinets - signal selector cabinet inputs (transient, blackout, LOOP):

APLC01 APLC01B APLC01P through APLC03 APLC03B APLC03P

* Automatic plant control system logic cabinets - signal selector cabinet inputs (transient, blackout, LOOP):

APLL01 APLL01B APLL01P through APLL0D APLL0DB APLL0DP

* Automatic plant control system control cabinets - non-signal selector cabinet inputs (transient, blackout, LOOP):

APLCC01 APLCC01B APLCC01P through APLCC03 APLCC03B APLCC03P

* Automatic plant control system logic cabinets - non-signal selector cabinet inputs (transient, blackout, LOOP):

APLLL01 APLLL01B APLLL01P through APLLL0D APLLL0DB APLLL0DP

* Manual plant control system control cabinets (transient, blackout, LOOP):

MPLC01 MPLC01B MPLC01P through MPLC03 MPLC03B MPLC03P

* Manual plant control system logic cabinets (transient, blackout, LOOP):

MPLL01 MPLL01B MPLL01P through MPLL0D MPLL0DB MPLL0DP

Tables 28-12 and 28-13 show the assignment of the various plant systems to each of the plant control system cabinets.

For the I&C-specific support trees, the following naming convention is applied:

XXXSYSNN

where

XXX = tree type, where the types with descriptions are as follows:

* EPO: failure of plant control system logic cabinet output driver modules

* EPI: failure of plant control system logic cabinet digital input modules

* MA1: failure of manual action (human error)

* S11: failure of plant control system sensor group 1 (division 1 or single sensor)

* S12: failure of plant control system sensor group 2 (division 2)

* S13: failure of plant control system sensor group 3 (division 3)

* S14: failure of plant control system sensor group 4 (division 4)

* S3D: failure of diverse actuation system sensor groups (common cause failure)

* SC1: failure of plant control system sensor groups (common cause failure)

* SI1: failure of plant control system sensors used for indication (common cause failure)

* E1I: failure of plant control system control cabinet subsystem 1 analog input modules

* E2I: failure of plant control system control cabinet subsystem 2 analog input modules

* E1O: failure of plant control system control cabinet subsystem 1 analog output modules

* E2O: failure of plant control system control cabinet subsystem 2 analog output modules

and SYS = the system designator, where the systems are as follows:

CAS CCS CDS CVS ECS MFW MSS RCS RNS SFW SWS TCS VLS VWS

and NN = the number of the I&C subtree within each system application, where NN is made up of characters and/or numbers (e.g., 01, A1, 99) to accommodate the organization of the I&C subtrees.
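As an added illustration (not part of the PRA or its linking files), the following Python decodes a fault tree name against the conventions above and flags names that violate them, which is the consistency check a reviewer would run over a linking file or over the first column of a Table 28-2 entry. The SYS-ICXX, APLIPC(Y), QPLXYY(Z) and XXXSYSNN patterns, the system designators and the YY ranges are taken from the text; the reading of a doubled cabinet letter (APLCC.., APLLL..) as a non-signal selector cabinet input and of a single letter (APLC.., APLL..) as a signal selector cabinet input is taken from the cabinet tree list, and the function names are the example's own.

```python
"""Decoder and checker for the plant control system fault tree naming
conventions of Section 28.4.3.  Illustrative code, not part of the PRA.
The doubled cabinet letter (APLCC.., APLLL..) is read as "non-signal
selector cabinet input" and a single letter (APLC.., APLL..) as "signal
selector cabinet input", following the cabinet tree list in the text."""
import re

SYSTEMS = {"CAS", "CCS", "CDS", "CVS", "ECS", "MFW", "MSS", "RCS", "RNS",
           "SFW", "SWS", "TCS", "VLS", "VWS"}
CASE = {"": "transient", "B": "blackout", "P": "LOOP", "Y": "yearly frequency"}
SEPARATOR_CASE = {"-": "transient", "B": "blackout", "P": "LOOP"}
SUPPORT_TYPES = {
    "EPO": "logic cabinet output driver modules",
    "EPI": "logic cabinet digital input modules",
    "MA1": "manual action (human error)",
    "S11": "sensor group 1", "S12": "sensor group 2",
    "S13": "sensor group 3", "S14": "sensor group 4",
    "S3D": "DAS sensor groups (common cause)",
    "SC1": "PLS sensor groups (common cause)",
    "SI1": "PLS indication sensors (common cause)",
    "E1I": "control cabinet subsystem 1 analog input modules",
    "E2I": "control cabinet subsystem 2 analog input modules",
    "E1O": "control cabinet subsystem 1 analog output modules",
    "E2O": "control cabinet subsystem 2 analog output modules",
}
MAX_CABINET = {"control": 0x03, "logic": 0x0D}   # YY = 01..03 and 01..0D (hex)

TOP_RE = re.compile(r"^(?P<sys>[A-Z]{3})(?P<sep>[-BP])IC(?P<xx>[0-9A-Z]{1,2})$")
INPUT_RE = re.compile(r"^APLIPC(?P<case>[BPY]?)$")
CABINET_RE = re.compile(
    r"^(?P<q>[AM])PL(?P<x>CC|LL|C|L)(?P<yy>[0-9A-F]{2})(?P<case>[BPY]?)$")
SUPPORT_RE = re.compile(r"^(?P<type>%s)(?P<sys>[A-Z]{3})(?P<nn>[0-9A-Z]{2})$"
                        % "|".join(SUPPORT_TYPES))


def _check_system(name, sys):
    if sys not in SYSTEMS:
        raise ValueError(f"{name}: {sys} is not a PLS system designator")


def decode(name):
    """Describe a tree name, or raise ValueError if it matches no convention
    or violates a stated range (system designator, cabinet number)."""
    if m := TOP_RE.match(name):
        _check_system(name, m["sys"])
        return {"kind": "top", "system": m["sys"], "subtree": m["xx"],
                "case": SEPARATOR_CASE[m["sep"]]}
    if m := INPUT_RE.match(name):
        return {"kind": "input cabinet", "actuation": "automatic",
                "case": CASE[m["case"]]}
    if m := CABINET_RE.match(name):
        kind = "control" if m["x"][0] == "C" else "logic"
        number = int(m["yy"], 16)
        if not 1 <= number <= MAX_CABINET[kind]:
            raise ValueError(f"{name}: {kind} cabinet {m['yy']} outside "
                             f"01..{MAX_CABINET[kind]:02X}")
        info = {"kind": f"{kind} cabinet", "cabinet": number,
                "actuation": "automatic" if m["q"] == "A" else "manual",
                "case": CASE[m["case"]]}
        if m["q"] == "A":   # the single/doubled letter distinction is only made for automatic trees
            info["input"] = ("non-signal selector" if len(m["x"]) == 2
                             else "signal selector")
        return info
    if m := SUPPORT_RE.match(name):
        _check_system(name, m["sys"])
        return {"kind": "support", "type": SUPPORT_TYPES[m["type"]],
                "system": m["sys"], "subtree": m["nn"]}
    raise ValueError(f"{name}: matches no PLS fault tree naming convention")


def check_names(names):
    """Return one reason string per name in `names` that fails decode();
    an empty list means the whole set follows the conventions."""
    problems = []
    for n in names:
        try:
            decode(n)
        except ValueError as e:
            problems.append(str(e))
    return problems


if __name__ == "__main__":
    for n in ("CAS-IC01", "CASPIC01", "APLLL09P", "MPLL09", "S11CAS01", "APLIPCB"):
        print(n, decode(n))
    print(check_names(["APLC04", "APLL0E", "EPOXYZ01"]))
```

Running the module decodes the CAS-IC1 tree names and reports three deliberately malformed names (a control cabinet above 03, a logic cabinet above 0D, and an unknown system designator).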

To construct an I&C subtree, a top tree is first generated. For this example, to generate the CAS-IC1 I&C subtree, the top tree CAS-IC01 is developed. When fully developed, linked, and quantified, the output of the CAS-IC01 top tree is named to correspond with the I&C subtree name, CAS-IC1, to support linking and quantification of the calling system trees.

The logic of the CAS-IC01 top tree shows that both automatic and manual actuations must fail to cause total actuation failure. Note that the top branch is composed of two contributory elements: failure of automatic and manual plant control, and common mode software failure of all boards (CCX-SFTW). Failure of either element causes failure of the actuation. The plant control branch is composed of two elements: failure of automatic plant control and failure of manual plant control (SUB-MPLL09), both of which must fail to cause total failure of the actuation. The SUB prefix in SUB-MPLL09 indicates that the MPLL09 cabinet tree will be linked into this tree. From the list above, the MPLL09 cabinet tree represents failure of the plant control system manual logic cabinet 9 actuation. Expansion of the MPLL09 tree is discussed in the following.

The automatic branch of CAS-IC01 shows that failure of either the logic control (logic cabinet) or the control group (control cabinet) actuation path causes total failure of the automatic actuation for this case. The plant control system automatic actuation failure branch calls SUB-APLLL09 and SUB-APLCC02 for the logic cabinet and control cabinet, respectively. From the list above, the APLLL09 cabinet tree represents failure of the automatic plant control system logic cabinet 9 (non-signal selector cabinet input), and the APLCC02 cabinet tree represents failure of the automatic plant control system control cabinet 2. Expansion of the APLLL09 and APLCC02 trees is discussed in the following. Simplified versions of the files that perform the naming and linking of the trees are shown in Table 28-3.

At this point in the discussion, top tree CAS-IC01 and the immediate subtrees it calls have been addressed. This can be represented as follows, where indentation indicates called subtrees, and <= indicates the renaming of the application-specific output file for linking as a generic name. (Called trees with no <= indicate that the called name is a specific rather than a generic call. Therefore, the called name is exactly the same as the supporting tree name, and no renaming is required.)

CAS-IC1 <= CAS-IC01
    MPLL09
    APLLL09
    APLCC02

The MPLL09 tree models the logic of the manual MUX and logic cabinets. Using the same format as presented before, the subtrees that are called from the MPLL09 tree are as follows:

MPLL09
    EPO <= EPOCAS01
    ESFOPER <= MA1CAS01
    CCXSNRS2 <= SI1CAS01
    ED1EA11
    ED1EA2

Note: The MPLL09 tree always calls ED1EA11 and ED1EA2, but the actual trees used for the EPO, ESFOPER, and CCXSNRS2 calls depend on the application; hence, EPOCAS01, MA1CAS01, and SI1CAS01 are assigned, respectively, in this case.

The APLLL09 tree models the logic of the automatic plant control system logic cabinets. The subtrees that are called from the APLLL09 tree are as follows:

APLLL09
    EPO <= EPOCAS01
    EPI1 <= EPICAS01
    PLSENSOR <= S11CAS01
    ED1EA11
    ED1EA2

Note: The APLLL09 tree always calls ED1EA11 and ED1EA2, but the actual trees used for the EPO, EPI1, and PLSENSOR calls depend on the application; hence, EPOCAS01, EPICAS01, and S11CAS01 are assigned, respectively, in this case.

The APLCC02 tree models the logic of the automatic plant control system control cabinets. The subtrees that are called from the APLCC02 tree are as follows:

APLCC02
    EAO1 <= E1OCAS01
    EAO2 <= E2OCAS01
    EAI1 <= E1ICAS01
    EAI2 <= E2ICAS01
    PLSENSOR <= S11CAS01
    ED1EA11
    ED1EA2

Note: The APLCC02 tree always calls ED1EA11 and ED1EA2, but the actual trees used for the EAO1, EAO2, EAI1, EAI2, and PLSENSOR calls depend on the application; hence, E1OCAS01, E2OCAS01, E1ICAS01, E2ICAS01, and S11CAS01 are assigned, respectively, in this case.

Combining the information shown previously, the full CAS-IC1 tree is then expanded as follows:

CAS-IC1 <= CAS-IC01
    MPLL09
        EPO <= EPOCAS01
        ESFOPER <= MA1CAS01
        CCXSNRS2 <= SI1CAS01
        ED1EA11
        ED1EA2
    APLLL09
        EPO <= EPOCAS01
        EPI1 <= EPICAS01
        PLSENSOR <= S11CAS01
        ED1EA11
        ED1EA2
    APLCC02
        EAO1 <= E1OCAS01
        EAO2 <= E2OCAS01
        EAI1 <= E1ICAS01
        EAI2 <= E2ICAS01
        PLSENSOR <= S11CAS01
        ED1EA11
        ED1EA2

By using this modular fault tree-linking methodology, trees that are called by many I&C subtree functions (such as the cabinet trees) can be created and reviewed once, and then configured in the overall I&C subtree linking along with the appropriate supporting input trees as many times as required. This removes the need for the same tree to be explicitly modeled repeatedly in multiple trees.

The linking of the I&C subtrees is performed automatically using a set of batch-run files to execute the running, renaming, and linking of the trees. Simplified versions of those files are shown in Table 28-3 to facilitate review of the I&C subtrees.
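The following Python is an added example (not the PRA's batch files or fault tree code) of the modular linking just described. Cabinet trees are written once with generic input names; a per-application map plays the role of the <= renaming for CAS-IC1; the top tree logic (OR of the plant control branch and CCX-SFTW, AND of the automatic and manual paths, OR of the logic and control cabinet paths) follows the text. The internal logic of the cabinet trees is not given in the chapter, so a single OR of their called trees is assumed here, and every basic event unavailability is a constructed placeholder except CCX-SFTW, which uses the 1.2E-06 per demand software common mode value quoted in Section 28.5.3. The example quantifies the linked tree two ways: from minimal cut sets, which is what fault tree codes do, and by the per-gate OR-sum/AND-product rule applied literally. The two differ here because the same supporting trees (EPOCAS01, ED1EA11, ED1EA2) feed both the automatic and the manual input of the AND gate; per-gate multiplication treats the two inputs as independent and understates the result.

```python
"""Modular I&C fault tree linking and quantification.

Illustrative code, not the PRA's linking files.  A tree is a dict mapping a
gate name to (gate type, list of inputs).  An input is another gate, a basic
event, a 'SUB-' call to a cabinet tree, or a generic name (EPO, PLSENSOR, ...)
that the per-application map resolves, playing the role of the '<=' renaming.
All probabilities are constructed placeholders except CCX-SFTW, which uses the
1.2E-06/demand software common mode value from Section 28.5.3."""
from itertools import product
from math import prod

# Top tree of CAS-IC1 as described in the text: actuation fails if the plant
# control branch fails OR the common mode software event occurs; the plant
# control branch fails only if BOTH the automatic and the manual path fail.
TOP_TREE = {
    "CAS-IC01":  ("OR",  ["PLC-FAIL", "CCX-SFTW"]),
    "PLC-FAIL":  ("AND", ["AUTO-FAIL", "SUB-MPLL09"]),
    "AUTO-FAIL": ("OR",  ["SUB-APLLL09", "SUB-APLCC02"]),
}

# Cabinet trees, written once and reused by every I&C subtree.  Their internal
# logic is not given in the text; a single OR of the called trees is ASSUMED.
CABINET_TREES = {
    "MPLL09":  ("OR", ["EPO", "ESFOPER", "CCXSNRS2", "ED1EA11", "ED1EA2"]),
    "APLLL09": ("OR", ["EPO", "EPI1", "PLSENSOR", "ED1EA11", "ED1EA2"]),
    "APLCC02": ("OR", ["EAO1", "EAO2", "EAI1", "EAI2", "PLSENSOR",
                       "ED1EA11", "ED1EA2"]),
}

# Application-specific assignment for CAS-IC1 (the '<=' renaming step).
CAS_IC1_MAP = {
    "EPO": "EPOCAS01", "ESFOPER": "MA1CAS01", "CCXSNRS2": "SI1CAS01",
    "EPI1": "EPICAS01", "PLSENSOR": "S11CAS01",
    "EAO1": "E1OCAS01", "EAO2": "E2OCAS01",
    "EAI1": "E1ICAS01", "EAI2": "E2ICAS01",
}

# Constructed per-demand unavailabilities for the supporting trees.
PROB = {
    "EPOCAS01": 1.0e-4, "EPICAS01": 1.0e-4,
    "E1OCAS01": 1.0e-4, "E2OCAS01": 1.0e-4,
    "E1ICAS01": 1.0e-4, "E2ICAS01": 1.0e-4,
    "S11CAS01": 2.0e-4, "SI1CAS01": 2.0e-4,
    "MA1CAS01": 1.0e-2,                    # manual action (human error)
    "ED1EA11": 1.0e-3, "ED1EA2": 1.0e-3,   # always-called support trees
    "CCX-SFTW": 1.2e-6,                    # software common mode, Section 28.5.3
}


def link(top, cabinets, rename):
    """Merge the top tree with the cabinet trees it calls, resolving 'SUB-'
    links and generic names so every input is a merged gate or a basic event."""
    def resolve(name):
        if name.startswith("SUB-"):
            return name[4:]
        return rename.get(name, name)
    merged = {}
    for tree in (top, cabinets):
        for gate, (kind, inputs) in tree.items():
            merged[gate] = (kind, [resolve(i) for i in inputs])
    return merged


def minimal_cut_sets(gates, node):
    """Minimal cut sets of `node` as a set of frozensets (top-down expansion)."""
    if node not in gates:                       # basic event
        return {frozenset([node])}
    kind, inputs = gates[node]
    children = [minimal_cut_sets(gates, c) for c in inputs]
    if kind == "OR":
        sets = set().union(*children)
    else:                                       # AND: one cut set from each input, merged
        sets = {frozenset().union(*combo) for combo in product(*children)}
    return {s for s in sets if not any(o < s for o in sets)}   # drop non-minimal sets


def rare_event(cutsets, prob):
    """Rare-event approximation: sum over cut sets of the product of event probabilities."""
    return sum(prod(prob[e] for e in cs) for cs in cutsets)


def gate_by_gate(gates, node, prob):
    """Section 28.5.2 rule applied literally (OR sums, AND multiplies).  Exact
    only when no basic event reaches an AND gate through more than one input."""
    if node not in gates:
        return prob[node]
    kind, inputs = gates[node]
    vals = [gate_by_gate(gates, c, prob) for c in inputs]
    return sum(vals) if kind == "OR" else prod(vals)


def quantify_cas_ic1():
    """Link CAS-IC1 and return (minimal cut sets, cut-set result, per-gate result)."""
    gates = link(TOP_TREE, CABINET_TREES, CAS_IC1_MAP)
    mcs = minimal_cut_sets(gates, "CAS-IC01")
    return mcs, rare_event(mcs, PROB), gate_by_gate(gates, "CAS-IC01", PROB)


if __name__ == "__main__":
    mcs, q_mcs, q_gate = quantify_cas_ic1()
    print(f"{len(mcs)} minimal cut sets; cut-set Q = {q_mcs:.3e}; per-gate Q = {q_gate:.3e}")
    for cs in sorted(mcs, key=lambda s: (len(s), sorted(s))):
        print("  ", " * ".join(sorted(cs)))
```

With the placeholder values the single-event cut sets EPOCAS01, ED1EA11, ED1EA2 and CCX-SFTW dominate, because a failure of a tree shared by the manual and automatic paths defeats both at once; the literal per-gate product of the two paths is more than an order of magnitude lower. Checking which basic events appear under more than one input of an AND gate is therefore a worthwhile review step whenever cabinet trees are reused this way.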

28.4.4 Human Interactions

Generally, human interactions are modeled in the plant control system fault trees where operator action is needed to initiate a manual control demand or actuation. Note that for the I&C subtrees in which only manual action and no automatic action is credited, the human interactions are generally modeled in the calling system level trees and not in the I&C subtrees. This is done to facilitate the correct development of the logic in those system level trees. Table 28-8 lists a summary of the human errors included as basic events in the two reactor trip system fault trees. Note that the details on the calculation of human errors are discussed in Chapter 30.

28.5 Discussion of Methodology

The following subsections present the methods that have been applied in this analysis. These are fault tree analysis (FTA), by which the system level results are calculated; data manipulation, in which the individual part failure rates are obtained and processed for use in the fault tree analyses as unavailabilities and failure probabilities; and common mode failure analysis, in which the contributions of common faults across redundant portions of the design are calculated.

28.5.1 Fault Tree Analysis

The availability and reliability of the plant control system I&C systems are demonstrated using the fault tree analysis methodology. The fault tree analysis method uses a quantified logic diagram showing the various paths of failures and combinations of failures that can lead to an undesired event for the system being studied. The fault tree analysis determines the probability of occurrence of each part as well as the logical sum of the probabilities, which is the probability of failure of the undesired event of the system as a whole. The fault tree analysis methodology applied is consistent with the specification for reliability assessments in ANSI/IEEE-352-1987.

The following paragraphs discuss the key fault tree analysis modeling and quantification methods used in the analyses. The first portion of the discussion is applicable to the spurious failure-rate-per-year calculations, and the latter portion of the discussion applies to the fault tree analyses that are performed to produce unavailability or failure-upon-demand results.

28.5.2 Unavailability

For the plant control system I&C analyses, the application of the fault tree analyses for the failure-on-demand cases is performed using the standard fault tree analysis unavailability application, where ORed events effectively sum the event unavailabilities, and ANDed events have their respective unavailabilities multiplied. The result from the fault tree analyses directly produces the final unavailabilities, and no further processing is performed. This is the standard method used for evaluation of fault tree analyses to give system level unavailabilities.

28.5.3 Common Cause Failures

Several common cause failures within the plant control system are considered credible and accounted for explicitly during construction of the fault trees. Mainly two common cause failures are identified: hardware common cause failures due to the use of the same type of boards for many subsystems, and software common cause failures.


The hardware common cause failure evaluations are based on the multiple Greek letter (MGL) method, which uses beta, gamma, and delta factors to represent the conditional probabilities of second-, third-, and fourth-order failures, respectively, due to common cause. These factors are then applied to the random hardware failure probabilities to produce the common cause failure probabilities. Both common cause failures of components within a system and common cause failures of components across systems are addressed. It should be noted that the method used in calculating the multiple Greek letter factors for the hardware common cause failure includes a substantial contribution due to the inclusion of software in the design. This inclusion is deliberately left in the analysis as an added measure of conservatism when considering the potential impacts of software failures on the system, in addition to the contributions for software common mode failure described in the following.

The software common cause failure evaluations are based on a model that incorporates a number of factors that can affect the development and implementation of the software modules. This model yields a resultant software common mode unavailability of 1.1E-05 failures/demand for any particular software module, and a software common mode unavailability of 1.2E-06 failures/demand for software failures that would manifest themselves across all types of software modules, derived from the same basic design program, in all applications.

The supporting common cause failures used in the analyses are presented in Table 28-9. The data files used for quantification are included in Chapter 32.

28.5.4 Data Manipulation

This section discusses how individual component unavailabilities and probabilities of failure are computed for input into the logic in the fault trees.

The data used in this analysis are computed based upon the following generic formulas for computing component unavailability:

Unavailability: A = MTTR / (MTTF + MTTR)

where

MTTF = mean time to failure

MTTR = mean time to repair

These simple formulas are enhanced to correctly model the board utilization for multiple channel boards and the fault tolerance of the component using the following factors:

* ADJ - The adjust factor is used to adjust the component failure rate based on the percentage of the component's hardware needed to perform the function modeled. For example, the failure rate for a four-channel input module that uses only one channel to perform the required function is adjusted appropriately with the ADJ factor to account for the fact that only failures of the channel used and any hardware that is common to all of the channels can affect the required function performed by the module.

* FD - The fail-danger factor is used to apportion failures that are undetectable or result in the nondefault or undesired state. This factor is derived from the results of the failure modes and effects analyses and functional block analyses.

The following discussion explains the data manipulations performed for the data sets used in quantifying failure-upon-demand plant control system configurations. The component unavailability is computed as follows:

A_T = 1 - (MTTF/ADJ) / ((MTTF/ADJ) + FD*T/2 + MTTR)

In this case, the mean time to failure is adjusted only by the adjust term, since both fail-safe and fail-danger failures are being considered. The fail-danger term, though, is used to add the additional downtime experienced by the system due to undetected failures. In this case, the average amount of downtime experienced due to undetected failures is computed by apportioning the mission-time-divided-by-two term (T/2) by the percentage of failures that can result in the nonsafe and undetectable state.

Failure probabilities calculated in this section are shown in Table 28-7.
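An added example (not Table 28-7 or Table 28-9 data) that carries the two calculations of this section and of Section 28.5.3 through in Python: the component unavailability A_T with the ADJ, FD and T terms as defined above, then the multiple Greek letter split of a component's total failure probability into independent and common cause terms. The MGL expressions used are the standard ones (rho_1 = 1, rho_2 = beta, rho_3 = gamma, rho_4 = delta, rho_(m+1) = 0; Q_k = rho_1 * ... * rho_k * (1 - rho_(k+1)) * Q_t / C(m-1, k-1)); the text states only that beta, gamma and delta are the conditional probabilities of second-, third- and fourth-order failures, so that formulation, and every numeric input below, is this example's assumption. The last function shows why the per-module software common mode value (1.1E-05 per demand, from Section 28.5.3), rather than hardware redundancy, ends up bounding a redundant group's failure on demand.

```python
"""Component unavailability (Section 28.5.4) and multiple Greek letter common
cause split (Section 28.5.3).  Illustrative code, not the PRA's data files;
MTTF, MTTR, ADJ, FD and the MGL factors used below are constructed placeholders,
not Table 28-7 or Table 28-9 values."""
from math import comb, prod

MISSION_TIME_H = 24.0              # mission time T, as used throughout Table 28-2
SOFTWARE_CCF_PER_MODULE = 1.1e-5   # software common mode for one module type (Section 28.5.3)


def simple_unavailability(mttf_h, mttr_h):
    """Generic formula before adjustment: A = MTTR / (MTTF + MTTR)."""
    return mttr_h / (mttf_h + mttr_h)


def component_unavailability(mttf_h, mttr_h, adj, fd, mission_h=MISSION_TIME_H):
    """A_T = 1 - (MTTF/ADJ) / ((MTTF/ADJ) + FD*T/2 + MTTR).

    adj: fraction of the module's hardware whose failure defeats the modelled
         function (e.g. one of four channels plus the common circuitry);
         dividing MTTF by it scales the effective failure rate by ADJ.
    fd:  fraction of failures that are undetected and leave the module in the
         undesired state; on average they persist for T/2, which is added to
         the repair downtime in the denominator."""
    eff_mttf = mttf_h / adj
    return 1.0 - eff_mttf / (eff_mttf + fd * mission_h / 2.0 + mttr_h)


def mgl_split(q_total, factors, group_size):
    """Split a component's total failure probability into Q_k, the probability
    that a specific set of exactly k components in a common cause group of
    size m fails together (standard MGL formulation, assumed here):

        rho_1 = 1, rho_2 = beta, rho_3 = gamma, rho_4 = delta, ..., rho_(m+1) = 0
        Q_k = rho_1 * ... * rho_k * (1 - rho_(k+1)) * q_total / C(m-1, k-1)

    `factors` is (beta, gamma, delta, ...); entries beyond m-1 are ignored."""
    rho = [1.0] + list(factors[:group_size - 1]) + [0.0]
    return {k: prod(rho[:k]) * (1.0 - rho[k]) * q_total / comb(group_size - 1, k - 1)
            for k in range(1, group_size + 1)}


def all_fail_probability(q_total, factors, group_size, software_ccf=0.0):
    """Failure on demand of an m-fold redundant group that needs every member:
    the independent term Q_1**m, the m-th order hardware common cause term, and
    a software common mode event that defeats all members at once (rare-event sum)."""
    q = mgl_split(q_total, factors, group_size)
    return q[1] ** group_size + q[group_size] + software_ccf


if __name__ == "__main__":
    a = component_unavailability(mttf_h=100_000, mttr_h=24, adj=0.4, fd=0.5)
    print(f"module unavailability A_T = {a:.4e}")
    split = mgl_split(a, factors=(0.1, 0.5, 0.5), group_size=4)
    for k, q_k in split.items():
        print(f"Q_{k} = {q_k:.3e}")
    print("4-of-4 group failure incl. software CCF = "
          f"{all_fail_probability(a, (0.1, 0.5, 0.5), 4, SOFTWARE_CCF_PER_MODULE):.3e}")
```

Two properties are worth checking on any MGL implementation: the terms must add back to the total (Q_1 + 3 Q_2 + 3 Q_3 + Q_4 = Q_t for a group of four), and the independent term Q_1**m falls away so fast with m that the group result is set by Q_m and by any software common mode event, which is the observation behind the conservatism noted in Section 28.5.3.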


Table 28-1

LIST OF SYSTEM FAULT TREES

Fault Tree Name Description

SYS-IC Failure of the I&C systems to provide automatic and/or manual actuation signals to plant equipment, incorporating the appropriate parts of the plant control system and diverse actuation system.


Table 28-2 (Sheet 1 of 22)

FAULT TREE SUCCESS CRITERIA SUMMARY

Columns: Fault Tree (top tree and supporting trees), Event Description, System Success Configuration, Initial Status, Mission Time, Components Required to Change Status, Initiating Signals, Operator Actions. For every entry on this sheet: System Success Configuration = accurately accept inputs, process information, and actuate control signals; Initial Status = all channels operational; Mission Time = 24 hours; Components Required to Change Status = actuate output driver modules.

CAS-IC1P (top tree CASPIC01)
    Supporting trees: E1ICAS01, E1OCAS01, E2ICAS01, E2OCAS01, EPICAS01, EPOCAS01, MA1CAS01, S11CAS01, SI1CAS01, APLLL09P, APLCC02P, MPLL09P
    Event description: Failure to actuate compressor B and V001B (loop)
    Initiating signals and operator actions: as defined in Chapter 30, Table 30-2

CAS-IC1 (top tree CAS-IC01)
    Supporting trees: E1ICAS01, E1OCAS01, E2ICAS01, E2OCAS01, EPICAS01, EPOCAS01, MA1CAS01, S11CAS01, SI1CAS01, APLLL09, APLCC02, MPLL09
    Event description: Failure to actuate compressor B and V001B
    Initiating signals and operator actions: as defined in Chapter 30, Table 30-2

CAS-IC2P (top tree CASPIC02)
    Supporting trees: E1ICAS02, E1OCAS02, E2ICAS02, E2OCAS02, EPICAS02, EPOCAS02, S11CAS02, APLLL09P, APLCC02P
    Event description: Failure to control compressor A (loop)
    Initiating signals and operator actions: as defined in Chapter 30, Table 30-2

Table 28-2 (Sheet 2 of 22)

FAULT TREE SUCCESS CRITERIA SUMMARY

For every entry on this sheet: System Success Configuration = accurately accept inputs, process information, and actuate control signals; Initial Status = all channels operational; Mission Time = 24 hours; Components Required to Change Status = actuate output driver modules.

CAS-IC2 (top tree CAS-IC02)
    Supporting trees: E1ICAS02, E1OCAS02, E2ICAS02, E2OCAS02, EPICAS02, EPOCAS02, S11CAS02, APLLL09, APLCC02
    Event description: Failure to control compressor A
    Initiating signals and operator actions: as defined in Chapter 30, Table 30-2

CAS-IC3P (top tree CASPIC03)
    Supporting trees: E1ICAS03, E1OCAS03, E2ICAS03, E2OCAS03, EPICAS03, EPOCAS03, S11CAS03, APLLL09P, APLCC02P
    Event description: Failure to control compressor B (loop)
    Initiating signals and operator actions: as defined in Chapter 30, Table 30-2

CAS-IC3 (top tree CAS-IC03)
    Supporting trees: E1ICAS03, E1OCAS03, E2ICAS03, E2OCAS03, EPICAS03, EPOCAS03, S11CAS03, APLLL09, APLCC02
    Event description: Failure to control compressor B
    Initiating signals and operator actions: as defined in Chapter 30, Table 30-2

Table 28-2 (Sheet 3 of 22)

FAULT TREE SUCCESS CRITERIA SUMMARY

For every entry on this sheet: System Success Configuration = accurately accept inputs, process information, and actuate control signals; Initial Status = all channels operational; Mission Time = 24 hours; Components Required to Change Status = actuate output driver modules.

CAS-IC4P (top tree CASPIC04)
    Supporting trees: E1ICAS04, E1OCAS04, E2ICAS04, E2OCAS04, EPICAS04, EPOCAS04, MA1CAS04, S11CAS04, SI1CAS04, APLLL09P, APLCC02P, MPLL09P
    Event description: Failure to actuate compressor A (loop)
    Initiating signals and operator actions: as defined in Chapter 30, Table 30-2

CAS-IC5 (top tree CAS-IC05)
    Supporting trees: E1ICAS05, E1OCAS05, E2ICAS05, E2OCAS05, EPICAS05, EPOCAS05, S11CAS05, APLLL09Y, APLCC02Y
    Event description: Failure to control compressor A (yearly)
    Initiating signals and operator actions: as defined in Chapter 30, Table 30-2

CCS-IC1 (top tree CCS-IC01)
    Supporting trees: E1ICCS01, E1OCCS01, E2ICCS01, E2OCCS01, EPICCS01, EPOCCS01, MA1CCS01, S11CCS01, SI1CCS01, APLLL01, APLCC01, MPLL01
    Event description: Failure to actuate standby pump sub-loop B
    Initiating signals and operator actions: as defined in Chapter 19, Table 19-2

Table 28-2 (Sheet 4 of 22)

FAULT TREE SUCCESS CRITERIA SUMMARY

For every entry on this sheet: System Success Configuration = accurately accept inputs, process information, and actuate control signals; Initial Status = all channels operational; Mission Time = 24 hours; Components Required to Change Status = actuate output driver modules.

CCS-IC2P (top tree CCSPIC02)
    Supporting trees: E1OCCS02, E2ICCS02, E2OCCS02, EPICCS02, EPOCCS02, MA1CCS02, S11CCS02, SI1CCS02, APLLL01P, APLCC01P, MPLL01P
    Event description: Failure to actuate pump sub-loop A (loop)
    Initiating signals and operator actions: as defined in Chapter 19, Table 19-2

CCS-IC3P (top tree CCSPIC03)
    Supporting trees: E1OCCS03, E2ICCS03, E2OCCS03, EPICCS03, EPOCCS03, MA1CCS03, S11CCS03, SI1CCS03, APLLL01P, APLCC01P, MPLL01P
    Event description: Failure to actuate standby pump sub-loop B (loop)
    Initiating signals and operator actions: as defined in Chapter 19, Table 19-2

Table 28-2 (Sheet 5 of 22)

FAULT TREE SUCCESS CRITERIA SUMMARY

For every entry on this sheet: System Success Configuration = accurately accept inputs, process information, and actuate control signals; Initial Status = all channels operational; Mission Time = 24 hours; Components Required to Change Status = actuate output driver modules.

CCS-IC3 (top tree CCS-IC03)
    Supporting trees: E1OCCS03, E2ICCS03, E2OCCS03, EPICCS03, EPOCCS03, MA1CCS03, S11CCS03, SI1CCS03, APLLL01, APLCC01, MPLL01
    Event description: Failure to actuate standby pump sub-loop B
    Initiating signals and operator actions: as defined in Chapter 19, Table 19-2

CDS-IC1 (top tree CDS-IC01)
    Supporting trees: E1OCDS01, E2ICDS01, E2OCDS01, EPICDS01, EPOCDS01, S11CDS01, APLCC03, APLLL0D
    Event description: Failure to start CDS pump B (automatic)
    Initiating signals and operator actions: as defined in Chapter 16, Table 16-2

CDS-IC2 (top tree CDS-IC02)
    Supporting trees: E1OCDS02, E2ICDS02, E2OCDS02, EPICDS02, EPOCDS02, S11CDS02, APLCC03, APLLL0D
    Event description: Failure to control air-operated valve V022
    Initiating signals and operator actions: as defined in Chapter 16, Table 16-2

Table 28-2 (Sheet 6 of 22)

FAULT TREE SUCCESS CRITERIA SUMMARY

For every entry on this sheet: System Success Configuration = accurately accept inputs, process information, and actuate control signals; Initial Status = all channels operational; Mission Time = 24 hours; Components Required to Change Status = actuate output driver modules.

CDS-IC3 (top tree CDS-IC03)
    Supporting trees: E1ICDS03, E1OCDS03, E2ICDS03, E2OCDS03, EPICDS03, EPOCDS03, S11CDS03, APLCC03, APLLL0D
    Event description: Failure to control air-operated valve V025
    Initiating signals and operator actions: as defined in Chapter 16, Table 16-2

CVS-IC1 (top tree CVS-IC01)
    Supporting trees: EPOCVS01, MA1CVS01, SI1CVS01, MPLL03
    Event description: Failure to start CVS pump A (manual)
    Initiating signals and operator actions: as defined in Chapter 17, Table 17-2

CVS-IC2 (top tree CVS-IC02)
    Supporting trees: EPOCVS02, MA1CVS02, SI1CVS02, MPLL03
    Event description: Failure to start CVS pump B (manual)
    Initiating signals and operator actions: as defined in Chapter 17, Table 17-2

CVS-IC3 (top tree CVS-IC03)
    Supporting trees: EPOCVS03, MA1CVS03, S11CVS03, S12CVS03, S13CVS03, S14CVS03, SC1CVS03, APLIPC, APLL03
    Event description: Failure to start CVS pump A (automatic)
    Initiating signals and operator actions: as defined in Chapter 17, Table 17-2

Table 28-2 (Sheet 7 of 22)

FAULT TREE SUCCESS CRITERIA SUMMARY

For every entry on this sheet: System Success Configuration = accurately accept inputs, process information, and actuate control signals; Initial Status = all channels operational; Mission Time = 24 hours; Components Required to Change Status = actuate output driver modules.

CVS-IC9 (top tree CVS-IC09)
    Supporting trees: EPOCVS09, MA1CVS09, S11CVS09, S12CVS09, S13CVS09, S14CVS09, SC1CVS09, SI1CVS09, APLIPC, APLL03, MPLL03
    Event description: Failure to trip CVS pump
    Initiating signals and operator actions: as defined in Chapter 17, Table 17-2

CVS-IC10 (top tree CVS-IC10)
    Supporting trees: EPOCVS10, MA1CVS10, S11CVS10, S12CVS10, S13CVS10, S14CVS10, SC1CVS10, SI1CVS10, APLIPC, APLL03, MPLL03
    Event description: Failure to trip startup feedwater pump
    Initiating signals and operator actions: as defined in Chapter 17, Table 17-2

CVS-IC11 (top tree CVS-IC11)
    Event description: Failure to alarm low boric acid tank level
    Initiating signals and operator actions: as defined in Chapter 17, Table 17-2

Table 28-2 (Sheet 8 of 22)

FAULT TREE SUCCESS CRITERIA SUMMARY

For every entry on this sheet: System Success Configuration = accurately accept inputs, process information, and actuate control signals; Initial Status = all channels operational; Mission Time = 24 hours; Components Required to Change Status = actuate output driver modules.

ECS-IC1B (top tree ECSBIC01)
    Supporting trees: E1IECS01, E1OECS01, E2IECS01, E2OECS01, EPIECS01, EPOECS01, MA1ECS01, S11ECS01, SI1ECS01, APLLL05B, APLCC01B, MPLL05B
    Event description: Failure to start diesel generator 1 (blackout)
    Initiating signals and operator actions: as defined in Chapter 24, Table 24-2

ECS-IC2B (top tree ECSBIC02)
    Supporting trees: E1IECS02, E1OECS02, E2IECS02, E2OECS02, EPIECS02, EPOECS02, MA1ECS02, S11ECS02, SI1ECS02, APLLL05B, APLCC01B, MPLL05B
    Event description: Failure to start diesel generator 2 (blackout)
    Initiating signals and operator actions: as defined in Chapter 24, Table 24-2

Table 28-2 (Sheet 9 of 22)

FAULT TREE SUCCESS CRITERIA SUMMARY

Event / Fault Tree | Description | Success Configuration | Initial Status | Mission Time | Components Required to Change Status | Initiating Signals | Operator Actions

ECS-IC3B | Failure to open motor generator breaker (blackout) | Accurately accept inputs, process information, and actuate control signals | All channels operational | 24 hours | Actuate output driver modules | As defined in Chapter 24, Table 24-2 | As defined in Chapter 24, Table 24-2
    Fault tree events: ECSBIC03 E1IECS03 E1OECS03 E2IECS03 E2OECS03 EPIECS03 EPOECS03 MA1ECS03 S11ECS03 SI1ECS03 APLLL05B APLCC01B MPLL05B

ECS-IC4B | Failure to open motor generator breaker (blackout) | Accurately accept inputs, process information, and actuate control signals | All channels operational | 24 hours | Actuate output driver modules | As defined in Chapter 24, Table 24-2 | As defined in Chapter 24, Table 24-2
    Fault tree events: ECSBIC04 E1IECS04 E1OECS04 E2IECS04 E2OECS04 EPIECS04 EPOECS04 MA1ECS04 S11ECS04 SI1ECS04 APLLL05B APLCC01B MPLL05B

MFW-IC1 | Failure to control main feedwater air-operated valve V250A (automatic) | Accurately accept inputs, process information, and actuate control signals | All channels operational | 24 hours | Actuate output driver modules | As defined in Chapter 16, Table 16-2 | As defined in Chapter 16, Table 16-2
    Fault tree events: MFW-IC01 E1IMFW01 E1OMFW01 E2IMFW01 E2OMFW01 S11MFW01 APLCC03


Table 28-2 (Sheet 10 of 22)

FAULT TREE SUCCESS CRITERIA SUMMARY

Event / Fault Tree | Description | Success Configuration | Initial Status | Mission Time | Components Required to Change Status | Initiating Signals | Operator Actions

MFW-IC2 | Failure to control main feedwater air-operated valve V250B (automatic) | Accurately accept inputs, process information, and actuate control signals | All channels operational | 24 hours | Actuate output driver modules | As defined in Chapter 16, Table 16-2 | As defined in Chapter 16, Table 16-2
    Fault tree events: MFW-IC02 E1OMFW02 E2IMFW02 E2OMFW02 S11MFW02 APLCC03

MSS-IC1 | Failure to open eight air-operated valves MSS V001 to 008 (automatic) | Accurately accept inputs, process information, and actuate control signals | All channels operational | 24 hours | Actuate output driver modules | As defined in Chapter 16, Table 16-2 | As defined in Chapter 16, Table 16-2
    Fault tree events: MSS-IC01 EPOMSS01 MA1MSS01 S11MSS01 S12MSS01 S13MSS01 S14MSS01 SC1MSS01 APLIPC APLLOA

MSS-IC2 | Failure to open one-out-of-four AOVs MSS V001, V003, V005, and V007 (manual) | Accurately accept inputs, process information, and actuate control signals | All channels operational | 24 hours | Actuate output driver modules | As defined in Chapter 16, Table 16-2 | As defined in Chapter 16, Table 16-2
    Fault tree events: MSS-IC02 EPOMSS02 MA1MSS02 S11MSS02 SI1MSS02 MPLLOA

PLS-RODS | Failure to step in rods (manual) | Accurately accept inputs, process information, and actuate control signals | All channels operational | 24 hours | Controlled stepping in of rods on demand signal through rod control system | Manual action to cause demand signal | ATWMAN01 (in tree RTLOC)


Table 28-2 (Sheet 11 of 22)

FAULT TREE SUCCESS CRITERIA SUMMARY

Event / Fault Tree | Description | Success Configuration | Initial Status | Mission Time | Components Required to Change Status | Initiating Signals | Operator Actions

RNS-IC3 | Failure to actuate RNS pump 01A | Accurately accept inputs, process information, and actuate control signals | All channels operational | 24 hours | Actuate output drivers | As defined in Chapter 17, Table 17-2 | As defined in Chapter 17, Table 17-2
    Fault tree events: RNS-IC03 EPORNS03 SI1RNS03

RNS-IC3P | Failure to actuate RNS pump 01A: loss of offsite power case | Accurately accept inputs, process information, and actuate control signals | All channels operational | 24 hours | Actuate output drivers | As defined in Chapter 17, Table 17-2 | As defined in Chapter 17, Table 17-2
    Fault tree events: RNS-IC03 EPORNS03 MA1RNS03 SI1RNS03

RNS-IC5 | Failure to actuate RNS pump 01B | Accurately accept inputs, process information, and actuate control signals | All channels operational | 24 hours | Actuate output drivers | As defined in Chapter 17, Table 17-2 | As defined in Chapter 17, Table 17-2
    Fault tree events: RNS-IC05 EPORNS05 MA1RNS05 SI1RNS05

RNS-IC5P | Failure to actuate RNS pump 01B: loss of offsite power case | Accurately accept inputs, process information, and actuate control signals | All channels operational | 24 hours | Actuate output drivers | As defined in Chapter 17, Table 17-2 | As defined in Chapter 17, Table 17-2
    Fault tree events: RNS-IC05 EPORNS05 MA1RNS05 SI1RNS05


Table 28-2 (Sheet 12 of 22)

FAULT TREE SUCCESS CRITERIA SUMMARY

Event / Fault Tree | Description | Success Configuration | Initial Status | Mission Time | Components Required to Change Status | Initiating Signals | Operator Actions

SFW-IC1 | Failure to start feedwater pump A and open motor-operated valve V013A | Accurately accept inputs, process information, and actuate control signals | All channels operational | 24 hours | Actuate output driver modules | As defined in Chapter 16, Table 16-2 | As defined in Chapter 16, Table 16-2
    Fault tree events: SFW-IC01 MA1SFW01 SI1SFW01 S11SFW01 S12SFW01 S13SFW01 S14SFW01 SC1SFW01 E1OSFW01 E1ISFW01 E2OSFW01 E2ISFW01 S31SFW01 EPOSFW01 APLIPC APLLOB APLCC03 MPLLOB

SFW-IC1P | Failure to start feedwater pump A and open motor-operated valve V013A (loop) | Accurately accept inputs, process information, and actuate control signals | All channels operational | 24 hours | Actuate output driver modules | As defined in Chapter 16, Table 16-2 | As defined in Chapter 16, Table 16-2
    Fault tree events: SFWPIC01 E1OSFW01 E1ISFW01 E2ISFW01 E2OSFW01 EPOSFW01 MA1SFW01 S11SFW01 S12SFW01 S13SFW01 S14SFW01 S31SFW01 SC1SFW01 SI1SFW01 APLIPCP APLLOBP APLCC03P MPLLOBP


Table 28-2 (Sheet 13 of 22)

FAULT TREE SUCCESS CRITERIA SUMMARY

Event / Fault Tree | Description | Success Configuration | Initial Status | Mission Time | Components Required to Change Status | Initiating Signals | Operator Actions

SFW-IC2P | Failure to start feedwater pump B and open motor-operated valve V013B (loop) | Accurately accept inputs, process information, and actuate control signals | All channels operational | 24 hours | Actuate output driver modules | As defined in Chapter 16, Table 16-2 | As defined in Chapter 16, Table 16-2
    Fault tree events: SFWPIC02 E1OSFW02 E1ISFW02 E2ISFW02 E2OSFW02 EPOSFW02 MA1SFW02 S11SFW02 S12SFW02 S13SFW02 S14SFW02 S31SFW02 SC1SFW02 SI1SFW02 APLIPCP APLLOBP APLCC03P MPLLOBP

SFW-IC2 | Failure to start feedwater pump B and open motor-operated valve V013B | Accurately accept inputs, process information, and actuate control signals | All channels operational | 24 hours | Actuate output driver modules | As defined in Chapter 16, Table 16-2 | As defined in Chapter 16, Table 16-2
    Fault tree events: SFW-IC02 E1OSFW02 E1ISFW02 E2ISFW02 E2OSFW02 EPOSFW02 MA1SFW02 S11SFW02 S12SFW02 S13SFW02 S14SFW02 S31SFW02 SC1SFW02 SI1SFW02 APLIPC APLLOB APLCC03 MPLLOB


Table 28-2 (Sheet 14 of 22)

FAULT TREE SUCCESS CRITERIA SUMMARY

Event / Fault Tree | Description | Success Configuration | Initial Status | Mission Time | Components Required to Change Status | Initiating Signals | Operator Actions

SFW-IC3 | Failure to open motor-operated valve V010 (automatic) | Accurately accept inputs, process information, and actuate control signals | All channels operational | 24 hours | Actuate output driver modules | As defined in Chapter 16, Table 16-2 | As defined in Chapter 16, Table 16-2
    Fault tree events: SFW-IC03 E1OSFW03 E1ISFW03 E2ISFW03 E2OSFW03 EPISFW03 EPOSFW03 S11SFW03 APLCC03 APLLLOB

SFW-IC4P | Failure to control startup feedwater air-operated valve V255A (automatic) | Accurately accept inputs, process information, and actuate control signals | All channels operational | 24 hours | Actuate output driver modules | As defined in Chapter 16, Table 16-2 | As defined in Chapter 16, Table 16-2
    Fault tree events: SFWPIC04 E2OSFW04 S11SFW04 S12SFW04 S13SFW04 S14SFW04 SC1SFW04 APLIPCP APLC03P

SFW-IC4 | Failure to control startup feedwater air-operated valve V255A (automatic) | Accurately accept inputs, process information, and actuate control signals | All channels operational | 24 hours | Actuate output driver modules | As defined in Chapter 16, Table 16-2 | As defined in Chapter 16, Table 16-2
    Fault tree events: SFW-IC04 E1OSFW04 E2OSFW04 S11SFW04 S12SFW04 S13SFW04 S14SFW04 SC1SFW04 APLIPC APLC03


Table 28-2 (Sheet 15 of 22)

FAULT TREE SUCCESS CRITERIA SUMMARY

Event / Fault Tree | Description | Success Configuration | Initial Status | Mission Time | Components Required to Change Status | Initiating Signals | Operator Actions

SFW-IC5P | Failure to control startup feedwater air-operated valve V255B (loop) | Accurately accept inputs, process information, and actuate control signals | All channels operational | 24 hours | Actuate output driver modules | As defined in Chapter 16, Table 16-2 | As defined in Chapter 16, Table 16-2
    Fault tree events: SFWPIC05 E1OSFW05 E2OSFW05 S11SFW04 S12SFW04 S13SFW04 S14SFW04 SC1SFW04 APLIPCP APLC03P

SFW-IC5 | Failure to control startup feedwater air-operated valve V255B (automatic) | Accurately accept inputs, process information, and actuate control signals | All channels operational | 24 hours | Actuate output driver modules | As defined in Chapter 16, Table 16-2 | As defined in Chapter 16, Table 16-2
    Fault tree events: SFW-IC05 E1OSFW05 E2OSFW05 S11SFW04 S12SFW04 S13SFW04 S14SFW04 SC1SFW04 APLIPC APLC03

SFW-IC6P | Failure to control startup feedwater air-operated valve V067A (loop) | Accurately accept inputs, process information, and actuate control signals | All channels operational | 24 hours | Actuate output driver modules | As defined in Chapter 16, Table 16-2 | As defined in Chapter 16, Table 16-2
    Fault tree events: SFWPIC06 E1OSFW06 E2OSFW06 S11SFW04 S12SFW04 S13SFW04 S14SFW04 SC1SFW04 APLIPCP APLC03P


Table 28-2 (Sheet 16 of 22)

FAULT TREE SUCCESS CRITERIA SUMMARY

Event / Fault Tree | Description | Success Configuration | Initial Status | Mission Time | Components Required to Change Status | Initiating Signals | Operator Actions

SFW-IC6 | Failure to control startup feedwater air-operated valve V067A (automatic) | Accurately accept inputs, process information, and actuate control signals | All channels operational | 24 hours | Actuate output driver modules | As defined in Chapter 16, Table 16-2 | As defined in Chapter 16, Table 16-2
    Fault tree events: SFW-IC06 E1OSFW06 E2OSFW06 S11SFW04 S12SFW04 S13SFW04 S14SFW04 SC1SFW04 APLIPC APLC03

SFW-IC7P | Failure to control startup feedwater air-operated valve V067B (loop) | Accurately accept inputs, process information, and actuate control signals | All channels operational | 24 hours | Actuate output driver modules | As defined in Chapter 16, Table 16-2 | As defined in Chapter 16, Table 16-2
    Fault tree events: SFWPIC07 E2OSFW07 S11SFW04 S12SFW04 S13SFW04 S14SFW04 SC1SFW04 APLIPCP APLC03P

SFW-IC7 | Failure to control startup feedwater air-operated valve V067B (automatic) | Accurately accept inputs, process information, and actuate control signals | All channels operational | 24 hours | Actuate output driver modules | As defined in Chapter 16, Table 16-2 | As defined in Chapter 16, Table 16-2
    Fault tree events: SFW-IC07 E1OSFW07 E2OSFW07 S11SFW04 S12SFW04 S13SFW04 S14SFW04 SC1SFW04 APLIPC APLC03


Table 28-2 (Sheet 17 of 22)

FAULT TREE SUCCESS CRITERIA SUMMARY

Event / Fault Tree | Description | Success Configuration | Initial Status | Mission Time | Components Required to Change Status | Initiating Signals | Operator Actions

SFW-IC8P | Failure to open motor-operated valve V028 (automatic) (loop) | Accurately accept inputs, process information, and actuate control signals | All channels operational | 24 hours | Actuate output driver modules | As defined in Chapter 16, Table 16-2 | As defined in Chapter 16, Table 16-2
    Fault tree events: SFWPIC08 E1ISFW08 E1OSFW08 E2ISFW08 E2OSFW08 EPISFW08 EPOSFW08 S11SFW08 APLCC03P APLLLOBP

SFW-IC8 | Failure to open motor-operated valve V028 (automatic) | Accurately accept inputs, process information, and actuate control signals | All channels operational | 24 hours | Actuate output driver modules | As defined in Chapter 16, Table 16-2 | As defined in Chapter 16, Table 16-2
    Fault tree events: SFW-IC08 E1ISFW08 E1OSFW08 E2ISFW08 E2OSFW08 EPISFW08 EPOSFW08 S11SFW08 APLCC03 APLLLOB

SWS-IC1 | Failure to actuate air-operated valve V006A (yearly) | Accurately accept inputs, process information, and actuate control signals | All channels operational | 24 hours | Actuate output driver modules | As defined in Chapter 22, Table 22-2 | As defined in Chapter 22, Table 22-2
    Fault tree events: SWS-IC01 E1OSWS01 E1ISWS01 E2ISWS01 E2OSWS01 EPISWS01 EPOSWS01 MA1SWS01 S11SWS01 SC1SWS01 SI1SWS01 APLLL07Y APLCC02Y MPLL07Y


Table 28-2 (Sheet 18 of 22)

FAULT TREE SUCCESS CRITERIA SUMMARY

Event / Fault Tree | Description | Success Configuration | Initial Status | Mission Time | Components Required to Change Status | Initiating Signals | Operator Actions

SWS-IC2 | Failure to actuate standby pump sub-loop B | Accurately accept inputs, process information, and actuate control signals | All channels operational | 24 hours | Actuate output driver modules | As defined in Chapter 22, Table 22-2 | As defined in Chapter 22, Table 22-2
    Fault tree events: SWS-IC02 E1ISWS02 E1OSWS02 E2ISWS02 E2OSWS02 EPISWS02 EPOSWS02 MA1SWS02 S11SWS02 SC1SWS02 SI1SWS02 APLLL07 APLCC02 MPLL07

SWS-IC3 | Failure to actuate standby pump sub-loop B (loop) | Accurately accept inputs, process information, and actuate control signals | All channels operational | 24 hours | Actuate output driver modules | As defined in Chapter 22, Table 22-2 | As defined in Chapter 22, Table 22-2
    Fault tree events: SWS-IC03 E1ISWS03 E1OSWS03 E2ISWS03 E2OSWS03 EPISWS03 EPOSWS03 MA1SWS03 S11SWS03 SC1SWS03 SI1SWS03 APLLL07P APLCC02P MPLL07P


Table 28-2 (Sheet 19 of 22)

FAULT TREE SUCCESS CRITERIA SUMMARY

Event / Fault Tree | Description | Success Configuration | Initial Status | Mission Time | Components Required to Change Status | Initiating Signals | Operator Actions

SWS-IC4 | Failure to actuate standby pump sub-loop B | Accurately accept inputs, process information, and actuate control signals | All channels operational | 24 hours | Actuate output driver modules | As defined in Chapter 22, Table 22-2 | As defined in Chapter 22, Table 22-2
    Fault tree events: SWS-IC04 E1ISWS04 E1OSWS04 E2ISWS04 E2OSWS04 EPISWS04 EPOSWS04 MA1SWS04 S11SWS04 SC1SWS04 SI1SWS04 APLLL07 APLCC02 MPLL07

SWS-IC5 | Failure to actuate pump sub-loop A (loop) | Accurately accept inputs, process information, and actuate control signals | All channels operational | 24 hours | Actuate output driver modules | As defined in Chapter 22, Table 22-2 | As defined in Chapter 22, Table 22-2
    Fault tree events: SWS-IC05 E1ISWS05 E1OSWS05 E2ISWS05 E2OSWS05 EPISWS05 EPOSWS05 MA1SWS05 S11SWS05 SC1SWS05 SI1SWS05 APLLL07P APLCC02P MPLL07P


Table 28-2 (Sheet 20 of 22)

FAULT TREE SUCCESS CRITERIA SUMMARY

Event / Fault Tree | Description | Success Configuration | Initial Status | Mission Time | Components Required to Change Status | Initiating Signals | Operator Actions

SWS-IC6 | Failure to actuate cooling tower blower fans (loop) | Accurately accept inputs, process information, and actuate control signals | All channels operational | 24 hours | Actuate output driver modules | As defined in Chapter 22, Table 22-2 | As defined in Chapter 22, Table 22-2
    Fault tree events: SWS-IC06 E1ISWS06 E1OSWS06 E2ISWS06 E2OSWS06 EPISWS06 EPOSWS06 MA1SWS06 S11SWS06 SC1SWS06 SI1SWS06 APLLL07P APLCC02P MPLL07P

SWS-IC7 | Failure to actuate cooling tower blower fans (loop) | Accurately accept inputs, process information, and actuate control signals | All channels operational | 24 hours | Actuate output driver modules | As defined in Chapter 22, Table 22-2 | As defined in Chapter 22, Table 22-2
    Fault tree events: SWS-IC07 E1ISWS07 E1OSWS07 E2ISWS07 E2OSWS07 EPISWS07 EPOSWS07 MA1SWS07 S11SWS07 SC1SWS07 SI1SWS07 APLLL07P APLCC02P MPLL07P


Table 28-2 (Sheet 21 of 22)

FAULT TREE SUCCESS CRITERIA SUMMARY

Event / Fault Tree | Description | Success Configuration | Initial Status | Mission Time | Components Required to Change Status | Initiating Signals | Operator Actions

SWS-IC8 | Failure to open MOV 037B upon loss of offsite power | Accurately accept inputs, process information, and actuate control signals | All channels operational | 24 hours | Actuate output drivers | As defined in Chapter 22, Table 22-2 | As defined in Chapter 22, Table 22-2
    Fault tree events: SWS-IC08 E1ISWS08 E2ISWS08 E2OSWS08 EPISWS08 EPOSWS08 MA1SWS08 S11SWS08 SC1SWS08 SI1SWS08 APLCC02P APLLL07P

TCS-IC1 | Failure to start standby turbine cold-leg circulating water system pump B | Accurately accept inputs, process information, and actuate control signals | All channels operational | 24 hours | Actuate output driver modules | As defined in Chapter 16, Table 16-2 | As defined in Chapter 16, Table 16-2
    Fault tree events: TCS-IC01 E1ITCS01 E1OTCS01 E2ITCS01 E2OTCS01 MA1TCS01 EPITCS01 EPOTCS01 S11TCS01 SI1TCS01 APLCC02 APLLL06 MPLL06


Table 28-2 (Sheet 22 of 22)

FAULT TREE SUCCESS CRITERIA SUMMARY

Event / Fault Tree | Description | Success Configuration | Initial Status | Mission Time | Components Required to Change Status | Initiating Signals | Operator Actions

VLS-IC1 | Failure to actuate H2 ignitors | Accurately accept inputs, process information, and actuate control signals | All channels operational | 24 hours | Actuate output driver modules | As defined in Chapter 18, Table 18-2 | As defined in Chapter 18, Table 18-2
    Fault tree events: VLS-IC01 EPOVLS01 MA1VLS01 SI1VLS01 MPLL03

VWS-IC1 | Failure to actuate H2 ignitors | Accurately accept inputs, process information, and actuate control signals | All channels operational | 24 hours | Actuate output driver modules | As defined in Chapter 18, Table 18-2 | As defined in Chapter 18, Table 18-2
    Fault tree events: VWS-IC01 EPOVWS01 MA1VWS01 SI1VWS01 MPLL02


Table 28-3 (Sheet 1 of 9)

PLS I&C SUBTREE CONSTRUCTIONS

Subtree Name | Tree Naming and Linking

CAS-IC1 | Rename: EPICAS01 EPI1, MA1CAS01 ESFOPER, SI1CAS01 CCXSNRS2, S11CAS01 PLSENSOR, E1OCAS01 EAO1, E1ICAS01 EAI1, E2OCAS01 EAO2, E2ICAS01 EAI2, EPOCAS01 EPO; other: APLLL09 APLCC02 MPLL09 CAS-IC01

CAS-IC2 | Rename: EPICAS02 EPI1, S11CAS02 PLSENSOR, E1OCAS02 EAO1, E1ICAS02 EAI1, E2OCAS02 EAO2, E2ICAS02 EAI2, EPOCAS02 EPO; other: APLLL09 APLCC02 CAS-IC02

CAS-IC5 | Rename: EPICAS05 EPI1, S11CAS05 PLSENSOR, E1OCAS05 EAO1, E1ICAS05 EAI1, E2OCAS05 EAO2, E2ICAS05 EAI2, EPOCAS05 EPO; other: APLLL09Y APLCC02Y CAS-IC05


Table 28-3 (Sheet 2 of 9)

PLS I&C SUBTREE CONSTRUCTIONS

Subtree Name | Tree Naming and Linking

CCS-IC1 | Rename: EPICCS01 EPI1, MA1CCS01 ESFOPER, SI1CCS01 CCXSNRS2, S11CCS01 PLSENSOR, E1OCCS01 EAO1, E1ICCS01 EAI1, E2OCCS01 EAO2, E2ICCS01 EAI2, EPOCCS01 EPO; other: APLLL01 APLCC01 MPLL01 CCS-IC01

CDS-IC1 | Rename: S11CDS01 PLSENSOR, E1OCDS01 EAO1, EPOCDS01 EPO, EPICDS01 EPI1, E2OCDS01 EAO2, E1ICDS01 EAI1, E2ICDS01 EAI2; other: APLCC03 APLLLOD CDS-IC01

CDS-IC2 | Rename: S11CDS02 PLSENSOR, E1OCDS02 EAO1, EPOCDS02 EPO, EPICDS02 EPI1, E2OCDS02 EAO2, E1ICDS02 EAI1, E2ICDS02 EAI2; other: APLCC03 APLLLOD CDS-IC02

CVS-IC1 | Rename: MA1CVS01 ESFOPER, SI1CVS01 CCXSNRS2, EPOCVS01 EPO; other: MPLL03 CVS-IC01


Table 28-3 (Sheet 3 of 9)

PLS I&C SUBTREE CONSTRUCTIONS

Subtree Name | Tree Naming and Linking

CVS-IC3 | Rename: MA1CVS03 ESFOPER, SC1CVS03 CCXSNRS1, S11CVS03 SENS1, S12CVS03 SENS2, S13CVS03 SENS3, S14CVS03 SENS4, EPOCVS03 EPO; other: APLIPC APLL03 CVS-IC03

CVS-IC9 | Rename: S13CVS09 SENS3, MA1CVS09 ESFOPER, SI1CVS09 CCXSNRS2, SC1CVS09 CCXSNRS1, S11CVS09 SENS1, S12CVS09 SENS2, S14CVS09 SENS4, EPOCVS09 EPO; other: APLIPC APLL03 MPLL03 CVS-IC09

CVS-IC10 | Rename: S13CVS10 SENS3, MA1CVS10 ESFOPER, SI1CVS10 CCXSNRS2, SC1CVS10 CCXSNRS1, S11CVS10 SENS1, S12CVS10 SENS2, S14CVS10 SENS4, EPOCVS10 EPO; other: APLIPC APLL03 MPLL03 CVS-IC10

CVS-IC11 | Rename: CCXSNRS2 CVS-IC11


Table 28-3 (Sheet 4 of 9)

PLS I&C SUBTREE CONSTRUCTIONS

Subtree Name | Tree Naming and Linking

ECS-IC1B | Rename: MA1ECS01 ESFOPER, EPOECS01 EPO, EPIECS01 EPI1, SI1ECS01 CCXSNRS2, E1OECS01 EAO1, E1IECS01 EAI1, E2OECS01 EAO2, E2IECS01 EAI2, S11ECS01 PLSENSOR; other: MPLL05B ECSBIC01

ECS-IC3B | Rename: MA1ECS03 ESFOPER, EPIECS03 EPI1, SI1ECS03 CCXSNRS2, E1OECS03 EAO1, E1IECS03 EAI1, E2OECS03 EAO2, E2IECS03 EAI2, S11ECS03 PLSENSOR, EPOECS03 EPO; other: APLLL05B APLCC01B MPLL05B ECSBIC03

MFW-IC1 | Rename: S11MFW01 PLSENSOR, E1OMFW01 EAO1, E1IMFW01 EAI1, E2OMFW01 EAO2, E2IMFW01 EAI2; other: APLCC03 MFW-IC01

MSS-IC1 | Rename: EPOMSS01 EPO, MA1MSS01 ESFOPER, SC1MSS01 CCXSNRS1, S11MSS01 SENS1, S12MSS01 SENS2, S13MSS01 SENS3, S14MSS01 SENS4; other: APLIPC APLLOA MSS-IC01


Table 28-3 (Sheet 5 of 9)

PLS I&C SUBTREE CONSTRUCTIONS

Subtree Name | Tree Naming and Linking

MSS-IC2 | Rename: MA1MSS02 ESFOPER, SI1MSS02 CCXSNRS2, EPOMSS02 EPO; other: MPLLOA MSS-IC02

PLS-RODS | ROD-IC01

RNS-IC3 | Rename: EPORNS03 EPO, MA1RNS03 ESFOPER, SI1RNS03 CCXSNRS2; other: MPLL04 RNS-IC03

SFW-IC1 | Rename: MA1SFW01 ESFOPER, SI1SFW01 CCXSNRS2, S13SFW01 SENS3, S11SFW01 SENS1, S12SFW01 SENS2, S14SFW01 SENS4, SC1SFW01 CCXSNRS1, E1OSFW01 EAO1, E1ISFW01 EAI1, E2OSFW01 EAO2, E2ISFW01 EAI2, S31SFW01 PLSENSOR, EPOSFW01 EPO; other: APLIPC APLLOB APLCC03 MPLLOB SFW-IC01

SFW-IC3 | Rename: S11SFW03 PLSENSOR, E1OSFW03 EAO1, EPISFW03 EPI1, E2OSFW03 EAO2, E1ISFW03 EAI1, E2ISFW03 EAI2, EPOSFW03 EPO; other: APLCC03 APLLLOB SFW-IC03


Table 28-3 (Sheet 6 of 9)

PLS I&C SUBTREE CONSTRUCTIONS

Subtree Name | Tree Naming and Linking

SFW-IC4 | Rename: S13SFW04 SENS3, S11SFW04 SENS1, S12SFW04 SENS2, S14SFW04 SENS4, SC1SFW04 CCXSNRS1, E1OSFW04 EAO1, E2OSFW04 EAO2; other: APLIPC APLC03 SFW-IC04

SFW-IC6 | Rename: S13SFW06 SENS3, S11SFW06 SENS1, S12SFW06 SENS2, S14SFW06 SENS4, SC1SFW06 CCXSNRS1, E1OSFW06 EAO1, E2OSFW06 EAO2; other: APLIPC APLC03 SFW-IC06

SFW-IC8 | Rename: S11SFW08 PLSENSOR, E1OSFW08 EAO1, EPISFW08 EPI1, E2OSFW08 EAO2, E1ISFW08 EAI1, E2ISFW08 EAI2, EPOSFW08 EPO; other: APLCC03 APLLLOB SFW-IC08


Table 28-3 (Sheet 7 of 9)

PLS I&C SUBTREE CONSTRUCTIONS

Subtree Name | Tree Naming and Linking

SFW-IC1A | Rename: MA1SFW01 ESFOPER, SI1SFW01 CCXSNRS2, S13SFW01 SENS3, S11SFW01 SENS1, S12SFW01 SENS2, S14SFW01 SENS4, SC1SFW01 CCXSNRS1, E1OSFW01 EAO1, E1ISFW01 EAI1, E2OSFW01 EAO2, E2ISFW01 EAI2, S31SFW01 PLSENSOR, EPOSFW01 EPO; other: APLIPC APLLOB APLCC03 SFW-IC1A

SWS-IC1 | Rename: EPISWS01 EPI1, MA1SWS01 ESFOPER, SI1SWS01 CCXSNRS2, S11SWS01 PLSENSOR, SC1SWS01 CCXSNRS1, E1OSWS01 EAO1, E1ISWS01 EAI1, E2OSWS01 EAO2, E2ISWS01 EAI2, EPOSWS01 EPO; other: APLLL07Y APLCC02Y MPLL07Y SWS-IC01


Table 28-3 (Sheet 8 of 9)

PLS I&C SUBTREE CONSTRUCTIONS

Subtree Name | Tree Naming and Linking

SWS-IC2 | Rename: EPISWS02 EPI1, MA1SWS02 ESFOPER, SI1SWS02 CCXSNRS2, S11SWS02 PLSENSOR, SC1SWS02 CCXSNRS1, E1OSWS02 EAO1, E1ISWS02 EAI1, E2OSWS02 EAO2, E2ISWS02 EAI2, EPOSWS02 EPO; other: APLLL07 APLCC02 MPLL07 SWS-IC02

SWS-IC5 | Rename: EPISWS05 EPI1, MA1SWS05 ESFOPER, SI1SWS05 CCXSNRS2, S11SWS05 PLSENSOR, SC1SWS05 CCXSNRS1, E1OSWS05 EAO1, E1ISWS05 EAI1, E2OSWS05 EAO2, E2ISWS05 EAI2, EPOSWS05 EPO; other: APLLL07P APLCC02P MPLL07P SWS-IC05

SWS-IC6 | Rename: EPISWS06 EPI1, MA1SWS06 ESFOPER, SI1SWS06 CCXSNRS2, S11SWS06 PLSENSOR, SC1SWS06 CCXSNRS1, E1OSWS06 EAO1, E1ISWS06 EAI1, E2OSWS06 EAO2, E2ISWS06 EAI2, EPOSWS06 EPO; other: APLLL07P APLCC02P MPLL07P SWS-IC06


Table 28-3 (Sheet 9 of 9)

PLS I&C SUBTREE CONSTRUCTIONS

Subtree Name | Tree Naming and Linking

TCS-IC1 | Rename: E1ITCS01 EAI1, E1OTCS01 EAO1, E2ITCS01 EAI2, E2OTCS01 EAO2, EPITCS01 EPI1, EPOTCS01 EPO, MA1TCS01 ESFOPER, S11TCS01 PLSENSOR, SI1TCS01 CCXSNRS2; other: APLCC02 APLLL06 MPLL06 TCS-IC01

VLS-IC1 | Rename: EPOVLS01 EPO, MA1VLS01 ESFOPER, SI1VLS01 DASSIND, S11VLS01 CCXSNRS2; other: MPLL03 VLS-IC01

VWS-IC1 | Rename: MA1VWS01 ESFOPER, SI1VWS01 CCXSNRS2, EPOVWS01 EPO; other: MPLL02 VWS-IC01
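The "Rename:" lists in Table 28-3 pair each generic PLS I&C subtree event (EPI1, ESFOPER, PLSENSOR, EAO1, EAI1, EAO2, EAI2, EPO, CCXSNRS2, ...) with a system-specific copy, so that one template subtree can be stamped out for every fault tree in Table 28-2. The Python below is an added illustration of that mechanism and is not code from the AP1000 PRA or its fault tree tool: it parses the CAS-IC1 rename list from Table 28-3 sheet 1, instantiates a constructed template subtree under those names, evaluates the top event with rare-event arithmetic using sample basic-event probabilities taken from Table 28-7 sheet 1, and lists the events that fail the top event on their own. The gate structure (TOP, CHANNELS, BOTH_CH, CH1, CH2) and the assignment of the Table 28-7 values to the generic events are assumptions made for the example.

```python
"""Added example: instantiating a generic PLS I&C subtree from a Table 28-3
"Rename:" list and evaluating it.  The gate structure below is constructed
for illustration and is not the fault tree used in the AP1000 PRA; the
event names come from Table 28-3 and the sample probabilities from
Table 28-7 (sheet 1), but which probability feeds which generic event is
an assumption."""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Gate:
    kind: str           # "OR" or "AND"
    inputs: List[str]   # names of child gates or basic events


Tree = Dict[str, Gate]  # gate name -> gate; a name that is not a key is a basic event

# Constructed template.  Gate names (TOP, CHANNELS, ...) are invented; the
# leaves are the generic basic events that Table 28-3 renames per system.
TEMPLATE: Tree = {
    "TOP":      Gate("OR",  ["EPI1", "EPO", "CHANNELS"]),
    "CHANNELS": Gate("OR",  ["BOTH_CH", "CCXSNRS2"]),   # redundant pair or common cause
    "BOTH_CH":  Gate("AND", ["CH1", "CH2"]),
    "CH1":      Gate("OR",  ["EAI1", "EAO1"]),
    "CH2":      Gate("OR",  ["EAI2", "EAO2"]),
}

# Sample probabilities taken from Table 28-7 sheet 1; the assignment to
# generic events is assumed for the example.
PROB: Dict[str, float] = {
    "EPI1": 1.71e-4, "EPO": 1.71e-4,          # line 647, power interface board
    "EAI1": 2.51e-4, "EAO1": 2.51e-4,          # line 648, analog input board
    "EAI2": 2.51e-4, "EAO2": 2.51e-4,
    "CCXSNRS2": 4.04e-8,                       # line 037, CCF of PMS transmitters
}


def parse_rename(pairs: str) -> Dict[str, str]:
    """Parse a Table 28-3 'Rename:' list of '<specific> <generic>' pairs
    into a generic -> specific map."""
    tokens = pairs.split()
    if len(tokens) % 2:
        raise ValueError("rename list must consist of whole pairs")
    return {generic: specific for specific, generic in zip(tokens[0::2], tokens[1::2])}


def instantiate(template: Tree, rename: Dict[str, str], top_name: str) -> Tree:
    """Copy the template, substituting renamed leaves and naming the top gate."""
    def sub(name: str) -> str:
        return top_name if name == "TOP" else rename.get(name, name)
    return {sub(g): Gate(gate.kind, [sub(i) for i in gate.inputs])
            for g, gate in template.items()}


def probability(tree: Tree, prob: Dict[str, float], node: str) -> float:
    """Rare-event approximation: OR gates add, AND gates multiply."""
    if node not in tree:
        return prob[node]  # basic event
    gate = tree[node]
    values = [probability(tree, prob, i) for i in gate.inputs]
    if gate.kind == "OR":
        return sum(values)
    if gate.kind == "AND":
        result = 1.0
        for v in values:
            result *= v
        return result
    raise ValueError(f"unknown gate kind {gate.kind!r}")


def single_point_failures(tree: Tree, node: str) -> Set[str]:
    """Basic events that fail `node` alone, i.e. reachable through OR gates only."""
    if node not in tree:
        return {node}
    gate = tree[node]
    if gate.kind != "OR":
        return set()
    found: Set[str] = set()
    for i in gate.inputs:
        found |= single_point_failures(tree, i)
    return found


# Table 28-3 sheet 1, CAS-IC1 row (OCR-corrected).  The MA1CAS01/ESFOPER and
# S11CAS01/PLSENSOR pairs are omitted because the constructed template has
# no leaf for them.
CAS_IC1_RENAME = parse_rename(
    "EPICAS01 EPI1 E1OCAS01 EAO1 E1ICAS01 EAI1 E2OCAS01 EAO2 "
    "E2ICAS01 EAI2 EPOCAS01 EPO SI1CAS01 CCXSNRS2"
)
CAS_IC1 = instantiate(TEMPLATE, CAS_IC1_RENAME, "CAS-IC01")
CAS_IC1_PROB = {CAS_IC1_RENAME.get(k, k): v for k, v in PROB.items()}

if __name__ == "__main__":
    p = probability(CAS_IC1, CAS_IC1_PROB, "CAS-IC01")
    print(f"P(CAS-IC01) = {p:.3e}")
    print("single-point failures:", sorted(single_point_failures(CAS_IC1, "CAS-IC01")))
```

Under these constructed assumptions the redundant analog-board pair contributes only about 2.5E-07 to the top event, while each of the two single power-interface events contributes 1.71E-04, so the single-point list is where a reviewer of a subtree like this would look first; that is also the kind of dependency a matrix like Table 28-4 is meant to expose.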


Table 28-4 (Sheet 1 of 2)

PLS DEPENDENCY MATRIX

Plant Control System Cabinets | 120 vac Distribution Panel EDS1 EA1 | 120 vac Distribution Panel EDS1 EA2

Logic Cabinets
    Subsystem 1, I/O: X X
    Subsystem 1, Processing: X
    Subsystem 2, I/O: X X
    Subsystem 2, Processing: X
    ILC Output Driver Modules: X X

Control Cabinets
    Subsystem 1, I/O: X X
    Subsystem 1, Processing: X
    Subsystem 2, I/O: X X
    Subsystem 2, Processing: X

Communication Subsystem
    All Cards: X

Table 28-4 (Sheet 2 of 2)

PLS DEPENDENCY MATRIX

Plant Control System Cabinets | 120 vac Distribution Panel EDS1 EA1 | 120 vac Distribution Panel EDS1 EA2

Control MUX
    Subsystem 1, All Cards: X
    Subsystem 2, All Cards: X

Note: For the logic cabinets, the apportioning of each card to the power supplies remains the same, except for the different distribution panels used, i.e.: Distr. Panel EDS1 EA1 becomes Distr. Panel EDS2 EA1, Distr. Panel EDS1 EA2 becomes Distr. Panel EDS2 EA2, etc.


Table 28-5

PLS COMPONENTS TEST ASSUMPTIONS

Card | Assumed Effect on Modulating Devices (24 hrs) | Automatic On-Line Tester Subsystem/Diagnostic Subsystem (5 min) | Mechanical Component Surveillance Test (Quarterly) | Quarterly Functional Test (Quarterly) | Based on Operation

IPC Comms: X X
ILC: X X
ICC: X X
SSC: X X
Control MUX: X X

Table 28-6

COMPONENT MAINTENANCE ASSUMPTIONS

No scheduled outage for maintenance is assumed for the plant control system. The outage for repair is accounted for together with the numerical evaluation of the cards' unavailabilities.


Table 28-7 (Sheet 1 of 3)

FAILURE PROBABILITIES CALCULATED IN THIS SECTION

SIMON.DAT Line Number   Event ID   Description   Failure Probability

010 ALL-IND-FAIL Generic indication failure probability 1.00E-06

037 CCX-PMS-SENSORS CCF of PMS transmitters 4.04E-08

617 ###030##SA Logic group processing failure on demand 1.16E-03

618 ###030##BA Logic group processing spurious failure 8.01E-06

619 CCX-###03 CCF of the logic group processing 9.69E-05

620 CCX-###EHO CCF of MUX transmitters 4.03E-06

621 CCX-P##MOD1 CCF of output logic I/Os 1.41E-04

622 CCX-P##MOD1-SW Software CCF of output logic I/Os 1.10E-05

623 CCX-P##MOD2 CCF of actuation logic groups 3.04E-04

624 CCX-P##MOD2-SW Software CCF of actuation logic groups 1.10E-05

625 CCX-P##MOD4 CCF of MUX logic groups 4.98E-05

626 CCX-P##MOD4-SW Software CCF of MUX logic groups 1.10E-05

627 CCX-P##MOD5 CCF of modulating groups 6.98E-05

628 CCX-P##MOD5-SW Software CCF of modulating groups 1.10E-05

629 CCX-P##MOD3 CCF of input logic groups 1.03E-04

630 CCX-P##MOD3-SW Software CCF of input logic groups 1.10E-05

631 CCX-P##MOD6 CCF of signal selector groups - logic and I/Os 2.53E-04

632 CCX-P##MOD6-SW Software CCF of signal selector groups - logic and I/Os 1.10E-05

634 P##MOD1# Failure of output logic group # I/O 2.09E-03

635 PL#MOD5# Failure of modulating logic or I/O group # 8.74E-04

636 P##MOD4# Failure of MUX logic group # 6.35E-04

639 P##MOD3# Failure of input group # 5.02E-03

647 ###EP####SA Failure of the power interface board 1.71E-04

648 ###EA####SA Failure of the analog input board 2.51E-04

650 ###TP###RY Pressure transmitter yearly failure 5.23E-03


Table 28-7 (Sheet 2 of 3)

FAILURE PROBABILITIES CALCULATED IN THIS SECTION

SIMON.DAT Line Number   Event ID   Description   Failure Probability

651 ###TF###RI Flow transmitter failure 5.23E-03

655 ###TL###UF Level transmitter failure 5.23E-03

656 IWX-XMTR CCF of IRWST & Boric Acid Tank Level transmitters 4.78E-04

657 ###EU###SA Failure of the analog output board 6.42E-05

659 ###VS###UF Failure of level switch 1.00E-03

660 ###OR###SP Failure of orifice - plugged 7.22E-03

661 ###TE###UF Failure of temperature element 3.06E-03

667 CCX-EAI CCF of the analog input boards 1.27E-05

668 CCX-EAO CCF of the analog output boards 3.23E-06

669 CCX-EP-SA CCF of the power interface output boards 8.62E-06

670 CCX-EPI CCF of the power interface input boards 1.00E-10

671 CCX-LS-FA CCF of the limit switches 5.37E-06

672 CCX-MFI CCF of the main feed isolation signal sensors 1.00E-06

673 CCX-ORY-SP CCF of orifice-plugged* 1.01E-20

674 CCX-PRHR CCF of PRHR actuation signal sensors 1.00E-06

675 CCX-RM-UF CCF of radiation monitors 7.58E-05

676 CCX-S-SIG-SENS CCF of the S-signal sensors 1.00E-06

678 CCX-TRNSM CCF of pressure, flow transmitters (low) pressure 4.78E-04

679 CCX-TT-UF CCF of temperature transmitters 1.17E-04

680 CCX-TT1-UF CCF of temperature transmitters following an accident 1.17E-04

681 CMX-VS-FA CCF of CMT level switches 3.84E-05

682 CCX-XMTR CCF of pressure or level transmitters (higher pressure) 4.78E-04

* This basic event has been accounted for in each of the appropriate sensor common cause failure basic events (IWX-XMTR, CCX-TRNSM, CCX-XMTR, CCX-XMTR1, and CCX-XMTR195).


Table 28-7 (Sheet 3 of 3)

FAILURE PROBABILITIES CALCULATED IN THIS SECTION

SIMON.DAT Line Number   Event ID   Description   Failure Probability

683 CCX-XMTR1 CCF of pressure transmitters following an accident 4.788E-04

684 CCX-XMTR195 CCF of pressurizer level sensors 4.78E-04

686 EC#RE27BGA Failure of the undervoltage relay 4.36E-03

687 ###TP###RI Failure of pressure transmitter 5.23E-03

690 P##EH0##SA Failure of MUX transmitter to group # 8.00E-05

691 PLSMOD6# Failure of signal selector logic group # 3.46E-03

693 PM#MOD2# Failure of actuation logic group # 4.07E-03

696 P##XSO0ASA Failure of output logic group selector 8.00E-05

699 CMT-SENS-FAIL CMT signal sensors 1.001E-06

701 DUMMY Logical zero 1.00E-10

702 S-SIG-SENS#-FAIL S-signal sensor failure 1.00E-06

703 VLX-ANLYZ CCF of the H2 analyzers 7.58E-05

706 CCX-CMT-SENS CCF of CMT signal sensors 1.00E-06

707 ###TP###UF Failure of pressure transmitter 5.23E-03

711 DG#-LOGIC Diesel sequencing logic 5.00E-03

712 ROD-CTRL-SYS Rod control system failure to step in rods 6.60E-04

959 CCX-SFTW Software CCF among all boards 1.20E-06


Table 28-8 (Sheet 1 of 2)

OPERATOR ACTIONS AND SYSTEM MISPOSITION ANALYSIS SUMMARY

Identifier Description

ADN-MAN01 Operator fails to actuate ADS before core damage

ADN-REC01 Operator fails to complete ADS actuation after core damage

ATW-MAN01 Operator fails to step in control rods via PLS within one minute after an ATWS

ATW-MAN03 Operator fails to recognize need and fails to trip reactor via PMS within one minute after an ATWS

ATW-MAN05 Operator fails to recognize need and fails to trip reactor via PMS within seven minutes after an ATWS

CAN-MAN01 Operator fails to recognize need and fails to actuate standby CAS compressor

CMN-REC01 Operator fails to actuate CMT after core damage

CIA-MAN01 Operator fails to recognize need and fails to isolate failed SG after a main steam line break

CIC-MAN01 Operator fails to recognize need and fails to isolate CMT given core damage after a LOCA

CMN-MAN01 Operator fails to actuate CMT during a LOCA

FWN-MAN02 Operator fails to start SFW pumps after a loss of main feedwater during a transient

HPM-MAN01 Operator fails to recognize need for high-pressure decay heat removal after a loss of main feedwater

LPM-MAN01 Operator fails to recognize need for RCS depressurization during SBLOCA

LPM-MAN02 Operator fails to recognize need for RCS depressurization during MBLOCA

LPM-MAN03 Operator fails to recognize need for RCS depressurization given only DAS indication during SBLOCA

LPM-MAN04 Operator fails to recognize need for RCS depressurization given only DAS indication during MBLOCA

LPM-REC01 Operator fails to recognize need for RCS depressurization during SBLOCA with PRHR failure, CMT success

PCN-MAN01 Operator fails to recognize need and fails to actuate PCS AOVs

RCN-MAN01 Operator fails to trip the four RCPs

REC-MANDAS Operator fails to actuate manual DAS ESF functions

REN-MAN02 Operator fails to recognize need and fails to open recirculation valves during accidents


Table 28-8 (Sheet 2 of 2)

OPERATOR ACTIONS AND SYSTEM MISPOSITION ANALYSIS SUMMARY

Identifier Description

REN-MAN03 Operator fails to recognize need and fails to open recirculation valves after core damage

SGHL-MAN01 Operator fails to recognize need and fails to trip CVS pump and isolate SFW to failed SG after a SGTR

SWN-MAN01 Operator fails to recognize need and fails to open AOV on motor strainer line during accidents

SWN-MAN01N Operator fails to recognize need and fails to open AOV on motor strainer line during normal operation

SWN-MAN02 Operator fails to recognize need and fails to start standby SWS pump during an accident

SWN-MAN02N Operator fails to recognize need and fails to start standby SWS pump during normal operation

TCB-MAN01 Operator fails to recognize need and fails to start standby TCS pump

VLN-MAN01 Operator fails to recognize need and fails to start hydrogen control system

VWN-MAN01 Operator fails to recognize need and fails to align standby chiller during a LOCA

ZON-MAN01 Operator fails to recognize need and fails to start standby diesel generator during LOSP


Table 28-9 (Sheet 1 of 2)

COMMON CAUSE FAILURE ANALYSIS SUMMARY

Event Name Description

CCX-CMT-SENS CCF of CMT signal sensors

CCX-EAO CCF of the analog output board

CCX-EP-SA CCF of the power interface output board (PLS)

CCX-EP-SAM CCF of the power interface output board (PMS)

CCX-EPI CCF of the power interface input board

CCX-IN-LOGIC-SW Software CCF of input logic groups

CCX-INPUT-LOGIC CCF of input logic groups

CCX-LS-FA CCF of the limit switches

CCX-MFI CCF of main feed isolation signal sensors

CCX-###03 CCF of the logic group processing

CCX-###EHO CCF of mux transmitters

CCX-P##MOD1 CCF of output logic I/Os

CCX-P##MOD1-SW Software CCF of output logic I/Os

CCX-PL#MOD5 CCF of modulating control groups-output logic I/Os

CCX-PL#MOD5-SW Software CCF of modulating control groups

CCX-P##MOD4 CCF of MUX logic groups

CCX-P##MOD4-SW Software CCF of MUX logic groups

CCX-PL#MOD3 CCF of input logic groups (communications subsystem of PMS IPCs)

CCX-PL#MOD3-SW Software CCF of input logic groups (communications subsystem of PMS IPCs)

CCX-PL#MOD6 CCF of signal selector groups-logic and I/Os

CCX-PL#MOD6-SW Software CCF of signal selector groups-logic and I/Os

CCX-P##MOD2 CCF of actuation logic groups

CCX-P##MOD2-SW Software CCF of actuation logic groups

CCX-PRHR CCF of PRHR actuation signal sensors

CCX-RM-UF CCF of radiation monitors

CCX-S-SIG-SENS CCF of the S-signal sensors


Table 28-9 (Sheet 2 of 2)

COMMON CAUSE FAILURE ANALYSIS SUMMARY

Event Name Description

CCX-SFTW Software CCF among all boards (both PLS and PMS)

CCX-TRNSM CCF of pressure and flow transmitters (low system pressure)

CCX-TT-UF CCF of temperature transmitters

CCX-TT1-UF CCF of temperature transmitters following accident

CMX-VS-FA CCF of CMT level switches

CCX-XMTR1 CCF of pressure transmitters following accident

CCX-XMTR195 CCF of pressurizer level transmitters

IWX-XMTR CCF of IRWST and boric acid tank level transmitters

VLX-ANLYZ CCF of the H2 analyzers


Table 28-10 (Sheet 1 of 68)

FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM

FT IDENT | COMP | FAILURE MODE | FAIL RATE | VARIANCE | SOURCE | TIME | PROBABILITY | VARIANCE
ADAEP001ABA | EP | SPURIOUS FAILURE OF THE POWER INTERFACE BOARD (###EP####BA) | 9.150E-07 | 0.000E+00 | PMS | 0.000E+00 | 9.15E-07 | 0.00E+00
ADAEP001ASA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
ADAEP002ABA | EP | SPURIOUS FAILURE OF THE POWER INTERFACE BOARD (###EP####BA) | 9.150E-07 | 0.000E+00 | PMS | 0.000E+00 | 9.15E-07 | 0.00E+00
ADAEP002ASA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
ADAEP003ABA | EP | SPURIOUS FAILURE OF THE POWER INTERFACE BOARD (###EP####BA) | 9.150E-07 | 0.000E+00 | PMS | 0.000E+00 | 9.15E-07 | 0.00E+00
ADAEP003ASA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
ADAEP0041BA | EP | SPURIOUS FAILURE OF THE POWER INTERFACE BOARD (###EP####BA) | 9.150E-07 | 0.000E+00 | PMS | 0.000E+00 | 9.15E-07 | 0.00E+00
ADAEP0041SA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
ADAEP0042BA | EP | SPURIOUS FAILURE OF THE POWER INTERFACE BOARD (###EP####BA) | 9.150E-07 | 0.000E+00 | PMS | 0.000E+00 | 9.15E-07 | 0.00E+00
ADAEP0042SA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
ADAEP004A1SA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
ADAEP004A2SA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
ADAEP004C1SA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00

Table 28-10 (Sheet 2 of 68)

FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM

FT IDENT | COMP | FAILURE MODE | FAIL RATE | VARIANCE | SOURCE | TIME | PROBABILITY | VARIANCE
ADAEP004C2SA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
ADAEP011ABA | EP | SPURIOUS FAILURE OF THE POWER INTERFACE BOARD (###EP####BA) | 9.150E-07 | 0.000E+00 | PMS | 0.000E+00 | 9.15E-07 | 0.00E+00
ADAEP011ASA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
ADAEP012ABA | EP | SPURIOUS FAILURE OF THE POWER INTERFACE BOARD (###EP####BA) | 9.150E-07 | 0.000E+00 | PMS | 0.000E+00 | 9.15E-07 | 0.00E+00
ADAEP012ASA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
ADAEP013ABA | EP | SPURIOUS FAILURE OF THE POWER INTERFACE BOARD (###EP####BA) | 9.150E-07 | 0.000E+00 | PMS | 0.000E+00 | 9.15E-07 | 0.00E+00
ADAEP013ASA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
ADBEP001BBA | EP | SPURIOUS FAILURE OF THE POWER INTERFACE BOARD (###EP####BA) | 9.150E-07 | 0.000E+00 | PMS | 0.000E+00 | 9.15E-07 | 0.00E+00
ADBEP001BSA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
ADBEP002BBA | EP | SPURIOUS FAILURE OF THE POWER INTERFACE BOARD (###EP####BA) | 9.150E-07 | 0.000E+00 | PMS | 0.000E+00 | 9.15E-07 | 0.00E+00
ADBEP002BSA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
ADBEP003BBA | EP | SPURIOUS FAILURE OF THE POWER INTERFACE BOARD (###EP####BA) | 9.150E-07 | 0.000E+00 | PMS | 0.000E+00 | 9.15E-07 | 0.00E+00
ADBEP003BSA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00

Table 28-10 (Sheet 3 of 68)

FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM

FT IDENT | COMP | FAILURE MODE | FAIL RATE | VARIANCE | SOURCE | TIME | PROBABILITY | VARIANCE
ADBEP0041BA | EP | SPURIOUS FAILURE OF THE POWER INTERFACE BOARD (###EP####BA) | 9.150E-07 | 0.000E+00 | PMS | 0.000E+00 | 9.15E-07 | 0.00E+00
ADBEP0041SA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
ADBEP0042BA | EP | SPURIOUS FAILURE OF THE POWER INTERFACE BOARD (###EP####BA) | 9.150E-07 | 0.000E+00 | PMS | 0.000E+00 | 9.15E-07 | 0.00E+00
ADBEP0042SA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
ADBEP004B1SA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
ADBEP004B2SA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
ADBEP004D1SA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
ADBEP004D2SA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
ADBEP011BBA | EP | SPURIOUS FAILURE OF THE POWER INTERFACE BOARD (###EP####BA) | 9.150E-07 | 0.000E+00 | PMS | 0.000E+00 | 9.15E-07 | 0.00E+00
ADBEP011BSA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
ADBEP012BBA | EP | SPURIOUS FAILURE OF THE POWER INTERFACE BOARD (###EP####BA) | 9.150E-07 | 0.000E+00 | PMS | 0.000E+00 | 9.15E-07 | 0.00E+00
ADBEP012BSA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
ADBEP013BBA | EP | SPURIOUS FAILURE OF THE POWER INTERFACE BOARD (###EP####BA) | 9.150E-07 | 0.000E+00 | PMS | 0.000E+00 | 9.15E-07 | 0.00E+00

Table 28-10 (Sheet 4 of 68)

FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM

FT IDENT | COMP | FAILURE MODE | FAIL RATE | VARIANCE | SOURCE | TIME | PROBABILITY | VARIANCE
ADBEP013BSA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
ADCEP002ASA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
ADCEP0041BA | EP | SPURIOUS FAILURE OF THE POWER INTERFACE BOARD (###EP####BA) | 9.150E-07 | 0.000E+00 | PMS | 0.000E+00 | 9.15E-07 | 0.00E+00
ADCEP0041SA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
ADCEP0042BA | EP | SPURIOUS FAILURE OF THE POWER INTERFACE BOARD (###EP####BA) | 9.150E-07 | 0.000E+00 | PMS | 0.000E+00 | 9.15E-07 | 0.00E+00
ADCEP0042SA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
ADCEP004A1SA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
ADCEP004A2SA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
ADCEP004C1SA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
ADCEP004C2SA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
ADCEP012ASA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
ADDEP002BSA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
ADDEP0041BA | EP | SPURIOUS FAILURE OF THE POWER INTERFACE BOARD (###EP####BA) | 9.150E-07 | 0.000E+00 | PMS | 0.000E+00 | 9.15E-07 | 0.00E+00

Table 28-10 (Sheet 5 of 68)

FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM

FT IDENT | COMP | FAILURE MODE | FAIL RATE | VARIANCE | SOURCE | TIME | PROBABILITY | VARIANCE
ADDEP0041SA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
ADDEP0042BA | EP | SPURIOUS FAILURE OF THE POWER INTERFACE BOARD (###EP####BA) | 9.150E-07 | 0.000E+00 | PMS | 0.000E+00 | 9.15E-07 | 0.00E+00
ADDEP0042SA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
ADDEP004B1SA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
ADDEP004B2SA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
ADDEP004D1SA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
ADDEP004D2SA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
ADDEP012BSA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
ADN-MAN01 | xx | PROBABILITY FOR SUB-BASIC EVENTS | 1.000E-01 | 0.000E+00 | SUB | 0.000E+00 | 1.00E-01 | 0.00E+00
ADN-REC01 | xx | PROBABILITY FOR SUB-BASIC EVENTS | 1.000E-01 | 0.000E+00 | SUB | 0.000E+00 | 1.00E-01 | 0.00E+00
ALL-IND-FAIL | | GENERIC INDICATION FAILURE PROBABILITY | 1.000E-06 | 0.000E+00 | PMS | 0.000E+00 | 1.00E-06 | 0.00E+00
CA2EAPS002A1SA | EA | FAILURE OF THE ANALOG INPUT BOARD (###EA####SA) | 2.510E-04 | 0.000E+00 | PMS | 0.000E+00 | 2.51E-04 | 0.00E+00
CA2EAPS002A2SA | EA | FAILURE OF THE ANALOG INPUT BOARD (###EA####SA) | 2.510E-04 | 0.000E+00 | PMS | 0.000E+00 | 2.51E-04 | 0.00E+00

Table 28-10 (Sheet 6 of 68)

FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM

FT IDENT | COMP | FAILURE MODE | FAIL RATE | VARIANCE | SOURCE | TIME | PROBABILITY | VARIANCE
CA2EAPS002B1SA | EA | FAILURE OF THE ANALOG INPUT BOARD (###EA####SA) | 2.510E-04 | 0.000E+00 | PMS | 0.000E+00 | 2.51E-04 | 0.00E+00
CA2EAPS002B2SA | EA | FAILURE OF THE ANALOG INPUT BOARD (###EA####SA) | 2.510E-04 | 0.000E+00 | PMS | 0.000E+00 | 2.51E-04 | 0.00E+00
CA9EP001BSA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
CA9EPCMPASA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
CA9EPCMPBSA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
CAN-MAN01 | xx | PROBABILITY FOR SUB-BASIC EVENTS | 1.000E-01 | 0.000E+00 | SUB | 0.000E+00 | 1.00E-01 | 0.00E+00
CANTP011RI | TP | FAILURE OF PRESSURE TRANSMITTER (###TP###RI) | 5.230E-03 | 0.000E+00 | PMS | 0.000E+00 | 5.23E-03 | 0.00E+00
CC1EATF1011SA | EA | FAILURE OF THE ANALOG INPUT BOARD (###EA####SA) | 2.510E-04 | 0.000E+00 | PMS | 0.000E+00 | 2.51E-04 | 0.00E+00
CC1EATF1012SA | EA | FAILURE OF THE ANALOG INPUT BOARD (###EA####SA) | 2.510E-04 | 0.000E+00 | PMS | 0.000E+00 | 2.51E-04 | 0.00E+00
CC1EPSBPASA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
CC1EPSBPBSA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
CCB-MAN01 | xx | PROBABILITY FOR SUB-BASIC EVENTS | 1.000E-01 | 0.000E+00 | SUB | 0.000E+00 | 1.00E-01 | 0.00E+00
CCNTF101RI | TF | FLOW TRANSMITTER FAILURE (###TF###RI) | 5.230E-03 | 0.000E+00 | PMS | 0.000E+00 | 5.23E-03 | 0.00E+00

Table 28-10 (Sheet 7 of 68)

FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM

FT IDENT | COMP | FAILURE MODE | FAIL RATE | VARIANCE | SOURCE | TIME | PROBABILITY | VARIANCE
CCX-CMT-SENS | -- | CCF OF CMT SIGNAL SENSORS (CCX-CMT-SENS) | 1.000E-06 | 0.000E+00 | PMS | 0.000E+00 | 1.00E-06 | 0.00E+00
CCX-EAI | | CCF OF THE ANALOG INPUT BOARDS (CCX-EAI) | 1.270E-05 | 0.000E+00 | PMS | 0.000E+00 | 1.27E-05 | 0.00E+00
CCX-EAO | | CCF OF THE ANALOG OUTPUT BOARDS (CCX-EAO) | 3.230E-06 | 0.000E+00 | PMS | 0.000E+00 | 3.23E-06 | 0.00E+00
CCX-EP-SA | | CCF OF THE POWER INTERFACE OUTPUT BOARD (CCX-EP-SA) | 8.620E-06 | 0.000E+00 | PMS | 0.000E+00 | 8.62E-06 | 0.00E+00
CCX-EP-SAM | | CCF OF THE POWER INTERFACE OUTPUT BOARD (CCX-EP-SA) | 8.620E-06 | 0.000E+00 | PMS | 0.000E+00 | 8.62E-06 | 0.00E+00
CCX-EPI | | CCF OF THE POWER INTERFACE INPUT BOARD (CCX-EPI) | 1.000E-20 | 0.000E+00 | PMS | 0.000E+00 | 1.00E-20 | 0.00E+00
CCX-IN-LOGIC-SW | | SOFTWARE CCF OF INPUT LOGIC GROUPS (CCX-PL#MOD3-SW, -IN-LOGIC-SW) | 1.100E-05 | 0.000E+00 | PMS | 0.000E+00 | 1.10E-05 | 0.00E+00
CCX-INPUT-LOGIC | | CCF OF INPUT LOGIC GROUPS (CCX-PL#MOD3, -INPUT-LOGIC) | 1.030E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.03E-04 | 0.00E+00
CCX-LS-FA | LS | CCF OF THE LIMIT SWITCHES (CCX-LS-FA) | 5.370E-06 | 0.000E+00 | PMS | 0.000E+00 | 5.37E-06 | 0.00E+00
CCX-MFI | | CCF OF MAIN FEED ISOLATION SIGNAL SENSORS (SGS04) (CCX-MFI) | 1.000E-06 | 0.000E+00 | PMS | 0.000E+00 | 1.00E-06 | 0.00E+00
CCX-ORY-SP | OR | CCF OF ORIFICE - PLUGGED (CCX-ORY-SP) | 1.000E-20 | 0.000E+00 | PMS | 0.000E+00 | 1.00E-20 | 0.00E+00
CCX-PL103 | | CCF OF THE LOGIC GROUP PROCESSING (CCX-###03) | 9.690E-05 | 0.000E+00 | PMS | 0.000E+00 | 9.69E-05 | 0.00E+00
CCX-PL1EH0 | | CCF OF MUX TRANSMITTERS (CCX-###EHO) | 4.030E-06 | 0.000E+00 | PMS | 0.000E+00 | 4.03E-06 | 0.00E+00

Table 28-10 (Sheet 8 of 68)

FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM

FT IDENT | COMP | FAILURE MODE | FAIL RATE | VARIANCE | SOURCE | TIME | PROBABILITY | VARIANCE
CCX-PL1MOD1 | -- | CCF OF OUTPUT LOGIC I/Os (CCX-P##MOD1) | 1.410E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.41E-04 | 0.00E+00
CCX-PL1MOD1-SW | | SOFTWARE CCF OF OUTPUT LOGIC I/Os (CCX-P##MOD1) | 1.100E-05 | 0.000E+00 | PMS | 0.000E+00 | 1.10E-05 | 0.00E+00
CCX-PL1MOD5 | | CCF OF MODULATING GROUPS - OUTPUT LOGIC I/Os (CCX-PL#MOD5) | 6.980E-05 | 0.000E+00 | PMS | 0.000E+00 | 6.98E-05 | 0.00E+00
CCX-PL1MOD5-SW | | SOFTWARE CCF OF MODULATING GROUPS (CCX-PL#MOD5-SW) | 1.100E-05 | 0.000E+00 | PMS | 0.000E+00 | 1.10E-05 | 0.00E+00
CCX-PL203 | | CCF OF THE LOGIC GROUP PROCESSING (CCX-###03) | 9.690E-05 | 0.000E+00 | PMS | 0.000E+00 | 9.69E-05 | 0.00E+00
CCX-PL2EH0 | | CCF OF MUX TRANSMITTERS (CCX-###EHO) | 4.030E-06 | 0.000E+00 | PMS | 0.000E+00 | 4.03E-06 | 0.00E+00
CCX-PL2MOD1 | | CCF OF OUTPUT LOGIC I/Os (CCX-P##MOD1) | 1.410E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.41E-04 | 0.00E+00
CCX-PL2MOD1-SW | | SOFTWARE CCF OF OUTPUT LOGIC I/Os (CCX-P##MOD1) | 1.100E-05 | 0.000E+00 | PMS | 0.000E+00 | 1.10E-05 | 0.00E+00
CCX-PL2MOD5 | | CCF OF MODULATING GROUPS - OUTPUT LOGIC I/Os (CCX-PL#MOD5) | 6.980E-05 | 0.000E+00 | PMS | 0.000E+00 | 6.98E-05 | 0.00E+00
CCX-PL2MOD5-SW | | SOFTWARE CCF OF MODULATING GROUPS (CCX-PL#MOD5-SW) | 1.100E-05 | 0.000E+00 | PMS | 0.000E+00 | 1.10E-05 | 0.00E+00
CCX-PL303 | | CCF OF THE LOGIC GROUP PROCESSING (CCX-###03) | 9.690E-05 | 0.000E+00 | PMS | 0.000E+00 | 9.69E-05 | 0.00E+00
CCX-PL3EH0 | | CCF OF MUX TRANSMITTERS (CCX-###EHO) | 4.030E-06 | 0.000E+00 | PMS | 0.000E+00 | 4.03E-06 | 0.00E+00
CCX-PL3MOD1 | | CCF OF OUTPUT LOGIC I/Os (CCX-P##MOD1) | 1.410E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.41E-04 | 0.00E+00

Table 28-10 (Sheet 9 of 68)

FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM

FT IDENT | COMP | FAILURE MODE | FAIL RATE | VARIANCE | SOURCE | TIME | PROBABILITY | VARIANCE
CCX-PL3MOD1-SW | -- | SOFTWARE CCF OF OUTPUT LOGIC I/Os (CCX-P##MOD1) | 1.100E-05 | 0.000E+00 | PMS | 0.000E+00 | 1.10E-05 | 0.00E+00
CCX-PL3MOD5 | | CCF OF MODULATING GROUPS - OUTPUT LOGIC I/Os (CCX-PL#MOD5) | 6.980E-05 | 0.000E+00 | PMS | 0.000E+00 | 6.98E-05 | 0.00E+00
CCX-PL3MOD5-SW | | SOFTWARE CCF OF MODULATING GROUPS (CCX-PL#MOD5-SW) | 1.100E-05 | 0.000E+00 | PMS | 0.000E+00 | 1.10E-05 | 0.00E+00
CCX-PL403 | | CCF OF THE LOGIC GROUP PROCESSING (CCX-###03) | 9.690E-05 | 0.000E+00 | PMS | 0.000E+00 | 9.69E-05 | 0.00E+00
CCX-PL4EH0 | | CCF OF MUX TRANSMITTERS (CCX-###EHO) | 4.030E-06 | 0.000E+00 | PMS | 0.000E+00 | 4.03E-06 | 0.00E+00
CCX-PL4MOD1 | | CCF OF OUTPUT LOGIC I/Os (CCX-P##MOD1) | 1.410E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.41E-04 | 0.00E+00
CCX-PL4MOD1-SW | | SOFTWARE CCF OF OUTPUT LOGIC I/Os (CCX-P##MOD1) | 1.100E-05 | 0.000E+00 | PMS | 0.000E+00 | 1.10E-05 | 0.00E+00
CCX-PL503 | | CCF OF THE LOGIC GROUP PROCESSING (CCX-###03) | 9.690E-05 | 0.000E+00 | PMS | 0.000E+00 | 9.69E-05 | 0.00E+00
CCX-PL5EH0 | | CCF OF MUX TRANSMITTERS (CCX-###EHO) | 4.030E-06 | 0.000E+00 | PMS | 0.000E+00 | 4.03E-06 | 0.00E+00
CCX-PL5MOD1 | | CCF OF OUTPUT LOGIC I/Os (CCX-P##MOD1) | 1.410E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.41E-04 | 0.00E+00
CCX-PL5MOD1-SW | | SOFTWARE CCF OF OUTPUT LOGIC I/Os (CCX-P##MOD1) | 1.100E-05 | 0.000E+00 | PMS | 0.000E+00 | 1.10E-05 | 0.00E+00
CCX-PL603 | | CCF OF THE LOGIC GROUP PROCESSING (CCX-###03) | 9.690E-05 | 0.000E+00 | PMS | 0.000E+00 | 9.69E-05 | 0.00E+00
CCX-PL6EH0 | | CCF OF MUX TRANSMITTERS (CCX-###EHO) | 4.030E-06 | 0.000E+00 | PMS | 0.000E+00 | 4.03E-06 | 0.00E+00

Table 28-10 (Sheet 10 of 68)

FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM

COMP FAILURE MODE FAIL RATE VARIANCE SOURCE TIME PROBABILITY VARIANCE

CCX-PL6MOD1

CCX-PL6MOD1-SW

CCX-PL703

CCX-PL7EH0

CCX-PL7MOD1

CCX-PL7MOD1-SW

CCX-PL803

CCX-PL8EHO

CCX-PL8MOD1

CCX-PL8MOD1-SW

CCX-PL903

CCX-PL9EHO

CCX-PL9MOD1

-- CCF OF OUTPUT LOGIC I/Os (CCXP##MOD1)

SOFTWARE CCF OF OUTPUT LOGIC I

/Os (CCX-P##MOD1)

CCF OF THE LOGIC GROUP PROCESS ING (CCX-###03)

CCF OF MUX TRANSMITTERS (CCX-# ##EHO)

CCF OF OUTPUT LOGIC I/Os (CCXP##MOD1)

SOFTWARE CCF OF OUTPUT LOGIC I /Os (CCX-P##MODI)

CCF OF THE LOGIC GROUP PROCESS ING (CCX-###03)

CCF OF MUX TRANSMITTERS (CCX-# ##EHO)

CCF OF OUTPUT LOGIC I/Os (CCXP##MOD1)

SOFTWARE CCF OF OUTPUT LOGIC I /Os (CCX-P##MOD1)

CCF OF THE LOGIC GROUP PROCESS ING (CCX-###03)

CCF OF MUX TRANSMITTERS (CCX-# ##EHO)

CCF OF OUTPUT LOGIC I/Os (CCXP##MOD1)

1.410E-04

1.100E-05

9.690E-05

4.030E-06

1.410E-04

1.100E-05

9. 690E-05

4.030E-06

1.410E-04

1.100E-05

9. 690E-05

4.030E-06

1.410E-04

0.00OE+00

o.OOOE+00

o.OOOE+00

0.000E+00

0.000E+00

0.OOOE+00

0.OOOE+00

O.OOOE+00

0.00OE+00

0.000E÷00

o.000E+00

o0.000E+00 O.OOOE+00

O .OOOE+00

O.000E+00 1.41E-04 O.OOE+00PMS

PMS

PMS

PMS

PMS

PMS

PMS

PMS

PMS

PMS

PMS

PMS

PMS

1.10E-05

9.69E-05

4.03E-06

1.41E-04

1.10E-05

9.69E-05

4.03E-06

1.41E-04

1.10E-05

9. 69E-05

4.03E-06

1.41E-04

O.OOE+00

0.00E+00

0.OOE+00

O.OOE+00

O.OOE+O0

O.OOE±OO

0.OOE+00

0.00E+00

O.OOE+O0

O.OOE+00

O.OOE+O0

O.OOE+00

28-7 1

Revision 1

WT TflFNT•

0. 000E+00

O.OOOE+00

0.00OE+00

0.00OE+00

0.00OE+00

o.OOOE+00

o.OOOE+00

o.OOOE+00

0.000E+00

0.00OE+00

o.000E+00

O. 00E+00

Revision I

28 Plant Control Svstem

FT IDENT COMP FAILURE MODE

28-71

Table 28-10 (Sheet 11 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM

FT IDENT | COMP | FAILURE MODE | FAIL RATE | VARIANCE | SOURCE | TIME | PROBABILITY | VARIANCE
CCX-PL9MOD1-SW | -- | SOFTWARE CCF OF OUTPUT LOGIC I/Os (CCX-P##MOD1) | 1.100E-05 | 0.000E+00 | PMS | 0.000E+00 | 1.10E-05 | 0.00E+00
CCX-PLA03 | -- | CCF OF THE LOGIC GROUP PROCESSING (CCX-###03) | 9.690E-05 | 0.000E+00 | PMS | 0.000E+00 | 9.69E-05 | 0.00E+00
CCX-PLAEH0 | -- | CCF OF MUX TRANSMITTERS (CCX-###EH0) | 4.030E-06 | 0.000E+00 | PMS | 0.000E+00 | 4.03E-06 | 0.00E+00
CCX-PLAMOD1 | -- | CCF OF OUTPUT LOGIC I/Os (CCX-P##MOD1) | 1.410E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.41E-04 | 0.00E+00
CCX-PLAMOD1-SW | -- | SOFTWARE CCF OF OUTPUT LOGIC I/Os (CCX-P##MOD1) | 1.100E-05 | 0.000E+00 | PMS | 0.000E+00 | 1.10E-05 | 0.00E+00
CCX-PLB03 | -- | CCF OF THE LOGIC GROUP PROCESSING (CCX-###03) | 9.690E-05 | 0.000E+00 | PMS | 0.000E+00 | 9.69E-05 | 0.00E+00
CCX-PLBEH0 | -- | CCF OF MUX TRANSMITTERS (CCX-###EH0) | 4.030E-06 | 0.000E+00 | PMS | 0.000E+00 | 4.03E-06 | 0.00E+00
CCX-PLBMOD1 | -- | CCF OF OUTPUT LOGIC I/Os (CCX-P##MOD1) | 1.410E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.41E-04 | 0.00E+00
CCX-PLBMOD1-SW | -- | SOFTWARE CCF OF OUTPUT LOGIC I/Os (CCX-P##MOD1) | 1.100E-05 | 0.000E+00 | PMS | 0.000E+00 | 1.10E-05 | 0.00E+00
CCX-PLC03 | -- | CCF OF THE LOGIC GROUP PROCESSING (CCX-###03) | 9.690E-05 | 0.000E+00 | PMS | 0.000E+00 | 9.69E-05 | 0.00E+00
CCX-PLCEH0 | -- | CCF OF MUX TRANSMITTERS (CCX-###EH0) | 4.030E-06 | 0.000E+00 | PMS | 0.000E+00 | 4.03E-06 | 0.00E+00
CCX-PLCMOD1 | -- | CCF OF OUTPUT LOGIC I/Os (CCX-P##MOD1) | 1.410E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.41E-04 | 0.00E+00
CCX-PLCMOD1-SW | -- | SOFTWARE CCF OF OUTPUT LOGIC I/Os (CCX-P##MOD1) | 1.100E-05 | 0.000E+00 | PMS | 0.000E+00 | 1.10E-05 | 0.00E+00

Table 28-10 (Sheet 12 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM

FT IDENT | COMP | FAILURE MODE | FAIL RATE | VARIANCE | SOURCE | TIME | PROBABILITY | VARIANCE
CCX-PLD03 | -- | CCF OF THE LOGIC GROUP PROCESSING (CCX-###03) | 9.690E-05 | 0.000E+00 | PMS | 0.000E+00 | 9.69E-05 | 0.00E+00
CCX-PLDEH0 | -- | CCF OF MUX TRANSMITTERS (CCX-###EH0) | 4.030E-06 | 0.000E+00 | PMS | 0.000E+00 | 4.03E-06 | 0.00E+00
CCX-PLDMOD1 | -- | CCF OF OUTPUT LOGIC I/Os (CCX-P##MOD1) | 1.410E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.41E-04 | 0.00E+00
CCX-PLDMOD1-SW | -- | SOFTWARE CCF OF OUTPUT LOGIC I/Os (CCX-P##MOD1) | 1.100E-05 | 0.000E+00 | PMS | 0.000E+00 | 1.10E-05 | 0.00E+00
CCX-PLMMOD4 | -- | CCF OF MUX LOGIC GROUPS (CCX-P##MOD4) | 4.980E-05 | 0.000E+00 | PMS | 0.000E+00 | 4.98E-05 | 0.00E+00
CCX-PLMMOD4-SW | -- | SOFTWARE CCF OF MUX LOGIC GROUPS (CCX-P##MOD4-SW) | 1.100E-05 | 0.000E+00 | PMS | 0.000E+00 | 1.10E-05 | 0.00E+00
CCX-PLMOD3 | -- | CCF OF INPUT LOGIC GROUPS (CCX-PL#MOD3, -INPUT-LOGIC) | 1.030E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.03E-04 | 0.00E+00
CCX-PLMOD3-SW | -- | SOFTWARE CCF OF INPUT LOGIC GROUPS (CCX-PL#MOD3-SW, -IN-LOGIC-SW) | 1.100E-05 | 0.000E+00 | PMS | 0.000E+00 | 1.10E-05 | 0.00E+00
CCX-PLSMOD6 | -- | CCF OF SIGNAL SELECTOR GROUPS - LOGIC AND I/Os (CCX-PL#MOD6) | 2.530E-04 | 0.000E+00 | PMS | 0.000E+00 | 2.53E-04 | 0.00E+00
CCX-PLSMOD6-SW | -- | SOFTWARE CCF OF SIGNAL SELECTOR GROUPS - LOGIC AND I/Os (CCX-PL#MOD6-SW) | 1.100E-05 | 0.000E+00 | PMS | 0.000E+00 | 1.10E-05 | 0.00E+00
CCX-PMA030 | -- | CCF OF THE LOGIC GROUP PROCESSING (CCX-###03) | 9.690E-05 | 0.000E+00 | PMS | 0.000E+00 | 9.69E-05 | 0.00E+00
CCX-PMAEH0 | -- | CCF OF MUX TRANSMITTERS (CCX-###EH0) | 4.030E-06 | 0.000E+00 | PMS | 0.000E+00 | 4.03E-06 | 0.00E+00

Table 28-10 (Sheet 13 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM

FT IDENT | COMP | FAILURE MODE | FAIL RATE | VARIANCE | SOURCE | TIME | PROBABILITY | VARIANCE
CCX-PMAMOD1 | -- | CCF OF OUTPUT LOGIC I/Os (CCX-P##MOD1) | 1.410E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.41E-04 | 0.00E+00
CCX-PMAMOD1-SW | -- | SOFTWARE CCF OF OUTPUT LOGIC I/Os (CCX-P##MOD1) | 1.100E-05 | 0.000E+00 | PMS | 0.000E+00 | 1.10E-05 | 0.00E+00
CCX-PMAMOD2 | -- | CCF OF ACTUATION LOGIC GROUPS (CCX-P##MOD2) | 3.040E-04 | 0.000E+00 | PMS | 0.000E+00 | 3.04E-04 | 0.00E+00
CCX-PMAMOD2-SW | -- | SOFTWARE CCF OF ACTUATION LOGIC GROUPS (CCX-P##MOD2-SW) | 1.100E-05 | 0.000E+00 | PMS | 0.000E+00 | 1.10E-05 | 0.00E+00
CCX-PMAMOD4 | -- | CCF OF MUX LOGIC GROUPS (CCX-P##MOD4) | 4.980E-05 | 0.000E+00 | PMS | 0.000E+00 | 4.98E-05 | 0.00E+00
CCX-PMAMOD4-SW | -- | SOFTWARE CCF OF MUX LOGIC GROUPS (CCX-P##MOD4-SW) | 1.100E-05 | 0.000E+00 | PMS | 0.000E+00 | 1.10E-05 | 0.00E+00
CCX-PMB030 | -- | CCF OF THE LOGIC GROUP PROCESSING (CCX-###03) | 9.690E-05 | 0.000E+00 | PMS | 0.000E+00 | 9.69E-05 | 0.00E+00
CCX-PMBEH0 | -- | CCF OF MUX TRANSMITTERS (CCX-###EH0) | 4.030E-06 | 0.000E+00 | PMS | 0.000E+00 | 4.03E-06 | 0.00E+00
CCX-PMBMOD1 | -- | CCF OF OUTPUT LOGIC I/Os (CCX-P##MOD1) | 1.410E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.41E-04 | 0.00E+00
CCX-PMBMOD1-SW | -- | SOFTWARE CCF OF OUTPUT LOGIC I/Os (CCX-P##MOD1) | 1.100E-05 | 0.000E+00 | PMS | 0.000E+00 | 1.10E-05 | 0.00E+00
CCX-PMBMOD2 | -- | CCF OF ACTUATION LOGIC GROUPS (CCX-P##MOD2) | 3.040E-04 | 0.000E+00 | PMS | 0.000E+00 | 3.04E-04 | 0.00E+00
CCX-PMBMOD2-SW | -- | SOFTWARE CCF OF ACTUATION LOGIC GROUPS (CCX-P##MOD2-SW) | 1.100E-05 | 0.000E+00 | PMS | 0.000E+00 | 1.10E-05 | 0.00E+00
CCX-PMBMOD4 | -- | CCF OF MUX LOGIC GROUPS (CCX-P##MOD4) | 4.980E-05 | 0.000E+00 | PMS | 0.000E+00 | 4.98E-05 | 0.00E+00

Table 28-10 (Sheet 14 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM

FT IDENT | COMP | FAILURE MODE | FAIL RATE | VARIANCE | SOURCE | TIME | PROBABILITY | VARIANCE
CCX-PMBMOD4-SW | -- | SOFTWARE CCF OF MUX LOGIC GROUPS (CCX-P##MOD4-SW) | 1.100E-05 | 0.000E+00 | PMS | 0.000E+00 | 1.10E-05 | 0.00E+00
CCX-PMC030 | -- | CCF OF THE LOGIC GROUP PROCESSING (CCX-###03) | 9.690E-05 | 0.000E+00 | PMS | 0.000E+00 | 9.69E-05 | 0.00E+00
CCX-PMCEH0 | -- | CCF OF MUX TRANSMITTERS (CCX-###EH0) | 4.030E-06 | 0.000E+00 | PMS | 0.000E+00 | 4.03E-06 | 0.00E+00
CCX-PMCMOD1 | -- | CCF OF OUTPUT LOGIC I/Os (CCX-P##MOD1) | 1.410E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.41E-04 | 0.00E+00
CCX-PMCMOD1-SW | -- | SOFTWARE CCF OF OUTPUT LOGIC I/Os (CCX-P##MOD1) | 1.100E-05 | 0.000E+00 | PMS | 0.000E+00 | 1.10E-05 | 0.00E+00
CCX-PMCMOD2 | -- | CCF OF ACTUATION LOGIC GROUPS (CCX-P##MOD2) | 3.040E-04 | 0.000E+00 | PMS | 0.000E+00 | 3.04E-04 | 0.00E+00
CCX-PMCMOD2-SW | -- | SOFTWARE CCF OF ACTUATION LOGIC GROUPS (CCX-P##MOD2-SW) | 1.100E-05 | 0.000E+00 | PMS | 0.000E+00 | 1.10E-05 | 0.00E+00
CCX-PMCMOD4 | -- | CCF OF MUX LOGIC GROUPS (CCX-P##MOD4) | 4.980E-05 | 0.000E+00 | PMS | 0.000E+00 | 4.98E-05 | 0.00E+00
CCX-PMCMOD4-SW | -- | SOFTWARE CCF OF MUX LOGIC GROUPS (CCX-P##MOD4-SW) | 1.100E-05 | 0.000E+00 | PMS | 0.000E+00 | 1.10E-05 | 0.00E+00
CCX-PMD030 | -- | CCF OF THE LOGIC GROUP PROCESSING (CCX-###03) | 9.690E-05 | 0.000E+00 | PMS | 0.000E+00 | 9.69E-05 | 0.00E+00
CCX-PMDEH0 | -- | CCF OF MUX TRANSMITTERS (CCX-###EH0) | 4.030E-06 | 0.000E+00 | PMS | 0.000E+00 | 4.03E-06 | 0.00E+00
CCX-PMDMOD1 | -- | CCF OF OUTPUT LOGIC I/Os (CCX-P##MOD1) | 1.410E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.41E-04 | 0.00E+00
CCX-PMDMOD1-SW | -- | SOFTWARE CCF OF OUTPUT LOGIC I/Os (CCX-P##MOD1) | 1.100E-05 | 0.000E+00 | PMS | 0.000E+00 | 1.10E-05 | 0.00E+00

Table 28-10 (Sheet 15 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM

FT IDENT | COMP | FAILURE MODE | FAIL RATE | VARIANCE | SOURCE | TIME | PROBABILITY | VARIANCE
CCX-PMDMOD2 | -- | CCF OF ACTUATION LOGIC GROUPS (CCX-P##MOD2) | 3.040E-04 | 0.000E+00 | PMS | 0.000E+00 | 3.04E-04 | 0.00E+00
CCX-PMDMOD2-SW | -- | SOFTWARE CCF OF ACTUATION LOGIC GROUPS (CCX-P##MOD2-SW) | 1.100E-05 | 0.000E+00 | PMS | 0.000E+00 | 1.10E-05 | 0.00E+00
CCX-PMDMOD4 | -- | CCF OF MUX LOGIC GROUPS (CCX-P##MOD4) | 4.980E-05 | 0.000E+00 | PMS | 0.000E+00 | 4.98E-05 | 0.00E+00
CCX-PMDMOD4-SW | -- | SOFTWARE CCF OF MUX LOGIC GROUPS (CCX-P##MOD4-SW) | 1.100E-05 | 0.000E+00 | PMS | 0.000E+00 | 1.10E-05 | 0.00E+00
CCX-PMXMOD1-SW | -- | SOFTWARE CCF OF OUTPUT LOGIC I/Os (CCX-P##MOD1) | 1.100E-05 | 0.000E+00 | PMS | 0.000E+00 | 1.10E-05 | 0.00E+00
CCX-PMXMOD2-SW | -- | SOFTWARE CCF OF ACTUATION LOGIC GROUPS (CCX-P##MOD2-SW) | 1.100E-05 | 0.000E+00 | PMS | 0.000E+00 | 1.10E-05 | 0.00E+00
CCX-PMXMOD4-SW | -- | SOFTWARE CCF OF MUX LOGIC GROUPS (CCX-P##MOD4-SW) | 1.100E-05 | 0.000E+00 | PMS | 0.000E+00 | 1.10E-05 | 0.00E+00
CCX-PRHR | -- | CCF OF PRHR ACTUATION SIGNAL SENSORS (SGS06) (CCX-PRHR) | 1.000E-06 | 0.000E+00 | PMS | 0.000E+00 | 1.00E-06 | 0.00E+00
CCX-RM-UF | RM | CCF OF RADIATION MONITORS (CCX-RM-UF) | 7.580E-05 | 0.000E+00 | PMS | 0.000E+00 | 7.58E-05 | 0.00E+00
CCX-S-SIG-SENS | -- | CCF OF THE S-SIGNAL SENSORS (CCX-S-SIG-SENS) | 1.000E-06 | 0.000E+00 | PMS | 0.000E+00 | 1.00E-06 | 0.00E+00
CCX-SFTW | -- | SOFTWARE CCF AMONG ALL BOARDS (CCX-SFTW) | 1.200E-06 | 0.000E+00 | PMS | 0.000E+00 | 1.20E-06 | 0.00E+00
CCX-SFTWS | -- | SPURIOUS CCF OF SOFTWARE (CCX-SFTWS) | 3.000E-08 | 0.000E+00 | PMS | 0.000E+00 | 3.00E-08 | 0.00E+00
CCX-TRNSM | -- | CCF OF PRESSURE TRANSMITTER LOW PZR (CCX-TRNSM) | 4.780E-04 | 0.000E+00 | PMS | 0.000E+00 | 2.01E-04 | 0.00E+00

Table 28-10 (Sheet 16 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM

FT IDENT | COMP | FAILURE MODE | FAIL RATE | VARIANCE | SOURCE | TIME | PROBABILITY | VARIANCE
CCX-TT-UF | -- | CCF OF TEMPERATURE TRANSMITTERS (CCX-TT-UF) | 1.170E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.17E-04 | 0.00E+00
CCX-TT1-UF | TT | CCF OF TEMPERATURE TRANSMITTERS FOLLOWING ACCIDENT (CCX-TT1-UF) | 1.170E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.17E-04 | 0.00E+00
CCX-VS-FA | VS | CCF OF CMT LEVEL SWITCHES (CMX-VS-FA) | 3.840E-05 | 0.000E+00 | PMS | 0.000E+00 | 3.84E-05 | 0.00E+00
CCX-XMTR | -- | CCF OF PRESSURE TRANSMITTERS (CCX-XMTR) | 4.780E-04 | 0.000E+00 | PMS | 0.000E+00 | 4.78E-04 | 0.00E+00
CCX-XMTR1 | -- | CCF OF PRESSURE TRANSMITTERS FOLLOWING ACCIDENT (CCX-XMTR1) | 4.780E-04 | 0.000E+00 | PMS | 0.000E+00 | 4.78E-04 | 0.00E+00
CCX-XMTR195 | -- | CCF OF PRESSURIZER LEVEL SENSORS (CCX-XMTR195) | 4.780E-04 | 0.000E+00 | PMS | 0.000E+00 | 4.78E-04 | 0.00E+00
CD3EA0101SA | EA | FAILURE OF THE ANALOG INPUT BOARD (###EA####SA) | 2.510E-04 | 0.000E+00 | PMS | 0.000E+00 | 2.51E-04 | 0.00E+00
CD3EA0102SA | EA | FAILURE OF THE ANALOG INPUT BOARD (###EA####SA) | 2.510E-04 | 0.000E+00 | PMS | 0.000E+00 | 2.51E-04 | 0.00E+00
CD3EA0221SA | EA | FAILURE OF THE ANALOG INPUT BOARD (###EA####SA) | 2.510E-04 | 0.000E+00 | PMS | 0.000E+00 | 2.51E-04 | 0.00E+00
CD3EA0222SA | EA | FAILURE OF THE ANALOG INPUT BOARD (###EA####SA) | 2.510E-04 | 0.000E+00 | PMS | 0.000E+00 | 2.51E-04 | 0.00E+00
CD3EA0251SA | EA | FAILURE OF THE ANALOG INPUT BOARD (###EA####SA) | 2.510E-04 | 0.000E+00 | PMS | 0.000E+00 | 2.51E-04 | 0.00E+00
CD3EA0252SA | EA | FAILURE OF THE ANALOG INPUT BOARD (###EA####SA) | 2.510E-04 | 0.000E+00 | PMS | 0.000E+00 | 2.51E-04 | 0.00E+00
CD3EA0281SA | EA | FAILURE OF THE ANALOG INPUT BOARD (###EA####SA) | 2.510E-04 | 0.000E+00 | PMS | 0.000E+00 | 2.51E-04 | 0.00E+00

Table 28-10 (Sheet 17 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM

FT IDENT | COMP | FAILURE MODE | FAIL RATE | VARIANCE | SOURCE | TIME | PROBABILITY | VARIANCE
CD3EA0282SA | EA | FAILURE OF THE ANALOG INPUT BOARD (###EA####SA) | 2.510E-04 | 0.000E+00 | PMS | 0.000E+00 | 2.51E-04 | 0.00E+00
CD3EACPB1SA | EA | FAILURE OF THE ANALOG INPUT BOARD (###EA####SA) | 2.510E-04 | 0.000E+00 | PMS | 0.000E+00 | 2.51E-04 | 0.00E+00
CD3EACPB2SA | EA | FAILURE OF THE ANALOG INPUT BOARD (###EA####SA) | 2.510E-04 | 0.000E+00 | PMS | 0.000E+00 | 2.51E-04 | 0.00E+00
CDDEP022SA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
CDDEP025SA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
CDDEPCPBSA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
CDNTF01BRI | TF | FLOW TRANSMITTER FAILURE (###TF###RI) | 5.230E-03 | 0.000E+00 | PMS | 0.000E+00 | 5.23E-03 | 0.00E+00
CIA-MAN01 | XX | PROBABILITY FOR SUB-BASIC EVENTS | 1.000E-01 | 0.000E+00 | SUB | 0.000E+00 | 1.00E-01 | 0.00E+00
CIAEP003SA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
CIAEP004SA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
CIAEP014SA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
CIBEP004SA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
CIBEP006SA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00

Table 28-10 (Sheet 18 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM

FT IDENT | COMP | FAILURE MODE | FAIL RATE | VARIANCE | SOURCE | TIME | PROBABILITY | VARIANCE
CIC-MAN01 | XX | PROBABILITY FOR SUB-BASIC EVENTS | 1.000E-01 | 0.000E+00 | SUB | 0.000E+00 | 1.00E-01 | 0.00E+00
CICEP009SA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
CICEP055SA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
CIDEP010SA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
CIDEP057SA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
CMAEP014ASA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
CMBEP014BSA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
CMCEP015ASA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
CMDEP015BSA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
CMN-MAN01 | XX | PROBABILITY FOR SUB-BASIC EVENTS | 1.000E-01 | 0.000E+00 | SUB | 0.000E+00 | 1.00E-01 | 0.00E+00
CMN-REC01 | XX | PROBABILITY FOR SUB-BASIC EVENTS | 1.000E-01 | 0.000E+00 | SUB | 0.000E+00 | 1.00E-01 | 0.00E+00
CMT-SENS1-FAIL | -- | CMT SIGNAL SENSORS (CMT-SENS-FAIL) | 1.000E-06 | 0.000E+00 | PMS | 0.000E+00 | 1.00E-06 | 0.00E+00
CMT-SENS2-FAIL | -- | CMT SIGNAL SENSORS (CMT-SENS-FAIL) | 1.000E-06 | 0.000E+00 | PMS | 0.000E+00 | 1.00E-06 | 0.00E+00

Table 28-10 (Sheet 19 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM

FT IDENT | COMP | FAILURE MODE | FAIL RATE | VARIANCE | SOURCE | TIME | PROBABILITY | VARIANCE
CMT-SENS3-FAIL | -- | CMT SIGNAL SENSORS (CMT-SENS-FAIL) | 1.000E-06 | 0.000E+00 | PMS | 0.000E+00 | 1.00E-06 | 0.00E+00
CMT-SENS4-FAIL | -- | CMT SIGNAL SENSORS (CMT-SENS-FAIL) | 1.000E-06 | 0.000E+00 | PMS | 0.000E+00 | 1.00E-06 | 0.00E+00
CMX-VS-FA | VS | CCF OF CMT LEVEL SWITCHES (CMX-VS-FA) | 3.840E-05 | 0.000E+00 | PMS | 0.000E+00 | 3.84E-05 | 0.00E+00
CV3EPCPASA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
CV3EPCPBSA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
CV3EPCVPSA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
CV3EPSFPSA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
CVAEP067SA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
CVAEP084SA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
CVBEP081SA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
CVCEP091SA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
CVDEP090SA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
DAS | -- | UNAVAILABILITY GOAL FOR DIVERSE ACTUATION SYSTEM (DAS) | 1.000E-02 | 0.000E+00 | DAS | 0.000E+00 | 1.00E-02 | 0.00E+00

Table 28-10 (Sheet 20 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM

FT IDENT | COMP | FAILURE MODE | FAIL RATE | VARIANCE | SOURCE | TIME | PROBABILITY | VARIANCE
DG1-LOGIC | -- | DIESEL SEQUENCING LOGIC (DG#-LOGIC) | 5.000E-03 | 0.000E+00 | PMS | 0.000E+00 | 5.00E-03 | 0.00E+00
DG2-LOGIC | -- | DIESEL SEQUENCING LOGIC (DG#-LOGIC) | 5.000E-03 | 0.000E+00 | PMS | 0.000E+00 | 5.00E-03 | 0.00E+00
DUMMY | -- | LOGICAL ZERO (DUMMY) | 1.000E-20 | 0.000E+00 | PMS | 0.000E+00 | 1.00E-20 | 0.00E+00
EC1EA67B1SA | EA | FAILURE OF THE ANALOG INPUT BOARD (###EA####SA) | 2.510E-04 | 0.000E+00 | PMS | 0.000E+00 | 2.51E-04 | 0.00E+00
EC1EA67B2SA | EA | FAILURE OF THE ANALOG INPUT BOARD (###EA####SA) | 2.510E-04 | 0.000E+00 | PMS | 0.000E+00 | 2.51E-04 | 0.00E+00
EC1RE27BGA | RE | FAILURE OF THE UNDER VOLTAGE RELAY (EC#RE27BGA) | 4.360E-03 | 0.000E+00 | PMS | 0.000E+00 | 4.36E-03 | 0.00E+00
EC1REDG1GA | RE | FAILURE OF THE UNDER VOLTAGE RELAY (EC#RE27BGA) | 4.360E-03 | 0.000E+00 | PMS | 0.000E+00 | 4.36E-03 | 0.00E+00
EC1REDG2GA | RE | FAILURE OF THE UNDER VOLTAGE RELAY (EC#RE27BGA) | 4.360E-03 | 0.000E+00 | PMS | 0.000E+00 | 4.36E-03 | 0.00E+00
EC5EPDG1SA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
EC5EPDG2SA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
EC5EPMGB1SA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
FWN-MAN02 | XX | PROBABILITY FOR SUB-BASIC EVENTS | 1.000E-01 | 0.000E+00 | SUB | 0.000E+00 | 1.00E-01 | 0.00E+00
FWN-MAN03 | XX | PROBABILITY FOR SUB-BASIC EVENTS | 1.000E-01 | 0.000E+00 | SUB | 0.000E+00 | 1.00E-01 | 0.00E+00

Table 28-10 (Sheet 21 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM

FT IDENT | COMP | FAILURE MODE | FAIL RATE | VARIANCE | SOURCE | TIME | PROBABILITY | VARIANCE
HPM-MAN01 | XX | PROBABILITY FOR SUB-BASIC EVENTS | 1.000E-01 | 0.000E+00 | SUB | 0.000E+00 | 1.00E-01 | 0.00E+00
IRAEP117ASA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
IRBEP117BSA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
IRBEP123ASA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
IRBEP123BSA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
IRBEP125ASA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
IRBEP125BSA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
IRCEP118ASA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
IRDEP118BSA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
IRDEP120ASA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
IRDEP120BSA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
IW1TL045UF | TL | LEVEL TRANSMITTER FAILURE (###TL###UF) | 5.230E-03 | 0.000E+00 | PMS | 0.000E+00 | 5.23E-03 | 0.00E+00
IW2TL046UF | TL | LEVEL TRANSMITTER FAILURE (###TL###UF) | 5.230E-03 | 0.000E+00 | PMS | 0.000E+00 | 5.23E-03 | 0.00E+00

Table 28-10 (Sheet 22 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM

FT IDENT | COMP | FAILURE MODE | FAIL RATE | VARIANCE | SOURCE | TIME | PROBABILITY | VARIANCE
IW3TL047UF | TL | LEVEL TRANSMITTER FAILURE (###TL###UF) | 5.230E-03 | 0.000E+00 | PMS | 0.000E+00 | 5.23E-03 | 0.00E+00
IW4TL048UF | TL | LEVEL TRANSMITTER FAILURE (###TL###UF) | 5.230E-03 | 0.000E+00 | PMS | 0.000E+00 | 5.23E-03 | 0.00E+00
IWN-MAN01 | XX | PROBABILITY FOR SUB-BASIC EVENTS | 1.000E-01 | 0.000E+00 | SUB | 0.000E+00 | 1.00E-01 | 0.00E+00
IWX-XMTR | -- | CCF OF PRESSURE TRANSMITTER (IWX-XMTR) | 4.780E-04 | 0.000E+00 | PMS | 0.000E+00 | 4.78E-04 | 0.00E+00
LPM-MAN01 | XX | PROBABILITY FOR SUB-BASIC EVENTS | 1.000E-01 | 0.000E+00 | SUB | 0.000E+00 | 1.00E-01 | 0.00E+00
LPM-MAN02 | XX | PROBABILITY FOR SUB-BASIC EVENTS | 1.000E-01 | 0.000E+00 | SUB | 0.000E+00 | 1.00E-01 | 0.00E+00
LPM-MAN03 | XX | PROBABILITY FOR SUB-BASIC EVENTS | 1.000E-01 | 0.000E+00 | SUB | 0.000E+00 | 1.00E-01 | 0.00E+00
LPM-MAN04 | XX | PROBABILITY FOR SUB-BASIC EVENTS | 1.000E-01 | 0.000E+00 | SUB | 0.000E+00 | 1.00E-01 | 0.00E+00
LPM-MAN07 | XX | PROBABILITY FOR SUB-BASIC EVENTS | 1.000E-01 | 0.000E+00 | SUB | 0.000E+00 | 1.00E-01 | 0.00E+00
LPM-MAN08 | XX | PROBABILITY FOR SUB-BASIC EVENTS | 1.000E-01 | 0.000E+00 | SUB | 0.000E+00 | 1.00E-01 | 0.00E+00
LPM-REC01 | XX | PROBABILITY FOR SUB-BASIC EVENTS | 1.000E-01 | 0.000E+00 | SUB | 0.000E+00 | 1.00E-01 | 0.00E+00
MDAS | -- | UNAVAILABILITY GOAL FOR MANUAL DIVERSE ACTUATION SYSTEM (MDAS) | 1.000E-02 | 0.000E+00 | | 0.000E+00 | 1.00E-02 | 0.00E+00
MF3EA250A1SA | EA | FAILURE OF THE ANALOG INPUT BOARD (###EA####SA) | 2.510E-04 | 0.000E+00 | PMS | 0.000E+00 | 2.51E-04 | 0.00E+00

Table 28-10 (Sheet 23 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM

FT IDENT | COMP | FAILURE MODE | FAIL RATE | VARIANCE | SOURCE | TIME | PROBABILITY | VARIANCE
MF3EA250A2SA | EA | FAILURE OF THE ANALOG INPUT BOARD (###EA####SA) | 2.510E-04 | 0.000E+00 | PMS | 0.000E+00 | 2.51E-04 | 0.00E+00
MF3EA250B1SA | EA | FAILURE OF THE ANALOG INPUT BOARD (###EA####SA) | 2.510E-04 | 0.000E+00 | PMS | 0.000E+00 | 2.51E-04 | 0.00E+00
MF3EA250B2SA | EA | FAILURE OF THE ANALOG INPUT BOARD (###EA####SA) | 2.510E-04 | 0.000E+00 | PMS | 0.000E+00 | 2.51E-04 | 0.00E+00
MF3EU250A1SA | EU | FAILURE OF THE ANALOG OUTPUT BOARD (###EU###SA) | 6.420E-05 | 0.000E+00 | PMS | 0.000E+00 | 6.42E-05 | 0.00E+00
MF3EU250A2SA | EU | FAILURE OF THE ANALOG OUTPUT BOARD (###EU###SA) | 6.420E-05 | 0.000E+00 | PMS | 0.000E+00 | 6.42E-05 | 0.00E+00
MF3EU250B1SA | EU | FAILURE OF THE ANALOG OUTPUT BOARD (###EU###SA) | 6.420E-05 | 0.000E+00 | PMS | 0.000E+00 | 6.42E-05 | 0.00E+00
MF3EU250B2SA | EU | FAILURE OF THE ANALOG OUTPUT BOARD (###EU###SA) | 6.420E-05 | 0.000E+00 | PMS | 0.000E+00 | 6.42E-05 | 0.00E+00
MSAEPSD1SA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
MSAEPSD2SA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
MSAEPSD3SA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
MSAEPSD4SA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
MSAEPSD5SA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
MSAEPSD6SA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00

Table 28-10 (Sheet 24 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM

FT IDENT | COMP | FAILURE MODE | FAIL RATE | VARIANCE | SOURCE | TIME | PROBABILITY | VARIANCE
MSAEPSD7SA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
MSAEPSD8SA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
PC1TP005UF | TP | FAILURE OF PRESSURE TRANSMITTER (###TP###UF) | 5.230E-03 | 0.000E+00 | PMS | 0.000E+00 | 5.23E-03 | 0.00E+00
PC2TP006UF | TP | FAILURE OF PRESSURE TRANSMITTER (###TP###UF) | 5.230E-03 | 0.000E+00 | PMS | 0.000E+00 | 5.23E-03 | 0.00E+00
PC3TP007UF | TP | FAILURE OF PRESSURE TRANSMITTER (###TP###UF) | 5.230E-03 | 0.000E+00 | PMS | 0.000E+00 | 5.23E-03 | 0.00E+00
PC4TP008UF | TP | FAILURE OF PRESSURE TRANSMITTER (###TP###UF) | 5.230E-03 | 0.000E+00 | PMS | 0.000E+00 | 5.23E-03 | 0.00E+00
PCAEP001ASA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
PCBEP001BSA | EP | FAILURE OF THE POWER INTERFACE BOARD (###EP####SA) | 1.710E-04 | 0.000E+00 | PMS | 0.000E+00 | 1.71E-04 | 0.00E+00
PCN-MAN01 | XX | PROBABILITY FOR SUB-BASIC EVENTS | 1.000E-01 | 0.000E+00 | SUB | 0.000E+00 | 1.00E-01 | 0.00E+00
PL10301ASA | 03 | LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA) | 1.160E-03 | 0.000E+00 | PMS | 0.000E+00 | 1.16E-03 | 0.00E+00
PL10301BSA | 03 | LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA) | 1.160E-03 | 0.000E+00 | PMS | 0.000E+00 | 1.16E-03 | 0.00E+00
PL10302ASA | 03 | LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA) | 1.160E-03 | 0.000E+00 | PMS | 0.000E+00 | 1.16E-03 | 0.00E+00
PL10302BSA | 03 | LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA) | 1.160E-03 | 0.000E+00 | PMS | 0.000E+00 | 1.16E-03 | 0.00E+00

Table 28-10 (Sheet 25 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM

FT IDENT | COMP | FAILURE MODE | FAIL RATE | VARIANCE | SOURCE | TIME | PROBABILITY | VARIANCE
PL1EH0A1SA | EH | FAILURE OF MUX TRANSMITTER FAILURE TO GROUP ## (P##EH0##SA) | 8.000E-05 | 0.000E+00 | PMS | 0.000E+00 | 8.00E-05 | 0.00E+00
PL1EH0A2SA | EH | FAILURE OF MUX TRANSMITTER FAILURE TO GROUP ## (P##EH0##SA) | 8.000E-05 | 0.000E+00 | PMS | 0.000E+00 | 8.00E-05 | 0.00E+00
PL1MOD11 | -- | FAILURE OF OUTPUT LOGIC GROUP # I/O (P##MOD1#) | 2.090E-03 | 0.000E+00 | PMS | 0.000E+00 | 2.09E-03 | 0.00E+00
PL1MOD12 | -- | FAILURE OF OUTPUT LOGIC GROUP # I/O (P##MOD1#) | 2.090E-03 | 0.000E+00 | PMS | 0.000E+00 | 2.09E-03 | 0.00E+00
PL1MOD51 | -- | FAILURE OF MODULATING LOGIC OR I/O GROUP # (PL#MOD5#) | 8.740E-04 | 0.000E+00 | PMS | 0.000E+00 | 8.74E-04 | 0.00E+00
PL1MOD52 | -- | FAILURE OF MODULATING LOGIC OR I/O GROUP # (PL#MOD5#) | 8.740E-04 | 0.000E+00 | PMS | 0.000E+00 | 8.74E-04 | 0.00E+00
PL1XS00ASA | XS | FAILURE OF OUTPUT LOGIC GROUP SELECTOR (P##XS00ASA) | 8.000E-05 | 0.000E+00 | PMS | 0.000E+00 | 8.00E-05 | 0.00E+00
PL20301ASA | 03 | LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA) | 1.160E-03 | 0.000E+00 | PMS | 0.000E+00 | 1.16E-03 | 0.00E+00
PL20301BSA | 03 | LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA) | 1.160E-03 | 0.000E+00 | PMS | 0.000E+00 | 1.16E-03 | 0.00E+00
PL20302ASA | 03 | LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA) | 1.160E-03 | 0.000E+00 | PMS | 0.000E+00 | 1.16E-03 | 0.00E+00
PL20302BSA | 03 | LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA) | 1.160E-03 | 0.000E+00 | PMS | 0.000E+00 | 1.16E-03 | 0.00E+00
PL2EH0A1SA | EH | FAILURE OF MUX TRANSMITTER FAILURE TO GROUP ## (P##EH0##SA) | 8.000E-05 | 0.000E+00 | PMS | 0.000E+00 | 8.00E-05 | 0.00E+00
PL2EH0A2SA | EH | FAILURE OF MUX TRANSMITTER FAILURE TO GROUP ## (P##EH0##SA) | 8.000E-05 | 0.000E+00 | PMS | 0.000E+00 | 8.00E-05 | 0.00E+00

Table 28-10 (Sheet 26 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM

FT IDENT | COMP | FAILURE MODE | FAIL RATE | VARIANCE | SOURCE | TIME | PROBABILITY | VARIANCE
PL2MOD11 | -- | FAILURE OF OUTPUT LOGIC GROUP # I/O (P##MOD1#) | 2.090E-03 | 0.000E+00 | PMS | 0.000E+00 | 2.09E-03 | 0.00E+00
PL2MOD12 | -- | FAILURE OF OUTPUT LOGIC GROUP # I/O (P##MOD1#) | 2.090E-03 | 0.000E+00 | PMS | 0.000E+00 | 2.09E-03 | 0.00E+00
PL2MOD51 | -- | FAILURE OF MODULATING LOGIC OR I/O GROUP # (PL#MOD5#) | 8.740E-04 | 0.000E+00 | PMS | 0.000E+00 | 8.74E-04 | 0.00E+00
PL2MOD52 | -- | FAILURE OF MODULATING LOGIC OR I/O GROUP # (PL#MOD5#) | 8.740E-04 | 0.000E+00 | PMS | 0.000E+00 | 8.74E-04 | 0.00E+00
PL2XS00ASA | XS | FAILURE OF OUTPUT LOGIC GROUP SELECTOR (P##XS00ASA) | 8.000E-05 | 0.000E+00 | PMS | 0.000E+00 | 8.00E-05 | 0.00E+00
PL30301ASA | 03 | LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA) | 1.160E-03 | 0.000E+00 | PMS | 0.000E+00 | 1.16E-03 | 0.00E+00
PL30301BSA | 03 | LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA) | 1.160E-03 | 0.000E+00 | PMS | 0.000E+00 | 1.16E-03 | 0.00E+00
PL30302ASA | 03 | LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA) | 1.160E-03 | 0.000E+00 | PMS | 0.000E+00 | 1.16E-03 | 0.00E+00
PL30302BSA | 03 | LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA) | 1.160E-03 | 0.000E+00 | PMS | 0.000E+00 | 1.16E-03 | 0.00E+00
PL3EH0A1SA | EH | FAILURE OF MUX TRANSMITTER FAILURE TO GROUP ## (P##EH0##SA) | 8.000E-05 | 0.000E+00 | PMS | 0.000E+00 | 8.00E-05 | 0.00E+00
PL3EH0A2SA | EH | FAILURE OF MUX TRANSMITTER FAILURE TO GROUP ## (P##EH0##SA) | 8.000E-05 | 0.000E+00 | PMS | 0.000E+00 | 8.00E-05 | 0.00E+00
PL3MOD11 | -- | FAILURE OF OUTPUT LOGIC GROUP # I/O (P##MOD1#) | 2.090E-03 | 0.000E+00 | PMS | 0.000E+00 | 2.09E-03 | 0.00E+00
PL3MOD12 | -- | FAILURE OF OUTPUT LOGIC GROUP # I/O (P##MOD1#) | 2.090E-03 | 0.000E+00 | PMS | 0.000E+00 | 2.09E-03 | 0.00E+00

Table 28-10 (Sheet 27 of 68)

FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM

| FT IDENT | COMP | FAILURE MODE | FAIL RATE | VARIANCE | SOURCE | TIME | PROBABILITY | VARIANCE |
|---|---|---|---|---|---|---|---|---|
| PL3MOD51 |  | FAILURE OF MODULATING LOGIC OR I/O GROUP # (PL#MOD5#) | 8.740E-04 | 0.000E+00 | PMS | 0.000E+00 | 8.74E-04 | 0.00E+00 |
| PL3MOD52 |  | FAILURE OF MODULATING LOGIC OR I/O GROUP # (PL#MOD5#) | 8.740E-04 | 0.000E+00 | PMS | 0.000E+00 | 8.74E-04 | 0.00E+00 |
| PL3XS00ASA | XS | FAILURE OF OUTPUT LOGIC GROUP SELECTOR (P##XS00ASA) | 8.000E-05 | 0.000E+00 | PMS | 0.000E+00 | 8.00E-05 | 0.00E+00 |
| PL40301ASA | 03 | LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA) | 1.160E-03 | 0.000E+00 | PMS | 0.000E+00 | 1.16E-03 | 0.00E+00 |
| PL40301BSA | 03 | LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA) | 1.160E-03 | 0.000E+00 | PMS | 0.000E+00 | 1.16E-03 | 0.00E+00 |
| PL40302ASA | 03 | LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA) | 1.160E-03 | 0.000E+00 | PMS | 0.000E+00 | 1.16E-03 | 0.00E+00 |
| PL40302BSA | 03 | LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA) | 1.160E-03 | 0.000E+00 | PMS | 0.000E+00 | 1.16E-03 | 0.00E+00 |
| PL4EH0A1SA | EH | FAILURE OF MUX TRANSMITTER FAILURE TO GROUP ## (P##EH0##SA) | 8.000E-05 | 0.000E+00 | PMS | 0.000E+00 | 8.00E-05 | 0.00E+00 |
| PL4EH0A2SA | EH | FAILURE OF MUX TRANSMITTER FAILURE TO GROUP ## (P##EH0##SA) | 8.000E-05 | 0.000E+00 | PMS | 0.000E+00 | 8.00E-05 | 0.00E+00 |
| PL4MOD11 |  | FAILURE OF OUTPUT LOGIC GROUP # I/O (P##MOD1#) | 2.090E-03 | 0.000E+00 | PMS | 0.000E+00 | 2.09E-03 | 0.00E+00 |
| PL4MOD12 |  | FAILURE OF OUTPUT LOGIC GROUP # I/O (P##MOD1#) | 2.090E-03 | 0.000E+00 | PMS | 0.000E+00 | 2.09E-03 | 0.00E+00 |
| PL4XS00ASA | XS | FAILURE OF OUTPUT LOGIC GROUP SELECTOR (P##XS00ASA) | 8.000E-05 | 0.000E+00 | PMS | 0.000E+00 | 8.00E-05 | 0.00E+00 |
| PL50301ASA | 03 | LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA) | 1.160E-03 | 0.000E+00 | PMS | 0.000E+00 | 1.16E-03 | 0.00E+00 |

Table 28-10 (Sheet 28 of 68)

FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM

| FT IDENT | COMP | FAILURE MODE | FAIL RATE | VARIANCE | SOURCE | TIME | PROBABILITY | VARIANCE |
|---|---|---|---|---|---|---|---|---|
| PL50301BSA | 03 | LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA) | 1.160E-03 | 0.000E+00 | PMS | 0.000E+00 | 1.16E-03 | 0.00E+00 |
| PL50302ASA | 03 | LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA) | 1.160E-03 | 0.000E+00 | PMS | 0.000E+00 | 1.16E-03 | 0.00E+00 |
| PL50302BSA | 03 | LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA) | 1.160E-03 | 0.000E+00 | PMS | 0.000E+00 | 1.16E-03 | 0.00E+00 |
| PL5EH0A1SA | EH | FAILURE OF MUX TRANSMITTER FAILURE TO GROUP ## (P##EH0##SA) | 8.000E-05 | 0.000E+00 | PMS | 0.000E+00 | 8.00E-05 | 0.00E+00 |
| PL5EH0A2SA | EH | FAILURE OF MUX TRANSMITTER FAILURE TO GROUP ## (P##EH0##SA) | 8.000E-05 | 0.000E+00 | PMS | 0.000E+00 | 8.00E-05 | 0.00E+00 |
| PL5MOD11 |  | FAILURE OF OUTPUT LOGIC GROUP # I/O (P##MOD1#) | 2.090E-03 | 0.000E+00 | PMS | 0.000E+00 | 2.09E-03 | 0.00E+00 |
| PL5MOD12 |  | FAILURE OF OUTPUT LOGIC GROUP # I/O (P##MOD1#) | 2.090E-03 | 0.000E+00 | PMS | 0.000E+00 | 2.09E-03 | 0.00E+00 |
| PL5XS00ASA | XS | FAILURE OF OUTPUT LOGIC GROUP SELECTOR (P##XS00ASA) | 8.000E-05 | 0.000E+00 | PMS | 0.000E+00 | 8.00E-05 | 0.00E+00 |
| PL60301ASA | 03 | LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA) | 1.160E-03 | 0.000E+00 | PMS | 0.000E+00 | 1.16E-03 | 0.00E+00 |
| PL60301BSA | 03 | LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA) | 1.160E-03 | 0.000E+00 | PMS | 0.000E+00 | 1.16E-03 | 0.00E+00 |
| PL60302ASA | 03 | LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA) | 1.160E-03 | 0.000E+00 | PMS | 0.000E+00 | 1.16E-03 | 0.00E+00 |
| PL60302BSA | 03 | LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA) | 1.160E-03 | 0.000E+00 | PMS | 0.000E+00 | 1.16E-03 | 0.00E+00 |
| PL6EH0A1SA | EH | FAILURE OF MUX TRANSMITTER FAILURE TO GROUP ## (P##EH0##SA) | 8.000E-05 | 0.000E+00 | PMS | 0.000E+00 | 8.00E-05 | 0.00E+00 |

Table 28-10 (Sheet 29 of 68)

FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM

| FT IDENT | COMP | FAILURE MODE | FAIL RATE | VARIANCE | SOURCE | TIME | PROBABILITY | VARIANCE |
|---|---|---|---|---|---|---|---|---|
| PL6EH0A2SA | EH | FAILURE OF MUX TRANSMITTER FAILURE TO GROUP ## (P##EH0##SA) | 8.000E-05 | 0.000E+00 | PMS | 0.000E+00 | 8.00E-05 | 0.00E+00 |
| PL6MOD11 |  | FAILURE OF OUTPUT LOGIC GROUP # I/O (P##MOD1#) | 2.090E-03 | 0.000E+00 | PMS | 0.000E+00 | 2.09E-03 | 0.00E+00 |
| PL6MOD12 |  | FAILURE OF OUTPUT LOGIC GROUP # I/O (P##MOD1#) | 2.090E-03 | 0.000E+00 | PMS | 0.000E+00 | 2.09E-03 | 0.00E+00 |
| PL6XS00ASA | XS | FAILURE OF OUTPUT LOGIC GROUP SELECTOR (P##XS00ASA) | 8.000E-05 | 0.000E+00 | PMS | 0.000E+00 | 8.00E-05 | 0.00E+00 |
| PL70301ASA | 03 | LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA) | 1.160E-03 | 0.000E+00 | PMS | 0.000E+00 | 1.16E-03 | 0.00E+00 |
| PL70301BSA | 03 | LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA) | 1.160E-03 | 0.000E+00 | PMS | 0.000E+00 | 1.16E-03 | 0.00E+00 |
| PL70302ASA | 03 | LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA) | 1.160E-03 | 0.000E+00 | PMS | 0.000E+00 | 1.16E-03 | 0.00E+00 |
| PL70302BSA | 03 | LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA) | 1.160E-03 | 0.000E+00 | PMS | 0.000E+00 | 1.16E-03 | 0.00E+00 |
| PL7EH0A1SA | EH | FAILURE OF MUX TRANSMITTER FAILURE TO GROUP ## (P##EH0##SA) | 8.000E-05 | 0.000E+00 | PMS | 0.000E+00 | 8.00E-05 | 0.00E+00 |
| PL7EH0A2SA | EH | FAILURE OF MUX TRANSMITTER FAILURE TO GROUP ## (P##EH0##SA) | 8.000E-05 | 0.000E+00 | PMS | 0.000E+00 | 8.00E-05 | 0.00E+00 |
| PL7MOD11 |  | FAILURE OF OUTPUT LOGIC GROUP # I/O (P##MOD1#) | 2.090E-03 | 0.000E+00 | PMS | 0.000E+00 | 2.09E-03 | 0.00E+00 |
| PL7MOD12 |  | FAILURE OF OUTPUT LOGIC GROUP # I/O (P##MOD1#) | 2.090E-03 | 0.000E+00 | PMS | 0.000E+00 | 2.09E-03 | 0.00E+00 |
| PL7XS00ASA | XS | FAILURE OF OUTPUT LOGIC GROUP SELECTOR (P##XS00ASA) | 8.000E-05 | 0.000E+00 | PMS | 0.000E+00 | 8.00E-05 | 0.00E+00 |

Table 28-10 (Sheet 30 of 68)

FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM

| FT IDENT | COMP | FAILURE MODE | FAIL RATE | VARIANCE | SOURCE | TIME | PROBABILITY | VARIANCE |
|---|---|---|---|---|---|---|---|---|
| PL80301ASA | 03 | LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA) | 1.160E-03 | 0.000E+00 | PMS | 0.000E+00 | 1.16E-03 | 0.00E+00 |
| PL80301BSA | 03 | LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA) | 1.160E-03 | 0.000E+00 | PMS | 0.000E+00 | 1.16E-03 | 0.00E+00 |
| PL80302ASA | 03 | LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA) | 1.160E-03 | 0.000E+00 | PMS | 0.000E+00 | 1.16E-03 | 0.00E+00 |
| PL80302BSA | 03 | LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA) | 1.160E-03 | 0.000E+00 | PMS | 0.000E+00 | 1.16E-03 | 0.00E+00 |
| PL8EH0A1SA | EH | FAILURE OF MUX TRANSMITTER FAILURE TO GROUP ## (P##EH0##SA) | 8.000E-05 | 0.000E+00 | PMS | 0.000E+00 | 8.00E-05 | 0.00E+00 |
| PL8EH0A2SA | EH | FAILURE OF MUX TRANSMITTER FAILURE TO GROUP ## (P##EH0##SA) | 8.000E-05 | 0.000E+00 | PMS | 0.000E+00 | 8.00E-05 | 0.00E+00 |
| PL8MOD11 |  | FAILURE OF OUTPUT LOGIC GROUP # I/O (P##MOD1#) | 2.090E-03 | 0.000E+00 | PMS | 0.000E+00 | 2.09E-03 | 0.00E+00 |
| PL8MOD12 |  | FAILURE OF OUTPUT LOGIC GROUP # I/O (P##MOD1#) | 2.090E-03 | 0.000E+00 | PMS | 0.000E+00 | 2.09E-03 | 0.00E+00 |
| PL8XS00ASA | XS | FAILURE OF OUTPUT LOGIC GROUP SELECTOR (P##XS00ASA) | 8.000E-05 | 0.000E+00 | PMS | 0.000E+00 | 8.00E-05 | 0.00E+00 |
| PL90301ASA | 03 | LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA) | 1.160E-03 | 0.000E+00 | PMS | 0.000E+00 | 1.16E-03 | 0.00E+00 |
| PL90301BSA | 03 | LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA) | 1.160E-03 | 0.000E+00 | PMS | 0.000E+00 | 1.16E-03 | 0.00E+00 |
| PL90302ASA | 03 | LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA) | 1.160E-03 | 0.000E+00 | PMS | 0.000E+00 | 1.16E-03 | 0.00E+00 |
| PL90302BSA | 03 | LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA) | 1.160E-03 | 0.000E+00 | PMS | 0.000E+00 | 1.16E-03 | 0.00E+00 |

Table 28-10 (Sheet 31 of 68)

FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM

| FT IDENT | COMP | FAILURE MODE | FAIL RATE | VARIANCE | SOURCE | TIME | PROBABILITY | VARIANCE |
|---|---|---|---|---|---|---|---|---|
| PL9EH0A1SA | EH | FAILURE OF MUX TRANSMITTER FAILURE TO GROUP ## (P##EH0##SA) | 8.000E-05 | 0.000E+00 | PMS | 0.000E+00 | 8.00E-05 | 0.00E+00 |
| PL9EH0A2SA | EH | FAILURE OF MUX TRANSMITTER FAILURE TO GROUP ## (P##EH0##SA) | 8.000E-05 | 0.000E+00 | PMS | 0.000E+00 | 8.00E-05 | 0.00E+00 |
| PL9MOD11 |  | FAILURE OF OUTPUT LOGIC GROUP # I/O (P##MOD1#) | 2.090E-03 | 0.000E+00 | PMS | 0.000E+00 | 2.09E-03 | 0.00E+00 |
| PL9MOD12 |  | FAILURE OF OUTPUT LOGIC GROUP # I/O (P##MOD1#) | 2.090E-03 | 0.000E+00 | PMS | 0.000E+00 | 2.09E-03 | 0.00E+00 |
| PL9XS00ASA | XS | FAILURE OF OUTPUT LOGIC GROUP SELECTOR (P##XS00ASA) | 8.000E-05 | 0.000E+00 | PMS | 0.000E+00 | 8.00E-05 | 0.00E+00 |
| PLA0301ASA | 03 | LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA) | 1.160E-03 | 0.000E+00 | PMS | 0.000E+00 | 1.16E-03 | 0.00E+00 |
| PLA0301BSA | 03 | LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA) | 1.160E-03 | 0.000E+00 | PMS | 0.000E+00 | 1.16E-03 | 0.00E+00 |
| PLA0302ASA | 03 | LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA) | 1.160E-03 | 0.000E+00 | PMS | 0.000E+00 | 1.16E-03 | 0.00E+00 |
| PLA0302BSA | 03 | LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA) | 1.160E-03 | 0.000E+00 | PMS | 0.000E+00 | 1.16E-03 | 0.00E+00 |
| PLAEH0A1SA | EH | FAILURE OF MUX TRANSMITTER FAILURE TO GROUP ## (P##EH0##SA) | 8.000E-05 | 0.000E+00 | PMS | 0.000E+00 | 8.00E-05 | 0.00E+00 |
| PLAEH0A2SA | EH | FAILURE OF MUX TRANSMITTER FAILURE TO GROUP ## (P##EH0##SA) | 8.000E-05 | 0.000E+00 | PMS | 0.000E+00 | 8.00E-05 | 0.00E+00 |
| PLAMOD11 |  | FAILURE OF OUTPUT LOGIC GROUP # I/O (P##MOD1#) | 2.090E-03 | 0.000E+00 | PMS | 0.000E+00 | 2.09E-03 | 0.00E+00 |
| PLAMOD12 |  | FAILURE OF OUTPUT LOGIC GROUP # I/O (P##MOD1#) | 2.090E-03 | 0.000E+00 | PMS | 0.000E+00 | 2.09E-03 | 0.00E+00 |

Table 28-10 (Sheet 32 of 68)

FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM

| FT IDENT | COMP | FAILURE MODE | FAIL RATE | VARIANCE | SOURCE | TIME | PROBABILITY | VARIANCE |
|---|---|---|---|---|---|---|---|---|
| PLAMOD31 |  | FAILURE OF INPUT GROUP # (P##MOD3#) | 5.020E-03 | 0.000E+00 | PMS | 0.000E+00 | 5.02E-03 | 0.00E+00 |
| PLAXS00ASA | XS | FAILURE OF OUTPUT LOGIC GROUP SELECTOR (P##XS00ASA) | 8.000E-05 | 0.000E+00 | PMS | 0.000E+00 | 8.00E-05 | 0.00E+00 |
| PLB0301ASA | 03 | LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA) | 1.160E-03 | 0.000E+00 | PMS | 0.000E+00 | 1.16E-03 | 0.00E+00 |
| PLB0301BSA | 03 | LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA) | 1.160E-03 | 0.000E+00 | PMS | 0.000E+00 | 1.16E-03 | 0.00E+00 |
| PLB0302ASA | 03 | LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA) | 1.160E-03 | 0.000E+00 | PMS | 0.000E+00 | 1.16E-03 | 0.00E+00 |
| PLB0302BSA | 03 | LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA) | 1.160E-03 | 0.000E+00 | PMS | 0.000E+00 | 1.16E-03 | 0.00E+00 |
| PLBEH0A1SA | EH | FAILURE OF MUX TRANSMITTER FAILURE TO GROUP ## (P##EH0##SA) | 8.000E-05 | 0.000E+00 | PMS | 0.000E+00 | 8.00E-05 | 0.00E+00 |
| PLBEH0A2SA | EH | FAILURE OF MUX TRANSMITTER FAILURE TO GROUP ## (P##EH0##SA) | 8.000E-05 | 0.000E+00 | PMS | 0.000E+00 | 8.00E-05 | 0.00E+00 |
| PLBMOD11 |  | FAILURE OF OUTPUT LOGIC GROUP # I/O (P##MOD1#) | 2.090E-03 | 0.000E+00 | PMS | 0.000E+00 | 2.09E-03 | 0.00E+00 |
| PLBMOD12 |  | FAILURE OF OUTPUT LOGIC GROUP # I/O (P##MOD1#) | 2.090E-03 | 0.000E+00 | PMS | 0.000E+00 | 2.09E-03 | 0.00E+00 |
| PLBMOD32 |  | FAILURE OF INPUT GROUP # (P##MOD3#) | 5.020E-03 | 0.000E+00 | PMS | 0.000E+00 | 5.02E-03 | 0.00E+00 |
| PLBXS00ASA | XS | FAILURE OF OUTPUT LOGIC GROUP SELECTOR (P##XS00ASA) | 8.000E-05 | 0.000E+00 | PMS | 0.000E+00 | 8.00E-05 | 0.00E+00 |
| PLC0301ASA | 03 | LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA) | 1.160E-03 | 0.000E+00 | PMS | 0.000E+00 | 1.16E-03 | 0.00E+00 |

Table 28-10 (Sheet 33 of 68)

FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM

| FT IDENT | COMP | FAILURE MODE | FAIL RATE | VARIANCE | SOURCE | TIME | PROBABILITY | VARIANCE |
|---|---|---|---|---|---|---|---|---|
| PLC0301BSA | 03 | LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA) | 1.160E-03 | 0.000E+00 | PMS | 0.000E+00 | 1.16E-03 | 0.00E+00 |
| PLC0302ASA | 03 | LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA) | 1.160E-03 | 0.000E+00 | PMS | 0.000E+00 | 1.16E-03 | 0.00E+00 |
| PLC0302BSA | 03 | LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA) | 1.160E-03 | 0.000E+00 | PMS | 0.000E+00 | 1.16E-03 | 0.00E+00 |
| PLCEH0A1SA | EH | FAILURE OF MUX TRANSMITTER FAILURE TO GROUP ## (P##EH0##SA) | 8.000E-05 | 0.000E+00 | PMS | 0.000E+00 | 8.00E-05 | 0.00E+00 |
| PLCEH0A2SA | EH | FAILURE OF MUX TRANSMITTER FAILURE TO GROUP ## (P##EH0##SA) | 8.000E-05 | 0.000E+00 | PMS | 0.000E+00 | 8.00E-05 | 0.00E+00 |
| PLCMOD11 |  | FAILURE OF OUTPUT LOGIC GROUP # I/O (P##MOD1#) | 2.090E-03 | 0.000E+00 | PMS | 0.000E+00 | 2.09E-03 | 0.00E+00 |
| PLCMOD12 |  | FAILURE OF OUTPUT LOGIC GROUP # I/O (P##MOD1#) | 2.090E-03 | 0.000E+00 | PMS | 0.000E+00 | 2.09E-03 | 0.00E+00 |
| PLCMOD33 |  | FAILURE OF INPUT GROUP # (P##MOD3#) | 5.020E-03 | 0.000E+00 | PMS | 0.000E+00 | 5.02E-03 | 0.00E+00 |
| PLCXS00ASA | XS | FAILURE OF OUTPUT LOGIC GROUP SELECTOR (P##XS00ASA) | 8.000E-05 | 0.000E+00 | PMS | 0.000E+00 | 8.00E-05 | 0.00E+00 |
| PLD0301ASA | 03 | LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA) | 1.160E-03 | 0.000E+00 | PMS | 0.000E+00 | 1.16E-03 | 0.00E+00 |
| PLD0301BSA | 03 | LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA) | 1.160E-03 | 0.000E+00 | PMS | 0.000E+00 | 1.16E-03 | 0.00E+00 |
| PLD0302ASA | 03 | LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA) | 1.160E-03 | 0.000E+00 | PMS | 0.000E+00 | 1.16E-03 | 0.00E+00 |
| PLD0302BSA | 03 | LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA) | 1.160E-03 | 0.000E+00 | PMS | 0.000E+00 | 1.16E-03 | 0.00E+00 |

Table 28-10 (Sheet 34 of 68)

FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM

| FT IDENT | COMP | FAILURE MODE | FAIL RATE | VARIANCE | SOURCE | TIME | PROBABILITY | VARIANCE |
|---|---|---|---|---|---|---|---|---|
| PLDEH0A1SA | EH | FAILURE OF MUX TRANSMITTER FAILURE TO GROUP ## (P##EH0##SA) | 8.000E-05 | 0.000E+00 | PMS | 0.000E+00 | 8.00E-05 | 0.00E+00 |
| PLDEH0A2SA | EH | FAILURE OF MUX TRANSMITTER FAILURE TO GROUP ## (P##EH0##SA) | 8.000E-05 | 0.000E+00 | PMS | 0.000E+00 | 8.00E-05 | 0.00E+00 |
| PLDMOD11 |  | FAILURE OF OUTPUT LOGIC GROUP # I/O (P##MOD1#) | 2.090E-03 | 0.000E+00 | PMS | 0.000E+00 | 2.09E-03 | 0.00E+00 |
| PLDMOD12 |  | FAILURE OF OUTPUT LOGIC GROUP # I/O (P##MOD1#) | 2.090E-03 | 0.000E+00 | PMS | 0.000E+00 | 2.09E-03 | 0.00E+00 |
| PLDMOD34 |  | FAILURE OF INPUT GROUP # (P##MOD3#) | 5.020E-03 | 0.000E+00 | PMS | 0.000E+00 | 5.02E-03 | 0.00E+00 |
| PLDXS00ASA | XS | FAILURE OF OUTPUT LOGIC GROUP SELECTOR (P##XS00ASA) | 8.000E-05 | 0.000E+00 | PMS | 0.000E+00 | 8.00E-05 | 0.00E+00 |
| PLMMOD41 |  | FAILURE OF MUX LOGIC GROUP # (P##MOD4#) | 6.350E-04 | 0.000E+00 | PMS | 0.000E+00 | 6.35E-04 | 0.00E+00 |
| PLMMOD42 |  | FAILURE OF MUX LOGIC GROUP # (P##MOD4#) | 6.350E-04 | 0.000E+00 | PMS | 0.000E+00 | 6.35E-04 | 0.00E+00 |
| PLSMOD61 |  | FAILURE OF SIGNAL SELECTOR LOGIC GROUP # (PLSMOD6#) | 3.460E-03 | 0.000E+00 | PMS | 0.000E+00 | 3.46E-03 | 0.00E+00 |
| PLSMOD62 |  | FAILURE OF SIGNAL SELECTOR LOGIC GROUP # (PLSMOD6#) | 3.460E-03 | 0.000E+00 | PMS | 0.000E+00 | 3.46E-03 | 0.00E+00 |
| PMA0301ABA | 03 | LOGIC GROUP PROCESSING SPURIOUS FAILURE (###030##BA) | 8.010E-06 | 0.000E+00 | PMS | 0.000E+00 | 8.01E-06 | 0.00E+00 |
| PMA0301ASA | 03 | LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA) | 1.160E-03 | 0.000E+00 | PMS | 0.000E+00 | 1.16E-03 | 0.00E+00 |
| PMA0301BBA | 03 | LOGIC GROUP PROCESSING SPURIOUS FAILURE (###030##BA) | 8.010E-06 | 0.000E+00 | PMS | 0.000E+00 | 8.01E-06 | 0.00E+00 |

Table 28-10 (Sheet 35 of 68)

FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM

| FT IDENT | COMP | FAILURE MODE | FAIL RATE | VARIANCE | SOURCE | TIME | PROBABILITY | VARIANCE |
|---|---|---|---|---|---|---|---|---|
| PMA0301BSA | 03 | LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA) | 1.160E-03 | 0.000E+00 | PMS | 0.000E+00 | 1.16E-03 | 0.00E+00 |
| PMA0302ABA | 03 | LOGIC GROUP PROCESSING SPURIOUS FAILURE (###030##BA) | 8.010E-06 | 0.000E+00 | PMS | 0.000E+00 | 8.01E-06 | 0.00E+00 |
| PMA0302ASA | 03 | LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA) | 1.160E-03 | 0.000E+00 | PMS | 0.000E+00 | 1.16E-03 | 0.00E+00 |
| PMA0302BBA | 03 | LOGIC GROUP PROCESSING SPURIOUS FAILURE (###030##BA) | 8.010E-06 | 0.000E+00 | PMS | 0.000E+00 | 8.01E-06 | 0.00E+00 |
| PMA0302BSA | 03 | LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA) | 1.160E-03 | 0.000E+00 | PMS | 0.000E+00 | 1.16E-03 | 0.00E+00 |
| PMAEH0A1SA | EH | FAILURE OF MUX TRANSMITTER FAILURE TO GROUP ## (P##EH0##SA) | 8.000E-05 | 0.000E+00 | PMS | 0.000E+00 | 8.00E-05 | 0.00E+00 |
| PMAEH0A2SA | EH | FAILURE OF MUX TRANSMITTER FAILURE TO GROUP ## (P##EH0##SA) | 8.000E-05 | 0.000E+00 | PMS | 0.000E+00 | 8.00E-05 | 0.00E+00 |
| PMAMOD11 |  | FAILURE OF OUTPUT LOGIC GROUP # I/O (P##MOD1#) | 2.090E-03 | 0.000E+00 | PMS | 0.000E+00 | 2.09E-03 | 0.00E+00 |
| PMAMOD12 |  | FAILURE OF OUTPUT LOGIC GROUP # I/O (P##MOD1#) | 2.090E-03 | 0.000E+00 | PMS | 0.000E+00 | 2.09E-03 | 0.00E+00 |
| PMAMOD21 |  | FAILURE OF ACTUATION LOGIC GROUP # (PM#MOD2#) | 4.070E-03 | 0.000E+00 | PMS | 0.000E+00 | 4.07E-03 | 0.00E+00 |
| PMAMOD22 |  | FAILURE OF ACTUATION LOGIC GROUP # (PM#MOD2#) | 4.070E-03 | 0.000E+00 | PMS | 0.000E+00 | 4.07E-03 | 0.00E+00 |
| PMAMOD31 |  | FAILURE OF INPUT GROUP # (P##MOD3#) | 5.020E-03 | 0.000E+00 | PMS | 0.000E+00 | 5.02E-03 | 0.00E+00 |
| PMAMOD41 |  | FAILURE OF MUX LOGIC GROUP # (P##MOD4#) | 6.350E-04 | 0.000E+00 | PMS | 0.000E+00 | 6.35E-04 | 0.00E+00 |

Table 28-10 (Sheet 36 of 68)

FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM

| FT IDENT | COMP | FAILURE MODE | FAIL RATE | VARIANCE | SOURCE | TIME | PROBABILITY | VARIANCE |
|---|---|---|---|---|---|---|---|---|
| PMAMOD42 |  | FAILURE OF MUX LOGIC GROUP # (P##MOD4#) | 6.350E-04 | 0.000E+00 | PMS | 0.000E+00 | 6.35E-04 | 0.00E+00 |
| PMAMSD11 |  | SPURIOUS FAILURE OF OUTPUT LOGIC GROUP # I/O (PM#MSD1#) | 8.400E-06 | 0.000E+00 | PMS | 0.000E+00 | 8.40E-06 | 0.00E+00 |
| PMAMSD12 |  | SPURIOUS FAILURE OF OUTPUT LOGIC GROUP # I/O (PM#MSD1#) | 8.400E-06 | 0.000E+00 | PMS | 0.000E+00 | 8.40E-06 | 0.00E+00 |
| PMAMSD21 |  | SPURIOUS FAILURE OF ACTUATION LOGIC GROUP # (PM#MSD2#) | 2.040E-05 | 0.000E+00 | PMS | 0.000E+00 | 2.04E-05 | 0.00E+00 |
| PMAMSD22 |  | SPURIOUS FAILURE OF ACTUATION LOGIC GROUP # (PM#MSD2#) | 2.040E-05 | 0.000E+00 | PMS | 0.000E+00 | 2.04E-05 | 0.00E+00 |
| PMAMSD31 |  | SPURIOUS FAILURE OF INPUT GROUP # (PM#MSD3#) | 2.740E-05 | 0.000E+00 | PMS | 0.000E+00 | 2.74E-05 | 0.00E+00 |
| PMAXS00ABA | XS | SPURIOUS FAILURE OF OUTPUT LOGIC GROUP SELECTOR (P##XS00ABA) | 1.000E-10 | 0.000E+00 | PMS | 0.000E+00 | 1.00E-10 | 0.00E+00 |
| PMAXS00ASA | XS | FAILURE OF OUTPUT LOGIC GROUP SELECTOR (P##XS00ASA) | 8.000E-05 | 0.000E+00 | PMS | 0.000E+00 | 8.00E-05 | 0.00E+00 |
| PMB0301ABA | 03 | LOGIC GROUP PROCESSING SPURIOUS FAILURE (###030##BA) | 8.010E-06 | 0.000E+00 | PMS | 0.000E+00 | 8.01E-06 | 0.00E+00 |
| PMB0301ASA | 03 | LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA) | 1.160E-03 | 0.000E+00 | PMS | 0.000E+00 | 1.16E-03 | 0.00E+00 |
| PMB0301BBA | 03 | LOGIC GROUP PROCESSING SPURIOUS FAILURE (###030##BA) | 8.010E-06 | 0.000E+00 | PMS | 0.000E+00 | 8.01E-06 | 0.00E+00 |
| PMB0301BSA | 03 | LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA) | 1.160E-03 | 0.000E+00 | PMS | 0.000E+00 | 1.16E-03 | 0.00E+00 |
| PMB0302ABA | 03 | LOGIC GROUP PROCESSING SPURIOUS FAILURE (###030##BA) | 8.010E-06 | 0.000E+00 | PMS | 0.000E+00 | 8.01E-06 | 0.00E+00 |

Table 28-10 (Sheet 37 of 68)

FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM

| FT IDENT | COMP | FAILURE MODE | FAIL RATE | VARIANCE | SOURCE | TIME | PROBABILITY | VARIANCE |
|---|---|---|---|---|---|---|---|---|
| PMB0302ASA | 03 | LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA) | 1.160E-03 | 0.000E+00 | PMS | 0.000E+00 | 1.16E-03 | 0.00E+00 |
| PMB0302BBA | 03 | LOGIC GROUP PROCESSING SPURIOUS FAILURE (###030##BA) | 8.010E-06 | 0.000E+00 | PMS | 0.000E+00 | 8.01E-06 | 0.00E+00 |
| PMB0302BSA | 03 | LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA) | 1.160E-03 | 0.000E+00 | PMS | 0.000E+00 | 1.16E-03 | 0.00E+00 |
| PMBEH0A1SA | EH | FAILURE OF MUX TRANSMITTER FAILURE TO GROUP ## (P##EH0##SA) | 8.000E-05 | 0.000E+00 | PMS | 0.000E+00 | 8.00E-05 | 0.00E+00 |
| PMBEH0A2SA | EH | FAILURE OF MUX TRANSMITTER FAILURE TO GROUP ## (P##EH0##SA) | 8.000E-05 | 0.000E+00 | PMS | 0.000E+00 | 8.00E-05 | 0.00E+00 |
| PMBMOD11 |  | FAILURE OF OUTPUT LOGIC GROUP # I/O (P##MOD1#) | 2.090E-03 | 0.000E+00 | PMS | 0.000E+00 | 2.09E-03 | 0.00E+00 |
| PMBMOD12 |  | FAILURE OF OUTPUT LOGIC GROUP # I/O (P##MOD1#) | 2.090E-03 | 0.000E+00 | PMS | 0.000E+00 | 2.09E-03 | 0.00E+00 |
| PMBMOD21 |  | FAILURE OF ACTUATION LOGIC GROUP # (PM#MOD2#) | 4.070E-03 | 0.000E+00 | PMS | 0.000E+00 | 4.07E-03 | 0.00E+00 |
| PMBMOD22 |  | FAILURE OF ACTUATION LOGIC GROUP # (PM#MOD2#) | 4.070E-03 | 0.000E+00 | PMS | 0.000E+00 | 4.07E-03 | 0.00E+00 |
| PMBMOD32 |  | FAILURE OF INPUT GROUP # (P##MOD3#) | 5.020E-03 | 0.000E+00 | PMS | 0.000E+00 | 5.02E-03 | 0.00E+00 |
| PMBMOD41 |  | FAILURE OF MUX LOGIC GROUP # (P##MOD4#) | 6.350E-04 | 0.000E+00 | PMS | 0.000E+00 | 6.35E-04 | 0.00E+00 |
| PMBMOD42 |  | FAILURE OF MUX LOGIC GROUP # (P##MOD4#) | 6.350E-04 | 0.000E+00 | PMS | 0.000E+00 | 6.35E-04 | 0.00E+00 |
| PMBMSD11 |  | SPURIOUS FAILURE OF OUTPUT LOGIC GROUP # I/O (PM#MSD1#) | 8.400E-06 | 0.000E+00 | PMS | 0.000E+00 | 8.40E-06 | 0.00E+00 |

Table 28-10 (Sheet 38 of 68)

FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM

| FT IDENT | COMP | FAILURE MODE | FAIL RATE | VARIANCE | SOURCE | TIME | PROBABILITY | VARIANCE |
|---|---|---|---|---|---|---|---|---|
| PMBMSD12 |  | SPURIOUS FAILURE OF OUTPUT LOGIC GROUP # I/O (PM#MSD1#) | 8.400E-06 | 0.000E+00 | PMS | 0.000E+00 | 8.40E-06 | 0.00E+00 |
| PMBMSD21 |  | SPURIOUS FAILURE OF ACTUATION LOGIC GROUP # (PM#MSD2#) | 2.040E-05 | 0.000E+00 | PMS | 0.000E+00 | 2.04E-05 | 0.00E+00 |
| PMBMSD22 |  | SPURIOUS FAILURE OF ACTUATION LOGIC GROUP # (PM#MSD2#) | 2.040E-05 | 0.000E+00 | PMS | 0.000E+00 | 2.04E-05 | 0.00E+00 |
| PMBMSD32 |  | SPURIOUS FAILURE OF INPUT GROUP # (PM#MSD3#) | 2.740E-05 | 0.000E+00 | PMS | 0.000E+00 | 2.74E-05 | 0.00E+00 |
| PMBXS00ABA | XS | SPURIOUS FAILURE OF OUTPUT LOGIC GROUP SELECTOR (P##XS00ABA) | 1.000E-10 | 0.000E+00 | PMS | 0.000E+00 | 1.00E-10 | 0.00E+00 |
| PMBXS00ASA | XS | FAILURE OF OUTPUT LOGIC GROUP SELECTOR (P##XS00ASA) | 8.000E-05 | 0.000E+00 | PMS | 0.000E+00 | 8.00E-05 | 0.00E+00 |
| PMC0301ABA | 03 | LOGIC GROUP PROCESSING SPURIOUS FAILURE (###030##BA) | 8.010E-06 | 0.000E+00 | PMS | 0.000E+00 | 8.01E-06 | 0.00E+00 |
| PMC0301ASA | 03 | LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA) | 1.160E-03 | 0.000E+00 | PMS | 0.000E+00 | 1.16E-03 | 0.00E+00 |
| PMC0301BBA | 03 | LOGIC GROUP PROCESSING SPURIOUS FAILURE (###030##BA) | 8.010E-06 | 0.000E+00 | PMS | 0.000E+00 | 8.01E-06 | 0.00E+00 |
| PMC0301BSA | 03 | LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA) | 1.160E-03 | 0.000E+00 | PMS | 0.000E+00 | 1.16E-03 | 0.00E+00 |
| PMC0302ABA | 03 | LOGIC GROUP PROCESSING SPURIOUS FAILURE (###030##BA) | 8.010E-06 | 0.000E+00 | PMS | 0.000E+00 | 8.01E-06 | 0.00E+00 |
| PMC0302ASA | 03 | LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA) | 1.160E-03 | 0.000E+00 | PMS | 0.000E+00 | 1.16E-03 | 0.00E+00 |
| PMC0302BBA | 03 | LOGIC GROUP PROCESSING SPURIOUS FAILURE (###030##BA) | 8.010E-06 | 0.000E+00 | PMS | 0.000E+00 | 8.01E-06 | 0.00E+00 |

Table 28-10 (Sheet 39 of 68)

FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM

| FT IDENT | COMP | FAILURE MODE | FAIL RATE | VARIANCE | SOURCE | TIME | PROBABILITY | VARIANCE |
|---|---|---|---|---|---|---|---|---|
| PMC0302BSA | 03 | LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA) | 1.160E-03 | 0.000E+00 | PMS | 0.000E+00 | 1.16E-03 | 0.00E+00 |
| PMCEH0A1SA | EH | FAILURE OF MUX TRANSMITTER FAILURE TO GROUP ## (P##EH0##SA) | 8.000E-05 | 0.000E+00 | PMS | 0.000E+00 | 8.00E-05 | 0.00E+00 |
| PMCEH0A2SA | EH | FAILURE OF MUX TRANSMITTER FAILURE TO GROUP ## (P##EH0##SA) | 8.000E-05 | 0.000E+00 | PMS | 0.000E+00 | 8.00E-05 | 0.00E+00 |
| PMCMOD11 |  | FAILURE OF OUTPUT LOGIC GROUP # I/O (P##MOD1#) | 2.090E-03 | 0.000E+00 | PMS | 0.000E+00 | 2.09E-03 | 0.00E+00 |
| PMCMOD12 |  | FAILURE OF OUTPUT LOGIC GROUP # I/O (P##MOD1#) | 2.090E-03 | 0.000E+00 | PMS | 0.000E+00 | 2.09E-03 | 0.00E+00 |
| PMCMOD21 |  | FAILURE OF ACTUATION LOGIC GROUP # (PM#MOD2#) | 4.070E-03 | 0.000E+00 | PMS | 0.000E+00 | 4.07E-03 | 0.00E+00 |
| PMCMOD22 |  | FAILURE OF ACTUATION LOGIC GROUP # (PM#MOD2#) | 4.070E-03 | 0.000E+00 | PMS | 0.000E+00 | 4.07E-03 | 0.00E+00 |
| PMCMOD33 |  | FAILURE OF INPUT GROUP # (P##MOD3#) | 5.020E-03 | 0.000E+00 | PMS | 0.000E+00 | 5.02E-03 | 0.00E+00 |
| PMCMOD41 |  | FAILURE OF MUX LOGIC GROUP # (P##MOD4#) | 6.350E-04 | 0.000E+00 | PMS | 0.000E+00 | 6.35E-04 | 0.00E+00 |
| PMCMOD42 |  | FAILURE OF MUX LOGIC GROUP # (P##MOD4#) | 6.350E-04 | 0.000E+00 | PMS | 0.000E+00 | 6.35E-04 | 0.00E+00 |
| PMCMSD11 |  | SPURIOUS FAILURE OF OUTPUT LOGIC GROUP # I/O (PM#MSD1#) | 8.400E-06 | 0.000E+00 | PMS | 0.000E+00 | 8.40E-06 | 0.00E+00 |
| PMCMSD12 |  | SPURIOUS FAILURE OF OUTPUT LOGIC GROUP # I/O (PM#MSD1#) | 8.400E-06 | 0.000E+00 | PMS | 0.000E+00 | 8.40E-06 | 0.00E+00 |
| PMCMSD21 |  | SPURIOUS FAILURE OF ACTUATION LOGIC GROUP # (PM#MSD2#) | 2.040E-05 | 0.000E+00 | PMS | 0.000E+00 | 2.04E-05 | 0.00E+00 |

Table 28-10 (Sheet 40 of 68)

FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM

| FT IDENT | COMP | FAILURE MODE | FAIL RATE | VARIANCE | SOURCE | TIME | PROBABILITY | VARIANCE |
|---|---|---|---|---|---|---|---|---|
| PMCMSD22 |  | SPURIOUS FAILURE OF ACTUATION LOGIC GROUP # (PM#MSD2#) | 2.040E-05 | 0.000E+00 | PMS | 0.000E+00 | 2.04E-05 | 0.00E+00 |
| PMCMSD33 |  | SPURIOUS FAILURE OF INPUT GROUP # (PM#MSD3#) | 2.740E-05 | 0.000E+00 | PMS | 0.000E+00 | 2.74E-05 | 0.00E+00 |
| PMCXS00ABA | XS | SPURIOUS FAILURE OF OUTPUT LOGIC GROUP SELECTOR (P##XS00ABA) | 1.000E-10 | 0.000E+00 | PMS | 0.000E+00 | 1.00E-10 | 0.00E+00 |
| PMCXS00ASA | XS | FAILURE OF OUTPUT LOGIC GROUP SELECTOR (P##XS00ASA) | 8.000E-05 | 0.000E+00 | PMS | 0.000E+00 | 8.00E-05 | 0.00E+00 |
| PMD0301ABA | 03 | LOGIC GROUP PROCESSING SPURIOUS FAILURE (###030##BA) | 8.010E-06 | 0.000E+00 | PMS | 0.000E+00 | 8.01E-06 | 0.00E+00 |
| PMD0301ASA | 03 | LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA) | 1.160E-03 | 0.000E+00 | PMS | 0.000E+00 | 1.16E-03 | 0.00E+00 |
| PMD0301BBA | 03 | LOGIC GROUP PROCESSING SPURIOUS FAILURE (###030##BA) | 8.010E-06 | 0.000E+00 | PMS | 0.000E+00 | 8.01E-06 | 0.00E+00 |
| PMD0301BSA | 03 | LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA) | 1.160E-03 | 0.000E+00 | PMS | 0.000E+00 | 1.16E-03 | 0.00E+00 |
| PMD0302ABA | 03 | LOGIC GROUP PROCESSING SPURIOUS FAILURE (###030##BA) | 8.010E-06 | 0.000E+00 | PMS | 0.000E+00 | 8.01E-06 | 0.00E+00 |
| PMD0302ASA | 03 | LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA) | 1.160E-03 | 0.000E+00 | PMS | 0.000E+00 | 1.16E-03 | 0.00E+00 |
| PMD0302BBA | 03 | LOGIC GROUP PROCESSING SPURIOUS FAILURE (###030##BA) | 8.010E-06 | 0.000E+00 | PMS | 0.000E+00 | 8.01E-06 | 0.00E+00 |
| PMD0302BSA | 03 | LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA) | 1.160E-03 | 0.000E+00 | PMS | 0.000E+00 | 1.16E-03 | 0.00E+00 |
| PMDEH0A1SA | EH | FAILURE OF MUX TRANSMITTER FAILURE TO GROUP ## (P##EH0##SA) | 8.000E-05 | 0.000E+00 | PMS | 0.000E+00 | 8.00E-05 | 0.00E+00 |

Table 28-10 (Sheet 41 of 68)

FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM

| FT IDENT | COMP | FAILURE MODE | FAIL RATE | VARIANCE | SOURCE | TIME | PROBABILITY | VARIANCE |
|---|---|---|---|---|---|---|---|---|
| PMDEH0A2SA | EH | FAILURE OF MUX TRANSMITTER FAILURE TO GROUP ## (P##EH0##SA) | 8.000E-05 | 0.000E+00 | PMS | 0.000E+00 | 8.00E-05 | 0.00E+00 |
| PMDMOD11 |  | FAILURE OF OUTPUT LOGIC GROUP # I/O (P##MOD1#) | 2.090E-03 | 0.000E+00 | PMS | 0.000E+00 | 2.09E-03 | 0.00E+00 |
| PMDMOD12 |  | FAILURE OF OUTPUT LOGIC GROUP # I/O (P##MOD1#) | 2.090E-03 | 0.000E+00 | PMS | 0.000E+00 | 2.09E-03 | 0.00E+00 |
| PMDMOD21 |  | FAILURE OF ACTUATION LOGIC GROUP # (PM#MOD2#) | 4.070E-03 | 0.000E+00 | PMS | 0.000E+00 | 4.07E-03 | 0.00E+00 |
| PMDMOD22 |  | FAILURE OF ACTUATION LOGIC GROUP # (PM#MOD2#) | 4.070E-03 | 0.000E+00 | PMS | 0.000E+00 | 4.07E-03 | 0.00E+00 |
| PMDMOD34 |  | FAILURE OF INPUT GROUP # (P##MOD3#) | 5.020E-03 | 0.000E+00 | PMS | 0.000E+00 | 5.02E-03 | 0.00E+00 |
| PMDMOD41 |  | FAILURE OF MUX LOGIC GROUP # (P##MOD4#) | 6.350E-04 | 0.000E+00 | PMS | 0.000E+00 | 6.35E-04 | 0.00E+00 |
| PMDMOD42 |  | FAILURE OF MUX LOGIC GROUP # (P##MOD4#) | 6.350E-04 | 0.000E+00 | PMS | 0.000E+00 | 6.35E-04 | 0.00E+00 |
| PMDMSD11 |  | SPURIOUS FAILURE OF OUTPUT LOGIC GROUP # I/O (PM#MSD1#) | 8.400E-06 | 0.000E+00 | PMS | 0.000E+00 | 8.40E-06 | 0.00E+00 |
| PMDMSD12 |  | SPURIOUS FAILURE OF OUTPUT LOGIC GROUP # I/O (PM#MSD1#) | 8.400E-06 | 0.000E+00 | PMS | 0.000E+00 | 8.40E-06 | 0.00E+00 |
| PMDMSD21 |  | SPURIOUS FAILURE OF ACTUATION LOGIC GROUP # (PM#MSD2#) | 2.040E-05 | 0.000E+00 | PMS | 0.000E+00 | 2.04E-05 | 0.00E+00 |
| PMDMSD22 |  | SPURIOUS FAILURE OF ACTUATION LOGIC GROUP # (PM#MSD2#) | 2.040E-05 | 0.000E+00 | PMS | 0.000E+00 | 2.04E-05 | 0.00E+00 |
| PMDMSD34 |  | SPURIOUS FAILURE OF INPUT GROUP # (PM#MSD3#) | 2.740E-05 | 0.000E+00 | PMS | 0.000E+00 | 2.74E-05 | 0.00E+00 |


Table 28-10 (Sheet 42 of 68)

FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM

FT IDENT          COMP  FAILURE MODE                                                  FAIL RATE  VARIANCE   SOURCE  TIME       PROBABILITY  VARIANCE
PMDXSOOABA        XS    SPURIOUS FAILURE OF OUTPUT LOGIC GROUP SELECTOR (P##XSOOABA)  1.000E-10  0.000E+00  PMS     0.000E+00  1.00E-10     0.00E+00
PMDXSOOASA        XS    FAILURE OF OUTPUT LOGIC GROUP SELECTOR (P##XSOOASA)           8.000E-05  0.000E+00  PMS     0.000E+00  8.00E-05     0.00E+00
PRCEP101SA        EP    FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)            1.710E-04  0.000E+00  PMS     0.000E+00  1.71E-04     0.00E+00
PRCEP108SA        EP    FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)            1.710E-04  0.000E+00  PMS     0.000E+00  1.71E-04     0.00E+00
PRDEP101SA        EP    FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)            1.710E-04  0.000E+00  PMS     0.000E+00  1.71E-04     0.00E+00
PRDEP108SA        EP    FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)            1.710E-04  0.000E+00  PMS     0.000E+00  1.71E-04     0.00E+00
PRN-MAN01         XX    PROBABILITY FOR SUB- BASIC EVENTS                             1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
PRN-MAN02         XX    PROBABILITY FOR SUB- BASIC EVENTS                             1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
PXAVS011BA        VS    SPURIOUS FAILURE OF LEVEL SWITCH (###VS###BA)                 2.320E-06  0.000E+00  PMS     0.000E+00  2.32E-06     0.00E+00
PXAVS011UF        VS    FAILURE OF LEVEL SWITCH (###VS###UF)                          1.000E-03  0.000E+00  PMS     0.000E+00  1.00E-03     0.00E+00
PXAVS013BA        VS    SPURIOUS FAILURE OF LEVEL SWITCH (###VS###BA)                 2.320E-06  0.000E+00  PMS     0.000E+00  2.32E-06     0.00E+00
PXAVS013UF        VS    FAILURE OF LEVEL SWITCH (###VS###UF)                          1.000E-03  0.000E+00  PMS     0.000E+00  1.00E-03     0.00E+00
PXAVS015BA        VS    SPURIOUS FAILURE OF LEVEL SWITCH (###VS###BA)                 2.320E-06  0.000E+00  PMS     0.000E+00  2.32E-06     0.00E+00


Table 28-10 (Sheet 43 of 68)

FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM

FT IDENT          COMP  FAILURE MODE                                                  FAIL RATE  VARIANCE   SOURCE  TIME       PROBABILITY  VARIANCE
PXAVS015UF        VS    FAILURE OF LEVEL SWITCH (###VS###UF)                          1.000E-03  0.000E+00  PMS     0.000E+00  1.00E-03     0.00E+00
PXAVS017BA        VS    SPURIOUS FAILURE OF LEVEL SWITCH (###VS###BA)                 2.320E-06  0.000E+00  PMS     0.000E+00  2.32E-06     0.00E+00
PXAVS017UF        VS    FAILURE OF LEVEL SWITCH (###VS###UF)                          1.000E-03  0.000E+00  PMS     0.000E+00  1.00E-03     0.00E+00
PXBVS012BA        VS    SPURIOUS FAILURE OF LEVEL SWITCH (###VS###BA)                 2.320E-06  0.000E+00  PMS     0.000E+00  2.32E-06     0.00E+00
PXBVS012UF        VS    FAILURE OF LEVEL SWITCH (###VS###UF)                          1.000E-03  0.000E+00  PMS     0.000E+00  1.00E-03     0.00E+00
PXBVS014BA        VS    SPURIOUS FAILURE OF LEVEL SWITCH (###VS###BA)                 2.320E-06  0.000E+00  PMS     0.000E+00  2.32E-06     0.00E+00
PXBVS014UF        VS    FAILURE OF LEVEL SWITCH (###VS###UF)                          1.000E-03  0.000E+00  PMS     0.000E+00  1.00E-03     0.00E+00
PXBVS016BA        VS    SPURIOUS FAILURE OF LEVEL SWITCH (###VS###BA)                 2.320E-06  0.000E+00  PMS     0.000E+00  2.32E-06     0.00E+00
PXBVS016UF        VS    FAILURE OF LEVEL SWITCH (###VS###UF)                          1.000E-03  0.000E+00  PMS     0.000E+00  1.00E-03     0.00E+00
PXBVS018BA        VS    SPURIOUS FAILURE OF LEVEL SWITCH (###VS###BA)                 2.320E-06  0.000E+00  PMS     0.000E+00  2.32E-06     0.00E+00
PXBVS018UF        VS    FAILURE OF LEVEL SWITCH (###VS###UF)                          1.000E-03  0.000E+00  PMS     0.000E+00  1.00E-03     0.00E+00
RC1OR195SP        OR    FAILURE OF ORIFICE - PLUGGED (###OR###SP)                     7.220E-03  0.000E+00  PMS     0.000E+00  7.22E-03     0.00E+00
RC1TL195UF        TL    LEVEL TRANSMITTER FAILURE (###TL###UF)                        5.230E-03  0.000E+00  PMS     0.000E+00  5.23E-03     0.00E+00


Table 28-10 (Sheet 44 of 68)

FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM

FT IDENT          COMP  FAILURE MODE                                                  FAIL RATE  VARIANCE   SOURCE  TIME       PROBABILITY  VARIANCE
RC2OR196SP        OR    FAILURE OF ORIFICE - PLUGGED (###OR###SP)                     7.220E-03  0.000E+00  PMS     0.000E+00  7.22E-03     0.00E+00
RC2TL196UF        TL    LEVEL TRANSMITTER FAILURE (###TL###UF)                        5.230E-03  0.000E+00  PMS     0.000E+00  5.23E-03     0.00E+00
RC3OR197SP        OR    FAILURE OF ORIFICE - PLUGGED (###OR###SP)                     7.220E-03  0.000E+00  PMS     0.000E+00  7.22E-03     0.00E+00
RC3TL197UF        TL    LEVEL TRANSMITTER FAILURE (###TL###UF)                        5.230E-03  0.000E+00  PMS     0.000E+00  5.23E-03     0.00E+00
RC4OR198SP        OR    FAILURE OF ORIFICE - PLUGGED (###OR###SP)                     7.220E-03  0.000E+00  PMS     0.000E+00  7.22E-03     0.00E+00
RC4TL198UF        TL    LEVEL TRANSMITTER FAILURE (###TL###UF)                        5.230E-03  0.000E+00  PMS     0.000E+00  5.23E-03     0.00E+00
RCATE211UF        TE    FAILURE OF TEMPERATURE ELEMENT (###TE###UF)                   3.060E-03  0.000E+00  PMS     0.000E+00  3.06E-03     0.00E+00
RCATE212UF        TE    FAILURE OF TEMPERATURE ELEMENT (###TE###UF)                   3.060E-03  0.000E+00  PMS     0.000E+00  3.06E-03     0.00E+00
RCATE213UF        TE    FAILURE OF TEMPERATURE ELEMENT (###TE###UF)                   3.060E-03  0.000E+00  PMS     0.000E+00  3.06E-03     0.00E+00
RCATE214UF        TE    FAILURE OF TEMPERATURE ELEMENT (###TE###UF)                   3.060E-03  0.000E+00  PMS     0.000E+00  3.06E-03     0.00E+00
RCATE215UF        TE    FAILURE OF TEMPERATURE ELEMENT (###TE###UF)                   3.060E-03  0.000E+00  PMS     0.000E+00  3.06E-03     0.00E+00
RCATE221UF        TE    FAILURE OF TEMPERATURE ELEMENT (###TE###UF)                   3.060E-03  0.000E+00  PMS     0.000E+00  3.06E-03     0.00E+00
RCATE225UF        TE    FAILURE OF TEMPERATURE ELEMENT (###TE###UF)                   3.060E-03  0.000E+00  PMS     0.000E+00  3.06E-03     0.00E+00


Table 28-10 (Sheet 45 of 68)

FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM

FT IDENT          COMP  FAILURE MODE                                                  FAIL RATE  VARIANCE   SOURCE  TIME       PROBABILITY  VARIANCE
RCBTE211UF        TE    FAILURE OF TEMPERATURE ELEMENT (###TE###UF)                   3.060E-03  0.000E+00  PMS     0.000E+00  3.06E-03     0.00E+00
RCBTE212UF        TE    FAILURE OF TEMPERATURE ELEMENT (###TE###UF)                   3.060E-03  0.000E+00  PMS     0.000E+00  3.06E-03     0.00E+00
RCBTE216UF        TE    FAILURE OF TEMPERATURE ELEMENT (###TE###UF)                   3.060E-03  0.000E+00  PMS     0.000E+00  3.06E-03     0.00E+00
RCBTE222UF        TE    FAILURE OF TEMPERATURE ELEMENT (###TE###UF)                   3.060E-03  0.000E+00  PMS     0.000E+00  3.06E-03     0.00E+00
RCBTE226UF        TE    FAILURE OF TEMPERATURE ELEMENT (###TE###UF)                   3.060E-03  0.000E+00  PMS     0.000E+00  3.06E-03     0.00E+00
RCCTE213UF        TE    FAILURE OF TEMPERATURE ELEMENT (###TE###UF)                   3.060E-03  0.000E+00  PMS     0.000E+00  3.06E-03     0.00E+00
RCCTE217UF        TE    FAILURE OF TEMPERATURE ELEMENT (###TE###UF)                   3.060E-03  0.000E+00  PMS     0.000E+00  3.06E-03     0.00E+00
RCCTE223UF        TE    FAILURE OF TEMPERATURE ELEMENT (###TE###UF)                   3.060E-03  0.000E+00  PMS     0.000E+00  3.06E-03     0.00E+00
RCCTE227UF        TE    FAILURE OF TEMPERATURE ELEMENT (###TE###UF)                   3.060E-03  0.000E+00  PMS     0.000E+00  3.06E-03     0.00E+00
RCDTE214UF        TE    FAILURE OF TEMPERATURE ELEMENT (###TE###UF)                   3.060E-03  0.000E+00  PMS     0.000E+00  3.06E-03     0.00E+00
RCDTE218UF        TE    FAILURE OF TEMPERATURE ELEMENT (###TE###UF)                   3.060E-03  0.000E+00  PMS     0.000E+00  3.06E-03     0.00E+00
RCDTE224UF        TE    FAILURE OF TEMPERATURE ELEMENT (###TE###UF)                   3.060E-03  0.000E+00  PMS     0.000E+00  3.06E-03     0.00E+00
RCDTE228UF        TE    FAILURE OF TEMPERATURE ELEMENT (###TE###UF)                   3.060E-03  0.000E+00  PMS     0.000E+00  3.06E-03     0.00E+00


Table 28-10 (Sheet 46 of 68)

FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM

FT IDENT          COMP  FAILURE MODE                                                  FAIL RATE  VARIANCE   SOURCE  TIME       PROBABILITY  VARIANCE
RCN-MAN01         XX    PROBABILITY FOR SUB- BASIC EVENTS                             1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
RCNTP191UF        TP    FAILURE OF PRESSURE TRANSMITTER (###TP###UF)                  5.230E-03  0.000E+00  PMS     0.000E+00  5.23E-03     0.00E+00
RCNTP192UF        TP    FAILURE OF PRESSURE TRANSMITTER (###TP###UF)                  5.230E-03  0.000E+00  PMS     0.000E+00  5.23E-03     0.00E+00
RCNTP193UF        TP    FAILURE OF PRESSURE TRANSMITTER (###TP###UF)                  5.230E-03  0.000E+00  PMS     0.000E+00  5.23E-03     0.00E+00
RCNTP194UF        TP    FAILURE OF PRESSURE TRANSMITTER (###TP###UF)                  5.230E-03  0.000E+00  PMS     0.000E+00  5.23E-03     0.00E+00
RCNTP195UF        TP    FAILURE OF PRESSURE TRANSMITTER (###TP###UF)                  5.230E-03  0.000E+00  PMS     0.000E+00  5.23E-03     0.00E+00
RCNTP196UF        TP    FAILURE OF PRESSURE TRANSMITTER (###TP###UF)                  5.230E-03  0.000E+00  PMS     0.000E+00  5.23E-03     0.00E+00
RCNTP197UF        TP    FAILURE OF PRESSURE TRANSMITTER (###TP###UF)                  5.230E-03  0.000E+00  PMS     0.000E+00  5.23E-03     0.00E+00
RCNTP198UF        TP    FAILURE OF PRESSURE TRANSMITTER (###TP###UF)                  5.230E-03  0.000E+00  PMS     0.000E+00  5.23E-03     0.00E+00
REC-MANDAS        XX    PROBABILITY FOR SUB- BASIC EVENTS                             1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
REN-MAN02         XX    PROBABILITY FOR SUB- BASIC EVENTS                             1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
REN-MAN03         XX    PROBABILITY FOR SUB- BASIC EVENTS                             1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
REN-MAN04         XX    PROBABILITY FOR SUB- BASIC EVENTS                             1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00


Table 28-10 (Sheet 47 of 68)

FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM

FT IDENT          COMP  FAILURE MODE                                                  FAIL RATE  VARIANCE   SOURCE  TIME       PROBABILITY  VARIANCE
RNAEP01ASA        EP    FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)            1.710E-04  0.000E+00  PMS     0.000E+00  1.71E-04     0.00E+00
RNAEP01BSA        EP    FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)            1.710E-04  0.000E+00  PMS     0.000E+00  1.71E-04     0.00E+00
RNAEP022SA        EP    FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)            1.710E-04  0.000E+00  PMS     0.000E+00  1.71E-04     0.00E+00
RNAEPRNPSA        EP    FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)            1.710E-04  0.000E+00  PMS     0.000E+00  1.71E-04     0.00E+00
RNBEP011SA        EP    FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)            1.710E-04  0.000E+00  PMS     0.000E+00  1.71E-04     0.00E+00
RNDEP023SA        EP    FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)            1.710E-04  0.000E+00  PMS     0.000E+00  1.71E-04     0.00E+00
ROD-CTRL-SYS      --    ROD CONTROL SYSTEM FAILURE TO STEP IN RODS (ROD-CTRL-SYS)     6.600E-04  0.000E+00  PMS     0.000E+00  6.60E-04     0.00E+00
RPAEP051SA        EP    FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)            1.710E-04  0.000E+00  PMS     0.000E+00  1.71E-04     0.00E+00
RPAEP053SA        EP    FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)            1.710E-04  0.000E+00  PMS     0.000E+00  1.71E-04     0.00E+00
RPBEP052SA        EP    FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)            1.710E-04  0.000E+00  PMS     0.000E+00  1.71E-04     0.00E+00
RPBEP054SA        EP    FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)            1.710E-04  0.000E+00  PMS     0.000E+00  1.71E-04     0.00E+00
RPCEP061SA        EP    FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)            1.710E-04  0.000E+00  PMS     0.000E+00  1.71E-04     0.00E+00
RPCEP063SA        EP    FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)            1.710E-04  0.000E+00  PMS     0.000E+00  1.71E-04     0.00E+00


Table 28-10 (Sheet 48 of 68)

FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM

FT IDENT          COMP  FAILURE MODE                                                  FAIL RATE  VARIANCE   SOURCE  TIME       PROBABILITY  VARIANCE
RPDEP062SA        EP    FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)            1.710E-04  0.000E+00  PMS     0.000E+00  1.71E-04     0.00E+00
RPDEP064SA        EP    FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)            1.710E-04  0.000E+00  PMS     0.000E+00  1.71E-04     0.00E+00
S-SIG-SENS1-FAIL        S-SIGNAL SENSOR FAILURE (S-SIG-SENS#-FAIL)                    1.000E-06  0.000E+00  PMS     0.000E+00  1.00E-06     0.00E+00
S-SIG-SENS2-FAIL        S-SIGNAL SENSOR FAILURE (S-SIG-SENS#-FAIL)                    1.000E-06  0.000E+00  PMS     0.000E+00  1.00E-06     0.00E+00
S-SIG-SENS3-FAIL        S-SIGNAL SENSOR FAILURE (S-SIG-SENS#-FAIL)                    1.000E-06  0.000E+00  PMS     0.000E+00  1.00E-06     0.00E+00
S-SIG-SENS4-FAIL        S-SIGNAL SENSOR FAILURE (S-SIG-SENS#-FAIL)                    1.000E-06  0.000E+00  PMS     0.000E+00  1.00E-06     0.00E+00
SDAS                    SPURIOUS FAILURE OF DAS (1.00E-00) PMS (SDAS)                 1.000E-08  0.000E+00  PMS     0.000E+00  1.00E-08     0.00E+00
SF3EU067A1SA      EU    FAILURE OF THE ANALOG OUTPUT BOARD (###EU###SA)               6.420E-05  0.000E+00  PMS     0.000E+00  6.42E-05     0.00E+00
SF3EU067A2SA      EU    FAILURE OF THE ANALOG OUTPUT BOARD (###EU###SA)               6.420E-05  0.000E+00  PMS     0.000E+00  6.42E-05     0.00E+00
SF3EU067B1SA      EU    FAILURE OF THE ANALOG OUTPUT BOARD (###EU###SA)               6.420E-05  0.000E+00  PMS     0.000E+00  6.42E-05     0.00E+00
SF3EU067B2SA      EU    FAILURE OF THE ANALOG OUTPUT BOARD (###EU###SA)               6.420E-05  0.000E+00  PMS     0.000E+00  6.42E-05     0.00E+00
SF3EU255A1SA      EU    FAILURE OF THE ANALOG OUTPUT BOARD (###EU###SA)               6.420E-05  0.000E+00  PMS     0.000E+00  6.42E-05     0.00E+00
SF3EU255A2SA      EU    FAILURE OF THE ANALOG OUTPUT BOARD (###EU###SA)               6.420E-05  0.000E+00  PMS     0.000E+00  6.42E-05     0.00E+00


Table 28-10 (Sheet 49 of 68)

FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM

FT IDENT          COMP  FAILURE MODE                                                  FAIL RATE  VARIANCE   SOURCE  TIME       PROBABILITY  VARIANCE
SF3EU255B1SA      EU    FAILURE OF THE ANALOG OUTPUT BOARD (###EU###SA)               6.420E-05  0.000E+00  PMS     0.000E+00  6.42E-05     0.00E+00
SF3EU255B2SA      EU    FAILURE OF THE ANALOG OUTPUT BOARD (###EU###SA)               6.420E-05  0.000E+00  PMS     0.000E+00  6.42E-05     0.00E+00
SFBEATF50B1SA     EA    FAILURE OF THE ANALOG INPUT BOARD (###EA####SA)               2.510E-04  0.000E+00  PMS     0.000E+00  2.51E-04     0.00E+00
SFBEATF50B2SA     EA    FAILURE OF THE ANALOG INPUT BOARD (###EA####SA)               2.510E-04  0.000E+00  PMS     0.000E+00  2.51E-04     0.00E+00
SFBEATF51B1SA     EA    FAILURE OF THE ANALOG INPUT BOARD (###EA####SA)               2.510E-04  0.000E+00  PMS     0.000E+00  2.51E-04     0.00E+00
SFBEATF51B2SA     EA    FAILURE OF THE ANALOG INPUT BOARD (###EA####SA)               2.510E-04  0.000E+00  PMS     0.000E+00  2.51E-04     0.00E+00
SFBEP010SA        EP    FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)            1.710E-04  0.000E+00  PMS     0.000E+00  1.71E-04     0.00E+00
SFBEP013ASA       EP    FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)            1.710E-04  0.000E+00  PMS     0.000E+00  1.71E-04     0.00E+00
SFBEP013BSA       EP    FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)            1.710E-04  0.000E+00  PMS     0.000E+00  1.71E-04     0.00E+00
SFBEP028SA        EP    FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)            1.710E-04  0.000E+00  PMS     0.000E+00  1.71E-04     0.00E+00
SFBEPSFPASA       EP    FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)            1.710E-04  0.000E+00  PMS     0.000E+00  1.71E-04     0.00E+00
SFBEPSFPBSA       EP    FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)            1.710E-04  0.000E+00  PMS     0.000E+00  1.71E-04     0.00E+00
SG1OR001SP        OR    FAILURE OF ORIFICE - PLUGGED (###OR###SP)                     7.220E-03  0.000E+00  PMS     0.000E+00  7.22E-03     0.00E+00


Table 28-10 (Sheet 50 of 68)

FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM

FT IDENT          COMP  FAILURE MODE                                                  FAIL RATE  VARIANCE   SOURCE  TIME       PROBABILITY  VARIANCE
SG1OR002SP        OR    FAILURE OF ORIFICE - PLUGGED (###OR###SP)                     7.220E-03  0.000E+00  PMS     0.000E+00  7.22E-03     0.00E+00
SG1OR003SP        OR    FAILURE OF ORIFICE - PLUGGED (###OR###SP)                     7.220E-03  0.000E+00  PMS     0.000E+00  7.22E-03     0.00E+00
SG1OR004SP        OR    FAILURE OF ORIFICE - PLUGGED (###OR###SP)                     7.220E-03  0.000E+00  PMS     0.000E+00  7.22E-03     0.00E+00
SG1OR011SP        OR    FAILURE OF ORIFICE - PLUGGED (###OR###SP)                     7.220E-03  0.000E+00  PMS     0.000E+00  7.22E-03     0.00E+00
SG1OR012SP        OR    FAILURE OF ORIFICE - PLUGGED (###OR###SP)                     7.220E-03  0.000E+00  PMS     0.000E+00  7.22E-03     0.00E+00
SG1OR015SP        OR    FAILURE OF ORIFICE - PLUGGED (###OR###SP)                     7.220E-03  0.000E+00  PMS     0.000E+00  7.22E-03     0.00E+00
SG1OR016SP        OR    FAILURE OF ORIFICE - PLUGGED (###OR###SP)                     7.220E-03  0.000E+00  PMS     0.000E+00  7.22E-03     0.00E+00
SG1OR030SP        OR    FAILURE OF ORIFICE - PLUGGED (###OR###SP)                     7.220E-03  0.000E+00  PMS     0.000E+00  7.22E-03     0.00E+00
SG1OR031SP        OR    FAILURE OF ORIFICE - PLUGGED (###OR###SP)                     7.220E-03  0.000E+00  PMS     0.000E+00  7.22E-03     0.00E+00
SG1OR032SP        OR    FAILURE OF ORIFICE - PLUGGED (###OR###SP)                     7.220E-03  0.000E+00  PMS     0.000E+00  7.22E-03     0.00E+00
SG1OR033SP        OR    FAILURE OF ORIFICE - PLUGGED (###OR###SP)                     7.220E-03  0.000E+00  PMS     0.000E+00  7.22E-03     0.00E+00
SG1TF055ARI       TF    FLOW TRANSMITTER FAILURE (###TF###RI)                         5.230E-03  0.000E+00  PMS     0.000E+00  5.23E-03     0.00E+00
SG1TF055BRI       TF    FLOW TRANSMITTER FAILURE (###TF###RI)                         5.230E-03  0.000E+00  PMS     0.000E+00  5.23E-03     0.00E+00


Table 28-10 (Sheet 51 of 68)

FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM

FT IDENT          COMP  FAILURE MODE                                                  FAIL RATE  VARIANCE   SOURCE  TIME       PROBABILITY  VARIANCE
SG1TF51ARI        TF    FLOW TRANSMITTER FAILURE (###TF###RI)                         5.230E-03  0.000E+00  PMS     0.000E+00  5.23E-03     0.00E+00
SG1TF51BUF        TF    FLOW TRANSMITTER FAILURE (###TF###RI)                         5.230E-03  0.000E+00  PMS     0.000E+00  5.23E-03     0.00E+00
SG1TL001UF        TL    LEVEL TRANSMITTER FAILURE (###TL###UF)                        5.230E-03  0.000E+00  PMS     0.000E+00  5.23E-03     0.00E+00
SG1TL002UF        TL    LEVEL TRANSMITTER FAILURE (###TL###UF)                        5.230E-03  0.000E+00  PMS     0.000E+00  5.23E-03     0.00E+00
SG1TL003UF        TL    LEVEL TRANSMITTER FAILURE (###TL###UF)                        5.230E-03  0.000E+00  PMS     0.000E+00  5.23E-03     0.00E+00
SG1TL004UF        TL    LEVEL TRANSMITTER FAILURE (###TL###UF)                        5.230E-03  0.000E+00  PMS     0.000E+00  5.23E-03     0.00E+00
SG1TL011UF        TL    LEVEL TRANSMITTER FAILURE (###TL###UF)                        5.230E-03  0.000E+00  PMS     0.000E+00  5.23E-03     0.00E+00
SG1TL012UF        TL    LEVEL TRANSMITTER FAILURE (###TL###UF)                        5.230E-03  0.000E+00  PMS     0.000E+00  5.23E-03     0.00E+00
SG1TL015UF        TL    LEVEL TRANSMITTER FAILURE (###TL###UF)                        5.230E-03  0.000E+00  PMS     0.000E+00  5.23E-03     0.00E+00
SG1TL016UF        TL    LEVEL TRANSMITTER FAILURE (###TL###UF)                        5.230E-03  0.000E+00  PMS     0.000E+00  5.23E-03     0.00E+00
SG1TP030UF        TP    FAILURE OF PRESSURE TRANSMITTER (###TP###UF)                  5.230E-03  0.000E+00  PMS     0.000E+00  5.23E-03     0.00E+00
SG1TP031UF        TP    FAILURE OF PRESSURE TRANSMITTER (###TP###UF)                  5.230E-03  0.000E+00  PMS     0.000E+00  5.23E-03     0.00E+00
SG1TP032UF        TP    FAILURE OF PRESSURE TRANSMITTER (###TP###UF)                  5.230E-03  0.000E+00  PMS     0.000E+00  5.23E-03     0.00E+00


Table 28-10 (Sheet 52 of 68)

FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM

FT IDENT          COMP  FAILURE MODE                                                  FAIL RATE  VARIANCE   SOURCE  TIME       PROBABILITY  VARIANCE
SG1TP033UF        TP    FAILURE OF PRESSURE TRANSMITTER (###TP###UF)                  5.230E-03  0.000E+00  PMS     0.000E+00  5.23E-03     0.00E+00
SG2OR005SP        OR    FAILURE OF ORIFICE - PLUGGED (###OR###SP)                     7.220E-03  0.000E+00  PMS     0.000E+00  7.22E-03     0.00E+00
SG2OR006SP        OR    FAILURE OF ORIFICE - PLUGGED (###OR###SP)                     7.220E-03  0.000E+00  PMS     0.000E+00  7.22E-03     0.00E+00
SG2OR007SP        OR    FAILURE OF ORIFICE - PLUGGED (###OR###SP)                     7.220E-03  0.000E+00  PMS     0.000E+00  7.22E-03     0.00E+00
SG2OR008SP        OR    FAILURE OF ORIFICE - PLUGGED (###OR###SP)                     7.220E-03  0.000E+00  PMS     0.000E+00  7.22E-03     0.00E+00
SG2OR013SP        OR    FAILURE OF ORIFICE - PLUGGED (###OR###SP)                     7.220E-03  0.000E+00  PMS     0.000E+00  7.22E-03     0.00E+00
SG2OR014SP        OR    FAILURE OF ORIFICE - PLUGGED (###OR###SP)                     7.220E-03  0.000E+00  PMS     0.000E+00  7.22E-03     0.00E+00
SG2OR017SP        OR    FAILURE OF ORIFICE - PLUGGED (###OR###SP)                     7.220E-03  0.000E+00  PMS     0.000E+00  7.22E-03     0.00E+00
SG2OR018SP        OR    FAILURE OF ORIFICE - PLUGGED (###OR###SP)                     7.220E-03  0.000E+00  PMS     0.000E+00  7.22E-03     0.00E+00
SG2OR034SP        OR    FAILURE OF ORIFICE - PLUGGED (###OR###SP)                     7.220E-03  0.000E+00  PMS     0.000E+00  7.22E-03     0.00E+00
SG2OR035SP        OR    FAILURE OF ORIFICE - PLUGGED (###OR###SP)                     7.220E-03  0.000E+00  PMS     0.000E+00  7.22E-03     0.00E+00
SG2OR036SP        OR    FAILURE OF ORIFICE - PLUGGED (###OR###SP)                     7.220E-03  0.000E+00  PMS     0.000E+00  7.22E-03     0.00E+00
SG2OR037SP        OR    FAILURE OF ORIFICE - PLUGGED (###OR###SP)                     7.220E-03  0.000E+00  PMS     0.000E+00  7.22E-03     0.00E+00


Table 28-10 (Sheet 53 of 68)

FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM

FT IDENT          COMP  FAILURE MODE                                                  FAIL RATE  VARIANCE   SOURCE  TIME       PROBABILITY  VARIANCE
SG2TF056ARI       TF    FLOW TRANSMITTER FAILURE (###TF###RI)                         5.230E-03  0.000E+00  PMS     0.000E+00  5.23E-03     0.00E+00
SG2TF056BRI       TF    FLOW TRANSMITTER FAILURE (###TF###RI)                         5.230E-03  0.000E+00  PMS     0.000E+00  5.23E-03     0.00E+00
SG2TF50ARI        TF    FLOW TRANSMITTER FAILURE (###TF###RI)                         5.230E-03  0.000E+00  PMS     0.000E+00  5.23E-03     0.00E+00
SG2TF50BUF        TF    FLOW TRANSMITTER FAILURE (###TF###RI)                         5.230E-03  0.000E+00  PMS     0.000E+00  5.23E-03     0.00E+00
SG2TL005UF        TL    LEVEL TRANSMITTER FAILURE (###TL###UF)                        5.230E-03  0.000E+00  PMS     0.000E+00  5.23E-03     0.00E+00
SG2TL006UF        TL    LEVEL TRANSMITTER FAILURE (###TL###UF)                        5.230E-03  0.000E+00  PMS     0.000E+00  5.23E-03     0.00E+00
SG2TL007UF        TL    LEVEL TRANSMITTER FAILURE (###TL###UF)                        5.230E-03  0.000E+00  PMS     0.000E+00  5.23E-03     0.00E+00
SG2TL008UF        TL    LEVEL TRANSMITTER FAILURE (###TL###UF)                        5.230E-03  0.000E+00  PMS     0.000E+00  5.23E-03     0.00E+00
SG2TL013UF        TL    LEVEL TRANSMITTER FAILURE (###TL###UF)                        5.230E-03  0.000E+00  PMS     0.000E+00  5.23E-03     0.00E+00
SG2TL014UF        TL    LEVEL TRANSMITTER FAILURE (###TL###UF)                        5.230E-03  0.000E+00  PMS     0.000E+00  5.23E-03     0.00E+00
SG2TL017UF        TL    LEVEL TRANSMITTER FAILURE (###TL###UF)                        5.230E-03  0.000E+00  PMS     0.000E+00  5.23E-03     0.00E+00
SG2TL018UF        TL    LEVEL TRANSMITTER FAILURE (###TL###UF)                        5.230E-03  0.000E+00  PMS     0.000E+00  5.23E-03     0.00E+00
SG2TP034UF        TP    FAILURE OF PRESSURE TRANSMITTER (###TP###UF)                  5.230E-03  0.000E+00  PMS     0.000E+00  5.23E-03     0.00E+00


Table 28-10 (Sheet 54 of 68)

FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM

FT IDENT          COMP  FAILURE MODE                                                  FAIL RATE  VARIANCE   SOURCE  TIME       PROBABILITY  VARIANCE
SG2TP035UF        TP    FAILURE OF PRESSURE TRANSMITTER (###TP###UF)                  5.230E-03  0.000E+00  PMS     0.000E+00  5.23E-03     0.00E+00
SG2TP036UF        TP    FAILURE OF PRESSURE TRANSMITTER (###TP###UF)                  5.230E-03  0.000E+00  PMS     0.000E+00  5.23E-03     0.00E+00
SG2TP037UF        TP    FAILURE OF PRESSURE TRANSMITTER (###TP###UF)                  5.230E-03  0.000E+00  PMS     0.000E+00  5.23E-03     0.00E+00
SGAEP027BSA       EP    FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)            1.710E-04  0.000E+00  PMS     0.000E+00  1.71E-04     0.00E+00
SGAEP040BSA       EP    FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)            1.710E-04  0.000E+00  PMS     0.000E+00  1.71E-04     0.00E+00
SGAEP057BSA       EP    FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)            1.710E-04  0.000E+00  PMS     0.000E+00  1.71E-04     0.00E+00
SGAEP074BSA       EP    FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)            1.710E-04  0.000E+00  PMS     0.000E+00  1.71E-04     0.00E+00
SGAEP075BSA       EP    FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)            1.710E-04  0.000E+00  PMS     0.000E+00  1.71E-04     0.00E+00
SGBEP027BSA       EP    FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)            1.710E-04  0.000E+00  PMS     0.000E+00  1.71E-04     0.00E+00
SGBEP040BSA       EP    FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)            1.710E-04  0.000E+00  PMS     0.000E+00  1.71E-04     0.00E+00
SGBEP057BSA       EP    FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)            1.710E-04  0.000E+00  PMS     0.000E+00  1.71E-04     0.00E+00
SGBEP074BSA       EP    FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)            1.710E-04  0.000E+00  PMS     0.000E+00  1.71E-04     0.00E+00
SGBEP075BSA       EP    FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)            1.710E-04  0.000E+00  PMS     0.000E+00  1.71E-04     0.00E+00


Table 28-10 (Sheet 55 of 68)

FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM

FT IDENT          COMP  FAILURE MODE                                                  FAIL RATE  VARIANCE   SOURCE  TIME       PROBABILITY  VARIANCE
SGCEP040BSA       EP    FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)            1.710E-04  0.000E+00  PMS     0.000E+00  1.71E-04     0.00E+00
SGCEP250BSA       EP    FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)            1.710E-04  0.000E+00  PMS     0.000E+00  1.71E-04     0.00E+00
SGDEP040BSA       EP    FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)            1.710E-04  0.000E+00  PMS     0.000E+00  1.71E-04     0.00E+00
SGDEP250BSA       EP    FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)            1.710E-04  0.000E+00  PMS     0.000E+00  1.71E-04     0.00E+00
SGHL-MAN01        XX    PROBABILITY FOR SUB- BASIC EVENTS                             1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-AESIPC        XX    PROBABILITY FOR SUB- BASIC EVENTS                             1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-AESIPCB       XX    PROBABILITY FOR SUB- BASIC EVENTS                             1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-AESIPCP       XX    PROBABILITY FOR SUB- BASIC EVENTS                             1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-AESOUTA       XX    PROBABILITY FOR SUB- BASIC EVENTS                             1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-AESOUTAB      XX    PROBABILITY FOR SUB- BASIC EVENTS                             1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-AESOUTAP      XX    PROBABILITY FOR SUB- BASIC EVENTS                             1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-AESOUTB       XX    PROBABILITY FOR SUB- BASIC EVENTS                             1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-AESOUTBB      XX    PROBABILITY FOR SUB- BASIC EVENTS                             1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00


Table 28-10 (Sheet 56 of 68)

FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM

FT IDENT          COMP  FAILURE MODE                                                  FAIL RATE  VARIANCE   SOURCE  TIME       PROBABILITY  VARIANCE
SUB-AESOUTBP      XX    PROBABILITY FOR SUB- BASIC EVENTS                             1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-AESOUTC       XX    PROBABILITY FOR SUB- BASIC EVENTS                             1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-AESOUTCB      XX    PROBABILITY FOR SUB- BASIC EVENTS                             1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-AESOUTCP      XX    PROBABILITY FOR SUB- BASIC EVENTS                             1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-AESOUTD       XX    PROBABILITY FOR SUB- BASIC EVENTS                             1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-AESOUTDB      XX    PROBABILITY FOR SUB- BASIC EVENTS                             1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-AESOUTDP      XX    PROBABILITY FOR SUB- BASIC EVENTS                             1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-APLC03        XX    PROBABILITY FOR SUB- BASIC EVENTS                             1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-APLC03P       XX    PROBABILITY FOR SUB- BASIC EVENTS                             1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-APLCC01       XX    PROBABILITY FOR SUB- BASIC EVENTS                             1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-APLCC01B      XX    PROBABILITY FOR SUB- BASIC EVENTS                             1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-APLCC01P      XX    PROBABILITY FOR SUB- BASIC EVENTS                             1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-APLCC02       XX    PROBABILITY FOR SUB- BASIC EVENTS                             1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00


Table 28-10 (Sheet 57 of 68)

FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM

FT IDENT          COMP  FAILURE MODE                                                  FAIL RATE  VARIANCE   SOURCE  TIME       PROBABILITY  VARIANCE
SUB-APLCC02P      XX    PROBABILITY FOR SUB- BASIC EVENTS                             1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-APLCC02Y      XX    PROBABILITY FOR SUB- BASIC EVENTS                             1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-APLCC03       XX    PROBABILITY FOR SUB- BASIC EVENTS                             1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-APLCC03P      XX    PROBABILITY FOR SUB- BASIC EVENTS                             1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-APLIPC        XX    PROBABILITY FOR SUB- BASIC EVENTS                             1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-APLIPCB       XX    PROBABILITY FOR SUB- BASIC EVENTS                             1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-APLIPCP       XX    PROBABILITY FOR SUB- BASIC EVENTS                             1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-APLL03        XX    PROBABILITY FOR SUB- BASIC EVENTS                             1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-APLLOA        XX    PROBABILITY FOR SUB- BASIC EVENTS                             1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-APLLOB        XX    PROBABILITY FOR SUB- BASIC EVENTS                             1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-APLLOBP       XX    PROBABILITY FOR SUB- BASIC EVENTS                             1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-APLLL01       XX    PROBABILITY FOR SUB- BASIC EVENTS                             1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-APLLL01P      XX    PROBABILITY FOR SUB- BASIC EVENTS                             1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00

Table 28-10 (Sheet 58 of 68)

FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM

FT IDENT        COMP  FAILURE MODE                                        FAIL RATE  VARIANCE   SOURCE  TIME       PROBABILITY  VARIANCE
SUB-APLLL05B    XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-APLLL06     XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-APLLL07     XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-APLLL07P    XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-APLLL07Y    XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-APLLL09     XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-APLLL09P    XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-APLLL09Y    XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-APLLL0B     XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-APLLL0BP    XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-APLLL0D     XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-APOADS83    XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-BPOADS83    XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00

28-119 Revision 1

Table 28-10 (Sheet 59 of 68)

FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM

FT IDENT        COMP  FAILURE MODE                                        FAIL RATE  VARIANCE   SOURCE  TIME       PROBABILITY  VARIANCE
SUB-CCXSNRS1    XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-CCXSNRS2    XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-CPOADS83    XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-DASSENS     XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-DASSIND     XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-DPOADS83    XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-EAI1        XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-EAI2        XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-EAO1        XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-EAO2        XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-ED1EA11     XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-ED1EA11B    XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-ED1EA11P    XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00

28-120 Revision 1

Table 28-10 (Sheet 60 of 68)

FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM

FT IDENT        COMP  FAILURE MODE                                        FAIL RATE  VARIANCE   SOURCE  TIME       PROBABILITY  VARIANCE
SUB-ED1EA2      XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-ED1EA2P     XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-ED2EA11     XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-ED2EA11B    XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-ED2EA11P    XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-ED2EA2      XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-ED2EA2P     XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-ED32HR      XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-ED3EA1      XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-ED3EA11     XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-ED3EA11B    XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-ED3EA11P    XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-ED3EA11Y    XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00

28-121 Revision 1

Table 28-10 (Sheet 61 of 68)

FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM

FT IDENT        COMP  FAILURE MODE                                        FAIL RATE  VARIANCE   SOURCE  TIME       PROBABILITY  VARIANCE
SUB-ED3EA1B     XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-ED3EA1P     XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-ED3EA2      XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-ED3EA2P     XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-ED3EA2Y     XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-EPI1        XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-EPO         XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-ESFOPER     XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-IDAEA1      XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-IDAEA1B     XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-IDAEA1P     XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-IDAEA2      XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-IDAEA2P     XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00

28-122 Revision 1

Table 28-10 (Sheet 62 of 68)

FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM

FT IDENT        COMP  FAILURE MODE                                        FAIL RATE  VARIANCE   SOURCE  TIME       PROBABILITY  VARIANCE
SUB-IDBEA1      XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-IDBEA1B     XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-IDBEA1P     XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-IDBEA2      XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-IDBEA2P     XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-IDBEA3      XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-IDBEA3B     XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-IDBEA3P     XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-IDCEA1      XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-IDCEA1B     XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-IDCEA1P     XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-IDCEA2      XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-IDCEA2P     XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00

28-123 Revision 1

Table 28-10 (Sheet 63 of 68)

FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM

FT IDENT        COMP  FAILURE MODE                                        FAIL RATE  VARIANCE   SOURCE  TIME       PROBABILITY  VARIANCE
SUB-IDCEA3      XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-IDCEA3B     XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-IDCEA3P     XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-IDDEA1      XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-IDDEA1B     XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-IDDEA1P     XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-IDDEA2      XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-IDDEA2P     XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-MESOUTA     XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-MESOUTAB    XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-MESOUTAP    XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-MESOUTB     XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-MESOUTBB    XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00

28-124 Revision 1

Table 28-10 (Sheet 64 of 68)

FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM

FT IDENT        COMP  FAILURE MODE                                        FAIL RATE  VARIANCE   SOURCE  TIME       PROBABILITY  VARIANCE
SUB-MESOUTBP    XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-MESOUTC     XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-MESOUTCB    XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-MESOUTCP    XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-MESOUTD     XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-MESOUTDB    XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-MESOUTDP    XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-MPLL01      XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-MPLL01P     XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-MPLL02      XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-MPLL03      XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-MPLL04      XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-MPLL04P     XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00

28-125 Revision 1

Table 28-10 (Sheet 65 of 68)

FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM

FT IDENT        COMP  FAILURE MODE                                        FAIL RATE  VARIANCE   SOURCE  TIME       PROBABILITY  VARIANCE
SUB-MPLL05B     XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-MPLL06      XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-MPLL07      XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-MPLL07P     XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-MPLL07Y     XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-MPLL09      XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-MPLL09P     XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-MPLL0A      XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-MPLL0B      XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-MPLL0BP     XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-PLSENSOR    XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-SENS1       XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-SENS2       XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00

28-126 Revision 1

Table 28-10 (Sheet 66 of 68)

FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM

FT IDENT        COMP  FAILURE MODE                                        FAIL RATE  VARIANCE   SOURCE  TIME       PROBABILITY  VARIANCE
SUB-SENS3       XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-SENS4       XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-SESIPC      XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-SESOUTA     XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-SESOUTB     XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-SESOUTC     XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SUB-SESOUTD     XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SW2EAPD02A1SA   EA    FAILURE OF THE ANALOG INPUT BOARD (###EA####SA)     2.510E-04  0.000E+00  PMS     0.000E+00  2.51E-04     0.00E+00
SW2EAPD02A2SA   EA    FAILURE OF THE ANALOG INPUT BOARD (###EA####SA)     2.510E-04  0.000E+00  PMS     0.000E+00  2.51E-04     0.00E+00
SW2EAPF0011SA   EA    FAILURE OF THE ANALOG INPUT BOARD (###EA####SA)     2.510E-04  0.000E+00  PMS     0.000E+00  2.51E-04     0.00E+00
SW2EAPF0012SA   EA    FAILURE OF THE ANALOG INPUT BOARD (###EA####SA)     2.510E-04  0.000E+00  PMS     0.000E+00  2.51E-04     0.00E+00
SW7EP006ASA     EP    FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)  1.710E-04  0.000E+00  PMS     0.000E+00  1.71E-04     0.00E+00
SW7EPCTFASA     EP    FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)  1.710E-04  0.000E+00  PMS     0.000E+00  1.71E-04     0.00E+00

28-127 Revision 1

Table 28-10 (Sheet 67 of 68)

FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM

FT IDENT        COMP  FAILURE MODE                                        FAIL RATE  VARIANCE   SOURCE  TIME       PROBABILITY  VARIANCE
SW7EPCTFBSA     EP    FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)  1.710E-04  0.000E+00  PMS     0.000E+00  1.71E-04     0.00E+00
SW7EPSBPASA     EP    FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)  1.710E-04  0.000E+00  PMS     0.000E+00  1.71E-04     0.00E+00
SW7EPSBPBSA     EP    FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)  1.710E-04  0.000E+00  PMS     0.000E+00  1.71E-04     0.00E+00
SW7EPV037BSA    EP    FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)  1.710E-04  0.000E+00  PMS     0.000E+00  1.71E-04     0.00E+00
SWATP002RY      TP    PRESSURE TRANSMITTER YEARLY FAILURE (###TP###RY)    5.230E-03  0.000E+00  PMS     0.000E+00  5.23E-03     0.00E+00
SWB-MAN02       XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SWB-MAN02N      XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SWN-MAN01       XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SWN-MAN01N      XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
SWNTP001RI      TP    FAILURE OF PRESSURE TRANSMITTER (###TP###RI)        5.230E-03  0.000E+00  PMS     0.000E+00  5.23E-03     0.00E+00
TC2EATCSP1SA    EA    FAILURE OF THE ANALOG INPUT BOARD (###EA####SA)     2.510E-04  0.000E+00  PMS     0.000E+00  2.51E-04     0.00E+00
TC2EATCSP2SA    EA    FAILURE OF THE ANALOG INPUT BOARD (###EA####SA)     2.510E-04  0.000E+00  PMS     0.000E+00  2.51E-04     0.00E+00
TC6EPTCPBSA     EP    FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)  1.710E-04  0.000E+00  PMS     0.000E+00  1.71E-04     0.00E+00

28-128 Revision 1

Table 28-10 (Sheet 68 of 68)

FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM

FT IDENT        COMP  FAILURE MODE                                        FAIL RATE  VARIANCE   SOURCE  TIME       PROBABILITY  VARIANCE
TCB-MAN01       XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
TCNTF109ARI     TF    FLOW TRANSMITTER FAILURE (###TF###RI)               5.230E-03  0.000E+00  PMS     0.000E+00  5.23E-03     0.00E+00
TCNTF109BRI     TF    FLOW TRANSMITTER FAILURE (###TF###RI)               5.230E-03  0.000E+00  PMS     0.000E+00  5.23E-03     0.00E+00
VLN-MAN01       XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
VLX-ANLYZ       XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
VW2EPTRBSA      EP    FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)  1.710E-04  0.000E+00  PMS     0.000E+00  1.71E-04     0.00E+00
VWN-MAN01       XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00
ZON-MAN01       XX    PROBABILITY FOR SUB-BASIC EVENTS                    1.000E-01  0.000E+00  SUB-    0.000E+00  1.00E-01     0.00E+00

28-129 Revision 1

Table 28-11 (Sheet 1 of 3)

ASSUMED LIST OF I&C INSTRUMENTATION

Parameter
    Channel   Sensor            Instr. Lines

SG-1 Narrow-Range Level
    1         SG1TL001UF        SG1OR001SP
    2         SG1TL002UF        SG1OR002SP
    3         SG1TL003UF        SG1OR003SP
    4         SG1TL004UF        SG1OR004SP

SG-2 Narrow-Range Level
    1         SG2TL005UF        SG2OR005SP
    2         SG2TL006UF        SG2OR006SP
    3         SG2TL007UF        SG2OR007SP
    4         SG2TL008UF        SG2OR008SP

SG-1 Startup Feedwater Flow
    1         SG1TF055ARI
    2         SG1TF055BRI

SG-2 Startup Feedwater Flow
    1         SG2TF056ARI
    2         SG2TF056BRI

SG-1 Wide-Range Level
    1         SG1TL011UF        SG1OR011SP
    2         SG1TL012UF        SG1OR012SP
    3         SG1TL015UF        SG1OR015SP
    4         SG1TL016UF        SG1OR016SP

SG-2 Wide-Range Level
    1         SG2TL013UF        SG2OR013SP
    2         SG2TL014UF        SG2OR014SP
    3         SG2TL017UF        SG2OR017SP
    4         SG2TL018UF        SG2OR018SP

CMT-A Level Switch
    1         PXAVS011UF
    2         PXAVS013UF
    3         PXAVS015UF
    4         PXAVS017UF

CMT-B Level Switch
    1         PXBVS012UF
    2         PXBVS014UF
    3         PXBVS016UF
    4         PXBVS018UF

CMT Signal
    1         CMT-SENS1-FAIL
    2         CMT-SENS2-FAIL
    3         CMT-SENS3-FAIL
    4         CMT-SENS4-FAIL

Safety Injection Signal
    1         S-SIG-SENS1-FAIL
    2         S-SIG-SENS2-FAIL
    3         S-SIG-SENS3-FAIL
    4         S-SIG-SENS4-FAIL

28-130 Revision 1

Table 28-11 (Sheet 2 of 3)

ASSUMED LIST OF I&C INSTRUMENTATION

Parameter
    Channel   Sensor            Instr. Lines

Condensate Pump Flow
              CDNTF01BRI

SG-1 Feedwater Wide-Range Flow
              SG2TF50ARI

SG-2 Feedwater Wide-Range Flow
              SG1TF51ARI

SG-1 Steam Line Pressure
    1         SG1TP030UF        SG1OR030SP
    2         SG1TP031UF        SG1OR031SP
    3         SG1TP032UF        SG1OR032SP
    4         SG1TP033UF        SG1OR033SP

SG-2 Steam Line Pressure
    1         SG2TP034UF        SG2OR034SP
    2         SG2TP035UF        SG2OR035SP
    3         SG2TP036UF        SG2OR036SP
    4         SG2TP037UF        SG2OR037SP

SG-1 Feedwater Narrow-Range Flow
              SG2TF50BUF

SG-2 Feedwater Narrow-Range Flow
              SG1TF51BUF

Containment Pressure
    1         PC1TP005UF
    2         PC2TP006UF
    3         PC3TP007UF
    4         PC4TP008UF

Pressurizer Level
    1         RC1TL195UF        RC1OR195SP
    2         RC2TL196UF        RC2OR196SP
    3         RC3TL197UF        RC3OR197SP
    4         RC4TL198UF        RC4OR198SP

Differential Pressure Transmitter
              SWATP002RY

Pressure Transmitter
              SWNTP001RI

Undervoltage Relay
              EC1RE27BGA

In-Containment Refueling Water Storage Tank Level
    1         IW1TL045UF
    2         IW2TL046UF
    3         IW3TL047UF
    4         IW4TL048UF

Component Cooling Water System Pump Discharge Flow
              CCNTF101RI

28-131 Revision 1

Table 28-11 (Sheet 3 of 3)

ASSUMED LIST OF I&C INSTRUMENTATION

Parameter
    Channel   Sensor            Instr. Lines

Instrument Air Pressure Signal
              CANTP011RI

Diesel Generator 1 Undervoltage Relay
              EC1REDG1GA

Diesel Generator 2 Undervoltage Relay
              EC1REDG2GA

Heat Exchanger ME01A Flow
              TCNTF109ARI

Heat Exchanger ME01B Flow
              TCNTF109BRI

Reactor Coolant Pump 1A Bearing Water Temperature
    1         RCATE211UF
    2         RCATE212UF
    3         RCATE213UF
    4         RCATE214UF

Reactor Coolant Pump 1B Bearing Water Temperature
    1         RCATE215UF
    2         RCATE216UF
    3         RCATE217UF
    4         RCATE218UF

Reactor Coolant Pump 2A Bearing Water Temperature
    1         RCATE221UF
    2         RCATE222UF
    3         RCATE223UF
    4         RCATE224UF

Reactor Coolant Pump 2B Bearing Water Temperature
    1         RCATE225UF
    2         RCATE226UF
    3         RCATE227UF
    4         RCATE228UF

Pressurizer Pressure
    1         RCNTP191UF        RCNTP195UF
    2         RCNTP192UF        RCNTP196UF
    3         RCNTP193UF        RCNTP197UF
    4         RCNTP194UF        RCNTP198UF

28-132 Revision 1


Table 28-12

ASSIGNMENTS OF PLANT SYSTEMS TO LOGIC CABINETS

CLC 1 Component cooling water system (CCS)

CLC 2 Central chilled water system (VWS)

CLC 3 Chemical and volume control system (CVS)

CLC 4 Normal residual heat removal (RNS)

CLC 5 Diesel generators Starting sequences, main generator breaker, switchgear breakers

CLC 6 Turbine building closed cooling water system (TCS)

CLC 7 Service water system (SWS)

CLC 8 Circulating water system (CWS)

CLC 9 Compressed and instrument air system (CAS)

CLC A Steam dump valves function

CLC B Startup feedwater system (FWS)

CLC C Main feedwater system (FWS)

CLC D Condensate system (CDS)

28-133 Revision 1

Table 28-13

ASSIGNMENTS OF PLANT SYSTEMS TO THE CONTROL GROUP CABINETS

Control Group 1
    Pressurizer Pressure and Level Control
    Reactor Coolant Level and Flow Control
    Component Cooling Water System
    Central Chilled Water System
    Chemical and Volume Control System
    Normal Residual Heat Removal
    Diesel Generators Starting Sequences, Main Generator Breaker, Switchgear Breakers

Control Group 2
    Turbine Building Closed Cooling Water System
    Service Water System
    Circulating Water System
    Main Steam System (MSS)
    Compressed and Instrument Air System
    Steam Dump Valves Function

    Main and Startup Feedwater System
    Condensate System
    Feedwater Control Valves Function
    Feedwater Pump Speed Function

28-134 Revision 1


CHAPTER 29

COMMON-CAUSE ANALYSIS

29.1 Introduction

Dependent and common-cause failures (CCF) defeat the redundancy incorporated into the design to improve the availability of some plant functions, such as coolant injection. A dependent or common-cause failure arises from a cause that fails more than one system, or more than one train of a system, simultaneously or within the surveillance time interval.

The methodology described in Attachment 29A is applied to consider the different types of dependent failures, with particular emphasis on common-cause failures. Common-cause failures are those failures in which fault states exist in two or more components at the same time, or within a short interval, and are direct results of shared causes.

Common-cause parameters for the Multiple-Greek Letter (MGL) method are taken from the Electric Power Research Institute (EPRI) Advanced Light Water Reactor Utility Requirements Document (Reference 29-1).

The common-cause basic events are defined in the system fault trees and are tabulated in each system chapter. The failure probabilities of these basic events are calculated and are given in Sections 29.4 and 29.5, except for instrumentation and control common-cause failures that are calculated in their respective system chapters. Table 29-2 summarizes the common-cause failure probabilities calculated in this section.

29.2 Dependent Failures

In the AP1000 Probabilistic Risk Assessment (PRA), the following dependent failures are analyzed:

• Sequence functional dependencies
• Intersystem dependencies
• Dependencies due to human actions
• Inter-component dependencies (common cause)

Sequence Functional Dependencies

The sequence functional dependencies indicate the effects of the status of one system or safety function on the success or failure of another. These dependencies are explicitly accounted for in the event tree analysis.

Additionally, a set of common-cause initiating events are identified that not only result in a plant transient or accident, but also in failure or degradation of systems required to operate following the initiating event. One group of these events includes those associated with total or partial failure of support systems, such as loss of turbine closed cooling water system, loss of component cooling water system, loss of service water system, loss of compressed air system, and loss of one high voltage AC electrical bus. The dependencies introduced as a result of these initiating events are addressed by constructing specific event trees for each event.

Intersystem Dependencies

In the AP1000 plant design, most of the safety-related systems are essentially passive systems with substantially reduced dependency on auxiliary systems. However, the dependency on dc power for these systems and the dependency on other auxiliaries for the non-safety-related systems are carefully analyzed in the probabilistic risk assessment.

Intersystem dependencies include both hard-wired dependencies (such as through electric power and cooling water) and functional dependencies (such as ambient cooling and adequate net-positive suction head). These are incorporated explicitly in the different system fault trees using the same basic event name or subtree name (SUB-XXXXXX) to identify the same component failure mode or the same supporting system failure mode.

Some auxiliary systems require supporting systems to operate correctly. Therefore, the redundant systems or components could have dependencies due to the supporting systems.

A systems dependency matrix, provided in the Support Systems Analysis, summarizes these interdependencies. These dependencies are incorporated explicitly in the different system fault trees using the same basic event name.
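The following Python fragment is an added illustration, not code from the AP1000 PRA or its fault tree tools, of why the same SUB- name has to identify the same support-system failure in every tree that depends on it. It builds a constructed two-train tree whose trains both reference one subtree named SUB-SUPPORT, reduces it to minimal cut sets, computes the exact top-event probability, and compares that with a variant in which each train names the subtree differently; the cut-set expansion and exact evaluation work for any AND/OR tree, not only this one. The event names PUMP_A, PUMP_B, SUB-SUPPORT and the pump probabilities are constructed; the 1.0E-01 subtree value is the placeholder that Table 28-10 assigns to every PROBABILITY FOR SUB-BASIC EVENTS entry.

```python
"""Added example (not AP1000 PRA code): a support-system subtree must carry the
same basic-event name (SUB-XXXXXX) in every fault tree that depends on it.

Constructed tree, written as nested (gate, children) tuples:
    TOP     = TRAIN_A AND TRAIN_B         both redundant trains must fail
    TRAIN_A = PUMP_A  OR  SUB-SUPPORT     train A fails on pump failure or loss of support
    TRAIN_B = PUMP_B  OR  SUB-SUPPORT     train B depends on the SAME support subtree
"""
import math
from itertools import product
from typing import Dict, FrozenSet, List, Set, Tuple, Union

Node = Union[str, Tuple[str, list]]   # a basic-event name, or ("AND" | "OR", [children])

# Constructed names and probabilities. 1.0E-01 is the placeholder value that
# Table 28-10 lists for every "PROBABILITY FOR SUB-BASIC EVENTS" row.
PUMP_A, PUMP_B, SUPPORT = "PUMP_A", "PUMP_B", "SUB-SUPPORT"
TREE: Node = ("AND", [("OR", [PUMP_A, SUPPORT]), ("OR", [PUMP_B, SUPPORT])])
PROBS: Dict[str, float] = {PUMP_A: 1.0e-3, PUMP_B: 1.0e-3, SUPPORT: 1.0e-1}

# The same plant, but with the support subtree given a DIFFERENT name in each
# train's tree: the model can no longer see that both trains share the failure.
SPLIT_TREE: Node = ("AND", [("OR", [PUMP_A, "SUB-SUPPORT-A"]),
                            ("OR", [PUMP_B, "SUB-SUPPORT-B"])])
SPLIT_PROBS: Dict[str, float] = {PUMP_A: 1.0e-3, PUMP_B: 1.0e-3,
                                 "SUB-SUPPORT-A": 1.0e-1, "SUB-SUPPORT-B": 1.0e-1}


def minimize(sets: List[FrozenSet[str]]) -> List[FrozenSet[str]]:
    """Absorption: drop any cut set that strictly contains another one."""
    uniq = set(sets)
    kept = [s for s in uniq if not any(o < s for o in uniq)]
    return sorted(kept, key=lambda s: (len(s), sorted(s)))


def cut_sets(node: Node) -> List[FrozenSet[str]]:
    """Expand a gate tree into its minimal cut sets (sets of basic events)."""
    if isinstance(node, str):
        return [frozenset([node])]
    gate, children = node
    child_sets = [cut_sets(c) for c in children]
    if gate == "OR":                       # any child's cut set fails the gate
        combined = [s for cs in child_sets for s in cs]
    elif gate == "AND":                    # one cut set from every child, unioned
        combined = [frozenset().union(*combo) for combo in product(*child_sets)]
    else:
        raise ValueError(f"unknown gate type {gate!r}")
    return minimize(combined)


def basic_events(node: Node) -> Set[str]:
    """All basic-event names referenced anywhere under a node."""
    if isinstance(node, str):
        return {node}
    return set().union(*(basic_events(c) for c in node[1]))


def evaluate(node: Node, state: Dict[str, bool]) -> bool:
    """True when the gate is failed for a given failed/not-failed state of every event."""
    if isinstance(node, str):
        return state[node]
    gate, children = node
    results = [evaluate(c, state) for c in children]
    return all(results) if gate == "AND" else any(results)


def exact_probability(node: Node, probs: Dict[str, float]) -> float:
    """Top-event probability by enumerating all event states (exact; small trees only)."""
    events = sorted(basic_events(node))
    total = 0.0
    for states in product((False, True), repeat=len(events)):
        state = dict(zip(events, states))
        if evaluate(node, state):
            weight = 1.0
            for e in events:
                weight *= probs[e] if state[e] else 1.0 - probs[e]
            total += weight
    return total


def rare_event_approx(cutsets: List[FrozenSet[str]], probs: Dict[str, float]) -> float:
    """Sum of minimal-cut-set probabilities: the usual, slightly conservative PRA estimate."""
    return sum(math.prod(probs[e] for e in cs) for cs in cutsets)


if __name__ == "__main__":
    shared = cut_sets(TREE)
    print("shared subtree, minimal cut sets:", [sorted(s) for s in shared])
    print(f"  exact:               {exact_probability(TREE, PROBS):.6e}")
    print(f"  rare-event approx.:  {rare_event_approx(shared, PROBS):.6e}")
    split = cut_sets(SPLIT_TREE)
    print("subtree renamed per train, minimal cut sets:", [sorted(s) for s in split])
    print(f"  exact:               {exact_probability(SPLIT_TREE, SPLIT_PROBS):.6e}")
```

With the shared name the single-event cut set {SUB-SUPPORT} dominates and the top-event probability is about 1.0E-01; with the subtree renamed per train every cut set has two events and the result drops to about 1.0E-02, an order of magnitude optimistic for the same plant.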

Human Action Dependencies

Dependencies due to human actions or diagnostic errors, which might affect the manual actuation of redundant systems, are explicitly modeled as separate events in the fault trees. Other dependencies due to human actions, such as incorrect calibration of sensors or instruments, which might affect the annual actuation of redundant systems, are explicitly modeled as separate events in the fault trees.

Dependencies of the operator actions that affect multiple systems are analyzed in the Human Reliability Analysis, where the human interactions are treated for consideration in the fault tree/event tree quantification. The Human Reliability Analysis is discussed in Chapter 30.

Inter-Component Dependencies (Common-Cause Failures)

Inter-component dependencies, also called common-cause failures, are root-cause events leading directly to multiple component outages from a shared cause. Common-cause failures are significant because they can lead to simultaneous (or nearly simultaneous; that is, within the mission time) failure of redundant components. Therefore, they can prevent the maximum theoretical gain in reliability from being achieved by adding redundant components/trains. Common-cause failures arise because the components are susceptible to the same failure causes. However, some triggering event or preconditioning may also be needed to bring about the simultaneous failures.


There are three basic groups of common-cause failures, as discussed in the following paragraphs.

1. Design/Manufacturing/Construction/Installation Inadequacy, or Internal Causes

This root-cause event generally affects similar components. It encompasses actions and decisions made during design, manufacturing, or installation of components - both before and after the plant is operational. Also included in this category is the malfunctioning of something internal to the component as a result of normal wear out or other intrinsic failure, and the influence of the normal ambient environment of the component. However, diversification in design, quality assurance during the manufacturing process, and good plant management practices can provide significant defense against these potential common-cause failures.

2. Abnormal Environmental Stress

Abnormal environmental stress includes causes related to a harsh environment that is not within component specific design criteria. These root-cause events affect equipment in the same location that is also sensitive to the same harsh environment.

This potential is significantly reduced if there are defenses in place to reduce the susceptibility of the redundant components to the effect of the trigger event. For example, locating the components of redundant trains of a safety system in different rooms reduces their susceptibility to failure from factors in the internal environment.

For components located in a harsh environment, such as inside primary containment, a specific qualification program can adequately reduce the susceptibility to this type of common-cause failure.

Common-cause failures due to harsh environmental conditions are recognized to be negligible in the AP1000 design. In fact, safety components located outside the containment, such as the automatic logic and the dc electrical power, are located in divisional areas. Environmental conditions more severe than those predicted by the designers for equipment qualification, occurring simultaneously in more than one divisional area, are unlikely. Potential for common-cause failure is to be identified only for components located inside the primary containment. However, the expected frequency of encountering a severe harsh environment is small because of the requirement to consider the severe accident conditions. The design and operational defenses lead to screening out the occurrence of these events.

3. Maintenance or Operation Errors

Maintenance or operation errors affect equipment operated according to the same procedures. However, good management practices and well-conducted testing and maintenance programs provide significant defense against these potential common-cause failures.


29.3 Common-Cause Analysis

The methodology described in Attachment 29A is used for common-cause failure analysis. The following steps are performed:

1. Identification of the common-cause component groups. These are a group of similar components that are considered to have a high potential for failure due to the same cause. The identification is based on a qualitative screening analysis within each system and among different redundant systems performing the same function.

2. Identification of design or operational defenses to reduce the susceptibility to root-cause and to coupling mechanisms that provide the bases to screen out a component from the common-cause component group or to provide the bases for a quantitative evaluation. Quantification of the common-cause component groups not screened out is performed by using data derived from the Electric Power Research Institute (EPRI) Requirements Document (Reference 29-1).

3. Identify inter-component dependencies, also called common-cause failures, due to shared root cause of failures. These dependencies are modeled and quantified in Table 29-2.

The analysis is performed looking for potential common-cause failures within each system and, later, when the event tree sequences are identified, for the potential common-cause failures among the several systems called upon during each event tree sequence.

29.3.1 Assumptions

Basic assumptions used to perform the present, common-cause failure analysis are the following:

1. Common-cause failures of heat exchangers (HXs) belonging to different systems to plug or leak are not considered because the water characteristics and system operation conditions (pressure, temperature, and flow) are different for heat exchangers used in different systems. Furthermore, within the same system, one heat exchanger is in operation and the other is in standby. Therefore, it is unlikely to have more than one heat exchanger fail at the same time.

2. Common-cause failures for plugging of orifices or strainers belonging to different systems or to different loops of the same system (with one normally operating and the other in standby) are evaluated and are not included for the same reasons as described previously for heat exchangers. The only exception is for strainers, which treat water in different conditions during an accident (such as sump strainers). In this particular case, an analysis is performed as needed.

3. Several common-cause failures affecting only electrical components are disregarded due to their negligible failure probability (1E-5/d and less) and because they are always connected through an "AND" gate (in the fault tree) with random failures or other common-cause failures. A typical example is circuit breakers spuriously opening for


which the common-cause failure (from Table 29-1), evaluated as 0.05 x 6E-7/hr x 24 hr = 7.2E-07 per demand, is always connected through an "AND" gate with other random or common-cause failures. Therefore the failure probability is negligible. The evaluation of components that were disregarded is included in Table 29-1.

4. Common-cause failures of electrical busses are also disregarded because different types of busses are used according to the different voltages. Furthermore, the common-cause failure unavailability (from Table 29-1), evaluated as 0.05 x 2E-7/hr x 24 hr = 2.4E-07 per demand, is negligible with respect to other failures. In addition, the performance and environmental conditions during an accident should be similar to those during normal operation. Therefore, it is unlikely that failures such as spurious openings or bus malfunctions not detected during one or two years would occur during the accident. The evaluation of components that were disregarded is included in Table 29-1.

5. No catastrophic tank common-cause failure among systems is assumed credible because of the differences in operating fluid pressure, tank size, and volume. Only common-cause failures within the same systems are considered credible, such as within the core makeup tank (CMT).

6. Common-cause failures of standby components (such as pumps and check valves) that operate when a normally operating component fails are not taken into account as potential common-cause failures within the system. They are always combined with random or common-cause failures of normally running equipment. Therefore, the total failure has a negligible probability to occur. In addition, these common-cause failures are not considered among different systems because:

- The standby component is called at different times and probably at different plant conditions during the progress of the accident.

- Generally, there are some differences among the components.

Therefore, the failure to start standby pumps and the failure to open check valves on standby loops are not considered as potential common-cause failures within and among systems.

7. Plugging due to loose parts on accumulators, core makeup tanks, or the passive residual heat removal (PRHR) system is not considered susceptible to common-cause failure. The plugging mechanism is related to the maintenance procedures. Different maintenance crews and different access times for system maintenance allow this common-mode failure event to be disregarded, because it is negligible even within the same system.

8. Plugging is assumed credible only within the in-containment refueling water storage tank (IRWST) during the gravity injection phase, where the two injection lines take water from the same pool. There is a probability of the plugging of both protective suction screens in a short time.


9. The IRWST injection system consists of four high-pressure (HP) explosive valves (EV). The IRWST recirculation system consists of two HP EVs and two low-pressure (LP) EVs. For this analysis, these valves are grouped into one common-cause failure group of six HP EVs and one common-cause failure group of 2 LP EVs.

In order to fail both injection lines, all EVs on the injection lines must fail. But, when four of the HP EVs fail due to common cause, it is assumed that all of the HP EVs will fail due to common cause. Therefore, when analyzing the failure of two IRWST injection lines, common-cause failure of 6 out of 6 HP EVs is used.

10. When calculating independent failure probabilities, it is assumed that the component will fail at the midpoint of the testing frequency. Therefore, when converting an hourly failure probability to a per demand failure probability, a time interval of "testing frequency"/2 shall be used.

29.3.2 Analysis of Potential Common-Cause Failures within the Systems

Each system analysis section contains a summary table for common-cause failure basic events modeled in that section. The probabilities of these basic events are calculated and/or summarized in Table 29-2. The equations used to determine the QK/QT values are shown in Table 29-3.

29.3.3 Analysis of Potential Common-Cause Failures among Several Systems

An evaluation of potential intersystem common-cause failures determined that one such failure does exist. The intersystem common-cause failure is failure of the operating train's motor-driven pump to continue to run for the component cooling water, chilled water, and turbine building closed cooling water systems. The probability of this event (CCX-PM-ER) is summarized in Table 29-2.

29.4 Calculations For Component Groups

For some components identified by the common-cause analyst as having potential importance to the total risk, a detailed analysis is performed and reported in the following subsections. In addition, the Multiple-Greek Letter method is applied to those components.

The susceptible components that have a detailed analysis are:

A. DC batteries

B. Reactor trip breakers

C. Explosive valves on the Automatic Depressurization System

D. Air-operated valves (AOVs) on the core makeup tanks (CMTs)

E. Motor-operated valves on the Automatic Depressurization System

Common-cause failures of IRWST valves are calculated in Section 29.5.


29.4.1 DC Batteries

A description of the onsite dc power system is provided in Chapters 22 and 23.

Eight batteries are used to supply the four Class 1E electrical divisions. Four batteries are used to supply the non-Class 1E switchboards.

Each of the Class 1E electrical divisions B and C is supplied by one battery for 24 hours of operation and another one for 72 hours of operation. This results in a total of 4 batteries.

Class 1E electrical divisions, A and D, are supplied by one battery each. Both batteries are sized to operate for 24 hours.

Each of the four non-Class 1E switchgear buses is powered by its own battery. Each battery is sized to operate for 2 hours.

Two different analyses have been performed:

A1 - Common-cause failure of batteries on Class 1E, and

A2 - Common-cause failure of batteries on non-Class 1E.

A1 - Common-cause failure of batteries on Class 1E

This calculation is made for a single train of two batteries in parallel, where the failure is defined as both batteries in the train fail.

From Reference 29-1, the common-cause parameters for a three-battery system are:

β = 4.2E-2, γ = 4.3E-1.

It is assumed that the same parameters are applicable for a group of eight batteries.

The common-cause multipliers obtained, using equations from Table 29-3, are:

Q2/QT = 3.4E-3, Q3/QT = ... = Q7/QT = 0, Q8/QT = 1.8E-2.

The independent failure is:

QT = 2E-6/hr x 2190 hr/2 = 2.2E-3/d.

Only the global common-cause failure affecting all the batteries, and one combination with common-cause failure of two batteries, have a numerical contribution with respect to the others.


Therefore, the common-cause failure of batteries that provide output on demand, named CCX-BY-PN, is evaluated as:

CCX-BY-PN = Q2/QT x QT + Q8/QT x QT.

The value is:

CCX-BY-PN = 4.7E-5/d.

A2 - Common-cause failure of batteries on non-Class 1E

This system has only four batteries; one in each train. However, two of them may be connected in some cases. For this reason the common-cause failure is calculated to include a two-out-of-two common-cause failure also.

From Reference 29-1, the common-cause parameters for a three-battery system are:

β = 4.2E-2, and γ = 4.3E-1.

It is assumed that the same parameters are applicable for a group of four batteries.

The common-cause multipliers obtained, using equations from Table 29-3, are:

Q2/QT = 7.980E-3, Q3/QT = 0, Qn/QT = 1.806E-2.

The independent failure is:

QT = 2E-6/hr x 2190 hr/2 = 2.20E-3/d.

Only the global common-cause failure affecting all four batteries, and one combination with common-cause failure of two batteries, have a numerical contribution with respect to the others.

Therefore, the common-cause failure of batteries that provide output on demand, named CCX-BY-PN1, is evaluated as:

CCX-BY-PN1 = Q2/QT x QT + Q4/QT x QT.

The value is:

CCX-BY-PN1 = 5.703E-5/d ≈ 5.7E-5/d.

29.4.2 Reactor Trip Breakers

There are four redundant protection sets with each protection set controlling the tripping of two circuit breakers in the reactor trip switchgear (eight breakers total). The reactor trip is obtained when two-out-of-four protection sets deliver a trip signal to the breakers.


From Reference 29-1, the common-cause parameters for a four reactor trip breaker system are:

β = 0.2, γ = 0.3, δ = 1.0.

It is assumed that the same parameters are applicable for a group of eight breakers.

The common-cause multipliers obtained, using equations from Table 29-3, are:

Q2/QT = 2E-2, Q3/QT = ... = Q7/QT = 0, Q8/QT = 6E-2.

The independent failure is:

QT = 3E-3/d.

The contributions to the common-cause failure from combinations of two and four breakers are negligible with respect to the global common-cause failure of all breakers. Therefore, the common-cause failure of reactor trip breakers to remain closed, named RCX-RB-FA, is evaluated as:

RCX-RB-FA = Q8/QT x QT

The value is:

RCX-RB-FA = 1.8E-4/d.

29.4.3 Automatic Depressurization System Explosive Valves

There are four explosive valves (EVs) on the fourth stage of the Automatic Depressurization System. The evaluated success criterion is that at least two-out-of-four explosive valves open.

From Reference 29-1, the common-cause failure parameters for a group of four components are:

β = 1E-1, γ = 5E-1, δ = 9E-1.

The common-cause multipliers obtained, using equations from Table 29-3, are:

Q2/QT = 1.7E-2, Q3/QT = 1.7E-3, Q4/QT = 4.5E-2.


The independent failure is:

QT = 5.8E-4/d.

The four combinations of three-out-of-four valves and the global failure of all four valves are assessed to contribute numerically with respect to the others. The corresponding basic event, ADX-EV-SA, is evaluated as:

ADX-EV-SA = 4 x Q3/QT x QT + Q4/QT x QT.

The value is:

ADX-EV-SA = 3.0 E-05 /d.

The common-cause failure of six combinations of two-out-of-four valves is assessed.

ADX-EV-SA2 = 6 x Q2/QT x QT.

The value is:

ADX-EV-SA2 = 5.90 E-05 /d.

29.4.4 Air-Operated Valves in Core Makeup Tanks

Two different analyses have been performed:

D1 - Failure to open air-operated valves in both core makeup tanks, and

D2 - Failure to open air-operated valves in one core makeup tank (the other line is broken).

D1 - AOVs in Both CMTs

The failure of both the core makeup tanks occurs when all of the four air-operated valves fail to open. From Reference 29-1, the common-cause failure parameters for a group of four air-operated valves are:

β = 7.8E-2, γ = 0.93, δ = 0.77.

The common-cause multipliers obtained, using equations from Table 29-3, are:

Q2/QT = 1.8E-3, Q3/QT = 5.6E-3, Q4/QT = 5.6E-2.

The independent failure is:

QT = 1E-6/hr x 2190 hr/2 = 1.1E-3/d.


The combinations of two-out-of-four and three-out-of-four valves are assessed to have a negligible contribution with respect to the global common-cause failure. Therefore, the common-cause failure of the valves to open, leading to the failure of both core makeup tanks, named CCX-AV-LA, is evaluated as:

CCX-AV-LA = Q4/QT x QT.

Its value is:

CCX-AV-LA = 6.2E-5/d.

D2 - Air-Operated Valve in One Core Makeup Tank

In the event of a break in one core makeup tank line, only one core makeup tank is available, and no passive residual heat removal is requested. Therefore, conservatively, a group of only two air-operated valves is considered. The common-cause failure parameter for a group of two valves is:

β = 8.8E-2.

The common-cause multiplier obtained, using equations from Table 29-3, is:

Q2/QT = 8.8E-2.

The independent failure is:

QT = 1E-6/hr x 2190 hr/2 = 1.09E-3/d.

Therefore, the common-cause failure of the air-operated valves on one line of core makeup tank to open, named CMX-AV-LA, is evaluated as:

CMX-AV-LA = Q2/QT x QT.

The value is:

CMX-AV-LA = 9.6E-5/d.

29.4.5 Automatic Depressurization System Motor-Operated Valves

Different failure criteria for spurious opening of Automatic Depressurization System motor-operated valves are considered in this analysis, according to whether the consequences contribute to the large or to the medium LOCA initiating event. Criteria for failure of the valves to open are also considered in this analysis.

E1 - Medium LOCA: Either line of the 1st stage, both lines of the 1st stage, or any line of the 2nd or 3rd stage,


E2 - Large LOCA: Any lines of the 4th stage or any two lines of the 1st, 2nd, and 3rd stage that have a combined diameter greater than 9 inches.

E3 - Fail to open: ADS motor-operated valves fail to open.

From Reference 29-1, the common-cause failure parameters for a group of four motor-operated valves are:

β = 1.7E-2, γ = 4.4E-1, δ = 2.6E-1.

It is assumed that the same parameters are applicable for a group of twelve motor-operated valves.

The common-cause multipliers obtained, using equations from Table 29-3, are:

Q2/QT = 8.655E-4, Q3/QT = 1.006E-4, Q4/QT = ... = Q11/QT = 0, Q12/QT = 1.945E-3.

The independent failure is:

QT = 5E-9/hr x 8760 hr/2 = 2.19E-5/d.

Independent failures generally include failures such as hardware failure, signal failure, etc. The independent failure rate from Reference 29-1 is 1.4E-07/hr. This value was deemed unnecessarily conservative. Thus, the value of 5.0E-09/hr was chosen to represent independent hardware failure. The fault trees using this failure rate also include a separate basic event for signal failure, etc.

El - Contribution to Medium LOCA

The number of combinations with common-cause failure of two motor-operated valves that lead to the failure of 1 out of 2 lines of the 1st stage is 2. The number of combinations with common-cause failure of three motor-operated valves that lead to the failure of 1 out of 2 lines of the 1st stage is 20. The other combinations of two and three valves are assessed to have a negligible contribution.

Therefore, the common-cause failure of Automatic Depressurization System motor-operated valves to remain closed with consequences contributing to the medium LOCA event, named ADX-MV1-EB, is evaluated as:

ADX-MV1-EB = 2 x Q2/QT x QT + 20 x Q3/QT x QT.

The value is:

ADX-MV1-EB = 8.20E-8/d.


The number of combinations with common-cause failure of two motor-operated valves that lead to the failure of 1 out of 4 lines of the 2nd and 3rd stage is 4. The number of combinations with common-cause failure of three motor-operated valves that lead to the failure of 1 out of 4 lines of the 2nd and 3rd stage is 40. The other combinations of two and three valves are assessed to have a negligible contribution.

Therefore, the common-cause failure of Automatic Depressurization System motor-operated valves to remain closed with consequences contributing to the medium LOCA event, named ADX-MV2-EB, is evaluated as:

ADX-MV2-EB = 4 x Q2/QT x QT + 40 x Q3/QT x QT.

The value is:

ADX-MV2-EB = 1.64E-7/d.

E2 - Contribution to Large LOCA

The combinations with common-cause failure of two and three motor-operated valves are assessed to have a negligible contribution with respect to the global common-cause failure. Therefore, the common-cause failure of Automatic Depressurization System motor-operated valves to remain closed with consequences contributing to the large LOCA event, named ADX-MV3-EB, is evaluated as:

ADX-MV3-EB = Q12/QT x QT.

The value is:

ADX-MV3-EB = 4.26E-8 /d.

E3 - Motor-operated Valves Failure to Open

From Reference 29-1, the common-cause failure parameters for a group of four motor-operated valves to fail to operate are:

β = 4.9E-2, γ = 9.0E-1, δ = 7.8E-1.

It is assumed that the same parameters are applicable for a group of eight motor-operated valves. The common-cause multipliers obtained, using equations from Table 29-3, are:

Q2/QT = 7.00E-4, Q3/QT = 4.62E-4, Q4/QT = ... = Q7/QT = 0, Q8/QT = 3.44E-2.


The independent failure is:

QT = 1.0E-05/hr x 4380 hr/2 = 2.19E-02/d.

The common-cause failure of the motor-operated valves of the Automatic Depressurization System first, second, and third stages to operate is evaluated as:

ADX-MV-GO = Q8/QT x QT.

The value is:

ADX-MV-GO = 7.48E-04/d.

It is required that at least two lines of the Automatic Depressurization System stages 2 and 3 open in order to have success. There are 32 combinations of motor-operated valve failure that will cause Automatic Depressurization System stages 2 and 3 to fail. The common-cause failure of these 32 combinations of three stage 2 and stage 3 motor-operated valves to operate is evaluated as:

ADX-MV3-GO = 32 x Q3/QT x QT.

The value is:

ADX-MV3-GO = 3.24E-04/d.
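The calculations in Sections 29.4.1 through 29.4.5 all apply the same Multiple Greek Letter expressions, but Table 29-3 itself is not reproduced in this chapter. The following Python script is an added worked example, not part of the AP1000 PRA or of Reference 29-1. It assumes the standard MGL relation Qk/QT = (1/C(m-1, k-1)) x ρ1 x ... x ρk x (1 - ρk+1), with ρ1 = 1, ρ2 = β, ρ3 = γ, ρ4 = δ and ρm+1 = 0, and it further assumes (consistent with the zero intermediate multipliers quoted above) that any higher-order parameter not listed for a group equals 1.0. Per-demand conversion follows Assumption 10 (rate x test interval/2). The basic event names are those of the text; the function names and the tolerance checks are the example's own.

```python
from math import comb, prod


def mgl_multipliers(m, params):
    """Return {k: Qk/QT} for k = 1..m under the Multiple Greek Letter method.

    m      -- size of the common-cause component group
    params -- (beta, gamma, delta, ...) as given for the group

    Assumption: parameters beyond those supplied are taken as 1.0, which
    reproduces the zero intermediate multipliers quoted in the text;
    rho_{m+1} is 0 by definition of the method.
    """
    rho = [None, 1.0] + list(params)        # rho[1] = 1, rho[2] = beta, ...
    rho += [1.0] * (m + 1 - len(rho))       # pad up to rho[m]
    rho = rho[: m + 1] + [0.0]              # rho[m+1] = 0
    return {
        k: prod(rho[1 : k + 1]) * (1.0 - rho[k + 1]) / comb(m - 1, k - 1)
        for k in range(1, m + 1)
    }


def per_demand(rate_per_hr, test_interval_hr):
    """Assumption 10: the component fails at the midpoint of its test interval."""
    return rate_per_hr * test_interval_hr / 2.0


def ccf_event(qt, mult, terms):
    """Sum n x Qk/QT x QT over the (n combinations, k-of-m) terms credited."""
    return sum(n * mult[k] * qt for n, k in terms)


def ap1000_ccf_events():
    """Re-derive the basic-event values quoted in Sections 29.4.1 to 29.4.5."""
    ev = {}
    # 29.4.1 A1: Class 1E batteries, group of 8, beta = 4.2E-2, gamma = 4.3E-1
    qt = per_demand(2e-6, 2190)
    m8 = mgl_multipliers(8, (4.2e-2, 4.3e-1))
    ev["CCX-BY-PN"] = ccf_event(qt, m8, [(1, 2), (1, 8)])
    # 29.4.1 A2: non-Class 1E batteries, group of 4, same parameters
    m4 = mgl_multipliers(4, (4.2e-2, 4.3e-1))
    ev["CCX-BY-PN1"] = ccf_event(qt, m4, [(1, 2), (1, 4)])
    # 29.4.2: reactor trip breakers, group of 8, QT given directly per demand
    mb = mgl_multipliers(8, (0.2, 0.3, 1.0))
    ev["RCX-RB-FA"] = ccf_event(3e-3, mb, [(1, 8)])
    # 29.4.3: ADS stage 4 explosive valves, group of 4
    me = mgl_multipliers(4, (1e-1, 5e-1, 9e-1))
    ev["ADX-EV-SA"] = ccf_event(5.8e-4, me, [(4, 3), (1, 4)])
    ev["ADX-EV-SA2"] = ccf_event(5.8e-4, me, [(6, 2)])
    # 29.4.4 D1/D2: CMT air-operated valves, group of 4 and group of 2
    qt = per_demand(1e-6, 2190)
    ev["CCX-AV-LA"] = ccf_event(qt, mgl_multipliers(4, (7.8e-2, 0.93, 0.77)), [(1, 4)])
    ev["CMX-AV-LA"] = ccf_event(qt, mgl_multipliers(2, (8.8e-2,)), [(1, 2)])
    # 29.4.5 E1/E2: ADS motor-operated valves, spurious opening, group of 12
    qt = per_demand(5e-9, 8760)
    mm = mgl_multipliers(12, (1.7e-2, 4.4e-1, 2.6e-1))
    ev["ADX-MV1-EB"] = ccf_event(qt, mm, [(2, 2), (20, 3)])
    ev["ADX-MV2-EB"] = ccf_event(qt, mm, [(4, 2), (40, 3)])
    ev["ADX-MV3-EB"] = ccf_event(qt, mm, [(1, 12)])
    # 29.4.5 E3: ADS motor-operated valves, failure to open, group of 8
    qt = per_demand(1e-5, 4380)
    mo = mgl_multipliers(8, (4.9e-2, 9.0e-1, 7.8e-1))
    ev["ADX-MV-GO"] = ccf_event(qt, mo, [(1, 8)])
    ev["ADX-MV3-GO"] = ccf_event(qt, mo, [(32, 3)])
    return ev


if __name__ == "__main__":
    for name, value in ap1000_ccf_events().items():
        print(f"{name:12s} {value:.2E}/d")
```

Running the script reproduces every value quoted in the text to within about 1.5 percent; the residual differences come from the text rounding the multipliers (for instance Q2/QT = 1.7E-2 rather than 1.667E-2) before multiplying by QT.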

29.4.6 Common-Cause Failure for IRWST Valves

29.4.6.1 Definitions

In this section, the common-cause failure probabilities for various missions of the IRWST injection, recirculation, and sump flooding are calculated. The common-cause failures are associated with the 16 valves shown in Figure 29-1. These valves are classified for common-cause failure modeling as follows:

4 High pressure explosive valves for injection (EV)

4 Injection check valves (CV)

2 Recirculation check valves (CV) (different from injection CVs)

2 Recirculation/sump flooding motor operated valves (MOV)

2 High pressure explosive valves for recirculation/sump flooding (EV)

2 Low pressure explosive valves for recirculation/sump flooding (EV)

16 Valves


There are five distinct missions of the IRWST injection, recirculation, and sump flooding, as represented by the following five fault trees:

1. IW2AB - IRWST injection into the reactor coolant system through 1 out of 2 check valve/squib valve paths (with 1 check valve and 1 squib valve per path) in 1 out of 2 gravity injection lines.

2. IW1A - IRWST injection into the reactor coolant system through 1 out of 2 check valve/squib valve paths (with 1 check valve and 1 squib valve per path) in 1 out of 1 gravity injection lines.

3. RECIRC - Flow from containment sump (via opening of either the squib valve flow path or the check valve/squib valve flow path) to the RCS (via the opening of either check valve/squib valve flow path) through 1 out of 4 gravity-injection/recirculation lines.

4. IWF - Sump flooding through 1 of 2 lines of the two recirculation trains with 1 MOV and 1 EV per path following core damage.

5. RECIRCI - Flow from containment sump (via opening of either the squib valve flow path or the check valve/squib valve flow path) to the RCS (via the opening of either check 4 gravity injection lines, given the success of IRWST/gravity and failure of containment isolation.

In the next sections, common-cause failure basic events associated with the above missions are defined, and their failure probabilities are calculated.

29.4.6.2 Common-Cause Failure Models

In this section, the common-cause failure (CCF) models for the different missions defined in the previous section are presented. The common-cause failure basic events are also defined. The probabilities of these basic events are calculated in the next section.

IW2AB

CCF of 6 HP injection EVs = 6 of 6 EVs* = IWX-EV-SA (1)

CCF of 4 injection CVs = 4 of 4 CVs = IWX-CV-AO (2)

Other common-cause failure combinations are of much lower probability, since they contain products of failures; thus they are not modeled.

*See Assumption 9 in Section 29.3.1.


IW1A

The common-cause failures defined for IW2AB will fail this mission. Moreover, two other common-cause failures will also fail this mission. These are given below.

CCF of 6 HP EVs = 6 of 6 EVs* = IWX-EV-SA (1)

CCF of 4 injection CVs = 4 of 4 CVs = IWX-CV-AO (2)

CCF of 2 injection CVs = 2 of 4 CVs (V122A, 124A) = IWX-CV1-AO (3)

CCF of 2 injection EVs = 2 of 6 EVs (V123A, V125A) = IWX-EV1-SA (4)

*See Assumption 9 in Section 29.3.1

RECIRC

Failure of 2 of 2 low pressure EVs with failure of 2 of 6 high pressure EVs (V120A/B) will fail the whole system. Combinations of CV/EV/MOV common-cause failures that have a lower probability are not modeled.

CCF of 2 HP EVs = CCF of 6/6 HP EVs = IWX-EV-SA (1)

CCF of 2 HP EVs = CCF of 2/6 HP EVs (V120A/B) = IWX-EV2-SA (6)

CCF of 2 HP EVs = CCF of 3/6 HP EVs = IWX-EV3-SA (7)

CCF of 2 LP EVs = 2/2 LP EVs (118A, 118B) = IWX-EV4-SA (8)

IWF

Failure of two recirculation lines will fail the system. This includes common-cause failure of 2 LP recirculation EVs and common-cause failure of 2 recirculation motor-operated valves (MOVs).

CCF of 2 MOVs = 2/2 MOVs (117A, 117B) = IWX-MV-GO (5)

CCF of 2 LP EVs = 2/2 LP EVs (118A, 118B) = IWX-EV4-SA (8)

RECIRCI

Failure of 2 of 2 low pressure EVs, with failure of 2 HP EVs (V120 A/B) will fail the whole system. If containment isolation fails, failure of 3 of 4 recirculation EVs will fail the system. Combinations of CV/EV/MOV common-cause failures have a lower probability, and are not modeled.

CCF of 2 HP EVs = CCF of 6/6 HP EVs = IWX-EV-SA (1)

CCF of 2 HP EVs = CCF of 2/6 HP EVs (V120A/B) = IWX-EV2-SA (6)

CCF of 2 HP EVs = CCF of 3/6 HP EVs = IWX-EV3-SA (7)

CCF of 2 LP EVs = 2/2 LP EVs (118A, 118B) = IWX-EV4-SA (8)


29.4.6.3 Common-Cause Failure Calculations

In Section 29.4.6.2, eight common-cause failure basic events are defined. In this section, their common-cause failure probabilities are calculated. These basic events are:

IWX-EV-SA    CCF of 6/6 IRWST (HP) EVs.

IWX-CV-AO    CCF of 4/4 IRWST injection CVs.

IWX-CV1-AO   CCF of 2/4 (V122A, 124A) IRWST injection CVs.

IWX-EV1-SA   CCF of 2/6 IRWST injection (HP) EVs (V123A, V125A).

IWX-MV-GO    CCF of 2/2 sump recirculation MOVs.

IWX-EV2-SA   CCF of 2/6 (HP) sump recirculation EVs (V120A/B).

IWX-EV3-SA   CCF of 4 combinations of 3/6 IRWST (HP) EVs.

IWX-EV4-SA   CCF of 2/2 sump recirculation (LP) EVs.

The random failure probabilities and common-cause failure data for the three types of valves are as follows:

Basic Event | Random Failure Probability (/hr) | Random Failure Probability (/d) | CCF Combinations | Grouping of Failures | Common-Cause Multiplier | CCF Probability | Master Data Bank Location
IWX-CV-AO | 2.00E-07 | 1.75E-03 | 1 | 4/4 | 1.70E-02 | 3.00E-05 /d | 051
IWX-CV1-AO | 2.00E-07 | 1.75E-03 | 1 | 2/4 | 3.47E-04 | 6.07E-07 /d | 105
IWX-EV-SA | N/A | 5.80E-04 | 1 | 6/6 | 0.045 | 2.60E-05 /d | 860
IWX-EV3-SA | N/A | 5.80E-04 | 4 | 3/6 | 0.0005 | 1.16E-06 /d | 062
IWX-EV1-SA | N/A | 5.80E-04 | 1 | 2/6 | 0.01 | 5.80E-06 /d | 862
IWX-EV2-SA | N/A | 5.80E-04 | 1 | 2/6 | 0.01 | 5.80E-06 /d | 862
IWX-EV4-SA | N/A | 5.80E-04 | 1 | 2/2 | 0.1 | 5.80E-05 /d | 861
IWX-MV-GO | 1.00E-05 | 8.76E-02 | 1 | 2/2 | 0.05 | 4.40E-03 /d | 061

29.5 Results

In each system analysis, the common-cause basic events needed are defined and are reported in a table. These basic events are analyzed and their probabilities of failure are calculated and reported in this section.

The common-cause failure probabilities are given in Table 29-2. These probabilities are either calculated in the table, or are reported and referenced in the table.

29.6 References

29-1 "Advanced Light Water Reactor Requirements Document," Vol. III, Appendix A to Chapter 1, "PRA Key Assumptions and Ground Rules," EPRI Rev. 5&6, 12/93.


Table 29-1

ELECTRICAL COMPONENTS WITH LOW CCF RATE

Component | Failure Mode | Mean (1) (d = demand, hr = hour) | Error Factor | I.D. Code | Simon File Line # | Mission Time (hr) | CCF p (2) | CCF Rate
Circuit Breaker (>4 kV) | Spurious open | 6.0E-7/hr | 3 | --CB---RQ | 515 | 24 | 0.05 | 7.2E-7/d
Circuit Breaker (<600 V) | Spurious open | 5.0E-7/hr | 3 | --CR---RQ | 495 | 24 | 0.05 | 6.0E-6/d
Relay (electromechanical) | Contacts fail to operate (open or close) | 1.0E-4/d | 10 | ---RE---CA | 561 | -- | 0.05 | 5.0E-6/d
Relay (electromechanical) | Operate spuriously to de-energize state | 1.0E-6/hr | 10 | ---RE---DQ | 563 | 24 | 0.05 | 1.2E-6/d
Electrical Buswork | Failure during operation | 2.0E-7/hr | 5 | ---BS---LF | 531 | 24 | 0.05 | 2.4E-7/d
Transformer | High voltage: failure to continue operating | 1.2E-6/hr | 3 | ---TR---HF | 541 | 24 | 0.05 | 1.4E-6/d
Fuse | Spurious opening | 5.0E-7/hr | 10 | ---FU---RQ | 521 | 24 | 0.05 | 6.0E-7/d
Relay | Spurious operation | 2.0E-7/hr | 10 | ---RS--AA | 986 | 24 | 0.05 | 2.4E-7/d

Notes:
1. Value from AP600 PRA.
2. Beta factor from Reference 29-1.


Table 29-2 (Sheet 1 of 5)

COMMON-CAUSE FAILURE CALCULATIONS

Basic Event Identifier | Description | Failure Probability | MDB | Comments
ACX-CV-GO | Accumulator check valves V028A/B or V029A/B fail to open | 2E-7/hr x (17520/2) x 2.9E-2 = 5.1E-5/d | 49 |
ACX-TK-AF | Both accumulator tanks fail | 1E-7/hr x 24 x 5E-2 = 1.2E-7/d | 50 |
ADX-EV-SA | ADS EVs of fourth stage fail to open | 3.0E-5/d | 46 | 29.4.3
ADX-EV-SA2 | 6 combinations of 2/4 ADS EVs fail to open | 5.9E-05/d | 40 | 29.4.3
ADX-MV-GO | ADS MOVs of first, second, third stages fail to open | 7.48E-4/d | 45 | 29.4.5/1E3
ADX-MV3-GO | 32 combinations of 3 stage 2 & 3 MOVs failure to open | 3.24E-4/d | 35 | 29.4.5/1E3
ADX-MV1-EB | ADS MOVs fail remain closed - medium LOCA | 8.2E-8/d | 435 | 29.4.5/E1
ADX-MV2-EB | ADS MOVs fail remain closed - medium LOCA | 1.64E-7/d | 436 | 29.4.5/E1
ADX-MV3-EB | ADS MOVs fail remain closed - large LOCA | 4.26E-8/d | 437 | 29.4.5/E2
CAX-CM-ER | CAS air compressors fail to run | 1E-4/hr x 24 x 5E-2 = 1.2E-4/d | 80 |
CCX-AV-LA | CMT AOVs fail to operate to de-energized position | 6.2E-5/d | 41 | 29.4.4/D1
CCX-BC-SA | Battery chargers on IDS fail to continue operating | 7E-6/hr x 24 x 5E-2 = 8.4E-6/d | 848 | IDS
CCX-BC-SA1 | Battery chargers on EDS fail to continue operating | 7E-6/hr x 24 x 5E-2 = 8.4E-6/d | 848 | EDS
CCX-BL-ER | Tower blower fans fail to continue operating | 1E-5/hr x 24 x 5E-2 = 1.2E-5/d | 44 | VWS
CCX-BY-PN | Battery on IDS fail to operate | 4.7E-5/d | 849 | 29.4.1/A1
CCX-BY-PN1 | Battery on EDS fail to operate | 5.7E-5/d | 850 | 29.4.1/A2
CCX-HE-AF | CCS HXs leak or plug | 1E-6/hr x 24 x 5E-2 = 1.2E-6/d | 434 |
CCX-IV-XR | Inverters 125 vdc/120 vac on IDS fail to continue operating | 2E-5/hr x 24 x 5E-2 = 2.4E-5/d | 846 | IDS


Table 29-2 (Sheet 2 of 5)

COMMON-CAUSE FAILURE CALCULATIONS

Basic Event Identifier | Description | Failure Probability | MDB | Comments
CCX-IV-XR1 | Inverters 125 vdc/120 vac on EDS fail to continue operating | 2E-5/hr x 24 x 5E-2 = 2.4E-5/d | 846 | EDS
CCX-PM-ER | Motor-driven pumps fail to run | 2.5E-5/hr x 24 x 2.3E-2 = 1.4E-5/d | 42 | Intersys CCS, TCS, VWS
CCX-RE-TA | Static transfer switches on 120 vac IDS fail to transfer | 2.5E-6/hr x 24 x 5E-2 = 3E-6/d | 847 | IDS
CCX-RE-TA1 | Static transfer switches on 120 vac EDS fail to transfer | 2.5E-6/hr x 24 x 5E-2 = 3E-6/d | 847 | EDS
CDX-AV-AA | CCF Condensate System AOVs V022 & V025 - spurious closure | 1E-6/hr x 24 x 8.8E-2 = 2.1E-6/d | 74 |
CDX-PM-ER | Condensate pumps P01A/B fail to run | 2.5E-5/hr x 24 x 9.9E-3 = 5.9E-6/d | 73 |
CIX-AV-LA | Containment isolation AOVs fail to operate to de-energized position | 1E-6/hr x (17520/2) x 8.8E-2 = 7.7E-4/d | 95 |
CMX-AV-LA | AOVs in one CMT line fail to open | 9.6E-5/d | 103 | 29.4.4/D2
CMX-CV-GO | CMT check valves V016A/B and V017A/B fail to open | 2E-7/hr x (17520/2) x 2.9E-2 = 5.1E-5/d | 47 |
CMX-TK-AF | CMT tanks 002 A/B failure | 1E-7/hr x 24 x 5E-2 = 1.2E-7/d | 48 |
CVX-MV-GC2 | CVS MOVs (V090/091) (SGHL Fr) fail to close | 1E-5/hr x 17520/2 x 5E-2 = 4.4E-3/d | 36 |
CVX-PM-ER | CVS P01A/B fail to run | 2.5E-5/hr x 24 x 6.2E-2 = 3.7E-5/d | 53 |
CWX-PM-ER | CWS pumps fail to run | 2.5E-5/hr x 24 x 2.3E-2 = 1.4E-5/d | 78 |
ECX-CB-GC | 6.9 kV circuit breakers fail to close | 8.3E-7/hr x (17520/2) x 0.1 = 7.3E-4/d | 841 |
ECX-CB-GO | 6.9 kV circuit breakers fail to open | 4.8E-7/hr x (17520/2) x 0.1 = 4.2E-4/d | 844 |
FWX-AV-AA | MFW modulated AOV-V250A/B spurious closure | 1E-6/hr x 24 x 8.8E-2 = 2.1E-6/d | 65 |


Table 29-2 (Sheet 3 of 5)

COMMON-CAUSE FAILURE CALCULATIONS

Basic Event Identifier | Description | Failure Probability | MDB | Comments
FWX-CV2-GO | SFW check valves V012 A/B fail to open | 2E-7/hr x 2190/2 x 2.9E-2 = 6.4E-06/d | 71 |
FWX-HV-AA | CCF of MFW isolation valves V057 A/B - spurious closure | 1.0E-6/hr x 24 x 5E-2 = 1.2E-6/d | 55 |
FWX-MV2-GO | SFW MOV-013A/B fail to open | 1E-5/hr x (2190/2) x 5E-2 = 5.5E-4/d | 69 |
FWX-PM-ER | Main FW pumps or booster pumps fail to run | 2.5E-5/hr x 24 x 9.9E-3 = 5.9E-6/d | 64 |
FWX-PM2-ER | SFW pumps P03A/B fail to run | 2.5E-5/hr x 24 x 9.9E-3 = 5.9E-6/d | 68 |
FWX-PM2-FS | SFW pumps P03A/B fail to start | 5E-6/hr x (2190/2) x 9.8E-2 = 5.4E-4/d | 67 |
IWX-CV-AO | CCF of 4 of 4 check valves in IRWST injection trains | 3.0E-5/d | 51 | 29.4.6
IWX-CV1-AO | CCF of 2/4 check valves in one IRWST injection train (V122A & 124A) | 6.07E-7/d | 105 | 29.4.6
IWX-EV-SA | CCF of 6/6 IRWST HP EVs | 2.6E-05/d | 860 | 29.4.6
IWX-EV1-SA | CCF of 2/6 HP EVs (V123A and 125A) | 5.80E-06/d | 862 | 29.4.6
IWX-EV2-SA | CCF of 2/6 HP EVs (V120A and 120B) | 5.80E-06/d | 862 | 29.4.6
IWX-EV3-SA | CCF of 3/6 HP EVs | 1.16E-06/d | 62 | 29.4.6
IWX-EV4-SA | CCF of 2/2 LP EVs (V118A and V118B) | 5.80E-05/d | 861 | 29.4.6
IWX-FL-GP | CCF of IRWST strainers plugging during operation | 1E-5/hr x 24 x 5E-2 = 1.2E-5/d | 99 |
IWX-MV-GO | CCF of MOVs in both recirculation trains | 4.4E-3/d | 61 | 29.4.6
IWX-PLUG-OR-SP | CCF of orifices in IRWST injection lines plugging | 8.3E-8/hr x (17520/2) x 0.1 = 7.3E-5/d | 108 |


Table 29-2 (Sheet 4 of 5)

COMMON-CAUSE FAILURE CALCULATIONS

Basic Event Identifier | Description | Failure Probability | MDB | Comments
IWX-MTRLW-MV-RP | MOVs on recirculation line fail to remain open | 5E-9/hr x 24 x 7.7E-2 = 9.2E-9/d | 958 |
MSX-AV2-FA | CCF of steam dump valves (2 out of 2 fail to open) | 3E-6/hr x 17520/2 x 8.8E-2 = 2.31E-3/d | 63 |
MSX-AV4-FA | CCF of steam dump valves (2 out of 4 fail to open) | 4 x 3E-6/hr x 17520/2 x 1.90E-03 = 2.00E-4/d | 75 |
PCX-AV-LA | PCS AOV-V001 A/B fail to open | 1E-6/hr x (2190/2) x 8.8E-2 = 9.6E-5/d | 84 |
PRX-HR-ML | CCF of PRHR HXs leak | 1E-7/hr x 24 x 5E-2 = 1.2E-7/d | 52 |
PXX-AV-LA | AOVs fail to operate to de-energized position | 1E-6/d x 2190/2 x 8.8E-2 = 9.6E-5/d | 58 |
PXX-AV-LA1 | Failure of IRWST gutter AOVs to operate to de-energized position | See calculation for PXX-AV-LA | 58 |
RCX-RB-FA | Reactor trip breakers fail to open | 1.8E-4/d | N/A | 29.4.2
REX-FL-GP | CCF of IRWST recirculation sump strainers plugging during recirculation | 1E-5/hr x 24 x 5E-2 = 1.2E-5/d | 99 |
RNS-HE-CCF | CCF of 2/2 RNS heat exchangers | See TCX-HE-AF | 34 |
RNX-CV-GO | NRHR check valves V015A/V015B/V017A/V017B fail to open | 2E-7/hr x (17520/2) x 2.9E-2 = 5.1E-5/d | 59 |
RNX-KV-GO | NRHR stop check valves V007A/B fail to open | 5.6E-6/hr x 2190/2 x 0.1 = 6.1E-4/d | 60 |
RNX-KV1-GO | NRHR stop check valves V007A/B fail to open | 5.6E-6/hr x 17520/2 x 0.1 = 4.9E-03/d | 870 |
RNX-PM-ER | NRHR pumps P01A/B fail to run | 2.5E-5/hr x 24 x 2.6E-2 = 1.6E-5 | 57 |
RPX-CB-GO | 6.9 kV circuit breakers fail to open | 4.8E-07 x (17520/2) x 0.10 = 4.2E-04/d | 844 |
RNX-PM-FS | NRHR pumps P01A/B fail to start | 5E-6/hr x (2190/2) x 0.14 = 7.7E-4/d | 56 |
SGX-AV-FA | CCF of SFW AOV-255A/B on discharge lines A/B to operate properly | 3E-6/hr x 24 x 8.8E-2 = 6.3E-6/d | 70 |


Table 29-2 (Sheet 5 of 5)

COMMON-CAUSE FAILURE CALCULATIONS

Basic Event Identifier | Description | Failure Probability | MDB | Comments
SGX-MV-RP | CCF of SFW MOVs 067A/B to remain open | 1.4E-07/hr x 2190/2 x 5E-2 = 7.67E-6/d | 72 |
SWX-PM-ER | SWS pumps fail to run | 2.51E-5/hr x 24 x 2.3E-2 = 1.4E-5/d | 76 |
TCX-HE-AF | TCS HXs leak or plug | 1E-6/hr x 24 x 5E-2 = 1.2E-6/d | 43 |
VLX-HI-SA | CCF hydrogen igniters fail to operate | 3.6E-7/hr x 17520/2 x 0.1 = 3.2E-4/d | 853 |
VWX-RF-ER | CCF to run of chillers | 1.0E-5/hr x 24 x 5E-2 = 1.2E-5/d | 116 |
VWX-TK-AF | CCF of chilled water high capacity air separator tanks MV03/5/7 (catastrophic failure) | 1E-7/hr x 24 x 5E-2 = 1.2E-7/d | 83 |
ZOX-BL-ES | CCF of fans to start (monthly tested) | 6E-4/d x 0.1 = 6E-5/d | 824 |
ZOX-BL-ER | CCF of fans to run for 2.5 hrs | 1E-5/hr x 2.5 x 5E-2 = 1.3E-6/d | 825 |
ZOX-DG-DR | CCF of DGs to run for 2.5 hours | 2.4E-3/hr x 2.5 x 7.3E-2 = 4.4E-4/d | 842 |
ZOX-DG-DS | CCF of DGs to start | 1.4E-2/d x 2E-2 = 2.8E-4/d | 843 |
ZOX-FL-GP | CCF of DG filters to plug | 1E-5/hr x 2.5 x 5E-2 = 1.3E-6/d | 832 |
ZOX-PD-ER | CCF of DG engine-driven fuel pumps to run for 2.5 hrs (four pumps per DG) | 1E-3/hr x 2.5 x 5E-2 = 1.3E-4/d | 829 |
ZOX-PD-ES | CCF of DG engine-driven fuel pumps to start (four pumps per DG) | 2E-2/d x 0.1 = 2E-3/d | 830 |
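The arithmetic behind the "rate x time x beta" entries of Table 29-2 and the multiplier column of the Section 29.4.6.3 table, as an added worked example in Python. This is not code from the AP1000 PRA: the numeric rows are copied from the page, while the function names, the interval constants and the 5 percent tolerance (the page rounds to two significant figures) are this example's own.

```python
"""Beta-factor CCF quantification as used in Section 29.4.6.3 and Table 29-2.

Added worked example; it is not code from the AP1000 PRA.  The numeric rows
are copied from the page; the function and constant names are this example's
own.  Surveillance intervals follow the page's "17520/2" and "2190/2" terms.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

TWO_YEAR_INTERVAL_HR = 17520    # 2 x 8760 hr, the "17520/2" term on the page
QUARTERLY_INTERVAL_HR = 2190    # 8760/4 hr, the "2190/2" term on the page


def standby_unavailability(rate_per_hr: float, test_interval_hr: float) -> float:
    """Average unavailability of a standby component with failure rate lambda
    and surveillance interval T: q = lambda * T / 2 (failure found at next test)."""
    return rate_per_hr * test_interval_hr / 2.0


def mission_unavailability(rate_per_hr: float, mission_time_hr: float) -> float:
    """Probability of failing during a mission of t hours: q ~= lambda * t,
    the linear approximation the page uses (valid while lambda * t << 1)."""
    return rate_per_hr * mission_time_hr


def ccf_probability(independent_q: float, beta: float, combinations: int = 1) -> float:
    """Beta-factor model: the fraction beta of the single-component unavailability
    is attributed to a shared cause.  'combinations' is the count of equivalent
    failure combinations, e.g. 4 for IWX-EV3-SA (4 combinations of 3/6 EVs)."""
    return combinations * independent_q * beta


@dataclass(frozen=True)
class CcfRow:
    identifier: str
    independent_q: float   # per demand
    beta: float
    combinations: int
    page_value: float      # CCF probability printed on the page


# Rows copied from the page: first five from the 29.4.6.3 table, the rest from Table 29-2.
ROWS: List[CcfRow] = [
    CcfRow("IWX-CV-AO",  1.75e-3, 1.70e-2, 1, 3.00e-5),
    CcfRow("IWX-CV1-AO", 1.75e-3, 3.47e-4, 1, 6.07e-7),
    CcfRow("IWX-EV-SA",  5.80e-4, 0.045,   1, 2.60e-5),
    CcfRow("IWX-EV3-SA", 5.80e-4, 0.0005,  4, 1.16e-6),
    CcfRow("IWX-MV-GO",  8.76e-2, 0.05,    1, 4.40e-3),
    CcfRow("ACX-CV-GO",  standby_unavailability(2e-7, TWO_YEAR_INTERVAL_HR), 2.9e-2, 1, 5.1e-5),
    CcfRow("FWX-MV2-GO", standby_unavailability(1e-5, QUARTERLY_INTERVAL_HR), 5e-2, 1, 5.5e-4),
    CcfRow("CCX-BC-SA",  mission_unavailability(7e-6, 24), 5e-2, 1, 8.4e-6),
    CcfRow("ZOX-DG-DR",  mission_unavailability(2.4e-3, 2.5), 7.3e-2, 1, 4.4e-4),
]


def check_rows(rows: List[CcfRow] = ROWS, rel_tol: float = 0.05) -> Dict[str, Tuple[float, bool]]:
    """Recompute every CCF probability and flag rows that disagree with the page
    by more than rel_tol (the page rounds to two significant figures)."""
    result = {}
    for r in rows:
        q = ccf_probability(r.independent_q, r.beta, r.combinations)
        result[r.identifier] = (q, abs(q - r.page_value) / r.page_value <= rel_tol)
    return result


if __name__ == "__main__":
    for ident, (q, ok) in check_rows().items():
        print(f"{ident:12s} {q:9.2e} {'matches page' if ok else 'MISMATCH'}")
```

The per-demand values in the 29.4.6.3 table come out of the same `standby_unavailability` call: 2.00E-07/hr over a 17520 hr interval gives 1.75E-03/d for the check valves, and 1.00E-05/hr gives 8.76E-02/d for the MOVs, which is then multiplied by the 0.05 beta to reach 4.40E-03/d.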


Table 29-3

SIMPLIFICATION OF QK/QT EQUATIONS

Each entry is QK/QT for a group of M components; QK for K > M is not applicable.

M = 1: Q1 = 1
M = 2: Q1 = 1-β, Q2 = β
M = 3: Q1 = 1-β, Q2 = (1/2)β(1-γ), Q3 = βγ
M = 4: Q1 = 1-β, Q2 = (1/3)β(1-γ), Q3 = (1/3)βγ(1-δ), Q4 = βγδ
M = 5: Q1 = 1-β, Q2 = (1/4)β(1-γ), Q3 = (1/6)βγ(1-δ), Q4 = 0, Q5 = βγδ
M = 6: Q1 = 1-β, Q2 = (1/5)β(1-γ), Q3 = (1/10)βγ(1-δ), Q4 = Q5 = 0, Q6 = βγδ
M = 7: Q1 = 1-β, Q2 = (1/6)β(1-γ), Q3 = (1/15)βγ(1-δ), Q4 through Q6 = 0, Q7 = βγδ
M = 8: Q1 = 1-β, Q2 = (1/7)β(1-γ), Q3 = (1/21)βγ(1-δ), Q4 through Q7 = 0, Q8 = βγδ
M = 9: Q1 = 1-β, Q2 = (1/8)β(1-γ), Q3 = (1/28)βγ(1-δ), Q4 through Q8 = 0, Q9 = βγδ
M = 10: Q1 = 1-β, Q2 = (1/9)β(1-γ), Q3 = (1/36)βγ(1-δ), Q4 through Q9 = 0, Q10 = βγδ
M = 11: Q1 = 1-β, Q2 = (1/10)β(1-γ), Q3 = (1/45)βγ(1-δ), Q4 through Q10 = 0, Q11 = βγδ
M = 12: Q1 = 1-β, Q2 = (1/11)β(1-γ), Q3 = (1/55)βγ(1-δ), Q4 through Q11 = 0, Q12 = βγδ

Notes: M represents the number of components in the analysis group. Subscript K represents the number of failed components. QT is the component independent failure.
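The QK/QT fractions of Table 29-3 computed from the general Multiple Greek Letter formula, as an added example that is not part of the PRA. The table's simplification corresponds to taking every MGL parameter beyond δ equal to 1, which is the `higher = 1.0` default below; the β, γ, δ values in the demo are constructed for illustration and are not Reference 29A-1 data.

```python
"""Multiple Greek Letter (MGL) model: the Q_K/Q_T fractions of Table 29-3.

Added worked example, not code from the AP1000 PRA.  The beta/gamma/delta
values used in the demo are constructed for illustration; they are not the
Reference 29A-1 data.
"""
from math import comb
from typing import List


def mgl_fraction(m: int, k: int, beta: float, gamma: float = 1.0,
                 delta: float = 1.0, higher: float = 1.0) -> float:
    """Return Q_K/Q_T for a group of m components, K of which fail together.

    General MGL form:
        Q_K/Q_T = (1 / C(m-1, K-1)) * rho_1 * ... * rho_K * (1 - rho_{K+1})
    with rho_1 = 1, rho_2 = beta, rho_3 = gamma, rho_4 = delta, rho_j = 'higher'
    for 4 < j <= m, and rho_{m+1} = 0.  Table 29-3's simplification is the
    default higher = 1.0: then Q_4 .. Q_{m-1} vanish and Q_m = beta*gamma*delta.
    """
    if not 1 <= k <= m:
        raise ValueError("K must satisfy 1 <= K <= m")
    rho = ([1.0, beta, gamma, delta] + [higher] * max(0, m - 4))[:m] + [0.0]
    product = 1.0
    for j in range(k):           # rho_1 .. rho_K  (list index j holds rho_{j+1})
        product *= rho[j]
    return product * (1.0 - rho[k]) / comb(m - 1, k - 1)


def table_29_3_row(m: int, beta: float, gamma: float = 1.0, delta: float = 1.0) -> List[float]:
    """All Q_K/Q_T values for K = 1 .. m, i.e. one row of Table 29-3."""
    return [mgl_fraction(m, k, beta, gamma, delta) for k in range(1, m + 1)]


def conservation_check(m: int, beta: float, gamma: float = 1.0, delta: float = 1.0) -> float:
    """sum_K C(m-1, K-1) * Q_K/Q_T must equal 1: Q_T counts every failure
    combination containing a given component, and that component belongs to
    C(m-1, K-1) of the size-K combinations.  Returns the sum (expect 1.0)."""
    row = table_29_3_row(m, beta, gamma, delta)
    return sum(comb(m - 1, k - 1) * q for k, q in enumerate(row, start=1))


def group_ccf_probability(m: int, q_t: float, beta: float, gamma: float = 1.0,
                          delta: float = 1.0) -> float:
    """Probability that all m components fail from a shared cause: Q_m = (Q_m/Q_T) * Q_T."""
    return mgl_fraction(m, m, beta, gamma, delta) * q_t


if __name__ == "__main__":
    # Constructed illustration values (not Reference 29A-1 data).
    b, g, d = 0.1, 0.4, 0.5
    for m in range(1, 13):
        print(m, [round(x, 4) for x in table_29_3_row(m, b, g, d)])
```

With γ and δ left at their default of 1 the model collapses to the two-parameter beta-factor form used in Table 29-2 (Q2/QT = β for a pair), which is why `group_ccf_probability(2, q_t, beta)` reproduces the `q_t x beta` products of that table; the `conservation_check` is a cheap way to catch an indexing slip when the coefficients are typed in by hand.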


Figure 29-1  IRWST Valve Configuration

[Figure: piping diagram of the IRWST injection and sump recirculation valves between the IRWST tank, the RCS and the containment sump. Only the figure legend is recoverable from the page:]

Valve group | Valves | Number
HP EVs | 123A/B, 125A/B, 120A/B | 6
Injection CVs | 122A/B, 124A/B | 4
Rec. CVs | 119A/B | 2
Recirc. Sump MOVs | 117A/B | 2
LP EVs | 118A/B | 2
Total | | 16


ATTACHMENT 29A

COMMON-CAUSE ANALYSIS GUIDELINES

29A.1 Introduction

Dependent failures are failures that defeat the redundancy employed in the design to improve the availability of plant functions such as coolant injection.

In the absence of dependent failures, separate trains of a redundant system, or diverse methods of providing the same function, are regarded as independent, so that the unavailability of the function is essentially the product of the unavailability of the separate trains or diverse systems.

However, a dependent failure arises from some cause that fails more than one system, or more than one train of a system, simultaneously or within a short interval (during the mission time or between two surveillance tests). Thus the effect of dependent failures is to increase the unavailability of the function above what it would be if the trains were independent.

This guidebook describes the methodology to consider the different types of dependent failures, with particular emphasis for common-cause failures (CCFs), in which two or more component fault states exist at the same time or in a short time interval and are a direct result of a shared cause.

The methodology is in compliance with the Electric Power Research Institute (EPRI) ALWR Requirements (Reference 29A-1).

29A.2 Types of Dependencies

The following paragraphs discuss the types of dependencies that should be considered in the present Probabilistic Safety Study (PSS) analysis:

* Sequence Functional Dependencies, which indicate the effects of the status of one system or safety function on the success or failure of another.

These dependencies are expected to be addressed in the event tree analysis chapter (Chapter 40).

Particular care should be used to consider the dependencies due to interactions of core-cooling systems and containment systems, where the response of containment or containment systems may impact the ability of the system providing core cooling to continue to operate.

* Intersystem Dependencies, including both hard-wired dependencies (e.g., through electric power, cooling water, interlocks, permissives, etc.) and functional dependencies (e.g., ambient cooling, adequate net-positive suction head, etc.). These are incorporated explicitly in the different system fault trees using the same basic event name or the same subtree name (SUB-XXXXXX) to identify the same component failure mode or the same supporting system failure mode.

Furthermore, in the system notebooks, a Dependency Matrix showing the dependencies among the frontline and supporting systems will be reported.

* Inter-component Dependencies, also called common-cause failures, due to shared root causes of failures. These dependencies shall be modeled and quantified using the methodology described in the following Sections 29A.3, 29A.4, 29A.5 and 29A.6.

* Dependencies due to Human Actions, such as incorrect calibration of sensors or instruments, or such as diagnostic error which might affect the manual actuation of redundant systems are explicitly modeled as separate events in the fault trees and are evaluated in human reliability analysis.

29A.3 Common-Cause Failures Definition

The multiple dependent failures, whose root causes are not modeled explicitly in the plant model, are defined as common-cause failures. The common-cause events are treated using the parametric common-cause models discussed in Section 29A.6.

In particular, in the present analysis, it is assumed that sequence functional dependencies, intersystem dependencies, and most of the dependencies due to human actions, such as plant staff errors of omission and commission (i.e., failure to follow a correct procedure, or incorrect calibration of instruments, or failure to restore components to service after test or maintenance) are addressed explicitly in the plant model, where they are included as separate events.

It is further assumed that common-cause initiating events are explicitly addressed under external events (e.g., earthquake) and specific internal events. Therefore, only root-cause events leading directly to multiple component outages from the shared cause and coming from the following categories are addressed:

* Design/Manufacturing/Construction/Installation Inadequacy, or Internal Causes
* Abnormal Environmental Stress
* Maintenance or Operation Actions not explicitly modeled (addressed hereafter).

Design/Manufacturing/Construction/Installation Inadequacy encompasses actions and decisions during design, manufacturing or installation of components both before and after the plant is operational. Also included in this category is the malfunctioning of something internal to the component as a result of normal wear-out or other intrinsic failure and the influence of the normal ambient environment of the component. These root-cause events affect similar components.

Abnormal Environmental Stress includes all causes related to a harsh environment that are not within a component's specific design criteria. Table 29A-1 contains illustrated dependencies coupled by a common environment as derived from NUREG/CR 2300 (Reference 29A-2). This type of root-cause event affects equipment in the same location that is sensitive to the same harsh environment.

Maintenance or Operator Actions affect equipment operated according to the same procedures. Errors include procedure error, plant staff error and scheduled or unscheduled maintenance.

Only the multiple failures due to root causes that are not explicitly modeled should be considered in the common-cause failure category. Generally, they are related to operator errors in sub-components at a level lower than those normally considered in the fault tree construction. Examples of potential root-cause events leading to common-cause failure are:

* Use of improper lubrication type which might damage equipment
* Lack of sufficient antifreeze liquid in the diesel radiator during severe cold weather
* Wrong setting of protection device (such as torque switch) if not explicitly modeled

Instead, the failure to restore components to service after their isolation for test and maintenance are explicitly modeled in the fault trees and should not be considered again.

29A.4 Methodology

The methodology described in the EPRI NP-5613 report (Reference 29A-3) on common-cause analysis procedures shall be used.

One of the most important tasks is the identification of the common-cause component groups to be considered in the analysis. The common-cause component group is defined as a group of (usually similar) components that are considered to have a potential of failing due to the same cause. This identification is based on a qualitative screening analysis within each system and among different redundant systems performing the same function.

This qualitative analysis is based on the fact that common-cause failures, and generally dependent failures, can be thought of as resulting from the coexistence of two factors:

* A susceptibility for components to fail or to be unavailable from a particular root cause of failure

* A coupling mechanism that creates the conditions for multiple components to be affected by the same cause simultaneously or in a short time.

The susceptibility to root cause and the coupling mechanisms can be reduced if design or operational defenses are present.

These defenses will provide the bases to screen out a component from the common-cause component group. Section 29A.5 provides a more detailed procedure. Quantification of the common-cause component group, which is not screened out, is needed.


For screening purposes the generic "beta" factors reported in Reference 29A-1 should be used. These beta factors are collected from the common-cause factors presented in Reference 29A-1. The values are derived from the common-cause factors for two-of-two failures.

For the components not listed in the previous sources, a generic "beta" factor value of 0.1 should be used if the number of components that could lead to the failure of the function is low (approximately 5). Otherwise, a value of 4.5E-2 will be used for "failure to operate" and 2.3E-2 for "failure to continue to operate," as derived from the multiplication of the values for β, γ, δ reported in Reference 29A-1 for generic components. An exception is made for microprocessor-based components (boards or cards), for which a dedicated analysis is performed and reported in the Protection and Safety Monitoring System analysis and Plant Control System analysis of the PRA.

For the cases in which the analyst desires to investigate the effects of levels of redundancy beyond two-fold, or if the use of a single factor for a common-cause failure of more than two components within a group leads to overestimation of an important sequence frequency, the Multiple-Greek Letter (MGL) approach will be used.

In these cases, the common-cause factors reported in Reference 29A-1 should be used or, in lack of those, an in-depth analysis should be performed according to the methodology reported in Section 3.3 (common-cause modeling and data analysis) of EPRI-5613 (Reference 29A-3). In Section 4 of Reference 29A-3, some examples of application of the methodology are given.

An in-depth analysis, according to Reference 29A-3, should also be performed when the common-cause component group results in a dominant contributor to the plant risk and there are reasons to believe that the data of Reference 29A-1, or the generic beta factor value of 0.1, is too conservative.

29A.5 Common-Cause Failures Calculation Procedure

Two distinct procedures are hereafter described according to whether the common-cause failure evaluation should be performed for common components group within the system or among more systems.

For the passive plants (AP1000), there is a need to consider the common-cause failures also among systems while, for the PRA of the present plants, generally the analysis is limited to intra-system common-cause failure. The reason is that the supporting systems, such as the diesel generators and the service water systems, are traditionally the dominant contributors for the present plant generation because many redundant systems are dependent on them.

Therefore, the common-cause failures of the components of the supporting systems are the dominant contributors, such that the increase of the model complexity by inserting other intersystem common-cause failure for other components might not be worthwhile.


The passive systems have very slight dependencies from support systems such that the common-cause failure of other components (e.g., check valves) have the potential for becoming more important.

The common-cause failures within a system are those failures that affect only the components of that system susceptible to the same root cause, considered as completely independent from other plant systems. For this case, the analysis is performed considering the different alignment that the system can assume and identifying all probable common-cause failures.

The common-cause failures among systems are those failures that can affect the components susceptible to the same root cause in different plant systems. For these common-cause failures, the analysis will be performed later in the program when the event tree sequences and, therefore, the front-line systems, called upon to perform the mitigating function, are identified.

In the first phase of the analysis, the system analyst, together with the common-cause failure analyst, must identify only the common-cause failures within the system and model those into the fault tree.

The common-cause failure analyst will provide data for the quantification of these common-cause failures, according to the generic beta factors reported in Reference 29A-1.

Later, the common-cause failure analyst will identify the common-cause failures among the systems and their value, and together with the system analyst, will insert them into the fault trees.

Where a common-cause failure among the systems is discovered to already be considered as a common-cause failure within the system, its identification name will be changed to allow for identifying similarities among more systems using the WLINK3 Code System.

29A.5.1 Procedure for Treatment of Common-Cause Failures Within a System

Before starting a common-cause failure analysis, it is strongly recommended that a table be created which identifies for each system, and for each fault tree performed, the components (and the related failure modes) that are required to change status. This type of table can easily provide all component failures considered in the fault tree models.

Such a table should be provided by each system analyst, as part of a system calculation note, irrespective of the common-cause failure analysis.

The following procedure should be used to model and evaluate common-cause failure within a system:

Step 1: Identification of Common-Cause Component Groups

In this step, important common-cause component groups are identified for inclusion in the system fault tree. A typical component group contains components of the same type which might cause failure of redundant loops of the system by the same failure mode.


Common-cause events for other component groups in a system may be defined if it appears that such an event would be an important contributor to system unavailability. These events may also be defined if the components in the group can be linked to conceivable common-cause failures such as those defined previously (design/manufacturing/construction inadequacy, abnormal environmental stress, etc.).

Common-cause failures due to abnormal environmental stress are accounted for only for components that are located inside the containment. This is because the systems located outside the containment are assumed to be in separate rooms and, therefore, no common environmental condition can affect them.

The components identified for inclusion in the common-cause failure analysis should not only be of the same type (pumps, valves, etc.), but should also meet all the following conditions:

* Same initial conditions (i.e., normally open, normally closed, energized, de-energized, etc.) and operating characteristics (normally running, standby). One valve that is normally open and another valve which is normally closed should not be included as a common-cause component group.

* Same use or function such as system isolation, flow modulation, parameter sensing, motive force, etc. For example, a check valve in the discharge lines of the safety injection system (e.g., accumulator discharge valves) and a check valve that follows a pump should not be included in the same common-cause component group.

* Same failure mode (failure to open on demand, failure to start on demand, etc.). A normally operating pump that fails to run and a standby pump that fails to start and run should be included in the same common-cause group only for the pump failure to run.

Also, diverse redundant components that have piece parts that are identically redundant, and are not already contained in the common-cause component groups previously identified, should not be assumed to be fully independent. One approach in this case is to break down the component boundaries and identify the common piece parts as a common-cause component group (this could be the case of the electrical motors used in both pumps and fans).

Components affected by maintenance or operator errors (not already explicitly modeled) and operated according to the same procedures might belong to this group. This will be performed only if this event is estimated to be an important contributor. Examples are limit or torque switch setting error, use of improper lubrication, etc.

The analysis should also identify these potential common-cause failures and justify the reason for eventually screening them out (e.g., components already considered negligible compared to other common-cause failures, detection during frequent operation, etc.).

Therefore, a table similar to Table 29A-2, which contains a list of the components activated (as provided by each system analyst), will identify if two or more components within the system can be affected by the same failure mode at the same time.
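The Step 1 screening rules above (same type, same initial state, same function, same failure mode, with the running/standby pump exception) and the generic screening beta of Section 29A.4, applied to a constructed component list as an added example. This is not code from the AP1000 PRA: the `Component` record, the tags in `SAMPLE` and the reading of "approximately 5" as a cutoff of 5 are this example's own assumptions.

```python
"""Qualitative screening of common-cause component groups (Step 1 of
Section 29A.5.1) and the screening beta factor of Section 29A.4.

Added worked example; not code from the AP1000 PRA.  The component list is
constructed and its tags are illustrative, not AP1000 equipment numbers.  The
group-size cutoff of 5 is this example's reading of the page's "approximately 5".
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Component:
    tag: str
    ctype: str                      # pump, check valve, MOV, ...
    function: str                   # isolation, injection discharge, motive force, ...
    initial_state: str              # normally open/closed, running, standby, ...
    failure_modes: Tuple[str, ...]  # modes credited in the fault tree


def group_key(c: Component, mode: str) -> Tuple[str, str, str, str]:
    """Pooling key for one (component, failure mode) pair.

    The page requires same type, same use/function, same failure mode and the
    same initial/operating state.  For 'fail to run' the state is dropped,
    since the page pools a normally running pump with a standby pump for that
    mode only (not for fail to start).
    """
    state = "" if mode == "fail to run" else c.initial_state
    return (c.ctype, c.function, mode, state)


def screen_ccf_groups(components: List[Component]) -> Dict[tuple, List[str]]:
    """Return candidate CCF component groups (key -> member tags); a group
    needs at least two members to be a common-cause candidate."""
    pools: Dict[tuple, List[str]] = defaultdict(list)
    for c in components:
        for mode in c.failure_modes:
            pools[group_key(c, mode)].append(c.tag)
    return {key: tags for key, tags in pools.items() if len(tags) >= 2}


def screening_beta(group_size: int, mode: str, small_group_max: int = 5) -> float:
    """Generic screening beta from Section 29A.4: 0.1 for a small group, else
    4.5E-2 for failure to operate (demand modes) and 2.3E-2 for failure to
    continue to operate (running modes).  Assumption: 'run' in the mode name
    marks a continue-to-operate mode; the cutoff default is the page's ~5."""
    if group_size <= small_group_max:
        return 0.1
    return 2.3e-2 if "run" in mode else 4.5e-2


# Constructed sample (illustrative tags only).
SAMPLE: List[Component] = [
    Component("P-1A", "pump", "motive force", "running", ("fail to run",)),
    Component("P-1B", "pump", "motive force", "standby", ("fail to start", "fail to run")),
    Component("P-1C", "pump", "motive force", "standby", ("fail to start", "fail to run")),
    Component("CV-2A", "check valve", "injection discharge", "normally closed", ("fail to open",)),
    Component("CV-2B", "check valve", "injection discharge", "normally closed", ("fail to open",)),
    Component("CV-3", "check valve", "pump discharge", "normally closed", ("fail to open",)),
    Component("MV-4A", "MOV", "isolation", "normally open", ("fail to close",)),
    Component("MV-4B", "MOV", "isolation", "normally closed", ("fail to open",)),
]

if __name__ == "__main__":
    for key, tags in screen_ccf_groups(SAMPLE).items():
        print(key, tags, "beta =", screening_beta(len(tags), key[2]))
```

On the sample the three pumps form one "fail to run" group while only the two standby pumps form a "fail to start" group; the injection check valves pair up but CV-3 (a pump-discharge check valve) stays out, and the two MOVs never pool because their initial states and failure modes differ. The resulting groups are what the Table 29A-2 style listing would record before quantification.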


Step 2: Quantitative Evaluation

Make a quantitative evaluation of the common-cause failures that survive the qualitative screening. Initially, the evaluation should use the beta factors reported in Reference 29A-1.

Step 3: Replacement of Common-Cause Failure in the Fault Tree and Quantification

Insert the evaluated common-cause failures into the fault tree, and determine whether several common-cause failures can be coalesced into a single module without impairing the identification of possible similarities.

Step 4: Re-quantification (If necessary)

If the common-cause method causes common-cause failures to be dominant contributors to system failure, core damage, or serious release, the data and process should be reevaluated to determine whether any conservatism might be removed.

For the cases in which the use of a single factor for a common-cause failure of more than two components within a group leads to overestimation of an important sequence frequency, the Multiple-Greek Letter (MGL) approach will be used.

In these cases, the common-cause factors reported in Reference 29A-1 should be used or, lacking those, an in-depth analysis should be performed according to the methodology reported in Section 3.3 of EPRI NP-5613 (Reference 29A-3).

Step 5: Documentation

Each system notebook will report the common-cause failures considered together with their numerical evaluation and identification code.

29A.5.2 Procedure for Treatment of Common-Cause Failures Among More Systems

To identify potential common-cause failures among different systems, an expert opinion session is used. Fault tree analysts as well as designers take part in this session. In this session, the various component groups are discussed to see whether they have common-cause potential among different systems, due to:

• Components being identical
• Environment
• Test and maintenance related errors
• Other factors

If any common-cause candidates are found, they are documented. The failure probabilities for these components are then calculated as described in the following section.


29A. Common-Cause Analysis Guidelines


29A.6 Common-Cause Failure Numerical Evaluation

This section reports how the "beta" factors and the common-cause factors for the Multiple-Greek Letter method should be used for a proper numerical evaluation of the common-cause failures.

29A.6.1 Evaluation through Beta Factor Method

The beta factor method assumes that $Q_T$, the total failure probability of the specific component, can be expanded into independent ($Q_I$) and dependent ($Q_{CC}$) failure contributions:

$Q_T = Q_I + Q_{CC}$,

where $Q_I = (1-\beta)\,Q_T$, and

$Q_{CC} = \beta\,Q_T$,

where $\beta$ is the conditional probability that the common cause of a component failure will be shared by one or more additional components. The $\beta$ value may be taken from Reference 29A-1.

For calculation ease we conservatively assume $Q_I = Q_T$.

The failure probability $Q_T$ is taken from the Data Analysis section of the PRA. Therefore, the contribution $Q_{CC}$ is easily found.

For each common-cause group, a single basic event that accounts for the dependent failure should be inserted in the fault tree alongside each random component failure or, preferably, only once at the highest applicable level.

As an example, if motor-operated valves A, B, C and D have been identified as a common-cause group for the "failure to open" mode, this failure mode should be considered in the fault tree as follows:

$Q_I = Q_T = 4\times10^{-3}$, as the independent failure of each motor-operated valve to open, and

$Q_{CC} = 0.05 \times 4\times10^{-3} = 2.0\times10^{-4}$, as the concurrent failure of A, B, C and D due to common causes.

29A.6.2 Evaluation through Multiple-Greek Letter (MGL) Method

The Multiple-Greek Letter model is an extension of the beta factor model. In this method, other parameters in addition to the beta factor are introduced to distinguish among common-cause events affecting larger numbers of components in a higher-order redundant system.

The Multiple-Greek Letter parameters consist of a set of failure fractions used to quantify the conditional probabilities of all the possible ways a common-cause failure of a component can be shared with other components in the same group, given a component failure has occurred.


For a system of m redundant components and for each given root cause, m different parameters are defined. For simplification purposes, only the first three parameters are generally used.

The first three parameters of the Multiple-Greek Letter model are:

$\beta$ = conditional probability that the common cause of a component failure will be shared by one or more additional components,

$\gamma$ = conditional probability that the common cause of a component failure that is shared by one or more components will be shared by two or more components additional to the first,

$\delta$ = conditional probability that the common cause of a component failure that is shared by two or more components will be shared by three or more components additional to the first.

Table 29A-3 shows the equations that are used to calculate the probability of a basic event $Q_k$ ($1 \le k \le m$) involving the failure of exactly k specific components, for groups of four (m) or fewer components.

The failure probability of a component due only to independent causes (therefore, not common cause) is evaluated as:

$Q_1 = (1-\beta)\,Q_T$, which is approximated by $Q_T$.

The common-cause (CC) factors of Table 29A-3 for a group of four components are:

CC Factor 2 of 4 = $\beta(1-\gamma)/3$

CC Factor 3 of 4 = $\beta\gamma(1-\delta)/3$

CC Factor 4 of 4 = $\beta\gamma\delta$

As an example, for the case of four motor-operated valves identified as a common-cause group for the "failure to open" mode, in the fault tree for each component the following eight distinct basic events should be considered:

for MOV "A": $Q_A, Q_{AB}, Q_{AC}, Q_{AD}, Q_{ABC}, Q_{ABD}, Q_{ACD}, Q_{ABCD}$

for MOV "B": $Q_B, Q_{AB}, Q_{BC}, Q_{BD}, Q_{ABC}, Q_{ABD}, Q_{BCD}, Q_{ABCD}$

for MOV "C": $Q_C, Q_{AC}, Q_{BC}, Q_{CD}, Q_{ABC}, Q_{ACD}, Q_{BCD}, Q_{ABCD}$

for MOV "D": $Q_D, Q_{AD}, Q_{BD}, Q_{CD}, Q_{ABD}, Q_{ACD}, Q_{BCD}, Q_{ABCD}$


the values are:

$Q_1 = Q_A = Q_B = Q_C = Q_D = Q_T = 4\times10^{-3}$, as the independent basic event, and

$Q_2 = Q_{AB} = Q_{AC} = Q_{AD} = Q_{BC} = Q_{BD} = Q_{CD} = (\text{CC Factor 2 of 4}) \times Q_T = 1.7\times10^{-3} \times 4\times10^{-3} = 6.8\times10^{-6}$ per demand, as the common-cause failure of two components failing simultaneously, and

$Q_3 = Q_{ABC} = Q_{ABD} = Q_{ACD} = Q_{BCD} = (\text{CC Factor 3 of 4}) \times Q_T = 3.3\times10^{-3} \times 4\times10^{-3} = 1.3\times10^{-5}$ per demand, as the common-cause failure of three components failing simultaneously, and

$Q_4 = Q_{ABCD} = (\text{CC Factor 4 of 4}) \times Q_T = 3.4\times10^{-2} \times 4\times10^{-3} = 1.4\times10^{-4}$ per demand, as the common-cause failure of all four components failing simultaneously.

This method leads to some illogical combinations of events in the resulting system cutsets when more than two components are contained in a common-cause group.

For example, if three components are identified to be in the same common-cause group, cutsets of the type $Q_{AB} \cdot Q_{AC}$ may appear. The definition of the $Q_{AB}$ and $Q_{AC}$ events precludes their occurrence in a logical AND; otherwise, component A would have to have failed twice from the same root cause. In general, the contribution of this type of cutset is considerably smaller than that of cutsets like $Q_{ABC}$, so its inclusion does not make a significant numerical difference to the results.
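The beta-factor calculation of Section 29A.6.1, the Table 29A-3 equations of Section 29A.6.2 and the illogical-cutset remark above, carried through in code. This is an added worked example and not code from the AP1000 PRA or from Reference 29A-3. It uses the general MGL expansion, which reproduces every cell of Table 29A-3, and then quantifies the top event "all four MOVs fail to open" from the resulting basic events so that the logical and illogical cutsets can be compared. $\beta = 0.05$ and $Q_T = 4\times10^{-3}$ are the page's values; $\gamma = 0.9$ and $\delta = 0.78$ are illustrative assumptions, since the page quotes only the rounded factors from Reference 29A-1 and does not state $\gamma$ or $\delta$.

```python
"""Beta-factor and Multiple-Greek-Letter (MGL) common-cause quantification.

Added example; not code from the AP1000 PRA or from Reference 29A-3.
Implements the Table 29A-3 equations in their general form:

    Q_k = rho_1 * ... * rho_k * (1 - rho_{k+1}) * Q_T / C(m-1, k-1),

rho_1 = 1, rho_2 = beta, rho_3 = gamma, rho_4 = delta, rho_{m+1} = 0.
gamma = delta = 1 collapses it to the beta-factor method of 29A.6.1.
beta = 0.05 and Q_T = 4E-3 are the page's values; gamma = 0.9 and
delta = 0.78 are illustrative assumptions (the page does not state them).
"""
from itertools import combinations
from math import comb, prod


def mgl_factor(m, k, beta, gamma=1.0, delta=1.0):
    """Fraction of Q_T assigned to one specific k-of-m basic event."""
    if not 1 <= k <= m <= 4:
        raise ValueError("Table 29A-3 covers groups of 2 to 4 components")
    rho = [1.0, beta, gamma, delta][:m] + [0.0]  # rho_{m+1} = 0 ends the chain
    return prod(rho[:k]) * (1.0 - rho[k]) / comb(m - 1, k - 1)


def mgl_basic_events(components, q_t, beta, gamma=1.0, delta=1.0):
    """All distinct basic events for one failure mode of a common-cause group.

    Returns {frozenset(components): probability}; for MOVs A..D these are the
    15 events Q_A ... Q_ABCD, and each component appears in 8 of them.
    """
    m = len(components)
    events = {}
    for k in range(1, m + 1):
        q_k = mgl_factor(m, k, beta, gamma, delta) * q_t
        for subset in combinations(components, k):
            events[frozenset(subset)] = q_k
    return events


def events_for(component, events):
    """Basic events placed under one component's failure gate in the fault tree."""
    return {e: q for e, q in events.items() if component in e}


def total_failure_prob(component, events):
    """Sum of every event involving the component; equals Q_T by construction
    (a consistency check to run after inserting the CCF events in Step 3)."""
    return sum(events_for(component, events).values())


def minimal_cutsets(events, n_fail):
    """Minimal sets of basic events whose union fails at least n_fail components.

    Any combination of basic events is a candidate, so 'illogical' cutsets such
    as {Q_AB, Q_AC} (A failed twice by one root cause) are produced as well;
    is_logical() lets the caller separate them.
    """
    names = list(events)
    max_size = max(len(e) for e in names)
    cutsets = []
    for size in range(1, max_size + 1):
        for cs in combinations(names, size):
            if len(frozenset().union(*cs)) < n_fail:
                continue
            if any(set(found) < set(cs) for found in cutsets):
                continue  # contains a smaller cutset, so it is not minimal
            cutsets.append(cs)
    return cutsets


def is_logical(cutset):
    """True when no component is failed by two different events of the cutset."""
    seen = set()
    for e in cutset:
        if seen & e:
            return False
        seen |= e
    return True


def rare_event_prob(events, cutsets):
    """Rare-event approximation of the top event: sum of the cutset products."""
    return sum(prod(events[e] for e in cs) for cs in cutsets)


def four_mov_example(q_t=4e-3, beta=0.05, gamma=0.9, delta=0.78):
    """Top event 'all four MOVs fail to open', quantified from the MGL events."""
    events = mgl_basic_events("ABCD", q_t, beta, gamma, delta)
    cutsets = minimal_cutsets(events, n_fail=4)
    logical = [cs for cs in cutsets if is_logical(cs)]
    illogical = [cs for cs in cutsets if not is_logical(cs)]
    return {
        "Q_A": events[frozenset("A")],
        "Q_AB": events[frozenset("AB")],
        "Q_ABC": events[frozenset("ABC")],
        "Q_ABCD": events[frozenset("ABCD")],
        "n_logical": len(logical),
        "n_illogical": len(illogical),
        "p_logical": rare_event_prob(events, logical),
        "p_illogical": rare_event_prob(events, illogical),
    }


if __name__ == "__main__":
    for name, value in four_mov_example().items():
        print(f"{name:12s} {value}")
```

Running the example gives $Q_{AB} = 6.7\times10^{-6}$, $Q_{ABC} = 1.3\times10^{-5}$ and $Q_{ABCD} = 1.4\times10^{-4}$ for the assumed $\gamma$ and $\delta$, close to the rounded page values; the sum of the eight events under any one MOV returns exactly $Q_T$, which is the check worth running after Step 3. The 15 logical minimal cutsets (the set partitions of {A, B, C, D}) carry essentially all of the top-event probability, and the illogical cutsets such as $Q_{ABC}\cdot Q_{ACD}$ contribute more than four orders of magnitude less, which is the numerical basis for the remark above. Calling `mgl_basic_events("ABCD", 4e-3, 0.05)` with the default $\gamma = \delta = 1$ gives the beta-factor result of Section 29A.6.1, $Q_{ABCD} = 2.0\times10^{-4}$, with all partial common-cause events equal to zero.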

29A.7 References

29A-1 "Advanced Light Water Reactor Requirements Document," Vol. III, Appendix A to Chapter 1, "PRA Key Assumptions and Ground Rules," EPRI, Rev. 5 & 6, December 1993.

29A-2 NUREG/CR-2300, "PRA Procedures Guide," Volume 1, ANS and IEEE, January 1983.

29A-3 EPRI NP-5613, "Procedure for Treating Common-Cause Failures in Safety and Reliability Studies," January 1988.


Table 29A-1

EXTREME ENVIRONMENTAL CONDITIONS (GENERIC CAUSES OF DEPENDENT FAILURES)
EXCERPTED FROM THE ANS/IEEE PRA PROCEDURES GUIDE (NUREG/CR-2300)

No. | Extreme Condition (Generic Cause) | Example of Source | Environmental Channel
1 | Impact | Pipe whip, water hammer, missiles, structural failure, earthquakes* | Common location, hydraulic coupling, common structural base
2 | Vibration | Machinery in motion, earthquakes | Common structural base
3 | Temperature | Fire*, lightning*, welding equipment, cooling system faults, electrical short circuits | Common location, ventilation ducts
4 | Moisture | Condensation, pipe rupture, rainwater*, floods* | Common location, ventilation ducts, hydraulic coupling
5 | Pressure | Explosion, out-of-tolerance system changes (pump overspeed), flow blockage | Common location, ventilation ducts, hydraulic coupling
6 | Grit | Airborne dust, metal fragments generated by moving parts with inadequate tolerances, crystallized boric acid from control system | Common location, ventilation ducts
7 | Electromagnetic interference | Welding equipment, rotating electrical machinery, lightning*, power supplies, transmission lines | Spatial proximity to source
8 | Radiation | Neutron sources and charged-particle radiation | Spatial proximity to source
9 | Corrosion or other chemical reaction | Acid, water, or chemical attack | Common location, ventilation ducts, hydraulic coupling
10 | Conductive medium | Conductive gases | Common location, ventilation ducts

*These events are covered by the External and/or Internal Events Analysis.


Table 29A-2

COMMON-CAUSE FAILURES AMONG SYSTEMS

Component and failure mode | System "A" | System "B"
1 Motor-driven pump: fails to start | |
1 Motor-driven pump: fails to run | X | X
2 Check valves: fails to open | X | X
2 Check valves: fails to close | |
3 Air-operated valves: fails to operate | X (marked in one system only) |


Table 29A-3

COMMON-CAUSE FAILURE EQUATIONS FOR MGL METHOD

Number of Components in Common-Cause Group (m) | Number of Failed Components (k) = 1 | k = 2 | k = 3 | k = 4
m = 2 | $(1-\beta)\,Q_T$ | $\beta\,Q_T$ | - | -
m = 3 | $(1-\beta)\,Q_T$ | $\beta(1-\gamma)\,Q_T/2$ | $\beta\gamma\,Q_T$ | -
m = 4 | $(1-\beta)\,Q_T$ | $\beta(1-\gamma)\,Q_T/3$ | $\beta\gamma(1-\delta)\,Q_T/3$ | $\beta\gamma\delta\,Q_T$

where:

$Q_T$ = total failure probability of the component due to all independent and common-cause events. This value can be obtained from the Data Analysis Section.
